REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
Corporate bank account takeovers less successful than ever -
Hijacking corporate bank accounts is still prevalent, but miscreants
are continuing to find less success in performing fraudulent
transactions, according to a new study released Wednesday.
- Hacktivists forecast continued DDoS campaign for banks - The
collective of hackers taking claim for the months-long distributed
denial-of-service (DDoS) attacks on U.S. banking sites now say the
campaign could extend until 2014.
- Feds step up HIPAA enforcement with hospice settlement - A Hayden,
Idaho-based hospice is the first health care organization to be
fined for sustaining a breach that affected fewer than 500
To thwart hackers, firms salting their servers with fake data - A
Printing Co., which prints popular magazines and catalogues, knew
that it had valuable assets in its computer systems and that those
assets - online editions and subscriber databases - were
increasingly at risk with the proliferation of cyber-espionage.
Google finds unauthorized certificate for google.com domain,
scrambles to protect users - The company updated its Chrome browser
and notified other browser makers about the problem - Google has
taken steps to close potential security holes created by a
fraudulent certificate for its google.com domain, discovered in late
- States Bar Employers From Demanding Facebook Passwords -
California and Illinois on Tuesday joined four others in becoming
the union’s only states barring employers from demanding that
employees fork over their social-media passwords.
Nations prepare for cyber war - Security analysts are predicting
that 2013 is when nation-sponsored cyberwarfare goes mainstream --
and some think such attacks will lead to actual deaths.
Los Alamos replaces Chinese-made computer parts over security fears
- US nuclear weapons laboratory found 'isolated cases' of
H3C-branded network switches, according to letter sent to government
- The US nuclear weapons laboratory that was the birthplace of the
atomic bomb has replaced at least two Chinese-made components in its
computer systems over fears they might pose a national security
risk, according to a letter seen by the Reuters news agency.
- UNC cancer center servers attacked to expose info of 3.5K -
Attackers compromised the servers of a North Carolina cancer center
to expose the sensitive information of thousands of employees,
educators and contractors.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
DDoS attacks on banks continue into the New Year - A hacktivist
group is claiming responsibility for outages affecting nine U.S.
bank websites in recent weeks – part of a distributed
denial-of-service (DDoS) operation that began last fall.
Latest IE attack brought by same gang that hacked Google - Active
attacks targeting a critical vulnerability in older versions of
Microsoft's Internet Explorer browser have been carried out by an
experienced gang of hackers.
Hacked SC agency failed to heed security warnings, ex-worker says -
A computer chief at the S.C. Department of Revenue did not heed
warnings about cyber-security shortcomings at that state agency
before hackers stole personal financial data belonging to 6.4
million consumers and business, a former agency employee told
Calif. health vendor laptop stolen; nearly 70K affected - An
unencrypted laptop belonging to a California health care vendor was
stolen, leaving the sensitive information of thousands of patients
- Subway restaurant hacker sentenced to 21 months - A Romanian
hacker, who pleaded guilty to compromising the credit card
processing systems of Subway restaurants in 2011, has been sentenced
to 21 months in prison.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
OCC - Threats from
Fraudulent Bank Web Sites - Risk Mitigation and Response Guidance
for Web Site Spoofing Incidents (Part 3 of 5)
PROCEDURES TO ADDRESS SPOOFING - Information
After a bank has determined that it is the target of a spoofing
incident, it should collect available information about the attack
to enable an appropriate response. The information that is
collected will help the bank identify and shut down the fraudulent
Web site, determine whether customer information has been obtained,
and assist law enforcement authorities with any investigation.
Below is a list of useful information that a bank can collect. In
some cases, banks will require the assistance of information
technology specialists or their service providers to obtain this
* The means by which the bank became aware that it was the target
of a spoofing incident (e.g., report received through Website, fax,
* Copies of any e-mails or documentation regarding other forms of
communication (e.g., telephone calls, faxes, etc.) that were used to
direct customers to the spoofed Web sites;
* Internet Protocol (IP) addresses for the spoofed Web sites along
with identification of the companies associated with the IP
* Web-site addresses (universal resource locator) and the
registration of the associated domain names for the spoofed site;
* The geographic locations of the IP address (city, state, and
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue the
series from the FDIC "Security Risks Associated with the
Digital signatures authenticate the identity of a sender, through
the private, cryptographic key. In addition, every digital
signature is different because it is derived from the content of the
message itself. T he combination of identity authentication and
singularly unique signatures results in a transmission that cannot
Digital signatures can be applied to any data transmission,
including e-mail. To generate a digital signature, the original,
unencrypted message is run through a mathematical algorithm that
generates what is known as a message digest (a unique, character
representation of the data). This process is known as the "hash."
The message digest is then encrypted with a private key, and sent
along with the message. The recipient receives both the message and
the encrypted message digest. The recipient decrypts the message
digest, and then runs the message through the hash function again.
If the resulting message digest matches the one sent with the
message, the message has not been altered and data integrity is
verified. Because the message digest was encrypted with a private
key, the sender can be identified and bound to the specific
message. The digital signature cannot be reused, because it is
unique to the message. In the above example, data privacy and
confidentiality could also be achieved by encrypting the message
itself. The strength and security of a digital signature system is
determined by its implementation, and the management of the
Return to the top of
INTERNET PRIVACY - We
continue our review of the issues in the "Privacy of Consumer
Financial Information" published by the financial regulatory
Nonpublic Personal Information:
"Nonpublic personal information" generally is any
information that is not publicly available and that:
1) a consumer provides to a financial institution to obtain a
financial product or service from the institution;
2) results from a transaction between the consumer and the
institution involving a financial product or service; or
3) a financial institution otherwise obtains about a consumer in
connection with providing a financial product or service.
Information is publicly available if an institution has a reasonable
basis to believe that the information is lawfully made available to
the general public from government records, widely distributed
media, or legally required disclosures to the general public.
Examples include information in a telephone book or a publicly
recorded document, such as a mortgage or securities filing.
Nonpublic personal information may include individual items of
information as well as lists of information. For example, nonpublic
personal information may include names, addresses, phone numbers,
social security numbers, income, credit score, and information
obtained through Internet collection devices (i.e., cookies).
There are special rules regarding lists. Publicly available
information would be treated as nonpublic if it were included on a
list of consumers derived from nonpublic personal information. For
example, a list of the names and addresses of a financial
institution's depositors would be nonpublic personal information
even though the names and addresses might be published in local
telephone directories because the list is derived from the fact that
a person has a deposit account with an institution, which is not
publicly available information.
However, if the financial institution has a reasonable basis to
believe that certain customer relationships are a matter of public
record, then any list of these relationships would be considered
publicly available information. For instance, a list of mortgage
customers where the mortgages are recorded in public records would
be considered publicly available information. The institution could
provide a list of such customers, and include on that list any other
publicly available information it has about the customers on that
list without having to provide notice or opt out.