REMINDER - This newsletter is available for Android smartphones
and tablets. Go to the Market Store and search for yennik.
- Microsoft FAILS to encrypt data centre links despite NSA snooping
- Microsoft has admitted it doesn't yet encrypt "server-to-server"
communications, although it plans to review its security
arrangements in the wake of ongoing revelations about NSA spying.
- Feds Charge Calif. Brothers in Cyberheists - Federal authorities
have arrested two young brothers in Fresno, Calif. and charged the
pair with masterminding a series of cyberheists that siphoned
millions of dollars from personal and commercial bank accounts at
U.S. banks and brokerages.
- Millions used '123456' as a password in breach affecting 42
million - Nearly 42 million names, email addresses and passwords
belonging to clients of dating website company Cupid Media were
reportedly discovered on the same server where hackers stored
information stolen from Adobe, PR Newswire, LexisNexis and the
National White Collar Crime Center (NW3C).
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Hackers steal 'FULL credit card details' of 376,000 people from
Irish loyalty programme firm - Data was unencrypted, claims Irish
data protection commish - A hack attack against an Irish loyalty
programme firm, Loyaltybuild, has led to the theft of the full
credit card details of at least 376,000 consumers, says the
country's data protection watchdog.
- Hack of MacRumors forums exposes password data for 860,000 users -
Assume your password is known, site's top brass tells account
holders. MacRumors user forums have been breached by hackers who may
have acquired cryptographically protected passwords belonging to all
860,000 users, one of the top editors of the news website said
- Battlefield 4 PC servers experience DDoS attack - The Battlefield
4 PC servers experienced a distributed denial-of-service (DDoS)
attack on Saturday that left a number of virtual soldiers unable to
compete in the Electronic Arts (EA) published first-person shooter.
Employees with developer EA Digital Illusions CE (DICE) took to the
official forums to address the issue.
- Milwaukee contractor loses flash drive, compromises thousands -
Thousands of city workers in Milwaukee, as well as their spouses and
domestic partners, had personal information compromised after a
flash drive that contained the data was stolen.
- New York Times hackers linked to Japan Ichitaro attacks -
Backdoors targeting government victims - Security experts have
uncovered attacks exploiting a zero day vulnerability in Japan’s
most popular word processing software, bearing all the hallmarks of
a Chinese group blamed for last year's New York Times hack.
- Nordstrom card-skimming scheme lasted nearly two months - A
card-skimming operation that targeted a Nordstrom store in Florida
lasted nearly two months, according to a letter detailing the event
sent to the New Hampshire Department of Justice's Office of the
- Massachusetts cops hit by CryptoLocker, pay $750 ransom - The
troublesome CryptoLocker malware, which recently locked up more than
12,000 computers with ransomware in less than a week, has claimed
another victim: a Massachusetts police department.
- California hospital notifies patients of missing thumb drive -
More than a thousand patients of California-based Redwood Memorial
Hospital are being notified that their personal information may have
been compromised after an unencrypted thumb drive containing the
data went missing.
- Data breach of Long Island school district affects thousands of
students - Roughly 15,000 students enrolled in 18 Long Island
elementary, middle and high schools – comprising the Sachem School
District – may have had personal data compromised by an unidentified
individual who posted the information on an online forum.
WEB SITE COMPLIANCE -
Record retention provisions apply to electronic delivery of
disclosures to the same extent required for non-electronic delivery
of information. For example, if the web site contains an
advertisement, the same record retention provisions that apply to
paper-based or other types of advertisements apply. Copies of such
advertisements should be retained for the time period set out in the
relevant regulation. Retention of electronic copies is acceptable.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION - Public Key Infrastructure (Part 3)
When utilizing PKI policies and controls, financial institutions
need to consider the following:
! Defining within the certificate issuance policy the methods of
initial verification that are appropriate for different types of
certificate applicants and the controls for issuing digital
certificates and key pairs;
! Selecting an appropriate certificate validity period to minimize
transactional and reputation risk exposure - expiration provides an
opportunity to evaluate the continuing adequacy of key lengths and
encryption algorithms, which can be changed as needed before issuing
a new certificate;
! Ensuring that the digital certificate is valid by such means as
checking a certificate revocation list before accepting transactions
accompanied by a certificate;
! Defining the circumstances for authorizing a certificate's
revocation, such as the compromise of a user's private key or the
closure of user accounts;
! Updating the database of revoked certificates frequently, ideally
in real-time mode;
! Employing stringent measures to protect the root key including
limited physical access to CA facilities, tamper-resistant security
modules, dual control over private keys and the process of signing
certificates, as well as the storage of original and back-up keys
on computers that do not connect with outside networks;
! Requiring regular independent audits to ensure controls are in
place, public and private key lengths remain appropriate,
cryptographic modules conform to industry standards, and procedures
are followed to safeguard the CA system;
! Recording in a secure audit log all significant events performed
by the CA system, including the use of the root key, where each
entry is time/date stamped and signed;
! Regularly reviewing exception reports and system activity by the
CA's employees to detect malfunctions and unauthorized activities;
! Ensuring the institution's certificates and authentication systems
comply with widely accepted PKI standards to retain the flexibility
to participate in ventures that require the acceptance of the
financial institution's certificates by other CAs.
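The validity-period and revocation controls in the list above, worked through in Go as an added example that is not from the FFIEC booklet or this newsletter: a constructed root CA issues a short-lived certificate and signs a CRL, and a relying-party check refuses the certificate if it is outside its validity period, if the CRL is not signed by the CA or is past its next-update time, or if the serial is listed as revoked. The CA name, the serial numbers (1001 is the constructed "compromised key" entry) and the one-day CRL lifetime are assumptions for the demo; Go's standard crypto/x509 package stands in for a real CA system.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // fixture helper: any failure building the demo CA is fatal
	if err != nil {
		panic(err)
	}
	return v
}
// BuildDemoPKI is a constructed fixture: a ten-year root issues a one-year certificate with the given serial and signs a CRL listing serial 1001 as revoked.
func BuildDemoPKI(serial int64) (leaf, root *x509.Certificate, crl *x509.RevocationList) {
	caKey, leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Root CA"}, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, NotBefore: now.Add(-time.Minute), NotAfter: now.AddDate(10, 0, 0)}
	root = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "customer"}, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, NotBefore: now.Add(-time.Minute), NotAfter: now.AddDate(1, 0, 0)} // short validity period
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, caKey))))
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour), // CRL must be refreshed daily
		RevokedCertificateEntries: []x509.RevocationListEntry{{SerialNumber: big.NewInt(1001), RevocationTime: now}}} // constructed key-compromise entry
	crl = must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, crlTmpl, root, caKey))))
	return leaf, root, crl
}
// AcceptCertificate is the relying party's gate: chain to the trusted root and validity period at time at, a root-signed and current CRL, and serial not listed.
func AcceptCertificate(leaf, root *x509.Certificate, crl *x509.RevocationList, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return err // expired, not yet valid, untrusted issuer, bad signature, ...
	}
	if err := crl.CheckSignatureFrom(root); err != nil || at.After(crl.NextUpdate) {
		return fmt.Errorf("CRL rejected (signature error: %v, next update %s)", err, crl.NextUpdate.Format(time.RFC3339))
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("certificate %v revoked at %v", leaf.SerialNumber, e.RevocationTime)
		}
	}
	return nil
}
```

A CRL that is accepted without checking its signature or its next-update time gives no assurance at all, which is why both checks sit before the serial lookup.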
The encryption components of PKI are addressed more fully under
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
20. Does the opt out notice state:
a. that the institution discloses or reserves the right to disclose
nonpublic personal information about the consumer to a nonaffiliated
third party; [§7(a)(1)(i)]
b. that the consumer has the right to opt out of that disclosure;
c. a reasonable means by which the consumer may opt out?