REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
- SCADA flaws put world leaders at risk of TERRIBLE TRAFFIC JAM -
Host city for 2014's G20 meeting pen tests its traffic lights and
finds flaws galore - In November 2014, leaders of the G20 group of
nations will convene in Brisbane, Australia, for a few days of
plotting to form a one-world government high-level talks aimed at
ensuring global stability and amity.
Where's your data going? Hacks redirect traffic through distant
lands - A disturbing trend appeared in the world of computer
security during 2013: subtle hacks that redirect traffic through
foreign countries, where it may be inspected and even modified
before moving on to its recipient.
New Defense Contracts Will Protect Vendor Trade Secrets From Hackers
- All future Pentagon contracts will regulate the security of
certain unclassified networks owned by suppliers, amid concerns that
the theft of technical information can jeopardize economic security.
Six suspects in $45M ATM heist arrested - Law enforcement arrested
more suspects for their alleged connection to an international ATM
heist, which drained banks of $45 million. The suspects are believed
to have operated the New York cell of “cashers,” who withdrew money
from ATMs after other criminals raised the limits on victims'
accounts by hacking a credit card processor.
H&R Block website not accessible to disabled, Justice Department
claims - The U.S. government sought to intervene in a lawsuit
accusing units of Kansas City-based H&R Block of operating a website
inaccessible to people who are blind, deaf or have other
UK bank networks hijacked to spew botnet spam, BBC finds - Computers
inside many of the UK's largest banks and building societies are
being used to spew malicious botnet spam, research conducted on
behalf of the BBC has shown.
Ding Ding Ding! Video Poker ‘Hackers’ Cleared of Federal Charges - A
federal judge in Las Vegas this morning dismissed federal charges
against the men, ending a nearly two-year-long legal battle over
when beating the house becomes a crime.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
GitHub resets user passwords following rash of account hijack
attacks - As many as 40,000 unique addresses flood site with
fraudulent login attempts. GitHub is experiencing an increase in
user account hijackings that's being fueled by a rash of automated
login attempts from as many as 40,000 unique Internet addresses.
Hackers reportedly steal 42M customer records from online dating
network Cupid Media - The exposed information included email
addresses and plaintext passwords - Hackers reportedly stole 42
million customer records including email addresses and clear-text
passwords from Cupid Media, a network of dating websites.
RFE/RL Computer Network 'Targeted' By Internet Attack - Radio Free
Europe/Radio Liberty has been targeted in an Internet attack known
as a distributed denial of service (DDoS).
Thousands of California doctors impacted in Anthem breach -
Thousands of doctors at Anthem Blue Cross of California are being
notified that their personal information was mistakenly posted
More than a million dollars in Bitcoins stolen by hackers - Last
week hackers stole 1,295 Bitcoins – more than a million dollars –
from Denmark-based Bitcoin exchange BIPS. The founder and CEO took
to the bitcointalk.org forums beginning Tuesday to explain the
Patients compromised again, second UCSF laptop theft within two
months - More than 8,000 patients of University of California, San
Francisco (UCSF) are receiving notification letters after a possibly
unencrypted laptop that contained the personal information was
stolen from a physician's vehicle. A similar UCSF incident occurred
Racing Post website hit by ‘aggressive’ cyber attack - Racing Post
has revealed that its website was hit by a “sophisticated, sustained
and aggressive attack” over the weekend in which one of its
databases containing customer information was accessed.
Florida health employee caught photographing patient data, gets
fired - Florida Digestive Health Specialists LLP is notifying about
4,400 patients that a former employee improperly accessed their
personal information and photographed the data.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
TRUTH IN SAVINGS ACT (REG
Financial institutions that advertise deposit products and services
on-line must verify that proper advertising disclosures are made in
accordance with all provisions of the regulations. Institutions
should note that the disclosure exemption for electronic media does
not specifically address commercial messages made through an
institution's web site or other on-line banking system. Accordingly,
adherence to all of the advertising disclosure requirements is
Advertisements should be monitored for recency, accuracy, and
compliance. Financial institutions should also refer to OSC
regulations if the institution's deposit rates appear on third party
web sites or as part of a rate sheet summary. These types of
messages are not considered advertisements unless the depository
institution, or a deposit broker offering accounts at the
institution, pays a fee for or otherwise controls the publication.
Disclosures generally are required to be in writing and in a form
that the consumer can keep. Until the regulation has been reviewed
and changed, if necessary, to allow electronic delivery of
disclosures, an institution that wishes to deliver disclosures
electronically to consumers, would supplement electronic disclosures
with paper disclosures.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION - Biometrics (Part 1 of 2)
Biometrics can be implemented in many forms, including tokens.
Biometrics verifies the identity of the user by reference to unique
physical or behavioral characteristics. A physical characteristic
can be a thumbprint or iris pattern. A behavioral characteristic is
the unique pattern of key depression strength and pauses made on a
keyboard when a user types a phrase. The strength of biometrics is
related to the uniqueness of the physical characteristic selected
for verification. Biometric technologies assign data values to the
particular characteristics associated with a certain feature. For
example, the iris typically provides many more characteristics to
store and compare, making it more unique than facial
characteristics. Unlike other authentication mechanisms, a biometric
authenticator does not rely on a user's memory or possession of a
token to be effective. Additional strengths are that biometrics do
not rely on people to keep their biometric secret or physically
secure their biometric. Biometrics is the only authentication
methodology with these advantages.
Enrollment is a critical process for the use of biometric
authentication. The user's physical characteristics must be reliably
recorded. Reliability may require several samples of the
characteristic and a recording device free of lint, dirt, or other
interference. The enrollment device must be physically secure from
tampering and unauthorized use.
When enrolled, the user's biometric is stored as a template.
Subsequent authentication is accomplished by comparing a submitted
biometric against the template, with results based on probability
and statistical confidence levels. Practical usage of biometric
solutions requires consideration of how precise systems must be for
positive identification and authentication. More precise solutions
increase the chances a person is falsely rejected. Conversely, less
precise solutions can result in the wrong person being identified or
authenticated as a valid user (i.e., false acceptance rate). The
equal error rate (EER) is a composite rating that considers the
false rejection and false acceptance rates. Lower EERs mean more
consistent operations. However, EER is typically based upon
laboratory testing and may not be indicative of actual results due
to factors that can include the consistency of biometric readers to
capture data over time, variations in how a user presents their
biometric sample (e.g., occasionally pressing harder on a finger
scanner), and environmental factors.
Return to the top of
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
21. Does the institution provide the
consumer with the following information about
the right to opt out:
a. all the categories of nonpublic personal information that the
institution discloses or reserves the right to disclose; [§7(a)(2)(i)(A)]
b. all the categories of nonaffiliated third parties to whom the
information is disclosed; [§7(a)(2)(i)(A)];
c. that the consumer has the right to opt out of the disclosure of
that information; [§7(a)(2)(i)(A)] and
d. the financial products or services that the consumer obtains to
which the opt out direction would apply? [§7(a)(2)(i)(B)]