REMINDER - This newsletter is
available for Android smart phones and tablets. Go to the
Market Store and search for yennik.
FYI
- The 'must haves' to make the Framework for Cybersecurity useful -
This month, the National Institute of Standards and Technology
(NIST) is scheduled to release the first official draft of the
Cybersecurity Framework.
http://www.scmagazine.com/the-must-haves-to-make-the-framework-for-cybersecurity-useful/article/317206/?DCMP=EMC-SCUS_Newswire
FYI
- Cisco says controversial NIST crypto, potential NSA backdoor,
'not invoked' in products - Controversial crypto technology known
as Dual EC DRBG, thought to be a backdoor for the National Security
Agency, ended up in some Cisco products as part of their code
libraries; Cisco says its products do not invoke it.
http://www.computerworld.com/s/article/9243301/Cisco_says_controversial_NIST_crypto_potential_NSA_backdoor_not_invoked_in_products?taxonomyId=17s
FYI
- NCA to hire 400 cyber crime fighters by end of 2014 - The UK
National Crime Agency (NCA) has pledged to train 400 new cyber
intelligence officers over the next year.
http://www.v3.co.uk/v3-uk/news/2301933/nca-to-hire-400-cyber-crime-fighters-by-end-of-2014
FYI
- UK cyber defence unit 'may include convicted hackers' - Convicted
computer hackers could be recruited to the UK's cyber defence force
if they pass security vetting, the head of the new unit has said.
http://www.bbc.co.uk/news/technology-24613376
FYI
- Federal Security Breaches Traced to User Noncompliance - Are
strong security protocols actually making the federal government
less secure? According to a new study by MeriTalk, federal
cybersecurity professionals are so focused on implementing rigid
policies to lock down data that they often ignore how those rules
will impact end users within their agencies.
http://www.csoonline.com/article/741586/federal-security-breaches-traced-to-user-noncompliance?source=CSONLE_nlt_newswatch_2013-10-18
FYI
- Aaron's computer rental chain settles FTC spying charges - The
rent-to-own computer company settles a complaint that accused it of
secretly taking Webcam photos of users in their homes and recording
keystrokes of Web site login credentials.
http://news.cnet.com/8301-1009_3-57608838-83/aarons-computer-rental-chain-settles-ftc-spying-charges/?tag=nl.e757&s_cid=e757&ttag=e757&ftag=CAD2e9d5b9
FYI
- US government releases draft cybersecurity framework - NIST comes
out with its proposed cybersecurity standards, which outline how
private companies can protect themselves against hacks, cyberattacks,
and security breaches.
http://news.cnet.com/8301-1009_3-57608834-83/us-government-releases-draft-cybersecurity-framework/?tag=nl.e757&s_cid=e757&ttag=e757&ftag=CAD2e9d5b9
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Security Flaw on 200 Government Websites Blamed on Shutdown -
Hackers can pocket sensitive personal data from citizens visiting
hundreds of .gov websites because the shutdown has reduced technical
maintenance, some security researchers say.
http://www.nextgov.com/cybersecurity/2013/10/security-flaw-200-government-websites-blamed-shutdown/72035/?oref=ng-HPriver
FYI
- Dexter malware resurfaces in South Africa, costs banks millions -
Banks in South Africa have suffered tens of millions in losses in
rand (millions of US dollars) due to a variant of the Dexter virus –
a piece of malware targeting point-of-sale (POS) devices that was
discovered in December 2012.
http://www.scmagazine.com/dexter-malware-resurfaces-in-south-africa-costs-banks-millions/article/316387/
FYI
- Dick Cheney's wireless heart monitor was modified to curb hacking
threat - A personal account by former Vice President Dick Cheney
appears to have brought further credence to hacking concerns about
implanted medical devices.
http://www.scmagazine.com/dick-cheneys-wireless-heart-monitor-was-modified-to-curb-hacking-threat/article/317205/?DCMP=EMC-SCUS_Newswire
http://www.theregister.co.uk/2013/10/21/us_veeps_wireless_heart_implant_disabled_to_stop_terrorist_hackers/
FYI
- Experian Sold Consumer Data to ID Theft Service - An identity
theft service that sold Social Security and drivers license numbers
- as well as bank account and credit card data on millions of
Americans - purchased much of its data from Experian, one of the
three major credit bureaus, according to a lengthy investigation by
KrebsOnSecurity.
http://krebsonsecurity.com/2013/10/experian-sold-consumer-data-to-id-theft-service/
FYI
- Alerts of "rising dead" still exploitable on EAS - A security
group which shed light in July on the vulnerabilities hackers
exploited to compromise the national Emergency Alert System (EAS)
announced Thursday that those weaknesses are still present, despite
a patch having been issued.
http://www.scmagazine.com/alerts-of-rising-dead-still-exploitable-on-eas/article/316996/
FYI
- Ship trackers 'vulnerable to hacking', experts warn - Weaknesses
in outdated systems could allow attackers to make ships disappear
from tracking systems - or even make it look like a large fleet was
incoming.
http://www.bbc.co.uk/news/technology-24586394
FYI
- Hacker group claims to have looted $100k via SQL injection attack
- A group of hackers, known as TeamBerserk, took credit on Twitter -
posting as @TeamBerserk - for using a SQL injection attack to access
usernames and passwords for customers of Sebastian, a
California-based internet, phone and television service provider,
and then leveraging those credentials to steal $100,000 from online
accounts.
http://www.scmagazine.com/hacker-group-claims-to-have-looted-100k-via-sql-injection-attack/article/317412/?DCMP=EMC-SCUS_Newswire
FYI
- Laptops stolen, data of 700k California hospital patients
compromised - The theft of two laptops has led to a compromise of
personal information, including Social Security numbers, for more
than 700,000 patients of California-based AHMC hospitals.
http://www.scmagazine.com/laptops-stolen-data-of-700k-california-hospital-patients-compromised/article/317295/?DCMP=EMC-SCUS_Newswire
FYI
- Missouri hospital fires physician's assistant for accessing
patient information - An employee of a staff physician at Boone
Hospital Center in Missouri was fired after inappropriately
accessing patient information on the hospital network.
http://www.scmagazine.com/missouri-hospital-fires-physicians-assistant-for-accessing-patient-information/article/317590/?DCMP=EMC-SCUS_Newswire
WEB SITE COMPLIANCE -
Equal Credit Opportunity Act (Regulation B)
The regulation clarifies the rules concerning the taking of credit
applications by specifying that application information entered
directly into and retained by a computerized system qualifies as a
written application under this section. If an institution makes
credit application forms available through its on-line system, it
must ensure that the forms satisfy the requirements.
The regulations also clarify the regulatory requirements that apply
when an institution takes loan applications through electronic
media. If an applicant applies through an electronic medium (for
example, the Internet or a facsimile) without video capability that
allows employees of the institution to see the applicant, the
institution may treat the application as if it were received by
mail.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION - Token Systems (1 of 2)
Token systems typically authenticate the token and assume that the
user who was issued the token is the one requesting access. One
example is a token that generates a new dynamic password every X
seconds. When prompted for a password, the user enters the password
currently shown by the token. The token's password-generating
algorithm and seed are identical to, and time-synchronized with,
those held on the authenticating system, allowing the system to
recognize the password as valid. The strength of this system of
authentication rests in the frequent changing of the password and
the inability of an attacker to guess the seed and password at any
point in time.
Another example of a token system uses a challenge/response
mechanism. In this case, the user identifies him/herself to the
system, and the system returns a code to enter into the
password-generating token. The token and the system use identical
logic and initial starting points to separately calculate a new
password. The user enters that password into the system. If the
system's calculated password matches that entered by the user, the
user is authenticated. The strengths of this system are the
frequency of password change and the difficulty in guessing the
challenge, seed, and password.
Other token methods involve multi-factor authentication, or the
use of more than one authentication method. For instance, an ATM
card is a token. The magnetic stripe on the back of the card
contains a code that is recognized in the authentication process.
However, the user is not authenticated until he or she also provides
a PIN, or shared secret. This method is two-factor, using both
something the user has and something the user knows. Two-factor
authentication is generally stronger than single-factor
authentication. This method can allow the institution to
authenticate the user as well as the token.
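The two token designs described above, as an added example that is not part of the FFIEC booklet: a time-synchronized token that derives its password from a shared seed and the current time step, and a challenge/response token that derives it from the seed and a server-issued code. Both sides hold the same seed and run the same computation; the server never transmits the seed. The 30-second step, the one-step drift window, the demo seed and the function names are this example's own assumptions. The construction follows the HMAC-based one-time password scheme of RFC 4226/6238, which is one common way such tokens are built, not something the booklet prescribes.

```python
"""Added example (not from the FFIEC booklet): a time-synchronized token and a
challenge/response token, both built from an HMAC over a shared seed.
Seed value, step size and drift window are assumptions for the demo."""
import hashlib
import hmac
import secrets
import struct
import time

DIGITS = 6
STEP_SECONDS = 30          # assumption: the token rolls its password every 30 s
DRIFT_STEPS = 1            # assumption: verifier tolerates +/- one step of clock skew


def _truncate(mac: bytes) -> str:
    """Dynamic truncation as in RFC 4226: take 4 bytes at an offset chosen by
    the low nibble of the last byte, clear the sign bit, keep DIGITS digits."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** DIGITS):0{DIGITS}d}"


def synced_password(seed: bytes, now: float) -> str:
    """Password the time-synchronized token displays at time `now`.
    Token and server run this same function with the same seed; the clock
    (divided into STEP_SECONDS steps) is the only other input."""
    counter = int(now // STEP_SECONDS)
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac)


def verify_synced(seed: bytes, submitted: str, now: float) -> bool:
    """Server side: accept the password for the current step or the adjacent
    steps so a slightly skewed token clock still authenticates. Anything
    older is rejected, which is what limits replay. Constant-time compare."""
    for k in range(-DRIFT_STEPS, DRIFT_STEPS + 1):
        candidate = synced_password(seed, now + k * STEP_SECONDS)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


def new_challenge() -> str:
    """Server side: an unpredictable challenge, fresh for every attempt,
    short enough for a user to key into a token (8 hex digits)."""
    return secrets.token_hex(4)


def challenge_response(seed: bytes, challenge: str) -> str:
    """Token side: the user keys the challenge into the token, which derives a
    one-time password from it and the seed. The server runs the same function
    and compares; the seed itself never leaves either device."""
    mac = hmac.new(seed, challenge.encode("ascii"), hashlib.sha1).digest()
    return _truncate(mac)


def verify_challenge(seed: bytes, challenge: str, submitted: str) -> bool:
    return hmac.compare_digest(challenge_response(seed, challenge), submitted)


if __name__ == "__main__":
    # Constructed demo seed (the ASCII string "12345678901234567890").
    seed = bytes.fromhex("3132333435363738393031323334353637383930")
    now = time.time()
    shown = synced_password(seed, now)
    print("token shows", shown, "-> accepted:", verify_synced(seed, shown, now))
    # A password from two steps ago falls outside the drift window.
    stale = synced_password(seed, now - 2 * STEP_SECONDS)
    print("stale password accepted:", verify_synced(seed, stale, now))
    chal = new_challenge()
    resp = challenge_response(seed, chal)
    print("challenge", chal, "response", resp,
          "-> accepted:", verify_challenge(seed, chal, resp))
```

The drift window is the practical trade-off a reviewer should look for: too small and tokens with slow clocks lock users out, too large and a captured password stays usable for longer. A production verifier also records the last accepted step per token so the same password cannot be replayed within the window.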
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
Content of Privacy Notice
16. If the institution provides a short-form initial privacy notice
according to §6(d)(1), does the short-form initial notice:
a. conform to the definition of "clear and conspicuous"; [§6(d)(2)(i)]
b. state that the institution's full privacy notice is available
upon request; [§6(d)(2)(ii)] and
c. explain a reasonable means by which the consumer may obtain the
notice? [§6(d)(2)(iii)]
(Note: the institution is not required to deliver the full
privacy notice with the short-form initial notice. [§6(d)(3)])