Muslim hackers attack Israeli websites as Gaza strikes continue -
Muslim hackers have launched a massive cyberattack, defacing more
than 300 Israeli websites since the Jewish state began pounding
Hamas targets in the Gaza Strip, a computer forensics expert said.
Hackers find hole to create rogue digital certificates - Researchers
on Tuesday demonstrated an attack that allowed them to successfully
create a rogue Certification Authority (CA) certificate, which would
be trusted by all web browsers and allow an attacker to impersonate
any website, including those secured by the HTTPS protocol.
Tell us your holiday plans, banks insist - Crackdown on use of
stolen cards - Credit and debit cardholders are being told by banks
to notify them of their holiday destinations and foreign travel
plans or face having their accounts frozen in moves to combat fraud.
Israeli websites hit by pro-Hamas hackers - Visitors to the Ynet
English and Bank Discount page were directed to a page on Friday
that included messages against Israel and the US, along with a
propaganda song in Arabic.
Data breaches rose dramatically during 2008 - Data breaches
increased dramatically in 2008, according to the nonprofit Identity
Theft Resource Center (ITRC). According to the San Diego-based
organization's breach report for last year, 656 data-loss incidents
occurred by the end of 2008, an increase of 47 percent over 2007's
total of 446.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Phishing scam hits Twitter - Thousands of Twitter users may have had
their accounts hijacked and passwords taken in an ongoing phishing
campaign. The first wave of the campaign surfaced this weekend when
Twitter users began receiving fake direct messages (DMs) stating,
"hey! check out this funny blog about you [URL]," with a link to a
phishing site -- a bogus but legitimate-looking Twitter login page
that attempts to trick users into handing over their username and
CheckFree warns 5 million customers after hack - More customers than
initially thought may have been affected by the Dec. 2 attack, such
as those using CheckFree's bill payment service - CheckFree and some
of the banks that use its electronic bill payment service are
notifying more than 5 million customers after criminals took control
of several of the company's Internet domains and redirected customer
traffic to a malicious Web site hosted in the Ukraine.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Advertisement Of Membership
The FDIC and NCUA consider every insured depository institution's
online system top-level page, or "home page", to be an
advertisement. Therefore, according to these agencies'
interpretation of their rules, financial institutions subject to the
regulations should display the official advertising statement on
their home pages unless subject to one of the exceptions described
under the regulations. Furthermore, each subsidiary page of an
online system that contains an advertisement should display the
official advertising statement unless subject to one of the
exceptions described under the regulations. Additional information
about the FDIC's interpretation can be found in the Federal
Register, Volume 62, Page 6145, dated February 11, 1997.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security
CONTROLS - IMPLEMENTATION
PHYSICAL SECURITY IN DISTRIBUTED IS ENVIRONMENTS
(Part 1 of 2)
Hardware and software located in a user department are often less
secure than that located in a computer room. Distributed hardware
and software environments (e.g., local area networks or LANs) that
offer a full range of applications for small financial institutions
as well as larger organizations are commonly housed throughout the
organization, without special environmental controls or raised
flooring. In such situations, physical security precautions are
often less sophisticated than those found in large data centers, and
overall building security becomes more important. Internal control
procedures are necessary for all hardware and software deployed in
distributed, and less secure, environments. The level of security
surrounding any IS hardware and software should depend on the
sensitivity of the data that can be accessed, the significance of
applications processed, the cost of the equipment, and the
availability of backup equipment.
Because of their portability and location in distributed
environments, PCs often are prime targets for theft and misuse. The
location of PCs and the sensitivity of the data and systems they
access determine the extent of physical security required. For PCs
in unrestricted areas such as a branch lobby, a counter or divider
may provide the only barrier to public access. In these cases,
institutions should consider securing PCs to workstations, locking
or removing disk drives, and using screensaver passwords or
automatic timeouts. Employees also should have only the access to
PCs and data they need to perform their job. The sensitivity of the
data processed or accessed by the computer usually dictates the
level of control required. The effectiveness of security measures
depends on employee awareness and enforcement of these controls.
An advantage of PCs is that they can operate in an office
environment, providing flexible and informal operations. However, as
with larger systems, PCs are sensitive to environmental factors such
as smoke, dust, heat, humidity, food particles, and liquids. Because
they are not usually located within a secure area, policies should
be adapted to provide protection from ordinary contaminants.
Other environmental problems to guard against include electrical
power surges and static electricity. The electrical power supply in
an office environment is sufficient for a PC's requirements.
However, periodic fluctuations in power (surges) can cause equipment
damage or loss of data. PCs in environments that generate static
electricity are susceptible to static electrical discharges that can
cause damage to PC components or memory.
Return to the top of the
D. USER EQUIPMENT SECURITY
(E.G. WORKSTATION, LAPTOP, HANDHELD)
7. Determine whether systems are protected
against malicious software such as Trojan horses, viruses, and
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Examination Procedures (Part 2 of 3)
B. Use the information gathered from step A to work through the
"Privacy Notice and Opt Out Decision Tree." Identify
which module(s) of procedures is (are) applicable.
C. Use the information gathered from step A to work through the
Reuse and Redisclosure and Account Number Sharing Decision Trees, as
necessary (Attachments B & C). Identify which module is
D. Determine the adequacy of the financial institution's internal
controls and procedures to ensure compliance with the privacy
regulation as applicable. Consider the following:
1) Sufficiency of internal policies and procedures, and
controls, including review of new products and services and controls
over servicing arrangements and marketing arrangements;
2) Effectiveness of management information systems, including
the use of technology for monitoring, exception reports, and
standardization of forms and procedures;
3) Frequency and effectiveness of monitoring procedures;
4) Adequacy and regularity of the institution's training
5) Suitability of the compliance audit program for ensuring
a) the procedures address all
regulatory provisions as applicable;
b) the work is accurate and
comprehensive with respect to the institution's information sharing
c) the frequency is appropriate;
d) conclusions are appropriately
reached and presented to responsible parties;
e) steps are taken to correct
deficiencies and to follow-up on previously identified deficiencies;
6) Knowledge level of management and personnel.