Does Your Financial Institution need an affordable Internet security audit? Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
REMINDER - This newsletter is available for Android smart phones and tablets. Go to the Market Store and search for yennik.
FYI
- Utah CTO takes fall for data breach - Resignation sought by Gov.
Herbert after breach exposes data on 280,000 Medicaid recipients -
The executive director of Utah's Department of Technology Services
has resigned over a data breach two months ago that exposed the
Social Security numbers and other personal data of about 280,000
Medicaid recipients.
http://www.computerworld.com/s/article/9227215/Utah_CTO_takes_fall_for_data_breach?taxonomyId=17
FYI
- UK man to spend year in the clink for Facebook account hack -
21-year-old admitted breaking into US victim's profile - A British
man has been jailed for a year after hacking into the Facebook
account of a US citizen.
http://www.theregister.co.uk/2012/05/17/facebook_account_hacker_jailed/
FYI
- The FBI took -- and mysteriously returned -- their server. Here's
their story - Presumed FBI agents reinstall a server seized from
MayFirst/PeopleLink. The bureau won't say why it took it or why it
returned it in such an unusual manner. Ever wonder what it's like to
have FBI agents knock on your door? Or to have them walk into your
business unannounced and walk away with your computer?
http://redtape.msnbc.msn.com/_news/2012/05/11/11647813-the-fbi-took-and-mysteriously-returned-their-server-heres-their-story
FYI
- GAO - Management Report: Opportunities for Improvement in the
Bureau of Consumer Financial Protection's Internal Controls and
Accounting Procedures.
http://www.gao.gov/products/GAO-12-528R
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- The Pirate Bay hit by DDoS attack - File-sharing website The
Pirate Bay (TPB) has been hit by a Distributed Denial of Service (DDoS)
attack. The site has been largely inaccessible for the last 24
hours, and the service is intermittent in the UK.
http://www.bbc.co.uk/news/technology-18095370
FYI
- Global Payments Breach Fueled Prepaid Card Fraud - Debit card
accounts stolen in a recent hacker break-in at card processor Global
Payments have been showing up in fraud incidents at retailers in Las
Vegas and elsewhere, according to officials from one bank impacted
by the fraud.
http://krebsonsecurity.com/2012/05/global-payments-breach-fueled-prepaid-card-fraud/
FYI
- Hacktivists take down Chicago Police Department website - On
Sunday, the Chicago Police Department (CPD) and city of Chicago's
official websites were victims of a cyber strike seemingly performed
by hacktivists affiliated with Anonymous.
http://www.scmagazine.com/hacktivists-take-down-chicago-police-department-website/article/242106/?DCMP=EMC-SCUS_Newswire
FYI
- Hacked UMaine server leads to exposed personal data - Sensitive
data belonging to people who made web-based purchases at the
University of Maine's (UMaine) Orono Campus may have been stolen
after the school's server suffered a security breach.
http://www.scmagazine.com/hacked-umaine-server-leads-to-exposed-personal-data/article/242121/?DCMP=EMC-SCUS_Newswire
FYI
- Anonymous hacks DoJ and dumps data online - The infamous
hacktivist collective Anonymous released a 1.7-GB archive of
sensitive information after infiltrating the U.S. Department of
Justice (DoJ) with the help of their hacking collaborators
AntiSe3curityOPS.
http://www.scmagazine.com/anonymous-hacks-doj-and-dumps-data-online/article/242349/?DCMP=EMC-SCUS_Newswire
FYI
- Unencrypted hospital laptop exposes 2k patient records - An
employee of the Boston Children's Hospital lost a laptop holding
patient information.
http://www.scmagazine.com/unencrypted-hospital-laptop-exposes-2k-patient-records/article/242541/?DCMP=EMC-SCUS_Newswire
WEB SITE COMPLIANCE - We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.
Security Controls - Principle 1: Banks should take appropriate measures to authenticate the identity and authorization of customers with whom they conduct business over the Internet. (Part 2 of 2)
The bank must determine which authentication methods to use based on
management's assessment of the risk posed by the e-banking system as
a whole or by the various sub-components. This risk analysis should
evaluate the transactional capabilities of the e-banking system
(e.g. funds transfer, bill payment, loan origination, account
aggregation etc.), the sensitivity and value of the stored e-banking
data, and the customer's ease of using the authentication method.
Robust customer identification and authentication processes are
particularly important in the cross-border e-banking context given
the additional difficulties that may arise from doing business
electronically with customers across national borders, including the
greater risk of identity impersonation and the greater difficulty in
conducting effective credit checks on potential customers.
As authentication methods continue to evolve, banks are encouraged
to monitor and adopt industry sound practice in this area such as
ensuring that:
1) Authentication databases that provide access to e-banking
customer accounts or sensitive systems are protected from tampering
and corruption. Any such tampering should be detectable and audit
trails should be in place to document such attempts.
2) Any addition, deletion or change of an individual, agent or
system to an authentication database is duly authorized by an
authenticated source.
3) Appropriate measures are in place to control the e-banking
system connection such that unknown third parties cannot displace
known customers.
4) Authenticated e-banking sessions remain secure throughout the
full duration of the session or, in the event of a security lapse,
require re-authentication.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
INTRUSION DETECTION AND RESPONSE
Automated Intrusion Detection Systems (IDS) (Part 3 of 4)
Some network IDS units allow the IP addresses associated with certain
signatures to be automatically blocked. Financial institutions that
use that capability run the risk of an attacker sending attack
packets that falsely report the sending IP addresses as those of
service providers and others that the institution needs in order to
continue offering service, thereby creating a denial-of-service
situation. To avoid such a situation, the institution may also
implement a list of IP addresses that should never be blocked by the
IDS.
Hosts also use a signature-based method. One such method creates a
hash of key binaries, and periodically compares a newly generated
hash against the original hash. Any mismatch signals a change to the
binary, a change that could be the result of an intrusion.
Successful operation of this method involves protection of the
original binaries from change or deletion, and protection of the
host that compares the hashes. If attackers can substitute a new
hash for the original, an attack may not be identified. Similarly,
if an attacker can alter the host performing the comparison so that
it will report no change in the hash, an attack may not be
identified.
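As an added illustration (not code from the FFIEC booklet or this newsletter), the check below hashes a constructed set of "key binaries" and seals the hash table with an HMAC under a hypothetical key, so that an attacker who substitutes a new hash for the original, as the booklet warns, is detected rather than trusted. It does not help when the kernel itself lies to the hasher.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Constructed sample "key binaries" in a temp directory so the example runs
# offline; the names and contents are hypothetical, not files from the page.
WORK = Path(tempfile.mkdtemp(prefix="hids_demo_"))
BINARIES = {"login": b"\x7fELF login v1", "sshd": b"\x7fELF sshd v1"}
for name, content in BINARIES.items():
    (WORK / name).write_bytes(content)
PATHS = sorted(str(WORK / n) for n in BINARIES)
# Hypothetical key that seals the baseline; keep it, and a copy of the
# baseline, off the monitored host, as the booklet's caution implies.
BASELINE_KEY = b"constructed-demo-key"
def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()
def seal(table):
    body = json.dumps(table, sort_keys=True).encode()
    return hmac.new(BASELINE_KEY, body, hashlib.sha256).hexdigest()
def build_baseline(paths):
    """Hash each binary and sign the table so a swapped-in hash is detected."""
    table = {p: sha256_file(p) for p in paths}
    return {"table": table, "tag": seal(table)}

def verify(baseline, paths):
    """Return (baseline_intact, names of changed or missing files)."""
    if not hmac.compare_digest(seal(baseline["table"]), baseline["tag"]):
        return False, []  # the baseline itself was tampered with: do not trust it
    changed = [Path(p).name for p in paths
               if not Path(p).exists() or sha256_file(p) != baseline["table"].get(p)]
    return True, changed

def run_demo():
    login = WORK / "login"
    login.write_bytes(BINARIES["login"])  # reset so the demo is repeatable
    baseline = build_baseline(PATHS)
    clean = verify(baseline, PATHS)  # (True, [])
    login.write_bytes(login.read_bytes() + b" trojaned")  # constructed change
    modified = verify(baseline, PATHS)  # (True, ['login'])
    forged = {"table": dict(baseline["table"]), "tag": baseline["tag"]}
    forged["table"][str(login)] = sha256_file(login)  # attacker swaps in new hash
    tampered = verify(forged, PATHS)  # (False, []) because the HMAC no longer matches
    return clean, modified, tampered
```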
An additional host-based signature method monitors the application
program interfaces for unexpected or unwanted behavior, such as a
Web server calling a command line interface.
Attackers can defeat host-based IDS systems using loadable kernel
modules, or LKMs. An LKM is software that attaches itself to the
operating system kernel. From there, it can redirect and alter
communications and processing. With the proper LKM, an attacker can
force a comparison of hashes to always report a match and provide
the same cryptographic fingerprint of a file, even after the source
file was altered. LKMs can also hide the use of the application
program interfaces. Detection of LKMs is extremely difficult and is
typically done through another LKM.
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
Content of Privacy Notice
16. If the institution provides a short-form initial privacy notice
according to §6(d)(1), does the short-form initial notice:
a. conform to the definition of "clear and conspicuous"; [§6(d)(2)(i)]
b. state that the institution's full privacy notice is available
upon request; [§6(d)(2)(ii)] and
c. explain a reasonable means by which the consumer may obtain the
notice? [§6(d)(2)(iii)]
(Note: the institution is not required to deliver the full
privacy notice with the short-form initial notice. [§6(d)(3)])