R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

May 12, 2013

Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - Medical identity theft to be explored at FTC hearing - The Federal Trade Commission next week will host a hearing examining identity theft affecting senior citizens, and a portion of the discussion will focus on the rising rates and awareness of medical identity theft. http://www.scmagazine.com/medical-identity-theft-to-be-explored-at-ftc-hearing/article/291780/?DCMP=EMC-SCUS_Newswire

FYI - Dutch bill would give police hacking powers - The Dutch government today presented a draft bill that aims to give law enforcement the power to hack into computer systems -- including those located in foreign countries -- to do research, gather and copy evidence or block access to certain data. http://www.computerworld.com/s/article/9238849/Dutch_bill_would_give_police_hacking_powers?taxonomyId=17

FYI - US regulators look at dealing with social media - A week after hackers broke into The Associated Press' Twitter feed and roiled financial markets, federal regulators say they need to find ways to deal with the impact of social media. http://www.nbcnews.com/technology/technolog/us-regulators-look-dealing-social-media-6C9693063

FYI - Amid a barrage of password breaches, “honeywords” to the rescue - Decoy passwords would trigger alarms that account credentials are compromised. Security experts have proposed a simple way for websites to better secure highly sensitive databases used to store user passwords: the creation of false "honeyword" passcodes that when entered would trigger alarms that account hijacking attacks are underway. http://arstechnica.com/security/2013/05/amid-a-barrage-of-password-breaches-honeywords-to-the-rescue/

FYI - Dell investigates report of its computers being sold to Syria - Dell reseller is accused of selling computers to a company with ties to the Syrian government - Dell is investigating a report that a Middle East reseller has sold large numbers of computers to a Syrian company with ties to the embattled government there, in violation of U.S. export restrictions. http://www.computerworld.com/s/article/9238899/Dell_investigates_report_of_its_computers_being_sold_to_Syria?taxonomyId=17

FYI - Department of Defense approves use of BlackBerry and Samsung devices by military and government workers, a big win for the two companies. The U.S. Department of Defense (DOD) has approved the use of new BlackBerrys and Samsung Galaxy smartphones and tablets by government workers and military officials. The approval is a big deal for both companies, which want to pitch their gear to the government. http://www.informationweek.com/mobility/smart-phones/blackberry-samsung-get-pentagon-nod-of-a/240154163

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - U.S. Department of Labor website infected with malware - The malware has been linked to a China-based hacking campaign that struck a Fortune 500 company in 2011 - A subdomain of a U.S. Department of Labor website appeared offline on Wednesday after an apparent hack that looks similar to a known China-based hacking campaign nicknamed DeepPanda. http://www.computerworld.com/s/article/9238842/U.S._Department_of_Labor_website_infected_with_malware?taxonomyId=17

FYI - Company that manages users' online reputation hit by breach - An undisclosed number of customers had their personal information accessed, after an online reputation management company was breached. On Tuesday, Reputation.com, a Redwood City, Calif.-based business, sent emails to customers about the incident. http://www.scmagazine.com/company-that-manages-users-online-reputation-hit-by-breach/article/291582/

FYI - Hacker Breached U.S. Army Database Containing Sensitive Information on Dams - A hacker compromised a U.S. Army database that holds sensitive information about vulnerabilities in U.S. dams, according to a news report. http://www.wired.com/threatlevel/2013/05/hacker-breached-dam-database/

FYI - Use a Software Bug to Win Video Poker? That’s a Federal Hacking Case - On Monday, July 6, 2009, two engineers from Nevada’s Gaming Control Board showed up at the Silverton Casino Lodge. The off-the-strip southeast Las Vegas casino is best known for its mermaid aquarium, but the GCB geek squad wasn’t there to see swimmers in bikini tops and zip-on fish tails. http://www.wired.com/threatlevel/2013/05/game-king/

FYI - Wash. Hospital Hit By $1.03 Million Cyberheist - Organized hackers in Ukraine and Russia stole more than $1 million from a public hospital in Washington state earlier this month. The costly cyberheist was carried out with the help of nearly 100 different accomplices in the United States who were hired through work-at-home job scams run by a crime gang that has been fleecing businesses for the past five years. http://krebsonsecurity.com/2013/04/wash-hospital-hit-by-1-03-million-cyberheist/

FYI - Website 'spoofing' still fools users, security study reveals - A close look at vulnerabilities in about 15,000 websites found 86 percent have at least one serious hole that hackers could exploit, and content spoofing is the most prevalent vulnerability, identified in over half of the sites, according to WhiteHat Security's annual study published last week. http://www.pcworld.com/article/2037183/website-spoofing-still-fools-users-security-study-reveals.html#tk.nl_today

FYI - Researchers Hack Building Control System at Google Australia Office - Tens of thousands of control systems connected to the internet, dozens of hardcoded passwords that can’t be changed, untold numbers of backdoors embedded in systems by vendors that hackers can use to remotely control them — these are just a sampling of the problems uncovered by researchers in the last three years. http://www.wired.com/threatlevel/2013/05/googles-control-system-hacked/

FYI - Systems manager arrested for hacking former employer's network - He allegedly caused over US$90,000 in damages, the FBI said - A 41-year-old systems manager was arrested for allegedly disrupting his former employer's network after he was passed over for promotions, leading him to quit his job and take revenge, the FBI said. http://www.computerworld.com/s/article/9238874/Systems_manager_arrested_for_hacking_former_employer_39_s_network?taxonomyId=17

FYI - Alaska phishing pupils take over classroom computers - A group of pupils at a middle school in Alaska took control of their classroom computers after phishing for administrator privileges. http://www.bbc.co.uk/news/technology-22398484

FYI - Personal California birth records found in "unsecure" location - The California Department of Public Health (CDPH) reported that a "reel" containing birth records of people born in the state in 1974 was found in an "unsecure" location. http://www.scmagazine.com/personal-california-birth-records-found-in-unsecure-location/article/292368/?DCMP=EMC-SCUS_Newswire

FYI - $45M drained from bank accounts in international cyber heist - Eight individuals have been charged for their role in the hacking of two credit card processors, which allowed a global gang of cyber bandits to withdraw tens of millions of dollars from ATMs around the world, federal prosecutors announced Thursday. http://www.scmagazine.com/feds-45m-drained-from-bank-accounts-in-international-cyber-heist/article/292734/?DCMP=EMC-SCUS_Newswire

FYI - Hackers raid Washington state court system to steal 160,000 SSNs, 1M driver's license numbers - A hack on the public website of the Washington state Administrative Office of the Courts (AOC) has led to the compromise of sensitive data of individuals whose cases were making their way through the state court system. http://www.scmagazine.com/hackers-raid-washington-state-court-system-to-steal-160000-ssns-1m-drivers-license-numbers/article/292730/?DCMP=EMC-SCUS_Newswire

FYI - Hackers hit domain registrar, access credit card data and passwords - A Denver-based domain name provider has suffered a breach where customers' personal data, including encrypted passwords and credit card information, was compromised. http://www.scmagazine.com/hackers-hit-domain-registrar-access-credit-card-data-and-passwords/article/292696/?DCMP=EMC-SCUS_Newswire


WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services

Due Diligence in Selecting a Service Provider - Contract Issues

Ownership and License

The contract should address ownership and allowable use by the service provider of the institution’s data, equipment/hardware, system documentation, system and application software, and other intellectual property rights. Other intellectual property rights may include the institution’s name and logo; its trademark or copyrighted material; domain names; web sites designs; and other work products developed by the service provider for the institution. The contract should not contain unnecessary limitations on the return of items owned by the institution. Institutions that purchase software should consider establishing escrow agreements. These escrow agreements may provide for the following: institution access to source programs under certain conditions (e.g., insolvency of the vendor), documentation of programming and systems, and verification of updated source code.

Duration

Institutions should consider the type of technology and current state of the industry when negotiating the appropriate length of the contract and its renewal periods. While there can be benefits to long-term technology contracts, certain technologies may be subject to rapid change and a shorter-term contract may prove beneficial. Similarly, institutions should consider the appropriate length of time required to notify the service provider of the institutions’ intent not to renew the contract prior to expiration. Institutions should consider coordinating the expiration dates of contracts for inter-related services (e.g., web site, telecommunications, programming, network support) so that they coincide, where practical. Such coordination can minimize the risk of terminating a contract early and incurring penalties as a result of necessary termination of another related service contract.


INFORMATION TECHNOLOGY SECURITY

We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS

Protocols and Ports (Part 3 of 3)

Applications are built in conformance with the protocols to provide services from hosts to clients. Because clients must have a standard way of accessing the services, the services are assigned to standard host ports. Ports are logical, not physical, locations that are either assigned or available for specific network services. Under TCP/IP, 65536 ports are available, and the first 1024 ports are commercially accepted as being assigned to certain services. For instance, Web servers listen for requests on port 80, and Secure Sockets Layer (SSL) Web servers listen on port 443. A complete list of the commercially accepted port assignments is available at www.iana.org.  Ports above 1024 are known as high ports and are user-assignable. However, users and administrators have the freedom to assign any port to any service, and to use one port for more than one service. Additionally, the service listening on one port may only proxy a connection for a separate service. For example, a Trojan horse keystroke-monitoring program can use the Web browser to send captured keystroke information to port 80 of an attacker's machine. In that case, monitoring of the packet headers from the compromised machine would only show a Web request to port 80 of a certain IP address.
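The paragraph's point is that a port number only names an expectation, not what is actually being carried. The following is an added example, not part of the FFIEC booklet or of this newsletter, showing the kind of check a monitoring tool can apply to go beyond packet headers: it classifies the first client-to-server bytes of each flow by protocol and flags flows to port 80 or 443 whose payload is not the protocol that port implies. The flow records, addresses and payloads below are constructed for the example; the `Flow` class, the `EXPECTED` table and the function names are assumptions of this illustration.

```python
"""Port-agnostic protocol check over captured flows (illustrative, constructed data)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# An HTTP/1.x request begins with a method, a target and a version on one line.
HTTP_REQUEST_LINE = re.compile(rb"^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")


@dataclass
class Flow:
    """One client-to-server flow: who, where to, which port, and its leading bytes."""
    src: str
    dst: str
    dst_port: int
    payload: bytes  # first bytes the client sent, as captured by a sensor


def classify_payload(payload: bytes) -> str:
    """Identify the protocol from content alone, ignoring the port number."""
    if HTTP_REQUEST_LINE.match(payload):
        return "http"
    # A TLS record starts with content type 0x16 (handshake) and major version 0x03.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x03:
        return "tls"
    return "unknown"


# What each well-known port is expected to carry (assumed policy table for this example).
EXPECTED = {80: "http", 443: "tls"}


def check_flow(flow: Flow) -> Optional[str]:
    """Return a finding when the payload does not match what the port implies, else None."""
    expected = EXPECTED.get(flow.dst_port)
    if expected is None:
        return None  # no expectation recorded for this port; nothing to compare against
    actual = classify_payload(flow.payload)
    if actual != expected:
        return f"{flow.src} -> {flow.dst}:{flow.dst_port} expected {expected}, saw {actual}"
    # Well-formed HTTP that omits the Host header is unusual for a browser and worth a look.
    if actual == "http" and b"\r\n\r\n" in flow.payload and b"\r\nHost: " not in flow.payload:
        return f"{flow.src} -> {flow.dst}:{flow.dst_port} HTTP request without Host header"
    return None


def audit_flows(flows: List[Flow]) -> List[str]:
    """Run check_flow over a capture and collect the findings."""
    return [finding for flow in flows if (finding := check_flow(flow)) is not None]


# Constructed sample capture: two ordinary flows and two that deserve attention.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.7", 80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Flow("10.0.0.5", "203.0.113.7", 443, b"\x16\x03\x01\x00\xf1\x01\x00\x00\xed"),
    # Raw, non-HTTP bytes sent to port 80: headers alone would show only "a Web request".
    Flow("10.0.0.5", "198.51.100.9", 80, b"\x01\x02\x03keystrokes-go-here"),
    # Looks like HTTP, but no Host header, as a hand-rolled client might produce.
    Flow("10.0.0.5", "198.51.100.9", 80, b"POST /u HTTP/1.1\r\nContent-Length: 5\r\n\r\nqwert"),
]

if __name__ == "__main__":
    for line in audit_flows(SAMPLE_FLOWS):
        print(line)
```

The first mismatch is exactly the case the booklet describes: to a header-only view it is a connection to port 80, while the content check shows it is not HTTP at all. The limit of the approach is also visible in the last flow: once the program wraps the captured data in a syntactically valid request, the protocol check passes and only weaker signals (a missing Host header, an unknown destination) remain, which is why egress filtering through a proxy and allow-listing of destinations are the usual complement to this kind of inspection.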


INTERNET PRIVACY

We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Sharing nonpublic personal information with nonaffiliated third parties under Sections 14 and/or 15 and outside of exceptions (with or without also sharing under Section 13).  (Part 2 of 3)

B. Presentation, Content, and Delivery of Privacy Notices 

1)  Review the financial institution's initial, annual and revised notices, as well as any short-form notices that the institution may use for consumers who are not customers. Determine whether or not these notices:

a.  Are clear and conspicuous (§§3(b), 4(a), 5(a)(1), 8(a)(1));

b.  Accurately reflect the policies and practices used by the institution (§§4(a), 5(a)(1), 8(a)(1)). Note, this includes practices disclosed in the notices that exceed regulatory requirements; and

c.  Include, and adequately describe, all required items of information and contain examples as applicable (§6). Note that if the institution shares under Section 13 the notice provisions for that section shall also apply.

2)  Through discussions with management, review of the institution's policies and procedures, and a sample of electronic or written consumer records where available, determine if the institution has adequate procedures in place to provide notices to consumers, as appropriate. Assess the following:

a.  Timeliness of delivery (§§4(a), 7(c), 8(a)); and

b.  Reasonableness of the method of delivery (e.g., by hand; by mail; electronically, if the consumer agrees; or as a necessary step of a transaction) (§9).

c.  For customers only, review the timeliness of delivery (§§4(d), 4(e), 5(a)), means of delivery of annual notice (§9(c)), and accessibility of or ability to retain the notice (§9(e)).


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

All rights reserved. © Copyright Yennik, Incorporated. Our logo is registered with the United States Patent and Trademark Office.