R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

December 13, 2009

CONTENTS
- Internet Compliance
- Information Systems Security
- IT Security Question
- Internet Privacy
Website for Penetration Testing
Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, visit http://www.internetbankingaudits.com/.

FYI - GAO - U.S. Postal Service Needs to Strengthen System Acquisition and Management Capabilities to Improve Its Intelligent Mail® Full Service Program.
Release - http://www.gao.gov/new.items/d10145.pdf
Highlights - http://www.gao.gov/highlights/d10145high.pdf

Obama Wants Computer Privacy Ruling Overturned - The Obama administration is seeking to reverse a federal appeals court decision that dramatically narrows the government's search-and-seizure powers in the digital age. http://www.wired.com/threatlevel/2009/11/obama-wants-computer-privacy-ruling-overturned/


Thousands of Wis. hospital patients at risk after laptop theft - A laptop containing the personal information of thousands of patients of Aurora St. Luke's Medical Center in Milwaukee, Wis. was recently stolen. http://www.scmagazineus.com/thousands-of-wis-hospital-patents-at-risk-after-laptop-theft/article/158660/?DCMP=EMC-SCUS_Newswire

Restaurants Sue Vendors After Point-of-sale Hack - When Keith Bond bought a computerized cash register system for his Broussard, Louisiana, restaurant, he thought he was modernizing his restaurant. Today, he believes he was unwittingly opening a back door for Romanian hackers who have now cost him more than US$50,000. http://www.pcworld.com/businesscenter/article/183499/restaurants_sue_vendors_after_pointofsale_hack.html?tk=nl_dnx_t_crawl

Hackers attempt to take $1.3 million from D.C. firm - It has been a while since I've written about online banking fraud against small to mid-sized businesses, but I assure you the criminals perpetrating these attacks have been busier than ever. In fact, from more than a dozen incidents I've been investigating lately, the attackers for whatever reason now appear to be focusing heavily on property management and real estate firms, and title companies. http://voices.washingtonpost.com/securityfix/2009/11/hackers_hit_wash_dc_firm_for_1.html

Lost Royal Navy memory stick reportedly contained information on manoeuvres and UK personnel - A memory stick that contained 'restricted' information on naval manoeuvres and personnel around the UK was reported missing last week. http://www.scmagazineuk.com/lost-royal-navy-memory-stick-reportedly-contained-information-on-manoeuvres-and-uk-personnel/article/158595/

Skim versus hack: Council still in the dark - Auckland City says it still doesn't know how carpark systems were compromised - Auckland City is referring all enquiries about how its carparking systems were compromised, leading to the reissue of thousands of credit cards, to Westpac, which is leading the investigation into the incident. http://computerworld.co.nz/news.nsf/scrt/7E178E15FC9F7306CC25767A000E4A3E


We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

Authorization Practices for E-Banking Applications

1. Specific authorization and access privileges should be assigned to all individuals, agents or systems that conduct e-banking activities.

2. All e-banking systems should be constructed to ensure that they interact with a valid authorization database.

3. No individual, agent or system should have the authority to change his or her own authority or access privileges in an e-banking authorization database.

4. Any addition of an individual, agent or system or changes to access privileges in an e-banking authorization database should be duly authorized by an authenticated source empowered with the adequate authority and subject to suitable and timely oversight and audit trails.

5. Appropriate measures should be in place in order to make e-banking authorization databases reasonably resistant to tampering. Any such tampering should be detectable through ongoing monitoring processes. Sufficient audit trails should exist to document any such tampering.

6. Any e-banking authorization database that has been tampered with should not be used until replaced with a validated database.

7. Controls should be in place to prevent changes to authorization levels during e-banking transaction sessions, and any attempts to alter authorization should be logged and brought to the attention of management.
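The following is an added illustration, not part of the Basel guidance or of any Yennik product, of how principles 3 through 7 above can be enforced in code: a small authorization store that refuses self-modification, requires an authenticated actor holding an assumed "admin" privilege, blocks changes while the subject has an open session, keeps an audit trail, and seals its contents with an HMAC so tampering is detectable. The seal key and the account data are constructed for the demo.

```python
import hmac
import hashlib
import json

# Constructed demo key; a real deployment would keep it in an HSM or key service,
# never beside the database it protects.
SEAL_KEY = b"demo-seal-key-not-for-production"

class AuthorizationError(Exception):
    pass

class AuthorizationDB:
    """Toy e-banking authorization store enforcing the Basel principles above."""

    def __init__(self, initial):
        self._priv = {k: set(v) for k, v in initial.items()}   # subject -> privileges
        self.audit = []                                         # principle 4/5/7: audit trail
        self._active_sessions = set()
        self._seal = self._compute_seal()

    def _compute_seal(self):
        canon = json.dumps({k: sorted(v) for k, v in self._priv.items()}, sort_keys=True)
        return hmac.new(SEAL_KEY, canon.encode(), hashlib.sha256).hexdigest()

    def is_valid(self):
        """Principles 5 and 6: detect tampering; a failed check means do not use the DB."""
        return hmac.compare_digest(self._seal, self._compute_seal())

    def begin_session(self, subject):
        self._active_sessions.add(subject)

    def end_session(self, subject):
        self._active_sessions.discard(subject)

    def privileges(self, subject):
        return set(self._priv.get(subject, set()))

    def set_privileges(self, actor, subject, privs):
        if not self.is_valid():                      # principle 6
            raise AuthorizationError("integrity check failed; replace the database before use")
        if actor == subject:                         # principle 3
            raise AuthorizationError("self-modification of privileges is forbidden")
        if "admin" not in self._priv.get(actor, set()):   # principle 4 (assumed privilege name)
            raise AuthorizationError(f"{actor} lacks authority to change privileges")
        if subject in self._active_sessions:         # principle 7: log and refuse
            self.audit.append({"event": "blocked_change_during_session",
                               "actor": actor, "subject": subject})
            raise AuthorizationError("privileges cannot change during an active session")
        old = sorted(self._priv.get(subject, set()))
        self._priv[subject] = set(privs)
        self._seal = self._compute_seal()            # re-seal after an authorized change
        self.audit.append({"event": "privilege_change", "actor": actor,
                           "subject": subject, "old": old, "new": sorted(privs)})
```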

We continue our coverage of the FDIC's "Guidance on Managing Risks Associated With Wireless Networks and Wireless Customer Access."

PART I. Risks Associated with Wireless Internal Networks

Financial institutions are evaluating wireless networks as an alternative to the traditional cable-to-the-desktop network. Currently, wireless networks can provide speeds of up to 11 Mbps between the workstation and the wireless access device without the need for cabling individual workstations. Wireless networks also offer added mobility, allowing users to travel through the facility without losing their network connection. Wireless networks are also being used to provide connectivity between geographically close locations as an alternative to installing dedicated telecommunication lines.

Wireless differs from traditional hard-wired networking in that it provides connectivity to the network by broadcasting radio signals through the air. Wireless networks operate using a set of FCC-licensed frequencies to communicate between workstations and wireless access points. By installing wireless access points, an institution can expand its network to include workstations within broadcast range of the network access point.

The most prevalent class of wireless networks currently available is based on the IEEE 802.11b wireless standard. The standard is supported by a variety of vendors for both network cards and wireless network access points. The wireless transmissions can be encrypted using "Wired Equivalent Privacy" (WEP) encryption. WEP is intended to provide confidentiality and integrity of data and a degree of access control over the network. By design, WEP encrypts traffic between an access point and the client. However, this encryption method has fundamental weaknesses that make it vulnerable. WEP is vulnerable to the following types of decryption attacks:

1)  Decrypting information based on statistical analysis;

2)  Injecting new traffic from unauthorized mobile stations based on known plain text;

3)  Decrypting traffic based on tricking the access point;

4)  Dictionary-building attacks that, after analyzing about a day's worth of traffic, allow real-time automated decryption of all traffic (a dictionary-building attack creates a translation table that can be used to convert encrypted information into plain text without executing the decryption routine); and

5)  Attacks based on documented weaknesses in the RC4 encryption algorithm that allow an attacker to rapidly determine the encryption key used to encrypt the user's session.
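The root of weaknesses 2 and 4 above is that WEP seeds RC4 with a 24-bit IV sent in the clear plus a static shared key, so any two frames carrying the same IV use the same keystream. The added example below (not from the FDIC guidance) uses a plain RC4 implementation and a constructed shared key, IV and frames to show that one known frame under an IV yields that IV's keystream and thus decrypts any other frame under the same IV without the key, and how few frames the birthday bound predicts before an IV repeats; the frame format is simplified to just the RC4 XOR.

```python
import math

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4 (KSA then PRGA), the cipher WEP relies on; n keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                        # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_style_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP seeds RC4 with IV || static key; the IV travels in the clear with the frame."""
    return xor(rc4_keystream(iv + shared_key, len(plaintext)), plaintext)

def recover_via_keystream_reuse(shared_key, iv, known_pt, secret_pt) -> bytes:
    """Weaknesses 2 and 4: XOR of a known frame with its ciphertext gives the IV's
    keystream (one 'dictionary' entry per IV), which then strips the encryption from
    any other frame sent under that IV. The shared key is never used by the decryptor."""
    c_known = wep_style_encrypt(shared_key, iv, known_pt)
    c_secret = wep_style_encrypt(shared_key, iv, secret_pt)
    keystream_for_iv = xor(c_known, known_pt)
    return xor(c_secret, keystream_for_iv)    # correct wherever the known frame is long enough

def expected_frames_before_iv_repeat(iv_bits: int = 24) -> float:
    """Birthday bound: about sqrt(pi/2 * 2^n) frames until some IV repeats; for WEP's
    24-bit IV this is only a few thousand frames, i.e. seconds to minutes of traffic."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)
```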


IT SECURITY QUESTION:  The IT security question has been discontinued.  We have developed The Weekly IT Security Review, which is a weekly email that allows IT personnel to continuously review their IT operations THROUGHOUT THE YEAR.  The Weekly IT Security Review is also used by auditors, IT security officers, and management.


We continue our series listing the regulatory privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

40.  Does the institution provide at least one initial, annual, and revised notice, as applicable, to joint consumers? [§9(g)]


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119



All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated