REMINDER - This newsletter is available for Android smartphones and
tablets. Go to the Market Store and search for yennik.
FYI
- SCADA flaws put world leaders at risk of TERRIBLE TRAFFIC JAM -
Host city for 2014's G20 meeting pen tests its traffic lights and
finds flaws galore - In November 2014, leaders of the G20 group of
nations will convene in Brisbane, Australia, for a few days of
plotting to form a one-world government high-level talks aimed at
ensuring global stability and amity.
http://www.theregister.co.uk/2013/11/21/scada_flaws_put_world_leaders_at_risk_of_terrible_traffic_jam/
FYI
-
Where's your data going? Hacks redirect traffic through distant
lands - A disturbing trend appeared in the world of computer
security during 2013: subtle hacks that redirect traffic through
foreign countries, where it may be inspected and even modified
before moving on to its recipient.
http://www.nbcnews.com/technology/wheres-your-data-going-hacks-redirect-traffic-through-distant-lands-2D11624570
FYI
-
New Defense Contracts Will Protect Vendor Trade Secrets From Hackers
- All future Pentagon contracts will regulate the security of
certain unclassified networks owned by suppliers, amid concerns that
the theft of technical information can jeopardize economic security.
http://www.nextgov.com/defense/2013/11/new-defense-contracts-will-protect-vendor-trade-secrets-hackers/74156/?oref=ng-HPtopstory
FYI
-
Six suspects in $45M ATM heist arrested - Law enforcement arrested
more suspects for their alleged connection to an international ATM
heist, which drained banks of $45 million. The suspects are believed
to have operated the New York cell of “cashers,” who withdrew money
from ATMs after other criminals raised the limits on victims'
accounts by hacking a credit card processor.
http://www.scmagazine.com/six-suspects-in-45m-atm-heist-arrested/article/322326/?DCMP=EMC-SCUS_Newswire&spMailingID=7442740&spUserID=MjI5OTI3MzMyMQS2&spJobID=99650025&spReportId=OTk2NTAwMjUS1
FYI
-
H&R Block website not accessible to disabled, Justice Department
claims - The U.S. government sought to intervene in a lawsuit
accusing units of Kansas City-based H&R Block of operating a website
inaccessible to people who are blind, deaf or have other
disabilities.
http://www.kansascity.com/2013/11/26/4651486/hr-block-website-not-accessible.html
FYI
-
UK bank networks hijacked to spew botnet spam, BBC finds - Computers
inside many of the UK's largest banks and building societies are
being used to spew malicious botnet spam, research conducted on
behalf of the BBC has shown.
http://www.computerworld.com.my/resource/security/uk-bank-networks-hijacked-to-spew-botnet-spam-bbc-finds/
FYI
-
Ding Ding Ding! Video Poker ‘Hackers’ Cleared of Federal Charges - A
federal judge in Las Vegas this morning dismissed federal charges
against the men, ending a nearly two-year-long legal battle over
when beating the house becomes a crime.
http://www.wired.com/threatlevel/2013/11/video-poker-case/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
-
GitHub resets user passwords following rash of account hijack
attacks - As many as 40,000 unique addresses flood site with
fraudulent login attempts. GitHub is experiencing an increase in
user account hijackings that's being fueled by a rash of automated
login attempts from as many as 40,000 unique Internet addresses.
http://arstechnica.com/security/2013/11/github-resets-user-passwords-following-rash-of-account-hijack-attacks/
http://www.scmagazine.com/brute-force-attack-against-github-affects-users-with-weak-passwords/article/322327/?DCMP=EMC-SCUS_Newswire&spMailingID=7442740&spUserID=MjI5OTI3MzMyMQS2&spJobID=99650025&spReportId=OTk2NTAwMjUS1
FYI
-
Hackers reportedly steal 42M customer records from online dating
network Cupid Media - The exposed information included email
addresses and plaintext passwords - Hackers reportedly stole 42
million customer records including email addresses and clear-text
passwords from Cupid Media, a network of dating websites.
http://www.computerworld.com/s/article/9244202/Hackers_reportedly_steal_42M_customer_records_from_online_dating_network_Cupid_Media?taxonomyId=17
FYI
-
RFE/RL Computer Network 'Targeted' By Internet Attack - Radio Free
Europe/Radio Liberty has been targeted in an Internet attack known
as a distributed denial of service (DDoS).
http://www.rferl.org/content/radio-free-europe-internet-attack/25171864.html
FYI
-
Thousands of California doctors impacted in Anthem breach -
Thousands of doctors at Anthem Blue Cross of California are being
notified that their personal information was mistakenly posted
online.
http://www.scmagazine.com/thousands-of-california-doctors-impacted-in-anthem-breach/article/322232/?DCMP=EMC-SCUS_Newswire&spMailingID=7442740&spUserID=MjI5OTI3MzMyMQS2&spJobID=99650025&spReportId=OTk2NTAwMjUS1
FYI
-
More than a million dollars in Bitcoins stolen by hackers - Last
week hackers stole 1,295 Bitcoins – more than a million dollars –
from Denmark-based Bitcoin exchange BIPS. The founder and CEO took
to the bitcointalk.org forums beginning Tuesday to explain the
situation.
http://www.scmagazine.com/more-than-a-million-dollars-in-bitcoins-stolen-by-hackers/article/322605/?DCMP=EMC-SCUS_Newswire&spMailingID=7456452&spUserID=MjI5OTI3MzMyMQS2&spJobID=100336343&spReportId=MTAwMzM2MzQzS0
FYI
-
Patients compromised again, second UCSF laptop theft within two
months - More than 8,000 patients of University of California, San
Francisco (UCSF) are receiving notification letters after a possibly
unencrypted laptop that contained the personal information was
stolen from a physician's vehicle. A similar UCSF incident occurred
in October.
http://www.scmagazine.com/patients-compromised-again-second-ucsf-laptop-theft-within-two-months/article/322581/?DCMP=EMC-SCUS_Newswire&spMailingID=7456452&spUserID=MjI5OTI3MzMyMQS2&spJobID=100336343&spReportId=MTAwMzM2MzQzS0
FYI
-
Racing Post website hit by ‘aggressive’ cyber attack - Racing Post
has revealed that its website was hit by a “sophisticated, sustained
and aggressive attack” over the weekend in which one of its
databases containing customer information was accessed.
http://www.v3.co.uk/v3-uk/news/2308953/racing-post-website-hit-by-aggressive-cyber-attack
FYI
-
Florida health employee caught photographing patient data, gets
fired - Florida Digestive Health Specialists LLP is notifying about
4,400 patients that a former employee improperly accessed their
personal information and photographed the data.
http://www.scmagazine.com/florida-health-employee-caught-photographing-patient-data-gets-fired/article/322701/?DCMP=EMC-SCUS_Newswire&spMailingID=7471006&spUserID=MjI5OTI3MzMyMQS2&spJobID=100609022&spReportId=MTAwNjA5MDIyS0
WEB SITE COMPLIANCE - TRUTH IN SAVINGS ACT (REG DD)
Financial institutions that advertise deposit products and services
on-line must verify that proper advertising disclosures are made in
accordance with all provisions of the regulations. Institutions
should note that the disclosure exemption for electronic media does
not specifically address commercial messages made through an
institution's web site or other on-line banking system. Accordingly,
adherence to all of the advertising disclosure requirements is
required.
Advertisements should be monitored for recency, accuracy, and
compliance. Financial institutions should also refer to OSC
regulations if the institution's deposit rates appear on third party
web sites or as part of a rate sheet summary. These types of
messages are not considered advertisements unless the depository
institution, or a deposit broker offering accounts at the
institution, pays a fee for or otherwise controls the publication.
Disclosures generally are required to be in writing and in a form
that the consumer can keep. Until the regulation has been reviewed
and changed, if necessary, to allow electronic delivery of
disclosures, an institution that wishes to deliver disclosures
electronically to consumers would supplement electronic disclosures
with paper disclosures.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION - Biometrics (Part 1 of 2)
Biometrics can be implemented in many forms, including tokens.
Biometrics verifies the identity of the user by reference to unique
physical or behavioral characteristics. A physical characteristic
can be a thumbprint or iris pattern. A behavioral characteristic is
the unique pattern of key depression strength and pauses made on a
keyboard when a user types a phrase. The strength of biometrics is
related to the uniqueness of the physical characteristic selected
for verification. Biometric technologies assign data values to the
particular characteristics associated with a certain feature. For
example, the iris typically provides many more characteristics to
store and compare, making it more unique than facial
characteristics. Unlike other authentication mechanisms, a biometric
authenticator does not rely on a user's memory or possession of a
token to be effective. Additional strengths are that biometrics do
not rely on people to keep their biometric secret or physically
secure their biometric. Biometrics is the only authentication
methodology with these advantages.
Enrollment is a critical process for the use of biometric
authentication. The user's physical characteristics must be reliably
recorded. Reliability may require several samples of the
characteristic and a recording device free of lint, dirt, or other
interference. The enrollment device must be physically secure from
tampering and unauthorized use.
When enrolled, the user's biometric is stored as a template.
Subsequent authentication is accomplished by comparing a submitted
biometric against the template, with results based on probability
and statistical confidence levels. Practical usage of biometric
solutions requires consideration of how precise systems must be for
positive identification and authentication. More precise solutions
increase the chances a person is falsely rejected. Conversely, less
precise solutions can result in the wrong person being identified or
authenticated as a valid user (i.e., false acceptance rate). The
equal error rate (EER) is a composite rating that considers the
false rejection and false acceptance rates. Lower EERs mean more
consistent operations. However, EER is typically based upon
laboratory testing and may not be indicative of actual results due
to factors that can include the consistency of biometric readers to
capture data over time, variations in how a user presents their
biometric sample (e.g., occasionally pressing harder on a finger
scanner), and environmental factors.
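The false rejection rate (FRR), false acceptance rate (FAR) and equal error rate (EER) described above are easiest to understand when computed from actual match scores. The following is an added example, not text or code from the FFIEC booklet or the newsletter: it takes constructed genuine and impostor similarity scores (assumed to lie in [0, 1], with the matcher accepting any score at or above a threshold), sweeps the threshold to find the EER, shows the FRR an institution pays for tightening the FAR target, and then lowers the genuine scores to mimic the field effects the booklet warns about (reader wear, inconsistent finger pressure), which moves the EER away from the lab figure.

```python
"""FRR, FAR and EER for a biometric matcher, from match scores.

Added example, not from the FFIEC booklet. All scores below are constructed
sample data; in a deployment they would come from the matcher's SDK and
should be collected from the installed readers, not from lab testing.
"""
from typing import Sequence, Tuple

# Constructed: similarity of a probe sample against the enrolled template.
GENUINE_SCORES = [0.95, 0.92, 0.90, 0.88, 0.85, 0.80, 0.76, 0.70, 0.62, 0.55]
IMPOSTOR_SCORES = [0.20, 0.28, 0.35, 0.40, 0.48, 0.52, 0.58, 0.65, 0.72, 0.78]


def accepts(score: float, threshold: float) -> bool:
    """Decision rule assumed here: accept when the score reaches the threshold."""
    return score >= threshold


def false_rejection_rate(genuine: Sequence[float], threshold: float) -> float:
    """Fraction of legitimate users the system turns away at this threshold."""
    rejected = sum(1 for s in genuine if not accepts(s, threshold))
    return rejected / len(genuine)


def false_acceptance_rate(impostor: Sequence[float], threshold: float) -> float:
    """Fraction of impostor attempts the system lets through at this threshold."""
    accepted = sum(1 for s in impostor if accepts(s, threshold))
    return accepted / len(impostor)


def candidate_thresholds(genuine: Sequence[float], impostor: Sequence[float]) -> list:
    """Error rates only change at observed scores, so those are the candidates."""
    return sorted(set(genuine) | set(impostor))


def equal_error_rate(genuine: Sequence[float], impostor: Sequence[float]) -> Tuple[float, float]:
    """Return (threshold, EER): the point where FAR and FRR are closest.

    EER is reported as the mean of FAR and FRR at that threshold, which is
    exactly their common value when the two curves cross on a candidate.
    """
    best = None  # (gap, threshold, eer)
    for t in candidate_thresholds(genuine, impostor):
        far = false_acceptance_rate(impostor, t)
        frr = false_rejection_rate(genuine, t)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, (far + frr) / 2)
    return best[1], best[2]


def operating_point(genuine: Sequence[float], impostor: Sequence[float],
                    max_far: float) -> Tuple[float, float, float]:
    """Lowest threshold whose FAR does not exceed max_far, and the FRR it costs.

    Returns (threshold, far, frr). Raising the precision demanded of the
    system (a lower max_far) pushes the threshold up and the FRR with it.
    """
    for t in candidate_thresholds(genuine, impostor):
        far = false_acceptance_rate(impostor, t)
        if far <= max_far:
            return t, far, false_rejection_rate(genuine, t)
    raise ValueError("no threshold meets the FAR target on this data")


def shifted(scores: Sequence[float], delta: float) -> list:
    """Constructed field effect: every genuine score drops by delta (e.g. a
    worn reader or lighter finger pressure), rounded to avoid float noise."""
    return [round(s - delta, 2) for s in scores]


if __name__ == "__main__":
    for t in (0.60, 0.70, 0.75):
        print(f"threshold {t:.2f}: FRR={false_rejection_rate(GENUINE_SCORES, t):.2f} "
              f"FAR={false_acceptance_rate(IMPOSTOR_SCORES, t):.2f}")
    t_eer, eer = equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"lab EER {eer:.2f} at threshold {t_eer:.2f}")
    t_op, far, frr = operating_point(GENUINE_SCORES, IMPOSTOR_SCORES, max_far=0.1)
    print(f"FAR<=0.10 needs threshold {t_op:.2f}: FAR={far:.2f}, FRR={frr:.2f}")
    t_field, eer_field = equal_error_rate(shifted(GENUINE_SCORES, 0.10), IMPOSTOR_SCORES)
    print(f"field EER {eer_field:.2f} at threshold {t_field:.2f}")
```

On the constructed data the lab EER is 0.20 at a threshold of 0.70; holding FAR to 0.10 forces the threshold to 0.76 and the FRR to 0.30, and once genuine scores drop by 0.10 the EER at the best threshold rises to 0.30. A deployment that fixed its threshold from the lab EER would, after that drift, be rejecting far more legitimate users than planned, which is why the booklet cautions against treating the vendor's EER as the expected field result.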
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
21. Does the institution provide the consumer with the following
information about the right to opt out:
a. all the categories of nonpublic personal information that the
institution discloses or reserves the right to disclose; [§7(a)(2)(i)(A)]
b. all the categories of nonaffiliated third parties to whom the
information is disclosed; [§7(a)(2)(i)(A)]
c. that the consumer has the right to opt out of the disclosure of
that information; [§7(a)(2)(i)(A)] and
d. the financial products or services that the consumer obtains to
which the opt out direction would apply? [§7(a)(2)(i)(B)]