- Examiner caused Palm Springs credit union breach, NCUA IG to
investigate - In what might be viewed as a wee bit of irony, it
seems a regulator caused a data breach that National Credit Union
Association (NCUA) Inspector General James Hagen now says his office

- Researchers investigate, suggest fired employees assisted in Sony
hack - Researchers are saying that one or more former employees may
have aided in the massive hack of Sony.

- Gogo caught using fake Google SSL certificates - Flyers who don't
want their data intercepted by Gogo LLC, or to fall unnecessarily
into the hands of law enforcement, might want to reconsider using the
inflight WiFi service after it was found to be using fake Google SSL

- Former HHS cybersecurity director gets 25 years - A former
cybersecurity official at the U.S. Department of Health and Human
Services has been sentenced to 25 years in prison for his role in ..

- Researchers teach security master class at Oregon State - Over the
next 10 weeks, analysts at McAfee Labs will teach a master class on
cyber security at Oregon State University, which will cover
everything from malware research to mobile threats, incident
response, and other topics.

- Pro-Russian group claims it hacked German Chancellor website - The
website of German Chancellor Angela Merkel, in addition to other
German government sites, became unavailable Wednesday to visitors as
a result of a cyber attack.

- Moonpig vulnerability exposes customers' personal information -
Moonpig, a customizable greeting card company, had 3 million
customers' personal information exposed after a developer detailed a
security vulnerability online.

- Former CBS reporter claims gov't hacked computer, sues for $35M -
An ex-CBS reporter is suing the federal government for $35 million,
claiming that the feds hacked into her computer.

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

- Chick-fil-A investigates possible POS breach - Chick-fil-A has
joined forces with law enforcement authorities and IT security
experts to investigate a possible breach of its point-of-sale (POS)
payment system after a number of financial institutions in the U.S.
detected fraud activity on payment cards used at the restaurant

- UGA computer network hacked, Georgia Tech student indicted - A
Georgia Tech (GT) student has been indicted after allegedly hacking
into the University of Georgia (UGA) computer network prior to a
rivalry football game and posting a message on the UGA online

- Morgan Stanley employee fired for stealing data on 350K clients,
reports say - Multinational financial services corporation Morgan
Stanley has fired a financial adviser who stole data on 350,000

- Bitcoin exchange Bitstamp goes offline following possible breach -
Bitstamp, a major Bitcoin exchange, went offline on Monday after the
service discovered that one of its operational wallets was possibly
compromised, according to a notice on the site.

- Attempted access to Fast Forward Academy systems puts data at risk -
Florida-based exam preparation company Fast Forward Academy is
notifying an undisclosed number of individuals that an unauthorized
person attempted to access its systems, which store partner and

- Medical File Hack Affected Nearly Half a Million Postal Workers -
Network intruders compromised health information on current and
former U.S. Postal Service employees who filed for workers’
compensation, USPS officials say.

- NVIDIA Corporate Network Breached - Over the winter holidays people
were concerning themselves with family gatherings, the exchange of
presents and even some reading on the soap opera that has blossomed
from the Sony Pictures breach.

- Call center suspends workers in Northern Ireland over possible
breach - Dozens of call center workers in Londonderry, Northern
Ireland, have been suspended and are being investigated in a
potential data breach.

- Stolen DJO Global laptop contained patient data - California-based
medical device company DJO Global is notifying an undisclosed number
of individuals that a laptop computer containing some personal
patient information was stolen from a locked car belonging to a DJO

- Malicious code on ID Parts website, credit card data of 12K
customers stolen - Massachusetts-based automotive parts seller ID
Parts is notifying roughly 12,000 individuals that malicious code
was inserted into the functions that process customer payment
information on the ID Parts website, and their credit card
information was stolen.

WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk
Management Principles for Electronic Banking" published by the Basel
Committee on Bank

Audit Trail Practices for E-Banking Systems

1. Sufficient logs should be maintained for all e-banking
transactions to help establish a clear audit trail and assist in

2. E-banking systems should be designed and installed to capture and
maintain forensic evidence in a manner that maintains control over
the evidence, and prevents tampering and the collection of false

3. In instances where processing systems and related audit trails
are the responsibility of a third-party service provider:

a) The bank should ensure that it has access to relevant audit
trails maintained by the service provider.

b) Audit trails maintained by the service provider meet the bank's

FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.

INTRUSION DETECTION AND RESPONSE

Operational anomalies may be evidence of a broad number of issues,
one of which is potential intrusion. Anomalies that act as
intrusion-warning indicators fall into two categories, those
apparent in system processing, and those apparent outside the

System processing anomalies are evident in system logs and system
behavior. Good identification involves pre-establishing which system
processing data streams will be monitored for anomalies, defining
which anomalies constitute an indicator of an intrusion, and the
frequency of the monitoring. For example, remote access logs can be
reviewed daily for access during unusual times. Other logs can be
reviewed on other regular cycles for other unusual behaviors. System
behavior covers a broad range of issues, from CPU utilization to
network traffic protocols, quantity and destinations. One example of
a processing anomaly is CPU utilization approaching 100% when the
scheduled jobs typically require much less. Anomalous behavior,
however, may not signal an intrusion.
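
An added example, not part of the FFIEC booklet or of this newsletter: one way to run the daily remote-access review described above, with the definition of "unusual times" fixed in advance. The log line format, the policy values, the account names and the sample lines are all constructed assumptions.

```python
import re
from datetime import datetime, time

# Constructed sample lines; this log format is an assumption of the example.
SAMPLE_LOG = """\
2015-01-05T09:14:02 vpn login user=jsmith src=198.51.100.7 result=success
2015-01-05T23:47:31 vpn login user=jsmith src=203.0.113.44 result=success
2015-01-06T02:05:10 vpn login user=batch01 src=192.0.2.10 result=success
2015-01-06T14:30:00 vpn login user=mlee src=198.51.100.9 result=failure
2015-01-10T11:00:45 vpn login user=mlee src=198.51.100.9 result=success
truncated line with no fields
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$"
)

# Pre-established definition of "unusual times" (hypothetical policy values).
POLICY = {
    "start": time(7, 0),                # working hours are 07:00 <= t < 19:00
    "end": time(19, 0),
    "workdays": {0, 1, 2, 3, 4},        # Monday=0 ... Friday=4
    "off_hours_accounts": {"batch01"},  # accounts expected to connect overnight
}

def review_remote_access(log_text, policy=POLICY):
    """Return (alerts, unparsed) for one review cycle of a remote-access log."""
    alerts, unparsed = [], []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        match = LINE_RE.match(line)
        try:
            ts = datetime.fromisoformat(match["ts"]) if match else None
        except ValueError:
            ts = None
        if ts is None:
            unparsed.append(line)  # keep unreadable lines: a silent skip hides gaps
            continue
        if match["user"] in policy["off_hours_accounts"]:
            continue
        if ts.weekday() not in policy["workdays"]:
            reason = "non-working day"
        elif not (policy["start"] <= ts.time() < policy["end"]):
            reason = "outside working hours"
        else:
            continue
        alerts.append({"time": ts, "user": match["user"], "src": match["src"],
                       "result": match["result"], "reason": reason})
    return alerts, unparsed
```

An alert here is a prompt for follow-up, not a finding: as the text says, anomalous behavior may not signal an intrusion.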

Outside the system, detection is typically based on system output,
such as unusual Automated Clearing House transactions or bill
payment transactions. Those unusual transactions may be flagged as a
part of ordinary transaction reviews, or customers and other system
users may report them. Customers and other users should be advised
as to where and how to report anomalies. The anomalous output,
however, may not signal an intrusion.

Central reporting and analysis of all IDS output, honeypot
monitoring, and anomalous system behavior assists in the intrusion
identification process. Any intrusion reporting should use
out-of-band communications mechanisms to protect the alert from
being intercepted or compromised by an intruder.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
the series on the National Institute of Standards and Technology

Chapter 19 - CRYPTOGRAPHY

19.1.3 Hybrid Cryptographic

Secret key systems are often used for bulk data encryption and
public key systems for automated key distribution.

Public and secret key cryptography have relative advantages and
disadvantages. Although public key cryptography does not require
users to share a common key, secret key cryptography is much faster:
equivalent implementations of secret key cryptography can run 1,000
to 10,000 times faster than public key cryptography.

To maximize the advantages and minimize the disadvantages of both
secret and public key cryptography, a computer system can use both
types in a complementary manner, with each performing different
functions. Typically, the speed advantage of secret key cryptography
means that it is used for encrypting data. Public key cryptography is
used for applications that are less demanding to a computer system's
resources, such as encrypting the keys used by secret key
cryptography (for distribution) or to sign messages.
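
An added example, not taken from the NIST handbook: the division of labour described above, with a fresh secret key encrypting the bulk data and the recipient's public key encrypting only that key. The choice of AES-GCM and RSA-OAEP, the third-party Python "cryptography" package, the function names and the sample data are assumptions of this example.

```python
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

def _oaep():
    return padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                        algorithm=hashes.SHA256(), label=None)

def hybrid_encrypt(recipient_public_key, plaintext):
    """Secret key for the bulk data; public key only for the 32-byte data key."""
    data_key = AESGCM.generate_key(bit_length=256)  # fresh secret key per message
    nonce = os.urandom(12)
    ciphertext = AESGCM(data_key).encrypt(nonce, plaintext, None)
    wrapped_key = recipient_public_key.encrypt(data_key, _oaep())
    return {"wrapped_key": wrapped_key, "nonce": nonce, "ciphertext": ciphertext}

def hybrid_decrypt(recipient_private_key, message):
    """Unwrap the data key with the private key, then decrypt the bulk data."""
    data_key = recipient_private_key.decrypt(message["wrapped_key"], _oaep())
    return AESGCM(data_key).decrypt(message["nonce"], message["ciphertext"], None)

def demo():
    recipient = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    bulk = b"constructed sample record\n" * 40000  # about 1 MB of constructed data
    message = hybrid_encrypt(recipient.public_key(), bulk)
    recovered = hybrid_decrypt(recipient, message)
    # Flip one bit of the bulk ciphertext: authenticated decryption must fail.
    last = message["ciphertext"][-1] ^ 1
    tampered = dict(message, ciphertext=message["ciphertext"][:-1] + bytes([last]))
    try:
        hybrid_decrypt(recipient, tampered)
        tamper_detected = False
    except InvalidTag:
        tamper_detected = True
    return {
        "roundtrip_ok": recovered == bulk,
        "wrapped_key_len": len(message["wrapped_key"]),  # one RSA block
        "overhead": len(message["ciphertext"]) - len(bulk),  # GCM tag only
        "tamper_detected": tamper_detected,
    }
```

The public key operation runs once, on 32 bytes, however large the data is; only the secret key cipher touches the bulk data.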

19.1.4 Key Escrow

Because cryptography can provide extremely strong encryption, it can
thwart the government's efforts to lawfully perform electronic
surveillance. For example, if strong cryptography is used to encrypt
a phone conversation, a court-authorized wiretap will not be
effective. To meet the needs of the government and to provide
privacy, the federal government has adopted voluntary key escrow
cryptography. This technology allows the use of strong encryption,
but also allows the government, when legally authorized, to obtain
decryption keys held by escrow agents. NIST has published the
Escrowed Encryption Standard as FIPS 185. Under the federal
government's voluntary key escrow initiative, the decryption keys are
split into parts and given to separate escrow authorities. Access to
one part of the key does not help decrypt the data; both parts must
be obtained.
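
An added example, not taken from FIPS 185 or the NIST handbook: a two-part XOR split, one simple scheme with the property stated above that a single part reveals nothing about the key. XOR splitting is this example's choice of technique; the function names and the sample key are constructed.

```python
import secrets

def split_key(key):
    """Split key into two parts; each part alone is uniformly random."""
    part1 = secrets.token_bytes(len(key))
    part2 = bytes(k ^ p for k, p in zip(key, part1))
    return part1, part2

def recombine(part1, part2):
    """Rebuild the key; both escrowed parts are required."""
    if len(part1) != len(part2):
        raise ValueError("escrow parts must have equal length")
    return bytes(a ^ b for a, b in zip(part1, part2))

def keys_consistent_with(part1):
    """All keys a holder of part1 alone cannot rule out.

    Restricted to 1-byte keys so the whole key space can be enumerated.
    """
    if len(part1) != 1:
        raise ValueError("enumeration is only practical for 1-byte keys")
    return {recombine(part1, bytes([other])) for other in range(256)}

def demo():
    key = bytes(range(16))  # constructed 128-bit sample key, not a real one
    part1, part2 = split_key(key)
    return {
        "recovered_with_both": recombine(part1, part2) == key,
        # A guessed second part (all zeros here) yields part1 itself,
        # not the key, unless part2 happened to be all zeros.
        "recovered_with_guess": recombine(part1, bytes(16)) == key,
        # For a 1-byte key, one part leaves all 256 keys equally possible.
        "candidates_from_one_part": len(keys_consistent_with(b"\x5a")),
    }
```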