- Combatting insider threats - Everyone agrees that combating cyber
threats is a business priority. Unfortunately, many enterprises
focus their efforts in the wrong areas.
- The immediate future of passwords - One of the most frustrating
parts of the work day for many is the constant logging in to the
systems and applications they need to access for their jobs. While
this process is mildly annoying for end users, the authentication
process (logging into systems using a login and password combination
to verify a user) is critical for the organization to ensure that the
user is who they say they are.
- Federal judge rules NSA metadata collection is unconstitutional -
A U.S. District Court Judge in Washington ruled that the National
Security Agency's (NSA) bulk collection of telephone records
violates the privacy rights of Americans.
- DOE was aware of security issues that exposed employees to hackers
- The Department of Energy failed to address suspected
cyber-security weaknesses before a July hacking incident that
compromised the private information of employees, their dependents
and contractors, according to federal auditors.
- Ukrainian fraudster and CarderPlanet “Don” finally sentenced to 18
years - In 2001, a group of 150 Russian-speaking hackers gathered at
a restaurant in Odessa to found CarderPlanet. It ultimately became
one of the world’s most notorious fraudulent credit card data
websites, and it was shut down in 2004.
- FDA Breach Raises Lawmakers' Hackles - House Panel Issues Terse
Letter Regarding October Hack - Lawmakers have raised concerns that
the Food and Drug Administration hasn't been as forthright as it
should in disclosing an October breach that exposed personally
identifiable information of 12,000 to 14,000 individuals.
- Restaurant worker sentenced for skimming scam - A Brooklyn man was
sentenced to between two and seven years in state prison after using
a skimming device to steal more than 30 credit card numbers.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Poker ace's vanishing hotel laptop WAS infected by card-shark -
F-Secure - Trojan on 'swiped' laptop could peek at player's hand,
we're told - A laptop apparently stolen from a top-flight poker
pro's hotel room and mysteriously returned while he played in a card
tournament was infected by spyware.
- Two unencrypted N.J. health insurance laptops stolen, more than
800k impacted - Horizon Blue Cross Blue Shield of New Jersey (BCBSNJ)
began sending notification letters to more than 800,000 members on
Dec. 6, alerting them that their personal information may have been
compromised after two unencrypted laptops were stolen from the
insurance provider's Newark headquarters about one month prior.
- Man receives jail time and hefty fine for hacking government
supercomputers - A Pennsylvania man received jail time after hacking
into, and attempting to sell access to, two government
- Patient information in Virginia accessed on unsecured server - The
Fairfax County Health Department in Virginia is sending notification
letters to roughly 1,500 individuals after Bailey's Health Center –
one of the county's health care clinics – inadvertently left private
pharmaceutical records on an unsecured computer server.
- Target investigating massive Black Friday data breach - The
shopping giant Target is reportedly investigating a data breach
involving the theft of millions of in-store credit and debit card
transaction records from its databases. It's not just online
transaction databases that are susceptible to attacks.
- Hackers hit Washington Post for second time in three years -
Employee usernames and passwords were accessed in the latest hack,
which the company suspects originated in China. The Washington Post's
servers have been breached for the second time in three years,
giving hackers access to employee usernames and passwords, the
company revealed Wednesday.
- Missing unencrypted thumb drive impacts 19,000 Colorado workers -
Almost 19,000 current and former Colorado state workers may have had
personal information compromised after a worker lost an unencrypted
thumb drive containing the data.
WEB SITE COMPLIANCE -
Electronic Fund Transfer Act, Regulation E (Part 1 of 2)
Generally, when online banking systems include electronic fund
transfers that debit or credit a consumer's account, the
requirements of the Electronic Fund Transfer Act and Regulation E
apply. A transaction involving stored value products is covered by
Regulation E when the transaction accesses a consumer's account
(such as when value is "loaded" onto the card from the consumer's
deposit account at an electronic terminal or personal computer).
Financial institutions must provide disclosures that are clear and
readily understandable, in writing, and in a form the consumer may
keep. An Interim rule was issued on March 20, 1998 that allows
depository institutions to satisfy the requirement to deliver by
electronic communication any of these disclosures and other
information required by the act and regulations, as long as the
consumer agrees to such method of delivery.
Financial institutions must ensure that consumers who sign up for a
new banking service are provided with disclosures for the new
service if the service is subject to terms and conditions different
from those described in the initial disclosures. Although not
specifically mentioned in the commentary, this applies to all new
banking services including electronic financial services.
The Federal Reserve Board Official Staff Commentary (OSC) also
clarifies that terminal receipts are unnecessary for transfers
initiated online. Specifically, the OSC provides that,
because the term "electronic terminal" excludes a telephone operated
by a consumer, financial institutions need not provide a terminal
receipt when a consumer initiates a transfer by a means analogous in
function to a telephone, such as by a personal computer or a
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Examples of Common Authentication Weaknesses, Attacks, and
Offsetting Controls (Part 1 of 2)
All authentication methodologies display weaknesses. Those
weaknesses are of both a technical and a nontechnical nature. Many
of the weaknesses are common to all mechanisms. Examples of common
weaknesses include warehouse attacks, social engineering, client
attacks, replay attacks, and hijacking.
Warehouse attacks result in the compromise of the authentication
storage system, and the theft of the authentication data.
Frequently, the authentication data is encrypted; however,
dictionary attacks make decryption of even a few passwords in a
large group a trivial task. A dictionary attack uses a list of
likely authenticators, such as passwords, runs the likely
authenticators through the encryption algorithm, and compares the
result to the stolen, encrypted authenticators. Any matches are
easily traceable to the pre-encrypted authenticator.
Dictionary and brute force attacks are viable due to the speeds with
which comparisons are made. As microprocessors increase in speed,
and technology advances to ease the linking of processors across
networks, those attacks will be even more effective. Because those
attacks are effective, institutions should take great care in
securing their authentication databases. Institutions that use
one-way hashes should consider the insertion of secret bits (also known
as "salt") to increase the difficulty of decrypting the hash. The
salt has the effect of increasing the number of potential
authenticators that attackers must check for validity, thereby
making the attacks more time consuming and creating more opportunity
for the institution to identify and react to the attack.
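The two paragraphs above describe why a stolen authentication database of bare one-way hashes falls to a precomputed dictionary, and why a per-user salt (combined here with an iterated hash) removes that shortcut. The following Python script is an added illustration and is not part of the FFIEC booklet or this newsletter; the word list, the three accounts and their passwords, and the PBKDF2 iteration count are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed sample list of "likely authenticators", standing in for the
# word list a warehouse attacker would run through the hash function.
WORDLIST = ["password", "letmein", "winter2013", "qwerty", "banking1"]

# Constructed sample accounts; the third password is not on the list.
ACCOUNTS = {"alice": "winter2013", "bob": "qwerty", "carol": "Tr0ub4dor&3"}

ITERATIONS = 100_000  # assumed work factor for the iterated hash


def hash_unsalted(password: str) -> str:
    """Weak storage: one bare SHA-256 of the password, identical for every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password: str, salt: bytes) -> bytes:
    """Stronger storage: per-user random salt plus PBKDF2-HMAC-SHA256 iterations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def new_salted_record(password: str) -> tuple[bytes, bytes]:
    """Create the (salt, digest) pair an institution would store for a new user."""
    salt = os.urandom(16)
    return salt, hash_salted(password, salt)


def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time check of a login attempt against the stored record."""
    return hmac.compare_digest(hash_salted(password, salt), digest)


def precomputed_table(wordlist) -> dict[str, str]:
    """Table built once from the word list; reusable against every unsalted store."""
    return {hash_unsalted(w): w for w in wordlist}


def recover_from_unsalted(stolen: dict[str, str], table: dict[str, str]) -> dict[str, str]:
    """Stolen bare hashes fall to a single table lookup each: returns {user: password}."""
    return {user: table[h] for user, h in stolen.items() if h in table}


def recover_from_salted(stolen: dict[str, tuple[bytes, bytes]], table: dict[str, str]) -> dict[str, str]:
    """The same table against salted records: the digests never match the table keys."""
    return {user: table[d.hex()] for user, (_, d) in stolen.items() if d.hex() in table}


def hash_operations_needed(n_users: int, wordlist_len: int) -> tuple[int, int]:
    """Hash invocations to test the whole list: shared table vs. per-user salted and iterated."""
    return wordlist_len, wordlist_len * n_users * ITERATIONS


def demo() -> dict:
    """Run both storage schemes against the same stolen-database scenario."""
    table = precomputed_table(WORDLIST)
    unsalted_store = {u: hash_unsalted(p) for u, p in ACCOUNTS.items()}
    salted_store = {u: new_salted_record(p) for u, p in ACCOUNTS.items()}
    return {
        "unsalted_recovered": recover_from_unsalted(unsalted_store, table),
        "salted_recovered": recover_from_salted(salted_store, table),
        "login_ok": verify_salted("qwerty", *salted_store["bob"]),
        "login_bad": verify_salted("qwerty1", *salted_store["bob"]),
        "work": hash_operations_needed(len(ACCOUNTS), len(WORDLIST)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With bare hashes, one five-entry table recovers two of the three accounts immediately; with a random salt per user the same table recovers nothing, and testing the list now costs one iterated hash per guess per user, which is the extra time and detection opportunity the booklet refers to. The iteration count is a tunable assumption; a real deployment would pick it from current guidance rather than from this example.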
Warehouse attacks typically compromise an entire authentication
mechanism. Should such an attack occur, the financial institution
might have to deny access to all or nearly all users until new
authentication devices can be issued (e.g. new passwords).
Institutions should consider the effects of such a denial of access,
and appropriately plan for large-scale re-issuances of
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
25. Does the institution permit each of the joint consumers in a
joint relationship to opt out?
26. Does the opt out notice to joint consumers state that either:
a. the institution will consider an opt out by a joint consumer as
applying to all associated joint consumers; [§7(d)(2)(i)] or
b. each joint consumer is permitted to opt out separately?