REMINDER - This newsletter is
available for Android smart phones and tablets. Go to the
Market Store and search for yennik.
FYI
- FBI warns globe trotters about malware lurking in hotel room
connections - The FBI is warning individuals who travel abroad that
cybercriminals are installing malware through bogus software updates
when users connect to the internet in their hotel rooms.
http://www.infosecurity-magazine.com/view/25671/fbi-warns-globe-trotters-about-malware-lurking-in-hotel-room-connections/
FYI
- Queen's speech confirms government internet snooping plans still
in place - The government has used the Queen's Speech to confirm it
intends to press ahead with controversial snooping plans that will
make it easier for the police and intelligence agencies to access
communications data.
http://www.v3.co.uk/v3-uk/news/2173470/queens-speech-confirms-government-internet-snooping-plans
FYI
- GAO - Social Security Administration: Improved Planning and
Performance Measures Are Needed to Help Ensure Successful Technology
Modernization.
http://www.gao.gov/products/GAO-12-495
FYI
- Pentagon expands cybersecurity exchange - The Pentagon predicts
that as many as 1,000 defense contractors may join a voluntary
effort to share classified information on cyberthreats under an
expansion of a first-ever initiative to protect computer networks.
http://www.washingtonpost.com/politics/pentagon-expands-cybersecurity-exchange/2012/05/13/gIQAwPyQOU_story.html
FYI
- Georgia Man Admits Role in $1.3 Million Global Cyberscam - An
online criminal pleaded guilty last week to participating in a
cybercrime ring that deployed fake bank and payroll processing
websites to steal more than $1.3 million.
http://www.msnbc.msn.com/id/47342263/ns/technology_and_science-security/t/georgia-man-admits-role-million-global-cyberscam/
FYI
- Trade in sensitive personal data uncovered by secret investigation
- C4's Dispatches records private investigator selling bank details
and criminal and medical records to reporters - The ease with which
private investigators can access highly personal and sensitive
information stored in secure government databases has been exposed
by a report that will intensify calls to regulate the industry.
http://www.guardian.co.uk/technology/2012/may/12/trade-personal-data-secret-investigation
FYI
- Mounties Bust Disciplined, Multi-Million-Dollar Carding Ring -
More than 40 people were arrested on Wednesday in Canada in a sting
operation against what authorities say was a well-organized
international bank card ring that stole at least $7 million and
possibly hundreds of millions more.
http://www.wired.com/threatlevel/2012/05/mounties-bust-carders/
FYI
- IT head fired, ombudsman hired in wake of Utah breach - The
governor of Utah has fired the head of the state's Department of
Technology Services (DTS) following a Medicaid breach announced last
month that quickly grew into a public relations disaster.
http://www.scmagazine.com/it-head-fired-ombudsman-hired-in-wake-of-utah-breach/article/241473/?DCMP=EMC-SCUS_Newswire
FYI
- Pros of managing security in cloud make it attractive - Small to
midsize businesses (SMBs) looking to allocate more funds toward
areas that directly affect their growth should be looking to the
cloud, a new study from Microsoft reveals.
http://www.scmagazine.com/pros-of-managing-security-in-cloud-make-it-attractive/article/241437/?DCMP=EMC-SCUS_Newswire
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Twitter warns users to reset passwords after hacking scare -
Twitter has attempted to assure its users after reports circulated
of 55,000 accounts being hacked and login credentials publicly
disclosed.
http://www.scmagazineuk.com/twitter-warns-users-to-reset-passwords-after-hacking-scare/article/240264/
FYI
- 350,000 SSNs exposed in UNC-Charlotte breach - The Social Security
numbers and financial account information of students and staff at
the University of North Carolina at Charlotte (UNC-Charlotte) was
exposed during an online security breach.
http://www.scmagazine.com/350000-social-security-numbers-exposed-in-university-breach/article/240864/?DCMP=EMC-SCUS_Newswire
FYI
- Data on 700K California home care workers, recipients lost - The
personal information of home care workers and their elderly and
disabled recipients may have been compromised when the storage
device on which it was contained was lost in the mail.
http://www.scmagazine.com/data-on-700k-california-home-care-workers-recipients-lost/article/241124/?DCMP=EMC-SCUS_Newswire
http://arstechnica.com/security/2012/05/ca-social-services-office-looses-hundreds-of-thousands-of-recordson-microfiche/
FYI
- Soca website attack: Norway arrests two youths - Two teenagers in
Norway have been arrested in connection with a series of computer
attacks. Britain's Serious Organised Crime Agency (Soca) is believed
to have been among their suspected targets.
http://www.bbc.com/news/technology-18005505
FYI
- The Pirate Bay hits out at DDoS attacks on ISPs - File-sharing
website The Pirate Bay has called distributed denial of service (DDoS)
and similar attacks "forms of censorship". In a statement posted on
its Facebook group, The Pirate Bay responded to actions by Anonymous
against internet service providers (ISPs) that were instructed to
block access to the file-sharing website.
http://www.scmagazineuk.com/the-pirate-bay-hits-out-at-ddos-attacks-on-isps/article/240265/
FYI
- Team Poison hacking inquiry: UK teenager arrested - Police have
arrested a 17-year-old boy alleged to be the spokesman for a
notorious hacking group. The boy is said to be a member of Team
Poison, a group which claimed responsibility for more than 1,400
illegal activities.
http://www.bbc.com/news/technology-18017387
FYI
- Six indicted over Population Registry data theft - Former Social
Affairs Ministry contractor allegedly stole database, passed it to
haredi charity, from where it was sold abroad.
http://www.jpost.com/NationalNews/Article.aspx?id=269728
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Supervision.
While
the Board of Directors has the responsibility for ensuring that
appropriate security control processes are in place for e-banking,
the substance of these processes needs special management attention
because of the enhanced security challenges posed by e-banking.
Over the next number of weeks we will cover the principles of
Security Controls.
Security Controls - Principle 1: Banks should take
appropriate measures to authenticate the identity and authorization
of customers with whom it conducts business over the Internet. (Part
1 of 2)
It is essential in banking to confirm that a particular
communication, transaction, or access request is legitimate.
Accordingly, banks should use reliable methods for verifying the
identity and authorization of new customers as well as
authenticating the identity and authorization of established
customers seeking to initiate electronic transactions.
Customer verification during account origination is important in
reducing the risk of identity theft, fraudulent account applications
and money laundering. Failure on the part of the bank to adequately
authenticate customers could result in unauthorized individuals
gaining access to e-banking accounts and ultimately financial loss
and reputational damage to the bank through fraud, disclosure of
confidential information or inadvertent involvement in criminal
activity.
Establishing and authenticating an individual's identity and
authorization to access banking systems in a purely electronic open
network environment can be a difficult task. Legitimate user
authorization can be misrepresented through a variety of techniques
generally known as "spoofing." An attacker can also take over the
session of a legitimate authorized individual by capturing
credentials or session tokens with a "sniffer" on an unencrypted
link and carry out activities of a mischievous or criminal nature.
Authentication control processes can in addition be circumvented
through the alteration of authentication databases.
Accordingly, it is critical that banks have formal policy and
procedures identifying appropriate methodology(ies) to ensure that
the bank properly authenticates the identity and authorization of an
individual, agent or system by means that are unique and, as far as
practical, exclude unauthorized individuals or systems. Banks can use
a variety of methods to establish authentication, including PINs,
passwords, smart cards, biometrics, and digital certificates. These
methods can be either single factor or multi-factor (e.g. using both
a password and biometric technology to authenticate). Multi-factor
authentication generally provides stronger assurance.
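As an added illustration of the single-factor versus multi-factor distinction in Principle 1 (example code written for this newsletter, not from the Basel Committee paper), the Python below checks a password and a time-based one-time code together, so that a stolen password alone is not enough. The customer record, the password, the PBKDF2 work factor and the TOTP seed (the RFC 4226 / RFC 6238 test key, used so the codes can be checked against published vectors) are constructed assumptions.

```python
import hashlib
import hmac
import os
import struct
import time

# Constructed sample data, not from the page: one enrolled customer record.
# The TOTP seed is the RFC 4226 / RFC 6238 test key so the one-time codes
# can be checked against published vectors; a real deployment generates a
# random seed per customer at enrolment.
TOTP_SECRET = b"12345678901234567890"
PBKDF2_ROUNDS = 200_000          # assumed work factor; raise as hardware allows
TOTP_STEP_S = 30

def enroll(password: str, totp_secret: bytes = None) -> dict:
    """Create a customer record: salted PBKDF2 password hash plus a TOTP seed."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "totp_secret": totp_secret or os.urandom(20),
    }

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the 30-second time step that contains `at`."""
    return hotp(secret, at // TOTP_STEP_S, digits)

def verify_password(record: dict, password: str) -> bool:
    """Factor 1 (something the customer knows), compared in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, record["pw_hash"])

def verify_totp(record: dict, code: str, at: int, window: int = 1) -> bool:
    """Factor 2 (something the customer has): accept the current step and
    `window` steps either side to tolerate clock drift between token and server."""
    step = at // TOTP_STEP_S
    expected = [hotp(record["totp_secret"], step + d).encode() for d in range(-window, window + 1)]
    return any(hmac.compare_digest(e, code.encode()) for e in expected)

def authenticate(record: dict, password: str, code: str, at: int = None) -> bool:
    """Multi-factor login: both factors must pass.  Both are always evaluated so the
    response time does not tell an attacker which factor was wrong."""
    at = int(time.time()) if at is None else at
    pw_ok = verify_password(record, password)
    otp_ok = verify_totp(record, code, at)
    return pw_ok and otp_ok

if __name__ == "__main__":
    rec = enroll("correct horse battery staple", TOTP_SECRET)
    code = totp(TOTP_SECRET, 59)                                          # RFC 6238 vector at T=59
    print(code)                                                           # 287082
    print(authenticate(rec, "correct horse battery staple", code, at=59))      # True
    print(authenticate(rec, "correct horse battery staple", "000000", at=59))  # False
    print(authenticate(rec, "stolen-guess", code, at=59))                      # False
```

The drift window is the usual operational compromise: one step either side keeps a slightly slow or fast token usable while limiting how many codes are valid at once. A production system would also rate-limit attempts and record which step was last accepted so a code cannot be replayed.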
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
INTRUSION DETECTION AND RESPONSE
Automated Intrusion Detection Systems (IDS) (Part 2 of 4)
"Tuning" refers to the creation of signatures that can
distinguish between normal network traffic and potentially malicious
traffic. Proper tuning of these IDS units is essential to reliable
detection of both known attacks and newly developed attacks. Tuning
of some signature-based units for any particular network may take
an extended period of time, and involve extensive analysis of
expected traffic. If an IDS is not properly tuned, the volume of
alerts it generates may degrade the intrusion identification and
response capability.
Signatures may take several forms. The simplest form is the URL
submitted to a Web server, where certain references, such as cmd.exe,
are indicators of an attack. The nature of traffic to and from a
server can also serve as a signature. An example is the length of a
session and amount of traffic passed. A signature method meant to
focus on sophisticated attackers is protocol analysis, when the
contents of a packet or session are analyzed for activity that
violates standards or expected behavior. That method can catch, for
instance, indicators that servers are being attacked using Internet
control message protocol (ICMP).
Switched networks pose a problem for network IDS. Switches
ordinarily do not broadcast traffic to all ports, and a network IDS
may need to see all traffic to be effective. When a switch does not
have a port that receives a copy of all traffic (a mirror or SPAN
port), the financial institution may have to alter its network to
include a hub or other device that lets the IDS monitor traffic.
Encrypted network traffic will drastically reduce the effectiveness
of a network IDS. Since a network IDS only reads traffic and does
not decrypt it, the content of encrypted sessions (for example the
URLs and payloads inside TLS) is invisible to it; only session
metadata such as endpoints, timing and volume remains inspectable
unless the traffic is decrypted in front of the sensor.
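The three signature forms described above (URL content, traffic profile, protocol analysis) and the encrypted-traffic blind spot, as an added worked example in Python. This is not code from the FFIEC booklet; the session records, their field names and the thresholds are constructed assumptions standing in for what a sensor on a mirror port would reconstruct, and the thresholds are exactly the kind of per-network values that "tuning" has to settle.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed session records (assumed field names, not from the page): roughly
# what a network IDS reconstructs from a mirror/span-port capture.
@dataclass
class Session:
    src: str
    dst: str
    proto: str                     # "tcp" or "icmp"
    dport: int = 0
    duration_s: float = 0.0
    bytes_out: int = 0             # bytes leaving the monitored server
    url: Optional[str] = None      # only visible for cleartext HTTP
    encrypted: bool = False        # TLS: payload is opaque to the sensor
    icmp_type: Optional[int] = None
    icmp_payload_len: int = 0

# Form 1: URL content signatures, i.e. references such as cmd.exe that the
# booklet calls indicators of an attack, plus a directory-traversal pattern.
URL_SIGNATURES = [
    ("cmd.exe in request URL", re.compile(r"cmd\.exe", re.I)),
    ("directory traversal in URL", re.compile(r"(\.\./|%2e%2e%2f)", re.I)),
]

# Form 2: traffic-profile signature (session length and amount passed).
# Thresholds are tuning parameters set per network from observed normal traffic.
LONG_SESSION_S = 1800
LARGE_OUTBOUND_BYTES = 100 * 1024 * 1024

# Form 3: protocol analysis.  ICMP echo carries a small payload in normal use;
# a large one, or a type nobody sends legitimately, violates expected behaviour.
ICMP_ECHO_MAX_PAYLOAD = 64
ICMP_EXPECTED_TYPES = {0, 3, 8, 11}

def url_signatures(s: Session) -> list[str]:
    if s.url is None:              # encrypted or non-HTTP: nothing to inspect
        return []
    return [name for name, rx in URL_SIGNATURES if rx.search(s.url)]

def traffic_profile(s: Session) -> list[str]:
    if s.duration_s > LONG_SESSION_S and s.bytes_out > LARGE_OUTBOUND_BYTES:
        return ["long high-volume outbound session"]
    return []

def protocol_analysis(s: Session) -> list[str]:
    if s.proto != "icmp":
        return []
    hits = []
    if s.icmp_type in (0, 8) and s.icmp_payload_len > ICMP_ECHO_MAX_PAYLOAD:
        hits.append("oversized ICMP echo payload")
    if s.icmp_type not in ICMP_EXPECTED_TYPES:
        hits.append("unexpected ICMP type")
    return hits

def analyse(sessions: list[Session]) -> dict[str, list[str]]:
    """Return {session label: [alert names]} for every session that fired."""
    alerts = {}
    for s in sessions:
        hits = url_signatures(s) + traffic_profile(s) + protocol_analysis(s)
        if hits:
            alerts[f"{s.src}->{s.dst}:{s.dport}/{s.proto}"] = hits
    return alerts

def alert_volume(alerts: dict[str, list[str]]) -> Counter:
    """Alerts per signature: the first thing to look at when tuning down noise."""
    return Counter(name for hits in alerts.values() for name in hits)

SAMPLE = [  # constructed records
    Session("203.0.113.9", "192.0.2.10", "tcp", 80, 0.4, 2_048,
            url="/scripts/../../winnt/system32/cmd.exe?/c+dir"),
    Session("198.51.100.4", "192.0.2.10", "tcp", 80, 1.1, 14_000, url="/index.html"),
    # The same attack request over TLS: the sensor sees no URL at all.
    Session("203.0.113.9", "192.0.2.10", "tcp", 443, 0.4, 2_048, encrypted=True),
    # Long, very large outbound TLS session: content unreadable, profile still visible.
    Session("192.0.2.10", "203.0.113.77", "tcp", 443, 5400.0, 750 * 1024 * 1024, encrypted=True),
    Session("203.0.113.9", "192.0.2.10", "icmp", 0, 0.1, 0, icmp_type=8, icmp_payload_len=1400),
]

if __name__ == "__main__":
    result = analyse(SAMPLE)
    for label, hits in result.items():
        print(label, hits)
    print(alert_volume(result))
```

Run it and the cleartext cmd.exe request fires two URL signatures while its TLS twin produces nothing: the only form that still works on the encrypted sessions is the traffic profile. The `alert_volume` count is the starting point for tuning; a signature that fires constantly on a given network is either mis-set or is telling you something about that network's normal traffic.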
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
15. If the institution provides a short-form initial privacy notice
with the opt out notice, does the institution do so only to
consumers with whom the institution does not have a customer
relationship? [§6(d)(1)]