R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

August 14, 2011

CONTENTS
Internet Compliance
Information Systems Security
IT Security
Internet Privacy
Website for Penetration Testing
Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


Spending less than 5 minutes a week along with a cup of coffee, you can monitor your IT security as required by the FDIC, OCC, FRB, FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.  For more information visit http://www.yennik.com/it-review/.

REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - Spy agency gathering information on Canadian citizens - Communications Security Establishment Canada, which intercepts foreign communications and also protects Canadian government computer systems, is using information about Canadians to help in the acquisition of foreign intelligence after recent changes in its policy. http://www.scmagazineus.com/spy-agency-gathering-information-on-canadian-citizens/article/209125/?DCMP=EMC-SCUS_Newswire

FYI - Judge Nixes Patco’s eBanking Fraud Case - A district court judge in Maine last week approved a pending decision that commercial banks which protect accounts with little more than passwords and secret questions are in compliance with federal online banking security guidelines. http://krebsonsecurity.com/2011/08/judge-nixes-patcos-ebanking-fraud-case/

FYI - Evil Android Trojan records your calls - Criminals have increased the functionality of Android Trojans with a new strain that is capable of recording, and not just logging, conversations on compromised smartphones. http://www.theregister.co.uk/2011/08/02/android_malware_records_calls/

FYI - Government drops website blocking - Plans to block websites that host copyright infringing material are to be dumped by the government. http://www.bbc.co.uk/news/technology-14372698

FYI - ACLU wants details on mobile tracking by police - Affiliates of the American Civil Liberties Union (ACLU) in 31 states have filed 379 information requests, demanding that state and local law enforcement agencies tell how they use location information from mobile phones to track U.S. residents. http://www.computerworld.com/s/article/9218852/ACLU_wants_details_on_mobile_tracking_by_police?taxonomyId=17

FYI - GAO - State Has Taken Steps to Implement a Continuous Monitoring Application, but Key Challenges Remain
Release - http://www.gao.gov/products/GAO-11-149
Highlights - http://www.gao.gov/highlights/d11149high.pdf

FYI - So why hasn't "Anonymous" been caught? - We recently heard of crackdowns on the “hacktivist” group Anonymous, where a haul of hackers and their computers were swooped down upon and spirited away by the FBI. So how come we continue to see communications from the group? http://www.scmagazineus.com/so-why-hasnt-anonymous-been-caught/article/209234/?DCMP=EMC-SCUS_Newswire

FYI - India cracks down on the Blackberry - The use of the humble Blackberry may be outlawed in India if Research in Motion fails to comply with the government’s strict security demands. http://www.theregister.co.uk/2011/08/08/indian_blackberry_crackdown/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Governments, IOC and UN hit by massive cyber attack - IT security firm claims to have uncovered one of the largest ever series of cyber attacks. http://www.bbc.co.uk/news/technology-14387559

FYI - A contractor loses hundreds of bank account details, leaving them at a pub. - Two companies have been found in breach of the Data Protection Act after tens of thousands of tenants’ details were left at a London pub, alongside 800 records with bank account details. http://www.itpro.co.uk/635422/hundreds-of-bank-account-details-left-at-london-pub

FYI - Anonymous, LulzSec Dump Data from 70 Sheriffs' Offices - Anonymous continued its attacks against law enforcement agencies to protest recent arrests of Anonymous members and Topiary by breaching a third-party marketing firm hosting 70 law enforcement Websites. http://www.eweek.com/c/a/Security/Anonymous-LulzSec-Dump-Data-from-70-Sheriffs-Offices-547474/

FYI - Travelodge blames 'vindictive individual' for email database breach - Hacker or disaffected worker mystery remains - Travelodge UK has confirmed that a customer database security breach was behind the recent run of spam emails to its customers. http://www.theregister.co.uk/2011/08/05/travelodge_email_snafu/


WEB SITE COMPLIANCE - This week begins our series on the FDIC's Supervisory Policy on Identity Theft (Part 1 of 6)

Supervisory Policy on Identity Theft

Identity theft is fraud committed or attempted by using the identifying information of another person without his or her authority. Identifying information may include such things as a Social Security number, account number, date of birth, driver's license number, passport number, biometric data and other unique electronic identification numbers or codes. As more financial transactions are done electronically and remotely, and as more sensitive information is stored in electronic form, the opportunities for identity theft have increased significantly.  This policy statement describes the characteristics of identity theft and emphasizes the FDIC's well-defined expectations that institutions under its supervision detect, prevent and mitigate the effects of identity theft in order to protect consumers and help ensure safe and sound operations.


 
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS

Packet Filter Firewalls

Basic packet filtering was described in the router section and does not include stateful inspection. Packet filter firewalls evaluate the headers of each incoming and outgoing packet to ensure it has a valid internal address, originates from a permitted external address, connects to an authorized protocol or service, and contains valid basic header fields. If the packet does not match the pre-defined policy for allowed traffic, the firewall drops it. Packet filters generally do not analyze packet contents beyond the header information. Dynamic packet filtering adds stateful inspection, primarily for performance. Rather than re-evaluating every packet against the ruleset, the firewall first checks whether an arriving packet belongs to a connection already in its state table; if it does, the packet is forwarded without being subjected to the ruleset. The practical consequence is that the ruleset is consulted only for the packet that opens a connection: an allow rule that admits the first packet admits the entire conversation that follows, so rule order and the integrity of the state table matter more than they first appear.

Weaknesses associated with packet filtering firewalls include the following:

- The system is unable to prevent attacks that exploit application-specific vulnerabilities and functions, because the packet filter cannot examine packet contents.

- Logging is limited to the same header information used to make access control decisions.

- Most do not support advanced user authentication schemes.

- They are generally vulnerable to attacks and exploitation that take advantage of problems in the TCP/IP specification.

- They are easy to misconfigure, which allows traffic to pass that should be blocked.

Packet filtering offers less security but faster performance than application-level firewalls. Packet filters are appropriate in high-speed environments where logging and user authentication to network resources are not important. They are also commonly used in small office/home office (SOHO) systems and default operating system firewalls.

Institutions internally hosting Internet-accessible services should consider implementing additional firewall components that include application-level screening.
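The following Python model is an added illustration of the mechanism described above; it is not part of the FFIEC booklet or of this newsletter's original text, and it does not model any particular firewall product. It implements a first-match, default-deny ruleset over header fields only, a simple anti-spoofing check on source addresses, and the stateful shortcut that forwards packets of an established connection without consulting the rules. The addresses, ports, rules and the request payload are constructed for the example. The scenarios show two of the listed weaknesses directly: an attack string inside an allowed HTTPS connection passes untouched because the payload is never examined, and an over-broad "allow any" rule placed ahead of the deny silently shadows it.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

INTERNAL = ip_network("10.0.0.0/8")  # constructed: the institution's internal range


@dataclass(frozen=True)
class Packet:
    iface: str            # "external" or "internal": the side the packet arrived on
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False     # TCP SYN: first packet of a new connection
    payload: bytes = b""  # carried along but never examined by a packet filter


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str                     # CIDR
    dst: str                     # CIDR
    proto: str                   # "tcp", "udp" or "any"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


class PacketFilter:
    """First-match ruleset over header fields, default deny, plus a connection table."""

    def __init__(self, rules: List[Rule], stateful: bool = True) -> None:
        self.rules = rules
        self.stateful = stateful
        self.connections: Set[Tuple[str, str, int, str, int]] = set()
        self.log: List[str] = []

    @staticmethod
    def _key(p: Packet) -> Tuple[str, str, int, str, int]:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p: Packet) -> Tuple[str, str, int, str, int]:
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _record(self, verdict: str, reason: str, p: Packet) -> str:
        # The log can only contain what the decision was based on: header fields.
        self.log.append(f"{verdict} {reason} {p.proto} {p.src}:{p.sport}->{p.dst}:{p.dport} via {p.iface}")
        return verdict

    def evaluate(self, p: Packet) -> str:
        # Header sanity: the source address must be plausible for the arriving interface.
        if p.iface == "external" and ip_address(p.src) in INTERNAL:
            return self._record("drop", "spoofed-internal-source", p)
        if p.iface == "internal" and ip_address(p.src) not in INTERNAL:
            return self._record("drop", "bogus-internal-source", p)
        # Stateful shortcut: packets of an established connection skip the ruleset entirely.
        if self.stateful and (self._key(p) in self.connections or self._reverse_key(p) in self.connections):
            return self._record("forward", "established", p)
        # Otherwise consult the ruleset; first match wins, default deny.
        for rule in self.rules:
            if rule.matches(p):
                if rule.action == "allow":
                    if self.stateful and (p.proto == "udp" or p.syn):
                        self.connections.add(self._key(p))  # the whole conversation is now trusted
                    return self._record("forward", "rule", p)
                return self._record("drop", "rule", p)
        return self._record("drop", "default", p)


WEB_SERVER = "10.0.1.5"  # constructed: an internally hosted HTTPS server
CLIENT = "203.0.113.7"   # constructed: an Internet client (documentation range)

GOOD_RULES = [
    Rule("allow", "0.0.0.0/0", WEB_SERVER + "/32", "tcp", 443),
    Rule("deny", "0.0.0.0/0", "10.0.0.0/8", "any"),
]
# Constructed misconfiguration: an "allow anything inbound" rule ahead of the deny shadows it.
BAD_RULES = [Rule("allow", "0.0.0.0/0", "10.0.0.0/8", "any")] + GOOD_RULES


def run_scenarios(rules: List[Rule], stateful: bool = True) -> dict:
    fw = PacketFilter(rules, stateful)
    https_syn = Packet("external", CLIENT, WEB_SERVER, "tcp", 51000, 443, syn=True)
    https_reply = Packet("internal", WEB_SERVER, CLIENT, "tcp", 443, 51000)
    ssh_syn = Packet("external", CLIENT, WEB_SERVER, "tcp", 51001, 22, syn=True)
    spoofed = Packet("external", "10.0.0.9", WEB_SERVER, "tcp", 51002, 443, syn=True)
    # Constructed application-layer attack riding the already-established HTTPS connection.
    injected = Packet("external", CLIENT, WEB_SERVER, "tcp", 51000, 443,
                      payload=b"GET /?id=1' OR '1'='1 HTTP/1.1")
    return {
        "https": fw.evaluate(https_syn),      # allowed by rule, connection recorded
        "reply": fw.evaluate(https_reply),    # forwarded by state table, no outbound rule needed
        "ssh": fw.evaluate(ssh_syn),          # dropped by the deny rule
        "spoofed": fw.evaluate(spoofed),      # dropped by the source-address check
        "injected": fw.evaluate(injected),    # forwarded: payload is never looked at
        "log": fw.log,
    }


if __name__ == "__main__":
    for line in run_scenarios(GOOD_RULES)["log"]:
        print(line)
    print("misconfigured ruleset admits SSH:", run_scenarios(BAD_RULES)["ssh"])
```

Running the good ruleset without the state table (stateful=False) drops the server's reply, because no rule permits outbound traffic to the client; that is exactly the ruleset evaluation the state table lets the firewall skip, and why a stateless filter needs a mirror rule for each direction. The log entries contain nothing but the tuple the decision used, so the injected request is invisible in them, which is the logging limitation the booklet lists.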



INTERNET PRIVACY - We continue our review of the issues in the "Privacy of Consumer Financial Information" published by the financial regulatory agencies.

Nonpublic Personal Information:

"Nonpublic personal information" generally is any information that is not publicly available and that:

1)  a consumer provides to a financial institution to obtain a financial product or service from the institution;

2)  results from a transaction between the consumer and the institution involving a financial product or service; or

3)  a financial institution otherwise obtains about a consumer in connection with providing a financial product or service.

Information is publicly available if an institution has a reasonable basis to believe that the information is lawfully made available to the general public from government records, widely distributed media, or legally required disclosures to the general public. Examples include information in a telephone book or a publicly recorded document, such as a mortgage or securities filing.

Nonpublic personal information may include individual items of information as well as lists of information. For example, nonpublic personal information may include names, addresses, phone numbers, social security numbers, income, credit score, and information obtained through Internet collection devices (e.g., cookies).

There are special rules regarding lists. Publicly available information would be treated as nonpublic if it were included on a list of consumers derived from nonpublic personal information. For example, a list of the names and addresses of a financial institution's depositors would be nonpublic personal information even though the names and addresses might be published in local telephone directories because the list is derived from the fact that a person has a deposit account with an institution, which is not publicly available information.

However, if the financial institution has a reasonable basis to believe that certain customer relationships are a matter of public record, then any list of these relationships would be considered publicly available information. For instance, a list of mortgage customers where the mortgages are recorded in public records would be considered publicly available information. The institution could provide a list of such customers, and include on that list any other publicly available information it has about the customers on that list without having to provide notice or opt out.


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

NEW The Weekly IT Security Review NEW
A weekly email that lets you continuously review
your IT operations throughout the year.

Purchase now for the special inaugural price.

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated