REMINDER - This newsletter is available for Android smartphones and
tablets. Go to the Market Store and search for yennik.
Computer viruses and malware 'rampant' in medical tech, experts
warn - High-risk medical technology has been found to be infected by
computer viruses and malware, health and security experts have said.
The Pirate Bay ditches its servers, sets sail for the cloud - The
Pirate Bay's home page announces the site's move to the cloud. The
Pirate Bay is getting rid of its physical servers and exchanging
them for virtual machines spread across multiple cloud services.
Small organizations confident they're secure, yet lack plans - A new
study of small businesses shows that while a majority believe they
have a good handle on protecting sensitive data, most lack basic
security measures, notably policies and procedures.
Retired OMB IT chiefs urge federal cyber policy rewrite - Veteran
White House information technology leaders going back to the Nixon
administration on Tuesday are pressing the Obama administration to
overhaul federal cybersecurity policy now, without legislation,
according to a report reviewed by Nextgov.
White House orders spy agencies to share cyberthreat intel with
companies - A new White House executive order would direct U.S. spy
agencies to share the latest intelligence about cyberthreats with
companies operating electric grids, water plants, railroads and
other vital industries to help protect them from electronic attacks,
according to a copy obtained by The Associated Press.
VA Computers Remain Unencrypted, Years After Breach - Following a
high-profile data breach six years ago, the U.S. Department of
Veterans Affairs spent almost $6 million on encryption software for
its PCs and laptops. But an investigation by the department's
inspector general determined that the encryption software has been
installed on only 16% of its computers.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
HSBC hit by broad denial-of-service attack - The multinational bank
confirms attack, saying it "did not affect any customer data, but
did prevent customers using HSBC online services." If you haven't
been able to log into your HSBC online banking account today, you're
Pacemaker hack can deliver deadly 830-volt jolt - Pacemakers from
several manufacturers can be commanded to deliver a deadly, 830-volt
shock from someone on a laptop up to 50 feet away, the result of
poor software programming by medical device companies.
Laptop stolen from Tennessee hospital - A laptop theft at Blount
Memorial Hospital in Maryville, Tenn. has compromised the personal
data of several thousand patients.
Ally Financial sees 'unusual traffic,' cyberattack fears abound -
The company hasn't said exactly what kind of issues it's seeing, and
there has been no disruption or denial-of-service attacks. Ally
Financial is experiencing some odd traffic issues that have prompted
some to wonder if there's more there than meets the eye.
Barnes & Noble pulls PIN pads after fraud ring hits stores -
Barnes & Noble has yanked PIN pads from all of its nearly 700 stores
nationwide after discovering that scammers tampered with the devices
at 63 locations to carry out card skimming fraud.
WEB SITE COMPLIANCE -
We continue the series
regarding FDIC Supervisory Insights regarding
Programs. (4 of 12)
Assessing security incidents and identifying the unauthorized access
to or misuse of customer information essentially involve organizing
and developing a documented risk assessment process for determining
the nature and scope of the security event. The goal is to
efficiently determine the scope and magnitude of the security
incident and identify whether customer information has been
Containing and controlling the security incident involves preventing
any further access to or misuse of customer information or customer
information systems. As there are a variety of potential threats to
customer information, organizations should anticipate the ones that
are more likely to occur and develop response and containment
procedures commensurate with the likelihood of and the potential
damage from such threats. An institution's information security risk
assessment can be useful in identifying some of these potential
threats. The containment procedures developed should focus on
responding to and minimizing potential damage from the threats
identified. Not every incident can be anticipated, but institutions
should at least develop containment procedures for reasonably
INFORMATION TECHNOLOGY SECURITY -
We continue our coverage of the
FDIC's "Guidance on Managing Risks Associated With Wireless Networks
and Wireless Customer Access."
Part II. Risks Associated with Wireless Internet Devices
As wireless Internet devices become more prevalent in the
marketplace, financial institutions are adopting wireless
application technologies as a channel for reaching their customers.
Wireless Internet services are becoming available in major cities
across the United States. Through wireless banking applications, a
financial institution customer could access account information and
perform routine non-cash transactions without having to visit a
branch or ATM.
The wireless Internet devices available today present attractive
methods for offering and using financial services. Customers have
access to financial information from anywhere they can receive
wireless Internet access. Many of the wireless devices have built-in
encryption through industry-standard encryption methods. This
encryption has its limits based on the processing capabilities of
the device and the underlying network architecture.
A popular standard for offering wireless applications is through the
use of the Wireless Application Protocol (WAP). WAP is designed to
bring Internet application capabilities to some of the simplest user
interfaces. Unlike the Web browser that is available on most
personal computer workstations, the browser in a wireless device
(such as a cell phone) has a limited display that in many cases can
provide little, if any, graphical capabilities. The interface is
also limited in the amount of information that can be displayed
easily on the screen. Further, the user is limited by the keying
capabilities of the device and often must resort to many key presses
for simple words.
The limited processing capabilities of these devices restrict the
strength of the encryption that can be applied to network
transmissions. Effective encryption is, by nature, processing-intensive
and often requires complex calculations. The time required to complete
the encryption calculations on a device with limited processing
capabilities may result in unreasonable delays for the device's user.
Therefore, simpler encryption algorithms and smaller keys may be used
to speed the process of obtaining access.
WAP is an evolving protocol. The most recent specification of WAP (WAP
2.0 - July 2001) offers the capability of encrypting network
conversations all the way from the WAP server (at the financial
institution) to the WAP client (the financial institution customer).
Unfortunately, WAP 2.0 has not yet been fully adopted by vendors
that provide the building blocks for WAP applications. Previous
versions of WAP provide encryption between the WAP client and a WAP
gateway (owned by the Wireless Provider). The WAP gateway then must
re-encrypt the information before it is sent across the Internet to
the financial institution. Therefore, sensitive information is
available at the wireless provider in an unencrypted form. This
limits the financial institution's ability to provide appropriate
security over customer information.
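The following script is an added illustration and is not part of the FDIC guidance or of this newsletter. It simulates the two deployment models described above: the pre-2.0 model, where the wireless provider's gateway terminates the client's encrypted session and re-encrypts for the institution, and the WAP 2.0 model, where one encrypted session runs from the customer's device to the institution and the gateway only relays bytes. The `Gateway` class, the key names and the sample transaction are constructed for the example; the cipher is a constructed SHA-256 keystream with an HMAC tag, used only so the script runs offline with the standard library, and it stands in for WTLS/TLS rather than implementing either protocol.

```python
"""Added example: who can read customer data in a hop-by-hop WAP gateway
versus an end-to-end session. The cipher below is a constructed stand-in
for WTLS/TLS (SHA-256 keystream + HMAC), not a real protocol."""
import hashlib
import hmac
import os
from typing import List, Tuple


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed keystream: SHA-256 over key || nonce || counter."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || 32-byte HMAC tag."""
    nonce = os.urandom(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time, then strip the keystream."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class Gateway:
    """Constructed model of the wireless provider's WAP gateway. It records
    every byte string it handles so we can check what its operator could see."""

    def __init__(self) -> None:
        self.observed: List[bytes] = []

    def relay_hop_by_hop(self, wtls_key: bytes, ssl_key: bytes, blob: bytes) -> bytes:
        # Pre-2.0 model: the client's session ends here, so the gateway must
        # decrypt before it can re-encrypt for the session to the institution.
        plaintext = decrypt(wtls_key, blob)
        self.observed.append(plaintext)  # plaintext exists at the gateway
        return encrypt(ssl_key, plaintext)

    def relay_end_to_end(self, blob: bytes) -> bytes:
        # WAP 2.0 model: the gateway forwards records it holds no key for.
        self.observed.append(blob)
        return blob


def run_hop_by_hop(message: bytes) -> Tuple[bytes, List[bytes]]:
    """Client -> gateway (key A) -> institution (key B). Returns what the
    institution decrypted and everything the gateway observed."""
    wtls_key, ssl_key = os.urandom(32), os.urandom(32)
    gw = Gateway()
    to_bank = gw.relay_hop_by_hop(wtls_key, ssl_key, encrypt(wtls_key, message))
    return decrypt(ssl_key, to_bank), gw.observed


def run_end_to_end(message: bytes) -> Tuple[bytes, List[bytes]]:
    """Client -> gateway -> institution with one key shared only by the ends."""
    tls_key = os.urandom(32)
    gw = Gateway()
    to_bank = gw.relay_end_to_end(encrypt(tls_key, message))
    return decrypt(tls_key, to_bank), gw.observed


def gateway_saw_plaintext(observed: List[bytes], message: bytes) -> bool:
    """True if the message appears verbatim in anything the gateway handled."""
    return any(message in item for item in observed)


if __name__ == "__main__":
    # Constructed sample transaction; not real customer data.
    msg = b"balance-inquiry account=000111222 pin=1234"
    for name, run in (("hop-by-hop (pre-2.0)", run_hop_by_hop),
                      ("end-to-end (WAP 2.0)", run_end_to_end)):
        received, seen = run(msg)
        print(f"{name}: delivered intact={received == msg}, "
              f"readable at gateway={gateway_saw_plaintext(seen, msg)}")
```

Both models deliver the message intact, so the difference is invisible to the customer and the institution; it shows up only in what the intermediary holds. That is the control gap the guidance points at: any party that terminates the customer's session is inside the institution's data-protection boundary, and the institution can only contract for, not technically enforce, how that party handles the plaintext.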
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
42. Does the institution provide the consumer with a reasonable
opportunity to opt out such as by:
a. mailing the notices required by §10 and allowing the consumer to
respond by toll-free telephone number, return mail, or other
reasonable means (see question 22) within 30 days from the date
b. where the consumer opens an on-line account with the institution
and agrees to receive the notices required by §10 electronically,
allowing the consumer to opt out by any reasonable means (see
question 22) within 30 days from consumer acknowledgement of receipt
of the notice in conjunction with opening the account;
c. for isolated transactions, providing the notices required by §10
at the time of the transaction and requesting that the consumer
decide, as a necessary part of the transaction, whether to opt out
before the completion of the transaction? [§10(a)(3)(iii)]