Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

March 11, 2007

CONTENTS
- Internet Compliance
- Information Systems Security
- IT Security Question
- Internet Privacy
- Website for Penetration Testing
Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 41 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act section 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FYI - Mass. bill wants stores to pay more in data breaches - Small banks fed up with footing the bill for other companies' security leaks support the effort. But what does it mean for consumers? Businesses would have to reimburse banks for costs stemming from data security breaches, under a Massachusetts bill that could be mimicked by other states and in Congress. http://news.com.com/Mass.+bill+wants+stores+to+pay+more+in+data+breaches/2100-7348_3-6161536.html?tag=cd.lede

FYI - TJX breach more severe than originally thought, says retailer - Hackers infiltrated network systems at TJX Companies -- potentially accessing the personal details of millions of shoppers -- for a longer period than the discount clothing retailer initially thought. http://www.scmagazine.com/us/newsletter/dailyupdate/article/20070226/635166/

FYI - Mass-pharming attack targeting 50 banks is shut down - Fifty financial institutions in the United States, Europe and the Asia-Pacific region were hit with a well crafted pharming attack this week. http://www.scmagazine.com/us/newsletter/dailyupdate/article/20070226/635161/

FYI - Japan's 'cyber crime' rate rises 40% - Japanese police pledged to improve their technology to battle cyber crime, which shot up 40% last year as fraudsters become increasingly sly, an AFP report said. The AFP report, quoting Japan's National Police Agency, said police investigated 4,425 cases of online crime last year, an increase from 3,161 a year earlier and about 3.3 times more than five years ago. http://www.americasnetwork.com/americasnetwork/article/articleDetail.jsp?id=406880

FYI - SEC sues firm for hacking company news releases - U.S. regulators sued an overseas company and its owner on Monday, alleging they hacked into computer systems to get corporate news releases early and traded on that information, making a profit of $2.7 million. http://news.zdnet.com/2102-1009_22-6162258.html

FYI - Trojan phishing attack claims multiple victims - Security watchers have discovered a string of malicious websites that install Trojan code, allowing hackers to compromise end-user banking credentials for more than 50 financial institutions and ecommerce websites. http://www.theregister.co.uk/2007/02/23/trojan_phishing_attack/print.html

FYI - Lawmakers Working to Limit RFID Door Cards - RFID door cards raise security concerns, legislation in the works. There's already an RFID security brouhaha brewing in Washington, and if some people have their way, it won't be the last legal fight waged in the nation's capital over use of the wireless technology. http://www.pcworld.com/article/129487-1/article.html?tk=nl_dnxnws

MISSING COMPUTERS/DATA

FYI - Hackers hit Georgia Tech and steal personal info - The personal information of about 3,000 current and former Georgia Tech employees may have been compromised by unauthorized access to a Georgia Tech computer account by unknown sources outside the university, Georgia Tech reported Feb. 21. http://atlanta.bizjournals.com/atlanta/stories/2007/02/19/daily20.html?t=printable

FYI - Laptop with patients' personal information stolen - Seton computer contains information on 7,800 uninsured patients. The theft of a laptop computer from an Austin office last week has led the Seton hospital system to warn about 7,800 uninsured patients to watch for signs of identity theft. http://www.statesman.com/news/content/news/stories/local/02/20/20laptop.html

FYI - Stop & Shop reports credit data was stolen - Card readers reveal tampering - Quincy-based Stop & Shop has bolted down card readers at all 385 of its supermarkets in New England, New York, and New Jersey to prevent them from being removed and tampered with. With help from US Secret Service agents, Stop & Shop Supermarket Cos. executives scrambled yesterday to determine how many consumers may have had their credit and debit card data stolen by high-tech thieves who apparently broke into checkout-line card readers and planted the equivalent of bugs to steal information. http://www.boston.com/business/articles/2007/02/19/stop__shop_reports_credit_data_was_stolen/

FYI - Former Fruit of the Loom workers' identities compromised - A security breach with a Fruit of the Loom database has left former Rabun Apparel Inc., employees on edge. Word spread rapidly across the North Georgia Technical College campus Tuesday morning about how easily one could access the 1,006 names and Social Security numbers of former employees. http://www.thenortheastgeorgian.com/articles/2007/02/23/news/business/01business.prt

FYI - Security alert as thousands told bank details have been stolen - Thousands of county council staff are at risk of identity theft after their highly confidential bank and national insurance details were stolen. A laptop computer containing the personal information of up to 19,000 staff - complete with names and addresses - was taken in a street robbery. http://www.worcesternews.co.uk/misc/print.php?artid=1216931

FYI - Mysterious Computer Theft Hits Mystery Shopping Company - Speedmark, a marketing services firm that employs "mystery shoppers" to observe employee behavior for client companies, was hit with a data breach when thieves stole computers containing some shoppers' personal data from the company's Woodlands, Texas office. http://www.consumeraffairs.com/printme.php?url=/news04/2007/02/speedmark.html


WEB SITE COMPLIANCE - We continue the series regarding FDIC Supervisory Insights on Incident Response Programs.  (6 of 12)

Best Practices-Going Beyond the Minimum

Each bank has the opportunity to go beyond the minimum requirements and incorporate industry best practices into its IRP. As each bank tailors its IRP to match its administrative, technical, and organizational complexity, it may find some of the following best practices relevant to its operating environment. The practices addressed below are not all-inclusive, nor are they regulatory requirements. Rather, they are representative of some of the more effective practices and procedures some institutions have implemented. For organizational purposes, the best practices have been categorized into the various stages of incident response: preparation, detection, containment, recovery, and follow-up.


Preparation


Preparing for a potential security compromise of customer information is a proactive risk management practice. The overall effectiveness and efficiency of an organization's response is related to how well it has organized and prepared for potential incidents. Two of the more effective practices noted in many IRPs are addressed below.

Establish an incident response team.

A key practice in preparing for a potential incident is establishing a team that is specifically responsible for responding to security incidents. Organizing a team that includes individuals from various departments or functions of the bank (such as operations, networking, lending, human resources, accounting, marketing, and audit) may better position the bank to respond to a given incident. Once the team is established, members can be assigned roles and responsibilities to ensure incident handling and reporting is comprehensive and efficient. A common responsibility that banks have assigned to the incident response team is developing a notification or call list, which includes contact information for employees, vendors, service providers, law enforcement, bank regulators, insurance companies, and other appropriate contacts. A comprehensive notification list can serve as a valuable resource when responding to an incident.


INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

INTRUSION DETECTION AND RESPONSE

Automated Intrusion Detection Systems (IDS) (Part 3 of 4)

Some network IDS units can automatically block the IP addresses associated with certain signatures. Financial institutions that use that capability run the risk of an attacker sending attack packets whose source IP addresses are forged to appear to be those of service providers and others the institution needs in order to continue offering service; the IDS then blocks those legitimate addresses and creates a denial-of-service situation. To avoid such a situation, the institution also may maintain a list of IP addresses (an allow list) that the IDS should never block.

Host-based IDS also use a signature-based method. One such method creates a hash of key binaries, and periodically compares a newly generated hash against the original hash. Any mismatch signals a change to the binary, a change that could be the result of an intrusion. Successful operation of this method depends on protecting the original hashes (and the binaries they describe) from change or deletion, and on protecting the host that performs the comparison. If attackers can substitute a new hash for the original, an attack may not be identified. Similarly, if an attacker can alter the host performing the comparison so that it reports no change in the hash, an attack may not be identified.
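The hash-comparison method above, as an added example that is not part of the booklet or the newsletter: the baseline of file hashes is sealed with an HMAC whose key is assumed to be held off the monitored host (with the comparing host), so an attacker who replaces a binary and also rewrites its stored hash is still detected because the seal no longer verifies. The "binaries" are constructed byte strings standing in for real files; this protects the original hashes, but not against a compromised comparing host, which the next paragraphs address.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the key binaries on a host: path -> file contents.
KEY_BINARIES = {
    "/usr/bin/ls": b"ELF-ls-v1",
    "/usr/bin/ps": b"ELF-ps-v1",
    "/usr/sbin/sshd": b"ELF-sshd-v1",
}
# Assumption: the HMAC key is held off the monitored host (with the comparing host),
# so an attacker who can rewrite files there cannot re-seal a substituted baseline.
BASELINE_KEY = b"constructed-demo-key-kept-off-host"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: dict, key: bytes) -> dict:
    """Hash every monitored file and seal the hash table with an HMAC."""
    hashes = {path: sha256_hex(data) for path, data in files.items()}
    serialized = json.dumps(hashes, sort_keys=True).encode()
    return {"hashes": hashes, "tag": hmac.new(key, serialized, hashlib.sha256).hexdigest()}


def verify_baseline(files: dict, baseline: dict, key: bytes) -> dict:
    """Recompute hashes and compare; refuse to trust a baseline whose seal fails to verify."""
    serialized = json.dumps(baseline["hashes"], sort_keys=True).encode()
    expected = hmac.new(key, serialized, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, baseline["tag"]):
        return {"status": "baseline_tampered", "modified": [], "missing": []}
    modified = sorted(p for p, h in baseline["hashes"].items()
                      if p in files and sha256_hex(files[p]) != h)
    missing = sorted(p for p in baseline["hashes"] if p not in files)
    status = "ok" if not modified and not missing else "changed"
    return {"status": status, "modified": modified, "missing": missing}


def demo() -> tuple:
    """Clean host, trojaned binary, then trojaned binary plus a rewritten baseline hash."""
    baseline = build_baseline(KEY_BINARIES, BASELINE_KEY)
    clean = verify_baseline(KEY_BINARIES, baseline, BASELINE_KEY)["status"]
    trojaned = {**KEY_BINARIES, "/usr/bin/ps": b"ELF-ps-trojaned"}  # constructed change
    detected = verify_baseline(trojaned, baseline, BASELINE_KEY)
    # Attacker also edits the stored hash to match, but cannot recompute the seal without the key.
    forged = {"hashes": {**baseline["hashes"], "/usr/bin/ps": sha256_hex(b"ELF-ps-trojaned")},
              "tag": baseline["tag"]}
    return clean, detected, verify_baseline(trojaned, forged, BASELINE_KEY)["status"]
```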

An additional host-based signature method monitors the application program interfaces for unexpected or unwanted behavior, such as a Web server calling a command line interface.

Attackers can defeat host-based IDS using loadable kernel modules, or LKMs. An LKM is software that attaches itself to the operating system kernel. From there, it can redirect and alter communications and processing. With the proper LKM, an attacker can force a comparison of hashes to always report a match and to return the same cryptographic fingerprint of a file, even after the file was altered. LKMs can also hide the use of the application program interfaces. Detection of LKMs is extremely difficult and is typically done through another LKM.



IT SECURITY QUESTION: INTRUSION DETECTION AND RESPONSE

7. Determine if appropriate detection capabilities exist related to:

- System resource usage and anomalies,
- Active host and network intrusion detection systems,
- User related anomalies,
- Operating and tool configuration anomalies,
- File and data integrity problems, and
- Vulnerability testing.


INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

44. If the institution receives information from a nonaffiliated financial institution under an exception in §14 or §15, does the institution refrain from using or disclosing the information except:

a.  to disclose the information to the affiliates of the financial institution from which it received the information; [§11(a)(1)(i)]

b.  to disclose the information to its own affiliates, which are in turn limited by the same disclosure and use restrictions as the recipient institution; [§11(a)(1)(ii)] and

c.  to disclose and use the information pursuant to an exception in §14 or §15 in the ordinary course of business to carry out the activity covered by the exception under which the information was received? [§11(a)(1)(iii)]

(Note: the disclosure or use described in section c of this question need not be directly related to the activity covered by the applicable exception. For instance, an institution receiving information for fraud-prevention purposes could provide the information to its auditors. But "in the ordinary course of business" does not include marketing. [§11(a)(2)])

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com