Merry Christmas

REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - Combatting insider threats - Everyone agrees that combating cyber threats is a business priority. Unfortunately, many enterprises focus their efforts in the wrong areas. http://www.scmagazine.com/combatting-insider-threats/article/320621/?DCMP=EMC-SCUS_Newswire&spMailingID=7600706&spUserID=MjI5OTI3MzMyMQS2&spJobID=106404356&spReportId=MTA2NDA0MzU2S0

FYI - The immediate future of passwords - One of the most frustrating parts of the work day for many is the constant logging in to systems and applications needed to access for their job. While this process is mildly annoying for end users, the authentication process (logging into systems using a log in and password combination to verify a user) is extremely critical for the organization to ensure that the user is who they say they are. http://www.scmagazine.com/the-immediate-future-of-passwords/article/320823/?DCMP=EMC-SCUS_Newswire&spMailingID=7592577&spUserID=MjI5OTI3MzMyMQS2&spJobID=106227450&spReportId=MTA2MjI3NDUwS0

FYI - Federal judge rules NSA metadata collection is unconstitutional - A U.S. District Court Judge in Washington ruled that the National Security Agency's (NSA) bulk collection of telephone records violates the privacy rights of Americans.
http://www.scmagazine.com/federal-judge-rules-nsa-metadata-collection-is-unconstitutional/article/325860/?DCMP=EMC-SCUS_Newswire&spMailingID=7600706&spUserID=MjI5OTI3MzMyMQS2&spJobID=106404356&spReportId=MTA2NDA0MzU2S0
http://www.wired.com/threatlevel/2013/12/bulk-telephone-metada-ruling/

FYI - DOE was aware of security issues that exposed employees to hackers - The Department of Energy failed to address suspected cyber-security weaknesses before a July hacking incident that compromised the private information of employees, their dependents and contractors, according to federal auditors. http://www.washingtonpost.com/blogs/federal-eye/wp/2013/12/11/doe-was-aware-of-security-weaknesses-that-led-to-hacking-report-says/

FYI - Ukranian fraudster and CarderPlanet “Don” finally sentenced to 18 years - In 2001, a group of 150 Russian-speaking hackers gathered at a restaurant in Odessa to found CarderPlanet. It ultimately became one of the world’s most notorious fraudulent credit card data websites, and it was shut down in 2004. http://arstechnica.com/tech-policy/2013/12/ukranian-fraudster-and-carderplanet-don-finally-sentenced-to-18-years/

FYI - FDA Breach Raises Lawmakers' Hackles - House Panel Issues Terse Letter Regarding October Hack - Lawmakers have raised concerns that the Food and Drug Administration hasn't been as forthright as it should in disclosing an October breach that exposed personally identifiable information of 12,000 to 14,000 individuals. http://www.govinfosecurity.com/fda-breach-raises-lawmakers-hackles-a-6279

FYI - Restaurant worker sentenced for skimming scam - A Brooklyn man was sentenced to between two and seven years in state prison after using a skimming device to steal more than 30 credit card numbers. http://www.scmagazine.com/restaurant-worker-sentenced-for-skimming-scam/article/325417/?DCMP=EMC-SCUS_Newswire&spMailingID=7592577&spUserID=MjI5OTI3MzMyMQS2&spJobID=106227450&spReportId=MTA2MjI3NDUwS0

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Poker ace's vanishing hotel laptop WAS infected by card-shark - F-Secure - Trojan on 'swiped' laptop could peek at player's hand, we're told - A laptop apparently stolen from a top-flight poker pro's hotel room and mysteriously returned while he played in a card tournament was infected by spyware. http://www.theregister.co.uk/2013/12/11/poker_pros_call_shenanigans_over_hotel_malware_infections/

FYI - Two unencrypted N.J. health insurance laptops stolen, more than 800k impacted - Horizon Blue Cross Blue Shield of New Jersey (BCBSNJ) began sending notification letters to more than 800,000 members on Dec. 6, alerting them that their personal information may have been compromised after two unencrypted laptops were stolen from the insurance provider's Newark headquarters about one month prior. http://www.scmagazine.com/two-unencrypted-nj-health-insurance-laptops-stolen-more-than-800k-impacted/article/325840/?DCMP=EMC-SCUS_Newswire&spMailingID=7600706&spUserID=MjI5OTI3MzMyMQS2&spJobID=106404356&spReportId=MTA2NDA0MzU2S0

FYI - Man receives jail time and hefty fine for hacking government supercomputers - A Pennsylvania man received jail time after hacking into, and attempting to sell access, to two government supercomputers. http://www.scmagazine.com/man-receives-jail-time-and-hefty-fine-for-hacking-government-supercomputers/article/325817/?DCMP=EMC-SCUS_Newswire&spMailingID=7600706&spUserID=MjI5OTI3MzMyMQS2&spJobID=106404356&spReportId=MTA2NDA0MzU2S0

FYI - Patient information in Virginia accessed on unsecured server - The Fairfax County Health Department in Virginia is sending notification letters to roughly 1,500 individuals after Bailey's Health Center – one of the county's health care clinics – inadvertently left private pharmaceutical records on an unsecured computer server. http://www.scmagazine.com/patient-information-in-virginia-accessed-on-unsecured-server/article/325715/?DCMP=EMC-SCUS_Newswire&spMailingID=7600706&spUserID=MjI5OTI3MzMyMQS2&spJobID=106404356&spReportId=MTA2NDA0MzU2S0

FYI - Target investigating massive Black Friday data breach - The shopping giant Target is apparently investigating a data breach that affects the in-store records of millions of credit and debit card transactions. It's not just online transaction databases that are susceptible to attacks. The retailer Target is reportedly looking into the theft of millions of in-store credit card and debit card records from its databases. http://news.cnet.com/8301-1009_3-57616054-83/target-investigating-massive-black-friday-data-breach-report/?tag=nl.e757&s_cid=e757&ttag=e757&ftag=CAD2e9d5b9

FYI - Hackers hit Washington Post for second time in three years - Employee usernames and passwords were accessed in latest hack, which the company suspected of originating in China. The Washington Post's servers have been breached for the second time in three years, giving hackers access to employee usernames and passwords, the company revealed Wednesday. http://news.cnet.com/8301-1009_3-57616069-83/hackers-hit-washington-post-for-second-time-in-three-years/?tag=nl.e757&s_cid=e757&ttag=e757&ftag=CAD2e9d5b9

FYI - Missing unencrypted thumb drive impacts 19,000 Colorado workers - Almost 19,000 current and former Colorado state workers may have had personal information compromised after a worker lost an unencrypted thumb drive containing the data. http://www.scmagazine.com/missing-unencrypted-thumb-drive-impacts-19000-colorado-workers/article/326150/?DCMP=EMC-SCUS_Newswire&spMailingID=7614987&spUserID=MjI5OTI3MzMyMQS2&spJobID=106709785&spReportId=MTA2NzA5Nzg1S0

Return to the top of the newsletter

WEB SITE COMPLIANCE - Electronic Fund Transfer Act, Regulation E (Part 1 of 2)

Generally, when online banking systems include electronic fund transfers that debit or credit a consumer's account, the requirements of the Electronic Fund Transfer Act and Regulation E apply.  A transaction involving stored value products is covered by Regulation E when the transaction accesses a consumer's account (such as when value is "loaded" onto the card from the consumer's deposit account at an electronic terminal or personal computer).

Financial institutions must provide disclosures that are clear and readily understandable, in writing, and in a form the consumer may keep.  An Interim rule was issued on March 20, 1998 that allows depository institutions to satisfy the requirement to deliver by electronic communication any of these disclosures and other information required by the act and regulations, as long as the consumer agrees to such method of delivery.

Financial institutions must ensure that consumers who sign up for a new banking service are provided with disclosures for the new service if the service is subject to terms and conditions different from those described in the initial disclosures.  Although not specifically mentioned in the commentary, this applies to all new banking services including electronic financial services.

The Federal Reserve Board Official Staff Commentary (OSC) also clarifies that terminal receipts are unnecessary for transfers initiated online. Specifically, OSC regulations provides that, because the term "electronic terminal" excludes a telephone operated by a consumer, financial institutions need not provide a terminal receipt when a consumer initiates a transfer by a means analogous in function to a telephone, such as by a personal computer or a facsimile machine.
 
Return to the top of the newsletter
 
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  

SECURITY CONTROLS - IMPLEMENTATION

LOGICAL AND ADMINISTRATIVE ACCESS CONTROL 

Examples of Common Authentication Weaknesses, Attacks, and Offsetting Controls (Part 1 of 2)

All authentication methodologies display weaknesses. Those weaknesses are of both a technical and a nontechnical nature. Many of the weaknesses are common to all mechanisms. Examples of common weaknesses include warehouse attacks, social engineering, client attacks, replay attacks, and hijacking.

Warehouse attacks result in the compromise of the authentication storage system, and the theft of the authentication data. Frequently, the authentication data is encrypted; however, dictionary attacks make decryption of even a few passwords in a large group a trivial task. A dictionary attack uses a list of likely authenticators, such as passwords, runs the likely authenticators through the encryption algorithm, and compares the result to the stolen, encrypted authenticators. Any matches are easily traceable to the pre-encrypted authenticator.

Dictionary and brute force attacks are viable due to the speeds with which comparisons are made. As microprocessors increase in speed, and technology advances to ease the linking of processors across networks, those attacks will be even more effective. Because those attacks are effective, institutions should take great care in securing their authentication databases. Institutions that use one - way hashes should consider the insertion of secret bits (also known as "salt") to increase the difficulty of decrypting the hash. The salt has the effect of increasing the number of potential authenticators that attackers must check for validity, thereby making the attacks more time consuming and creating more opportunity for the institution to identify and react to the attack.

Warehouse attacks typically compromise an entire authentication mechanism. Should such an attack occur, the financial institution might have to deny access to all or nearly all users until new authentication devices can be issued (e.g. new passwords). Institutions should consider the effects of such a denial of access, and appropriately plan for large-scale re-issuances of authentication devices.

Return to the top of the newsletter

INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

25. Does the institution permit each of the joint consumers in a joint relationship to opt out? [§7(d)(2)]

26. Does the opt out notice to joint consumers state that either: 

a. the institution will consider an opt out by a joint consumer as applying to all associated joint consumers; [§7(d)(2)(i)] or

b. each joint consumer is permitted to opt out separately? [§7(d)(2)(ii)]