- Agencies Mold Regulations around ‘Voluntary’ Cyber Standards - Federal regulators are adapting voluntary cybersecurity standards to suit industries they oversee, for what could pan out to be
- Senate passes DHS cyber bill - The Senate has approved a cyber bill to codify much of the Department of Homeland Security’s
- Security group plans for a future without passwords - The FIDO Alliance encourages stronger use of biometrics and hardware tokens instead of passwords to identify users.
- Pirate Bay Torrent Tracking Site Goes Dark - Ever since it was created, torrent tracking site The Pirate Bay has evaded copyright holders and law enforcement—that is, until Dec. 9. On that date, Swedish authorities reportedly seized the Stockholm servers of The Pirate Bay, effectively shutting down the site and its affiliates.
- New report sheds light on National Research Council breach - A new federal analysis has revealed that Chinese hackers used spear phishing techniques to place malware on the National Research Council's network in an attempt to steal sensitive data.
- Landmark HIPAA settlement confirms push to firm up patching schedules - For the first time, a medical services provider will have to pay a “neglect” settlement over Health Insurance Portability and Accountability Act of 1996 (HIPAA) violations that led to a data
- NIST drafts new cloud metrics guide - The National Institute of Standards and Technology (NIST) has drafted a new guide aimed at helping organizations find the right cloud service.
- Jeans and blazers will feature RFID blocking fabric - A notable security firm has teamed up with a clothing brand to produce jeans and blazers that add an additional layer of security to your mobile
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Mysterious ’08 Turkey Pipeline Blast Opened New Cyberwar Era - The pipeline was outfitted with sensors and cameras to monitor every step of its 1,099 miles from the Caspian Sea to the Mediterranean. The blast that blew it out of commission didn’t trigger a single
- Now at the Sands Casino: An Iranian Hacker in Every Server - Most gamblers were still asleep, and the gondoliers had yet to pole their way down the ersatz canal in front of the Venetian casino on the Las
- DDoS of unprecedented scale 'stops Sweden working'. The target? A gaming site - Much of Sweden's fixed-line broadband became collateral damage as a result of a DDoS attack on a mystery gaming site this week.
- More than 100K WordPress sites compromised by malware due to plugin vulnerability - Since Sunday, unidentified attackers have been indiscriminately infecting WordPress websites with malware by exploiting a previously disclosed vulnerability in the Slider Revolution plugin, according to security company Sucuri.
- Stolen EMCOR Services laptop contained Social Security numbers, other data - EMCOR Services Mesa Energy Systems is notifying an undisclosed number of individuals that their personal information – including Social Security numbers – was on a company laptop that was
- UC Berkeley data breach impacts about 1,600 individuals - University of California, Berkeley (UC Berkeley) is notifying roughly 1,600 individuals that their personal information may have been compromised in a data breach that involved unauthorized access to servers and databases in the campus's Real Estate Division.
- Skimming at Virginia ATMs, more than 3,000 Union debit cards compromised - Virginia-based Union First Market Bank announced that a number of ATMs in the Richmond area fell victim to skimming, and certain activity has been restricted for more than 3,000 of its debit cards that were affected.
- After hack, Ars Technica asks subscribers to change passwords - After experiencing an intrusion on Sunday, technology news and information site Ars Technica is asking all readers who have accounts to change their passwords.
WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank
Sound Practices for Managing Outsourced E-Banking Systems (Part 2 of 3)
3. Banks should adopt appropriate procedures for ensuring the adequacy of contracts governing e-banking. Contracts governing outsourced e-banking activities should address, for example, the
a) The contractual liabilities of the respective parties as well
as responsibilities for making decisions, including any
sub-contracting of material services are clearly defined.
b) Responsibilities for providing information to and receiving
information from the service provider are clearly defined.
Information from the service provider should be timely and
comprehensive enough to allow the bank to adequately assess service
levels and risks. Materiality thresholds and procedures to be used
to notify the bank of service disruptions, security breaches and
other events that pose a material risk to the bank should be spelled
c) Provisions that specifically address insurance coverage, the
ownership of the data stored on the service provider's servers or
databases, and the right of the bank to recover its data upon
expiration or termination of the contract should be clearly defined.
d) Performance expectations, under both normal and contingency
circumstances, are defined.
e) Adequate means and guarantees, for instance through audit
clauses, are defined to ensure that the service provider complies
with the bank's policies.
f) Provisions are in place for timely and orderly intervention
and rectification in the event of substandard performance by the
g) For cross-border outsourcing arrangements, determining which
country laws and regulations, including those relating to privacy
and other customer protections, are applicable.
h) The right of the bank to conduct independent reviews and/or
audits of security, internal controls and business continuity and
contingency plans is explicitly defined.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security Booklet.
INTRUSION DETECTION AND RESPONSE
Automated Intrusion Detection Systems (IDS) (Part 3 of 4)
Some network IDS units allow the IP addresses
associated with certain signatures to be automatically blocked.
Financial institutions that use that capability run the risk of an
attacker sending attack packets that falsely report the sending IP
addresses as that of service providers and others that the
institution needs to continue offering service, thereby creating a
denial-of-service situation. To avoid such a situation, the
institution also may implement a list of IP addresses that should
not be blocked by the IDS.
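The never-block list described above, worked out as an added Python example (this is not code from the FFIEC booklet or from any IDS product). Because the source address of an attack packet can be forged, an alert whose source falls inside the never-block list is logged for a human rather than fed to the automatic blocking rule. The addresses (RFC 5737 documentation ranges), signature names and alert records are all constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample "never block" list: addresses the institution must keep
# reachable even if packets claiming them trip a signature.
NEVER_BLOCK = [
    ipaddress.ip_network("203.0.113.0/24"),   # hypothetical core-banking service provider
    ipaddress.ip_network("198.51.100.7/32"),  # hypothetical payment network gateway
]

# Constructed sample: the only signatures the IDS may act on automatically.
AUTO_BLOCK_SIGNATURES = {"SQLI-PROBE", "SSH-BRUTE"}


def decide(src_ip, signature, never_block=NEVER_BLOCK, auto_sigs=AUTO_BLOCK_SIGNATURES):
    """Return 'block', 'alert_only' or 'invalid' for one IDS alert.

    A source on the never-block list is only alerted on, never blocked, even
    when the signature would otherwise trigger an automatic block, because the
    reported source address may have been forged by the attacker.
    """
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return "invalid"            # malformed address: never act on it blindly
    if signature not in auto_sigs:
        return "alert_only"         # signature not approved for automatic blocking
    if any(addr in net for net in never_block):
        return "alert_only"         # protected address: human review instead of a block
    return "block"


def process_alerts(alerts, **kwargs):
    """Apply decide() to (src_ip, signature) pairs; return per-alert decisions and totals."""
    decisions = [(ip, sig, decide(ip, sig, **kwargs)) for ip, sig in alerts]
    return decisions, Counter(action for _, _, action in decisions)


# Constructed alerts: a real probe, a packet claiming the provider's address,
# a signature not approved for auto-blocking, and a malformed source field.
SAMPLE_ALERTS = [
    ("192.0.2.9", "SQLI-PROBE"),
    ("203.0.113.20", "SSH-BRUTE"),
    ("192.0.2.77", "PORTSCAN"),
    ("not-an-ip", "SSH-BRUTE"),
]

if __name__ == "__main__":
    decisions, totals = process_alerts(SAMPLE_ALERTS)
    for ip, sig, action in decisions:
        print(f"{ip:15} {sig:12} -> {action}")
    print(dict(totals))
```

The list is consulted after the signature check so that the decision log records why an address was spared; reviewing those `alert_only` entries is how the institution notices an attacker trying to use a forged provider address.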
Hosts also use a signature-based method. One such method creates a
hash of key binaries, and periodically compares a newly generated
hash against the original hash. Any mismatch signals a change to the
binary, a change that could be the result of an intrusion.
Successful operation of this method involves protection of the
original binaries from change or deletion, and protection of the
host that compares the hashes. If attackers can substitute a new
hash for the original, an attack may not be identified. Similarly,
if an attacker can alter the host performing the comparison so that
it will report no change in the hash, an attack may not be
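The hash-comparison method and the first of its two weak points (an attacker substituting a new hash for the original) as an added Python example, not code from the FFIEC booklet. It seals the stored table of hashes with an HMAC whose key is kept off the monitored host, so that a baseline edited to match an altered binary fails verification instead of reporting a clean result. The file names, contents and key are constructed; the second weak point, protection of the host that performs the comparison, is an operational control that no amount of code on that host can supply.

```python
import hashlib
import hmac
import json
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths, key):
    """Hash each file and seal the whole table with an HMAC under `key`.

    The key is what stops an intruder who can rewrite the baseline from simply
    substituting the hash of the altered file: without it the MAC will not verify.
    """
    digests = {p: file_digest(p) for p in sorted(paths)}
    body = json.dumps(digests, sort_keys=True).encode()
    return {"digests": digests, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def baseline_intact(baseline, key):
    """True only if the stored hash table still carries a valid MAC."""
    body = json.dumps(baseline["digests"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, baseline["mac"])


def check_files(baseline, key):
    """Compare current hashes against the baseline; refuse to trust a baseline that fails its MAC."""
    if not baseline_intact(baseline, key):
        return {"status": "baseline_tampered", "changed": [], "missing": []}
    changed, missing = [], []
    for path, expected in baseline["digests"].items():
        if not os.path.exists(path):
            missing.append(path)
        elif not hmac.compare_digest(file_digest(path), expected):
            changed.append(path)
    status = "ok" if not (changed or missing) else "mismatch"
    return {"status": status, "changed": changed, "missing": missing}


def demo():
    """Constructed scenario: two fake binaries, one altered, then a forged baseline entry."""
    key = b"constructed-demo-key-store-offline"  # in practice kept off the monitored host
    workdir = tempfile.mkdtemp()
    httpd = os.path.join(workdir, "httpd")
    sshd = os.path.join(workdir, "sshd")
    for path, content in ((httpd, b"ELF httpd original"), (sshd, b"ELF sshd original")):
        with open(path, "wb") as f:
            f.write(content)

    baseline = build_baseline([httpd, sshd], key)
    clean_status = check_files(baseline, key)["status"]

    with open(httpd, "ab") as f:          # simulate a modified binary
        f.write(b" + unexpected change")
    altered = check_files(baseline, key)

    # An intruder who can edit the baseline swaps in the new hash but cannot recompute the MAC.
    forged = json.loads(json.dumps(baseline))
    forged["digests"][httpd] = file_digest(httpd)
    forged_status = check_files(forged, key)["status"]

    changed_names = [os.path.basename(p) for p in altered["changed"]]
    return clean_status, altered["status"], changed_names, forged_status


if __name__ == "__main__":
    print(demo())
```

The sequence in `demo()` mirrors the booklet's argument: a clean run reports `ok`, the altered binary reports `mismatch`, and the edited baseline reports `baseline_tampered` rather than a false `ok`. A plain unsigned hash list would have returned `ok` for that last case.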
An additional host-based signature method monitors the application
program interfaces for unexpected or unwanted behavior, such as a
Web server calling a command line interface.
Attackers can defeat host-based IDS systems using loadable kernel
modules, or LKMs. An LKM is software that attaches itself to the
operating system kernel. From there, it can redirect and alter
communications and processing. With the proper LKM, an attacker can
force a comparison of hashes to always report a match and provide
the same cryptographic fingerprint of a file, even after the source
file was altered. LKMs can also hide the use of the application
program interfaces. Detection of LKMs is extremely difficult and is
typically done through another LKM.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 19 - CRYPTOGRAPHY
Cryptography is a branch of mathematics based on the transformation
of data. It provides an important tool for protecting information
and is used in many aspects of computer security. For example,
cryptography can help provide data confidentiality, integrity,
electronic signatures, and advanced user authentication. Although
modern cryptography relies upon advanced mathematics, users can reap
its benefits without understanding its mathematical underpinnings.
This chapter describes cryptography as a tool for satisfying a wide
spectrum of computer security needs and requirements. It describes
fundamental aspects of the basic cryptographic technologies and some
specific ways cryptography can be applied to improve security. The
chapter also explores some of the important issues that should be
considered when incorporating cryptography into computer systems.
Cryptography is traditionally associated only with keeping data
secret. However, modern cryptography can be used to provide many
security services, such as electronic signatures and ensuring that
data has not been modified.