- Putin orders Russian computers protected after spy attacks -
President Vladimir Putin has ordered Russian authorities to protect
state computers from hacking attacks, the Kremlin said on Monday,
after an Internet security firm said a spy network had infiltrated
government and embassy computers across the former Soviet bloc.
- Oracle speaks, promises to get Java "fixed up" - After a series of
Java malware outbreaks that have resulted in widespread infections
and earned significant criticisms from security analysts, many of
whom recommended uninstalling the software altogether, Oracle
appears ready to break its silence and address the concerns.
- Security lands Sony £250k fine for PlayStation Network hack - Leak
of millions of Brits' sensitive info preventable, says ICO - Sony
has been fined £250,000 ($395k) for allowing millions of UK gamers'
details to be spilled online by PlayStation Network hackers.
- Exposure of files on unsecured wireless no excuse to search, judge
rules - An individual who inadvertently exposes the contents of his
computer over an unsecured wireless network still has a reasonable
expectation of privacy against a search of those contents by the
police, a federal judge in Oregon ruled last week.
- Hacktivists suspend bank DDoS campaign - A group that claimed
responsibility for launching distributed denial-of-service (DDoS)
attacks against several U.S. bank sites suspended its campaign after
an offensive anti-Muslim video was pulled offline.
- Security as the infrastructure platform of the future - January is
a good time to plan. It's the start of a new year and those things
that seemed so far away in December are suddenly right around the
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Stanford reports fourth HIPAA breach - Some 57,000 pediatric
patients get notified - Some 57,000 patients seen at the Palo Alto,
Calif.-based Lucile Packard Children's Hospital have been notified
of a potential HIPAA breach after an unencrypted company laptop
containing patient medical information was stolen from a physician's
car Jan. 9.
- FBI turns up heat in hunt for Stuxnet leakers - Summary: The FBI
and Department of Justice are scouring email and phone records of a
potentially small circle of officials that knew about Stuxnet. US
federal investigators are applying pressure on senior government
officials suspected of leaking details about the US government's
role in developing the Stuxnet malware, according to a report by the
- In Swartz protest, Anon hacks U.S. site, threatens leaks - Saying
"a line was crossed" with the treatment of tech activist Aaron
Swartz, the group hacks a government site related to the justice
system and distributes encrypted files it says it will decrypt
unless demands are met.
- New York Times breach opens anti-virus, attribution debate -
Stealthy and sophisticated hackers spent four months infiltrating
computer networks at The New York Times, ripping off passwords of
reporters in an attempt to uncover information related to a story
the newspaper wrote in October about the fortune amassed by
relatives of China's prime minister, the publication disclosed in an
WEB SITE COMPLIANCE -
Guidance on Safeguarding
Customers Against E-Mail and Internet-Related Fraudulent Schemes
(Part 1 of 3)
E-mail and Internet-related fraudulent schemes, such as "phishing"
(pronounced "fishing"), are being perpetrated with increasing
frequency, creativity and intensity. Phishing involves the use of
seemingly legitimate e-mail messages and Internet Web sites to
deceive consumers into disclosing sensitive information, such as
bank account information, Social Security numbers, credit card
numbers, passwords, and personal identification numbers (PINs). The
perpetrator of the fraudulent e-mail message may use various means
to convince the recipient that the message is legitimate and from a
trusted source with which the recipient has an established business
relationship, such as a bank. Techniques such as a false "from"
address or the use of seemingly legitimate bank logos, Web links and
graphics may be used to mislead e-mail recipients.
In most phishing schemes, the fraudulent e-mail message will request
that recipients "update" or "validate" their financial or personal
information in order to maintain their accounts, and direct them to
a fraudulent Web site that may look very similar to the Web site of
the legitimate business. These Web sites may include copied or
"spoofed" pages from legitimate Web sites to further trick consumers
into thinking they are responding to a bona fide request. Some
consumers will mistakenly submit financial and personal information
to the perpetrator who will use it to gain access to financial
records or accounts, commit identity theft or engage in other
The Federal Deposit Insurance Corporation (FDIC) and other
government agencies have also been "spoofed" in the perpetration of
e-mail and Internet-related fraudulent schemes. For example, in
January 2004, a fictitious e-mail message that appeared to be from
the FDIC was widely distributed, and it told recipients that their
deposit insurance would be suspended until they verified their
identity. The e-mail message included a hyperlink to a fraudulent
Web site that looked similar to the FDIC's legitimate Web site and
asked for confidential information, including bank account
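The "false from address", spoofed link and "update your account" demand described above, turned into a simple indicator check over a constructed sample message. This is an added example, not part of the FDIC guidance; the trusted-domain set and the .test domain names are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the institution's genuine domains (constructed .test names).
TRUSTED_DOMAINS = {"examplebank.test"}
LURE_WORDS = ("update", "validate", "verify", "suspend")
LINK_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample message showing the techniques the guidance describes:
# a false "from" display name, a spoofed link and an "update your account" demand.
SAMPLE = """From: "Example Bank Security" <alerts@examplebank-verify.test>
To: customer@example.test
Subject: Please validate your account
Content-Type: text/html

<p>Please <a href="http://203.0.113.7/login">update</a> your account at
<a href="http://examplebank.test.evil-host.test/">https://www.examplebank.test</a>
or your account will be suspended.</p>
"""

def registrable(host: str) -> str:
    """Crude registrable-domain extraction (last two labels); enough for this demonstration."""
    return ".".join(host.lower().split(".")[-2:])

def phishing_indicators(raw: str) -> list[str]:
    """Return the phishing indicators found in one raw e-mail; an empty list means none."""
    msg = message_from_string(raw)
    hits = []
    _name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if registrable(sender_domain) not in TRUSTED_DOMAINS:
        hits.append(f"sender domain {sender_domain or '<none>'} is not a trusted institution domain")
    body = msg.get_payload() or ""
    for href, text in LINK_RE.findall(body):
        host = urlparse(href).hostname or ""
        if registrable(host) not in TRUSTED_DOMAINS:
            hits.append(f"link to untrusted host {host}")
        shown = urlparse(text.strip()).hostname   # what the recipient sees as the link
        if shown and registrable(shown) != registrable(host):
            hits.append(f"link text shows {shown} but points to {host}")
    if any(word in body.lower() for word in LURE_WORDS):
        hits.append("urgent update/validate wording in body")
    return hits

if __name__ == "__main__":
    for hit in phishing_indicators(SAMPLE):
        print("-", hit)
```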
INFORMATION TECHNOLOGY SECURITY -
We continue the
series from the FDIC "Security Risks Associated with the
Firewalls - Description, Configuration, and Placement
A firewall is a combination of hardware and software placed between
two networks, through which all traffic, regardless of direction,
must pass. When employed properly, it is a primary security measure
in governing access control and protecting the internal system from
compromise.
The key to a firewall's ability to protect the network is its
configuration and its location within the system. Firewall products
do not afford adequate security protection as purchased. They must
be set up, or configured, to permit or deny the appropriate traffic.
To provide the most security, the underlying rule should be to deny
all traffic unless expressly permitted. This requires system
administrators to review and evaluate the need for all permitted
activities, as well as who may need to use them. For example, to
protect against Internet protocol (IP) spoofing, data arriving from
an outside network that claims to be originating from an internal
computer should be denied access. Alternatively, systems could be
denied access based on their IP address, regardless of the
origination point. Such requests could then be evaluated based on
what information was requested and where in the internal system it
was requested from. For instance, incoming FTP requests may be
permitted, but outgoing FTP requests denied.
Often, there is a delicate balance between what is necessary to
perform business operations and the need for security. Due to the
intricate details of firewall programming, the configuration should
be reassessed after every system change or software update. Even if
the system or application base does not change, the threats to the
system do. Evolving risks and threats should be routinely monitored
and considered to ensure the firewall remains an adequate security
measure. If the firewall system should ever fail, the default should
deny all access rather than permit the information flow to continue.
Ideally, firewalls should be installed at any point where a computer
system comes into contact with another network. The firewall system
should also include alerting mechanisms to identify and record
successful and attempted attacks and intrusions. In addition,
detection mechanisms and procedures should include the generation
and routine review of security logs.
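The rules described above (deny everything not expressly permitted, drop outside packets that claim an internal source, permit inbound but deny outbound FTP, fail closed, and log attempts for review) as a small packet-filter policy in Python. This is an added example rather than any product's rule base; the 10.0.0.0/8 internal network and the outbound-HTTPS rule are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed example values: the protected internal network and the ports used.
INTERNAL = ip_network("10.0.0.0/8")
FTP_PORT, HTTPS_PORT = 21, 443

# Security log of denied and suspicious traffic, for the routine review the guidance calls for.
security_log: list[str] = []

@dataclass(frozen=True)
class Packet:
    src: str       # source IP address as it appears in the packet
    dst: str       # destination IP address
    dport: int     # destination port
    inbound: bool  # True when the packet arrived on the outside (Internet-facing) interface

def evaluate_rules(pkt: Packet) -> bool:
    """Default-deny rule base: a packet passes only if a rule expressly permits it."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    # Anti-spoofing: a packet from the outside must never claim an internal source address.
    if pkt.inbound and src in INTERNAL:
        security_log.append(f"SPOOF inbound src={pkt.src} dst={pkt.dst}:{pkt.dport}")
        return False
    # The guidance's own example: inbound FTP permitted, outbound FTP denied.
    if pkt.dport == FTP_PORT and pkt.inbound and dst in INTERNAL:
        return True
    # Assumed business need (constructed rule): internal hosts may reach HTTPS sites.
    if pkt.dport == HTTPS_PORT and not pkt.inbound and src in INTERNAL:
        return True
    direction = "inbound" if pkt.inbound else "outbound"
    security_log.append(f"DENY {direction} {pkt.src}->{pkt.dst}:{pkt.dport}")
    return False

def filter_packet(pkt: Packet) -> bool:
    """Fail closed: if rule evaluation itself fails, deny rather than let traffic flow."""
    try:
        return evaluate_rules(pkt)
    except ValueError as exc:  # e.g. an address the filter cannot parse
        security_log.append(f"ERROR {exc}; packet denied")
        return False

def log_entries() -> list[str]:
    return list(security_log)

if __name__ == "__main__":
    for p in (Packet("203.0.113.5", "10.0.0.10", 21, True),
              Packet("10.1.2.3", "10.0.0.10", 22, True),
              Packet("10.0.0.10", "203.0.113.5", 21, False)):
        print(p, "PERMIT" if filter_packet(p) else "DENY")
    print("\n".join(log_entries()))
```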
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
Consumer and Customer:
The distinction between consumers and customers is
significant because financial institutions have additional
disclosure duties with respect to customers. All customers covered
under the regulation are consumers, but not all consumers are
A "consumer" is an individual, or that individual's legal
representative, who obtains or has obtained a financial product or
service from a financial institution that is to be used primarily
for personal, family, or household purposes.
A "financial service" includes, among other things, a financial
institution's evaluation or brokerage of information that the
institution collects in connection with a request or an application
from a consumer for a financial product or service. For example, a
financial service includes a lender's evaluation of an application
for a consumer loan or for opening a deposit account even if the
application is ultimately rejected or withdrawn.
Consumers who are not customers are entitled to an initial privacy
and opt out notice only if their financial institution wants to
share their nonpublic personal information with nonaffiliated third
parties outside of the exceptions.
A "customer" is a consumer who has a "customer relationship" with a
financial institution. A "customer relationship" is a continuing
relationship between a consumer and a financial institution under
which the institution provides one or more financial products or
services to the consumer that are to be used primarily for personal,
family, or household purposes.