R. Kinney Williams - Yennik, Inc.®
R. Kinney Williams
Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

January 11, 2015

ewsletter Content FFIEC IT Security Web Site Audits
Web Site Compliance
NIST Handbook
Penetration Testing
Does Your Financial Institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b) The penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FYI - Examiner caused Palm Springs credit union breach, NCUA IG to investigate - In what might be viewed as a wee bit of irony, it seems a regulator caused a data breach that National Credit Union Association (NCUA) Inspector General James Hagen now says his office will investigate. http://www.scmagazine.com/ncua-examiner-responsible-for-missing-thumb-drive/article/390455/

FYI - Researchers investigate, suggest fired employees assisted in Sony hack - researchers are saying that one or more former employees may have aided in the massive hack of Sony. http://www.scmagazine.com/one-or-more-former-employees-may-have-aided-in-hack/article/390385/

FYI - Gogo caught using fake Google SSL certificates - Flyers who don't want their data intercepted by Gogo LLC, or unnecessarily fall into the hands of law enforcement, might want to reconsider using the inflight WiFi service after it was found to be using fake Google SSL certificates. http://www.scmagazine.com/inflight-wifi-companys-mitm-attack-outed-by-google-engineer/article/391237/

FYI - Former HHS cybersecurity director gets 25 years - A former cybersecurity official at the U.S. Department of Health and Human Services has been sentenced to 25 years in prison for his role in .. http://www.scmagazine.com/hhs-cybersecurity-official-was-nabbed-in-fbi-child-porn-investigation/article/391203/

FYI - Researchers teach security master class at Oregon State - Over the next 10 weeks, analysts at McAfee Labs will teach a master class on cyber security at Oregon State University, which will cover everything from malware research, to mobile threats, incident response, and other topics. http://www.scmagazine.com/master-class-covers-malware-research-incident-response/article/391090/

FYI - Pro-Russian group claims it hacked German Chancellor website - The website of German Chancellor Angela Merkel, in addition to other German government sites, became unavailable Wednesday to visitors as a result of a cyber attack. http://www.scmagazine.com/pro-russian-group-claims-it-hacked-german-chancellor-website/article/391343/

FYI - Moonpig vulnerability exposes customers' personal information - Moonpig, a customizable greeting card company, had 3 million customers' personal information exposed after a developer detailed a security vulnerability online. http://www.scmagazine.com/developer-details-security-flaw-in-moonpig-site/article/391238/

FYI - Former CBS reporter claims gov't hacked computer, sues for $35M - An ex-CBS reporter is suing the federal government for $35 million, claiming that the feds hacked into her computer. http://www.scmagazine.com/former-cbs-reporter-claims-govt-hacked-computer-sues-for-35m/article/391675/


FYI - Chick-fil-A investigates possible POS breach - Chick-fil-A has joined forces with law enforcement authorities and IT security experts to investigate a possible breach of its point-of-sale (POS) payment system after a number of financial institutions in the U.S. detected a fraud activity on payment cards used at the restaurant chain.

FYI - UGA computer network hacked, Georgia Tech student indicted - A Georgia Tech (GT) student has been indicted after allegedly hacking into the University of Georgia (UGA) computer network prior to a rivalry football game and posting a message on the UGA online calendar. http://www.scmagazine.com/uga-computer-network-hacked-georgia-tech-student-indicted/article/390471/

FYI - Morgan Stanley employee fired for stealing data on 350K clients, reports say - Multinational financial services corporation Morgan Stanley has fired a financial adviser who stole data on 350,000 clients. http://www.scmagazine.com/account-names-numbers-transaction-data-posted-on-internet/article/390984/

FYI - Bitcoin exchange Bitstamp goes offline following possible breach - Bitstamp, a major Bitcoin exchange, went offline on Monday after the service discovered that one of its operational wallets was possibly compromised, according to a notice on the site. http://www.scmagazine.com/bitstamp-goes-offline-in-cautionary-move/article/390908/

FYI - Attempted access to Fast Forward Academy systems puts data at risk - Florida-based exam preparation company Fast Forward Academy is notifying an undisclosed number of individuals that an unauthorized person attempted to access its systems, which store partner and customer information. http://www.scmagazine.com/attempted-access-to-fast-forward-academy-systems-puts-data-at-risk/article/390923/

FYI - Medical File Hack Affected Nearly Half a Million Postal Workers - Network intruders compromised health information on current and former U.S. Postal Service employees who filed for workers’ compensation, USPS officials say.

FYI - NVIDIA Corporate Network Breached - Over the winter holidays people were concerning themselves with family gatherings, the exchange of presents and even some reading on the soap opera that has blossomed from the Sony Pictures breach. http://www.forbes.com/sites/davelewis/2014/12/29/nvidia-corporate-network-breached/

FYI - Call center suspends workers in Northern Ireland over possible breach - Dozens of call center workers in Londonderry, Northern Ireland, have been suspended and are being investigated in a potential data breach. http://www.scmagazine.com/call-center-suspends-workers-in-northern-ireland-over-possible-breach/article/391071/

FYI - Stolen DJO Global laptop contained patient data - California-based medical device company DJO Global is notifying an undisclosed number of individuals that a laptop computer containing some personal patient information was stolen from a locked car belonging to a DJO consultant. http://www.scmagazine.com/stolen-djo-global-laptop-contained-patient-data/article/391181/

FYI - Malicious code on ID Parts website, credit card data of 12K customers stolen - Massachusetts-based automotive parts seller ID Parts is notifying roughly 12,000 individuals that malicious code was inserted into the functions that process customer payment information on the ID Parts website, and their credit card information was stolen. http://www.scmagazine.com/malicious-code-on-id-parts-website-credit-card-data-of-12k-customers-stolen/article/391592/

Return to the top of the newsletter

We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

Sound Audit Trail Practices for E-Banking Systems

1. Sufficient logs should be maintained for all e-banking transactions to help establish a clear audit trail and assist in dispute resolution.

2. E-banking systems should be designed and installed to capture and maintain forensic evidence in a manner that maintains control over the evidence, and prevents tampering and the collection of false evidence.

3. In instances where processing systems and related audit trails are the responsibility of a third-party service provider:

a)   The bank should ensure that it has access to relevant audit trails maintained by the service provider.

b)   Audit trails maintained by the service provider meet the bank's standards.

Return to the top of the newsletter

We continue our series on the FFIEC interagency Information Security Booklet.  


Operational Anomalies

Operational anomalies may be evidence of a broad number of issues, one of which is potential intrusion. Anomalies that act as intrusion-warning indicators fall into two categories, those apparent in system processing, and those apparent outside the system.

System processing anomalies are evident in system logs and system behavior. Good identification involves pre-establishing which system processing data streams will be monitored for anomalies, defining which anomalies constitute an indicator of an intrusion, and the frequency of the monitoring. For example, remote access logs can be reviewed daily for access during unusual times. Other logs can be reviewed on other regular cycles for other unusual behaviors. System behavior covers a broad range of issues, from CPU utilization to network traffic protocols, quantity and destinations. One example of a processing anomaly is CPU utilization approaching 100% when the scheduled jobs typically require much less. Anomalous behavior, however, may not signal an intrusion.

Outside the system, detection is typically based on system output, such as unusual Automated Clearing House transactions or bill payment transactions. Those unusual transactions may be flagged as a part of ordinary transaction reviews, or customers and other system users may report them. Customers and other users should be advised as to where and how to report anomalies. The anomalous output, however, may not signal an intrusion.

Central reporting and analysis of all IDS output, honeypot monitoring, and anomalous system behavior assists in the intrusion identification process. Any intrusion reporting should use out-of-band communications mechanisms to protect the alert from being intercepted or compromised by an intruder.

Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.


19.1.3 Hybrid Cryptographic Systems
Secret key systems are often used for bulk data encryption and public key systems for automated key distribution.

Public and secret key cryptography have relative advantages and disadvantages. Although public key cryptography does not require users to share a common key, secret key cryptography is much faster: equivalent implementations of secret key cryptography can run 1,000 to 10,000 times faster than public key cryptography.

To maximize the advantages and minimize the disadvantages of both secret and public key cryptography, a computer system can use both types in a complementary manner, with each performing different functions. Typically, the speed advantage of secret key cryptography means that it is used for encrypting data. Public key cryptography is used for applications that are less demanding to a computer system's resources, such as encrypting the keys used by secret key cryptography (for distribution) or to sign messages.

19.1.4 Key Escrow

Because cryptography can provide extremely strong encryption, it can thwart the government's efforts to lawfully perform electronic surveillance. For example, if strong cryptography is used to encrypt a phone conversation, a court-authorized wiretap will not be effective. To meet the needs of the government and to provide privacy, the federal government has adopted voluntary key escrow cryptography. This technology allows the use of strong encryption, but also allows the government when legally authorized to obtain decryption keys held by escrow agents. NIST has published the Escrowed Encryption Standard as FIPS 185. Under the federal government's voluntary key escrow initiative, the decryption keys are split into parts and given to separate escrow authorities. Access to one part of the key does not help decrypt the data; both keys must be obtained.


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated