REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
- Feds ‘Hacked’ Silk Road Without a Warrant? Perfectly Legal,
Prosecutors Argue - With only a month until the scheduled trial of
Ross Ulbricht, the alleged creator of the Silk Road drug site,
Ulbricht’s defense lawyers have zeroed in on the argument that the
U.S. government illegally hacked the billion-dollar black market
site to expose the location of its hidden server.
'A motivated, funded, skilled hacker will always get in' – Schneier
- It's how you respond that's key, says securo guru - IP Expo
Hacking attacks are more or less inevitable, so organisations need
to move on from the protection and detection of attacks towards
managing their response to breaches so as to minimise harm,
according to security guru Bruce Schneier.
JPMorgan hackers targeted 13 firms, including Fidelity, report
reveals - Fidelity Investments, a major mutual fund and financial
services firm, is believed to have been targeted by the same hackers
which struck JPMorgan Chase, the Financial Times has revealed.
- Report examines cloud-based security market drivers, concerns - A
new report sheds light on the growing number cloud-based security
vendors in the marketplace, as well as concerns that may arise as
enterprises take advantage of solutions facilitating secure adoption
of cloud services.
- ABA wants to automatically call and text mobiles regarding breach
and fraud alerts - With data breach and fraud alerts in mind, the
American Bankers Association (ABA) filed a petition on Tuesday
asking the Federal Communications Commission (FCC) to remove
“outdated regulatory restrictions” that prevent sending automated
calls and texts to mobile devices.
- TD Bank reaches $850K breach settlement with states - TD Bank has
reached a settlement with several states, in order to resolve an
investigation of a 2012 data breach in which it lost unencrypted
backup tapes containing data of 260,000 customers.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Bond insurer MBIA investigates potential breach of client data -
MBIA, the country's largest bond insurer, says that data related to
an undisclosed number of its customers may have been “illegally
'Crypto-ransomware' scam email brings down ABC News 24 - A scam
email was enough to bring down Australia's national broadcaster,
with ABC News 24's Sydney studios being compromised by a "crypto-ransomware
ATM malware dispenses cash to attackers - A backdoor program
allowing cash dispersal has been detected on automated teller
machines in multiple countries, although mostly in Russia. Kaspersky
Lab reports that the program, designated Backdoor.MSIL.Tyupkin,
requires physical access to the ATM system and booting it off of a
CD to install the malware.
Dairy Queen confirms breach, Backoff malware intrusion at 395 U.S.
stores - A data breach at International Dairy Queen, Inc. has
resulted in systems at 395 of its more than 4,500 U.S. stores and
one Orange Julius location being infected with the same Backoff
malware that has plagued other retailers nationwide and exposed
customer payment information.
Attackers Hacked Critical Manufacturing Firm For Months - An unnamed
manufacturing firm vital to the U.S. economy recently suffered a
prolonged hack, the Department of Homeland Security has disclosed.
Kmart shops hit by payment card hack attackKmart store Kmart is the
latest big US chain to be attacked by hackers - Cash registers at
1,200 Kmart stores were infected with malware that scooped up
payment card numbers for over a month, reports the retailer.
Snapsaved.com breach prompts Snapchat warning - A claim Monday by
Snapsaved.com that its servers had been breached and 500 megabytes
of photographs had been stolen, prompted Snapchat to issue a warning
to users about “the unfortunate threats these third-party
applications can pose.”
Oregon Employment Department notifies 850K individuals of breach -
The Oregon Employment Department (OED) is notifying more than
850,000 individuals that their personal information – including
Social Security numbers – may have been compromised during an
intrusion into the agency's website.
- Physician's email account, accessed by unknown source, contained
patient data - UC Davis Health System is notifying 1,326 patients
that a physician's work email account was accessed by an unknown
source and an email within that account contained their personal or
- Hackers targeted Chase Corporate Challenge site to find
infiltration route - A previously known breach of the JPMorgan Chase
Corporate Challenge website has now been confirmed as one of many
avenues cyber attackers explored while trying to gain access to the
bank's internal systems.
- Marquette University notifies graduate applicants of possible
breach - Marquette University is notifying an undisclosed number of
people that settings for an internal file server were inadvertently
modified, enabling anyone with University login credentials to
access personal information – including Social Security numbers – on
their graduate school applications.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Principle 5: Banks should ensure that appropriate measures are
in place to protect the data integrity of e-banking transactions,
records and information.
Data integrity refers to the assurance that information that is
in-transit or in storage is not altered without authorization.
Failure to maintain the data integrity of transactions, records and
information can expose banks to financial losses as well as to
substantial legal and reputational risk.
The inherent nature of straight-through processes for e-banking may
make programming errors or fraudulent activities more difficult to
detect at an early stage. Therefore, it is important that banks
implement straight-through processing in a manner that ensures
safety and soundness and data integrity.
As e-banking is transacted over public networks, transactions are
exposed to the added threat of data corruption, fraud and the
tampering of records. Accordingly, banks should ensure that
appropriate measures are in place to ascertain the accuracy,
completeness and reliability of e-banking transactions, records and
information that is either transmitted over Internet, resident on
internal bank databases, or transmitted/stored by third-party
service providers on behalf of the bank. Common practices used to
maintain data integrity within an e-banking environment include the
1) E-banking transactions should be conducted in a manner that
makes them highly resistant to tampering throughout the entire
2) E-banking records should be stored, accessed and modified in a
manner that makes them highly resistant to tampering.
3) E-banking transaction and record-keeping processes should be
designed in a manner as to make it virtually impossible to
circumvent detection of unauthorized changes.
4) Adequate change control policies, including monitoring and
testing procedures, should be in place to protect against any
e-banking system changes that may erroneously or unintentionally
compromise controls or data reliability.
5) Any tampering with e-banking transactions or records should be
detected by transaction processing, monitoring and record keeping
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
ELECTRONIC AND PAPER - BASED MEDIA HANDLING
Sensitive information is frequently contained on media such as
paper documents, output reports, back-up tapes, disks, cassettes,
optical storage, test data, and system documentation. Protection of
that data requires protection of the media. The theft, destruction,
or Information Security other loss of the media could result in the
exposure of corporate secrets, breaches in customer confidentiality,
alteration of data, and the disruption of business activities. The
policies and procedures necessary to protect media may need revision
as new data storage technologies are contemplated for use and new
methods of attack are developed. The sensitivity of the data (as
reflected in the data classification) dictates the extent of
procedures and controls required. Many institutions find it easier
to store and dispose of all media consistently without having to
segregate out the most sensitive information. This approach also can
help reduce the likelihood that someone could infer sensitive
information by aggregating a large amount of less sensitive
information. Management must address three components to secure
media properly: handling and storage, disposal, and transit.
HANDLING AND STORAGE
IT management should ensure secure storage of media from
unauthorized access. Controls could include physical and
environmental controls including fire and flood protection, limited
access (e.g., physical locks, keypad, passwords, biometrics),
labeling, and logged access. Management should establish access
controls to limit access to media, while ensuring all employees have
authorization to access the minimum level of data required to
perform their responsibilities. More sensitive media like system
documentation, application source code, and production transaction
data should have more extensive controls to guard against alteration
(e.g., integrity checkers, cryptographic hashes). Furthermore,
policies should minimize the distribution of sensitive media,
including the printouts of sensitive information. Periodically, the
security staff, audit staff, and data owners should review
authorization levels and distribution lists to ensure they remain
appropriate and current.
Return to the top of
INTERNET PRIVACY -
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
Sharing nonpublic personal information with nonaffiliated third
parties under Sections 14 and/or 15 and outside of exceptions (with
or without also sharing under Section 13). (Part 3 of 3)
C. Opt Out Right
1) Review the financial institution's opt out notices. An opt out
notice may be combined with the institution's privacy notices.
Regardless, determine whether the opt out notices:
a. Are clear and conspicuous (§§3(b) and 7(a)(1));
b. Accurately explain the right to opt out (§7(a)(1));
c. Include and adequately describe the three required items of
information (the institution's policy regarding disclosure of
nonpublic personal information, the consumer's opt out right, and
the means to opt out) (§7(a)(1)); and
d. Describe how the institution treats joint consumers (customers
and those who are not customers), as applicable (§7(d)).
2) Through discussions with management, review of the
institution's policies and procedures, and a sample of electronic or
written records where available, determine if the institution has
adequate procedures in place to provide the opt out notice and
comply with opt out directions of consumers (customers and those who
are not customers), as appropriate. Assess the following:
a. Timeliness of delivery (§10(a)(1));
b. Reasonableness of the method of delivery (e.g., by hand; by
mail; electronically, if the consumer agrees; or as a necessary step
of a transaction) (§9).
c. Reasonableness of the opportunity to opt out (the time allowed
to and the means by which the consumer may opt out)
(§§10(a)(1)(iii), 10(a)(3)); and
d. Adequacy of procedures to implement and track the status of a
consumer's (customers and those who are not customers) opt out
direction, including those of former customers (§7(e), (f), (g)).