- Thousands of devices left in UK bars each year - Each year in the
UK, over 100,000 mobile devices and laptops are left in bars with
almost two-thirds (64 percent) of them not having any security
- DHS Giving Firms Free Penetration Tests - The U.S. Department of
Homeland Security (DHS) has been quietly launching stealthy cyber
attacks against a range of private U.S. companies — mostly banks and
energy firms. These digital intrusion attempts, commissioned in
advance by the private sector targets themselves, are part of a
little-known program at DHS designed to help “critical
infrastructure” companies shore up their computer and network
defenses against real-world adversaries. And it’s all free of charge
(well, on the U.S. taxpayer’s dime).
- Kazakhstan will force its citizens to install internet backdoors -
The poorly thought-out and crude surveillance technique could have a
devastating effect on the country's internet security. In less than
a month, Kazakhstan will begin enforcing a new law that requires
every internet user in the country to install a backdoor, allowing
the government to conduct surveillance.
- Hacker Leaks Customer Data After a United Arab Emirates Bank Fails
to Pay Ransom - A hacker who broke into a large bank in the United
Arab Emirates made good on his threat to release customer data after
the bank refused to pay a bitcoin ransom worth about $3 million.
- GCHQ admits to hacking in court, says hacking helps stop terror
attacks - In a court case brought forward by Privacy International
and seven ISPs, GCHQ has admitted for the first time that it has
hacked computers, smartphones, and networks in the UK and abroad.
- New Hampshire company hacks smaller competitor for customer list - A
linen services company in New Hampshire pleaded guilty to hacking
into the computer server of a similarly named, but smaller
- Cash machines in malware risk as embedded Windows XP reaches end of
life - Tens of thousands of cash machines could become vulnerable to
malware and DDoS attacks next month when support for the embedded
version of Windows XP comes to an end.
- Former agent sentenced to 71 months for stealing in Silk Road
probe - A former Secret Service agent who pleaded guilty to stealing
$820,000 worth of Bitcoin during the Silk Road investigation, was
sentenced in federal court to 71 months in prison.
- NIST opens comment period on Framework for Improving Critical
Infrastructure Cybersecurity - The National Institute of Standards
and Technology (NIST) will begin accepting comments and feedback
starting on December 11 on its voluntary “Framework for Improving
Critical Infrastructure Cybersecurity.”
- FTC, Wyndham settle suit over trio of breaches - Less than a month
after an administrative judge ruled against the Federal Trade
Commission (FTC) in a case against LabMD, the commission reached a
settlement with Wyndham Worldwide that had challenged its authority
to pursue enforcement action against companies regarding security.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Correction: 220,000 kids weren't exposed in VTech mega hack – it's
actually 6.4 million - Toymaker VTech has admitted that millions of
kiddies' online profiles were left exposed to hackers – much higher
than the 220,000 first feared.
- Nearly 657K affected in JD Wetherspoon breach - The personal
information of nearly 657,000 customers was compromised in a breach
of British pub chain operator JD Wetherspoon.
- Anonymous hacks UN climate conference officials - Anonymous has
hacked and released the private details of nearly 1,500 UN officials
in retaliation against last week's arrest of protestors at a climate
march in Paris.
- 29 locations affected in Elephant Bar POS breach - CM Ebar, LLC,
the owner of Elephant Bar restaurants, announced a point-of-sale
(POS) breach may have affected the information of customers at 29
locations in California, Colorado, Arizona, Missouri, Nevada, New
Mexico, and Florida.
- USB ports pose hidden risk for medical facilities - When visiting
a medical facility, it can be tempting to charge a mobile device
into a spare USB port, but the free charge may contain an unpleasant
WEB SITE COMPLIANCE -
We continue our review of the FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques." (Part 9 of 10)
B. RISK MANAGEMENT TECHNIQUES
Implementing Weblinking Relationships
Customer Service Complaints
Financial institutions should have plans to respond to customer
complaints, including those regarding the appropriateness or quality
of content, services, or products provided or the privacy and
security policies of the third-party site. The plan also should
address how the financial institution will address complaints
regarding any failures of linked third parties to provide agreed
upon products or services.
Monitoring Weblinking Relationships
The financial institution should consider monitoring the
activities of linked third parties as a part of its risk management
strategy. Monitoring policies and procedures should include periodic
content review and testing to ensure that links function properly,
and to verify that the levels of services provided by third parties
are in accordance with contracts and agreements. Website content is
dynamic, and third parties may change the presentation or content of
a website in a way that results in risk to the financial
institution's reputation. Periodic review and testing will reduce
this risk exposure. The frequency of review should be commensurate
with the degree of risk presented by the linked site.
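The periodic link testing and content review described above lends itself to automation. The following is an added example, not part of the FFIEC statement or any institution's tooling: each approved weblink is stored with the institution's own risk rating and a fingerprint of the third-party content approved at the last review; a check then reports links that no longer function, links that redirect to a host other than the approved one, and content that has changed since approval, with a review interval commensurate with the rating. The fetcher interface, the review intervals, the host names and the pages served are all constructed for this example; a production version would wrap a real HTTP client where the stub is.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Review frequency commensurate with the risk the institution assigned the link
# (constructed values; the statement sets no specific intervals).
REVIEW_INTERVAL_DAYS = {"high": 7, "medium": 30, "low": 90}

@dataclass
class LinkRecord:
    url: str                         # the approved link as published on the institution's site
    risk: str                        # institution's own rating: "high" | "medium" | "low"
    baseline_sha256: Optional[str]   # fingerprint of the content approved at the last review

@dataclass
class Finding:
    url: str
    issue: str

# Hypothetical fetch interface: (status code, final URL after redirects, body).
# Production would wrap an HTTP client; the stub below serves constructed pages offline.
Fetcher = Callable[[str], Tuple[int, str, bytes]]

def content_fingerprint(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()

def review_interval_days(risk: str) -> int:
    """Unrated links get the shortest interval until someone rates them."""
    return REVIEW_INTERVAL_DAYS.get(risk, REVIEW_INTERVAL_DAYS["high"])

def check_link(record: LinkRecord, fetch: Fetcher) -> List[Finding]:
    """Return the review findings for one weblink; an empty list means nothing changed."""
    try:
        status, final_url, body = fetch(record.url)
    except Exception as exc:          # DNS failure, timeout, connection refused
        return [Finding(record.url, f"fetch failed: {exc}")]
    if status != 200:
        return [Finding(record.url, f"link not functioning: HTTP {status}")]
    findings: List[Finding] = []
    # A redirect to another host means customers land somewhere the institution never reviewed.
    if urlparse(final_url).hostname != urlparse(record.url).hostname:
        findings.append(Finding(record.url, f"redirected off approved host to {final_url}"))
    fingerprint = content_fingerprint(body)
    if record.baseline_sha256 is None:
        findings.append(Finding(record.url, "no approved baseline; content review required"))
    elif fingerprint != record.baseline_sha256:
        findings.append(Finding(record.url, "content changed since last approved review"))
    return findings

def run_review(inventory: List[LinkRecord], fetch: Fetcher) -> Dict[str, List[Finding]]:
    return {rec.url: check_link(rec, fetch) for rec in inventory}

# Constructed third-party pages standing in for live sites.
SAMPLE_PAGES = {
    "https://partner-insurance.example/quote":
        (200, "https://partner-insurance.example/quote", b"<html>Quotes, terms v3</html>"),
    "https://rewards.example/offers":
        (200, "https://promo.other-host.example/offers", b"<html>Offers</html>"),
    "https://old-vendor.example/login":
        (404, "https://old-vendor.example/login", b"not found"),
}

def stub_fetch(url: str) -> Tuple[int, str, bytes]:
    if url not in SAMPLE_PAGES:
        raise ConnectionError("no route to host")
    return SAMPLE_PAGES[url]

SAMPLE_INVENTORY = [
    LinkRecord("https://partner-insurance.example/quote", "high",
               content_fingerprint(b"<html>Quotes, terms v2</html>")),   # approved v2; site now serves v3
    LinkRecord("https://rewards.example/offers", "medium",
               content_fingerprint(b"<html>Offers</html>")),
    LinkRecord("https://old-vendor.example/login", "low", None),
    LinkRecord("https://unreachable.example/", "low", None),
]

if __name__ == "__main__":
    for url, findings in run_review(SAMPLE_INVENTORY, stub_fetch).items():
        rec = next(r for r in SAMPLE_INVENTORY if r.url == url)
        print(f"{url} (review every {review_interval_days(rec.risk)} days)")
        for f in findings:
            print("   -", f.issue)
```

A changed fingerprint is a prompt for a human content review rather than a verdict: the third party may have made a harmless edit, or may have altered terms, privacy statements or branding in a way that reflects on the institution, which is exactly the judgement the statement asks the institution to make.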
FFIEC IT SECURITY
This completes our
review of the OCC Bulletin about Infrastructure Threats and
Intrusion Risks. This week we review Information Sharing.
Information sharing among reliable and reputable experts can help
institutions reduce the risk of information system intrusions. The
OCC encourages management to participate in information-sharing
mechanisms as part of an effort to detect and respond to intrusions
and vulnerabilities. Mechanisms for information sharing are being
developed by many different organizations, each with a different
mission and operation. In addition, many vendors offer information
sharing and analysis services. Three organizations that are
primarily involved with the federal government's national
information security initiatives are the Financial Services
Information Sharing and Analysis Center (FS/ISAC), the Federal
Bureau of Investigation (FBI), and Carnegie Mellon University's
The FS/ISAC was formed in response to Presidential Decision
Directive 63: Critical Infrastructure Protection (May 22, 1998),
which encourages the banking, finance, and other industries to
establish information-sharing efforts in conjunction with the
federal government. The FS/ISAC allows financial services entities
to report incidents anonymously. In turn, the FS/ISAC rapidly
distributes information about attacks to the FS/ISAC members. Banks
can contact FS/ISAC by telephone at (888) 660-0134, e-mail at
email@example.com or their Web site at http://www.fsisac.com.
The FBI operates the National Information Protection Center
Infraguard outreach effort. Since Infraguard supports law
enforcement efforts, Infraguard members submit two versions of an
incident report. One complete version is used by law enforcement and
contains information that identifies the reporting member. The other
version does not contain that identifying information, and is
distributed to other Infraguard members. Banks can contact the FBI
by contacting local FBI field offices or via e-mail at
CERT/CC is part of a federally funded research and development
center at Carnegie Mellon University that helps organizations
identify vulnerabilities and recover from intrusions. It provides
up-to-date information on specific attacks (including viruses and
denial of service) and collates and shares information with other
organizations. CERT/CC does not require membership to report
problems. Banks can contact CERT/CC by phone at (412) 268-7090 or
e-mail at firstname.lastname@example.org.
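The Infraguard practice described above, one complete report for law enforcement and a second copy with identifying information removed for other members, is illustrated by the following added example, which is not the OCC's, Infraguard's or any program's actual code. It takes a constructed incident report, keeps the adversary's indicators intact, and strips what points back at the reporting member: the member's name and contact fields, addresses inside the member's own networks, and mail addresses at the member's domain. A keyed hash of the member's name stands in as a reporter token so analysts can correlate several reports from one member without learning who it is; the secret, organisation, domains and addresses are all constructed.

```python
import copy
import hashlib
import hmac
import ipaddress
import re
from typing import Any, Dict, List

# Constructed incident report, as the reporting member would file the complete version.
# Addresses are documentation ranges; the organisation and domains are invented.
FULL_REPORT: Dict[str, Any] = {
    "reporter_org": "Example Savings Bank",
    "reporter_contact": "soc@examplesavings.example",
    "reporter_networks": ["192.0.2.0/24"],            # the member's own address space
    "incident_type": "credential phishing followed by web shell upload",
    "indicators": ["203.0.113.45", "malicious-login.example", "192.0.2.17"],
    "narrative": (
        "On 3 Dec staff at Example Savings Bank received mail from "
        "billing@malicious-login.example. A user on 192.0.2.17 entered credentials at "
        "malicious-login.example; a web shell was then uploaded from 203.0.113.45. "
        "Questions to soc@examplesavings.example."
    ),
}

# Fields that identify the reporting member and stay in the law-enforcement copy only.
IDENTIFYING_FIELDS = {"reporter_org", "reporter_contact", "reporter_networks"}
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")

# Constructed secret held by the program's analysts, so the same member's reports
# correlate across submissions without revealing who the member is.
SHARING_SECRET = b"constructed-program-secret"

def is_reporter_ip(ip: str, networks: List[str]) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:               # matched digits that are not a valid address
        return False
    return any(addr in ipaddress.ip_network(n) for n in networks)

def redact_narrative(text: str, report: Dict[str, Any]) -> str:
    """Remove what points back at the member; keep the adversary's indicators intact."""
    reporter_domain = report["reporter_contact"].split("@", 1)[1].lower()
    text = text.replace(report["reporter_org"], "[REPORTING MEMBER]")
    text = EMAIL_RE.sub(
        lambda m: "[MEMBER CONTACT]" if m.group(0).lower().endswith("@" + reporter_domain) else m.group(0),
        text)
    return IPV4_RE.sub(
        lambda m: "[MEMBER HOST]" if is_reporter_ip(m.group(0), report["reporter_networks"]) else m.group(0),
        text)

def law_enforcement_version(report: Dict[str, Any]) -> Dict[str, Any]:
    """Complete copy, identifying information included."""
    return copy.deepcopy(report)

def member_version(report: Dict[str, Any], secret: bytes = SHARING_SECRET) -> Dict[str, Any]:
    """Copy distributed to other members: identifying fields dropped, narrative and indicators scrubbed."""
    shared = {k: copy.deepcopy(v) for k, v in report.items() if k not in IDENTIFYING_FIELDS}
    shared["narrative"] = redact_narrative(report["narrative"], report)
    shared["indicators"] = [
        i for i in report["indicators"]
        if not (IPV4_RE.fullmatch(i) and is_reporter_ip(i, report["reporter_networks"]))
    ]
    shared["reporter_token"] = hmac.new(secret, report["reporter_org"].encode(), hashlib.sha256).hexdigest()[:16]
    return shared

if __name__ == "__main__":
    import json
    print(json.dumps(member_version(FULL_REPORT), indent=2))
```

Pattern-based redaction like this catches the identifiers it is told about and nothing else; a member's product names, branch locations or internal host names in free text would survive it, which is why the member copy still warrants a human read before distribution.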
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 4.1 Errors and Omissions
Errors and omissions are an important threat to data and system
integrity. These errors are caused not only by data entry clerks
processing hundreds of transactions per day, but also by all types
of users who create and edit data. Many programs, especially those
designed by users for personal computers, lack quality control
measures. However, even the most sophisticated programs cannot
detect all types of input errors or omissions. A sound awareness and
training program can help an organization reduce the number and
severity of errors and omissions.
Users, data entry clerks, system operators, and programmers
frequently make errors that contribute directly or indirectly to
security problems. In some cases, the error is the threat, such as a
data entry error or a programming error that crashes a system. In
other cases, the errors create vulnerabilities. Errors can occur
during all phases of the systems life cycle. A long-term survey of
computer-related economic losses conducted by Robert Courtney, a
computer security consultant and former member of the Computer
System Security and Privacy Advisory Board, found that 65 percent of
losses to organizations were the result of errors and omissions.
This figure was relatively consistent between both private and
public sector organizations.
Programming and development errors, often called "bugs," can range
in severity from benign to catastrophic. In a 1989 study for the
House Committee on Science, Space and Technology, entitled Bugs in
the Program, the staff of the Subcommittee on Investigations and
Oversight summarized the scope and severity of this problem in terms
of government systems as follows:
a) As expenditures grow, so do concerns about the reliability,
cost and accuracy of ever-larger and more complex software systems.
These concerns are heightened as computers perform more critical
tasks, where mistakes can cause financial turmoil, accidents, or in
extreme cases, death.
Since the study's publication, the software industry has changed
considerably, with measurable improvements in software quality. Yet
software "horror stories" still abound, and the basic principles and
problems analyzed in the report remain the same. While there have
been great improvements in program quality, as reflected in
decreasing errors per 1,000 lines of code, the concurrent growth in
program size often seriously diminishes the beneficial effects of
these program quality enhancements.
Installation and maintenance errors are another source of security
problems. For example, an audit by the President's Council for
Integrity and Efficiency (PCIE) in 1988 found that every one of the
ten mainframe computer sites studied had installation and
maintenance errors that introduced significant security