Does Your Financial Institution need an
affordable Internet security audit? Yennik, Inc.
has clients in 42 states that rely on our penetration testing audits
to ensure proper Internet security settings and to
meet the independent diagnostic test requirements of
FDIC, OCC, FRB, and NCUA, which provides compliance with
Gramm-Leach-Bliley Act 501(b).
The penetration audit and Internet security testing
is an affordable, sophisticated process that goes far beyond
simple port scanning. The audit is conducted from
a hacker's perspective, which will help
you identify real-world weaknesses.
For more information, give R. Kinney Williams a call today at
806-798-7119 or visit
http://www.internetbankingaudits.com/.
REMINDER - This newsletter is
available for Android smart phones and tablets. Go to the
Market Store and search for yennik.
FYI
- GAO - Information Technology: Leveraging Best Practices to Help
Ensure Successful Major Acquisitions.
http://www.gao.gov/products/GAO-14-183T
FYI
- Cyber dragnet: Five new HACKERS join FBI's 'most wanted' list -
'Operation Ghost Click' seeks its last fugitive - The US Federal
Bureau of Investigation has added five new names to its "Cyber's
Most Wanted" list, bringing the total number of fugitives urgently
wanted in relation to computer and data-related crimes to 17.
http://www.theregister.co.uk/2013/11/06/fbi_cyber_most_wanted/
FYI
- More than half of corporate breaches go unreported, according to
study - In a survey of 200 security professionals who deal with
malware analysis for U.S. businesses, 57 percent revealed they
investigated or addressed a data breach their company never
disclosed.
http://www.scmagazine.com/more-than-half-of-corporate-breaches-go-unreported-according-to-study/article/320252/?DCMP=EMC-SCUS_Newswire
http://www.zdnet.com/enterprise-data-breaches-often-left-undisclosed-malware-analysts-say-7000023032/
FYI
- New York Police Detective Pleads Guilty to Hacking Charges - A New
York City police detective has pleaded guilty to hiring hacking
services to steal the passwords of dozens of email accounts
belonging to fellow officers in the police department and others.
http://www.wired.com/threatlevel/2013/11/police-detective-guiltyhacking-charges/
FYI
- Mom helped hide laptops from FBI in cabinet, gets 6 months
probation - Barrett Brown's mother will also pay a $1,000 fine as
part of guilty plea. Back in January 2013, former self-proclaimed
Anonymous spokesperson Barrett Brown was charged for the third time
in four months on federal criminal charges.
http://arstechnica.com/tech-policy/2013/11/mom-helped-hide-laptops-from-fbi-in-dishwasher-gets-6-months-probation/
FYI
- Firm highlights top site attacks on world's biggest banks - An
analysis of the most common website attacks affecting the world's
biggest banks turned up concerning evidence that a common coding
flaw remains an easy entry point for attackers.
http://www.scmagazine.com/firm-highlights-top-site-attacks-on-worlds-biggest-banks/article/321037/?DCMP=EMC-SCUS_Newswire
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Hackers steal $1.2m of bitcoins from Inputs.io, a supposedly
secure wallet service - In a phone interview with Australia’s AM
radio show, Tradefortress responded to challenges that the theft was
‘an inside job’, though he insisted that he wouldn’t be reporting
the theft to the police because the bitcoins are untraceable and it
would be impossible to track the culprit.
http://www.coindesk.com/hackers-steal-bitcoins-inputs-io-wallet-service/
http://www.scmagazine.com/hackers-steal-more-than-a-million-dollars-worth-of-bitcoin/article/320244/?DCMP=EMC-SCUS_Newswire
FYI
- Two hard drives stolen from Washington State University office -
Hundreds of employees, former employees and students of Washington
State University are being notified that their personal information
may have been compromised after two possibly unencrypted external
hard drives were stolen from an on-campus office.
http://www.scmagazine.com/two-hard-drives-stolen-from-washington-state-university-office/article/320133/?DCMP=EMC-SCUS_Newswire
FYI
- Indiana data breach dates back to 2001 - The personal information
of hundreds of Jeffersonville, IN vendors and officials may have
been compromised in an ongoing data breach that dates back to 2001.
http://www.scmagazine.com/indiana-data-breach-dates-back-to-2001/article/320528/?DCMP=EMC-SCUS_Newswire
FYI
- Instagram companion app compromises 100k accounts - An iOS and
Android application that claims to provide free 'likes' and
followers to users of Instagram is actually a clever scam.
http://www.scmagazine.com/instagram-companion-app-compromises-100k-accounts/article/320848/?DCMP=EMC-SCUS_Newswire
FYI
- More than 800,000 accounts compromised in MacRumors Forums breach
- About 860,000 members who post on the forums of popular Apple
website MacRumors are being asked to change their passwords after
accounts were compromised in a hack.
http://www.scmagazine.com/more-than-800000-accounts-compromised-in-macrumors-forums-breach/article/320740/?DCMP=EMC-SCUS_Newswire
WEB SITE COMPLIANCE -
Advertisements
Generally, Internet web sites are considered advertising by the
regulatory agencies. In some cases, the regulations contain special
rules for multiple-page advertisements. It is not yet clear what
would constitute a single "page" in the context of the Internet or
on-line text. Thus, institutions should carefully review their
on-line advertisements in an effort to minimize compliance risk.
In addition, Internet or other systems in which a credit application
can be made on-line may be considered "places of business" under
HUD's rules prescribing lobby notices. Thus, institutions may want
to consider including the "lobby notice," particularly in the case
of interactive systems that accept applications.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION - Public Key Infrastructure (Part 2 of 3)
The certificate authority (CA), which may be the financial
institution or its service provider, plays a key role by attesting
with a digital certificate that a particular public key and the
corresponding private key belong to a specific user or system. It
is important when issuing a digital certificate that the
registration process for initially verifying the identity of users
is adequately controlled: a certificate is only as trustworthy as
the identity check performed before it was issued. The CA attests
to the individual user's identity by signing the digital certificate
with its own private key (for a root CA, the root key; a subordinate
CA signs with a key that is itself certified by the root). Each time
the user establishes a communication link with the financial
institution's systems, a digital signature is transmitted with a
digital certificate. These electronic credentials enable the
institution to determine that the digital certificate was issued by
a CA it trusts and has not expired or been revoked, identify the
individual as a user, and confirm that transactions entered into the
institution's computer system were signed with that user's private
key.
The user's private key exists electronically and, unless it is
generated and held inside a smart card or hardware token that never
exports it, is susceptible to being copied over a network as easily
as any other electronic file. If it is lost or compromised, the user
can no longer be assured that messages will remain private or that
fraudulent or erroneous transactions will not be performed in the
user's name, and the institution can no longer treat that user's
signatures as proof of origin until the certificate is revoked. User
AUPs and training should emphasize the importance of safeguarding a
private key and promptly reporting its compromise.
PKI minimizes many of the vulnerabilities associated with passwords
because it does not rely on shared secrets to authenticate
customers: the institution stores only public keys and certificates,
so a breach of its authentication server does not yield anything an
attacker can use to impersonate users, and a private key that never
leaves the user's device cannot be harvested from a central store.
The primary drawback of a PKI authentication system is that it is
more complicated and costly to implement than user names and
passwords. Whether the financial institution acts as its own CA or
relies on a third party, the institution should ensure its
certificate issuance and revocation policies and other controls
discussed below are followed.
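The CA, registration, per-connection signature and revocation steps
described above, as an added worked example in Go that is not part
of this newsletter or of the FFIEC booklet. It uses only the Go
standard library (crypto/x509, crypto/ecdsa). The CA name "Example
Bank CA", the user "alice", the transaction text and the in-memory
revoked set (standing in for the CRL or OCSP responder a real
deployment would consult) are all assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CA is the institution's (or its service provider's) certificate authority; the revoked set is an assumed stand-in for a CRL/OCSP check.
type CA struct {
	key     *ecdsa.PrivateKey
	cert    *x509.Certificate
	revoked map[string]bool
}
// sign gives tmpl a random serial and a validity window, signs it with priv (parent is tmpl itself for the self-signed root) and parses the result.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	tmpl.SerialNumber, tmpl.NotBefore, tmpl.NotAfter = serial, time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
// NewCA generates the CA's signing key (the "root key") and its self-signed root certificate.
func NewCA(name string) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{Subject: pkix.Name{CommonName: name}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	cert, err := sign(tmpl, tmpl, &key.PublicKey, key)
	return &CA{key: key, cert: cert, revoked: map[string]bool{}}, err
}
// Issue is the registration step: once the user's identity has been verified out of band, the CA attests that pub belongs to user by signing the certificate.
func (ca *CA) Issue(user string, pub *ecdsa.PublicKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{Subject: pkix.Name{CommonName: user}, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	return sign(tmpl, ca.cert, pub, ca.key)
}
func (ca *CA) Revoke(cert *x509.Certificate) { ca.revoked[cert.SerialNumber.String()] = true } // private key reported compromised
// Verify is the institution's side of each connection: chain the certificate to our root, check revocation and the named user, then check that the signature (made with the user's private key) covers exactly this transaction.
func (ca *CA) Verify(claimedUser string, cert *x509.Certificate, tx, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	if ca.revoked[cert.SerialNumber.String()] {
		return errors.New("certificate revoked")
	}
	if cert.Subject.CommonName != claimedUser {
		return errors.New("certificate does not name the claimed user")
	}
	h := sha256.Sum256(tx)
	if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("signature does not match transaction")
	}
	return nil
}

// Scenarios runs one valid transaction and four the institution must reject; setup failures are programming errors here, so must panics on them.
func Scenarios() map[string]error {
	bank := must(NewCA("Example Bank CA"))                          // assumed name
	alice := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // the user's key pair
	aliceCert := must(bank.Issue("alice", &alice.PublicKey))
	tx := []byte("transfer 100.00 from 1234 to 5678") // constructed transaction
	h := sha256.Sum256(tx)
	sig := must(ecdsa.SignASN1(rand.Reader, alice, h[:])) // user side: sign with the private key
	rogue := must(NewCA("Rogue CA"))                       // a CA the institution does not trust
	rogueCert := must(rogue.Issue("alice", &alice.PublicKey))
	out := map[string]error{
		"valid":        bank.Verify("alice", aliceCert, tx, sig),
		"tampered":     bank.Verify("alice", aliceCert, []byte("transfer 999.00 from 1234 to 5678"), sig),
		"wrong user":   bank.Verify("bob", aliceCert, tx, sig),
		"untrusted CA": bank.Verify("alice", rogueCert, tx, sig), // right user, valid signature, wrong issuer
	}
	bank.Revoke(aliceCert) // Alice reports her private key compromised
	out["revoked"] = bank.Verify("alice", aliceCert, tx, sig)
	return out
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func main() { fmt.Println(Scenarios()) }
```

Running it prints the five outcomes; only "valid" is nil. The
"untrusted CA" case is the one to study: the certificate names the
right user and the signature is mathematically correct, but it was
not issued by a CA the institution trusts, so it proves nothing.
In production the user's private key would live on a smart card or
token, and the institution would consult a CRL or OCSP responder
rather than an in-process set.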
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
Opt Out Notice
19. If the institution discloses nonpublic personal information
about a consumer to a nonaffiliated third party, and the exceptions
under §§13-15 do not apply, does the institution provide the
consumer with a clear and conspicuous opt out notice that accurately
explains the right to opt out? [§7(a)(1)]