FYI
- New NIST cybersecurity standards could pose liability risks - Once
passed, the standard will become the benchmark to measure critical
infrastructure security programs - Critical infrastructure companies
could face new liability risks if they fail to meet voluntary
cybersecurity standards being developed by the National Institute of
Standards and Technology.
http://www.computerworld.com/s/article/9243150/New_NIST_cybersecurity_standards_could_pose_liability_risks?taxonomyId=17s
FYI
- Cyber defenders are in short supply as hacking wars escalate - For
the governments and corporations facing increasing computer attacks,
the biggest challenge is finding the right cyber warriors to fight
back.
http://www.nbcnews.com/technology/cyber-defenders-are-short-supply-hacking-wars-escalate-8C11390053
FYI
- Japan needs 80,000 EXTRA info-security bods to stay safe - Japan
has an 80,000 shortfall in infosec professionals, and needs to
provide extra training for more than half of those currently in the
industry, if it’s to protect key IT systems from attack, according
to the government.
http://www.theregister.co.uk/2013/10/09/japan_infosecurity_skills_shortage/
FYI
- New malware enables attackers to take money directly from ATMs -
Skimmers were once thought to be the bane of the ATM compromising
world, but the trends may end up shifting now that security
researchers have discovered a piece of malware, known as Ploutus,
which has been infecting money machines in Mexico.
http://www.scmagazine.com/new-malware-enables-attackers-to-take-money-directly-from-atms/article/316409/?DCMP=EMC-SCUS_Newswire
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Nordstrom Finds Cash Register Skimmers - Scam artists who deploy
credit and debit card skimmers most often target ATMs, yet thieves
can also use inexpensive, store-bought skimming devices to
compromise modern-day cash registers. Just this past weekend, for
instance, department store chain Nordstrom said it found a
half-dozen of these skimmers affixed to registers at a store in
Florida.
http://krebsonsecurity.com/2013/10/nordstrom-finds-cash-register-skimmers/
http://www.scmagazine.com/scammers-bug-nordstrom-registers-with-40-devices-to-skim-card-data/article/316001/?DCMP=EMC-SCUS_Newswire
FYI
- Hackers exploit vBulletin flaw to inject rogue admin accounts -
Users should delete the 'install' directories from their vBulletin
deployments and upgrade to the latest version of the software -
Hackers are exploiting a vulnerability in the popular vBulletin
Internet forum software in order to inject rogue administrator
accounts into websites using it.
http://www.computerworld.com/s/article/9243126/Hackers_exploit_vBulletin_flaw_to_inject_rogue_admin_accounts?taxonomyId=17
FYI
- Not in Kansas anymore, thousands affected by Wichita website hack
- The city of Wichita had its website hacked over the weekend,
consequently compromising sensitive information for tens of
thousands of current and former vendors who have done business with
the city and employees who have been reimbursed for expenses since
1997.
http://www.scmagazine.com/not-in-kansas-anymore-thousands-affected-by-wichita-website-hack/article/315305/
FYI
- Network Solutions investigating DNS hijack - The same
pro-Palestinian group that hit LeaseWeb earlier this week claimed
responsibility - Network Solutions is investigating an attack by a
pro-Palestinian hacking group that redirected websites belonging to
several companies.
http://www.computerworlduk.com/news/security/3472798/network-solutions-investigating-dns-hijack/
FYI
- Software firm breached, hacker reportedly behind data leak of 60K
vendor accounts - Software company Tom Sawyer has begun notifying
customers that their information was compromised via a website
database hack - and the hacker purportedly behind the intrusion has
apparently leaked the stolen data online.
http://www.scmagazine.com/software-firm-breached-hacker-reportedly-behind-data-leak-of-60k-vendor-accounts/article/315910/?DCMP=EMC-SCUS_Newswire
FYI
- Dexter malware resurfaces in South Africa, costs banks millions -
Banks in South Africa have suffered tens of millions in losses in
rand (millions of US dollars) due to a variant of the Dexter virus –
a piece of malware targeting point-of-sale (POS) devices that was
discovered in December 2012 by Israel-based security technology
company Seculert.
http://www.scmagazine.com/dexter-malware-resurfaces-in-south-africa-costs-banks-millions/article/316387/?DCMP=EMC-SCUS_Newswire
FYI
- Hackers compromise certs to spread Nemim malware, which hijacks
email and browser data - According to a security researcher at
Symantec who co-authored a blog post on Tuesday about the Nemim
campaign, recent samples of the malware were digitally signed with
stolen certificates to infect users.
http://www.scmagazine.com/hackers-compromise-certs-to-spread-nemim-malware-which-hijacks-email-and-browser-data/article/316607/?DCMP=EMC-SCUS_Newswire
FYI
- Wisconsin hospital bills erroneously mailed to unauthorized
persons - A system settings error caused financial statements to be
mailed to roughly 8,000 people who received care from
Wisconsin-based Memorial Hospital of Lafayette County, but an
undisclosed number were sent to unauthorized persons.
http://www.scmagazine.com/wisconsin-hospital-bills-erroneously-mailed-to-unauthorized-persons/article/316514/?DCMP=EMC-SCUS_Newswire
FYI
- GAO - Medicare Information Technology: Centers for Medicare and
Medicaid Services Needs to Pursue a Solution for Removing Social
Security Numbers from Cards.
http://www.gao.gov/products/GAO-13-761
FYI
- PR Newswire alerts customers to change passwords following breach
- PR Newswire announced Wednesday that it became the latest company
to be breached by a group of attackers said to also be responsible
for striking LexisNexis, the National White Collar Crime Center
(NW3C) and Adobe.
http://www.scmagazine.com/pr-newswire-alerts-customers-to-change-passwords-following-breach/article/316799/?DCMP=EMC-SCUS_Newswire
FYI
- Sacramento State server hack affects nearly 2,000 employees - An
unknown party hacked into a California State University, Sacramento
(Sacramento State) computer server, compromising the personal data
of nearly 2,000 employees.
http://www.scmagazine.com/sacramento-state-server-hack-affects-nearly-2000-employees/article/316690/?DCMP=EMC-SCUS_Newswire
WEB SITE COMPLIANCE - Electronic
Fund Transfer Act, Regulation E (Part 2 of 2)
The Federal Reserve Board Official Staff Commentary (OSC) also clarifies
that terminal receipts are unnecessary for transfers initiated
on-line. Specifically, the OSC provides that, because the
term "electronic terminal" excludes a telephone operated by a
consumer, financial institutions need not provide a terminal receipt
when a consumer initiates a transfer by a means analogous in
function to a telephone, such as by a personal computer or a
facsimile machine.
Additionally, the regulations clarify that a written authorization
for preauthorized transfers from a consumer's account includes an
electronic authorization that is not signed, but similarly
authenticated by the consumer, such as through the use of a security
code. According to the OSC, an example of a consumer's authorization
that is not in the form of a signed writing but is, instead,
"similarly authenticated" is a consumer's authorization via a home
banking system. To satisfy the regulatory requirements, the
institution must have some means to identify the consumer (such as a
security code) and make a paper copy of the authorization available
(automatically or upon request). The text of the electronic
authorization must be displayed on a computer screen or other visual
display that enables the consumer to read the communication from the
institution.
Only the consumer may authorize the transfer and not, for example, a
third-party merchant on behalf of the consumer.
Pursuant to the regulations, timing in reporting an unauthorized
transaction, loss, or theft of an access device determines a
consumer's liability. A financial institution may receive
correspondence through an electronic medium concerning an
unauthorized transaction, loss, or theft of an access device.
Therefore, the institution should ensure that controls are in place
to review these notifications and also to ensure that an
investigation is initiated as required.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION - Shared Secret Systems
(Part 2 of 2)
Weaknesses in shared secret mechanisms generally relate to the ease
with which an attacker can discover the secret. Attack methods vary.
- A dictionary attack is one common and successful way to discover
passwords. In a dictionary attack, the attacker obtains the system
password file, and compares the password hashes against hashes of
commonly used passwords.
Controls against dictionary attacks include securing the password
file from compromise, detection mechanisms to identify a compromise,
heuristic intrusion detection to detect differences in user
behavior, and rapid reissuance of passwords should the password file
ever be compromised. While extensive character sets and storing
passwords as one-way hashes can slow down a dictionary attack,
those defensive mechanisms primarily buy the financial institution
time to identify and react to the password file compromises.
- An additional attack method targets a specific account and submits
passwords until the correct password is discovered.
Controls against those attacks are account lockout mechanisms, which
commonly lock out access to the account after a risk-based number
of failed login attempts.
- A variation of the previous attack uses a popular password, and
tries it against a wide range of usernames.
Controls against this attack on the server are a high ratio of
possible passwords to usernames, randomly generated passwords, and
scanning the IP addresses of authentication requests and client
cookies for submission patterns.
- Password guessing attacks also exist. These attacks generally
consist of an attacker gaining knowledge about the account holder
and password policies and using that knowledge to guess the
password.
Controls include training in and enforcement of password policies
that make passwords difficult to guess. Such policies address the
secrecy, length of the password, character set, prohibition against
using well-known user identifiers, and length of time before the
password must be changed. Users with greater authorization or
privileges, such as root users or administrators, should have
longer, more complex passwords than other users.
- Some attacks depend on patience, waiting until the logged-in
workstation is unattended.
Controls include automatically logging the workstation out after a
period of inactivity (existing industry practice is no more than
20-30 minutes) and heuristic intrusion detection.
- Attacks can take advantage of automatic login features, allowing
the attacker to assume an authorized user's identity merely by using
a workstation.
Controls include prohibiting and disabling automatic login features,
and heuristic intrusion detection.
- Users' inadvertent or unthinking actions can compromise passwords.
For instance, when a password is too complex to readily memorize,
the user could write the password down but not secure the paper.
Frequently, written-down passwords are readily accessible to an
attacker under mouse pads or in other places close to the user's
machines. Additionally, attackers frequently are successful in
obtaining passwords by using social engineering and tricking the
user into giving up their password.
Controls include user training, heuristic intrusion detection, and
simpler passwords combined with another authentication mechanism.
- Attacks can also become much more effective or damaging if
different network devices share the same or a similar password.
Controls include a policy that forbids the same or similar password
on particular network devices.
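As an added illustration (not from the newsletter or the FFIEC booklet), the Python below applies the two server-side controls named above to a constructed set of authentication log lines: a risk-based lockout counter for repeated failures against a single account, and per-source-IP tracking of how many distinct usernames fail, which is the submission pattern that one popular password tried against many usernames leaves behind. The log format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of authentication-server log lines (not real data).
# Assumed format: "<time> <client_ip> <username> <OK|FAIL>".
SAMPLE_LOG = """\
09:00:01 10.0.0.5 alice FAIL
09:00:03 10.0.0.5 alice FAIL
09:00:05 10.0.0.5 alice FAIL
09:00:07 10.0.0.5 alice FAIL
09:00:09 10.0.0.5 alice FAIL
09:01:00 10.0.0.9 bob FAIL
09:01:01 10.0.0.9 carol FAIL
09:01:02 10.0.0.9 dave FAIL
09:01:03 10.0.0.9 erin FAIL
09:01:04 10.0.0.9 frank FAIL
09:02:00 10.0.0.7 heidi FAIL
09:02:30 10.0.0.7 heidi OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse(log):
    """Yield (time, ip, user, result) tuples; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groups()


def analyse(log, lockout_threshold=5, spray_threshold=5):
    """Return (locked_accounts, flagged_ips), both sorted lists.
    lockout_threshold: consecutive failures against ONE account before lockout.
    spray_threshold: distinct usernames failing from ONE IP before it is flagged."""
    fails = defaultdict(int)          # consecutive failures per account
    users_per_ip = defaultdict(set)   # distinct failed usernames per source IP
    locked = set()
    for _time, ip, user, result in parse(log):
        if result == "FAIL":
            fails[user] += 1
            users_per_ip[ip].add(user)
            if fails[user] >= lockout_threshold:
                locked.add(user)
        elif user not in locked:
            fails[user] = 0           # a success resets an unlocked account
    flagged = {ip for ip, users in users_per_ip.items() if len(users) >= spray_threshold}
    return sorted(locked), sorted(flagged)
```

On the sample, alice is locked after five failures while 10.0.0.9 is flagged for failing against five different accounts even though no single account it touched reaches the lockout count.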
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
Content of Privacy Notice
15. If the institution provides a short-form initial privacy notice
with the opt out notice, does the institution do so only to
consumers with whom the institution does not have a customer
relationship? [§6(d)(1)]