REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
- The 'must haves' to make the Framework for Cybersecurity useful -
This month, the National Institute of Standards and Technology
(NIST) is scheduled to release the first official draft of the
- Cisco says controversial NIST crypto-potential NSA backdoor --
'not invoked' in products - Dual EC DRBG crypto tech ended up in
some Cisco products as part of their code libraries - Controversial
crypto technology known as Dual EC DRBG, thought to be a backdoor
for the National Security Agency, ended up in some Cisco products as
part of their code libraries.
- NCA to hire 400 cyber crime fighters by end of 2014 - The UK
National Crime Agency (NCA) has pledged to train 400 new cyber
intelligence officers over the next year.
- UK cyber defence unit 'may include convicted hackers' - Convicted
computer hackers could be recruited to the UK's cyber defence force
if they pass security vetting, the head of the new unit has said.
- Federal Security Breaches Traced to User Noncompliance - Are
strong security protocols actually making the federal government
less secure? According to a new study by MeriTalk, federal
cybersecurity professionals are so focused on implementing rigid
policies to lock down data that they often ignore how those rules
will impact end users within their agencies.
- Aaron's computer rental chain settles FTC spying charges - The
rent-to-own computer company settles a complaint that accused it of
secretly taking Webcam photos of users in their homes and recording
keystrokes of Web site login credentials.
- US government releases draft cybersecurity framework - NIST comes
out with its proposed cybersecurity standards, which outlines how
private companies can protect themselves against hacks, cyberattacks,
and security breaches.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Security Flaw on 200 Government Websites Blamed on Shutdown -
Hackers can pocket sensitive personal data from citizens visiting
hundreds of .gov websites because the shutdown has reduced technical
maintenance, some security researchers say.
- Dexter malware resurfaces in South Africa, costs banks millions -
Banks in South Africa have suffered tens of millions in losses in
rand (millions of US dollars) due to a variant of the Dexter virus –
a piece of malware targeting point-of-sale (POS) devices that was
discovered in December 2012.
- Dick Cheney's wireless heart monitor was modified to curb hacking
threat - A personal account by former Vice President Dick Cheney
appears to have brought further credence to hacking concerns about
implanted medical devices.
- Experian Sold Consumer Data to ID Theft Service - An identity
theft service that sold Social Security and drivers license numbers
- as well as bank account and credit card data on millions of
Americans - purchased much of its data from Experian, one of the
three major credit bureaus, according to a lengthy investigation by
- Alerts of "rising dead" still exploitable on EAS - A security
group which shed light in July on the vulnerabilities hackers
exploited to compromise the national Emergency Alert System (EAS)
announced Thursday that those weaknesses are still present, despite
a patch having been issued.
- Ship trackers 'vulnerable to hacking', experts warn - Weaknesses
in outdated systems could allow attackers to make ships disappear
from tracking systems - or even make it look like a large fleet was
- Hacker group claims to have looted $100k via SQL injection attack
- A group of hackers, known as TeamBerserk, took credit on Twitter -
posting as @TeamBerserk - for using a SQL injection attack to access
usernames and passwords for customers of Sebastian, a
California-based internet, phone and television service provider,
and then leveraging those credentials to steal $100,000 from online
- Laptops stolen, data of 700k California hospital patients
compromised - The theft of two laptops has led to a compromise of
personal information, including Social Security numbers, for more
than 700,000 patients of California-based AHMC hospitals.
- Missouri hospital fires physician's assistant for accessing
patient information - An employee of a staff physician at Boone
Hospital Center in Missouri was fired after inappropriately
accessing patient information on the hospital network.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Equal Credit Opportunity Act (Regulation B)
The regulations clarifies the rules concerning the taking of credit
applications by specifying that application information entered
directly into and retained by a computerized system qualifies as a
written application under this section. If an institution makes
credit application forms available through its on-line system, it
must ensure that the forms satisfy the requirements.
The regulations also clarify the regulatory requirements that apply
when an institution takes loan applications through electronic
media. If an applicant applies through an electronic medium (for
example, the Internet or a facsimile) without video capability that
allows employees of the institution to see the applicant, the
institution may treat the application as if it were received by
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION - Token Systems (1 of 2)
Token systems typically authenticate the token and assume that the
user who was issued the token is the one requesting access. One
example is a token that generates dynamic passwords every X seconds.
When prompted for a password, the user enters the password generated
by the token. The token's password - generating system is identical
and synchronized to that in the system, allowing the system to
recognize the password as valid. The strength of this system of
authentication rests in the frequent changing of the password and
the inability of an attacker to guess the seed and password at any
point in time.
Another example of a token system uses a challenge/response
mechanism. In this case, the user identifies him/herself to the
system, and the system returns a code to enter into the password -
generating token. The token and the system use identical logic and
initial starting points to separately calculate a new password. The
user enters that password into the system. If the system's
calculated password matches that entered by the user, the user is
authenticated. The strengths of this system are the frequency of
password change and the difficulty in guessing the challenge, seed,
Other token methods involve multi - factor authentication, or the
use of more than one authentication method. For instance, an ATM
card is a token. The magnetic strip on the back of the card contains
a code that is recognized in the authentication process. However,
the user is not authenticated until he or she also provides a PIN,
or shared secret. This method is two - factor, using both something
the user has and something the user knows. Two - factor
authentication is generally stronger than single - factor
authentication. This method can allow the institution to
authenticate the user as well as the token.
Return to the top of
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
Content of Privacy Notice
16. If the institution provides a short-form initial privacy notice
according to §6(d)(1), does the short-form initial notice:
a. conform to the definition of "clear and conspicuous"; [§6(d)(2)(i)]
b. state that the institution's full privacy notice is available
upon request; [§6(d)(2)(ii)] and
c. explain a reasonable means by which the consumer may obtain the
(Note: the institution is not required to deliver the full
privacy notice with the shortform initial notice. [§6(d)(3)])