Does Your Financial Institution need an affordable Internet security audit? Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
REMINDER - This newsletter is available for Android smart phones and tablets. Go to the Market Store and search for yennik.
FYI
- President’s tech council plays sad trombone for federal
cybersecurity - Report finds that government "rarely follows
accepted best practices." - The President's Council of Advisors on
Science and Technology (PCAST) released a report on the state of the
nation's cybersecurity today. The report's first finding: the US
government is terrible at cybersecurity.
http://arstechnica.com/information-technology/2013/11/presidents-tech-council-plays-sad-trombone-for-federal-cyber-security/
FYI
- Microsoft, HURTING after NSA backdooring, vows to now harden its
pipe - Snooping on private messages 'breach of the 4th Amendment' -
Microsoft is scrambling to encrypt its data centers' interlinks -
after a fresh Snowden leak suggested the NSA and GCHQ tapped into
the cables and intercepted sensitive network traffic.
http://www.theregister.co.uk/2013/11/27/microsoft_encryption_nsa_spying/
FYI
- 'Neverquest' trojan threatens online banking users - Attackers
could start to aggressively distribute this malware in the near
future - A new Trojan program that targets users of online financial
services has the potential to spread very quickly over the next few
months, security researchers warn.
http://www.computerworld.com/s/article/9244374/_Neverquest_trojan_threatens_online_banking_users?taxonomyId=17
FYI
- U.S. government settles software piracy case - The Army used
thousands more copies of a system than what they paid for, and tried
to hack the software to get around the licenses, the software
company alleges. The government is paying $50 million to make the
case go away.
http://www.zdnet.com/u-s-government-settles-software-piracy-case-7000023804/
FYI
- U.S. data breach notification laws likely to remain state-by-state
- Constantly updating technology coupled with the dynamic and
evolving nature of data breaches may be stalling notification laws
from becoming uniform across the United States.
http://www.scmagazine.com/us-data-breach-notification-laws-likely-to-remain-state-by-state/article/323538/?DCMP=EMC-SCUS_Newswire&spMailingID=7512259&spUserID=MjI5OTI3MzMyMQS2&spJobID=102563786&spReportId=MTAyNTYzNzg2S0
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- European Parliament's network hacked; public Wi-Fi shutdown - The news comes not long after leaked documents showed the NSA was bugging and spying on EU offices around the world. But the U.S. agency can likely be ruled out as a suspect in this latest hack, following reports from German media.
http://www.zdnet.com/european-parliaments-network-hacked-public-wi-fi-network-shutdown-7000023733/
FYI
- Funds of RBS customers unavailable during Cyber Monday glitch - A system failure hitting The Royal Bank of Scotland (RBS) on Cyber Monday kept more than 1 million UK customers from making online purchases, withdrawing money from ATM machines or carrying out other transactions via online and mobile banking.
http://www.scmagazine.com/funds-of-rbs-customers-unavailable-during-cyber-monday-glitch/article/323496/?DCMP=EMC-SCUS_Newswire&spMailingID=7512259&spUserID=MjI5OTI3MzMyMQS2&spJobID=102563786&spReportId=MTAyNTYzNzg2S0
FYI
- Staffer compromises more than a thousand Pittsburgh patients - More than a thousand patients treated at a variety of University of Pittsburgh Medical Center (UPMC) locations over the past year are being notified that their personal information was viewed inappropriately by a former employee.
http://www.scmagazine.com/staffer-compromises-more-than-a-thousand-pittsburgh-patients/article/323483/?DCMP=EMC-SCUS_Newswire&spMailingID=7512259&spUserID=MjI5OTI3MzMyMQS2&spJobID=102563786&spReportId=MTAyNTYzNzg2S0
FYI
- More than 1,700 alerted to breach of Oregon online retailer - More than 1,700 people who made purchases with online retailer Made In Oregon are being notified that their credit card information may have been compromised in a security breach.
http://www.scmagazine.com/more-than-1700-alerted-to-breach-of-oregon-online-retailer/article/323608/?DCMP=EMC-SCUS_Newswire&spMailingID=7516582&spUserID=MjI5OTI3MzMyMQS2&spJobID=102661257&spReportId=MTAyNjYxMjU3S0
FYI
- Discovery of two million hacked credentials, '123456' is again the common password - Researchers with SpiderLabs, the advanced security team with information security company Trustwave, discovered a treasure trove of nearly two million pilfered credentials from a variety of companies, including Facebook, Google, Yahoo, Twitter, LinkedIn and payroll service provider ADP.
http://www.scmagazine.com/discovery-of-two-million-hacked-credentials-123456-is-again-the-common-password/article/324201/?DCMP=EMC-SCUS_Newswire&spMailingID=7516582&spUserID=MjI5OTI3MzMyMQS2&spJobID=102661257&spReportId=MTAyNjYxMjU3S0
http://news.cnet.com/8301-1009_3-57614479-83/researchers-discover-database-with-2m-stolen-login-credentials/?tag=nl.e757&s_cid=e757&ttag=e757&ftag=CAD2e9d5b9
FYI
- Hackers access plain text info on nearly 500K JPMorgan Chase cardholders - Banking and financial services holding company JPMorgan Chase is alerting 465,000 prepaid cash cardholders that their personal information may have been compromised by hackers.
http://www.scmagazine.com/hackers-access-plain-text-info-on-nearly-500k-jpmorgan-chase-cardholders/article/324285/?DCMP=EMC-SCUS_Newswire&spMailingID=7529275&spUserID=MjI5OTI3MzMyMQS2&spJobID=103005403&spReportId=MTAzMDA1NDAzS0
WEB SITE COMPLIANCE -
Flood Disaster Protection Act
The regulation implementing the National Flood Insurance Program
requires a financial institution to notify a prospective borrower
and the servicer that the structure securing the loan is located or
to be located in a special flood hazard area. The regulation also
requires a notice of the servicer's identity be delivered to the
insurance provider. While the regulation addresses electronic
delivery to the servicer and to the insurance provider, it does not
address electronic delivery of the notice to the borrower.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION - Biometrics (Part 2 of 2)
Weaknesses in biometric systems relate to the ability of an attacker
to submit false physical characteristics, or to take advantage of
system flaws to make the system erroneously report a match between
the characteristic submitted and the one stored in the system. In
the first situation, an attacker might submit to a thumbprint
recognition system a copy of a valid user's thumbprint. The control
against this attack involves ensuring a live thumb was used for the
submission. That can be done by physically controlling the thumb
reader, for instance having a guard at the reader to make sure no
tampering or fake thumbs are used. In remote entry situations,
logical liveness tests can be performed to verify that the submitted
data is from a live subject.
Attacks that involve making the system falsely deny or accept a
request take advantage of either the low degrees of freedom in the
characteristic being tested, or improper system tuning. Degrees of
freedom relate to measurable differences between biometric readings,
with more degrees of freedom indicating a more unique biometric.
Facial recognition systems, for instance, may have only nine degrees
of freedom while other biometric systems have over one hundred.
Similar faces may be used to fool the system into improperly authenticating an individual. Similar irises, however, are difficult to find, and even when found they are much harder to use to fool a system into improperly authenticating.
Attacks against system tuning also exist. Any biometric system has
rates at which it will falsely accept a reading and falsely reject a
reading. The two rates are inseparable; for any given system
improving one worsens the other. Systems that are tuned to maximize
user convenience typically have low rates of false rejection and
high rates of false acceptance. Those systems may be more open to
successful attack.
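The trade-off described above can be made concrete. The following is an added example (not part of the FFIEC booklet or this newsletter) that sweeps a matcher's decision threshold over constructed genuine and impostor similarity scores, computes the false acceptance and false rejection rates at each setting, and locates the equal-error operating point; the score values and the 0-100 scale are assumptions for illustration.

```python
# Added example, not from the FFIEC booklet: how a matcher's decision threshold
# trades false acceptance (FAR) against false rejection (FRR).
from typing import Iterable, List, Tuple

# Constructed sample data: similarity scores (0-100) a matcher returned for
# genuine attempts (the enrolled user) and impostor attempts.
GENUINE_SCORES = [92, 88, 85, 81, 79, 76, 74, 71, 68, 62]
IMPOSTOR_SCORES = [58, 55, 52, 49, 47, 44, 41, 37, 33, 28, 66, 70]


def false_accept_rate(impostor: List[int], threshold: int) -> float:
    """FAR: share of impostor attempts scoring at or above the threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def false_reject_rate(genuine: List[int], threshold: int) -> float:
    """FRR: share of genuine attempts scoring below the threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def tradeoff_table(genuine: List[int], impostor: List[int],
                   thresholds: Iterable[int]) -> List[Tuple[int, float, float]]:
    """(threshold, FAR, FRR) for each candidate threshold, lowest first."""
    return [(t, false_accept_rate(impostor, t), false_reject_rate(genuine, t))
            for t in thresholds]


def is_monotone_tradeoff(table: List[Tuple[int, float, float]]) -> bool:
    """Raising the threshold never raises FAR and never lowers FRR."""
    return all(far2 <= far1 and frr2 >= frr1
               for (_, far1, frr1), (_, far2, frr2) in zip(table, table[1:]))


def equal_error_threshold(genuine: List[int], impostor: List[int]) -> int:
    """Lowest threshold at which FAR and FRR are closest (the EER operating point)."""
    gaps = [(abs(false_accept_rate(impostor, t) - false_reject_rate(genuine, t)), t)
            for t in range(0, 101)]
    return min(gaps)[1]


if __name__ == "__main__":
    # A convenience-tuned system (threshold 60) accepts some impostors; a
    # security-tuned one (threshold 75) rejects some genuine users instead.
    for t, far, frr in tradeoff_table(GENUINE_SCORES, IMPOSTOR_SCORES, range(30, 95, 5)):
        print(f"threshold {t:3d}: FAR {far:.2f}  FRR {frr:.2f}")
    print("equal-error threshold:", equal_error_threshold(GENUINE_SCORES, IMPOSTOR_SCORES))
```

On the constructed scores, threshold 60 yields FAR 0.17 with FRR 0.00, while threshold 75 yields FAR 0.00 with FRR 0.40, which is the inseparability the booklet describes.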
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
22. Does the institution provide the consumer with at least one of
the following reasonable means of opting out, or with another
reasonable means:
a. check-off boxes prominently displayed on the relevant forms with
the opt out notice; [§7(a)(2)(ii)(A)]
b. a reply form included with the opt out notice; [§7(a)(2)(ii)(B)]
c. an electronic means to opt out, such as a form that can be sent
via electronic mail or a process at the institution's web site, if
the consumer agrees to the electronic delivery of information;
[§7(a)(2)(ii)(C)] or
d. a toll-free telephone number? [§7(a)(2)(ii)(D)]
(Note: the institution may require the consumer to use one specific means, as long as that means is reasonable for that consumer. [§7(a)(iv)])