REMINDER - This newsletter is available for Android smartphones and
tablets. Go to the Market Store and search for yennik.
FYI - Feds ‘Hacked’ Silk Road Without a Warrant? Perfectly Legal,
Prosecutors Argue - With only a month until the scheduled trial of
Ross Ulbricht, the alleged creator of the Silk Road drug site,
Ulbricht’s defense lawyers have zeroed in on the argument that the
U.S. government illegally hacked the billion-dollar black market
site to expose the location of its hidden server.
http://www.wired.com/2014/10/feds-silk-road-hack-legal/
FYI - 'A motivated, funded, skilled hacker will always get in' – Schneier;
it's how you respond that's key, says securo guru (IP Expo) - Hacking
attacks are more or less inevitable, so organisations need
to move on from the protection and detection of attacks towards
managing their response to breaches so as to minimise harm,
according to security guru Bruce Schneier.
http://www.theregister.co.uk/2014/10/09/your_security_defences_are_going_to_fall_get_over_it_schneier/
FYI - JPMorgan hackers targeted 13 firms, including Fidelity, report
reveals - Fidelity Investments, a major mutual fund and financial
services firm, is believed to have been targeted by the same hackers
which struck JPMorgan Chase, the Financial Times has revealed.
http://www.scmagazine.com/jpmorgan-data-breach-targeted-fidelity-12-others/article/376694/
FYI - Report examines cloud-based security market drivers, concerns - A
new report sheds light on the growing number of cloud-based security
vendors in the marketplace, as well as concerns that may arise as
enterprises take advantage of solutions facilitating secure adoption
of cloud services.
http://www.scmagazine.com/an-nss-labs-report-says-cloud-based-services-growing-at-staggering-rate/article/377507/
FYI - ABA wants to automatically call and text mobiles regarding breach
and fraud alerts - With data breach and fraud alerts in mind, the
American Bankers Association (ABA) filed a petition on Tuesday
asking the Federal Communications Commission (FCC) to remove
“outdated regulatory restrictions” that prevent sending automated
calls and texts to mobile devices.
http://www.scmagazine.com/aba-wants-to-automatically-call-and-text-mobiles-regarding-breach-and-fraud-alerts/article/377505/
FYI - TD Bank reaches $850K breach settlement with states - TD Bank has
reached a settlement with several states, in order to resolve an
investigation of a 2012 data breach in which it lost unencrypted
backup tapes containing data of 260,000 customers.
http://www.scmagazine.com/td-bank-reaches-850k-breach-settlement-with-states/article/377744/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Bond insurer MBIA investigates potential breach of client data -
MBIA, the country's largest bond insurer, says that data related to
an undisclosed number of its customers may have been “illegally
accessed.”
http://www.scmagazine.com/mbias-client-data-may-have-been-accessed-illegally/article/376195/
FYI - 'Crypto-ransomware' scam email brings down ABC News 24 - A scam
email was enough to bring down Australia's national broadcaster,
with ABC News 24's Sydney studios being compromised by a "crypto-ransomware
attack".
http://www.cnet.com/au/news/crypto-ransomware-scam-email-brings-down-abc-news-24/
FYI - ATM malware dispenses cash to attackers - A backdoor program
allowing cash dispersal has been detected on automated teller
machines in multiple countries, although mostly in Russia. Kaspersky
Lab reports that the program, designated Backdoor.MSIL.Tyupkin,
requires physical access to the ATM system and booting it off of a
CD to install the malware.
http://www.zdnet.com/atm-malware-dispenses-cash-to-attackers-7000034416/
FYI - Dairy Queen confirms breach, Backoff malware intrusion at 395 U.S.
stores - A data breach at International Dairy Queen, Inc. has
resulted in systems at 395 of its more than 4,500 U.S. stores and
one Orange Julius location being infected with the same Backoff
malware that has plagued other retailers nationwide and exposed
customer payment information.
http://www.scmagazine.com/backoff-malware-infected-395-dairy-queen-locations-and-one-orange-julius/article/376735/
FYI - Attackers Hacked Critical Manufacturing Firm For Months - An unnamed
manufacturing firm vital to the U.S. economy recently suffered a
prolonged hack, the Department of Homeland Security has disclosed.
http://www.nextgov.com/cybersecurity/2014/10/dhs-attackers-hacked-critical-manufacturing-firm-months/96317/?oref=ng-channeltopstory
FYI - Kmart shops hit by payment card hack attack - Kmart is the
latest big US chain to be attacked by hackers - Cash registers at
1,200 Kmart stores were infected with malware that scooped up
payment card numbers for over a month, reports the retailer.
http://www.bbc.com/news/technology-29595214
FYI - Snapsaved.com breach prompts Snapchat warning - A claim Monday by
Snapsaved.com that its servers had been breached and 500 megabytes
of photographs had been stolen, prompted Snapchat to issue a warning
to users about “the unfortunate threats these third-party
applications can pose.”
http://www.scmagazine.com/snapchat-warned-users-about-third-party-applications/article/377240/
FYI - Oregon Employment Department notifies 850K individuals of breach -
The Oregon Employment Department (OED) is notifying more than
850,000 individuals that their personal information – including
Social Security numbers – may have been compromised during an
intrusion into the agency's website.
http://www.scmagazine.com/oregon-employment-department-notifies-850k-individuals-of-breach/article/377193/
FYI - Physician's email account, accessed by unknown source, contained
patient data - UC Davis Health System is notifying 1,326 patients
that a physician's work email account was accessed by an unknown
source and an email within that account contained their personal or
medical information.
http://www.scmagazine.com/physicians-email-account-accessed-by-unknown-source-contained-patient-data/article/377499/
FYI - Hackers targeted Chase Corporate Challenge site to find
infiltration route - A previously known breach of the JPMorgan Chase
Corporate Challenge website has now been confirmed as one of many
avenues cyber attackers explored while trying to gain access to the
bank's internal systems.
http://www.scmagazine.com/hackers-struck-out-at-chase-corporate-challenge-site/article/377724/
FYI - Marquette University notifies graduate applicants of possible
breach - Marquette University is notifying an undisclosed number of
people that settings for an internal file server were inadvertently
modified, enabling anyone with University login credentials to
access personal information – including Social Security numbers – on
their graduate school applications.
http://www.scmagazine.com/marquette-university-notifies-graduate-applicants-of-possible-breach/article/377723/
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Supervision.
Principle 5: Banks should ensure that appropriate measures are
in place to protect the data integrity of e-banking transactions,
records and information.
Data integrity refers to the assurance that information that is
in-transit or in storage is not altered without authorization.
Failure to maintain the data integrity of transactions, records and
information can expose banks to financial losses as well as to
substantial legal and reputational risk.
The inherent nature of straight-through processes for e-banking may
make programming errors or fraudulent activities more difficult to
detect at an early stage. Therefore, it is important that banks
implement straight-through processing in a manner that ensures
safety and soundness and data integrity.
As e-banking is transacted over public networks, transactions are
exposed to the added threat of data corruption, fraud and the
tampering of records. Accordingly, banks should ensure that
appropriate measures are in place to ascertain the accuracy,
completeness and reliability of e-banking transactions, records and
information that is either transmitted over Internet, resident on
internal bank databases, or transmitted/stored by third-party
service providers on behalf of the bank. Common practices used to
maintain data integrity within an e-banking environment include the
following:
1) E-banking transactions should be conducted in a manner that
makes them highly resistant to tampering throughout the entire
process.
2) E-banking records should be stored, accessed and modified in a
manner that makes them highly resistant to tampering.
3) E-banking transaction and record-keeping processes should be
designed in a manner as to make it virtually impossible to
circumvent detection of unauthorized changes.
4) Adequate change control policies, including monitoring and
testing procedures, should be in place to protect against any
e-banking system changes that may erroneously or unintentionally
compromise controls or data reliability.
5) Any tampering with e-banking transactions or records should be
detected by transaction processing, monitoring and record keeping
functions.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
ELECTRONIC AND PAPER-BASED MEDIA HANDLING
Sensitive information is frequently contained on media such as
paper documents, output reports, back-up tapes, disks, cassettes,
optical storage, test data, and system documentation. Protection of
that data requires protection of the media. The theft, destruction,
or other loss of the media could result in the exposure of corporate
secrets, breaches in customer confidentiality, alteration of data,
and the disruption of business activities. The
policies and procedures necessary to protect media may need revision
as new data storage technologies are contemplated for use and new
methods of attack are developed. The sensitivity of the data (as
reflected in the data classification) dictates the extent of
procedures and controls required. Many institutions find it easier
to store and dispose of all media consistently without having to
segregate out the most sensitive information. This approach also can
help reduce the likelihood that someone could infer sensitive
information by aggregating a large amount of less sensitive
information. Management must address three components to secure
media properly: handling and storage, disposal, and transit.
HANDLING AND STORAGE
IT management should ensure secure storage of media from
unauthorized access. Controls could include physical and
environmental controls including fire and flood protection, limited
access (e.g., physical locks, keypad, passwords, biometrics),
labeling, and logged access. Management should establish access
controls to limit access to media, while ensuring all employees have
authorization to access the minimum level of data required to
perform their responsibilities. More sensitive media like system
documentation, application source code, and production transaction
data should have more extensive controls to guard against alteration
(e.g., integrity checkers, cryptographic hashes). Furthermore,
policies should minimize the distribution of sensitive media,
including the printouts of sensitive information. Periodically, the
security staff, audit staff, and data owners should review
authorization levels and distribution lists to ensure they remain
appropriate and current.
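An added example (not code from the FFIEC booklet or the Basel paper) of the "integrity checker / cryptographic hash" control the paragraph above mentions, which also gives a concrete form to the Basel principle that tampering with stored records should be detected: it baselines SHA-256 digests of the files on a media store, seals the baseline with an HMAC so the manifest itself is tamper-evident, and on re-check reports altered, lost and unexpected files. The directory, file names and key are constructed for the demonstration; the key is assumed to be held by audit staff rather than on the media server.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

def file_digest(path: Path) -> str:
    """SHA-256 of a file, streamed so large backup images need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Relative POSIX path -> digest for every regular file under root."""
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def seal_manifest(manifest: dict, key: bytes) -> dict:
    """HMAC the baseline so it cannot be quietly re-hashed along with the media;
    the key is assumed to be held by audit staff, away from the media server."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return {"files": manifest, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}

def verify(root: Path, sealed: dict, key: bytes) -> dict:
    """Check the baseline's HMAC first, then report modified, missing and added files."""
    body = json.dumps(sealed["files"], sort_keys=True).encode()
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).hexdigest(), sealed["mac"]):
        raise ValueError("baseline manifest failed HMAC check")
    base, cur = sealed["files"], build_manifest(root)
    return {"modified": sorted(p for p in base if p in cur and cur[p] != base[p]),
            "missing": sorted(p for p in base if p not in cur),
            "added": sorted(p for p in cur if p not in base)}

def demo() -> dict:
    """Constructed scenario: baseline two files, then alter one, lose one, add one."""
    key = b"example-audit-key"  # placeholder; use a managed secret in practice
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "reports").mkdir()
        (root / "reports" / "q3.txt").write_text("balance 100\n")
        (root / "backup.img").write_bytes(b"\x00" * 1024)
        sealed = seal_manifest(build_manifest(root), key)
        (root / "reports" / "q3.txt").write_text("balance 900\n")  # altered
        (root / "backup.img").unlink()                              # lost
        (root / "notes.txt").write_text("new\n")                    # unexpected
        return verify(root, sealed, key)
```

Running `demo()` returns the three change lists; a verify run against a manifest whose digests were edited without the key fails at the HMAC check before any file is read.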
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
Sharing nonpublic personal information with nonaffiliated third
parties under Sections 14 and/or 15 and outside of exceptions (with
or without also sharing under Section 13). (Part 3 of 3)
C. Opt Out Right
1) Review the financial institution's opt out notices. An opt out
notice may be combined with the institution's privacy notices.
Regardless, determine whether the opt out notices:
a. Are clear and conspicuous (§§3(b) and 7(a)(1));
b. Accurately explain the right to opt out (§7(a)(1));
c. Include and adequately describe the three required items of
information (the institution's policy regarding disclosure of
nonpublic personal information, the consumer's opt out right, and
the means to opt out) (§7(a)(1)); and
d. Describe how the institution treats joint consumers (customers
and those who are not customers), as applicable (§7(d)).
2) Through discussions with management, review of the
institution's policies and procedures, and a sample of electronic or
written records where available, determine if the institution has
adequate procedures in place to provide the opt out notice and
comply with opt out directions of consumers (customers and those who
are not customers), as appropriate. Assess the following:
a. Timeliness of delivery (§10(a)(1));
b. Reasonableness of the method of delivery (e.g., by hand; by
mail; electronically, if the consumer agrees; or as a necessary step
of a transaction) (§9);
c. Reasonableness of the opportunity to opt out (the time allowed
to and the means by which the consumer may opt out)
(§§10(a)(1)(iii), 10(a)(3)); and
d. Adequacy of procedures to implement and track the status of a
consumer's (customers and those who are not customers) opt out
direction, including those of former customers (§7(e), (f), (g)).