REMINDER - This newsletter is available for Android smart phones and
tablets. Go to the Market Store and search for yennik.
FYI
- Some Things Should Be Banned from the Internet of Things - The
unknown danger in connecting an increasing number of analog objects,
such as light bulbs, to the Web is worrying policy advisers.
http://www.nextgov.com/cybersecurity/2014/07/some-things-should-be-banned-internet-things/89636/?oref=ng-channeltopstory
FYI
- Who has your credit card data? 1 million HOLIDAY-MAKERS' RECORDS
exposed - Travel agent fined £150K - Sloppy coding fingered - A
UK-based online travel firm has been fined £150,000 over a breach of
the Data Protection Act after their "insecure" coding
reportedly exposed more than a million customer records to
cybercrooks.
http://www.theregister.co.uk/2014/07/24/travel_agent_data_breach/
FYI
- Former student sentenced to six months for Nebraska university hack
- A former University of Nebraska-Lincoln student that hacked into
the university's computer system in 2012 was sentenced to six months
in prison on Thursday, and also must pay more than $107,000 in
restitution, according to a Thursday Omaha.com report.
http://www.scmagazine.com/former-student-sentenced-to-six-months-for-nebraska-university-hack/article/362957/
FYI
- Underinvestment, poor communication plague Canadian cybersecurity -
Canadian cyber security is languishing due to poor communication and
disappointing security investments, according to research from the
Ponemon Institute. A two-part report revealed that almost a quarter
of cyber teams in Canada never speak with their executive team about
IT security issues.
http://www.scmagazine.com/underinvestment-poor-communication-plague-canadian-cybersecurity/article/361839/
FYI
- Hackers seed Amazon cloud with potent denial-of-service bots - Bug
in open source analytics app may have compromised other services,
too. Attackers have figured out a new way to get Amazon's cloud
service to wage potent denial-of-service attacks on third-party
websites—by exploiting security vulnerabilities in an open source
search and analytics application known as Elasticsearch.
http://arstechnica.com/security/2014/07/hackers-seed-amazon-cloud-with-potent-denial-of-service-bots/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- European Central Bank suffers security breach, personal data stolen
- The European Central Bank's website has been hacked and personal
information has been stolen by a cybercriminal. The European Central
Bank (ECB) admitted Thursday that a security breach has led to the
theft of personal data.
http://www.zdnet.com/european-central-bank-suffers-security-breach-personal-data-stolen-7000031958/
FYI
- Hacker claims breach of Wall Street Journal and Vice websites, punts
'user data' for sale - Also supposedly hit a gadgets site called
'CNET' - A hacker known for attacking news websites has claimed
successful hacks against both the Wall Street Journal and Vice.
http://www.theregister.co.uk/2014/07/22/wsj_vice_hack_claims_w0rm_punts_stolen_data/
FYI
- Attackers raid SWISS BANKS with DNS and malware bombs - 'Retefe'
trojan uses clever spin on old attacks to grant total control of
bank accounts - Attackers suspected of residing in Russia are
raiding Swiss bank accounts with a multi-faceted attack that
intercepts SMS tokens and changes domain name system settings,
researchers have warned.
http://www.theregister.co.uk/2014/07/23/ruskie_vxers_change_dns_nuke_malware_in_swiss_bank_raids/
FYI
- Card Breach at Goodwill Industries - Heads up, bargain shoppers:
Financial institutions across the country report that they are
tracking what appears to be a series of credit card breaches
involving Goodwill locations nationwide. For its part, Goodwill
Industries International Inc. says it is working with the U.S.
Secret Service on an investigation into these reports.
http://krebsonsecurity.com/2014/07/banks-card-breach-at-goodwill-industries/
FYI
- Laptop stolen from Self Regional Healthcare contained patient data -
South Carolina-based Self Regional Healthcare (SRH) is notifying at
least 500 patients that their personal information – including
Social Security numbers and financial data – was on a laptop stolen
from an SRH facility.
http://www.scmagazine.com/laptop-stolen-from-self-regional-healthcare-contained-patient-data/article/362937/
FYI
- ECB database hacked, attackers ask for financial compensation -
Cyber thieves hacked into a database at European Central Bank (ECB)
and stole email addresses and contact information for users who
signed up for bank events via its public website, ECB said Thursday.
http://www.scmagazine.com/ecb-database-hacked-attackers-ask-for-financial-compensation/article/362832/
FYI
- Hacker Breached NOAA Satellite Data from Contractor’s PC - National
Oceanic and Atmospheric Administration satellite data was stolen
from a contractor's personal computer last year, but the agency
could not investigate the incident because the employee refused to
turn over the PC, according to a new inspector general report.
http://www.nextgov.com/cybersecurity/2014/07/hacker-breached-noaa-satellite-data-contractors-pc/89771/?oref=ng-HPtopstory
FYI
- Catch of the Day reveals three-year old data breach - Daily deals
website Catch of the Day last night revealed it had suffered a
serious data breach in 2011 that led to customer passwords and a
number of credit card details being stolen.
http://www.itnews.com.au/News/390097,catch-of-the-day-reveals-three-year-old-data-breach.aspx
FYI
- Seattle University donor checks possibly exposed due to settings
error - Seattle University is notifying an undisclosed number of
donors that incorrect permission settings on an internal drive made
it possible for anyone with a Seattle University computer account to
view scanned checks, without authorization.
http://www.scmagazine.com/seattle-university-donor-checks-possibly-exposed-due-to-settings-error/article/363439/
FYI
- Programming error results in CVS Caremark mailing blunder - About
350 CVS Caremark customers are being notified that a programming
error resulted in mailers containing their personal information
being sent to the wrong customers.
http://www.scmagazine.com/programming-error-results-in-cvs-caremark-mailing-blunder/article/363641/
FYI
- Jimmy John's sandwich chain investigating possible breach - Jimmy John's
sandwich chain is investigating a possible breach of customer credit
card information.
http://www.scmagazine.com/jimmy-johns-sandwich-chain-investigating-possible-breach/article/363877/
FYI
- Attackers compromise Gizmodo Brazil - Attacks on Gizmodo's Brazilian site and
the website of an unnamed logistics firm hosted by the same ISP have
prompted Trend Micro to investigate whether “a vulnerability was
used in order to penetrate the web servers,” according to a company
blog post.
http://www.scmagazine.com/attackers-compromise-gizmodo-brazil/article/363734/
FYI
- Paddy Power breach impacting 650K customers dates back to 2010 - Irish bookmaker
Paddy Power is notifying 649,055 customers that their data was
stolen in a breach dating back to 2010.
http://www.scmagazine.com/paddy-power-breach-impacting-650k-customers-dates-back-to-2010/article/363728/
FYI
- Malware on Backcountry Gear website, payment cards compromised - Malware
installed on the Backcountry Gear website for about three months
beginning in late April likely resulted in a compromise of customer
information, including payment card data.
http://www.scmagazine.com/malware-on-backcountry-gear-website-payment-cards-compromised/article/363888/
FYI
- CIA admits to spying on Senate committee - After months of denials, CIA
Director John Brennan apologizes for spying on Senate Intelligence
Committee computers.
http://www.cnet.com/news/cia-admits-to-spying-on-senate-computers/?tag=nl.e757&s_cid=e757&ttag=e757&ftag=CAD2e9d5b9
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Supervision.
Risk Management Principles for Electronic Banking
The e-banking risk management principles identified in this
Report fall into three broad, and often overlapping, categories of
issues. However, these principles are not weighted by order of
preference or importance. If only because such weighting might
change over time, it is preferable to remain neutral and avoid such
prioritization.
A. Board and Management Oversight (Principles 1 to 3):
1. Effective management oversight of e-banking activities.
2. Establishment of a comprehensive security control process.
3. Comprehensive due diligence and management oversight process for
outsourcing relationships and other third-party dependencies.
B. Security Controls (Principles 4 to 10):
4. Authentication of e-banking customers.
5. Non-repudiation and accountability for e-banking transactions.
6. Appropriate measures to ensure segregation of duties.
7. Proper authorization controls within e-banking systems, databases
and applications.
8. Data integrity of e-banking transactions, records, and
information.
9. Establishment of clear audit trails for e-banking transactions.
10. Confidentiality of key bank information.
C. Legal and Reputational Risk Management (Principles 11 to
14):
11. Appropriate disclosures for e-banking services.
12. Privacy of customer information.
13. Capacity, business continuity and contingency planning to ensure
availability of e-banking systems and services.
14. Incident response planning.
Each of the above principles will be covered over the next few weeks,
as they relate to e-banking and the underlying risk management
principles that banks should consider in addressing these
issues.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
MALICIOUS CODE
Malicious code is any program that acts in unexpected and
potentially damaging ways. Common types of malicious code are
viruses, worms, and Trojan horses. The functions of each were once
mutually exclusive; however, developers combined functions to create
more powerful malicious code. Currently malicious code can replicate
itself within a computer and transmit itself between computers.
Malicious code also can change, delete, or insert data, transmit
data outside the institution, and insert backdoors into institution
systems. Malicious code can attack institutions at either the server
or the client level. It can also attack routers, switches, and other
parts of the institution infrastructure. Malicious code can also
monitor users in many ways, such as logging keystrokes, and
transmitting screenshots to the attacker.
Typically malicious code is mobile, using e-mail, Instant
Messenger, and other peer-to-peer (P2P) applications, or active
content attached to Web pages as transmission mechanisms. The code
also can be hidden in programs that are downloaded from the Internet
or brought into the institution on diskette. At times, the malicious
code can be created on the institution's systems either by intruders
or by authorized users. The code can also be introduced to a Web
server in numerous ways, such as entering the code in a response
form on a Web page.
Malicious code does not have to be targeted at the institution to
damage the institution's systems or steal the institution's data.
Most malicious code is general in application, potentially affecting
all Internet users with whatever operating system or application the
code needs to function.
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
Financial Institution Duties (Part 3 of 6)
Requirements for Notices
Clear and Conspicuous. Privacy notices must be clear and
conspicuous, meaning they must be reasonably understandable and
designed to call attention to the nature and significance of the
information contained in the notice. The regulations do not
prescribe specific methods for making a notice clear and
conspicuous, but do provide examples of ways in which to achieve the
standard, such as the use of short explanatory sentences or bullet
lists, and the use of plain-language headings and easily readable
typeface and type size. Privacy notices also must accurately reflect
the institution's privacy practices.
Delivery Rules. Privacy notices must be provided so that each
recipient can reasonably be expected to receive actual notice in
writing, or if the consumer agrees, electronically. To meet this
standard, a financial institution could, for example, (1)
hand-deliver a printed copy of the notice to its consumers, (2) mail
a printed copy of the notice to a consumer's last known address, or
(3) for the consumer who conducts transactions electronically, post
the notice on the institution's web site and require the consumer to
acknowledge receipt of the notice as a necessary step to completing
the transaction.
For customers only, a financial institution must provide the initial
notice (as well as the annual notice and any revised notice) so that
a customer may be able to retain or subsequently access the notice.
A written notice satisfies this requirement. For customers who
obtain financial products or services electronically, and agree to
receive their notices on the institution's web site, the institution
may provide the current version of its privacy notice on its web
site.