Does your financial institution need an affordable Internet security audit? Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
FYI - IDs from hotel computers - A Colombian engineer pleaded guilty in federal court to illegally hacking into hotel computers in Miami, Las Vegas and other cities to steal credit card numbers and other personal information to pocket more than $400,000 to finance his luxurious lifestyle.
http://www.miamiherald.com/news/breaking_news/story/372940.html

FYI - Fully patched PCs are a rare breed - A small minority of users - as few as one in 20 - is running fully-patched Windows PCs. Just five per cent of newly-registered users of an online security inspection service from Secunia came out with a clean bill of health, while more than 40 per cent have at least 11 insecure applications installed.
http://www.theregister.co.uk/2008/01/09/secunia_insecurity_survey/print.html

FYI - New mass hack strikes sites, confounds researchers - May be linked to November 2007 break-in at U.K. hosting firm - A massive hack of legitimate Web sites has been spreading malware to visitors' PCs, using a new tactic that has made detection "extraordinarily difficult," security experts said today.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9057224&source=NLT_PM&nlid=8

FYI - Barclays chairman has identity stolen - Thief gets away with £10,000 - Marcus Agius, the chairman of Barclays Bank, has had £10,000 stolen by an identity thief.
http://www.vnunet.com/vnunet/news/2207085/barclays-chairman-identity
http://www.metro.co.uk/news/article.html?in_article_id=83296&in_page_id=34

FYI - Rootkit targeting Master Boot Record in the wild - A rootkit attacking the Master Boot Record (MBR) -- a vector used more than a decade ago on MS-DOS operating systems -- on various Windows operating systems is spreading in the wild, according to researchers.
http://www.scmagazineus.com/Rootkit-targeting-Master-Boot-Record-in-the-wild/article/100576/

FYI - Silentbanker trojan dupes bank customers into sending money - A researcher has warned that the Silentbanker trojan apparently is able to circumvent two-factor authorization and inject itself into the middle of ongoing banking transactions, duping bank customers into sending money to attackers while the customer proceeds with what looks like a valid transaction.
http://www.scmagazineus.com/Silentbanker-trojan-dupes-bank-customers-into-sending-money/article/104171/

FYI - Attack injects malicious JavaScript into hundreds of e-commerce sites - A "massive attack" related to the November break-in of an internet hosting company has injected malicious JavaScript code into several hundred e-commerce websites, particularly in the United Kingdom, according to Trend Micro.
http://www.scmagazineus.com/Attack-injects-malicious-JavaScript-into-hundreds-of-e-commerce-sites/article/104206/

FYI - House Oversight panel slams TSA for lax website security - A Congressional committee has slammed the Transportation Security Administration (TSA) for giving a no-bid contract to a website developer that failed to implement cybersecurity procedures to protect the personal information of travelers.
http://www.scmagazineus.com/House-Oversight-panel-slams-TSA-for-lax-website-security/article/104193/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Hacker posts hundreds of credit card numbers - News First Investigates has uncovered what looks like a major internet breach. We found a list of hundreds of credit card numbers and personal information on a website hosted by Google.
http://www.koaa.com/aaaa_top_stories/x1457862232

FYI - Polish teen derails tram after hacking train network - A Polish teenager allegedly turned the tram system in the city of Lodz into his own personal train set, triggering chaos and derailing four vehicles in the process. Twelve people were injured in one of the incidents.
http://www.theregister.co.uk/2008/01/11/tram_hack/print.html

FYI - Security guard relaxed as Metro data thieves struck - Two laptop computers containing 337,000 Nashville voters' Social Security numbers were stolen as the building's security guard listened to Christmas music, ordered food and visited the break room, failing to make his hourly rounds.
http://www.tennessean.com/apps/pbcs.dll/article?AID=200880103134
http://milwaukee.bizjournals.com/nashville/stories/2008/01/07/daily29.html
WEB SITE COMPLIANCE - Flood Disaster Protection Act
The regulation implementing the National Flood Insurance Program requires a financial institution to notify a prospective borrower and the servicer that the structure securing the loan is located or to be located in a special flood hazard area. The regulation also requires a notice of the servicer's identity be delivered to the insurance provider. While the regulation addresses electronic delivery to the servicer and to the insurance provider, it does not address electronic delivery of the notice to the borrower.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
INFORMATION SECURITY RISK ASSESSMENT
Action Summary - Financial institutions must maintain an ongoing information security risk assessment program that effectively:
1) Gathers data regarding the information and technology assets of the organization, threats to those assets, vulnerabilities, existing security controls and processes, and the current security standards and requirements;
2) Analyzes the probability and impact associated with the known threats and vulnerabilities to its assets; and
3) Prioritizes the risks present due to threats and vulnerabilities to determine the appropriate level of training, controls, and testing necessary for effective mitigation.
IT SECURITY QUESTION:
A. AUTHENTICATION AND ACCESS CONTROLS - Access Rights Administration
6. Determine that, where appropriate and feasible, programs do not run with greater access to other resources than necessary. Programs to consider include application programs, network administration programs (e.g., DNS), and other programs.
7. Compare the access control rules establishment and assignment processes to the access control policy for consistency.
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
Content of Privacy Notice
12. Does the institution make the following disclosures regarding service providers and joint marketers to whom it discloses nonpublic personal information under §13:
a. as applicable, the same categories and examples of nonpublic personal information disclosed as described in paragraphs (a)(2) and (c)(2) of section six (6) (see questions 8b and 10); and [§6(c)(4)(i)]
b. that the third party is a service provider that performs marketing on the institution's behalf or on behalf of the institution and another financial institution; [§6(c)(4)(ii)(A)] or
c. that the third party is a financial institution with which the institution has a joint marketing agreement? [§6(c)(4)(ii)(B)]