February 16, 2003

FYI - Banker Version of "EDIE" - the Electronic Deposit Insurance Estimator - Now Available to Download From the FDIC's Web site - The FDIC is releasing the new banker version of EDIE in a downloadable format that financial institutions may load directly onto their networks. www.fdic.gov/news/news/financial/2003/fil0310.html

Editor's comment - You may wish to link to this site from your web site.
FYI - Pair who hacked court get 9 years - Former computer consultant tried to dismiss pending cases - Two hackers who broke into Riverside County, Calif., court computers and electronically dismissed a variety of pending cases pleaded guilty to the crime Friday. Both William Grace and Brandon Wilson were sentenced to nine years in jail after pleading guilty to 72 counts of illegally entering a computer system and editing data, along with seven counts of conspiracy to commit extortion. http://www.msnbc.com/news/870163.asp?0dm=C17LT

Editor's comment - This points out the importance of changing passwords and doing proper due diligence on vendors.
FYI - A student at Boston College was indicted by a Massachusetts grand jury yesterday on charges that he surreptitiously installed keystroke-monitoring software on campus computers, then used the software to steal personal information from more than 4,000 individuals who used the machines. http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,78319,00.html
FYI - A former Viewsonic Corp. employee was arrested Thursday and charged with sabotaging company computers after he was fired last year. A federal indictment made public Thursday charges 39-year-old Andy Garcia Montebello with crippling the company's Taiwan offices for three days last April, causing $100,000 in damage and costing the company $1 million in business. http://www.msnbc.com/news/869572.asp?0dm=T238T

Editor's comment - This is one reason why there should be a formal policy for employees who leave your institution for any reason.
FYI - U.S. Treasury to Reinstate USA PATRIOT Act Section 314(a) Information Requests - On November 26, 2002, the Treasury Department announced a brief moratorium on information requests related to Section 314(a) of the USA PATRIOT Act. Section 314(a) authorizes law enforcement authorities to communicate with banking organizations and financial institutions about suspected money launderers and terrorists. www.federalreserve.gov/BoardDocs/srletters/2003/sr0303.htm
www.ncua.gov/news/press_releases/2003/NR03-0211-2.htm
FYI - Firms' hacking-related insurance costs soar - Computer worms and viruses cost companies time and cleanup costs - and now higher insurance premiums. http://www.usatoday.com/money/industries/technology/2003-02-09-hacker_x.htm
INTERNET COMPLIANCE - Flood Disaster Protection Act

The regulation implementing the National Flood Insurance Program requires a financial institution to notify a prospective borrower and the servicer that the structure securing the loan is located or to be located in a special flood hazard area. The regulation also requires that a notice of the servicer's identity be delivered to the insurance provider. While the regulation addresses electronic delivery to the servicer and to the insurance provider, it does not address electronic delivery of the notice to the borrower.
INTERNET SECURITY - We continue our coverage of the FDIC's "Guidance on Managing Risks Associated With Wireless Networks and Wireless Customer Access."
PART I. Risks Associated with Wireless Internal Networks

Financial institutions are evaluating wireless networks as an alternative to the traditional cable-to-the-desktop network. Currently, wireless networks can provide speeds of up to 11 Mbps between the workstation and the wireless access device without the need for cabling individual workstations. Wireless networks also offer added mobility, allowing users to travel through the facility without losing their network connection. Wireless networks are also being used to provide connectivity between geographically close locations as an alternative to installing dedicated telecommunication lines.
Wireless differs from traditional hard-wired networking in that it provides connectivity to the network by broadcasting radio signals through the airways. Wireless networks operate using a set of FCC-licensed frequencies to communicate between workstations and wireless access points. By installing wireless access points, an institution can expand its network to include workstations within broadcast range of the network access point.
The most prevalent class of wireless networks currently available is based on the IEEE 802.11b wireless standard. The standard is supported by a variety of vendors for both network cards and wireless network access points. The wireless transmissions can be encrypted using "Wired Equivalent Privacy" (WEP) encryption. WEP is intended to provide confidentiality and integrity of data and a degree of access control over the network. By design, WEP encrypts traffic between an access point and the client. However, this encryption method has fundamental weaknesses that make it vulnerable. WEP is vulnerable to the following types of decryption attacks:

1) Decrypting information based on statistical analysis;
2) Injecting new traffic from unauthorized mobile stations based on known plain text;
3) Decrypting traffic based on tricking the access point;
4) Dictionary-building attacks that, after analyzing about a day's worth of traffic, allow real-time automated decryption of all traffic (a dictionary-building attack creates a translation table that can be used to convert encrypted information into plain text without executing the decryption routine); and
5) Attacks based on documented weaknesses in the RC4 encryption algorithm that allow an attacker to rapidly determine the encryption key used to encrypt the user's session.
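Editor's added illustration (not part of the FDIC guidance or any vendor's code) of why the weaknesses above exist and how quickly they become practical on a busy link. WEP encrypts each frame with RC4 keyed by a 24-bit initialization vector (IV) sent in the clear plus the shared key, so any two frames that share an IV under the same key are encrypted with the identical keystream. The script quantifies IV exhaustion and the birthday-style collision probability for 24-bit IVs, and demonstrates the keystream-reuse effect with a constructed keystream in place of RC4. The 900 frames/second traffic model and all plaintexts are constructed assumptions; no key recovery is performed.

```python
"""Why WEP's 24-bit IV is the weak point (added editor's example, not FDIC text).

Every WEP frame is encrypted with RC4 keyed by (24-bit IV || shared key), and
the IV travels in the clear. Two frames that share an IV under the same key
are encrypted with the identical keystream, which is what the statistical and
dictionary-building attacks in the guidance rely on. This script quantifies
how fast that happens and shows the keystream-reuse effect with a constructed
keystream (no RC4, no key recovery).
"""
import math
import random

IV_BITS = 24                 # WEP IV size fixed by the 802.11 standard
IV_SPACE = 2 ** IV_BITS      # 16,777,216 possible IVs


def iv_exhaustion_seconds(frames_per_second: float, iv_bits: int = IV_BITS) -> float:
    """Seconds until an access point that increments IVs sequentially wraps around."""
    return (2 ** iv_bits) / frames_per_second


def iv_collision_probability(n_frames: int, iv_bits: int = IV_BITS) -> float:
    """Birthday-bound probability that at least two of n randomly chosen IVs collide.

    Uses the standard approximation 1 - exp(-n(n-1) / (2N)). Drivers that pick
    IVs at random, or reset them to zero on power-up, see collisions far sooner
    than a full sequential sweep would suggest.
    """
    n_space = 2 ** iv_bits
    return 1.0 - math.exp(-n_frames * (n_frames - 1) / (2.0 * n_space))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings (the stream-cipher operation)."""
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leak(p1: bytes, p2: bytes, keystream: bytes) -> bytes:
    """Encrypt two plaintexts with the same keystream and return c1 XOR c2.

    The result equals p1 XOR p2: the keystream cancels out, so an observer who
    knows one plaintext (e.g. a fixed protocol header) learns the other. This is
    the "known plain text" weakness listed in the guidance, and the reason the
    IV must never repeat under one key.
    """
    c1 = xor_bytes(p1, keystream)
    c2 = xor_bytes(p2, keystream)
    return xor_bytes(c1, c2)


def risk_summary(frames_per_second: float = 900.0) -> dict:
    """Constructed traffic model: ~900 frames/s is a saturated 11 Mbps link with 1500-byte frames."""
    hours_to_wrap = iv_exhaustion_seconds(frames_per_second) / 3600.0
    return {
        "hours_until_iv_wrap": round(hours_to_wrap, 1),
        "p_collision_after_5000_frames": round(iv_collision_probability(5000), 3),
        "p_collision_after_1_minute": round(
            iv_collision_probability(int(60 * frames_per_second)), 3),
    }


if __name__ == "__main__":
    print(risk_summary())
    # Constructed demo values; the random bytes stand in for RC4 keystream output.
    ks = random.Random(2003).randbytes(16)
    p1 = b"LOGIN user=alice"
    p2 = b"LOGIN user=bob  "
    print(keystream_reuse_leak(p1, p2, ks) == xor_bytes(p1, p2))  # True: keystream cancels
```

On the assumed 900 frames/second link the sequential IV space wraps in roughly five hours, well inside the "about a day's worth of traffic" the guidance cites, and with randomly chosen IVs the first collision is more likely than not after only about 5,000 frames. The practical takeaway for an institution is that WEP cannot be made safe by key length or by rotating keys daily; the IV design itself guarantees keystream reuse, so wireless segments should be treated as untrusted and protected by a stronger layer above the link.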
PRIVACY - We continue our coverage of the various issues in the "Privacy of Consumer Financial Information" published by the financial regulatory agencies.

The Exceptions

Exceptions to the opt out right are detailed in sections 13, 14, and 15 of the regulations. Financial institutions need not comply with opt-out requirements if they limit disclosure of nonpublic personal information:

1) To a nonaffiliated third party to perform services for the financial institution or to function on its behalf, including marketing the institution's own products or services or those offered jointly by the institution and another financial institution. The exception is permitted only if the financial institution provides notice of these arrangements and by contract prohibits the third party from disclosing or using the information for other than the specified purposes. In a contract for a joint marketing agreement, the contract must provide that the parties to the agreement are jointly offering, sponsoring, or endorsing a financial product or service. However, if the service or function is covered by the exceptions in section 14 or 15 (discussed below), the financial institution does not have to comply with the additional disclosure and confidentiality requirements of section 13. Disclosure under this exception could include the outsourcing of marketing to an advertising company. (Section 13)

2) As necessary to effect, administer, or enforce a transaction that a consumer requests or authorizes, or under certain other circumstances relating to existing relationships with customers. Disclosures under this exception could be in connection with the audit of credit information, administration of a rewards program, or to provide an account statement. (Section 14)

3) For specified other disclosures that a financial institution normally makes, such as to protect against or prevent actual or potential fraud; to the financial institution's attorneys, accountants, and auditors; or to comply with applicable legal requirements, such as the disclosure of information to regulators. (Section 15)