Appeals Court Sides With Bush Wiretapping - A federal appeals
court is refusing to reconsider its August ruling in which it said
the federal government may spy on Americans’ communications without
warrants and without fear of being sued.
S.C. inspector general calls for statewide security program -
Following the massive breach that affected 80 percent of South
Carolina taxpayers, the state's Inspector General Patrick Maley has
recommended several corrective security actions.
Fraudsters plan spring strike on U.S. banks - Researchers believe
that a fraud scheme to launch malware against customers at 30 U.S.
banks is still moving forward, though organizers behind the plot are
laying low before they strike next spring.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Nine out of 10 hospitals lost personal data in last two years - Take
out a quarter and flip it four times. It's unlikely the coin will
land on heads (or tails) four times in a row -- a one-in-16 chance
to be exact. Yet tossing four consecutive heads or tails is a
likelier outcome than being a hospital that hasn't been breached
over the past two years.
'Eurograbber' Lets Attackers Steal 36 Million Euros From Banks,
Customers - Cybercriminals combine new Trojan with SMS malware to
crack online banking systems - Researchers say they have identified
and thwarted a malware attack that enabled attackers to steal more
than 36 million euros from more than 30,000 online banking customers.
US and UK spooks alerted over massive Swiss data leak - Rogue IT
admin plundered state secrets - The Swiss intelligence agency (NDB)
has been warning its US and UK counterparts that it may have lost
terabytes of their secret information, thanks to one of its IT
administrators pulling an inside job.
Foreign hackers targeted former military chief Mullen: report -
Foreign hackers targeted the computers of Mike Mullen, ex-chairman
of the Joint Chiefs of Staff, the Wall Street Journal reported on
Wednesday, calling it the latest in a pattern of attacks on
computers of former high-ranking U.S. officials.
Team Ghostshell Hackers Claim NASA, Interpol, Pentagon Breaches -
Hacking group Team Ghostshell Monday announced its latest string of
exploits, as well as the release of 1.6 million accounts and records
gathered as part of what it has dubbed Project WhiteFox.
Ransom hackers encrypt medical centre's entire database - Attackers
demand £2,600 to release data - An Australian medical centre is
reported to be considering paying a ransom demand of $4,000 AUD
(£2,600) after blackmailers broke into the organisation’s servers
and encrypted its entire patient database.
Team GhostShell leaks data from 1.6 million accounts - Team
GhostShell, an Anonymous-related hacktivist group, has claimed that
it leaked 1.6 million account details and records gleaned from
dozens of organizations and businesses, including NASA, the FBI, the
Credit Union National Association (CUNA) and the Institute of Makers
of Explosives (IME).
WEB SITE COMPLIANCE -
We continue the series
regarding FDIC Supervisory Insights regarding
Programs. (11 of 12)
Last week's best
practices focused on the more common criteria that have been noted
in actual IRPs, but some banks have developed other effective
incident response practices. Examples of these additional practices
are listed below. Organizations may want to review these practices
and determine if any would add value to their IRPs given their
Additional IRP Best Practices
1) Test the incident response plan (via walkthrough or tabletop
exercises) to assess thoroughness.
2) Implement notices on login screens for customer information
systems to establish a basis for disciplinary or legal action.
3) Develop an incident grading system that quantifies the severity
of the incident, helps determine if the incident response plan needs
to be activated, and specifies the extent of notification
4) Provide periodic staff awareness training on recognizing
potential indicators of unauthorized activity and reporting the
incident through proper channels. Some institutions have established
phone numbers and e-mail distribution lists for reporting possible
5) Inform users about the status of any compromised system they may
6) Establish a list of possible consultants, in case the bank does
not have the expertise to handle or investigate the specific
incident (especially regarding technical compromises).
7) Establish evidence-gathering and handling procedures aimed at
preserving evidence of the incident and aiding in prosecution
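The incident grading system in item 3 can be made concrete in code. The block below is an added illustration, not part of the FDIC guidance; the factors, weights, grade thresholds and notification tiers are assumptions an institution would tune to its own risk appetite.

```python
# Added example, not part of the FDIC guidance: an incident grading
# function of the kind item 3 describes. Weights, thresholds and the
# notification tiers are illustrative assumptions for one institution.
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class Incident:
    records_affected: int         # customer records involved
    customer_info: bool           # nonpublic customer information involved?
    critical_system: bool         # core banking or payment system?
    confirmed_exfiltration: bool  # evidence the data actually left the bank
    contained: bool               # has the activity been stopped?

GRADES = ["Low", "Moderate", "High", "Critical"]

def grade_incident(inc: Incident) -> Dict[str, object]:
    """Score the incident, decide whether the IRP is activated, and list who is notified."""
    score = 0
    if inc.records_affected >= 10_000:   # volume bands (assumed)
        score += 3
    elif inc.records_affected >= 1_000:
        score += 2
    elif inc.records_affected > 0:
        score += 1
    score += 1 if inc.customer_info else 0
    score += 2 if inc.critical_system else 0
    score += 2 if inc.confirmed_exfiltration else 0
    score += 0 if inc.contained else 1

    if score >= 8:
        grade = "Critical"
    elif score >= 5:
        grade = "High"
    elif score >= 3:
        grade = "Moderate"
    else:
        grade = "Low"
    # Floor rule: confirmed loss of customer information is never graded
    # below High, because it drives customer notice regardless of volume.
    if inc.confirmed_exfiltration and inc.customer_info and GRADES.index(grade) < GRADES.index("High"):
        grade = "High"

    notify: List[str] = ["information security officer"]
    if grade != "Low":
        notify.append("senior management")
    if grade in ("High", "Critical"):
        notify += ["primary federal regulator", "affected customers"]
    if grade == "Critical":
        notify.append("law enforcement")
    return {"score": score, "grade": grade, "activate_irp": grade != "Low", "notify": notify}

if __name__ == "__main__":
    # constructed sample: a small but confirmed loss of customer data
    print(grade_incident(Incident(10, True, False, True, True)))
```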
INFORMATION TECHNOLOGY SECURITY -
We continue the
series from the FDIC "Security Risks Associated with the
Logical Access Controls
A primary concern in controlling system access is the safeguarding
of user IDs and passwords. The Internet presents numerous issues to
consider in this regard. Passwords can be obtained through deceptive
"spoofing" techniques such as redirecting users to false Web sites
where passwords or user names are entered, or creating shadow copies
of Web sites where attackers can monitor all activities of a user.
Many "spoofing" techniques are hard to identify and guard against,
especially for an average user, making authentication processes an
important defense mechanism.
The unauthorized or unsuspected acquisition of data such as
passwords, user IDs, e-mail addresses, phone numbers, names, and
addresses, can facilitate an attempt at unauthorized access to a
system or application. If passwords and user IDs are a derivative of
someone's personal information, malicious parties could use the
information in software programs specifically designed to generate
possible passwords. Default files on a computer, sometimes called
"cache" files, can automatically retain images of such data received
or sent over the Internet, making them a potential target for a
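One control for the weakness described above (passwords that are a derivative of the user's own personal information) is to reject such passwords at creation time. The block below is an added example, not FDIC code; the profile field names, the minimum fragment length and the character substitutions it undoes are assumptions.

```python
# Added example (not from the FDIC text): reject passwords derived from
# the user's own personal information. Profile field names, MIN_FRAGMENT
# and the substitution table are assumptions for this illustration.
import re
from typing import Dict, Optional, Set

MIN_FRAGMENT = 4   # shortest piece of personal data that counts as a match

# common digit/symbol-for-letter substitutions a password generator would try
_SUBS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s"})

def _normalize(s: str) -> str:
    return s.lower().translate(_SUBS)

def personal_fragments(profile: Dict[str, str]) -> Set[str]:
    """Tokens an attacker could feed a generator, plus their reversals."""
    frags: Set[str] = set()
    for key, value in profile.items():
        if not value:
            continue
        text = str(value).lower()
        if key == "email":
            text = text.split("@", 1)[0]           # local part only
        if key == "phone":
            text = re.sub(r"\D", "", text)
            text = text + " " + text[-4:]          # whole number and last four digits
        for tok in re.split(r"[^a-z0-9]+", text):
            if len(tok) >= MIN_FRAGMENT:
                frags.add(tok)
                frags.add(tok[::-1])
    return frags

def derived_from_profile(password: str, profile: Dict[str, str]) -> Optional[str]:
    """Return the longest personal-data fragment found in the password, else None."""
    candidates = {password.lower(), _normalize(password)}
    for frag in sorted(personal_fragments(profile), key=lambda f: (-len(f), f)):
        if any(frag in cand for cand in candidates):
            return frag
    return None

# constructed sample profile for demonstration
PROFILE = {"user_id": "jsmith42", "name": "John Smith",
           "email": "john.smith@example.com", "phone": "(555) 123-4567",
           "birthdate": "1975-03-14"}

if __name__ == "__main__":
    for pw in ("Sm1th!2024", "Secret4567!", "correct-horse-battery"):
        print(pw, "->", derived_from_profile(pw, PROFILE))
```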
Security Flaws and Bugs / Active Content Languages
Vulnerabilities in software and hardware design also represent an
area of concern. Security problems are often identified after the
release of a new product, and solutions to correct security flaws
commonly contain flaws themselves. Such vulnerabilities are usually
widely publicized, and the identification of new bugs is constant.
These bugs and flaws are often serious enough to compromise system
integrity. Security flaws and exploitation guidelines are also
frequently available on hacker Web sites. Furthermore, software
marketed to the general public may not contain sufficient security
controls for financial institution applications.
Newly developed languages and technologies present similar security
concerns, especially when dealing with network software or active
content languages which allow computer programs to be attached to
Web pages (e.g., Java, ActiveX). Security flaws identified in Web
browsers (i.e., application software used to navigate the Internet)
have included bugs which, theoretically, may allow the installation
of programs on a Web server, which could then be used to back into
the bank's system. Even if new technologies are regarded as secure,
they must be managed properly. For example, if controls over active
content languages are inadequate, potentially hostile and malicious
programs could be automatically downloaded from the Internet and
executed on a system.
Viruses / Malicious Programs
Viruses and other malicious programs pose a threat to systems or
networks that are connected to the Internet, because they may be
downloaded directly. Aside from causing destruction or damage to
data, these programs could open a communication link with an
external network, allowing unauthorized system access, or even
initiating the transmission of data.
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
Exceptions to Notice and Opt Out Requirements for Processing and
49. If the institution uses a Section 14 exception as necessary to
effect, administer, or enforce a transaction, is it:
a. required, or is one of the lawful or appropriate methods to
enforce the rights of the institution or other persons engaged in
carrying out the transaction or providing the product or service;
b. required, or is a usual, appropriate, or acceptable method
1. carry out the transaction or the product or service business
of which the transaction is a part, including recording, servicing,
or maintaining the consumer's account in the ordinary course of
2. administer or service benefits or claims; [§14(b)(2)(ii)]
3. confirm or provide a statement or other record of the
transaction or information on the status or value of the financial
service or financial product to the consumer or the consumer's agent
or broker; [§14(b)(2)(iii)]
4. accrue or recognize incentives or bonuses; [§14(b)(2)(iv)]
5. underwrite insurance or for reinsurance or for certain other
purposes related to a consumer's insurance; [§14(b)(2)(v)] or
6. in connection with:
i. the authorization, settlement, billing, processing,
clearing, transferring, reconciling, or collection of amounts
charged, debited, or otherwise paid by using a debit, credit, or
other payment card, check, or account number, or by other payment
ii. the transfer of receivables, accounts or interests
therein; [§14(b)(2)(vi)(B)] or
iii. the audit of debit, credit, or other payment