R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

November 24, 2013

CONTENT
Internet Compliance Web Site Audits
IT Security
Internet Privacy
Penetration Testing
 
Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - Microsoft FAILS to encrypt data centre links despite NSA snooping - Microsoft has admitted it doesn't yet encrypt "server-to-server" communications, although it plans to review its security arrangements in the wake of ongoing revelations about NSA spying. http://www.theregister.co.uk/2013/11/14/ms_data_centre_link_uncryption/

FYI - Feds Charge Calif. Brothers in Cyberheists - Federal authorities have arrested two young brothers in Fresno, Calif. and charged the pair with masterminding a series of cyberheists that siphoned millions of dollars from personal and commercial bank accounts at U.S. banks and brokerages. http://krebsonsecurity.com/2013/11/feds-charge-calif-brothers-in-cyberheists/

FYI - Millions used '123456' as a password in breach affecting 42 million - Nearly 42 million names, email addresses and passwords belonging to clients of dating website company Cupid Media were reportedly discovered on the same server where hackers stored information stolen from Adobe, PR Newswire, LexisNexis and the National White Collar Crime Center (NW3C). http://www.scmagazine.com/millions-used-123456-as-a-password-in-breach-affecting-42-million/article/321959/?DCMP=EMC-SCUS_Newswire&spMailingID=7424196&spUserID=MjI5OTI3MzMyMQS2&spJobID=99224559&spReportId=OTkyMjQ1NTkS1

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Hackers steal 'FULL credit card details' of 376,000 people from Irish loyalty programme firm - Data was unencrypted, claims Irish data protection commish - A hack attack against an Irish loyalty programme firm, Loyaltybuild, has led to the theft of the full credit card details of at least 376,000 consumers, says the country's data protection watchdog. http://www.theregister.co.uk/2013/11/14/irish_loyalty_card_breach/

FYI - Hack of MacRumors forums exposes password data for 860,000 users - Assume your password is known, site's top brass tells account holders. MacRumors user forums have been breached by hackers who may have acquired cryptographically protected passwords belonging to all 860,000 users, one of the top editors of the news website said Tuesday evening. http://arstechnica.com/security/2013/11/hack-of-macrumors-forums-exposes-password-data-for-860000-users/

FYI - Battlefield 4 PC servers experience DDoS attack - The Battlefield 4 PC servers experienced a distributed denial-of-service (DDoS) attack on Saturday that left a number of virtual soldiers unable to compete in the Electronic Arts (EA) published first-person shooter. Employees with developer EA Digital Illusions CE (DICE) took to the official forums to address the issue. http://www.scmagazine.com/battlefield-4-pc-servers-experience-ddos-attack/article/321506/?DCMP=EMC-SCUS_Newswire

FYI - Milwaukee contractor loses flash drive, compromises thousands - Thousands of city workers in Milwaukee, as well as their spouses and domestic partners, had personal information compromised after a flash drive that contained the data was stolen. http://www.scmagazine.com/milwaukee-contractor-loses-flash-drive-compromises-thousands/article/321411/?DCMP=EMC-SCUS_Newswire

FYI - New York Times hackers linked to Japan Ichitaro attacks - Backdoors targeting government victims - Security experts have uncovered attacks exploiting a zero day vulnerability in Japan’s most popular word processing software, bearing all the hallmarks of a Chinese group blamed for last year's New York Times hack. http://www.theregister.co.uk/2013/11/18/new_york_times_hackers_linked_to_japan_ichitaro_attacks/

FYI - Nordstrom card-skimming scheme lasted nearly two months - A card-skimming operation that targeted a Nordstrom store in Florida lasted nearly two months, according to a letter detailing the event sent to the New Hampshire Department of Justice's Office of the Attorney General. http://www.scmagazine.com/nordstrom-card-skimming-scheme-lasted-nearly-two-months/article/321606/?DCMP=EMC-SCUS_Newswire&spMailingID=7414994&spUserID=MjI5OTI3MzMyMQS2&spJobID=99017723&spReportId=OTkwMTc3MjMS1

FYI - Massachusetts cops hit by CryptoLocker, pay $750 ransom - The troublesome CryptoLocker malware, which recently locked up more than 12,000 computers with ransomware in less than a week, has claimed another victim: a Massachusetts police department. http://www.scmagazine.com/massachusetts-cops-hit-by-cryptolocker-pay-750-ransom/article/321984/?DCMP=EMC-SCUS_Newswire&spMailingID=7424196&spUserID=MjI5OTI3MzMyMQS2&spJobID=99224559&spReportId=OTkyMjQ1NTkS1

FYI - California hospital notifies patients of missing thumb drive - More than a thousand patients of California-based Redwood Memorial Hospital are being notified that their personal information may have been compromised after an unencrypted thumb drive containing the data went missing. http://www.scmagazine.com/california-hospital-notifies-patients-of-missing-thumb-drive/article/321839/?DCMP=EMC-SCUS_Newswire&spMailingID=7424196&spUserID=MjI5OTI3MzMyMQS2&spJobID=99224559&spReportId=OTkyMjQ1NTkS1

FYI - Data breach of Long Island school district affects thousands of students - Roughly 15,000 students enrolled in 18 Long Island elementary, middle and high schools – comprising the Sachem School District – may have had personal data compromised by an unidentified individual who posted the information on an online forum. http://www.scmagazine.com/data-breach-of-long-island-school-district-affects-thousands-of-students/article/322144/?DCMP=EMC-SCUS_Newswire&spMailingID=7438783&spUserID=MjI5OTI3MzMyMQS2&spJobID=99575964&spReportId=OTk1NzU5NjQS1


WEB SITE COMPLIANCE - Record Retention

Record retention provisions apply to electronic delivery of disclosures to the same extent required for non-electronic delivery of information. For example, if the web site contains an advertisement, the same record retention provisions that apply to paper-based or other types of advertisements apply. Copies of such advertisements should be retained for the time period set out in the relevant regulation. Retention of electronic copies is acceptable.


INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION

LOGICAL AND ADMINISTRATIVE ACCESS CONTROL 

AUTHENTICATION - Public Key Infrastructure (Part 3 of 3)

When utilizing PKI policies and controls, financial institutions need to consider the following:

! Defining within the certificate issuance policy the methods of initial verification that are appropriate for different types of certificate applicants and the controls for issuing digital certificates and key pairs;

! Selecting an appropriate certificate validity period to minimize transactional and reputation risk exposure - expiration provides an opportunity to evaluate the continuing adequacy of key lengths and encryption algorithms, which can be changed as needed before issuing a new certificate;

! Ensuring that the digital certificate is valid by such means as checking a certificate revocation list before accepting transactions accompanied by a certificate;

! Defining the circumstances for authorizing a certificate's revocation, such as the compromise of a user's private key or the closure of user accounts;

! Updating the database of revoked certificates frequently, ideally in real-time mode;

! Employing stringent measures to protect the root key, including limited physical access to CA facilities, tamper-resistant security modules, dual control over private keys and the process of signing certificates, as well as the storage of original and back-up keys on computers that do not connect with outside networks;

! Requiring regular independent audits to ensure controls are in place, public and private key lengths remain appropriate, cryptographic modules conform to industry standards, and procedures are followed to safeguard the CA system;

! Recording in a secure audit log all significant events performed by the CA system, including the use of the root key, where each entry is time/date stamped and signed;

! Regularly reviewing exception reports and system activity by the CA's employees to detect malfunctions and unauthorized activities; and

! Ensuring the institution's certificates and authentication systems comply with widely accepted PKI standards to retain the flexibility to participate in ventures that require the acceptance of the financial institution's certificates by other CAs.

The encryption components of PKI are addressed more fully under "Encryption."
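As an added illustration (not part of the FFIEC booklet or this newsletter), the following Python sketch models three of the controls listed above: rejecting a certificate outside its validity period, refusing a transaction when the revocation list is stale, comes from the wrong issuer, or lists the certificate, and writing time/date-stamped, signed, chained audit entries. Cert, CRL, AUDIT_KEY and MAX_CRL_AGE are constructed stand-ins, not real X.509 structures or HSM interfaces.

```python
from collections import namedtuple
from datetime import datetime, timedelta, timezone
import hashlib, hmac, json

Cert = namedtuple("Cert", "serial subject issuer not_before not_after")  # constructed, not X.509
CRL = namedtuple("CRL", "issuer revoked_serials this_update")             # this_update = CA publish time
AUDIT_KEY = b"constructed-audit-log-key"  # assumption: in production this key lives in an HSM
MAX_CRL_AGE = timedelta(hours=1)           # assumed policy: revocation data older than this is rejected

def check_certificate(cert, crl, now):
    """Apply the booklet's acceptance controls in order; return (accepted, reason)."""
    if not (cert.not_before <= now <= cert.not_after):
        return False, "outside-validity-period"
    if cert.issuer != crl.issuer or now - crl.this_update > MAX_CRL_AGE:
        return False, "unusable-crl"        # wrong issuer, or revocation database not updated recently
    if cert.serial in crl.revoked_serials:
        return False, "revoked"
    return True, "ok"

def audit_entry(event, now, prev_mac=b""):
    """Time/date-stamped entry, signed with an HMAC and chained to the previous entry's MAC."""
    body = json.dumps({"ts": now.isoformat(), "event": event, "prev": prev_mac.hex()}, sort_keys=True)
    return body, hmac.new(AUDIT_KEY, body.encode(), hashlib.sha256).digest()

def verify_audit_chain(entries):
    """True only if every MAC verifies and each entry references the MAC of the one before it."""
    prev = b""
    for body, mac in entries:
        expected = hmac.new(AUDIT_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac) or json.loads(body)["prev"] != prev.hex():
            return False
        prev = mac
    return True

def run_scenarios():
    """Constructed sample certificates and CRLs; returns decisions plus audit-chain results."""
    now = datetime(2013, 11, 24, 12, 0, tzinfo=timezone.utc)
    ca, yr = "Example Bank CA", timedelta(days=365)
    fresh = CRL(ca, {"0x2a"}, now - timedelta(minutes=10))
    stale = CRL(ca, set(), now - timedelta(days=2))
    cases = [("good", Cert("0x10", "alice", ca, now - yr, now + yr), fresh),
             ("revoked", Cert("0x2a", "bob", ca, now - yr, now + yr), fresh),
             ("expired", Cert("0x11", "carol", ca, now - 2 * yr, now - yr), fresh),
             ("stale", Cert("0x10", "alice", ca, now - yr, now + yr), stale)]
    log, results = [], {}
    for name, cert, crl in cases:
        results[name] = check_certificate(cert, crl, now)[1]
        log.append(audit_entry(f"{cert.subject}:{results[name]}", now, log[-1][1] if log else b""))
    tampered = [(log[0][0].replace("alice:ok", "alice:revoked"), log[0][1])] + log[1:]
    return results, verify_audit_chain(log), verify_audit_chain(tampered)
```

The chained MAC means an edited, inserted or deleted entry breaks verification, which is what makes the log usable as evidence during the independent audits the booklet calls for.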


INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

20. Does the opt out notice state:

a. that the institution discloses or reserves the right to disclose nonpublic personal information about the consumer to a nonaffiliated third party; [§7(a)(1)(i)]

b. that the consumer has the right to opt out of that disclosure; [§7(a)(1)(ii)] and

c. a reasonable means by which the consumer may opt out? [§7(a)(1)(iii)]


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated