R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

October 20, 2013

CONTENTS
Internet Compliance
Web Site Audits
IT Security
Internet Privacy

Penetration Testing
Does your financial institution need an affordable Internet security audit? Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - New NIST cybersecurity standards could pose liability risks - Once passed, the standard will become the benchmark to measure critical infrastructure security programs - Critical infrastructure companies could face new liability risks if they fail to meet voluntary cybersecurity standards being developed by the National Institute of Standards and Technology. http://www.computerworld.com/s/article/9243150/New_NIST_cybersecurity_standards_could_pose_liability_risks?taxonomyId=17s

FYI - Cyber defenders are in short supply as hacking wars escalate - For the governments and corporations facing increasing computer attacks, the biggest challenge is finding the right cyber warriors to fight back. http://www.nbcnews.com/technology/cyber-defenders-are-short-supply-hacking-wars-escalate-8C11390053

FYI - Japan needs 80,000 EXTRA info-security bods to stay safe - Japan has an 80,000 shortfall in infosec professionals, and needs to provide extra training for more than half of those currently in the industry, if it’s to protect key IT systems from attack, according to the government. http://www.theregister.co.uk/2013/10/09/japan_infosecurity_skills_shortage/

FYI - New malware enables attackers to take money directly from ATMs - Skimmers were once thought to be the bane of the ATM compromising world, but the trends may end up shifting now that security researchers have discovered a piece of malware, known as Ploutus, which has been infecting money machines in Mexico. http://www.scmagazine.com/new-malware-enables-attackers-to-take-money-directly-from-atms/article/316409/?DCMP=EMC-SCUS_Newswire

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Nordstrom Finds Cash Register Skimmers - Scam artists who deploy credit and debit card skimmers most often target ATMs, yet thieves can also use inexpensive, store-bought skimming devices to compromise modern-day cash registers. Just this past weekend, for instance, department store chain Nordstrom said it found a half-dozen of these skimmers affixed to registers at a store in Florida.
http://krebsonsecurity.com/2013/10/nordstrom-finds-cash-register-skimmers/
http://www.scmagazine.com/scammers-bug-nordstrom-registers-with-40-devices-to-skim-card-data/article/316001/?DCMP=EMC-SCUS_Newswire

FYI - Hackers exploit vBulletin flaw to inject rogue admin accounts - Users should delete the 'install' directories from their vBulletin deployments and upgrade to the latest version of the software - Hackers are exploiting a vulnerability in the popular vBulletin Internet forum software in order to inject rogue administrator accounts into websites using it. http://www.computerworld.com/s/article/9243126/Hackers_exploit_vBulletin_flaw_to_inject_rogue_admin_accounts?taxonomyId=17

FYI - Not in Kansas anymore, thousands affected by Wichita website hack - The city of Wichita had its website hacked over the weekend, consequently compromising sensitive information for tens of thousands of current and former vendors who have done business with the city and employees who have been reimbursed for expenses since 1997. http://www.scmagazine.com/not-in-kansas-anymore-thousands-affected-by-wichita-website-hack/article/315305/

FYI - Network Solutions investigating DNS hijack - The same pro-Palestinian group that hit LeaseWeb earlier this week claimed responsibility - Network Solutions is investigating an attack by a pro-Palestinian hacking group that redirected websites belonging to several companies. http://www.computerworlduk.com/news/security/3472798/network-solutions-investigating-dns-hijack/

FYI - Software firm breached, hacker reportedly behind data leak of 60K vendor accounts - Software company Tom Sawyer has begun notifying customers that their information was compromised via a website database hack - and the hacker purportedly behind the intrusion has apparently leaked the stolen data online. http://www.scmagazine.com/software-firm-breached-hacker-reportedly-behind-data-leak-of-60k-vendor-accounts/article/315910/?DCMP=EMC-SCUS_Newswire

FYI - Dexter malware resurfaces in South Africa, costs banks millions - Banks in South Africa have suffered tens of millions in losses in rand (millions of US dollars) due to a variant of the Dexter virus – a piece of malware targeting point-of-sale (POS) devices that was discovered in December 2012 by Israel-based security technology company Seculert. http://www.scmagazine.com/dexter-malware-resurfaces-in-south-africa-costs-banks-millions/article/316387/?DCMP=EMC-SCUS_Newswire

FYI - Hackers compromise certs to spread Nemim malware, which hijacks email and browser data - According to a security researcher at Symantec, who co-authored a blog post on Tuesday about the Nemim campaign, recent samples of the malware were digitally signed with stolen certificates to infect users. http://www.scmagazine.com/hackers-compromise-certs-to-spread-nemim-malware-which-hijacks-email-and-browser-data/article/316607/?DCMP=EMC-SCUS_Newswire

FYI - Wisconsin hospital bills erroneously mailed to unauthorized persons - A system settings error caused financial statements to be mailed to roughly 8,000 people who received care from Wisconsin-based Memorial Hospital of Lafayette County, but an undisclosed number were sent to unauthorized persons. http://www.scmagazine.com/wisconsin-hospital-bills-erroneously-mailed-to-unauthorized-persons/article/316514/?DCMP=EMC-SCUS_Newswire

FYI - GAO - Medicare Information Technology: Centers for Medicare and Medicaid Services Needs to Pursue a Solution for Removing Social Security Numbers from Cards. http://www.gao.gov/products/GAO-13-761

FYI - PR Newswire alerts customers to change passwords following breach - PR Newswire announced Wednesday that it became the latest company to be breached by a group of attackers said to also be responsible for striking LexisNexis, the National White Collar Crime Center (NW3C) and Adobe. http://www.scmagazine.com/pr-newswire-alerts-customers-to-change-passwords-following-breach/article/316799/?DCMP=EMC-SCUS_Newswire

FYI - Sacramento State server hack affects nearly 2,000 employees - An unknown party hacked into a California State University, Sacramento (Sacramento State) computer server, compromising the personal data of nearly 2,000 employees. http://www.scmagazine.com/sacramento-state-server-hack-affects-nearly-2000-employees/article/316690/?DCMP=EMC-SCUS_Newswire


WEB SITE COMPLIANCE
Electronic Fund Transfer Act, Regulation E (Part 2 of 2)

The Federal Reserve Board Official Staff Commentary (OSC) also clarifies that terminal receipts are unnecessary for transfers initiated on-line. Specifically, the OSC provides that, because the term "electronic terminal" excludes a telephone operated by a consumer, financial institutions need not provide a terminal receipt when a consumer initiates a transfer by a means analogous in function to a telephone, such as by a personal computer or a facsimile machine.

Additionally, the regulations clarify that a written authorization for preauthorized transfers from a consumer's account includes an electronic authorization that is not signed, but similarly authenticated by the consumer, such as through the use of a security code. According to the OSC, an example of a consumer's authorization that is not in the form of a signed writing but is, instead, "similarly authenticated" is a consumer's authorization via a home banking system. To satisfy the regulatory requirements, the institution must have some means to identify the consumer (such as a security code) and make a paper copy of the authorization available (automatically or upon request). The text of the electronic authorization must be displayed on a computer screen or other visual display that enables the consumer to read the communication from the institution.

Only the consumer may authorize the transfer and not, for example, a third-party merchant on behalf of the consumer.

Pursuant to the regulations, timing in reporting an unauthorized transaction, loss, or theft of an access device determines a consumer's liability. A financial institution may receive correspondence through an electronic medium concerning an unauthorized transaction, loss, or theft of an access device. Therefore, the institution should ensure that controls are in place to review these notifications and also to ensure that an investigation is initiated as required.

INFORMATION TECHNOLOGY SECURITY
We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION

LOGICAL AND ADMINISTRATIVE ACCESS CONTROL 

AUTHENTICATION - Shared Secret Systems (Part 2 of 2)

Weaknesses in shared secret mechanisms generally relate to the ease with which an attacker can discover the secret. Attack methods vary.

- A dictionary attack is one common and successful way to discover passwords. In a dictionary attack, the attacker obtains the system password file, and compares the password hashes against hashes of commonly used passwords.

Controls against dictionary attacks include securing the password file from compromise, detection mechanisms to identify a compromise, heuristic intrusion detection to detect differences in user behavior, and rapid reissuance of passwords should the password file ever be compromised. While extensive character sets and storing passwords as one-way hashes can slow down a dictionary attack, those defensive mechanisms primarily buy the financial institution time to identify and react to the password file compromises.

- An additional attack method targets a specific account and submits passwords until the correct password is discovered.

Controls against those attacks are account lockout mechanisms, which commonly lock out access to the account after a risk-based number of failed login attempts.

- A variation of the previous attack uses a popular password, and tries it against a wide range of usernames.

Controls against this attack on the server are a high ratio of possible passwords to usernames, randomly generated passwords, and scanning the IP addresses of authentication requests and client cookies for submission patterns.

- Password guessing attacks also exist. These attacks generally consist of an attacker gaining knowledge about the account holder and password policies and using that knowledge to guess the password.

Controls include training in and enforcement of password policies that make passwords difficult to guess. Such policies address the secrecy, length of the password, character set, prohibition against using well-known user identifiers, and length of time before the password must be changed. Users with greater authorization or privileges, such as root users or administrators, should have longer, more complex passwords than other users.

- Some attacks depend on patience, waiting until the logged-in workstation is unattended.

Controls include automatically logging the workstation out after a period of inactivity (existing industry practice is no more than 20-30 minutes) and heuristic intrusion detection.

- Attacks can take advantage of automatic login features, allowing the attacker to assume an authorized user's identity merely by using a workstation.

Controls include prohibiting and disabling automatic login features, and heuristic intrusion detection.

- Users' inadvertent or unthinking actions can compromise passwords. For instance, when a password is too complex to readily memorize, the user could write the password down but not secure the paper. Frequently, written-down passwords are readily accessible to an attacker under mouse pads or in other places close to the user's machines. Additionally, attackers frequently are successful in obtaining passwords by using social engineering and tricking the user into giving up their password.

Controls include user training, heuristic intrusion detection, and simpler passwords combined with another authentication mechanism.

- Attacks can also become much more effective or damaging if different network devices share the same or a similar password.

Controls include a policy that forbids the same or similar password on particular network devices.
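As an added example (not from the FFIEC booklet or this newsletter), the following Python detection logic implements two of the controls listed above over a constructed authentication log: a risk-based lockout counter per account for the targeted single-account attack, and a per-source check for one password being tried against many usernames, which lockout alone does not catch. The log format, field names and thresholds are assumptions chosen for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample authentication log (not real data); one login attempt per line.
SAMPLE_LOG = """\
2013-10-20T09:00:01 src=198.51.100.7 user=alice result=FAIL
2013-10-20T09:00:04 src=198.51.100.7 user=alice result=FAIL
2013-10-20T09:00:09 src=198.51.100.7 user=alice result=FAIL
2013-10-20T09:05:00 src=203.0.113.9 user=bob result=FAIL
2013-10-20T09:05:02 src=203.0.113.9 user=carol result=FAIL
2013-10-20T09:05:05 src=203.0.113.9 user=dave result=FAIL
2013-10-20T09:06:00 src=192.0.2.44 user=grace result=FAIL
2013-10-20T09:06:30 src=192.0.2.44 user=grace result=OK
"""
LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(\S+)$")  # assumed log format
def parse(log_text):
    """Parse matching lines into event dicts (non-matching lines are skipped), oldest first."""
    events = []
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        ts, src, user, result = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "src": src, "user": user, "ok": result == "OK"})
    return sorted(events, key=lambda e: e["ts"])

def accounts_to_lock(events, max_failures=3, window=timedelta(minutes=15)):
    """Targeted-guessing control: lock an account at max_failures failures inside the window (thresholds are risk-based sample values)."""
    recent, locked = defaultdict(list), set()
    for e in events:
        if e["ok"]:
            recent[e["user"]] = []  # a successful login resets the failure counter
            continue
        recent[e["user"]] = [t for t in recent[e["user"]] if e["ts"] - t <= window] + [e["ts"]]
        if len(recent[e["user"]]) >= max_failures:
            locked.add(e["user"])
    return locked

def spraying_sources(events, min_users=3, window=timedelta(minutes=15)):
    """Spraying control: flag a source IP whose failures touch min_users distinct usernames inside the window."""
    fails_by_src = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails_by_src[e["src"]].append(e)
    flagged = set()
    for src, fails in fails_by_src.items():
        for i, first in enumerate(fails):  # slide the window from each failure
            users = {x["user"] for x in fails[i:] if x["ts"] - first["ts"] <= window}
            if len(users) >= min_users:
                flagged.add(src)
                break
    return flagged
```

On the sample, alice is locked after three failures, while 203.0.113.9 is flagged for spraying even though no single account it touched reached the lockout threshold.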



INTERNET PRIVACY
We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.


Content of Privacy Notice

15. If the institution provides a short-form initial privacy notice with the opt out notice, does the institution do so only to consumers with whom the institution does not have a customer relationship? [§6(d)(1)]

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated