R. Kinney Williams
Brought to you by
Yennik, Inc. the acknowledged leader in Internet auditing for financial
August 24, 2008
Your Financial Institution need an affordable Internet security
Yennik, Inc. has clients in 42 states
that rely on
our penetration testing audits
to ensure proper Internet security settings and
meet the independent diagnostic test
requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides
Gramm-Leach Bliley Act 501(b).
The penetration audit and
Internet security testing is an affordable-sophisticated process than
goes far beyond the simple
scanning of ports. The audit
a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give
R. Kinney Williams a call
today at 806-798-7119 or visit
Unencrypted traveler data laptop disappears then reappears - The
missing laptop has now been found - in the office from which it was
Kaminsky (finally) reveals gaping hole in internet - Black Hat After
a four-week orgy of speculation, recrimination and warnings, Dan
Kaminsky's domain-name system vulnerability has finally gone public.
And boy, are we glad the net's overlords paid attention.
Gov't charges alleged TJX credit-card thieves - The U.S. government
may have closed the book on the TJX Companies credit-card breach and
at least eight other recent thefts of financial data. " So far as we
know, this is the single largest and most complex identity theft
case ever charged in this country. "
Webcam hacker-ogler jailed for four years - A middle-aged Cypriot
has been jailed for four years after he was convicted of hacking
into internet webcams in order to spy on teenage girls. The unnamed
47-year-old computer technician used Trojan horse spyware to gain
remote control of a webcam and take illicit pictures of least one
young woman in her bedroom.
More UCLA Medical Center employees peeked at celebrities' records,
state says - A total of 127 workers, nearly double the initial
reported number, have been implicated by the California Department
of Public Health in the growing scandal.
Vista ineffective against browser attacks - The memory protections
in Windows Vista are largely ineffective at preventing browser
exploitation. This was the position taken by two researchers
presenting at the Black Hat conference in Las Vegas.
Georgia hit by war hackers - As its conflict with Russia continues,
Georgia's government and commercial websites have been hit by
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Hundreds of credit card owners hit by online scam - HUNDREDS of bank
customers have had their credit cards cancelled following the latest
international scam to hit the financial services sector. Personal
banking details of hundreds of customers were compromised after
thieves hacked into the online database of one of the country's
Wells Fargo code used to illegally access consumer data - Latest in
a string of incidents reported by Wells Fargo over the past five
years - Wells Fargo Bank NA is in the process of notifying some
7,000 individuals that a thief may have accessed their Social
Security numbers and other personal information by illegally using
the financial services firm's access codes.
BBC confirms personal details stolen - The BBC has confirmed that is
has lost the personal details of its staff's children. The
corporation said that a laptop and several memory sticks that
contained the names, addresses and mobile phone numbers of children
had been stolen from a staff vehicle. The BBC has informed the
parents of those affected and is currently reviewing internal
security procedures across its programmes.
Records loss may violate U.S. law - 'Total files' of patients, many
with HIV and AIDS, missing - Share Print Email
Del.icio.usDiggTechnoratiYahoo! BuzzA low-level Harris County
Hospital District administrator probably violated federal law when
she downloaded medical and financial records for 1,200 patients with
HIV, AIDS and other medical conditions onto a flash drive that later
was lost or stolen, legal experts said.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Guidance on Safeguarding Customers Against E-Mail and
Internet-Related Fraudulent Schemes (Part 2 of 3)
Risks Associated With E-Mail and Internet-Related Fraudulent
Internet-related fraudulent schemes present a substantial risk to
the reputation of any financial institution that is impersonated or
spoofed. Financial institution customers and potential customers may
mistakenly perceive that weak information security resulted in
security breaches that allowed someone to obtain confidential
information from the financial institution. Potential negative
publicity regarding an institution's business practices may cause a
decline in the institution's customer base, a loss in confidence or
In addition, customers who fall prey to e-mail and Internet-related
fraudulent schemes face real and immediate risk. Criminals will
normally act quickly to gain unauthorized access to financial
accounts, commit identity theft, or engage in other illegal acts
before the victim realizes the fraud has occurred and takes action
to stop it.
Educating Financial Institution Customers About E-Mail and
Internet-Related Fraudulent Schemes
Financial institutions should consider the merits of educating
customers about prevalent e-mail and Internet-related fraudulent
schemes, such as phishing, and how to avoid them. This may be
accomplished by providing customers with clear and bold statement
stuffers and posting notices on Web sites that convey the following
! A financial institution's Web page should never be accessed
from a link provided by a third party. It should only be accessed by
typing the Web site name, or URL address, into the Web browser or by
using a "book mark" that directs the Web browser to the financial
institution's Web site.
! A financial institution should not be sending e-mail
messages that request confidential information, such as account
numbers, passwords, or PINs. Financial institution customers should
be reminded to report any such requests to the institution.
! Financial institutions should maintain current Web site
certificates and describe how the customer can authenticate the
institution's Web pages by checking the properties on a secure Web
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information
SECURITY CONTROLS -
Protocols and Ports (Part 1 of 3)
Network communications rely on software protocols to ensure the
proper flow of information. A protocol is a set of rules that allows
communication between two points in a telecommunications connection.
Different types of networks use different protocols. The Internet
and most intranets and extranets, however, are based on the TCP/IP
layered model of protocols. That model has four layers, and
different protocols within each layer. The layers, from bottom to
top, are the network access layer, the Internet layer, the
host-to-host layer, and the application layer. Vulnerabilities and
corresponding attack strategies exist at each layer. This becomes an
important consideration in evaluating the necessary controls.
Hardware and software can use the protocols to restrict network
access. Likewise, attackers can use weaknesses in the protocols to
The primary TCP/IP protocols are the Internet protocol (IP) and the
transmission control protocol (TCP). IP is used to route messages
between devices on a network, and operates at the Internet layer.
TCP operates at the host-to-host layer, and provides a
connection-oriented, full - duplex, virtual circuit between hosts.
Different protocols support different services for the network. The
different services often introduce additional vulnerabilities. For
example, a third protocol, the user datagram protocol (UDP) is also
used at the host-to-host layer. Unlike TCP, UDP is not connection -
oriented, which makes it faster and a better protocol for supporting
broadcast and streaming services. Since UDP is not
connection-oriented, however, firewalls often do not effectively
filter it. To provide additional safeguards, it is often blocked
entirely from inbound traffic or additional controls are added to
verify and authenticate inbound UDP packets as coming from a trusted
Return to the top of the newsletter
IT SECURITY QUESTION:
B. NETWORK SECURITY
Evaluate the appropriateness of techniques that prevent the spread
of malicious code across the network.
Return to the top of
INTERNET PRIVACY - We continue our
series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
46. Does the institution refrain from
disclosing, directly or through affiliates, account numbers or
similar forms of access numbers or access codes for a consumer's
credit card account, deposit account, or transaction account to any
nonaffiliated third party (other than to a consumer reporting
agency) for telemarketing, direct mail or electronic mail marketing
to the consumer, except:
a. to the institution's agents or service providers
solely to market the institution's own products or services, as long
as the agent or service provider is not authorized to directly
initiate charges to the account; ['12(b)(1)] or
b. to a participant in a private label credit card
program or an affinity or similar program where the participants in
the program are identified to the customer when the customer enters
into the program? ['12(b)(2)]
(Note: an "account number or similar form of
access number or access code" does not include numbers in encrypted
form, so long as the institution does not provide the recipient with
a means of decryption. ['12(c)(1)] A transaction account does not
include an account to which third parties cannot initiate charges.
|PLEASE NOTE: Some
of the above links may have expired, especially those from news
organizations. We may have a copy of the article, so please e-mail
us at firstname.lastname@example.org if we
can be of assistance.