REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
- Organizations continue to lack incident response proficiency,
study finds - Security professionals are anticipating breaches, but
organizations continue to lack the necessary incident response
capabilities, a recent study found.
- New FBI boss says cyber crime, not terrorism, is top of Feds' to-do
list - Malware cousin of fingerprint and DNA database to be shared
with infosec world - The FBI's new director James Comey has told the
RSA security conference in San Francisco that he is making thwarting
online crime the major focus for his agency in the coming decade.
- Florida Cops’ Secret Weapon: Warrantless Cellphone Tracking -
Police in Florida have offered a startling excuse for having used a
controversial “stingray” cellphone tracking gadget 200 times without
ever telling a judge: the device’s manufacturer made them sign a
non-disclosure agreement that they say prevented them from telling
- Twitter system error accidentally resets users' passwords -
Thousands of Twitter users thought their accounts were compromised
yesterday after receiving an email from the company prompting them
to reset their passwords.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- UK man charged with hacking Federal Reserve - The defendant is
accused of stealing personal information of employees and publishing
it on a website - A British man faces new charges in the U.S. for
allegedly hacking into the Federal Reserve Bank's servers and
stealing names, email addresses and other personal information of
the bank's computer users.
- Black market lights up with 360M stolen credentials - Some 360
million account credentials are newly available for sale on the
black market, according to one security firm, and may be from
several yet-to-be-reported security breaches.
- Web crawlers tap data, put about 146K Indiana Univ. students at
risk - Nearly 146,000 former and current students of Indiana
University may have had personal information – including Social
Security numbers – exposed after three web indexing bots known as
web crawlers accessed the data from an unsecured site.
- Bank reports payment cards used in Chicago cabs being compromised
- Travelers who recently charged a Chicago cab fare to a payment
card may want to be on the lookout for fraudulent charges, according
to Illinois-based First American Bank, which warned its own
customers on Friday against using their MasterCard debit cards in
Windy City taxis.
- Impact of Detroit breach could be greater than reported, expert
says - Officials are notifying about 1,700 current and former
Detroit fire and emergency medical services (EMS) employees that
their personal information may have been compromised by malware that
locked City files.
- Russia Today defaced by hackers - Russia's biggest news channel
website, Russia Today (RT), was compromised and defaced by hackers
- Las Vegas Sands confirms attackers accessed sensitive employee,
customer info - Following an early February breach that affected Las
Vegas Sands casino websites and internal office systems in the U.S.,
the corporation determined that the cyber attackers made off with
“some legally protected data” belonging to employees and customers
at the Bethlehem, Pa., hotel and casino, the company announced.
- Team Cymru spots 300,000 compromised SOHO gateways - Researchers
spot attackers 'pharming' traffic with dodgy DNS - It's time to
check the DNS settings on your broadband gateway, with security
research group Team Cymru discovering an attack that could have
redirected as many as 300,000 devices to a malicious resolver.
- Flexcoin hacked, Mt. Gox code leaks, but Bitcoin demand still
grows - Following a strong rise to prominence in recent months,
weaknesses in the anonymous and fairly unregulated virtual currency
market are beginning to show.
- Sally Beauty investigates breach, no evidence of stolen payment
cards - A weeks-old attempted intrusion is still being investigated,
but Texas-based Sally Beauty has no evidence to suggest that 282,000
payment cards found in an online underground crime market were
pilfered from the worldwide beauty supplies retailer - despite
reports that suggest otherwise.
- Smucker's breached, possible ties to other high-profile attacks -
The J.M. Smucker Company, an Ohio-based producer of fruit spreads
and beverages, has shut down its Online Store following a data
breach affecting its customers' personal financial information.
- Payroll vendor breached, data on more than 43,000 employees at
risk - More than 43,000 former and current employees of
Chicago-based Assisted Living Concepts (ALC) are being notified that
their personal data - including Social Security numbers and pay
information - may be at risk after an unauthorized third party
breached ALC's payroll vendor and gained access to sensitive files.
- North Dakota University System hacked, roughly 300K impacted - The
North Dakota University System (NDUS) is notifying more than 290,000
former and current students and roughly 780 faculty and staff that
their personal information – including Social Security numbers – may
be at risk after an unauthorized party gained access to one of its
- Oregon man received thousands of medical records on his home fax -
Patient data was compromised after a Wisconsin hospital unknowingly
faxed patients' records to an Oregon man.
WEB SITE COMPLIANCE -
We continue our review of the FDIC paper "Risk
Assessment Tools and Practices for Information System Security."
To ensure the security of information systems and data, financial
institutions should have a sound information security program that
identifies, measures, monitors, and manages potential risk exposure.
Fundamental to an effective information security program is ongoing
risk assessment of threats and vulnerabilities surrounding networked
and/or Internet systems. Institutions should consider the various
measures available to support and enhance information security
programs. The appendix to this paper describes certain vulnerability
assessment tools and intrusion detection methods that can be useful
in preventing and identifying attempted external break-ins or
internal misuse of information systems. Institutions should also
consider plans for responding to an information security incident.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION -
Packet Filter Firewalls
Basic packet filtering was described in the router section and does
not include stateful inspection. Packet filter firewalls evaluate
the headers of each incoming and outgoing packet to ensure it has a
valid internal address, originates from a permitted external
address, connects to an authorized protocol or service, and contains
valid basic header instructions. If the packet does not match the
pre-defined policy for allowed traffic, then the firewall drops the
packet. Packet filters generally do not analyze the packet contents
beyond the header information. Dynamic packet filtering incorporates
stateful inspection primarily for performance benefits. Before
re-examining every packet, the firewall checks each packet as it
arrives to determine whether it is part of an existing connection.
If it verifies that the packet belongs to an established connection,
then it forwards the packet without subjecting it to the firewall
Weaknesses associated with packet filtering firewalls include the
! The system is unable to prevent attacks that employ application
specific vulnerabilities and functions because the packet filter
cannot examine packet contents.
! Logging functionality is limited to the same information used to
make access control decisions.
! Most do not support advanced user authentication schemes.
! Firewalls are generally vulnerable to attacks and exploitation
that take advantage of problems in the TCP/IP specification.
! The firewalls are easy to misconfigure, which allows traffic to
pass that should be blocked.
Packet filtering offers less security, but faster performance than
application-level firewalls. The former are appropriate in high-speed
environments where logging and user authentication with
network resources are not important. Packet filter firewalls are
also commonly used in small office/home office (SOHO) systems and
default operating system firewalls.
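The contrast between a header-only packet filter and a stateful one, and the first and fourth weaknesses listed above, can be seen in a small simulation. The following is an added example, not text or code from the FFIEC booklet; the packet fields, the rule format, the 10.0.0.0/8 internal range and the sample packets are all this example's own constructions. The stateless policy has to admit replies to outbound sessions, and the only header-level signal it has for "this is a reply" is the TCP ACK flag; an attacker who sets ACK on an unsolicited probe (an ACK scan) therefore walks through it, while the stateful filter drops the same packet because no connection entry exists.

```python
"""Stateless vs stateful packet filtering (added example, not from the FFIEC text)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Union

INTERNAL = ip_network("10.0.0.0/8")   # assumption: the institution's internal address range


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp" or "udp"
    sport: int
    dport: int
    flags: frozenset = frozenset()  # TCP flags present, e.g. {"SYN"}, {"ACK"}
    direction: str = "in"           # "in" = arriving from the Internet, "out" = leaving the internal net


def header_sane(p: Packet) -> bool:
    """Header checks both filter types perform: addresses parse, and a packet on the
    outside interface does not claim an internal source (anti-spoofing)."""
    try:
        src, dst = ip_address(p.src), ip_address(p.dst)
    except ValueError:
        return False
    if p.direction == "in":
        return src not in INTERNAL and dst in INTERNAL
    return src in INTERNAL and dst not in INTERNAL


@dataclass
class Rule:
    direction: str
    proto: str
    dport: Union[int, str]          # port number or "any"
    flags_required: frozenset = frozenset()
    flags_forbidden: frozenset = frozenset()
    action: str = "allow"

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction and self.proto == p.proto
                and (self.dport == "any" or self.dport == p.dport)
                and self.flags_required <= p.flags
                and not (self.flags_forbidden & p.flags))


def stateless_filter(rules, p: Packet) -> str:
    """Packet filter: first matching rule wins, default deny; only headers are consulted."""
    if not header_sane(p):
        return "drop"
    for r in rules:
        if r.matches(p):
            return r.action
    return "drop"


class StatefulFilter:
    """Dynamic packet filter: packets of a known flow bypass the rule lookup; a TCP packet
    that is neither in the table nor a connection opener (SYN without ACK) is dropped."""

    def __init__(self, rules):
        self.rules = rules
        self.table = set()          # established flows, keyed with the internal side first

    def _flow(self, p: Packet):
        if p.direction == "out":
            return (p.proto, p.src, p.sport, p.dst, p.dport)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def decide(self, p: Packet) -> str:
        if not header_sane(p):
            return "drop"
        flow = self._flow(p)
        if flow in self.table:
            return "allow"          # existing connection: forwarded without a rule lookup
        if p.proto == "tcp" and ("SYN" not in p.flags or "ACK" in p.flags):
            return "drop"           # unsolicited non-opener: no state, no policy match
        verdict = stateless_filter(self.rules, p)
        if verdict == "allow":
            self.table.add(flow)    # policy admitted a new flow: remember it for replies
        return verdict


# Stateless policy: internal users may go anywhere, a public web server accepts new
# connections on 443, and replies to outbound sessions are recognised only by ACK.
STATELESS_RULES = [
    Rule("out", "tcp", "any"),
    Rule("in", "tcp", 443, flags_required=frozenset({"SYN"}), flags_forbidden=frozenset({"ACK"})),
    Rule("in", "tcp", "any", flags_required=frozenset({"ACK"})),   # the weak "established" rule
]
STATEFUL_RULES = STATELESS_RULES[:2]    # the state table replaces the ACK rule


def run_scenario():
    """Constructed sample packets: an outbound handshake, an ACK-scan probe, a spoof."""
    sf = StatefulFilter(STATEFUL_RULES)
    syn_out = Packet("10.1.2.3", "198.51.100.7", "tcp", 40000, 443, frozenset({"SYN"}), "out")
    synack_in = Packet("198.51.100.7", "10.1.2.3", "tcp", 443, 40000, frozenset({"SYN", "ACK"}), "in")
    probe = Packet("203.0.113.9", "10.1.2.3", "tcp", 55555, 22, frozenset({"ACK"}), "in")
    spoof = Packet("10.9.9.9", "10.1.2.3", "tcp", 1234, 22, frozenset({"SYN"}), "in")
    samples = {"syn_out": syn_out, "synack_in": synack_in, "probe": probe, "spoof": spoof}
    return {
        "stateless": {k: stateless_filter(STATELESS_RULES, v) for k, v in samples.items()},
        "stateful": {k: sf.decide(v) for k, v in samples.items()},   # order matters: SYN first
    }
```

Both filters pass the outbound SYN and the returning SYN/ACK and both drop the spoofed packet, but only the stateless filter lets the ACK-only probe to port 22 through, because its policy has no way to distinguish a reply from a forged one. The same weakness appears in practice whenever a stateless access list is written with an "established"-style match on the ACK flag.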
Institutions internally hosting Internet-accessible services should
consider implementing additional firewall components that include
Return to the top of
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
39. Does the institution use an appropriate means to ensure that
notices may be retained or obtained later, such as:
a. hand-delivery of a printed copy of the notice; [§9(e)(2)(i)]
b. mailing a printed copy to the last known address of the customer;
c. making the current privacy notice available on the institution's
web site (or via a link to the notice at another site) for the
customer who agrees to receive the notice at the web site?