REMINDER - This newsletter is
available for Android smart phones and tablets. Go to the
Market Store and search for yennik.
- Medical identity theft to be explored at FTC hearing - The Federal
Trade Commission next week will host a hearing examining identity
theft affecting senior citizens, and a portion of the discussion
will focus on the rising rates and awareness of medical identity
- Dutch bill would give police hacking powers - The Dutch government
today presented a draft bill that aims to give law enforcement the
power to hack into computer systems -- including those located in
foreign countries -- to do research, gather and copy evidence or
block access to certain data.
- US regulators look at dealing with social media - A week after
hackers broke into The Associated Press' Twitter feed and roiled
financial markets, federal regulators say they need to find ways to
deal with the impact of social media.
- Amid a barrage of password breaches, “honeywords” to the rescue -
Decoy passwords would trigger alarms that account credentials are
compromised. Security experts have proposed a simple way for
websites to better secure highly sensitive databases used to store
user passwords: the creation of false "honeyword" passcodes that
when entered would trigger alarms that account hijacking attacks are
- Dell investigates report of its computers being sold to Syria -
Dell reseller is accused of selling computers to a company with ties
to the Syrian government - Dell is investigating a report that a
Middle East reseller has sold large numbers of computers to a Syrian
company with ties to the embattled government there, in violation of
U.S. export restrictions.
- Department of Defense approves use of BlackBerry and Samsung
devices by military and government workers, a big win for the two
companies. The U.S. Department of Defense (DOD) has approved the use
of new BlackBerrys and Samsung Galaxy smartphones and tablets by
government workers and military officials. The approval is a big
deal for both companies, which want to pitch their gear to the
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- U.S. Department of Labor website infected with malware - The
malware has been linked to a China-based hacking campaign that
struck a Fortune 500 company in 2011 - A subdomain of a U.S.
Department of Labor website appeared offline on Wednesday after an
apparent hack that looks similar to a known China-based hacking
campaign nicknamed DeepPanda.
- Company that manages users' online reputation hit by breach - An
undisclosed number of customers had their personal information
accessed, after an online reputation management company was
breached. On Tuesday, Reputation.com, a Redwood City, Calif.-based
business, sent emails to customers about the incident.
- Hacker Breached U.S. Army Database Containing Sensitive
Information on Dams - A hacker compromised a U.S. Army database that
holds sensitive information about vulnerabilities in U.S. dams,
according to a news report.
- Use a Software Bug to Win Video Poker? That’s a Federal Hacking
Case - On Monday, July 6, 2009, two engineers from Nevada’s Gaming
Control Board showed up at the Silverton Casino Lodge. The
off-the-strip Las Vegas casino is best known for its
mermaid aquarium, but the GCB geek squad wasn’t there to see
swimmers in bikini tops and zip-on fish tails.
- Wash. Hospital Hit By $1.03 Million Cyberheist - Organized hackers
in Ukraine and Russia stole more than $1 million from a public
hospital in Washington state earlier this month. The costly
cyberheist was carried out with the help of nearly 100 different
accomplices in the United States who were hired through work-at-home
job scams run by a crime gang that has been fleecing businesses for
the past five years.
- Website 'spoofing' still fools users, security study reveals - A
close look at vulnerabilities in about 15,000 websites found 86
percent have at least one serious hole that hackers could exploit,
and content spoofing is the most prevalent vulnerability, identified
in over half of the sites, according to WhiteHat Security's annual
study published last week.
- Researchers Hack Building Control System at Google Australia
Office - Tens of thousands of control systems connected to the
internet, dozens of hardcoded passwords that can’t be changed,
untold numbers of backdoors embedded in systems by vendors that
hackers can use to remotely control them — these are just a sampling
of the problems uncovered by researchers in the last three years.
- Systems manager arrested for hacking former employer's network -
He allegedly caused over US$90,000 in damages, the FBI said - A
41-year-old systems manager was arrested for allegedly disrupting
his former employer's network after he was passed over for
promotions, leading him to quit his job and take revenge, the FBI
- Alaska phishing pupils take over classroom computers - A group of
pupils at a middle school in Alaska took control of their classroom
computers after phishing for administrator privileges.
- Personal California birth records found in "unsecure" location -
The California Department of Public Health (CDPH) reported that a
"reel" containing birth records of people born in the state in 1974
was found in an "unsecure" location.
- $45M drained from bank accounts in international cyber heist -
Eight individuals have been charged for their role in the hacking of
two credit card processors, which allowed a global gang of cyber
bandits to withdraw tens of millions of dollars from ATMs around the
world, federal prosecutors announced Thursday.
- Hackers raid Washington state court system to steal 160,000 SSNs,
1M driver's license numbers - A hack on the public website of the
Washington state Administrative Office of the Courts (AOC) has led
to the compromise of sensitive data of individuals whose cases were
making their way through the state court system.
- Hackers hit domain registrar, access credit card data and
passwords - A Denver-based domain name provider has suffered a
breach where customers' personal data, including encrypted passwords
and credit card information, was compromised.
WEB SITE COMPLIANCE -
Risk Management of
Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Contract Issues
Ownership and License
The contract should address ownership and allowable use by the
service provider of the institution’s data, equipment/hardware,
system documentation, system and application software, and other
intellectual property rights. Other intellectual property rights may
include the institution’s name and logo; its trademark or
copyrighted material; domain names; web site designs; and other
work products developed by the service provider for the institution.
The contract should not contain unnecessary limitations on the
return of items owned by the institution. Institutions that purchase
software should consider establishing escrow agreements. These
escrow agreements may provide for the following: institution access
to source programs under certain conditions (e.g., insolvency of the
vendor), documentation of programming and systems, and verification
of updated source code.
Institutions should consider the type of technology and current
state of the industry when negotiating the appropriate length of the
contract and its renewal periods. While there can be benefits to
long-term technology contracts, certain technologies may be subject
to rapid change and a shorter-term contract may prove beneficial.
Similarly, institutions should consider the appropriate length of
time required to notify the service provider of the institution’s
intent not to renew the contract prior to expiration. Institutions
should consider coordinating the expiration dates of contracts for
inter-related services (e.g., web site, telecommunications,
programming, network support) so that they coincide, where
practical. Such coordination can minimize the risk of terminating a
contract early and incurring penalties as a result of necessary
termination of another related service contract.
INFORMATION TECHNOLOGY SECURITY -
We continue our
series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION -
Protocols and Ports (Part 3 of 3)
Applications are built in conformance with the protocols to provide
services from hosts to clients. Because clients must have a standard
way of accessing the services, the services are assigned to standard
host ports. Ports are logical, not physical, locations that are
either assigned or available for specific network services. Under
TCP/IP, each transport protocol (TCP and UDP) has 65,536 ports,
numbered 0 through 65,535, and the first 1,024 (0 through 1,023) are
the "well-known" ports conventionally reserved for assigned services.
For instance, Web servers listen for HTTP requests on port 80, and
Web servers using SSL/TLS (HTTPS) listen on port 443. The
authoritative list of port assignments is maintained by IANA at
www.iana.org. Ports above 1023 are known as high ports; IANA
registers many of them (1024 through 49151) for particular services,
and the remainder (49152 through 65535) are dynamic or private ports.
However, these assignments are conventions rather than enforced
rules: users and administrators have the freedom to bind any service
to any port, and to run more than one service behind a single port.
Additionally, the service listening on one port may only proxy a
connection for a separate service. For example, a Trojan horse
keystroke-monitoring program can use the Web browser to send
captured keystroke information to port 80 of an attacker's machine.
In that case, monitoring of the packet headers from the compromised
machine would only show a Web request to port 80 of a certain IP
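The passage above makes two points that are easy to state and easy to forget in practice: a port number is only a convention, and a monitor that reads only packet headers sees the convention, not the service. The following Python script is an added example, not part of the FFIEC booklet or this newsletter. It builds a handful of constructed outbound flows (destination port plus the first bytes the client sent; none of it is captured traffic), labels each the way a header-only monitor would (by IANA port), and then applies a minimal protocol-conformance check to the payload. The flow list, the 203.0.113.9 address (RFC 5737 documentation range) and the "KLOG" keylogger format are all hypothetical.

```python
"""Port-based vs payload-based classification of outbound flows.

Added example for the FFIEC 'Protocols and Ports' discussion. The flows,
the keystroke-logger format and the addresses are constructed for
illustration; nothing here is real captured traffic.
"""
import re

# IANA port ranges (per transport protocol, 0-65535)
WELL_KNOWN_MAX = 1023     # system / well-known ports: 0-1023
REGISTERED_MAX = 49151    # registered ports: 1024-49151; 49152-65535 dynamic

# A small subset of IANA assignments, enough for the example
PORT_SERVICES = {22: "ssh", 25: "smtp", 53: "dns", 80: "http", 443: "https"}

# Minimal conformance check: does the first client payload look like an
# HTTP/1.x request line?
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")


def port_range(port):
    """Classify a port number into its IANA range."""
    if not 0 <= port <= 65535:
        raise ValueError("TCP/UDP ports are 0-65535")
    if port <= WELL_KNOWN_MAX:
        return "well-known"
    if port <= REGISTERED_MAX:
        return "registered"
    return "dynamic"


def label_by_port(port):
    """What a header-only monitor reports: the service registered for the port."""
    return PORT_SERVICES.get(port, "unassigned")


def payload_conforms(nominal, payload):
    """True/False if the payload does/does not look like the port's nominal
    protocol; None when no check is implemented for that service."""
    if nominal == "http":
        return HTTP_REQUEST_LINE.match(payload) is not None
    if nominal == "https":
        # TLS record header: ContentType 0x16 (handshake), major version 0x03
        return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03
    return None


def classify(port, payload):
    """Combine the header-only label with the payload check for one flow."""
    nominal = label_by_port(port)
    return {"port": port, "range": port_range(port),
            "nominal": nominal, "conforms": payload_conforms(nominal, payload)}


# Constructed flows (hypothetical): destination port and first client bytes.
FLOWS = [
    # an ordinary browser request
    (80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    # the opening bytes of a TLS ClientHello
    (443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    # a keystroke logger speaking its own format on port 80
    (80, b"KLOG|user=alice|pw=hunter2|ts=1367000000\n"),
    # the same data wrapped in a well-formed HTTP POST to a raw IP
    (80, b"POST /u HTTP/1.1\r\nHost: 203.0.113.9\r\nContent-Length: 26\r\n\r\n"
         b"user=alice&pw=hunter2&ts=1"),
]


def suspicious_flows(flows):
    """Flows whose payload fails the check for the port's nominal service."""
    return [c for c in (classify(p, b) for p, b in flows) if c["conforms"] is False]


if __name__ == "__main__":
    for port, payload in FLOWS:
        c = classify(port, payload)
        print(f"port {c['port']:>5} ({c['range']:<10}) header says {c['nominal']:<10} "
              f"payload conforms: {c['conforms']}")
    print(f"{len(suspicious_flows(FLOWS))} flow(s) flagged by payload check")
```

Running it shows the limit of both views. The header-only label calls all three port-80 flows "http". The payload check catches the logger that speaks its own format, but the fourth flow, keystrokes carried in a syntactically valid POST, passes the same check. Catching that one needs something beyond port or protocol conformance: an egress proxy that inspects request bodies, destination reputation, or alerting on HTTP to bare IP addresses.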
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
Sharing nonpublic personal information with nonaffiliated third
parties under Sections 14 and/or 15 and outside of exceptions (with
or without also sharing under Section 13). (Part 2 of 3)
B. Presentation, Content, and Delivery of Privacy Notices
1) Review the financial institution's initial, annual and revised
notices, as well as any short-form notices that the institution may
use for consumers who are not customers. Determine whether or not the notices:
a. Are clear and conspicuous (§§3(b), 4(a), 5(a)(1), 8(a)(1));
b. Accurately reflect the policies and practices used by the
institution (§§4(a), 5(a)(1), 8(a)(1)). Note, this includes
practices disclosed in the notices that exceed regulatory
c. Include, and adequately describe, all required items of
information and contain examples as applicable (§6). Note that if
the institution shares under Section 13 the notice provisions for
that section shall also apply.
2) Through discussions with management, review of the institution's
policies and procedures, and a sample of electronic or written
consumer records where available, determine if the institution has
adequate procedures in place to provide notices to consumers, as
appropriate. Assess the following:
a. Timeliness of delivery (§§4(a), 7(c), 8(a)); and
b. Reasonableness of the method of delivery (e.g., by hand; by
mail; electronically, if the consumer agrees; or as a necessary step
of a transaction) (§9).
3) For customers only, review the timeliness of delivery (§§4(d), 4(e),
5(a)), means of delivery of annual notice (§9(c)), and accessibility
of or ability to retain the notice (§9(e)).