REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
- Some Things Should Be Banned from the Internet of Things - The
unknown danger in connecting an increasing number of analog objects,
such as light bulbs, to the Web is worrying policy advisers.
Who has your credit card data? 1 million HOLIDAY-MAKERS' RECORDS
exposed - Travel agent fined £150K - Sloppy coding fingered - A
UK-based online travel firm has been fined £150,000 over a breach of
breach of the Data Protection Act after their "insecure" coding
reportedly exposed more than a million customer records to
Former student sentenced to six months for Nebraska university hack
- A former University of Nebraska-Lincoln student that hacked into
the university's computer system in 2012 was sentenced to six months
in prison on Thursday, and also must pay more than $107,000 in
restitution, according to a Thursday Omaha.com report.
Underinvestment, poor communication plague Canadian cybersecurity -
Canadian cyber security is languishing due to poor communication and
disappointing security investments, according to research from the
Ponemon Institute. A two-part report revealed that almost a quarter
of cyber teams in Canada never speak with their executive team about
IT security issues.
Hackers seed Amazon cloud with potent denial-of-service bots - Bug
in open source analytics app may have compromised other services,
too. Attackers have figured out a new way to get Amazon's cloud
service to wage potent denial-of-service attacks on third-party
websites—by exploiting security vulnerabilities in an open source
search and analytics application known as Elasticsearch.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
European Central Bank suffers security breach, personal data stolen
- The European Central Bank's website has been hacked and personal
information has been stolen by a cybercriminal. The European Central
Bank (ECB) admitted Thursday that a security breach has led to the
theft of personal data.
Hacker claims breach of Wall Street Journal and Vice websites, punts
'user data' for sale - Also supposedly hit a gadgets site called
'CNET' - A hacker known for attacking news websites has claimed
successful hacks against both the Wall Street Journal and Vice.
Attackers raid SWISS BANKS with DNS and malware bombs - 'Retefe'
trojan uses clever spin on old attacks to grant total control of
bank accounts - Attackers suspected of residing in Russia are
raiding Swiss bank accounts with a multi-faceted attack that
intercepts SMS tokens and changes domain name system settings,
researchers have warned.
Card Breach at Goodwill Industries - Heads up, bargain shoppers:
Financial institutions across the country report that they are
tracking what appears to be a series of credit card breaches
involving Goodwill locations nationwide. For its part, Goodwill
Industries International Inc. says it is working with the U.S.
Secret Service on an investigation into these reports.
Laptop stolen from Self Regional Healthcare contained patient data -
South Carolina-based Self Regional Healthcare (SRH) is notifying at
least 500 patients that their personal information – including
Social Security numbers and financial data – was on a laptop stolen
from an SRH facility.
ECB database hacked, attackers ask for financial compensation -
Cyber thieves hacked into a database at European Central Bank (ECB)
and stole email addresses and contact information for users who
signed up for bank events via its public website, ECB said Thursday.
Hacker Breached NOAA Satellite Data from Contractor’s PC - National
Oceanic and Atmospheric Administration satellite data was stolen
from a contractor's personal computer last year, but the agency
could not investigate the incident because the employee refused to
turn over the PC, according to a new inspector general report.
Catch of the Day reveals three-year old data breach - Daily deals
website Catch of the Day last night revealed it had suffered a
serious data breach in 2011 that led to customer passwords and a
number of credit card details being stolen.http://www.itnews.com.au/News/390097,catch-of-the-day-reveals-three-year-old-data-breach.aspx
- Seattle University donor checks possibly exposed due to settings
error - Seattle University is notifying an undisclosed number of
donors that incorrect permission settings on an internal drive made
it possible for anyone with a Seattle University computer account to
view scanned checks, without authorization.
- Programming error results in CVS Caremark mailing blunder - About
350 CVS Caremark customers are being notified that a programming
error resulted in mailers containing their personal information
being sent to the wrong customers.
John's sandwich chain investigating possible breach - Jimmy John's
sandwich chain is investigating a possible breach of customer credit
compromise Gizmodo Brazil - Attacks on Gizmodo's Brazilian site and
the website of an unnamed logistics firm hosted by the same ISP have
prompted Trend Micro to investigate whether “a vulnerability was
used in order to penetrate the web servers,” according to a company
breach impacting 650K customers dates back to 2010 - Irish bookmaker
Paddy Power is notifying 649,055 customers that their data was
stolen in a breach dating back to 2010.
Backcountry Gear website, payment cards compromised - Malware
installed on the Backcountry Gear website for about three months
beginning in late April likely resulted in a compromise of customer
information, including payment card data.
to spying on Senate committee - After months of denials, CIA
Director John Brennan apologizes for spying on Senate Intelligence
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Risk Management Principles for Electronic Banking
The e-banking risk management principles identified in this
Report fall into three broad, and often overlapping, categories of
issues. However, these principles are not weighted by order of
preference or importance. If only because such weighting might
change over time, it is preferable to remain neutral and avoid such
A. Board and Management Oversight (Principles 1 to 3):
1. Effective management oversight of e-banking activities.
2. Establishment of a comprehensive security control process.
3. Comprehensive due diligence and management oversight process for
outsourcing relationships and other third-party dependencies.
B. Security Controls (Principles 4 to 10):
4. Authentication of e-banking customers.
5. Non-repudiation and accountability for e-banking transactions.
6. Appropriate measures to ensure segregation of duties.
7. Proper authorization controls within e-banking systems, databases
8. Data integrity of e-banking transactions, records, and
9. Establishment of clear audit trails for e-banking transactions.
10. Confidentiality of key bank information.
C. Legal and Reputational Risk Management (Principles 11 to
11. Appropriate disclosures for e-banking services.
12. Privacy of customer information.
13. Capacity, business continuity and contingency planning to ensure
availability of e-banking systems and services.
14. Incident response planning.
Each of the above principles will be cover over the next few weeks,
as they relate to e-banking and the underlying risk management
principles that should be considered by banks to address these
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
Malicious code is any program that acts in unexpected and
potentially damaging ways. Common types of malicious code are
viruses, worms, and Trojan horses. The functions of each were once
mutually exclusive; however, developers combined functions to create
more powerful malicious code. Currently malicious code can replicate
itself within a computer and transmit itself between computers.
Malicious code also can change, delete, or insert data, transmit
data outside the institution, and insert backdoors into institution
systems. Malicious code can attack institutions at either the server
or the client level. It can also attack routers, switches, and other
parts of the institution infrastructure. Malicious code can also
monitor users in many ways, such as logging keystrokes, and
transmitting screenshots to the attacker.
Typically malicious code is mobile, using e - mail, Instant
Messenger, and other peer-to-peer (P2P) applications, or active
content attached to Web pages as transmission mechanisms. The code
also can be hidden in programs that are downloaded from the Internet
or brought into the institution on diskette. At times, the malicious
code can be created on the institution's systems either by intruders
or by authorized users. The code can also be introduced to a Web
server in numerous ways, such as entering the code in a response
form on a Web page.
Malicious code does not have to be targeted at the institution to
damage the institution's systems or steal the institution's data.
Most malicious code is general in application, potentially affecting
all Internet users with whatever operating system or application the
code needs to function.
Return to the top of
INTERNET PRIVACY -
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
Financial Institution Duties ( Part 3 of 6)
Requirements for Notices
Clear and Conspicuous. Privacy notices must be clear and
conspicuous, meaning they must be reasonably understandable and
designed to call attention to the nature and significance of the
information contained in the notice. The regulations do not
prescribe specific methods for making a notice clear and
conspicuous, but do provide examples of ways in which to achieve the
standard, such as the use of short explanatory sentences or bullet
lists, and the use of plain-language headings and easily readable
typeface and type size. Privacy notices also must accurately reflect
the institution's privacy practices.
Delivery Rules. Privacy notices must be provided so that each
recipient can reasonably be expected to receive actual notice in
writing, or if the consumer agrees, electronically. To meet this
standard, a financial institution could, for example, (1)
hand-deliver a printed copy of the notice to its consumers, (2) mail
a printed copy of the notice to a consumer's last known address, or
(3) for the consumer who conducts transactions electronically, post
the notice on the institution's web site and require the consumer to
acknowledge receipt of the notice as a necessary step to completing
For customers only, a financial institution must provide the initial
notice (as well as the annual notice and any revised notice) so that
a customer may be able to retain or subsequently access the notice.
A written notice satisfies this requirement. For customers who
obtain financial products or services electronically, and agree to
receive their notices on the institution's web site, the institution
may provide the current version of its privacy notice on its web