R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

October 16, 2011

Website for Penetration Testing
Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act section 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

Spending less than 5 minutes a week, along with a cup of coffee, you can monitor your IT security as required by the FDIC, OCC, FRB, FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.  For more information visit http://www.yennik.com/it-review/.

REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - Cybersecurity Awareness Month launched - The eighth annual National Cybersecurity Awareness Month was launched on Friday with a gathering in Ypsilanti, Mich., featuring Janet Napolitano, the secretary of the U.S. Department of Homeland Security (DHS), and White House Cybersecurity Coordinator Howard Schmidt. http://www.scmagazineus.com/cybersecurity-awareness-month-launched/article/213861/?DCMP=EMC-SCUS_Newswire

FYI - White House Orders New Computer Security Rules - The White House plans to issue an executive order on Friday to replace a flawed patchwork of computer security safeguards exposed by the disclosure of hundreds of thousands of classified government documents to WikiLeaks last year. http://www.nytimes.com/2011/10/07/us/politics/white-house-orders-new-computer-security-rules.html?_r=1

FYI - Calif. Governor Veto Allows Warrantless Cellphone Searches - California Gov. Jerry Brown is vetoing legislation requiring police to obtain a court warrant to search the mobile phones of suspects at the time of any arrest. http://www.wired.com/threatlevel/2011/10/warrantless-phone-searches/

FYI - German government's Skype spying tool has holes, hackers say - A hacker club found a Skype spying tool used by German law enforcement may violate the country's constitutional law - An eavesdropping tool allegedly used by the German government to intercept Skype calls is full of security problems and may violate a ruling by the country's constitutional court, according to a European hacker club. http://www.computerworld.com/s/article/9220677/German_government_s_Skype_spying_tool_has_holes_hackers_say?taxonomyId=17

FYI - TD Ameritrade settles lawsuit over major breach - A U.S. District Court judge has approved a settlement stemming from the 2007 TD Ameritrade breach that exposed the personal information of some 6.3 million customers, two years after a deal was shot down because it didn't benefit the plaintiffs enough. http://www.scmagazineus.com/td-ameritrade-settles-lawsuit-over-major-breach/article/214042/

FYI - Couple files suit against Citigroup over breach - A couple from New York state is seeking class-action status for a lawsuit against Citigroup, alleging that the third-largest U.S. bank has "taken no steps" to protect victims in the wake of a massive data breach, according to reports. http://www.scmagazineus.com/couple-files-suit-against-citigroup-over-breach/article/214030/?DCMP=EMC-SCUS_Newswire

FYI - Stanford Hospital blames contractor for data breach - After patient files $20M lawsuit, health care provider firm says contractor is responsible - Stanford Hospital & Clinics this week blamed a third party billing contractor for a data breach that exposed the personal data of some 20,000 patients. http://www.computerworld.com/s/article/9220626/Stanford_Hospital_blames_contractor_for_data_breach?taxonomyId=17

FYI - BofA site outages called 'unprecedented' - The bank has replaced its standard online Web page with an alternate - The six days of online brownouts and slowdowns that have plagued Bank of America's website are "unprecedented," a leading Internet and mobile cloud monitoring service said today. http://www.computerworld.com/s/article/9220562/Update_BofA_site_outages_called_unprecedented_?taxonomyId=17

FYI - Anonymous Threatens New York Stock Exchange Attack - Calls for distributed denial-of-service attack as part of the Occupy Wall Street protests. A video that purports to be from the Anonymous hacktivist collective has called for a distributed denial-of-service (DDoS) attack to be launched against the New York Stock Exchange (NYSE). http://www.informationweek.com/news/security/vulnerabilities/231900039

FYI - Computer Virus Hits U.S. Drone Fleet - A virus has infected the cockpits of America's Predator and Reaper drones, logging pilots' every keystroke as they remotely fly missions over Afghanistan and other warzones. http://www.wired.com/dangerroom/2011/10/virus-hits-drone-fleet

FYI - AmEx 'debug mode left site wide open', says hacker - Customer cookies 'at risk' - An alleged vulnerability on American Express site exposed customers to a serious security risk before the credit card giant closed down a portion of its site on Thursday afternoon. http://www.theregister.co.uk/2011/10/07/amex_website_security_snafu/

FYI - Military jamming of GPS in Scotland suspended - Jamming of global positioning signals (GPS) during Europe's largest military exercise has been suspended, following complaints from fishermen. http://www.bbc.co.uk/news/uk-scotland-highlands-islands-15242835

FYI - 111 arrested in massive ID theft bust - Restaurant workers and bank insiders are charged in what's billed as the largest-ever ID theft round-up - Prosecutors call it the biggest identity theft bust in U.S. history. On Friday, 111 bank tellers, retail workers, waiters and alleged criminals were charged with running a credit-card-stealing organization that stole more than $13 million in less than a year-and-a-half. http://www.computerworld.com/s/article/9220655/111_arrested_in_massive_ID_theft_bust?taxonomyId=82

FYI - Another PlayStation Network breach stings Sony customers - Sony on Wednesday said hackers have again accessed its network, this time compromising the accounts of some 93,000 customers. http://www.scmagazineus.com/another-playstation-network-breach-stings-sony-customers/article/214179/?DCMP=EMC-SCUS_Newswire

FYI - Delaware pediatric health facility loses data on 1.6 million - Three unencrypted backup tapes containing the personal information of more than a million and a half individuals have gone missing from Nemours, a children's health system based in Wilmington, Del. http://www.scmagazineus.com/delaware-pediatric-health-facility-loses-data-on-16-million/article/214139/?DCMP=EMC-SCUS_Newswire

FYI - Sensitive University of Georgia employee data posted online - The personal information of thousands of individuals who worked at the University of Georgia (UGA) in 2002 was accessible online for several years. http://www.scmagazineus.com/sensitive-university-of-georgia-employee-data-posted-online/article/214032/?DCMP=EMC-SCUS_Newswire


Advertisement Of Membership

The FDIC and NCUA consider every insured depository institution's online system top-level page, or "home page", to be an advertisement. Therefore, according to these agencies' interpretation of their rules, financial institutions subject to the regulations should display the official advertising statement on their home pages unless subject to one of the exceptions described under the regulations. Furthermore, each subsidiary page of an online system that contains an advertisement should display the official advertising statement unless subject to one of the exceptions described under the regulations. Additional information about the FDIC's interpretation can be found in the Federal Register, Volume 62, Page 6145, dated February 11, 1997.

We continue our series on the FFIEC interagency Information Security Booklet.

Sensitive or mission-critical applications should incorporate appropriate access controls that restrict which application functions are available to users and other applications. The most commonly referenced applications from an examination perspective support the information processing needs of the various business lines. These computer applications allow authorized users or other applications to interface with the related database. Effective application access control can enforce both segregation of duties and dual control. Access rights to sensitive or critical applications and their database should ensure that employees or applications have the minimum level of access required to perform their business functions. Effective application access control involves a partnership between the security administrators, the application programmers (including TSPs and vendors), and the business owners.

Some security software programs will integrate access control for the operating system and some applications. That software is useful when applications do not have their own access controls, and when the institution wants to rely on the security software instead of the application's access controls. Examples of such security software products for mainframe computers include RACF, CA-ACF2, and CA-Top Secret. Institutions should understand the functionality and vulnerabilities of their application access control solutions and consider those issues in their risk assessment process.
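The three controls the booklet text above asks an application to enforce (least privilege per role, segregation of duties, and dual control) can be made concrete in code. The following is an added example written for this newsletter, not text or code from the FFIEC booklet or from any of the products named above; the roles, function names, user names and the wire-transfer workflow are assumed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set

# Role -> application functions that role may call.  Least privilege: each
# role is granted only the functions its business line needs.  Role and
# function names are assumed for this example.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "teller":       frozenset({"view_account", "initiate_wire"}),
    "supervisor":   frozenset({"view_account", "initiate_wire", "approve_wire"}),
    "vendor_clerk": frozenset({"create_vendor"}),
    "payments":     frozenset({"pay_vendor"}),
    "auditor":      frozenset({"view_account", "view_audit_log"}),
}

# Segregation of duties: function pairs no single user may hold, however
# the roles are combined (creating a payee and paying it is the classic case).
CONFLICTING_FUNCTIONS: List[FrozenSet[str]] = [
    frozenset({"create_vendor", "pay_vendor"}),
]


class AccessDenied(Exception):
    """Raised when an access-control rule blocks the request."""


@dataclass
class User:
    name: str
    roles: Set[str]


@dataclass
class WireTransfer:
    amount_cents: int
    initiated_by: str = ""
    approved_by: str = ""

    @property
    def released(self) -> bool:
        # A wire leaves the institution only after two distinct people acted on it.
        return bool(self.initiated_by and self.approved_by)


def permissions(user: User) -> Set[str]:
    """Union of the functions granted by all of the user's roles."""
    perms: Set[str] = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, frozenset())
    return perms


def check_segregation(user: User) -> None:
    """Reject a role assignment that combines conflicting functions."""
    perms = permissions(user)
    for pair in CONFLICTING_FUNCTIONS:
        if pair <= perms:
            raise AccessDenied(f"{user.name} holds conflicting functions {sorted(pair)}")


def authorize(user: User, function: str) -> None:
    """Gate every application function on SoD and on role membership."""
    check_segregation(user)
    if function not in permissions(user):
        raise AccessDenied(f"{user.name} may not call {function}")


def initiate_wire(user: User, wire: WireTransfer) -> WireTransfer:
    authorize(user, "initiate_wire")
    wire.initiated_by = user.name
    return wire


def approve_wire(user: User, wire: WireTransfer) -> WireTransfer:
    """Dual control: the approver must be a different person than the initiator."""
    authorize(user, "approve_wire")
    if not wire.initiated_by:
        raise AccessDenied("wire has not been initiated")
    if wire.initiated_by == user.name:
        raise AccessDenied(f"{user.name} cannot approve a wire they initiated")
    wire.approved_by = user.name
    return wire


def attempt(action, *args) -> str:
    """Run one access-controlled action; return 'ok' or the denial reason."""
    try:
        action(*args)
        return "ok"
    except AccessDenied as exc:
        return f"denied: {exc}"


def demo() -> Dict[str, str]:
    """Exercise the controls with constructed users and wires; outcome per scenario."""
    alice = User("alice", {"teller"})
    bob = User("bob", {"supervisor"})
    carol = User("carol", {"auditor"})
    dave = User("dave", {"vendor_clerk", "payments"})   # SoD violation by assignment
    wire1 = WireTransfer(amount_cents=250_000_00)
    wire2 = WireTransfer(amount_cents=40_000_00)
    results = {
        "teller_initiates":           attempt(initiate_wire, alice, wire1),
        "teller_self_approves":       attempt(approve_wire, alice, wire1),
        "supervisor_initiates":       attempt(initiate_wire, bob, wire2),
        "supervisor_approves_own":    attempt(approve_wire, bob, wire2),
        "supervisor_approves_tellers": attempt(approve_wire, bob, wire1),
        "auditor_approves":           attempt(approve_wire, carol, wire1),
        "conflicting_roles":          attempt(authorize, dave, "create_vendor"),
    }
    results["wire1_released"] = "yes" if wire1.released else "no"
    results["wire2_released"] = "yes" if wire2.released else "no"
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:28s} {outcome}")
```

Two design points worth noting: the segregation check runs inside authorize(), so a user whose combined roles conflict is denied every function until the assignment is corrected, which makes the conflict visible to the security administrator rather than silently honoured; and the dual-control rule is enforced on the transaction record (who initiated it), not on roles, so even a user legitimately holding both initiate and approve rights cannot be both halves of the same wire.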


We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Financial Institution Duties ( Part 5 of 6)

Limitations on Disclosure of Account Numbers:

A financial institution must not disclose an account number or similar form of access number or access code for a credit card, deposit, or transaction account to any nonaffiliated third party (other than a consumer reporting agency) for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer.

The disclosure of encrypted account numbers without an accompanying means of decryption, however, is not subject to this prohibition. The regulation also expressly allows disclosures by a financial institution to its agent to market the institution's own products or services (although the financial institution must not authorize the agent to directly initiate charges to the customer's account). Also not barred are disclosures to participants in private-label or affinity card programs, where the participants are identified to the customer when the customer enters the program.

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

NEW The Weekly IT Security Review NEW
A weekly email that lets you continuously review
your IT operations throughout the year.

Purchase now for the special inaugural price.

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated