Legislators call for lifetime identity protection for OPM data
breach victims - Nine legislators are putting their support behind a
bill that, if passed, would provide free lifetime identity theft
protection coverage to the victims of the Office of Personnel
Management (OPM) data breaches.
China makes internet shut-downs official with new security law - If
it threatens security, China reserves the right to switch off
networks - China is able to shut off internet access during major
'social security incidents' and has granted its Cyberspace
Administration agency wider decision making powers under a draft law
published this month.
Two U.S. telecoms to pay $3.5M for data breach - Two sister mobile
and telecom service providers will pay a combined $3.5 million after
the U.S. Federal Communications Commission found that they were
storing customers' personal data on unprotected servers accessible
over the Internet.
Encryption backdoors for cops are unworkable, will put internet
security at risk, warn experts - Demands for access to encrypted
communications raise huge technical and ethical questions, according
to security researchers.
NYC investigator convicted for hiring hackers, fears retaliation
from clients - A New York City private investigator who was
convicted of hiring hackers to assist in his work now fears that his
former clients will retaliate after it emerged that he cooperated
Thousands of vulnerabilities identified in government system -
Nearly 3,000 critical and high-risk vulnerabilities were identified
in three U.S. Department of the Interior (DOI) bureaus.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Hotels announces payment card incident involving malware -
California-based Evans Hotels – which operates Bahia Resort Hotel,
Catamaran Resort Hotel and Spa, and The Lodge at Torrey Pines –
announced that malware was installed on computers at the front desks
of its properties that could have compromised payment card data.
Oriental says 10 properties impacted in credit card breach -
Mandarin Oriental Hotel Group said Friday that 10 of its properties
were affected in a malware attack on its credit card systems.
bug prompts Range Rover recall - Land Rover is recalling more than
65,000 cars to fix a software bug that can "unlatch" the vehicles'
USB stick contains Barclays data, customers offered compensation -
London-based Barclays bank will pay out more than $780,000 in
compensation to the 2,000 customers who had personal information on
a USB stick that was recovered at an apartment in England during a
criminal investigation, The Herald in Scotland reported on Monday.
Canada's Online Photocentre down after potential breach - Walmart
Canada has taken down its online photo processing service and is
investigating a possible breach that may have compromised the credit
card information of up to 60,000 people, according to The Globe and
provides additional information on payment card breach - Payment
cards used at certain Hershey Entertainment & Resorts Company (HE&R)
properties may have been compromised.
Plan compromises personal data of 722 patients - University of
Pittsburgh Medical Center (UPMC) Health Plan said Tuesday that the
information of 722 insurance subscribers has been compromised in its
third breach in two years.
Epic Games forums compromised, passwords to be reset - The forums
for Epic Games – the video game development company responsible for
the Gears of War series and Infinity Blade series – have been
compromised, according to a notification letter published on
Army National Guard breach affects 850K, not related to OPM -
Personal information from more than 850,000 current and former Army
National Guard members may have been compromised, according to a
WEB SITE COMPLIANCE -
Risk Management of
Outsourced Technology Services
Due Diligence in Selecting a Service Provider
Some of the factors that institutions should consider when
performing due diligence in selecting a service provider are
categorized and listed below. Institutions should review the service
provider’s due diligence process for any of its significant
supporting agents (i.e., subcontractors, support vendors, and other
parties). Depending on the services being outsourced and the level
of in-house expertise, institutions should consider whether to hire
or consult with qualified independent sources. These sources include
consultants, user groups, and trade associations that are familiar
with products and services offered by third parties. Ultimately, the
depth of due diligence will vary depending on the scope and
importance of the outsourced services as well as the risk to the
institution from these services.
FFIEC IT SECURITY
We continue the
series from the FDIC "Security Risks Associated with the
Utilization of the Internet presents numerous issues and risks
which must be addressed. While many aspects of system performance
will present additional challenges to the bank, some will be beyond
the bank's control. The reliability of the Internet continues to
improve, but situations including delayed or misdirected
transmissions and operating problems involving Internet Service
Providers (ISPs) could also have an effect on related aspects of the
The risks will not remain static. As technologies evolve, security
controls will improve; however, so will the tools and methods used
by others to compromise data and systems. Comprehensive security
controls must not only be implemented, but also updated to guard
against current and emerging threats. Security controls that address
the risks will be presented over the next few weeks.
The FDIC paper discusses the primary interrelated technologies,
standards, and controls that presently exist to manage the risks of
data privacy and confidentiality, data integrity, authentication,
Encryption, Digital Signatures, and Certificate Authorities
Encryption techniques directly address the security issues
surrounding data privacy, confidentiality, and data integrity.
Encryption technology is also employed in digital signature
processes, which address the issues of authentication and
non-repudiation. Certificate authorities and digital certificates
are emerging to address security concerns, particularly in the area
of authentication. The function of and the need for encryption,
digital signatures, certificate authorities, and digital
certificates differ depending on the particular security issues
presented by the bank's activities. The technologies,
implementation standards, and the necessary legal infrastructure
continue to evolve to address the security needs posed by the
Internet and electronic commerce.
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 20 -
ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL COMPUTER SYSTEM
Vulnerabilities Related to Payroll Fraud
The primary safeguards
against falsified time sheets are review and approval by supervisory
personnel, who are not permitted to approve their own time and
attendance data. The risk assessment has concluded that, while
imperfect, these safeguards are adequate. The related requirement
that a clerk and a supervisor must cooperate closely in creating
time and attendance data and submitting the data to the mainframe
also safeguards against other kinds of illicit manipulation of time
and attendance data by clerks or supervisors acting independently.
When a PC user enters a
password to the server during I&A, the password is sent to the
server by broadcasting it over the LAN "in the clear." This allows
the password to be intercepted easily by any other PC connected to
the LAN. In fact, so-called "password sniffer" programs that capture
passwords in this way are widely available. Similarly, a malicious
program planted on a PC could also intercept passwords before
transmitting them to the server. An unauthorized individual who
obtained the captured passwords could then run the time and
attendance application in place of a clerk or supervisor. Users
might also store passwords in a log-on script file.
Bogus Time and
The server's access
controls are probably adequate for protection against bogus time and
attendance applications that run on the server. However, the
server's operating system and access controls have only been in
widespread use for a few years and contain a number of
security-related bugs. And the server's access controls are
ineffective if not properly configured, and the administration of
the server's security features in the past has been notably lax.
Modification of Time and Attendance Data
unauthorized modification of time and attendance data requires a
variety of safeguards because each system component on which the
data are stored or transmitted is a potential source of
First, the time and
attendance data are entered on the server by a clerk. On occasion,
the clerk may begin data entry late in the afternoon, and complete
it the following morning, storing it in a temporary file between the
two sessions. One way to avoid unauthorized modification is to store
the data on a diskette and lock it up overnight. After being
entered, the data will be stored in another temporary file until
reviewed and approved by a supervisor. These files, now stored on
the system, must be protected against tampering. As before, the
server's access controls, if reliable and properly configured, can
provide such protection (as can digital signatures, as discussed
later) in conjunction with proper auditing.
Second, when the
supervisor approves a batch of time and attendance data, the time
and attendance application sends the data over the WAN to the
mainframe. The WAN is a collection of communications equipment and
special-purpose computers called "switches" that act as relays,
routing information through the network from source to destination.
Each switch is a potential site at which the time and attendance
data may be fraudulently modified. For example, an HGA PC user might
be able to intercept time and attendance data and modify the data
en route to the payroll application on the mainframe. Opportunities
include tampering with incomplete time and attendance input files
while stored on the server, interception and tampering during WAN
transit, or tampering on arrival to the mainframe prior to
processing by the payroll application.
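As an added illustration (not from the NIST handbook or this newsletter) of how an integrity tag applied at supervisor approval lets the payroll side detect the tampering described above, whether in the server's temporary file or at a WAN switch: Python, standard library only, with a keyed HMAC shared between the approval step and the payroll application standing in for the digital signature the handbook mentions (a real deployment would use an asymmetric signature so the approval is also non-repudiable). The batch contents, employee ids and key are constructed for the demonstration.

```python
import hashlib
import hmac
import json
from copy import deepcopy

# Constructed sample input (hypothetical data): one batch of time and attendance
# records as the clerk entered them, awaiting the supervisor's approval.
SAMPLE_BATCH = {
    "batch_id": "TA-2015-27",
    "supervisor": "E-0042",
    "records": [
        {"employee": "E-1183", "week": "2015-W27", "hours": 40.0},
        {"employee": "E-2291", "week": "2015-W27", "hours": 32.5},
    ],
}

def canonical(batch):
    # Deterministic serialization so approver and payroll hash identical bytes.
    return json.dumps(batch, sort_keys=True, separators=(",", ":")).encode()

def approve_batch(batch, key):
    # Supervisor approval: enforce the no-self-approval rule, then bind the
    # batch id, approving supervisor and every record under one integrity tag.
    if any(r["employee"] == batch["supervisor"] for r in batch["records"]):
        raise ValueError("supervisors may not approve their own time and attendance")
    tag = hmac.new(key, canonical(batch), hashlib.sha256).hexdigest()
    return {"batch": deepcopy(batch), "tag": tag}

def verify_batch(envelope, key):
    # Payroll side: recompute the tag and compare in constant time; any change
    # to a record, the batch id or the supervisor field yields a mismatch.
    expected = hmac.new(key, canonical(envelope["batch"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope["tag"])

def tamper_in_transit(envelope, employee, hours):
    # Simulate a WAN switch (or the server's temporary file) being used to
    # alter one record after approval but before payroll processing.
    altered = deepcopy(envelope)
    for r in altered["batch"]["records"]:
        if r["employee"] == employee:
            r["hours"] = hours
    return altered

if __name__ == "__main__":
    key = b"constructed-shared-key-for-demo-only"  # hypothetical shared key
    env = approve_batch(SAMPLE_BATCH, key)
    print("clean batch verifies:", verify_batch(env, key))  # True
    forged = tamper_in_transit(env, "E-2291", 80.0)
    print("tampered batch verifies:", verify_batch(forged, key))  # False
```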
Third, on arrival at
the mainframe, the time and attendance data are held in a temporary
file on the mainframe until the payroll application is run.
Consequently, the mainframe's I&A and access controls must provide a
critical element of protection against unauthorized modification of
According to the risk
assessment, the server's access controls, with prior caveats,
probably provide acceptable protection against unauthorized
modification of data stored on the server. The assessment concluded
that a WAN-based attack involving collusion between an employee of
HGA and an employee of the WAN service provider, although unlikely,
should not be dismissed entirely, especially since HGA has only
cursory information about the service provider's personnel security
practices and no contractual authority over how it operates the WAN.
The greatest source of
vulnerabilities, however, is the mainframe. Although its operating
system's access controls are mature and powerful, it uses
password-based I&A. This is of particular concern, because it serves
a large number of federal agencies via WAN connections. A number of
these agencies are known to have poor security programs. As a
result, one such agency's systems could be penetrated (e.g., from
the Internet) and then used in attacks on the mainframe via the WAN.
In fact, time and attendance data awaiting processing on the
mainframe would probably not be as attractive a target to an
attacker as other kinds of data or, indeed, disabling the system,
rendering it unavailable. For example, an attacker might be able to
modify the employee database so that it disbursed paychecks or
pension checks to fictitious employees. Disclosure-sensitive law
enforcement databases might also be attractive targets.
The access control on
the mainframe is strong and provides good protection against
intruders breaking into a second application after they have broken
into a first. However, previous audits have shown that the
difficulties of system administration may present some opportunities
for intruders to defeat access controls.