R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

May 17, 2015

Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FYI - Our cybersecurity testing meets the independent pen-test requirements outlined in the FFIEC Information Security booklet.  Independent pen-testing is part of any financial institution's cybersecurity defense.  To receive due diligence information, an agreement, and cost-saving fees, please complete the information form at https://yennik.com/forms-vista-info/external_vista_info_form.htm.  All communication is kept strictly confidential.

FYI - US court says NSA phone data program is illegal - The US government has long argued that the program is legal under the controversial Patriot Act, but a federal appeals court sees things differently. A US Appeals court has sent shockwaves through the government and security industry after ruling that the National Security Agency's wholesale collection of phone call data is illegal. http://www.cnet.com/news/us-court-says-nsa-phone-data-program-is-illegal/

FYI - India and Japan form cyber alliance - Indian officials from the Ministry of Telecom and the Department of Electronics and Information Technology (DeitY) met with a visiting Japanese trade delegation led by Minister of Economy and Trade Yoichi Miyazawa according to the Economic Times. http://www.scmagazine.com/japan-looks-to-invest-in-indias-it-sectors/article/412811/

FYI - House approves controversial cybersecurity bill - The House of Representatives passed bipartisan legislation on Wednesday designed to help companies and the federal government better defend against the growing threat of cyberattacks, despite opposition from privacy advocates. http://www.cnet.com/news/house-approves-controversial-cybersecurity-bill/

FYI - Romanian rozzers round up alleged $15 MILLION ATM cybercrim gang - 25 people arrested over international cash-slurp operation - Romanian police have arrested 25 people who are suspected of being part of a cyber-crime gang that organised $15m in fraudulent bank withdrawals. http://www.theregister.co.uk/2015/04/28/romanian_police_arrest_25_15m_swindle_allegations/

FYI - Twin brothers indicted on computer hacking charges - Twin brothers in Virginia were indicted Thursday on computer hacking and other charges. http://www.scmagazine.com/twin-brothers-indicted-on-computer-hacking-charges/article/412825/

FYI - A former Goldman Sachs programmer has been convicted for the second time in four years on charges that he misused his former employer’s code, adding a new chapter to an already bizarre and controversial case that has drawn much unwanted attention to the world of high-speed trading and elicited criticism of prosecutorial overzealousness. http://www.wired.com/2015/05/programmer-convicted-bizarre-goldman-sachs-caseagain/

FYI - Lower house of French Parliament approves surveillance bill - The lower house of the French Parliament has approved a controversial intelligence bill that could broaden the government's surveillance powers. http://www.scmagazine.com/french-surveillance-bill-progresses-through-parliament/article/413032/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Ryanair stung after $5m Shanghai'd from online fuel account - Crooks siphoned off money from an account earmarked for the payment of fuel bills via an electronic transfer to a bank in China last week. http://www.theregister.co.uk/2015/04/30/ryanair_online_heist/

FYI - FBI investigating Rutgers University in DDoS attack - The FBI is working with Rutgers University to identify the source of a series of distributed denial-of-service (DDoS) attacks that have plagued the school this week. http://www.scmagazine.com/the-fbi-is-helpign-rutger-inveigate-a-series-of-ddos-attack/article/412149/

FYI - Partners HealthCare says workers responded to phishing emails, patient data at risk - Partners HealthCare Systems has published an announcement on its website that personal and health-related data belonging to its patients was potentially exposed to unauthorized access. http://www.scmagazine.com/partners-healthcare-group-patient-information-may-be-at-risk/article/412552/

FYI - Oregon's Health CO-OP laptop stolen, about 15K members notified - Oregon's Health CO-OP has notified approximately 15,000 current and former members that a laptop containing personal information was stolen. http://www.scmagazine.com/oregons-health-co-op-laptop-stolen-about-15k-members-notified/article/412536/

FYI - EllisLab server hacked, passwords possibly compromised - Hackers who last month gained unauthorized access to a server of software development company EllisLab may have gotten their hands on personal information belonging to EllisLab.com members, the company CEO Derek Jones said in a Friday blog post. http://www.scmagazine.com/attackers-use-stolen-login-info-to-hack-into-ellislabs-servers/article/412796/

FYI - Possible payment card breach at Hard Rock Hotel & Casino Las Vegas - Hard Rock Hotel & Casino Las Vegas is warning customers of a potential security incident involving payment cards.
http://www.scmagazine.com/possible-payment-card-breach-at-hard-rock-hotel-casino-las-vegas/article/412819/
http://www.theregister.co.uk/2015/05/04/hard_rock_breach/

FYI - Retail Capital notifies hundreds following security incident - Michigan-based Retail Capital is notifying more than 700 individuals that unauthorized access was gained to the electronic mailbox of a sales manager, and personal information may have been compromised. http://www.scmagazine.com/retail-capital-notifies-hundreds-following-security-incident/article/413042/


WEB SITE COMPLIANCE -
OCC - Threats from Fraudulent Bank Web Sites - Risk Mitigation and Response Guidance for Web Site Spoofing Incidents (Part 3 of 5)
 
 
PROCEDURES TO ADDRESS SPOOFING - Information Gathering
 
 After a bank has determined that it is the target of a spoofing incident, it should collect available information about the attack to enable an appropriate response.  The information that is collected will help the bank identify and shut down the fraudulent Web site, determine whether customer information has been obtained, and assist law enforcement authorities with any investigation.  Below is a list of useful information that a bank can collect.  In some cases, banks will require the assistance of information technology specialists or their service providers to obtain this information.
 
 *  The means by which the bank became aware that it was the target of a spoofing incident (e.g., report received through Website, fax, telephone, etc.);
 *  Copies of any e-mails or documentation regarding other forms of communication (e.g., telephone calls, faxes, etc.) that were used to direct customers to the spoofed Web sites;
 *  Internet Protocol (IP) addresses for the spoofed Web sites along with identification of the companies associated with the IP addresses;
 *  Web-site addresses (uniform resource locator) and the registration of the associated domain names for the spoofed site; and
 *  The geographic locations of the IP address (city, state, and country).
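As an added example that is not part of the OCC guidance, a small triage helper that turns a customer's report into one evidence record per reported URL with the fields listed above: it undoes common URL defanging, extracts the host, and flags hosts that mimic the bank's own domain (the bank domains and report text are constructed; IP, hosting company, registration and geolocation require online lookups and are left for the responder to fill in).

```python
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r'https?://[^\s<>"]+', re.IGNORECASE)

def refang(text):
    """Undo common defanging (hxxp, [.]) so reported URLs can be parsed."""
    text = re.sub(r"hxxp", "http", text, flags=re.IGNORECASE)
    return text.replace("[.]", ".").replace("(.)", ".")

def edit_distance(a, b):
    """Levenshtein distance, used to spot typo-squatted domain labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host, legit_domains):
    """'legitimate' for the bank's own domains and their subdomains, 'lookalike'
    when the registrable label embeds or is within edit distance 2 of a legit
    label, otherwise 'unrelated'."""
    host = host.lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in legit_domains):
        return "legitimate"
    label = host.split(".")[-2] if "." in host else host
    for legit_label in (d.split(".")[0] for d in legit_domains):
        if legit_label in host or edit_distance(label, legit_label) <= 2:
            return "lookalike"
    return "unrelated"

def spoof_records(report_channel, report_text, legit_domains):
    """Build one evidence record per reported URL with the fields the OCC list
    asks for; IP, hosting company, registration and geolocation need online
    lookups and are left as None to be filled in by the responder."""
    records = []
    for url in URL_RE.findall(refang(report_text)):
        url = url.rstrip(".,);")  # drop punctuation that trails a URL in prose
        host = urlsplit(url).hostname or ""
        records.append({
            "report_channel": report_channel, "url": url, "host": host,
            "assessment": classify_host(host, legit_domains),
            "ip_address": None, "hosting_company": None,
            "domain_registration": None, "geolocation": None,
        })
    return records
```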



FFIEC IT SECURITY - We continue our coverage of the FDIC's "Guidance on Managing Risks Associated With Wireless Networks and Wireless Customer Access."
 
 PART I. Risks Associated with Wireless Internal Networks
 
 
Financial institutions are evaluating wireless networks as an alternative to the traditional cable to the desktop network. Currently, wireless networks can provide speeds of up to 11 Mbps between the workstation and the wireless access device without the need for cabling individual workstations. Wireless networks also offer added mobility allowing users to travel through the facility without losing their network connection. Wireless networks are also being used to provide connectivity between geographically close locations as an alternative to installing dedicated telecommunication lines.
 
 Wireless differs from traditional hard-wired networking in that it provides connectivity to the network by broadcasting radio signals through the airways. Wireless networks operate using a set of FCC licensed frequencies to communicate between workstations and wireless access points. By installing wireless access points, an institution can expand its network to include workstations within broadcast range of the network access point.
 
 The most prevalent class of wireless networks currently available is based on the IEEE 802.11b wireless standard. The standard is supported by a variety of vendors for both network cards and wireless network access points. The wireless transmissions can be encrypted using "Wired Equivalent Privacy" (WEP) encryption. WEP is intended to provide confidentiality and integrity of data and a degree of access control over the network. By design, WEP encrypts traffic between an access point and the client. However, this encryption method has fundamental weaknesses that make it vulnerable. WEP is vulnerable to the following types of decryption attacks:
 
 1)  Decrypting information based on statistical analysis;
 
 2)  Injecting new traffic from unauthorized mobile stations based on known plain text;
 
 3)  Decrypting traffic based on tricking the access point;
 
 4)  Dictionary-building attacks that, after analyzing about a day's worth of traffic, allow real-time automated decryption of all traffic (a dictionary-building attack creates a translation table that can be used to convert encrypted information into plain text without executing the decryption routine); and
 
 5)  Attacks based on documented weaknesses in the RC4 encryption algorithm that allow an attacker to rapidly determine the encryption key used to encrypt the user's session.
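To show concretely why the guidance treats WEP as providing no real confidentiality, here is an added example (not part of the FDIC guidance) of the keystream-reuse property behind items 2 and 4 above: WEP builds each packet's RC4 key from a 24-bit IV that is sent in the clear plus the shared key, so an observer who knows the contents of one frame under a given IV learns that IV's keystream and can decode any later frame sent under the same IV without ever knowing the shared key. RC4 and the WEP framing are the real constructions; the shared key, IVs and frame contents are constructed.

```python
import math

def rc4_keystream(key, length):
    """Plain RC4 (key scheduling + output generation); returns `length` bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(shared_key, iv, plaintext):
    """WEP framing: per-packet RC4 key = 24-bit IV || shared key; IV sent in clear."""
    assert len(iv) == 3
    return iv + xor(plaintext, rc4_keystream(iv + shared_key, len(plaintext)))

def learn_keystream(frame, known_plaintext):
    """Known frame contents reveal the IV's keystream without the shared key (items 2, 4)."""
    iv, body = frame[:3], frame[3:]
    return iv, xor(body, known_plaintext)

def decrypt_with_table(table, frame):
    """Decode a later frame using only an IV -> keystream translation table."""
    iv, body = frame[:3], frame[3:]
    ks = table.get(iv)
    if ks is None or len(ks) < len(body):
        return None
    return xor(body, ks[: len(body)])

def expected_frames_until_iv_repeat(iv_bits=24):
    """Birthday bound: roughly sqrt(pi/2 * 2^n) random IVs before the first repeat."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)

def iv_reuse_demo():
    shared_key = b"\x01\x23\x45\x67\x89"            # constructed 40-bit WEP key
    iv = b"\x0a\x0b\x0c"                            # constructed IV the AP reuses
    known = b"predictable protocol header bytes"    # constructed known plaintext
    secret = b"account 1234 balance 5000"           # constructed later frame
    iv_seen, ks = learn_keystream(wep_encrypt(shared_key, iv, known), known)
    return decrypt_with_table({iv_seen: ks}, wep_encrypt(shared_key, iv, secret))
```

The birthday bound in expected_frames_until_iv_repeat shows that a randomly chosen 24-bit IV is expected to repeat after only a few thousand frames, which is why a day's traffic suffices to fill the translation table the guidance describes.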


NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 20 -
ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL COMPUTER SYSTEM (HGA)

20.3.5 Network-Related Threats

Most of the human threats of concern to HGA originate from insiders. Nevertheless, HGA also recognizes the need to protect its assets from outsiders. Such attacks may serve many different purposes and pose a broad spectrum of risks, including unauthorized disclosure or modification of information, unauthorized use of services and assets, or unauthorized denial of services.

As shown in the figure below, HGA's systems are connected to the three external networks: (1) the Internet, (2) the Interagency WAN, and (3) the public-switched (telephone) network. Although these networks are a source of security risks, connectivity with them is essential to HGA's mission and to the productivity of its employees; connectivity cannot be terminated simply because of security risks.

In each of the past few years before establishing its current set of network safeguards, HGA had detected several attempts by outsiders to penetrate its systems. Most, but not all of these, have come from the Internet, and those that succeeded did so by learning or guessing user account passwords. In two cases, the attacker deleted or corrupted significant amounts of data, most of which were later restored from backup files. In most cases, HGA could detect no ill effects of the attack, but concluded that the attacker may have browsed through some files. HGA also conceded that its systems did not have audit logging capabilities sufficient to track an attacker's activities. Hence, for most of these attacks, HGA could not accurately gauge the extent of penetration.

In one case, an attacker made use of a bug in an e-mail utility and succeeded in acquiring System Administrator privileges on the server--a significant breach. HGA found no evidence that the attacker attempted to exploit these privileges before being discovered two days later. When the attack was detected, COG immediately contacted the HGA's Incident Handling Team, and was told that a bug fix had been distributed by the server vendor several months earlier. To its embarrassment, COG discovered that it had already received the fix, which it then promptly installed. It now believes that no subsequent attacks of the same nature have succeeded.

Although HGA has no evidence that it has been significantly harmed to date by attacks via external networks, it believes that these attacks have great potential to inflict damage. HGA's management considers itself lucky that such attacks have not harmed HGA's reputation and the confidence of the citizens it serves. It also believes the likelihood of such attacks via external networks will increase in the future.

Figure 20.1

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

