FBI Investigates $9 Million ATM Scam - A Fox 5 investigation exposes
a worldwide ATM scam that swindled $9 million and possibly
jeopardized sensitive information from people around the world. Law
enforcement sources told Fox 5 it's one of the most frightening
well-coordinated heists they've ever seen.
Achilles' Heel Of Corporate Security - Last year, 55% of all the
computer security vulnerabilities disclosed affected Web
applications, and 74% of these had no patch. "Certain types of
corporate applications, namely custom-built software like Web
applications, remain a highly profitable and inexpensive target for
criminal attackers," the report states.
Geeks.com settles with FTC - An online computer supplies and
electronics retailer agreed to settle Federal Trade Commission (FTC)
charges that it violated federal law by not providing adequate
security to protect customer data, the agency announced.
Firms lack confidence they can deter internal attacks - Human error
is the leading cause for IT system breaches, and most corporate
security officials do not feel confident they can protect their
organizations from internal cyberattacks, according to Deloitte
Touche Tohmatsu's annual survey.
A call to revamp HIPAA - The Health Insurance Portability and
Accountability Act (HIPAA) is inadequate for protecting privacy and
also stymies research, as access to patient health information is
vital for making medical advances, according to a new report from
the National Academy of Sciences' Institute of Medicine (IOM).
Don't blame the employees for peeping: Organizations are at fault
for poor access governance - The natural curiosity of employees to
view the private records of political figures and celebrities is
leading to people losing their jobs or being criminally convicted.
Houston justice system laid low by Conficker worm - The justice
system in Houston was thrown into disarray late last week after the
infamous Conficker (Downadup) worm infected key systems.
Obama orders 60-day cybersecurity review - President Obama ordered a
60-day review of federal government cybersecurity initiatives, to be
led by former Bush-administration aide Melissa Hathaway, the White
Was Scott McNealy right? - Scott McNealy made his famous comment
about privacy in the digital age at an event launching Sun
Microsystems' Jini technology on January 25, 1999. His comment
immediately drew angry responses from privacy advocates. Some claimed
that they were "astonished" that he could say that we don't have
privacy any more.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Intruders put virus on government security contractor network - A
security services provider for the federal government has alerted an
unknown number of employees, former employees and customers that its
network was compromised by malware. Virginia-based SRA International
disclosed that hackers were able to access the network to install a
Cybercriminals Try Phishing With Fliers - As part of their ongoing
effort to convince people to visit malicious Web sites,
cybercriminals are experimenting with a new medium: phony
Open sourcey bulletin board offline after hack attack - phpBB coughs
up names, addresses, passwords - The website for one of the net's
more popular bulletin board software packages has been taken offline
following a security breach that gave an attacker full access to a
database containing names, email addresses, and hashed passwords for
its entire user base.
FAA reports breach that puts employee data at risk - A server at the
U.S. Federal Aviation Administration was illegally accessed online
and personal identity information of employees was stolen, the
Police retrieve Kaiser employee files from criminal suspect - Kaiser
Permanente today alerted its 29,500 Northern California employees
that their personnel information was found in the hands of a
recently arrested criminal suspect.
WEB SITE COMPLIANCE -
Flood Disaster Protection Act
The regulation implementing the National Flood Insurance Program
requires a financial institution to notify a prospective borrower
and the servicer that the structure securing the loan is located or
is to be located in a special flood hazard area. The regulation also
requires that a notice of the servicer's identity be delivered to the
insurance provider. While the regulation addresses electronic
delivery to the servicer and to the insurance provider, it does not
address electronic delivery of the notice to the borrower.
INFORMATION TECHNOLOGY SECURITY -
continue our series on the FFIEC interagency Information Security
Three types of encryption exist: the cryptographic hash, symmetric
encryption, and asymmetric encryption.
A cryptographic hash reduces a variable-length input to a
fixed-length output. The fixed-length output is a unique
cryptographic representation of the input. Hashes are used to verify
file and message integrity. For instance, if hashes are obtained
from key operating system binaries when the system is first
installed, the hashes can be compared to subsequently obtained
hashes to determine if any binaries were changed. Hashes are also
used to protect passwords from disclosure. A hash, by definition, is
a one-way encryption. An attacker who obtains the hashed password cannot
run the hash through an algorithm to decrypt the password. However,
the attacker can perform a dictionary attack, feeding all possible
password combinations through the algorithm and looking for matching
hashes, thereby deducing the password. To protect against that
attack, "salt," or additional bits, are added to the password before
encryption. The addition of the bits means the attacker must
increase the dictionary to include all possible additional bits,
thereby increasing the difficulty of the attack.
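The two uses of hashing described above, as an added example that is not part of the newsletter or the FFIEC booklet: a baseline of binary hashes compared against later hashes to spot a changed file, and salted password storage where a per-user random salt makes identical passwords hash to different stored values. It uses only the Python standard library; the sample "binaries", file names and passwords are constructed, and the PBKDF2 iteration count is an assumed value.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

ITERATIONS = 100_000  # PBKDF2 work factor; assumed value, tune for your hardware


def sha256_hex(data: bytes) -> str:
    """Fixed-length digest of a variable-length input."""
    return hashlib.sha256(data).hexdigest()


def baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record hashes of key binaries at install time (name -> digest)."""
    return {name: sha256_hex(content) for name, content in files.items()}


def changed_files(base: Dict[str, str], files: Dict[str, bytes]) -> List[str]:
    """Names whose current hash no longer matches the recorded baseline."""
    return sorted(name for name, content in files.items()
                  if base.get(name) != sha256_hex(content))


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store 'salt$digest'; a fresh random salt makes equal passwords differ."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def demo() -> dict:
    # Constructed sample binaries; one is later replaced with a tampered copy.
    installed = {"/bin/ls": b"ls v1", "/bin/ps": b"ps v1"}
    base = baseline(installed)
    later = {"/bin/ls": b"ls v1", "/bin/ps": b"ps v1 + implant"}
    # Two users pick the same weak password; the stored values still differ.
    a, b = hash_password("winter2009"), hash_password("winter2009")
    return {"tampered": changed_files(base, later),
            "stored_differ": a != b,
            "verify_ok": verify_password("winter2009", a),
            "verify_wrong": verify_password("Winter2009", a)}
```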
Symmetric encryption is the use of the same key and algorithm by the
creator and reader of a file or message. The creator uses the key
and algorithm to encrypt, and the reader uses both to decrypt.
Symmetric encryption relies on the secrecy of the key. If the key is
captured by an attacker either when it is exchanged between the
communicating parties, or while one of the parties uses or stores
the key, the attacker can use the key and the algorithm to decrypt
messages, or to masquerade as a message creator.
Asymmetric encryption lessens the risk of key exposure by using two
mathematically related keys, the private key and the public key.
When one key is used to encrypt, only the other key can decrypt.
Therefore, only one key (the private key) must be kept secret. The
key that is exchanged (the public key) poses no risk if it becomes
known. For instance, if individual A has a private key and publishes
the public key, individual B can obtain the public key, encrypt a
message to individual A, and send it. As long as individual A keeps
his private key secure from discovery, only individual A will be
able to decrypt the message.
F. PERSONNEL SECURITY
1. Determine if the institution performs appropriate background
checks on its personnel, during the hiring process and thereafter,
according to the employee's authority over the institution's systems
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Sharing nonpublic personal information with nonaffiliated third
parties under Sections 13, 14, and/or 15 but outside of these
exceptions (Part 1 of 2)
A. Disclosure of Nonpublic Personal Information
1) Select a sample of third party relationships with
nonaffiliated third parties and obtain a sample of data shared
between the institution and the third party. The sample should
include a cross-section of relationships but should emphasize those
that are higher risk in nature as determined by the initial
procedures. Perform the following comparisons to evaluate the
financial institution's compliance with disclosure limitations.
a. Compare the data shared and with whom the data were shared
to ensure that the institution accurately categorized its
information sharing practices and is not sharing nonpublic personal
information outside the exceptions (§§13, 14, 15).
b. Compare the categories of data shared and with whom the
data were shared to those stated in the privacy notice and verify
that what the institution tells consumers in its notices about its
policies and practices in this regard and what the institution
actually does are consistent (§§10, 6).
2) Review contracts with nonaffiliated third parties that
perform services for the financial institution not covered by the
exceptions in section 14 or 15. Determine whether the contracts
adequately prohibit the third party from disclosing or using the
information other than to carry out the purposes for which the
information was disclosed. Note that the "grandfather"
provisions of Section 18 apply to certain of these contracts. (§13(a)).