R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

February 3, 2013

Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act section 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond simple port scanning.  The audit takes a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


REMINDER - This newsletter is available for Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - Putin orders Russian computers protected after spy attacks - President Vladimir Putin has ordered Russian authorities to protect state computers from hacking attacks, the Kremlin said on Monday, after an Internet security firm said a spy network had infiltrated government and embassy computers across the former Soviet bloc. http://www.reuters.com/article/2013/01/21/russia-cyber-security-putin-idINDEE90K0AZ20130121

FYI - Oracle speaks, promises to get Java "fixed up" - After a series of Java malware outbreaks that have resulted in widespread infections and earned significant criticisms from security analysts, many of whom recommended uninstalling the software altogether, Oracle appears ready to break its silence and address the concerns. http://www.scmagazine.com/oracle-speaks-promises-to-get-java-fixed-up/article/277898/?DCMP=EMC-SCUS_Newswire

FYI - Security lands Sony £250k fine for PlayStation Network hack - Leak of millions of Brits' sensitive info preventable, says ICO - Sony has been fined £250,000 ($395k) for allowing millions of UK gamers' details to be spilled online by PlayStation Network hackers. http://www.theregister.co.uk/2013/01/24/sony_psn_breach_fine/

FYI - Exposure of files on unsecured wireless no excuse to search, judge rules - An individual who inadvertently exposes the contents of his computer over an unsecured wireless network still has a reasonable expectation of privacy against a search of those contents by the police, a federal judge in Oregon ruled last week. http://www.computerworld.com/s/article/9236036/Exposure_of_files_on_unsecured_wireless_no_excuse_to_search_judge_rules?taxonomyId=17

FYI - Hacktivists suspend bank DDoS campaign - A group that claimed responsibility for launching distributed denial-of-service (DDoS) attacks against several U.S. bank sites suspended its campaign after an offensive anti-Muslim video was pulled offline. http://www.scmagazine.com/hacktivists-suspend-bank-ddos-campaign/article/278076/?DCMP=EMC-SCUS_Newswire

FYI - Security as the infrastructure platform of the future - January is a good time to plan. It's the start of a new year and those things that seemed so far away in December are suddenly right around the corner. http://www.scmagazine.com/security-as-the-infrastructure-platform-of-the-future/article/277890/?DCMP=EMC-SCUS_Newswire

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Stanford reports fourth HIPAA breach - Some 57,000 pediatric patients get notified - Some 57,000 patients seen at the Palo Alto, Calif.-based Lucile Packard Children's Hospital have been notified of a potential HIPAA breach after an unencrypted company laptop containing patient medical information was stolen from a physician's car Jan. 9.
http://www.healthcareitnews.com/news/fourth-hipaa-breach-involving-stanford-u
http://www.scmagazine.com/laptop-theft-at-stanford-childrens-hospital-risks-data-of-57k/article/277912/?DCMP=EMC-SCUS_Newswire

FYI - FBI turns up heat in hunt for Stuxnet leakers - Summary: The FBI and Department of Justice are scouring email and phone records of a potentially small circle of officials that knew about Stuxnet. US federal investigators are applying pressure on senior government officials suspected of leaking details about the US government's role in developing the Stuxnet malware, according to a report by the Washington Post. http://www.zdnet.com/fbi-turns-up-heat-in-hunt-for-stuxnet-leakers-7000010412/

FYI - In Swartz protest, Anon hacks U.S. site, threatens leaks - Saying "a line was crossed" with the treatment of tech activist Aaron Swartz, the group hacks a government site related to the justice system and distributes encrypted files it says it will decrypt unless demands are met. http://news.cnet.com/8301-1009_3-57566016-83/in-swartz-protest-anon-hacks-u.s-site-threatens-leaks/

FYI - New York Times breach opens anti-virus, attribution debate - Stealthy and sophisticated hackers spent four months infiltrating computer networks at The New York Times, ripping off passwords of reporters in an attempt to uncover information related to a story the newspaper wrote in October about the fortune amassed by relatives of China's prime minister, the publication disclosed in an article Wednesday. http://www.scmagazine.com/new-york-times-breach-opens-anti-virus-attribution-debate/article/278481/?DCMP=EMC-SCUS_Newswire


WEB SITE COMPLIANCE -
Guidance on Safeguarding Customers Against E-Mail and Internet-Related Fraudulent Schemes (Part 1 of 3)

E-mail and Internet-related fraudulent schemes, such as "phishing" (pronounced "fishing"), are being perpetrated with increasing frequency, creativity and intensity. Phishing involves the use of seemingly legitimate e-mail messages and Internet Web sites to deceive consumers into disclosing sensitive information, such as bank account information, Social Security numbers, credit card numbers, passwords, and personal identification numbers (PINs). The perpetrator of the fraudulent e-mail message may use various means to convince the recipient that the message is legitimate and from a trusted source with which the recipient has an established business relationship, such as a bank. Techniques such as a false "from" address or the use of seemingly legitimate bank logos, Web links and graphics may be used to mislead e-mail recipients.

In most phishing schemes, the fraudulent e-mail message will request that recipients "update" or "validate" their financial or personal information in order to maintain their accounts, and direct them to a fraudulent Web site that may look very similar to the Web site of the legitimate business. These Web sites may include copied or "spoofed" pages from legitimate Web sites to further trick consumers into thinking they are responding to a bona fide request. Some consumers will mistakenly submit financial and personal information to the perpetrator who will use it to gain access to financial records or accounts, commit identity theft or engage in other illegal acts.

The Federal Deposit Insurance Corporation (FDIC) and other government agencies have also been "spoofed" in the perpetration of e-mail and Internet-related fraudulent schemes. For example, in January 2004, a fictitious e-mail message that appeared to be from the FDIC was widely distributed, and it told recipients that their deposit insurance would be suspended until they verified their identity. The e-mail message included a hyperlink to a fraudulent Web site that looked similar to the FDIC's legitimate Web site and asked for confidential information, including bank account information.
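As an added illustration (this script is not part of the FDIC guidance above), the following Python code applies two checks that follow directly from the techniques the guidance describes: whether the "from" address belongs to one of the institution's own domains, and whether each link's visible text names a different site than the address it actually points to, which is how a spoofed page is substituted for the real one. The trusted domains (examplebank.com and fdic.gov), both sample messages, and the two-label "registered domain" shortcut are assumptions made for the example.

```python
# Added example, not from the FDIC guidance: heuristic checks for a false
# "from" address and for links whose visible text disagrees with their target.
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains the institution legitimately sends from and links to
# (hypothetical names chosen for this example).
TRUSTED_DOMAINS = {"examplebank.com", "fdic.gov"}


def registered_domain(host):
    """Crude 'registered domain': the last two DNS labels, or the bare IPv4
    literal unchanged. Real deployments should use the Public Suffix List."""
    host = host.lower().rstrip(".")
    if host.replace(".", "").isdigit():
        return host
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def host_of(text):
    """Host part of a URL, or of a bare hostname as it appears in link text."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def looks_like_url(text):
    """Visible link text that a reader would take to be a web address."""
    t = text.strip()
    return bool(t) and " " not in t and "." in host_of(t)


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text)))
            self._href = None


def analyze_message(raw):
    """Return a list of findings for one message; an empty list means none."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Technique 1: a "from" address outside the institution's own domains.
    _, addr = email.utils.parseaddr(str(msg["From"] or ""))
    from_dom = registered_domain(addr.rpartition("@")[2])
    if from_dom not in TRUSTED_DOMAINS:
        findings.append(f"sender domain {from_dom!r} is not a trusted domain")

    # Technique 2: link text that names a trusted site while the href points
    # elsewhere, or a non-URL link leading outside the trusted domains.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = AnchorCollector()
        parser.feed(body.get_content())
        for href, text in parser.anchors:
            href_dom = registered_domain(host_of(href))
            if looks_like_url(text):
                text_dom = registered_domain(host_of(text))
                if text_dom != href_dom:
                    findings.append(
                        f"link text shows {text_dom!r} but points to {href_dom!r}")
            elif href_dom not in TRUSTED_DOMAINS:
                findings.append(
                    f"link {text.strip()!r} points to untrusted {href_dom!r}")
    return findings


# Constructed sample messages (not real mail).
PHISHING_SAMPLE = """\
From: "FDIC Deposit Insurance" <alerts@fdic-verify.example>
To: customer@examplebank.com
Subject: Your deposit insurance has been suspended
Content-Type: text/html; charset="utf-8"

<html><body><p>Verify your identity at
<a href="http://www.fdic.gov.account-verify.example/login">http://www.fdic.gov/deposit/verify</a>
or <a href="http://203.0.113.7/update">update your account</a>.</p></body></html>
"""

LEGITIMATE_SAMPLE = """\
From: "Example Bank Alerts" <alerts@examplebank.com>
To: customer@examplebank.com
Subject: Statement available
Content-Type: text/html; charset="utf-8"

<html><body><p>Your statement is ready at
<a href="https://www.examplebank.com/statements">www.examplebank.com/statements</a>.</p></body></html>
"""

if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGITIMATE_SAMPLE)):
        print(name, analyze_message(sample) or "no findings")
```

The phishing sample produces three findings (untrusted sender domain, a link whose text says fdic.gov but resolves to account-verify.example, and a plain-text link to a bare IP address); the legitimate sample produces none. These are heuristics, not proof: a message that passes can still be fraudulent, and the Public Suffix List is needed for correct results on multi-label registries.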


 
INFORMATION TECHNOLOGY SECURITY -
We continue the series from the FDIC "Security Risks Associated with the Internet."

SECURITY MEASURES


Firewalls  - Description, Configuration, and Placement 


A firewall is a combination of hardware and software placed between two networks, through which all traffic, regardless of direction, must pass. When employed properly, it is a primary security measure in governing access control and protecting the internal system from compromise.

The key to a firewall's ability to protect the network is its configuration and its location within the system. Firewall products do not afford adequate security protection as purchased. They must be set up, or configured, to permit or deny the appropriate traffic. To provide the most security, the underlying rule should be to deny all traffic unless expressly permitted. This requires system administrators to review and evaluate the need for all permitted activities, as well as who may need to use them. For example, to protect against Internet protocol (IP) spoofing, data arriving from an outside network that claims to be originating from an internal computer should be denied access. Alternatively, systems could be denied access based on their IP address, regardless of the origination point. Such requests could then be evaluated based on what information was requested and where in the internal system it was requested from. For instance, incoming FTP requests may be permitted, but outgoing FTP requests denied.


Often, there is a delicate balance between what is necessary to perform business operations and the need for security. Due to the intricate details of firewall programming, the configuration should be reassessed after every system change or software update. Even if the system or application base does not change, the threats to the system do. Evolving risks and threats should be routinely monitored and considered to ensure the firewall remains an adequate security measure. If the firewall system should ever fail, the default should deny all access rather than permit the information flow to continue. Ideally, firewalls should be installed at any point where a computer system comes into contact with another network. The firewall system should also include alerting mechanisms to identify and record successful and attempted attacks and intrusions. In addition, detection mechanisms and procedures should include the generation and routine review of security logs.
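As an added illustration (this is not the FDIC's text or any vendor's firewall), the following Python model applies the rules the two paragraphs above describe: a first-match ruleset that denies everything not expressly permitted, an anti-spoofing rule that drops outside traffic claiming an inside source, incoming FTP permitted only to one designated host while outgoing FTP is denied, a log entry for every denial so the security log can be reviewed, and a fail-closed loader that denies all traffic when the configuration cannot be read. The rule syntax, the internal address range 10.10.0.0/16, the FTP host 10.10.5.21, and the sample packets are all assumptions made for the example.

```python
# Added example, not from the FDIC text: a minimal default-deny packet filter
# with anti-spoofing, direction-aware FTP rules, denial logging and fail-closed
# configuration loading. Addresses, rule format and packets are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    iface: str   # "outside" (arrived from the Internet) or "inside" (from the LAN)
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    verdict: str                                  # "permit" or "deny"
    iface: Optional[str] = None                   # None means "any"
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    dport: Optional[int] = None

    def matches(self, pkt):
        return ((self.iface is None or pkt.iface == self.iface)
                and (self.src is None or ipaddress.ip_address(pkt.src) in self.src)
                and (self.dst is None or ipaddress.ip_address(pkt.dst) in self.dst)
                and (self.dport is None or pkt.dport == self.dport))


def parse_rules(text):
    """One rule per line: '<permit|deny> [in=IFACE] [src=NET] [dst=NET] [dport=N]'.
    Any unknown field or bad value raises ValueError (hypothetical format)."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        verdict, *fields = line.split()
        if verdict not in ("permit", "deny"):
            raise ValueError(f"line {lineno}: bad verdict {verdict!r}")
        rule = Rule(verdict)
        for f in fields:
            key, _, value = f.partition("=")
            if key == "in":
                rule.iface = value
            elif key in ("src", "dst"):
                setattr(rule, key, ipaddress.ip_network(value, strict=False))
            elif key == "dport":
                rule.dport = int(value)
            else:
                raise ValueError(f"line {lineno}: unknown field {key!r}")
        rules.append(rule)
    return rules


class Firewall:
    """First-match filter; anything no rule permits is denied and logged.
    (A real firewall also tracks connection state for return traffic.)"""
    def __init__(self, rules):
        self.rules = rules
        self.log = []   # stands in for the security log the text says to review

    @classmethod
    def load(cls, text):
        """Fail closed: a configuration that cannot be parsed yields a firewall
        with no permit rules, so every packet hits the default deny."""
        try:
            return cls(parse_rules(text))
        except ValueError as exc:
            fw = cls([])
            fw.log.append(f"ALERT config rejected ({exc}); all traffic denied")
            return fw

    def filter(self, pkt):
        where = f"{pkt.iface} {pkt.src}->{pkt.dst}:{pkt.dport}"
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.verdict == "deny":
                    self.log.append(f"DENY {where} (rule)")
                return rule.verdict
        self.log.append(f"DENY {where} (default)")
        return "deny"


# Assumed policy: 10.10.0.0/16 is the internal network, 10.10.5.21 the FTP host.
POLICY = """
deny   in=outside src=10.10.0.0/16            # anti-spoofing: outside traffic cannot claim an inside source
permit in=outside dst=10.10.5.21 dport=21     # incoming FTP only to the designated server
deny   in=inside  dport=21                    # outgoing FTP denied
permit in=inside  src=10.10.0.0/16 dport=443  # internal users may reach HTTPS sites
"""

# Constructed sample traffic (198.51.100.0/24 is documentation address space).
SAMPLE_PACKETS = [
    Packet("outside", "10.10.3.4", "10.10.5.21", 21),       # spoofed internal source -> deny
    Packet("outside", "198.51.100.9", "10.10.5.21", 21),    # inbound FTP to the FTP host -> permit
    Packet("outside", "198.51.100.9", "10.10.5.22", 21),    # FTP to another host -> default deny
    Packet("inside", "10.10.3.4", "198.51.100.9", 21),      # outbound FTP -> deny
    Packet("inside", "10.10.3.4", "198.51.100.9", 443),     # outbound HTTPS -> permit
    Packet("outside", "198.51.100.9", "10.10.5.21", 22),    # unsolicited SSH, no rule -> default deny
]

if __name__ == "__main__":
    fw = Firewall.load(POLICY)
    for pkt in SAMPLE_PACKETS:
        print(fw.filter(pkt), pkt)
    print("\n".join(fw.log))
```

The six sample packets evaluate to deny, permit, deny, deny, permit, deny, and four of them leave log entries for review. Loading a policy with a misspelt or unsupported field (for instance "trust=yes") produces a firewall that denies everything and writes an alert to the log, which is the fail-closed behaviour the text calls for.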



INTERNET PRIVACY -
We continue our series listing the regulatory privacy examination questions.  Answering each week's question will help ensure compliance with the privacy regulations.

Consumer and Customer:

The distinction between consumers and customers is significant because financial institutions have additional disclosure duties with respect to customers. All customers covered under the regulation are consumers, but not all consumers are customers.

A "consumer" is an individual, or that individual's legal representative, who obtains or has obtained a financial product or service from a financial institution that is to be used primarily for personal, family, or household purposes.

A "financial service" includes, among other things, a financial institution's evaluation or brokerage of information that the institution collects in connection with a request or an application from a consumer for a financial product or service. For example, a financial service includes a lender's evaluation of an application for a consumer loan or for opening a deposit account even if the application is ultimately rejected or withdrawn.

Consumers who are not customers are entitled to an initial privacy and opt-out notice only if their financial institution wants to share their nonpublic personal information with nonaffiliated third parties outside of the exceptions.

A "customer" is a consumer who has a "customer relationship" with a financial institution. A "customer relationship" is a continuing relationship between a consumer and a financial institution under which the institution provides one or more financial products or services to the consumer that are to be used primarily for personal, family, or household purposes.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated