REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.FYI
- "Human error" contributes to nearly all cyber incidents, study
finds - Even though organizations may have all of the bells and
whistles needed in their data security arsenal, it's the human
element that continues to fuel cyber incidents occurring, according
to one recent study.
- The Federal Financial Institutions Examination Council today
launched a Web page on cybersecurity. The Web page is a central
repository for current and future FFIEC-related materials on
- NCUA Hosting Webinar on Mobile Apps - Learn How Mobile
Applications Are Changing the Financial Services Landscape - The
growing use of mobile applications and the rewards and risks
associated with their usage will be discussed during a free webinar,
“Mobile Applications - The Next Step” hosted by the National Credit
Union Administration on Wednesday, July 9, 2014, at 2 p.m. Eastern.
- United Security Bank settles with TRC oil firm for $350K - A
Fresno, Calif., bank has settled with an oil production firm after
fraudulent Ukrainian wire transfers stole more than $200,000 from
the oil firm's accounts.
- Google and Facebook can be legally intercepted, says UK spy boss -
UK intelligence service GCHQ can legally snoop on British use of
Google, Facebook and web-based email without specific warrants
because the firms are based abroad, the government has said.
- Google yanks malicious app from Play Store - A malware app called
“Google Play Stoy,” which intercepts banking credentials,
certificates and text messages from Android devices, has been
removed from the Google Play Store, according to a Wednesday blog
post from FireEye, which worked with Google to remove it.
- Despite patching efforts, 300K servers are still vulnerable to
Heartbleed - The number of servers vulnerable to the Heartbleed
exploit decreased by only around 9,000 in the past month, a recent
scan shows - Despite a great start, the rate of patching OpenSSL
servers against the critical Heartbleed vulnerability has slowed
down to almost a halt. Around 300,000 servers remain vulnerable and
many of them are unlikely to get patched anytime soon.
- Illinois buys cell-tracking gear complete with NDAs, no-bid
process - Homeland Security grant funded secret buy of stingrays for
state police. Newly published documents show that in July 2008, the
Illinois State Police purchased more than $250,000 worth of “covert
cellular tracking equipment” from the Harris Corporation.
- HackingTeam tool makes use of mobile malware targeting all major
platforms - Researchers have uncovered troubling details about a
mobile surveillance service provided by HackingTeam, an Italian
seller of monitoring software.
- Banks, payment services and social networks most targeted by
phishing kits - Financial institutions, ePayment and money transfer
services, and social networks are the top three targets of phishing
kits, respectively, according to PhishLabs.
- Supreme Court's landmark ruling bars warrantless search of cell
phones - In a landmark ruling, the Supreme Court has decided that
police may no longer search the contents of suspects' cell phones
without a warrant.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- P.F. Chang’s Breach Likely Began in Sept. 2013 - The
recently-announced credit card breach at P.F. Chang’s Chinese Bistro
appears to have gone on for at least nine months: New information
indicates that the breach at the nationwide restaurant chain began
on or around Sept. 18, 2013, and didn’t end until June 11, one day
after KrebsOnSecurity.com broke the news about the break-in.
- Hong Kong polling site suffers massive DDoS attack - An online
polling site intended to gauge the support for universal suffrage in
Hong Kong was hit by a large distributed denial-of-service (DDoS)
- Nearly 8,500 notification letters sent out in Metropolitan
Companies breach - About 8,500 notification letters are being sent
out to individuals employed by, or who submitted an application for
employment to, New York-based The Metropolitan Companies, Inc.
- Employee accesses nearly 100K patient files in NRAD Medical
Associates breach - As many as 97,000 current and former patients of
New York-based NRAD Medical Associates had personal information –
including Social Security numbers – compromised by a former employee
radiologist who accessed and acquired the data without
- Hackers steal trade secrets from major US hedge firm - Trades
delayed as multi-million dollar secret sauce snaffled - Criminals
have successfully attacked a hedge fund, delaying trades and
stealing profitable secrets in a rare direct raid on the financial
services sector, according to BAE Systems Applied Intelligence.
- College student faces computer fraud charges, hacked peers'
accounts - A Pasco-Hernando State College student has been arrested
and charged with 11 felony computer fraud charges after hacking into
his peers' accounts.
- Laptop stolen from Calif. hospital stored data on more than 500
patients - More than 500 patients of California-based Riverside
County Regional Medical Center (RCRMC) have been notified that their
personal information was on a laptop that was reported missing from
a hospital procedure room.
- New Jersey teen charged after altering students' grades and
attendance records - A 16-year-old New Jersey teen is being charged
with unlawfully accessing his school district's computer system and
using it to change students' grades and attendance records.
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Legal and Reputational Risk Management
To protect banks against business, legal and reputation risk,
e-banking services must be delivered on a consistent and timely
basis in accordance with high customer expectations for constant and
rapid availability and potentially high transaction demand. The bank
must have the ability to deliver e-banking services to all end-users
and be able to maintain such availability in all circumstances.
Effective incident response mechanisms are also critical to minimize
operational, legal and reputational risks arising from unexpected
events, including internal and external attacks, that may affect the
provision of e-banking systems and services. To meet customers'
expectations, banks should therefore have effective capacity,
business continuity and contingency planning. Banks should also
develop appropriate incident response plans, including communication
strategies, that ensure business continuity, control reputation risk
and limit liability associated with disruptions in their e-banking
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
Encryption is used to secure communications and data storage,
particularly authentication credentials and the transmission of
sensitive information. It can be used throughout a technological
environment, including the operating systems, middleware,
applications, file systems, and communications protocols.
Encryption is used both as a prevention and detection control. As a
prevention control, encryption acts to protect data from disclosure
to unauthorized parties. As a detective control, encryption is used
to allow discovery of unauthorized changes to data and to assign
responsibility for data among authorized parties. When prevention
and detection are joined, encryption is a key control in ensuring
confidentiality, data integrity, and accountability.
Properly used, encryption can strengthen the security of an
institution's systems. Encryption also has the potential, however,
to weaken other security aspects. For instance, encrypted data
drastically lessens the effectiveness of any security mechanism that
relies on inspections of the data, such as anti-virus scanning and
intrusion detection systems. When encrypted communications are used,
networks may have to be reconfigured to allow for adequate detection
of malicious code and system intrusions.
Although necessary, encryption carries the risk of making data
unavailable should anything go wrong with data handling, key
management, or the actual encryption. The products used and
administrative controls should contain robust and effective controls
to ensure reliability.
Encryption can impose significant overhead on networks and computing
devices. A loss of encryption keys or other failures in the
encryption process can deny the institution access to the encrypted
Financial institutions should employ an encryption strength
sufficient to protect information from disclosure until such time as
the information's disclosure poses no material threat. For instance,
authenticators should be encrypted at a strength sufficient to allow
the institution time to detect and react to an authenticator theft
before the attacker can decrypt the stolen authenticators.
Decisions regarding what data to encrypt and at what points to
encrypt the data are typically based on the risk of disclosure and
the costs and risks of encryption. Generally speaking,
authenticators are always encrypted whether on public networks or on
the financial institution's network. Sensitive information is also
encrypted when passing over a public network, and also may be
encrypted within the institution.
Encryption cannot guarantee data security. Even if encryption is
properly implemented, for example, a security breach at one of the
endpoints of the communication can be used to steal the data or
allow an intruder to masquerade as a legitimate system user.
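The booklet's three roles for encryption (prevention of disclosure, detection of unauthorized change, and accountability for data among parties), together with the key-loss risk it warns about, can be seen in a small authenticated-encryption routine. The following is an added example written for this newsletter, not code from the FFIEC booklet or from any product; to stay on the Python standard library it uses HMAC-SHA256 both as a counter-mode keystream generator and as the integrity tag, standing in for a production AEAD such as AES-GCM. All key values, the sample record and the customer identifiers are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets


class IntegrityError(Exception):
    """Raised when the authentication tag does not verify (tampering or wrong key)."""


def derive_keys(master_key: bytes) -> tuple[bytes, bytes]:
    """Split one master key into independent encryption and MAC keys (HMAC used as a KDF)."""
    enc_key = hmac.new(master_key, b"encryption", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"authentication", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for a block cipher in CTR mode)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _mac_input(context: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    # Length-prefix the context so the boundary between context and data is unambiguous.
    return len(context).to_bytes(8, "big") + context + nonce + ciphertext


def seal(master_key: bytes, plaintext: bytes, context: bytes = b"") -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag.

    `context` is authenticated but not encrypted (e.g. the owning customer id),
    so a ciphertext cannot be silently re-attached to a different record.
    """
    enc_key, mac_key = derive_keys(master_key)
    nonce = secrets.token_bytes(16)
    ks = keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, _mac_input(context, nonce, ciphertext), hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(master_key: bytes, blob: bytes, context: bytes = b"") -> bytes:
    """Verify the tag first (constant-time compare), then decrypt."""
    if len(blob) < 16 + 32:
        raise IntegrityError("blob too short")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = derive_keys(master_key)
    expected = hmac.new(mac_key, _mac_input(context, nonce, ciphertext), hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise IntegrityError("authentication tag mismatch")
    ks = keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def _fails(key: bytes, blob: bytes, context: bytes) -> bool:
    """True if unseal rejects the blob, False if it decrypts."""
    try:
        unseal(key, blob, context)
    except IntegrityError:
        return True
    return False


def demonstrate() -> dict:
    """Exercise the controls the booklet describes and report each outcome."""
    key = secrets.token_bytes(32)
    record = b"account=12345;password_hash=sha256:abcd"  # constructed sample authenticator
    owner = b"customer:12345"  # constructed context value
    blob = seal(key, record, context=owner)
    results = {"roundtrip": unseal(key, blob, context=owner) == record}

    # Prevention control: the stored blob exposes nothing recognisable from the plaintext.
    results["plaintext_hidden"] = b"password_hash" not in blob

    # Detective control: one flipped ciphertext bit is caught before any data is released.
    tampered = bytearray(blob)
    tampered[20] ^= 0x01
    results["tamper_detected"] = _fails(key, bytes(tampered), owner)

    # Accountability: the same blob presented under another customer's context is rejected.
    results["wrong_context_detected"] = _fails(key, blob, b"customer:99999")

    # Availability risk: with the key lost (here, a different key) the data is unrecoverable.
    results["lost_key_unrecoverable"] = _fails(secrets.token_bytes(32), blob, owner)
    return results


if __name__ == "__main__":
    for name, ok in demonstrate().items():
        print(f"{name}: {ok}")
```

Two design points carry the booklet's argument: the tag is checked before any decryption happens (so a modified record is never acted on), and the last check shows why key management is an availability control rather than only a confidentiality one, since nothing in the routine can recover the record without the original key.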
INTERNET PRIVACY -
We continue our review of the issues in the "Privacy of Consumer
Financial Information" published by the financial regulatory
Exceptions to the opt-out right are detailed in sections 13, 14,
and 15 of the regulations. Financial institutions need not comply
with opt-out requirements if they limit disclosure of nonpublic
1) To a nonaffiliated third party to perform services for the
financial institution or to function on its behalf, including
marketing the institution's own products or services or those
offered jointly by the institution and another financial
institution. The exception is permitted only if the financial
institution provides notice of these arrangements and by contract
prohibits the third party from disclosing or using the information
for other than the specified purposes. In a contract for a joint
marketing agreement, the contract must provide that the parties to
the agreement are jointly offering, sponsoring, or endorsing a
financial product or service. However, if the service or function is
covered by the exceptions in section 14 or 15 (discussed below), the
financial institution does not have to comply with the additional
disclosure and confidentiality requirements of section 13.
Disclosure under this exception could include the outsourcing of
marketing to an advertising company. (Section 13)
2) As necessary to effect, administer, or enforce a transaction
that a consumer requests or authorizes, or under certain other
circumstances relating to existing relationships with customers.
Disclosures under this exception could be in connection with the
audit of credit information, administration of a rewards program, or
to provide an account statement. (Section 14)
3) For specified other disclosures that a financial institution
normally makes, such as to protect against or prevent actual or
potential fraud; to the financial institution's attorneys,
accountants, and auditors; or to comply with applicable legal
requirements, such as the disclosure of information to regulators.