R. Kinney Williams
Brought to you by
Yennik, Inc. the acknowledged leader in Internet auditing for financial
August 3, 2008
Your financial institution needs an affordable Internet security
Yennik, Inc. has clients in 42 states
that rely on
our penetration testing audits
to ensure proper Internet security settings and
meet the independent diagnostic test
requirements of FDIC, OCC, OTS, FRB, and NCUA under
Gramm-Leach-Bliley Act 501(b).
The penetration audit and
Internet security testing is an affordable, sophisticated process that
goes far beyond the simple
scanning of ports. The audit takes
a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give
R. Kinney Williams a call
today at 806-798-7119 or visit
GAO - Fair Lending: Race and Gender Data Are Limited for Nonmortgage
Release - http://www.gao.gov/cgi-bin/getrpt?GAO-08-698
Highlights - http://www.gao.gov/highlights/d08698high.pdf
Unpatched Windows PCs fall to hackers in under 5 minutes, says ISC -
Other researchers, however, put average 'survival' time at around 16
hours - It takes less than five minutes for hackers to find and
compromise an unpatched Windows PC after it's connected to the
Internet, a security researcher said today.
Schneier research team cracks TrueCrypt - Researchers led by BT
security expert Bruce Schneier have shown that deniable file systems
- designed to hide data so effectively that there is no trace of its
existence on a user's system - may not be so deniable after all, due
to the interference of standard applications and of the operating
system.
Network Managers Fear Security Threats From Within - The 1979 film
"When a Stranger Calls" portrayed the terror-filled night of a young
woman fielding prank and increasingly threatening calls that
climaxed when the police determined "the calls are coming from
inside the house." Today IT security executives experience a similar
chill down their spine when they realize the biggest threat they
face comes from internal security attacks and data breaches.
BlackBerry maker fixes PDF flaw that could crash server - The maker
of the BlackBerry mobile device has fixed a PDF distiller
vulnerability in the BlackBerry Attachment Service, which runs on
the BlackBerry Enterprise Server.
Google Trends hacked again - Search engine Google has had its Hot
Trends system hacked for the second time in seven days. Last week a
swastika appeared on Google Trends as a top queried term. It was
removed and a spokesperson claimed that a link on a popular Internet
bulletin board, 4Chan, was to blame.
UnitedHealthcare Insider Charged in Cal Data Theft - A former
UnitedHealthcare employee has been charged in connection with 163
identity theft cases at the University of California, Irvine.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
IT admin locks up San Francisco's network - Staffer blocks access to
admins, refuses to reveal passwords - A network administrator has
allegedly locked up a multimillion-dollar computer system for the
city of San Francisco that handles sensitive data, and he is
refusing to give police the password.
Facebook blunder exposes personal details - Beta test site shows
dates of birth - Facebook has accidentally revealed personal
information about its members. The social networking site divulged
the dates of birth of many of its 80 million active users, even
those who had requested that the information remained confidential.
Georgian President's Web Site Attacked - The politically oriented
DDoS attack seems to have originated from Russian hackers, according
to a volunteer security watchdog organization. The Web site of
President Mikhail Saakashvili of Georgia was inaccessible on Sunday
as a result of a distributed denial-of-service (DDoS) attack,
according to the Shadowserver Foundation, a volunteer security
watchdog organization.
HIPAA privacy and security violations cost Seattle company $100,000
- The Health and Human Services Department has settled complaints
over breaches of health information privacy and security rules by a
Seattle home health care company.
Computer server part of haul in Veterans Home burglary - Missing
server contained information about residents and some of their
dependents - It appears that burglars took more than just a laptop
computer and various electronics when they broke into the
Minneapolis Veterans Home early last Sunday.
WEB SITE COMPLIANCE -
OCC - Threats from Fraudulent Bank Web Sites - Risk Mitigation
and Response Guidance for Web Site Spoofing Incidents (Part 4 of
PROCEDURES TO ADDRESS SPOOFING
To respond to spoofing incidents effectively, bank management should
establish structured and consistent procedures. These procedures
should be designed to close fraudulent Web sites, obtain identifying
information from the spoofed Web site to protect customers, and
preserve evidence that may be helpful in connection with any
subsequent law enforcement investigations.
Banks can take the following steps to disable a spoofed Web site and
recover customer information. Some of these steps will require the
assistance of legal counsel.
* Communicate promptly, including through written communications,
with the Internet service provider (ISP) responsible for hosting the
fraudulent Web site and demand that the suspect Web site be
* Contact the domain name registrars promptly, for any domain name
involved in the scheme, and demand the disablement of the domain name;
* Obtain a subpoena from the clerk of a U.S. District Court
directing the ISP to identify the owners of the spoofed Web site and
to recover customer information in accordance with the Digital
Millennium Copyright Act;
* Work with law enforcement; and
* Use other existing mechanisms to report suspected spoofing
The following are other actions and types of legal documents that
banks can use to respond to a spoofing incident:
* Banks can write letters to domain name registrars demanding that
the incorrect use of their names or trademarks cease immediately;
* If these demand letters are not effective, companies with
registered Internet names can use the Uniform Domain Name Dispute
Resolution Process (UDRP) to resolve disputes in which they suspect
that their names or trademarks have been illegally infringed upon.
This process allows banks to take action against domain name
registrars to stop a spoofing incident. However, banks must bear in
mind that the UDRP can be relatively time-consuming. For more
details on this process see
* Additional remedies may be available under the federal Anti-Cybersquatting
Consumer Protection Act (ACCPA), allowing the bank to initiate
immediate action in federal district court under section 43(d) of
the Lanham Act, 15 USC 1125(d). Specifically, the ACCPA can provide
for rapid injunctive relief without the need to demonstrate a
similarity or likelihood of confusion between the goods or services
of the parties.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security
CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Examples of Common Authentication Weaknesses, Attacks, and
Offsetting Controls (Part 2 of 2)
Social engineering involves an attacker obtaining
authenticators by simply asking for them. For instance, the attacker
may masquerade as a legitimate user who needs a password reset, or a
contractor who must have immediate access to correct a system
performance problem. By using persuasion, being aggressive, or using
other interpersonal skills, the attackers encourage a legitimate
user or other authorized person to give them authentication
credentials. Controls against these attacks involve strong
identification policies and employee training.
Client attacks are an area of vulnerability common to all
authentication mechanisms. Passwords, for instance, can be captured
by hardware- or software-based keystroke capture mechanisms. PKI
private keys could be captured or reverse-engineered from their tokens.
Protection against these attacks primarily consists of physically
securing the client systems, and, if a shared secret is used,
changing the secret on a frequency commensurate with risk. While
physically securing the client system is possible within areas under
the financial institution's control, client systems outside the
institution may not be similarly protected.
Replay attacks occur when an attacker eavesdrops and records the
authentication as it is communicated between a client and the
financial institution system, then later uses that recording to
establish a new session with the system and masquerade as the true
user. Protections against replay attacks include changing
cryptographic keys for each session, using dynamic passwords,
expiring sessions through the use of time stamps, expiring PKI
certificates based on dates or number of uses, and implementing
liveness tests for biometric systems.
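An added example (not part of the FFIEC text or this newsletter) showing in Python the nonce and time-stamp protections described above: each login challenge is random, accepted at most once and expires, so a recorded authentication exchange cannot be replayed. The user name and shared secret are constructed for the demo.

```python
import hmac, hashlib, os, time

# Constructed user and shared secret for the demo (assumption, not from the page).
USERS = {"alice": b"constructed-shared-secret"}
CHALLENGE_TTL = 30  # seconds an unanswered challenge stays valid (time-stamp expiry)

class AuthServer:
    """Challenge-response login that resists replay: every session gets a
    fresh random nonce, each nonce is accepted at most once, and unanswered
    nonces expire after CHALLENGE_TTL seconds."""
    def __init__(self, now=time.time):
        self.now = now            # injectable clock so expiry can be tested
        self.pending = {}         # nonce -> (username, issued_at)

    def challenge(self, username):
        nonce = os.urandom(16).hex()
        self.pending[nonce] = (username, self.now())
        return nonce

    def verify(self, username, nonce, response):
        entry = self.pending.pop(nonce, None)   # single use: gone after first attempt
        if entry is None or entry[0] != username:
            return False
        if self.now() - entry[1] > CHALLENGE_TTL:
            return False                        # stale challenge
        secret = USERS.get(username)
        if secret is None:
            return False
        expected = hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)

def client_response(secret, nonce):
    """What the legitimate client sends: an HMAC of the server's nonce."""
    return hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()

def demo_replay():
    """Legitimate login, then an eavesdropper replaying the recorded exchange,
    then a response that arrives after its challenge has expired."""
    clock = [1000.0]
    server = AuthServer(now=lambda: clock[0])
    nonce = server.challenge("alice")
    resp = client_response(USERS["alice"], nonce)
    first = server.verify("alice", nonce, resp)      # accepted
    replayed = server.verify("alice", nonce, resp)   # rejected: nonce consumed
    nonce2 = server.challenge("alice")
    clock[0] += CHALLENGE_TTL + 1
    late = server.verify("alice", nonce2, client_response(USERS["alice"], nonce2))
    return first, replayed, late   # (True, False, False)
```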
Hijacking is an attacker's use of an authenticated user's
session to communicate with system components. Controls against
hijacking include encryption of the user's session and the use of
encrypted cookies or other devices to authenticate each
communication between the client and the server.
16. Determine whether appropriate notification is
made of requirements for authorized use, through banners or other
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
43. Does the institution allow the consumer to select certain
nonpublic personal information or certain nonaffiliated third
parties with respect to which the consumer wishes to opt out? [§10(c)]
(Note: an institution may allow partial opt outs
in addition to, but may not allow them instead of, a comprehensive
opt out.)
PLEASE NOTE: Some
of the above links may have expired, especially those from news
organizations. We may have a copy of the article, so please e-mail
us at email@example.com if we
can be of assistance.