Does your financial institution need an affordable Internet security audit? Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with the Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
REMINDER - This newsletter is available for Android smart phones and tablets. Go to the Market Store and search for yennik.
FYI - Office of the Comptroller of the Currency Releases Guidance on Third-Party Relationships - The Office of the Comptroller of the Currency today issued updated risk management guidance for national banks and federal savings associations related to third-party relationships.
www.occ.gov/news-issuances/news-releases/2013/nr-occ-2013-167.html

FYI - Revised Interagency Examination Procedures for Regulation E.
www.federalreserve.gov/bankinforeg/caletters/caltr1317.htm

FYI - NIST debuts preliminary framework for securing critical infrastructure - The National Institute of Standards and Technology (NIST) has introduced a preliminary cyber security framework to help companies thwart critical infrastructure attacks.
http://www.scmagazine.com/nist-debuts-preliminary-framework-for-securing-critical-infrastructure/article/317635/

FYI - Judge orders self-described hacker's computer seized without warning - The court was worried developer Corey Thuen might erase evidence - In a rare move, a federal court in Idaho recently ordered a software developer's computer seized and its contents copied without prior notice because the developer described himself as a 'hacker' on his website.
http://www.computerworld.com/s/article/9243472/Update_Judge_orders_self_described_hacker_s_computer_seized_without_warning?taxonomyId=17

FYI - Court Rules Probable-Cause Warrant Required for GPS Trackers - An appellate court has finally supplied an answer to an open question left dangling by the Supreme Court in 2012: Do law enforcement agencies need a probable-cause warrant to affix a GPS tracker to a target's vehicle? The Third Circuit Court of Appeals gave a resounding yes to that question today in a 2 to 1 decision.
http://www.wired.com/threatlevel/2013/10/warrant-required-gps-trackers/

FYI - ATM malware may spread from Mexico to English-speaking world - Attacker can command an unidentified ATM brand to empty cash cassettes through keypad commands - A malicious software program found in ATMs in Mexico has been improved and translated into English, which suggests it may be used elsewhere.
http://www.computerworld.com/s/article/9243572/ATM_malware_may_spread_from_Mexico_to_English_speaking_world?taxonomyId=17

FYI - Cyber-attacks are the greatest threats UK businesses face - Only four per cent of UK businesses have adequate security measures in place to battle cyber-attacks - Cyber-attacks are the main threats UK businesses face, with 96 per cent fearing their security functions are not strong enough, research shows.
http://www.telegraph.co.uk/technology/internet-security/10409330/Cyber-attacks-are-the-greatest-threats-UK-businesses-face.html

FYI - Dutch Banking Malware Gang Busted: Bitcoin's Role - Dutch police arrest four men on charges of using TorRAT banking malware to steal an estimated $1.4 million from consumers. They allegedly laundered the funds using the cryptographic currency known as Bitcoin.
http://www.informationweek.com/security/attacks/dutch-banking-malware-gang-busted-bitcoi/240163193
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Dept. of Energy Breach: Bigger Than We Realized - DOE says July data breach affected more than double the number of people in initial estimates. CIO tasks an independent investigator to probe breach and agency's technology infrastructure. The Department of Energy has revised its count of the number of people whose information was compromised in a July 2013 intrusion that resulted in the theft of personal information.
http://www.informationweek.com/security/attacks/dept-of-energy-breach-bigger-than-we-rea/240162952

FYI - UN Nuclear Agency Computers Infected with Malware - The International Atomic Energy Agency (IAEA) has admitted that some of its computers have been infected with malware for at least the last few months, but denies that any sensitive data regarding its nuclear inspections has been compromised.
http://www.infosecurity-magazine.com/view/35214/un-nuclear-agency-computers-infected-with-malware/

FYI - Aaron's computer rental chain settles FTC spying charges - The rent-to-own computer company settles a complaint that accused it of secretly taking Webcam photos of users in their homes and recording keystrokes of Web site login credentials.
http://news.cnet.com/8301-1009_3-57608838-83/aarons-computer-rental-chain-settles-ftc-spying-charges/

FYI - Adobe breach impacts closer to 38 million customers - The number of Adobe customers impacted in a breach disclosed earlier this month has skyrocketed to about 38 million. That is more than ten times the roughly three million affected users the company announced previously.
http://www.scmagazine.com/adobe-breach-impacts-closer-to-38-million-customers/article/318517/?DCMP=EMC-SCUS_Newswire

FYI - Two nurses' aides guilty for using patient data to commit tax fraud - Two former nurses' aides for Virginia-based nonprofit Sentara Healthcare have pleaded guilty to accessing thousands of electronic patient records and using the information to file fraudulent tax returns.
http://www.scmagazine.com/two-nurses-aides-guilty-for-using-patient-data-to-commit-tax-fraud/article/318409/?DCMP=EMC-SCUS_Newswire

FYI - Phishing email fools Missouri university staff, compromises thousands - Employees of Missouri-based Saint Louis University fell victim to a phishing email that resulted in them providing account information, subsequently putting thousands at risk.
http://www.scmagazine.com/phishing-email-fools-missouri-university-staff-compromises-thousands/article/317967/?DCMP=EMC-SCUS_Newswire

FYI - Twelve-year-old hacks gov't websites, trades info with Anonymous - A 12-year-old Canadian boy has pleaded guilty to hacking government websites - he knocked some of them out for days - and causing damages of about $60,000 in an incident that dates back to spring 2012.
http://www.scmagazine.com/twelve-year-old-hacks-govt-websites-trades-info-with-anonymous/article/318316/?DCMP=EMC-SCUS_Newswire

FYI - Minneapolis medical assistant fired for accessing patient data - A medical assistant at Minneapolis-based health clinic Inver Grove Heights - a part of Allina Health System - was fired for the unauthorized viewing of nearly 4,000 patient records over the span of more than three years.
http://www.scmagazine.com/minneapolis-medical-assistant-fired-for-accessing-patient-data/article/318225/?DCMP=EMC-SCUS_Newswire

FYI - Norks seed online games with malware in fiendish DDoS plot - South Korea's National Police Agency (NPA) is warning users not to download unofficial online games as they may contain malware designed by the North to compromise machines which can then be used to launch DDoS attacks on the country.
http://www.theregister.co.uk/2013/10/25/norks_malware_ddos_south_korea/

FYI - Shared password across accounts results in MongoHQ breach - Upon detecting unauthorized access to an employee's administration application on Monday, California-based database-as-a-service platform MongoHQ discovered it was the victim of a breach that may have compromised information of its employees and customers.
http://www.scmagazine.com/shared-password-across-accounts-results-in-mongohq-breach/article/318697/?DCMP=EMC-SCUS_Newswire
WEB SITE COMPLIANCE - Advertisement Of Membership

The FDIC and NCUA consider every insured depository institution's online system top-level page, or "home page", to be an advertisement. Therefore, according to these agencies' interpretation of their rules, financial institutions subject to the regulations should display the official advertising statement on their home pages unless subject to one of the exceptions described under the regulations. Furthermore, each subsidiary page of an online system that contains an advertisement should display the official advertising statement unless subject to one of the exceptions described under the regulations. Additional information about the FDIC's interpretation can be found in the Federal Register, Volume 62, Page 6145, dated February 11, 1997.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION - Token Systems (2 of 2)

Weaknesses in token systems relate to theft of the token, ease in guessing any password generating algorithm within the token, ease of successfully forging any authentication credential that unlocks the token, and reverse engineering, or cloning, of the token. Each of these weaknesses can be addressed through additional control mechanisms. Token theft generally is protected against by policies that require prompt reporting and cancellation of the token's ability to allow access to the system. Additionally, the impact of token theft is reduced when the token is used in multi-factor authentication; for instance, the password from the token is paired with a password known only by the user and the system. This pairing reduces the risk posed by token loss, while increasing the strength of the authentication mechanism. Forged credentials are protected against by the same methods that protect credentials in non-token systems. Protection against reverse engineering requires physical and logical security in token design. For instance, token designers can increase the difficulty of opening a token without causing irreparable damage, or of obtaining information from the token either by passive scanning or active input/output.

Token systems can also incorporate public key infrastructure and biometrics.
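The two controls the booklet names for token theft, pairing the token's generated password with a password known only to the user, and cancelling the token's access once it is reported stolen, can be seen end to end in a small server-side model. The following is an added example, not code from the FFIEC booklet or from Yennik; it uses the standard HOTP/TOTP construction (RFC 4226 / RFC 6238) as the "password generating algorithm within the token", and the seed value, user name and timestamps are constructed sample data (the seed is the RFC 4226 test-vector seed, so the codes it produces are checkable against that document).

```python
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass, field

# Constructed sample data: the 20-byte ASCII seed used in the RFC 4226 test vectors.
SAMPLE_TOKEN_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the big-endian
    counter, then dynamic truncation. The seed never leaves token or server."""
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based variant (RFC 6238): the counter is the current 30-second window."""
    return hotp(seed, unix_time // step, digits)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the server stores a verifier, not the user-known password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class TokenRecord:
    seed: bytes
    revoked: bool = False  # set when the user reports the token lost or stolen


@dataclass
class UserRecord:
    salt: bytes
    password_hash: bytes
    token: TokenRecord


@dataclass
class AuthServer:
    users: dict = field(default_factory=dict)
    step: int = 30

    def enroll(self, username: str, password: str, token_seed: bytes) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = UserRecord(
            salt, hash_password(password, salt), TokenRecord(token_seed))

    def report_token_stolen(self, username: str) -> None:
        """The policy control: prompt reporting cancels the token's access."""
        self.users[username].token.revoked = True

    def authenticate(self, username: str, password: str, token_code: str, now: int) -> bool:
        """Both factors must pass: the token-generated code AND the user-known password."""
        user = self.users.get(username)
        if user is None or user.token.revoked:
            return False
        password_ok = hmac.compare_digest(
            hash_password(password, user.salt), user.password_hash)
        # Accept the current window and one on either side to absorb clock drift;
        # compare_digest keeps the comparison constant-time.
        token_ok = any(
            hmac.compare_digest(totp(user.token.seed, now + d * self.step, self.step), token_code)
            for d in (-1, 0, 1))
        return password_ok and token_ok


def demo() -> dict:
    """Walk through the scenarios from the text with constructed inputs."""
    server = AuthServer()
    server.enroll("alice", "correct horse", SAMPLE_TOKEN_SEED)   # constructed user
    now = 59                                                     # constructed timestamp (window 1)
    code = totp(SAMPLE_TOKEN_SEED, now)                          # what the token displays
    results = {
        "both_factors": server.authenticate("alice", "correct horse", code, now),
        "stolen_token_only": server.authenticate("alice", "guess", code, now),
        "password_only": server.authenticate("alice", "correct horse", "000000", now),
    }
    server.report_token_stolen("alice")
    results["after_revocation"] = server.authenticate("alice", "correct horse", code, now)
    return results


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario}: {'accepted' if accepted else 'rejected'}")
```

Only the `both_factors` scenario is accepted; a stolen token without the user's password, the password without the token, and a revoked token all fail. The drift window of plus or minus one step is a design choice to be set per policy: a wider window makes a stolen code usable for longer.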
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

Content of Privacy Notice

17. Does the institution provide consumers who receive the short-form initial notice with a reasonable means of obtaining the longer initial notice, such as:
a. a toll-free telephone number that the consumer may call to request the notice; [§6(d)(4)(i)] or
b. for the consumer who conducts business in person at the institution's office, having copies available to provide immediately by hand-delivery? [§6(d)(4)(ii)]