Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, visit http://www.internetbankingaudits.com/.
FYI -
GAO - U.S. Postal Service Needs to Strengthen System Acquisition and
Management Capabilities to Improve Its Intelligent Mail® Full
Service Program.
Release -
http://www.gao.gov/new.items/d10145.pdf
Highlights -
http://www.gao.gov/highlights/d10145high.pdf
FYI -
Obama Wants Computer Privacy Ruling Overturned - The Obama
administration is seeking to reverse a federal appeals court
decision that dramatically narrows the government's
search-and-seizure powers in the digital age.
http://www.wired.com/threatlevel/2009/11/obama-wants-computer-privacy-ruling-overturned/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
Thousands of Wis. hospital patients at risk after laptop theft - A
laptop containing the personal information of thousands of patients
of Aurora St. Luke's Medical Center in Milwaukee, Wis. was recently
stolen.
http://www.scmagazineus.com/thousands-of-wis-hospital-patents-at-risk-after-laptop-theft/article/158660/?DCMP=EMC-SCUS_Newswire
FYI -
Restaurants Sue Vendors After Point-of-sale Hack - When Keith Bond
bought a computerized cash register system for his Broussard,
Louisiana, restaurant, he thought he was modernizing his restaurant.
Today, he believes he was unwittingly opening a back door for
Romanian hackers who have now cost him more than US$50,000.
http://www.pcworld.com/businesscenter/article/183499/restaurants_sue_vendors_after_pointofsale_hack.html?tk=nl_dnx_t_crawl
FYI -
Hackers attempt to take $1.3 million from D.C. firm - It has been a
while since I've written about online banking fraud against small to
mid-sized businesses, but I assure you the criminals perpetrating
these attacks have been busier than ever. In fact, from more than a
dozen incidents I've been investigating lately, the attackers for
whatever reason now appear to be focusing heavily on property
management and real estate firms, and title companies.
http://voices.washingtonpost.com/securityfix/2009/11/hackers_hit_wash_dc_firm_for_1.html
FYI -
Lost Royal Navy memory stick reportedly contained information on
manoeuvres and UK personnel - A memory stick that contained
'restricted' information on naval manoeuvres and personnel around
the UK was reported missing last week.
http://www.scmagazineuk.com/lost-royal-navy-memory-stick-reportedly-contained-information-on-manoeuvres-and-uk-personnel/article/158595/
FYI -
Skim versus hack: Council still in the dark - Auckland City says it
still doesn't know how carpark systems were compromised - Auckland
City is referring all enquiries about how its carparking systems
were compromised, leading to the reissue of thousands of credit
cards, to Westpac, which is leading the investigation into the
incident.
http://computerworld.co.nz/news.nsf/scrt/7E178E15FC9F7306CC25767A000E4A3E
WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Banking Supervision.
Sound Authorization Practices for E-Banking Applications
1. Specific authorization and access privileges should be
assigned to all individuals, agents or systems, which conduct
e-banking activities.
2. All e-banking systems should be constructed to ensure that they
interact with a valid authorization database.
3. No individual, agent or system should have the authority to change
its own authority or access privileges in an e-banking authorization
database.
4. Any addition of an individual, agent or system or changes to
access privileges in an e-banking authorization database should be
duly authorized by an authenticated source empowered with the
adequate authority and subject to suitable and timely oversight and
audit trails.
5. Appropriate measures should be in place in order to make
e-banking authorization databases reasonably resistant to tampering.
Any such tampering should be detectable through ongoing monitoring
processes. Sufficient audit trails should exist to document any such
tampering.
6. Any e-banking authorization database that has been tampered with
should not be used until replaced with a validated database.
7. Controls should be in place to prevent changes to authorization
levels during e-banking transaction sessions and any attempts to
alter authorization should be logged and brought to the attention of
management.
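The seven practices above describe an authorization store with four enforceable properties: no self-service privilege changes (practice 3), changes only by an authenticated and empowered actor with a full audit trail (practice 4), tamper evidence on the table itself with refusal to serve a tampered copy (practices 5 and 6), and privileges frozen for the life of a session with mid-session changes raised to management (practice 7). The following is an added example that is not code from the Basel paper or from this newsletter; it uses an HMAC seal over the privilege table and a hash-chained audit log. The MAC key (which a real deployment would hold in an HSM or key management service), the principal names and the privilege names are assumptions.

```python
# Authorization database modelled on the practices above: added example,
# not code from the Basel paper or this newsletter. The MAC key and the
# principal/privilege names are assumptions.
import hashlib
import hmac
import json


class AuthorizationError(Exception):
    pass


class TamperDetected(Exception):
    pass


def _digest(record: dict) -> str:
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()


class AuthorizationDatabase:
    """Principal -> privilege set, sealed with an HMAC (practice 5) and
    backed by a hash-chained audit trail (practice 4)."""

    def __init__(self, mac_key: bytes, bootstrap_admin: str):
        self._key = mac_key
        self._privs = {bootstrap_admin: {"manage_authz"}}
        self._audit = []
        self._prev_hash = "0" * 64
        self.alerts = []
        self._seal = self._mac()
        self._record("bootstrap", "create", bootstrap_admin, "manage_authz")

    def _mac(self) -> bytes:
        table = {p: sorted(s) for p, s in sorted(self._privs.items())}
        return hmac.new(self._key, json.dumps(table).encode(), hashlib.sha256).digest()

    def verify(self) -> bool:
        """Practice 5: any edit that bypasses grant() breaks the seal."""
        return hmac.compare_digest(self._mac(), self._seal)

    def _record(self, actor, action, target, privilege):
        entry = {"actor": actor, "action": action, "target": target,
                 "privilege": privilege, "prev": self._prev_hash}
        entry["hash"] = _digest(entry)
        self._audit.append(entry)
        self._prev_hash = entry["hash"]

    def audit_trail_intact(self) -> bool:
        prev = "0" * 64
        for e in self._audit:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def privileges_of(self, principal: str) -> frozenset:
        if not self.verify():  # practice 6: never serve a tampered table
            raise TamperDetected("seal mismatch; restore a validated copy")
        return frozenset(self._privs.get(principal, ()))

    def grant(self, actor, target, privilege, actor_authenticated):
        """Practices 3 and 4: no self-service; only an authenticated,
        empowered actor may change the table; denials are logged as well."""
        if actor == target:
            self._record(actor, "denied-self-grant", target, privilege)
            raise AuthorizationError(f"{actor} may not change own privileges")
        if not actor_authenticated or "manage_authz" not in self.privileges_of(actor):
            self._record(actor, "denied-grant", target, privilege)
            raise AuthorizationError(f"{actor} is not empowered to manage authorizations")
        self._privs.setdefault(target, set()).add(privilege)
        self._seal = self._mac()
        self._record(actor, "grant", target, privilege)


class Session:
    """Practice 7: privileges are frozen at session start; a change seen
    mid-session is not honoured and is raised as an alert for management."""

    def __init__(self, db: AuthorizationDatabase, principal: str):
        self.db, self.principal = db, principal
        self.snapshot = db.privileges_of(principal)

    def can(self, privilege: str) -> bool:
        live = self.db.privileges_of(self.principal)
        if live != self.snapshot:
            self.db.alerts.append(f"{self.principal}: privileges changed in-session "
                                  f"{sorted(self.snapshot)} -> {sorted(live)}")
        return privilege in self.snapshot


def demo() -> dict:
    db = AuthorizationDatabase(b"hsm-held-mac-key", bootstrap_admin="sec_officer")
    db.grant("sec_officer", "teller1", "view_balances", actor_authenticated=True)
    session = Session(db, "teller1")
    r = {"teller_can_view": session.can("view_balances")}
    try:
        db.grant("teller1", "teller1", "approve_wires", actor_authenticated=True)
        r["self_grant_blocked"] = False
    except AuthorizationError:
        r["self_grant_blocked"] = True
    db.grant("sec_officer", "teller1", "approve_wires", actor_authenticated=True)
    r["wires_in_session"] = session.can("approve_wires")  # snapshot still rules
    r["alerted"] = len(db.alerts) == 1
    r["audit_intact"] = db.audit_trail_intact()
    db._privs.setdefault("attacker", set()).add("manage_authz")  # out-of-band edit
    try:
        db.privileges_of("attacker")
        r["tamper_detected"] = False
    except TamperDetected:
        r["tamper_detected"] = True
    db._audit[1]["action"] = "revoke"  # rewriting history breaks the chain
    r["audit_tamper_detected"] = not db.audit_trail_intact()
    return r
```

Two design points worth noting. The seal is recomputed only inside `grant()`, so a database administrator editing the backing store directly (the case practice 5 is about) leaves a table whose MAC no longer matches, and `privileges_of()` refuses to answer until a validated copy is restored. The session snapshot means an attacker who does obtain a privilege change mid-session gains nothing until re-authentication, and the change is surfaced in `alerts` rather than silently taking effect.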
INFORMATION TECHNOLOGY SECURITY -
We continue our coverage of the FDIC's "Guidance on Managing Risks Associated With Wireless Networks and Wireless Customer Access."
PART I. Risks Associated with Wireless Internal Networks
Financial institutions are evaluating wireless networks as an
alternative to the traditional cable to the desktop network.
Currently, wireless networks can provide speeds of up to 11Mbps
between the workstation and the wireless access device without the
need for cabling individual workstations. Wireless networks also
offer added mobility allowing users to travel through the facility
without losing their network connection. Wireless networks are also
being used to provide connectivity between geographically close
locations as an alternative to installing dedicated
telecommunication lines.
Wireless differs from traditional hard-wired networking in that it
provides connectivity to the network by broadcasting radio signals
through the air. Wireless networks operate in FCC-regulated,
license-exempt frequency bands (the 2.4 GHz band for 802.11b) to
communicate between workstations and wireless access points. By
installing wireless access points, an institution can expand its network
to include any workstation within broadcast range of the access point.
That range is not bounded by the institution's walls, so the same
property that removes cabling also exposes the network to anyone nearby.
The most prevalent class of wireless networks currently available is
based on the IEEE 802.11b wireless standard. The standard is
supported by a variety of vendors for both network cards and
wireless network access points. The wireless transmissions can be
encrypted using "Wired Equivalent Privacy" (WEP)
encryption. WEP is intended to provide confidentiality and integrity
of data and a degree of access control over the network. By design,
WEP encrypts traffic between an access point and the client.
However, this encryption method has fundamental weaknesses that make
it vulnerable. WEP is vulnerable to the following types of
decryption attacks:
1) Decrypting information based on statistical analysis;
2) Injecting new traffic from unauthorized mobile stations based on
known plain text;
3) Decrypting traffic based on tricking the access point;
4) Dictionary-building attacks that, after analyzing about a day's
worth of traffic, allow real-time automated decryption of all traffic
(a dictionary-building attack creates a translation table that can be
used to convert encrypted information into plain text without
executing the decryption routine); and
5) Attacks based on documented weaknesses in the RC4 encryption
algorithm that allow an attacker to rapidly determine the encryption
key used to encrypt the user's session.
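Attacks 2 and 4 in the list above share one root cause: WEP keys RC4 with a 24-bit IV prepended to the shared secret, the IV is sent in the clear, and the integrity check (ICV) is a plain CRC-32 over the payload that anyone can compute. Once an attacker knows the plaintext of a single frame for a given IV, XOR recovers that IV's keystream; the keystream decrypts every later frame sent under the same IV (the "translation table" of attack 4) and lets the attacker forge a frame with a valid ICV without ever learning the key (attack 2). The following is an added example, not code from the FDIC guidance or this newsletter, that implements a WEP-style frame and both sides of the keystream-reuse attack. The 40-bit key, the IV, and the frame contents are constructed for the demonstration; the ICV byte order is taken as little-endian here. WEP has since been deprecated in favour of WPA2/WPA3 precisely because of this class of weakness.

```python
# WEP keystream-reuse demonstration: added example, not from the FDIC
# guidance or this newsletter. Key, IV and frame contents are constructed.
import struct
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (key scheduling + keystream), the cipher WEP wraps."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def _icv(payload: bytes) -> bytes:
    # WEP integrity check: plain CRC-32, so anyone can compute it for any payload
    return struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)


def wep_encrypt(wep_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Frame body: 3-byte IV in the clear, then RC4(IV || key) over payload || ICV."""
    assert len(iv) == 3
    return iv + rc4(iv + wep_key, payload + _icv(payload))


def wep_decrypt(wep_key: bytes, frame: bytes):
    """Returns (payload, icv_ok) as the access point would see it."""
    iv, body = frame[:3], frame[3:]
    plain = rc4(iv + wep_key, body)
    payload, icv = plain[:-4], plain[-4:]
    return payload, icv == _icv(payload)


# --- attacker side: no knowledge of wep_key from here on ----------------------
def recover_keystream(frame: bytes, known_payload: bytes) -> bytes:
    """One known plaintext (e.g. a predictable ARP/DHCP frame) gives the
    keystream for that IV: ciphertext XOR (payload || ICV)."""
    iv, body = frame[:3], frame[3:]
    known = known_payload + _icv(known_payload)
    return bytes(c ^ p for c, p in zip(body, known))


def decrypt_with_dictionary(dictionary: dict, frame: bytes):
    """Attack 4: IV -> keystream table decrypts without the key or RC4."""
    iv, body = frame[:3], frame[3:]
    ks = dictionary.get(iv)
    if ks is None or len(ks) < len(body):
        return None  # IV not yet harvested, or frame longer than known keystream
    return bytes(c ^ k for c, k in zip(body, ks))[:-4]


def forge_frame(dictionary: dict, iv: bytes, payload: bytes) -> bytes:
    """Attack 2: inject chosen traffic under a harvested IV with a valid ICV."""
    ks = dictionary[iv]
    body = payload + _icv(payload)
    assert len(body) <= len(ks), "need a longer known frame for this IV"
    return iv + bytes(p ^ k for p, k in zip(body, ks))


def demo():
    key = bytes.fromhex("0123456789")         # constructed 40-bit WEP key
    iv = b"\x00\x00\x01"                      # only 2^24 IVs: reuse is inevitable
    known = b"ARP_REQUEST_WHO_HAS_10.0.0.1"   # constructed; attacker knows it
    secret = b"PIN=4321 ACCT=00112233 OK"     # constructed; sent under same IV
    frame_known = wep_encrypt(key, iv, known)
    frame_secret = wep_encrypt(key, iv, secret)
    dictionary = {iv: recover_keystream(frame_known, known)}
    recovered = decrypt_with_dictionary(dictionary, frame_secret)
    forged = forge_frame(dictionary, iv, b"HOSTILE_PAYLOAD_TO_INJECT")
    return recovered, wep_decrypt(key, forged)
```

`demo()` returns the recovered secret payload and the access point's verdict on the forged frame, which it accepts as genuine. Harvesting proceeds one IV at a time, which is why the guidance speaks of "about a day's worth of traffic": a busy access point cycles through the 24-bit IV space in hours, after which the table covers every IV it will ever use.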
IT SECURITY QUESTION:
The IT security question has been discontinued. We have developed The Weekly IT Security Review, a weekly email that allows IT personnel to continuously review their IT operations THROUGHOUT THE YEAR. The Weekly IT Security Review can also be used by auditors, IT security officers, and management.
INTERNET PRIVACY - We continue our series listing the regulatory privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
40. Does the institution provide at least one initial, annual, and revised notice, as applicable, to joint consumers? [§9(g)]