REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
- The case for forecasting cyberattacks - Recent data from states
that 96 percent of data breaches are uncovered by third parties -
not internal security teams - and that victimized organizations are
breached for 416 days, or about 13 months, on average.
- The Internet of Things Is Wildly Insecure - And Often Unpatchable
- We’re at a crisis point now with regard to the security of
embedded systems, where computing is embedded into the hardware
itself - as with the Internet of Things. These embedded computers
are riddled with vulnerabilities, and there’s no good way to patch
- Hacker economics: Opportunity costs and attacker attention spans -
When we think about criminal hackers, we picture a techie who lives
and breathes code. The game player, puzzle solver, master of
manipulation. But more recently, another picture comes to mind. When
you get right down to it, hackers are people, too.
- ACLU appeals judge's decision to throw out NSA lawsuit - The civil
liberties group asks an appeals court to review the judge's order
finding a phone records collection program legal - The American
Civil Liberties Union will appeal a judge's decision to throw out
the civil liberties group's lawsuit challenging National Security
- Senators Seek Hearing - Session Would Consider If Stronger Data
Safeguards Needed - Three Democratic senators are calling on the
Senate Banking Committee to examine whether stronger cybersecurity
standards are needed to protect consumer data following a breach at
Target stores that affected as many as 40 million debit and credit
- Cyberwarfare Is Top Threat Facing US - Cyberwarfare is the most
serious threat facing the United States, according to almost half of
US national security leaders who responded to the inaugural Defense
News Leadership Poll.
- Possible link discovered that ties together Wi-Fi routers with
backdoors - A manufacturer of broadband and wireless networking
equipment may be the link that ties together a number of Wi-Fi
routers that contain backdoors, some of which are vulnerable to
remote attacks, according to a researcher.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Predictably, Snapchat user database maliciously exposed - Snapchat
is a textbook example of why responsible disclosure is a failure. On
January 1, 2014, an anonymous user announced the release of
SnapchatDB and 4.6 million usernames and matched phone numbers in a
Hacker News post.
- Poker website hack impacts 50K active accounts, officials say -
Officials with World Poker Tour Amateur Poker League (WPTAPL) have
confirmed that a small portion of data was hacked on its website,
subsequently compromising roughly 50,000 active accounts.
- Undisclosed number of T-Mobile customers impacted in data breach -
An undisclosed number of T-Mobile customers may have had personal
information compromised after an unauthorized party gained access to
a file stored on servers that are owned and managed by a T-Mobile
- Malicious ads infect thousands of Yahoo site visitors per hour - A
Netherlands-based security firm detected an influx of Yahoo.com
visitors being redirected to infected domains by way of malicious
- The county sheriff who keylogged his wife - Oh, you mean this
keylogger? - The keylogger would record his wife's e-mails and her
instant messaging chats as she typed them out letter by letter,
along with the usernames and passwords she used for various online
- World of Warcraft users hit by account-hijacking malware attack -
Infection spread by trojanized add-on, able to defeat two-factor
authentication. World of Warcraft players have been hit with a
malicious trojan that hijacks accounts even when they're protected
by two-factor authentication, officials have warned.
- Trojan identified that steals World of Warcraft account
credentials - An unknown number of World of Warcraft players were
forced to halt their virtual sword swinging and spell casting in
order to combat a trojan designed to compromise account credentials
– even those with two-factor authentication enabled.
- Programming error leads to 50K Medicaid cards mailed to wrong
addresses - It was a computer programming error in the North
Carolina Department of Health and Human Services (NCDHHS) that led
to the Medicaid cards of almost 50,000 children being mailed to
- Hacker Guccifer strikes again, nabbing 'Downton Abbey' script -
Not only did the hacker get a hold of Julian Fellowes' season 4
finale, he also breached the accounts of Leonardo DiCaprio, Tina
Brown, George W. Bush, Robert Redford, and dozens more.
- Stolen laptop compromises more than 12,000 New Mexico patients - A
laptop stolen from the office of a New Mexico Oncology Hematology
Consultants (NMOHC) employee may have led to a compromise of
unsecured protected health information (PHI) for more than 12,000
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Role Of Consumer Compliance In Developing And Implementing
Electronic Services from FDIC:
When violations of the consumer protection laws regarding a
financial institution's electronic services have been cited,
generally the compliance officer has not been involved in the
development and implementation of the electronic services.
Therefore, it is suggested that management and system designers
consult with the compliance officer during the development and
implementation stages in order to minimize compliance risk. The
compliance officer should ensure that the proper controls are
incorporated into the system so that all relevant compliance issues
are fully addressed. This level of involvement will help decrease
an institution's compliance risk and may prevent the need to delay
deployment or redesign programs that do not meet regulatory
The compliance officer should develop a compliance risk profile as a
component of the institution's online banking business and/or
technology plan. This profile will establish a framework from which
the compliance officer and technology staff can discuss specific
technical elements that should be incorporated into the system to
ensure that the online system meets regulatory requirements. For
example, the compliance officer may communicate with the technology
staff about whether compliance disclosures/notices on a web site
should be indicated or delivered by the use of "pointers" or
"hotlinks" to ensure that required disclosures are presented to the
consumer. The compliance officer can also be an ongoing resource to
test the system for regulatory compliance.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
Computer networks often extend connectivity far beyond the financial
institution and its data center. Networks provide system access and
connectivity between business units, affiliates, TSPs, business
partners, customers, and the public. This increased connectivity
requires additional controls to segregate and restrict access
between various groups and information users.
A typical approach to securing a large network involves dividing the
network into logical security domains. A logical security domain is
a distinct part of a network with security policies that differ from
other domains. The differences may be far broader than network
controls, encompassing personnel, host, and other issues.
Typical network controls that distinguish security domains include
access control software permissions, dedicated lines, filtering
routers, firewalls, remote-access servers, and virtual private
networks. This booklet will discuss additional access controls
within the applications and operating systems residing on the
network in other sections. Before selecting the appropriate
controls, financial institutions should map and configure the
network to identify and control all access control points. Network
configuration considerations could include the following actions:
! Identifying the various applications and user-groups accessed via
! Identifying all access points to the network including various
telecommunications channels (e.g., wireless, Ethernet, frame relay,
dedicated lines, remote dial - up access, extranets, Internet);
! Mapping the internal and external connectivity between various
! Defining minimum access requirements for network services (i.e.,
most often referenced as a network services access policy); and
! Determining the most appropriate network configuration to ensure
adequate security and performance.
With a clear understanding of network connectivity, the financial
institution can avoid introducing security vulnerabilities by
minimizing access to less - trusted domains and employing encryption
for less secure connections. Institutions can then determine the
most effective deployment of protocols, filtering routers,
firewalls, gateways, proxy servers, and/or physical isolation to
restrict access. Some applications and business processes may
require complete segregation from the corporate network (e.g., no
connectivity between corporate network and wire transfer system).
Others may restrict access by placing the services that must be
accessed by each zone in their own security domain, commonly called
a "demilitarized zone" (DMZ).
Return to the top of
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
30. Does the institution allow the
consumer to opt out at any time? [§7(f)]
31. Does the institution continue to honor the consumer's opt out
direction until revoked by the consumer in writing, or, if the
consumer agrees, electronically?