Does Your Financial Institution need an affordable Internet security audit?
Yennik, Inc. has clients in 41 states that rely on our penetration testing
audits to ensure proper Internet security settings and to meet the independent
diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which supports
compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and
Internet security testing is an affordable, sophisticated process that goes far
beyond the simple scanning of ports. The audit takes a hacker's perspective,
which will help you identify real-world weaknesses. For more information, give
R. Kinney Williams a call today at 806-798-7119 or visit
http://www.internetbankingaudits.com/.
FYI -
Major League Baseball, National Hockey League websites hit by
traffic-redirection attack - Malicious banner ads first affected
visitors to the websites of Major League Baseball and the National
Hockey League late last week, according to researchers at Exploit
Prevention Labs.
http://www.scmagazineus.com/Major-League-Baseball-National-Hockey-League-websites-hit-by-traffic-redirection-attack/article/96362/
FYI -
Nevada tightens payroll security - Under the new procedures, disks
must be signed for and returned to the personnel department after
each pay period. Passwords will be required to read data stored on
CDs. And state employee information will be correlated to unique
employee identification numbers instead of Social Security numbers.
http://www.gcn.com/online/vol1_no1/45412-1.html?topic=security&CMP=OTC-RSS
FYI -
FCO breached data privacy of 50,000 visa applicants - The personal
details of 50,000 visa applicants were on view to visitors to a
website run by the Foreign and Commonwealth Office, the Information
Commissioner's Office has found.
http://www.computerweekly.com/Articles/2007/11/13/228058/fco-breached-data-privacy-of-50000-visa-applicants.htm
FYI -
Commonwealth passes security question to Netbank users -
Commonwealth Bank is looking to shift concerns over online security
to Netbank customers with the announcement that it will be giving
away security software to a selection of users.
http://www.zdnet.com.au/news/security/print.htm?TYPE=story&AT=339283812-130061744t-110000005c
http://www.zdnet.com.au/news/security/print.htm?TYPE=story&AT=339283820-130061744t-110000005c
FYI -
Ulster Bank steps up security against ID theft - Ulster Bank is
issuing special card readers to its internet banking customers as
part of ongoing measures to combat online banking fraud. The
free-of-charge readers are part of Ulster Bank's overall enhanced
security strategy to prevent identity theft by making it difficult
for attackers to steal a user's online identity.
http://www.siliconrepublic.com/news/news.nv?storyid=single9630
FYI -
Targeted e-mail attacks spoof DOJ, business group - Security expert
says latest attacks part of an escalating problem. Availability of
toolkits, rise of social networks are making it easier for phishers.
Security experts warned this week of two separate e-mail attacks
launched Monday that take aim at specific individuals within
corporations.
http://www.news.com/Targeted-e-mail-attacks-spoof-DOJ%2C-business-group/2100-7349_3-6219559.html?tag=nefd.lede
FYI -
NIST addresses security for industrial control systems - The National
Institute of Standards and Technology has released an initial draft
of new security guidelines for government information technology
systems used for industrial control processes. The guidelines are in
a revised appendix to NIST Special Publication 800-53, "Recommended
Security Controls for Federal Information Systems."
http://www.gcn.com/online/vol1_no1/45455-1.html?topic=security&CMP=OTC-RSS
MISSING COMPUTERS/DATA
FYI -
UK bank data of millions missing - Britain's tax and
customs service lost banking and personal data of 25 million people
-- nearly half the country's population -- when two computer disks
disappeared in an internal mail service, the Treasury chief said.
http://edition.cnn.com/2007/WORLD/europe/11/20/britain.personal.ap/index.html
FYI -
Deja vu all over again at Veterans Administration - Another breach
for an agency that's prone to them - In what's become a fairly
familiar routine for them of late, the U.S. Department of Veterans
Affairs is investigating a potential data breach -- the theft of
three computers containing personal data on potentially 12,000
individuals.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyId=13&articleId=9047482
FYI -
Missing: 25m people's personal data - Computer discs holding
sensitive personal data on 25 million people and 7.25 million
families have gone missing, Chancellor Alistair Darling has admitted
to MPs.
http://www.guardian.co.uk/uklatest/story/0,,-7091592,00.html
WEB SITE COMPLIANCE -
This week begins our series on the Federal Financial Institutions
Examination Council Guidance on Electronic Financial Services and
Consumer Compliance.
Electronic Fund Transfer Act,
Regulation E (Part 1 of 2)
Generally, when on-line banking systems include electronic fund
transfers that debit or credit a consumer's account, the
requirements of the Electronic Fund Transfer Act and Regulation E
apply. A transaction involving stored value products is covered by
Regulation E when the transaction accesses a consumer's account
(such as when value is "loaded" onto the card from the
consumer's deposit account at an electronic terminal or personal
computer).
Financial institutions must provide disclosures that are clear and
readily understandable, in writing, and in a form the consumer may
keep. An interim rule issued on March 20, 1998 allows depository
institutions to satisfy the delivery requirement for any of these
disclosures and other information required by the act and regulation
by electronic communication, as long as the consumer agrees to that
method of delivery.
Financial institutions must ensure that consumers who sign up for a
new banking service are provided with disclosures for the new
service if the service is subject to terms and conditions different
from those described in the initial disclosures. Although not
specifically mentioned in the commentary, this applies to all new
banking services, including electronic financial services.
INFORMATION TECHNOLOGY SECURITY - We continue the series from the FDIC
"Security Risks Associated with the Internet."
Product Certification and Security Scanning Products
Several organizations exist which independently assess and
certify the adequacy of firewalls and other computer system related
products. Typically, certified products have been tested for their
ability to permit and sustain business functions while protecting
against both common and evolving attacks.
Security scanning tools should be run frequently by system
administrators to identify any new vulnerabilities or changes in the
system. Ideally, the scan should be run both with and without the
firewall in place so the firewall's protective capabilities can be
fully evaluated. Identifying the susceptibility of the system
without the firewall shows what would be exposed if the firewall ever
failed, which is useful for planning contingency procedures. Some
scanning tools offer modes with varying degrees of intrusiveness in
the attacks they attempt, so the chosen mode should be agreed on
before scanning production systems.
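Comparing the two scans the guidance calls for is easiest when both are saved in a machine-readable format and diffed. The following script is an added example, not part of the FDIC text or the newsletter: it parses nmap's grepable output (the -oG format), which is assumed to be the scanner in use, and reports for each host which open ports are still reachable through the firewall and which are hidden by it (and so would become exposed if the firewall failed). Both scan outputs below are constructed samples with documentation-range addresses.

```python
"""Diff a port scan taken through the firewall against one taken behind it.

Added example (not from the FDIC guidance). Assumes both scans were written
with nmap's grepable output (-oG). The scan text below is constructed.
"""

# Constructed sample: web server scanned from the Internet, through the firewall.
SCAN_WITH_FIREWALL = """\
# Nmap 4.20 scan initiated as: nmap -sS -p- -oG fw.gnmap 203.0.113.10
Host: 203.0.113.10 (www.example-bank.test)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, 22/filtered/tcp//ssh///\tIgnored State: filtered (65532)
# Nmap done -- 1 IP address (1 host up) scanned in 460.1 seconds
"""

# Constructed sample: the same host scanned from inside, with no firewall in the path.
SCAN_WITHOUT_FIREWALL = """\
Host: 203.0.113.10 (www.example-bank.test)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 1433/open/tcp//ms-sql-s///, 3389/open/tcp//ms-term-serv///\tIgnored State: closed (65530)
"""


def parse_gnmap(text):
    """Return {host_ip: {(port, proto): (state, service)}} from -oG output.

    Each -oG port entry has the form port/state/proto/owner/service/rpc/version/.
    Lines without a "Ports:" field (comments, plain status lines) are skipped.
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]
        ports_field = next((f for f in fields if f.startswith("Ports:")), None)
        if ports_field is None:
            continue
        table = hosts.setdefault(ip, {})
        for entry in ports_field[len("Ports:"):].split(","):
            parts = entry.strip().split("/")
            if len(parts) < 3 or not parts[0].isdigit():
                continue
            port, state, proto = int(parts[0]), parts[1], parts[2]
            service = parts[4] if len(parts) > 4 else ""
            table[(port, proto)] = (state, service)
    return hosts


def compare_scans(with_fw, without_fw):
    """Classify every port that is open on the host itself.

    'exposed'                  -> open through the firewall as well
    'exposed_if_firewall_fails'-> open on the host but filtered/closed through it
    'open_only_through_fw'     -> reachable through the firewall yet not open on
                                  the host (usually a NAT/proxy rule worth checking)
    """
    report = {}
    for host in set(with_fw) | set(without_fw):
        behind = without_fw.get(host, {})
        through = with_fw.get(host, {})
        open_behind = {k for k, (st, _) in behind.items() if st == "open"}
        open_through = {k for k, (st, _) in through.items() if st == "open"}
        report[host] = {
            "exposed": sorted(open_behind & open_through),
            "exposed_if_firewall_fails": sorted(open_behind - open_through),
            "open_only_through_fw": sorted(open_through - open_behind),
        }
    return report


def firewall_report():
    """Run the comparison on the constructed samples."""
    return compare_scans(parse_gnmap(SCAN_WITH_FIREWALL),
                         parse_gnmap(SCAN_WITHOUT_FIREWALL))


if __name__ == "__main__":
    for host, result in firewall_report().items():
        print(host)
        for key, ports in result.items():
            print(f"  {key}: {', '.join(f'{p}/{pr}' for p, pr in ports) or '-'}")
```

The "exposed_if_firewall_fails" list is the input to the contingency planning the guidance mentions: SQL Server and Terminal Services on the sample host are reachable the moment the firewall drops, so they need host-level controls of their own rather than relying on the perimeter alone.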
IT SECURITY QUESTION:
Network user access controls: (Part 1 of 2)
a. Is there a written procedure for password administration?
b. If a username is required, does the system automatically enter
the username?
c. Is the password length six or greater?
d. Is the use of proper nouns and dictionary words discouraged?
e. Is the password required to include upper and lower case letters,
special characters, and numbers?
f. Are passwords required to be changed at least every 30 days?
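Items c, d and e above can be enforced at password-change time rather than left to a written procedure. The following checker is an added example, not from the newsletter: it applies the length, dictionary-word and character-class tests, undoing common letter-for-symbol substitutions before the dictionary test so that "P@ssw0rd" is still caught. The word list is a constructed stand-in for a real dictionary and proper-noun file, and the six-character floor is the checklist's figure, kept as a parameter.

```python
"""Check a candidate password against checklist items c, d and e.

Added example (not from the newsletter). WORDLIST is a constructed stand-in
for a real dictionary/proper-noun file such as /usr/share/dict/words.
"""
import string

# Constructed sample word list; a real deployment loads a full dictionary.
WORDLIST = {"password", "welcome", "summer", "bank", "dallas", "kinney", "letmein"}

# Common substitutions users make to slip a dictionary word past a naive check.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def dictionary_hits(password, wordlist=WORDLIST, min_word_len=4):
    """Words from the list found inside the password after undoing substitutions.

    Short words are ignored so that incidental letter runs ("an", "it") do not
    trigger the check.
    """
    normalized = password.lower().translate(LEET)
    return sorted(w for w in wordlist if len(w) >= min_word_len and w in normalized)


def check_password(password, wordlist=WORDLIST, min_length=6):
    """Return the checklist items the password fails; an empty list means it passes."""
    failures = []
    if len(password) < min_length:                       # item c
        failures.append(f"c: shorter than {min_length} characters")
    hits = dictionary_hits(password, wordlist)           # item d
    if hits:
        failures.append("d: contains dictionary word(s) " + ", ".join(hits))
    classes = {                                          # item e
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(c in string.punctuation for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        failures.append("e: missing " + ", ".join(missing))
    return failures


if __name__ == "__main__":
    for candidate in ("bank", "P@ssw0rd1", "Tr0ub&Horse"):
        result = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```

The six-character minimum and the 30-day rotation in item f are the 2007 checklist's figures; current NIST SP 800-63B guidance favours longer minimums and screening against breached-password lists over forced periodic changes, so treat both numbers as parameters rather than fixed policy.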
INTERNET PRIVACY - We continue our series listing the regulatory-privacy
examination questions. When you answer the question each week, you will
help ensure compliance with the privacy regulations.
Initial Privacy Notice
5) When the subsequent delivery of a privacy notice is
permitted, does the institution provide notice after establishing a
customer relationship within a reasonable time? [§4(e)]