FYI - FBI Investigates $9 Million ATM Scam - A Fox 5 investigation exposes a worldwide ATM scam that swindled $9 million and possibly jeopardized sensitive information from people around the world. Law enforcement sources told Fox 5 it's one of the most frightening well-coordinated heists they've ever seen. http://www.myfoxny.com/dpp/news/090202_FBI_Investigates_9_Million_ATM_Scam

FYI - Achilles' Heel Of Corporate Security - Last year, 55% of all the computer security vulnerabilities disclosed affected Web applications, and 74% of these had no patch. "Certain types of corporate applications, namely custom-built software like Web applications, remain a highly profitable and inexpensive target for criminal attackers," the report states. http://www.techweb.com/article/printArticle?articleID=213000162&printArticle=true

FYI - Geeks.com settles with FTC - An online computer supplies and electronics retailer agreed to settle Federal Trade Commission (FTC) charges that it violated federal law by not providing adequate security to protect customer data, the agency announced. http://www.scmagazineus.com/Geekscom-settles-with-FTC/article/127035/?DCMP=EMC-SCUS_Newswire

FYI - Firms lack confidence they can deter internal attacks - Human error is the leading cause for IT system breaches, and most corporate security officials do not feel confident they can protect their organizations from internal cyberattacks, according to Deloitte Touche Tohmatsu's annual survey. http://www.scmagazineus.com/Deloitte-Firms-lack-confidence-they-can-deter-internal-attacks/article/126957/?DCMP=EMC-SCUS_Newswire

FYI - A call to revamp HIPAA - The Health Insurance Portability and Accountability Act (HIPAA) is inadequate for protecting privacy and also stymies research, as access to patient health information is vital for making medical advances, according to a new report from the National Academy of Sciences' Institute of Medicine (IOM). http://www.scmagazineus.com/A-call-to-revamp-HIPAA/article/126886/?DCMP=EMC-SCUS_Newswire

FYI - Don't blame the employees for peeping: Organizations are at fault for poor access governance - The natural curiosity of employees to view the private records of political figures and celebrities is leading to people losing their jobs or being criminally convicted. http://www.scmagazineus.com/Dont-blame-the-employees-for-peeping-Organizations-are-at-fault-for-poor-access-governance/article/127075/?DCMP=EMC-SCUS_Newswire

FYI - Houston justice system laid low by Conficker worm - The justice system in Houston was thrown into disarray late last week after the infamous Conficker (Downadup) worm infected key systems. http://www.theregister.co.uk/2009/02/09/houston_malware_infection/

FYI - Obama orders 60-day cybersecurity review - President Obama ordered a 60-day review of federal government cybersecurity initiatives, to be led by former Bush-administration aide Melissa Hathaway, the White House. http://www.scmagazineus.com/Obama-orders-60-day-cybersecurity-review/article/127141/?DCMP=EMC-SCUS_Newswire

FYI - Was Scott McNealy right? - Scott McNealy made his famous comment about privacy in the digital age at an event launching Sun Microsystems's Jini technology back in January 25, 1999. His comment immediately drew angry comments from privacy advocates. Some claimed that they were "astonished" that he could say that we don't have privacy any more. http://www.scmagazineus.com/Was-Scott-McNealy-right/article/126910/?DCMP=EMC-SCUS_Newswire

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Intruders put virus on government security contractor network - A security services provider for the federal government has alerted an unknown number of employees, former employee and customers that its network was compromised by malware. Virginia-based SRA International disclosed that hackers were able to access the network to install a virus.
http://www.scmagazineus.com/Intruders-put-virus-on-government-security-contractor-network/article/126889/
http://www.theregister.co.uk/2009/02/04/sra_virus_infection/

FYI - Cybercriminals Try Phishing With Fliers - As part of their ongoing effort to convince people to visit malicious Web sites, cybercriminals are experimenting with a new medium: phony advertisement fliers. http://www.techweb.com/article/showArticle?articleID=213200005&section=News

FYI - Open sourcey bulletin board offline after hack attack - phpBB coughs up names, addresses, passwords - The website for one of the net's more popular bulletin board software packages has been taken offline following a security breach that gave an attacker full access to a database containing names, email, address, and hashed passwords for its entire user base. http://www.theregister.co.uk/2009/02/04/phpbb_breach/

FYI - FAA reports breach that puts employee data at risk - A server at the U.S. Federal Aviation Administration was illegally accessed online and personal identity information of employees was stolen, the agency said. http://news.cnet.com/8301-1009_3-10160469-83.html?tag=mncol;title

FYI - Police retrieve Kaiser employee files from criminal suspect - Kaiser Permanente today alerted its 29,500 Northern California employees that their personnel information was found in the hands of a recently arrested criminal suspect. http://www.sacbee.com/ourregion/story/1605728.html?mi_rss=Our%2520Region

Return to the top of the newsletter

WEB SITE COMPLIANCE - Flood Disaster Protection Act

The regulation implementing the National Flood Insurance Program requires a financial institution to notify a prospective borrower and the servicer that the structure securing the loan is located or to be located in a special flood hazard area. The regulation also requires a notice of the servicer's identity be delivered to the insurance provider. While the regulation addresses electronic delivery to the servicer and to the insurance provider, it does not address electronic delivery of the notice to the borrower.

Return to the top of the newsletter
 
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  

ENCRYPTION TYPES

Three types of encryption exist: the cryptographic hash, symmetric encryption, and asymmetric encryption.

A cryptographic hash reduces a variable - length input to a fixed-length output. The fixed-length output is a unique cryptographic representation of the input. Hashes are used to verify file and message integrity. For instance, if hashes are obtained from key operating system binaries when the system is first installed, the hashes can be compared to subsequently obtained hashes to determine if any binaries were changed. Hashes are also used to protect passwords from disclosure. A hash, by definition, is a one - way encryption. An attacker who obtains the password cannot run the hash through an algorithm to decrypt the password. However, the attacker can perform a dictionary attack, feeding all possible password combinations through the algorithm and look for matching hashes, thereby deducing the password. To protect against that attack, "salt," or additional bits, are added to the password before encryption. The addition of the bits means the attacker must increase the dictionary to include all possible additional bits, thereby increasing the difficulty of the attack.

Symmetric encryption is the use of the same key and algorithm by the creator and reader of a file or message. The creator uses the key and algorithm to encrypt, and the reader uses both to decrypt. Symmetric encryption relies on the secrecy of the key. If the key is captured by an attacker either when it is exchanged between the communicating parties, or while one of the parties uses or stores the key, the attacker can use the key and the algorithm to decrypt messages, or to masquerade as a message creator.

Asymmetric encryption lessens the risk of key exposure by using two mathematically related keys, the private key and the public key. When one key is used to encrypt, only the other key can decrypt. Therefore, only one key (the private key) must be kept secret. The key that is exchanged (the public key) poses no risk if it becomes known. For instance, if individual A has a private key and publishes the public key, individual B can obtain the public key, encrypt a message to individual A, and send it. As long as individual A keeps his private key secure from discovery, only individual A will be able to decrypt the message.

Return to the top of the newsletter

IT SECURITY QUESTION:

F. PERSONNEL SECURITY

1. Determine if the institution performs appropriate background checks on its personnel, during the hiring process and thereafter, according to the employee's authority over the institution's systems and information.

Return to the top of the newsletter

INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Sharing nonpublic personal information with nonaffiliated third parties under Sections 13=, 14, and/or 15 but outside of these exceptions (Part 1 of 2)

A. Disclosure of Nonpublic Personal Information

1)  Select a sample of third party relationships with nonaffiliated third parties and obtain a sample of data shared between the institution and the third party. The sample should include a cross-section of relationships but should emphasize those that are higher risk in nature as determined by the initial procedures. Perform the following comparisons to evaluate the financial institution's compliance with disclosure limitations.

a.  Compare the data shared and with whom the data were shared to ensure that the institution accurately categorized its information sharing practices and is not sharing nonpublic personal information outside the exceptions (§§13, 14, 15).

b.  Compare the categories of data shared and with whom the data were shared to those stated in the privacy notice and verify that what the institution tells consumers in its notices about its policies and practices in this regard and what the institution actually does are consistent (§§10, 6).

2)  Review contracts with nonaffiliated third parties that perform services for the financial institution not covered by the exceptions in section 14 or 15. Determine whether the contracts adequately prohibit the third party from disclosing or using the information other than to carry out the purposes for which the information was disclosed. Note that the "grandfather" provisions of Section 18 apply to certain of these contracts. (§13(a)).