REMINDER - This newsletter is
available for Android smart phones and tablets. Go to the
Market Store and search for yennik.
- Banking malware spies on victims by hijacking webcams,
microphones, researchers say - A new variant of SpyEye malware
allows cybercriminals to monitor potential bank fraud victims by
hijacking their webcams and microphones, according to security
researchers from antivirus vendor Kaspersky Lab.
- FBI quietly forms secretive Net-surveillance unit - CNET has
learned that the FBI has formed a Domestic Communications Assistance
Center, which is tasked with developing new electronic surveillance
technologies, including intercepting Internet, wireless, and VoIP
- Invasion of privacy - Gardaí, the Defence Forces, and Revenue
Commissioners are accessing record levels of private landline,
mobile phone, and internet records. The latest available figures
show authorities accessed more than 40 private communications each
day in 2010 - compared with 31 per day a year earlier.
- Hundreds of words to avoid using online if you don't want the
government spying on you (and they include 'pork', 'cloud' and
'Mexico') - The Department of Homeland Security has been forced to
release a list of keywords and phrases it uses to monitor social
networking sites and online media for signs of terrorist or other
threats against the U.S.
- Texas school district to track kids through RFID tags - A San
Antonio district is so concerned that it can't keep tabs on its kids
that it has decided to insert RFID tags into their IDs. This will,
apparently, save money, as well as help the counting process.
- Clouds don’t need real-time threat reporting tools to win federal
stamp of approval - Cloud companies planning to apply in June for
certification to sell Web services governmentwide will not be
obligated to provide automated threat reports, the government’s
purchasing agency told Nextgov.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- China arrests suspects as ID theft crackdown continues - Beijing
authorities have arrested 160 individuals on charges of stealing
personal information, according to the Chinese news site Sina.
- Researchers uncover causes of MilitarySingles.com hack - A common
web application vulnerability, poor detection capabilities and a
lack of adequate encryption led to the recent hack of
MilitarySingles.com, according to research performed by security
- Hospital agrees to pay $750,000 over data breach allegations - A
Massachusetts hospital has agreed to settle in court to the sum of
$750,000 over allegations concerning its failure to protect
sensitive patient data.
- Information of U.S. federal employees exposed - A computer run by
service provider Serco was compromised in July last year - A hack in
July last year of a computer used by third-party services provider
Serco to support the Thrift Savings Plan run by the U.S. Federal
Retirement Thrift Investment Board resulted in unauthorized access
to the personal information of about 123,201 TSP participants and
payees, FRTIB said Friday.
- Ex-Nokia Siemens engineer admits eBaying nicked routers -
Cash-strapped dad in court for Wi-Fi kit theft - A hard-up
ex-engineer at Nokia Siemens swiped wireless routers worth thousands
of pounds from his employer to refurbish and flog on eBay.
- US mayor and son charged with hacking into opposition site - We'd
rather be fending off global cyberwar, sniff Feds - A small town US
mayor and his son have been arrested over allegations they hacked
into a website calling for his recall.
- Rockefeller questions cybersecurity of gas pipelines - Sen. Jay
Rockefeller (D-W.Va.) questioned whether gas pipelines are
vulnerable to cyberattacks in a letter on Thursday to the president
of a gas trade association. Hackers recently attacked computer
networks managing several major gas pipelines, although it is
unclear how much damage they caused.
- WHMCS Breach May Be Only Tip of the Trouble - A recent breach at
billing and support software provider WHMCS that exposed a half
million customer usernames, passwords - and in some cases credit
cards - may turn out to be the least of the company’s worries.
- Hackers raid U. of Nebraska database with 654k Social Security
nos. - Vandals gained access to a database containing the personal
records, including Social Security numbers, of hundreds of thousands
of University of Nebraska students, alumni and others connected to
the school's four campuses.
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Principle 2: Banks should use transaction authentication methods
that promote non-repudiation and establish accountability for
Non-repudiation involves creating proof of the origin or
delivery of electronic information to protect the sender against
false denial by the recipient that the data has been received, or to
protect the recipient against false denial by the sender that the
data has been sent. Risk of transaction repudiation is already an
issue with conventional transactions such as credit cards or
securities transactions. However, e-banking heightens this risk
because of the difficulties of positively authenticating the
identities and authority of parties initiating transactions, the
potential for altering or hijacking electronic transactions, and the
potential for e-banking users to claim that transactions were
To address these heightened concerns, banks need to make reasonable
efforts, commensurate with the materiality and type of the e-banking
transaction, to ensure that:
1) E-banking systems are designed to reduce the likelihood that
authorized users will initiate unintended transactions and that
customers fully understand the risks associated with any
transactions they initiate.
2) All parties to the transaction are positively authenticated and
control is maintained over the authenticated channel.
3) Financial transaction data are protected from alteration and any
alteration is detectable.
Banking organizations have begun to employ various techniques that
help establish non-repudiation and ensure confidentiality and
integrity of e-banking transactions, such as digital certificates
using public key infrastructure (PKI). A bank may issue a digital
certificate to a customer or counterparty to allow for their unique
identification/authentication and reduce the risk of transaction
repudiation. Although in some countries customers' rights to
disclaim transactions are provided in specific legal provisions,
legislation has been passed in certain national jurisdictions making
digital signatures legally enforceable. Wider global legal
acceptance of such techniques is likely as technology continues to
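The following is an added example, not part of the newsletter or the Basel text: it shows how a digital signature over a payment instruction gives the bank proof of origin and makes any alteration detectable (requirement 3 above). It uses Go's standard-library Ed25519 as a stand-in for the certificate's key pair; the transaction fields and values are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Transaction is a constructed e-banking payment instruction.
type Transaction struct {
	Customer string // identity bound to the certificate's public key
	ToAcct   string
	Amount   int64  // minor units (cents)
	Nonce    string // unique per instruction so one signed record cannot be reused
}

// canonical returns the exact bytes that are signed: fixed field order with
// a separator, so a change to any field changes the signed message.
func canonical(t Transaction) []byte {
	return []byte(fmt.Sprintf("%s|%s|%d|%s", t.Customer, t.ToAcct, t.Amount, t.Nonce))
}

// Sign runs on the customer's side with the private key only they hold.
func Sign(priv ed25519.PrivateKey, t Transaction) []byte {
	return ed25519.Sign(priv, canonical(t))
}

// Verify runs at the bank with the public key from the customer's
// certificate. True means the record is unaltered and was signed by the
// holder of that private key, which is the proof of origin non-repudiation
// needs; a MAC under a shared secret could not give this, since the bank
// itself could have produced it.
func Verify(pub ed25519.PublicKey, t Transaction, sig []byte) bool {
	return ed25519.Verify(pub, canonical(t), sig)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // stands in for the certificate key pair
	if err != nil {
		panic(err)
	}
	tx := Transaction{Customer: "cust-1001", ToAcct: "ACCT-2002", Amount: 25000, Nonce: "n-8f3a"}
	sig := Sign(priv, tx)
	fmt.Println("genuine instruction verifies:", Verify(pub, tx, sig))
	altered := tx
	altered.Amount = 2500000 // alteration in transit is detected
	fmt.Println("altered instruction verifies:", Verify(pub, altered, sig))
}
```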
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
INTRUSION DETECTION AND RESPONSE
Automated Intrusion Detection Systems (IDS) (Part 4 of 4)
Some host-based IDS units address the difficulty of
performing intrusion detection on encrypted traffic. Those units
position their sensors between the decryption of the IP packet and
the execution of any commands by the host. This host-based intrusion
detection method is particularly appropriate for Internet banking
servers and other servers that communicate over an encrypted
channel. Loadable kernel modules (LKMs), however, can defeat these
host-based IDS units.
Host-based intrusion detection systems are recommended by NIST
for all mission-critical systems, even those that should not allow
The heuristic, or behavior, method creates a statistical profile of
normal activity on the host or network. Boundaries for activity are
established based on that profile. When current activity exceeds the
boundaries, an alert is generated. Weaknesses in this system involve
the ability of the system to accurately model activity, the
relationship between valid activity in the period being modeled and
valid activity in future periods, and the potential for malicious
activity to take place while the modeling is performed. This method
is best employed in environments with predictable, stable activity.
Both signature-based and heuristic detection methods result in false
positives (alerts where no attack exists), and false negatives (no
alert when an attack does take place). While false negatives are
obviously a concern, false positives can also hinder detection. When
security personnel are overwhelmed with the number of false
positives, they may look at the IDS reports with less vigor,
allowing real attacks to be reported by the IDS but not researched
or acted upon. Additionally, they may tune the IDS to reduce the
number of false positives, which may increase the number of false
negatives. Risk-based testing is necessary to ensure the detection
capability is adequate.
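Added example, not from the newsletter or the FFIEC booklet: a minimal behavior-based detector of the kind described above, built over constructed hourly failed-login counts. It profiles a modeling period, then scores a later labelled period at several boundary settings, so the trade-off the text describes (tuning out false positives until a slower attack becomes a false negative) can be seen in the numbers.

```go
package main

import (
	"fmt"
	"math"
)

// Profile models normal activity: mean and population std dev of a count.
type Profile struct{ Mean, StdDev float64 }

// Model builds the profile from counts observed during the modeling period.
func Model(baseline []float64) Profile {
	n := float64(len(baseline))
	var sum, sq float64
	for _, v := range baseline {
		sum += v
	}
	for _, v := range baseline {
		sq += (v - sum/n) * (v - sum/n)
	}
	return Profile{Mean: sum / n, StdDev: math.Sqrt(sq / n)}
}

// Evaluate scores a labelled period against the boundary mean + k*stddev
// and returns the number of false positives (alert, no attack) and false
// negatives (attack, no alert); k is the knob analysts turn up to cut FPs.
func Evaluate(p Profile, counts []float64, attack []bool, k float64) (fp, fn int) {
	for i, c := range counts {
		switch alerted := c > p.Mean+k*p.StdDev; {
		case alerted && !attack[i]:
			fp++
		case !alerted && attack[i]:
			fn++
		}
	}
	return fp, fn
}

func main() {
	// Constructed data: failed logins per hour on a banking server; in the later period hour 4 is a burst, hour 6 a slower attack.
	baseline := []float64{4, 6, 5, 7, 5, 6, 4, 5, 6, 5, 7, 4} // modeling period
	test := []float64{5, 8, 6, 30, 5, 10, 7, 9}                // later period
	attack := []bool{false, false, false, true, false, true, false, false}
	p := Model(baseline)
	for _, k := range []float64{2, 3, 5} {
		fp, fn := Evaluate(p, test, attack, k)
		fmt.Printf("k=%.0f boundary=%.2f fp=%d fn=%d\n", k, p.Mean+k*p.StdDev, fp, fn)
	}
}
```

Feeding the attack hour into the modeling period (Model(append(baseline, 30))) widens the profile so much that the slower attack is no longer flagged at k=3, which is the booklet's point about malicious activity during modeling.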
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
17. Does the institution provide consumers who receive the
short-form initial notice with a reasonable means of obtaining the
longer initial notice, such as:
a. a toll-free telephone number that the consumer may call to
request the notice; [§6(d)(4)(i)] or
b. for the consumer who conducts business in person at the
institution's office, having copies available to provide immediately
by hand-delivery? [§6(d)(4)(ii)]