R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

January 11, 2015

Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FYI - Examiner caused Palm Springs credit union breach, NCUA IG to investigate - In what might be viewed as a wee bit of irony, it seems a regulator caused a data breach that National Credit Union Association (NCUA) Inspector General James Hagen now says his office will investigate. http://www.scmagazine.com/ncua-examiner-responsible-for-missing-thumb-drive/article/390455/

FYI - Researchers investigate, suggest fired employees assisted in Sony hack - Researchers are saying that one or more former employees may have aided in the massive hack of Sony. http://www.scmagazine.com/one-or-more-former-employees-may-have-aided-in-hack/article/390385/

FYI - Gogo caught using fake Google SSL certificates - Flyers who don't want their data intercepted by Gogo LLC, or unnecessarily fall into the hands of law enforcement, might want to reconsider using the inflight WiFi service after it was found to be using fake Google SSL certificates. http://www.scmagazine.com/inflight-wifi-companys-mitm-attack-outed-by-google-engineer/article/391237/

FYI - Former HHS cybersecurity director gets 25 years - A former cybersecurity official at the U.S. Department of Health and Human Services has been sentenced to 25 years in prison for his role in .. http://www.scmagazine.com/hhs-cybersecurity-official-was-nabbed-in-fbi-child-porn-investigation/article/391203/

FYI - Researchers teach security master class at Oregon State - Over the next 10 weeks, analysts at McAfee Labs will teach a master class on cyber security at Oregon State University, which will cover everything from malware research, to mobile threats, incident response, and other topics. http://www.scmagazine.com/master-class-covers-malware-research-incident-response/article/391090/

FYI - Pro-Russian group claims it hacked German Chancellor website - The website of German Chancellor Angela Merkel, in addition to other German government sites, became unavailable Wednesday to visitors as a result of a cyber attack. http://www.scmagazine.com/pro-russian-group-claims-it-hacked-german-chancellor-website/article/391343/

FYI - Moonpig vulnerability exposes customers' personal information - Moonpig, a customizable greeting card company, had 3 million customers' personal information exposed after a developer detailed a security vulnerability online. http://www.scmagazine.com/developer-details-security-flaw-in-moonpig-site/article/391238/

FYI - Former CBS reporter claims gov't hacked computer, sues for $35M - An ex-CBS reporter is suing the federal government for $35 million, claiming that the feds hacked into her computer. http://www.scmagazine.com/former-cbs-reporter-claims-govt-hacked-computer-sues-for-35m/article/391675/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Chick-fil-A investigates possible POS breach - Chick-fil-A has joined forces with law enforcement authorities and IT security experts to investigate a possible breach of its point-of-sale (POS) payment system after a number of financial institutions in the U.S. detected fraudulent activity on payment cards used at the restaurant chain.
http://www.scmagazine.com/chick-fil-a-investigates-possible-pos-breach/article/390469/
http://www.darkreading.com/attacks-breaches/chick-fil-a-investigating-possible-data-breach/d/d-id/1318436

FYI - UGA computer network hacked, Georgia Tech student indicted - A Georgia Tech (GT) student has been indicted after allegedly hacking into the University of Georgia (UGA) computer network prior to a rivalry football game and posting a message on the UGA online calendar. http://www.scmagazine.com/uga-computer-network-hacked-georgia-tech-student-indicted/article/390471/

FYI - Morgan Stanley employee fired for stealing data on 350K clients, reports say - Multinational financial services corporation Morgan Stanley has fired a financial adviser who stole data on 350,000 clients. http://www.scmagazine.com/account-names-numbers-transaction-data-posted-on-internet/article/390984/

FYI - Bitcoin exchange Bitstamp goes offline following possible breach - Bitstamp, a major Bitcoin exchange, went offline on Monday after the service discovered that one of its operational wallets was possibly compromised, according to a notice on the site. http://www.scmagazine.com/bitstamp-goes-offline-in-cautionary-move/article/390908/

FYI - Attempted access to Fast Forward Academy systems puts data at risk - Florida-based exam preparation company Fast Forward Academy is notifying an undisclosed number of individuals that an unauthorized person attempted to access its systems, which store partner and customer information. http://www.scmagazine.com/attempted-access-to-fast-forward-academy-systems-puts-data-at-risk/article/390923/

FYI - Medical File Hack Affected Nearly Half a Million Postal Workers - Network intruders compromised health information on current and former U.S. Postal Service employees who filed for workers’ compensation, USPS officials say.
http://www.nextgov.com/cybersecurity/2015/01/medical-file-hack-affected-nearly-half-million-postal-workers/102144/
http://www.scmagazine.com/postal-service-intrusion-exposed-health-medical-information/article/390990/

FYI - NVIDIA Corporate Network Breached - Over the winter holidays people were concerning themselves with family gatherings, the exchange of presents and even some reading on the soap opera that has blossomed from the Sony Pictures breach. http://www.forbes.com/sites/davelewis/2014/12/29/nvidia-corporate-network-breached/

FYI - Call center suspends workers in Northern Ireland over possible breach - Dozens of call center workers in Londonderry, Northern Ireland, have been suspended and are being investigated in a potential data breach. http://www.scmagazine.com/call-center-suspends-workers-in-northern-ireland-over-possible-breach/article/391071/

FYI - Stolen DJO Global laptop contained patient data - California-based medical device company DJO Global is notifying an undisclosed number of individuals that a laptop computer containing some personal patient information was stolen from a locked car belonging to a DJO consultant. http://www.scmagazine.com/stolen-djo-global-laptop-contained-patient-data/article/391181/

FYI - Malicious code on ID Parts website, credit card data of 12K customers stolen - Massachusetts-based automotive parts seller ID Parts is notifying roughly 12,000 individuals that malicious code was inserted into the functions that process customer payment information on the ID Parts website, and their credit card information was stolen. http://www.scmagazine.com/malicious-code-on-id-parts-website-credit-card-data-of-12k-customers-stolen/article/391592/


WEB SITE COMPLIANCE - We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Banking Supervision.

Sound Audit Trail Practices for E-Banking Systems


1. Sufficient logs should be maintained for all e-banking transactions to help establish a clear audit trail and assist in dispute resolution.

2. E-banking systems should be designed and installed to capture and maintain forensic evidence in a manner that maintains control over the evidence, and prevents tampering and the collection of false evidence.

3. In instances where processing systems and related audit trails are the responsibility of a third-party service provider:

a) The bank should ensure that it has access to relevant audit trails maintained by the service provider.

b) Audit trails maintained by the service provider should meet the bank's standards.



FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

INTRUSION DETECTION AND RESPONSE

Operational Anomalies


Operational anomalies may be evidence of a broad number of issues, one of which is potential intrusion. Anomalies that act as intrusion-warning indicators fall into two categories: those apparent in system processing, and those apparent outside the system.

System processing anomalies are evident in system logs and system behavior. Good identification involves pre-establishing which system processing data streams will be monitored for anomalies, defining which anomalies constitute an indicator of an intrusion, and setting the frequency of the monitoring. For example, remote access logs can be reviewed daily for access during unusual times. Other logs can be reviewed on other regular cycles for other unusual behaviors. System behavior covers a broad range of issues, from CPU utilization to network traffic protocols, volumes, and destinations. One example of a processing anomaly is CPU utilization approaching 100% when the scheduled jobs typically require much less. Anomalous behavior, however, may not signal an intrusion.
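As an added example (not from the FFIEC booklet or this newsletter), the daily remote-access review described above can be expressed as a pre-established rule run over the log. The log line format, the business-hours window, the user names and the addresses are all constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// OutsideBusinessHours is the pre-established "unusual time" rule for this example:
// any access on a weekend, or before 07:00 or at/after 19:00 UTC, is an indicator to review.
func OutsideBusinessHours(t time.Time) bool {
	wd, h := t.Weekday(), t.Hour()
	return wd == time.Saturday || wd == time.Sunday || h < 7 || h >= 19
}

// parseLine reads the constructed format "<RFC3339 time> user=<u> src=<ip> result=<r>".
func parseLine(line string) (time.Time, string, error) {
	f := strings.Fields(line)
	if len(f) < 2 || !strings.HasPrefix(f[1], "user=") {
		return time.Time{}, "", fmt.Errorf("malformed log line: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return time.Time{}, "", err
	}
	return ts, strings.TrimPrefix(f[1], "user="), nil
}

// FlagUnusualAccess returns "user@time" for every line that breaks the rule. A malformed
// line is an error rather than skipped: a gap in the audit trail is itself worth a look.
func FlagUnusualAccess(logText string) ([]string, error) {
	var flagged []string
	for _, line := range strings.Split(strings.TrimSpace(logText), "\n") {
		ts, user, err := parseLine(line)
		if err != nil {
			return nil, err
		}
		if OutsideBusinessHours(ts) {
			flagged = append(flagged, user+"@"+ts.Format(time.RFC3339))
		}
	}
	return flagged, nil
}

// SampleLog is constructed sample data (RFC 5737 documentation addresses), not a real log.
const SampleLog = `2015-01-07T09:15:00Z user=jsmith src=198.51.100.10 result=success
2015-01-07T02:41:12Z user=admin src=203.0.113.77 result=success
2015-01-10T11:02:30Z user=mlee src=198.51.100.22 result=success
2015-01-08T18:59:59Z user=jsmith src=198.51.100.10 result=failure`

func main() { fmt.Println(FlagUnusualAccess(SampleLog)) }
```

Hours are interpreted in UTC to keep the rule short; an institution's review would use its local time zone and the baseline it has established for each user or system.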

Outside the system, detection is typically based on system output, such as unusual Automated Clearing House transactions or bill payment transactions. Those unusual transactions may be flagged as a part of ordinary transaction reviews, or customers and other system users may report them. Customers and other users should be advised as to where and how to report anomalies. The anomalous output, however, may not signal an intrusion.

Central reporting and analysis of all IDS output, honeypot monitoring, and anomalous system behavior assists in the intrusion identification process. Any intrusion reporting should use out-of-band communications mechanisms to protect the alert from being intercepted or compromised by an intruder.



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 19 - CRYPTOGRAPHY


19.1.3 Hybrid Cryptographic Systems
Secret key systems are often used for bulk data encryption and public key systems for automated key distribution.

Public and secret key cryptography have relative advantages and disadvantages. Although public key cryptography does not require users to share a common key, secret key cryptography is much faster: equivalent implementations of secret key cryptography can run 1,000 to 10,000 times faster than public key cryptography.

To maximize the advantages and minimize the disadvantages of both secret and public key cryptography, a computer system can use both types in a complementary manner, with each performing different functions. Typically, the speed advantage of secret key cryptography means that it is used for encrypting data. Public key cryptography is used for applications that are less demanding of a computer system's resources, such as encrypting the keys used by secret key cryptography (for distribution) or signing messages.

19.1.4 Key Escrow

Because cryptography can provide extremely strong encryption, it can thwart the government's efforts to lawfully perform electronic surveillance. For example, if strong cryptography is used to encrypt a phone conversation, a court-authorized wiretap will not be effective. To meet the needs of the government and to provide privacy, the federal government has adopted voluntary key escrow cryptography. This technology allows the use of strong encryption, but also allows the government, when legally authorized, to obtain decryption keys held by escrow agents. NIST has published the Escrowed Encryption Standard as FIPS 185. Under the federal government's voluntary key escrow initiative, the decryption keys are split into parts and given to separate escrow authorities. Access to one part of the key does not help decrypt the data; both parts must be obtained.


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com


All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated