Internet Banking News

August 3, 2008

CONTENT	Internet Compliance	Information Systems Security
IT Security Question	Internet Privacy	Website for Penetration Testing

Does Your Financial Institution need an affordable Internet security audit? Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b). The penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FYI - GAO - Fair Lending: Race and Gender Data Are Limited for Nonmortgage Lending.
Release - http://www.gao.gov/cgi-bin/getrpt?GAO-08-698
Highlights - http://www.gao.gov/highlights/d08698high.pdf

FYI - Unpatched Windows PCs fall to hackers in under 5 minutes, says ISC - Other researchers, however, put average 'survival' time at around 16 hours - It takes less than five minutes for hackers to find and compromise an unpatched Windows PC after it's connected to the Internet, a security researcher said today. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9109938&source=rss_topic17

FYI - Schneier research team cracks TrueCrypt - Researchers led by BT security expert Bruce Schneier have shown that deniable file systems - designed to hide data so effectively that there is no trace of its existence on a user's system - may not be so deniable after all, due to the interference of standard applications and of the operating system itself. http://news.zdnet.co.uk/security/0,1000000189,39448526,00.htm

FYI - Network Managers Fear Security Threats From Within - The 1979 film "When a Stranger Calls" portrayed the terror-filled night of a young woman fielding prank and increasingly threatening calls that climaxed when the police determined "the calls are coming from inside the house." Today IT security executives experience a similar chill down their spine when they realize the biggest threat they face comes from internal security attacks and data breaches. http://www.pcworld.com/businesscenter/article/148653/network_managers_fear_security_threats_from_within.html

FYI - BlackBerry maker fixes PDF flaw that could crash server - The maker of the BlackBerry mobile device has fixed a PDF distiller vulnerability in the BlackBerry Attachment Service, which runs on the BlackBerry Enterprise Server. http://www.scmagazineus.com/BlackBerry-maker-fixes-PDF-flaw-that-could-crash-server/article/112685/?DCMP=EMC-SCUS_Newswire

FYI - Google Trends hacked again - Search engine Google has had its Hot Trends system hacked for the second time in seven days. Last week a swastika appeared on Google Trends as a top queried term. It was removed and a spokesperson claimed that a link on a popular Internet bulletin board, 4Chan, was to blame. http://www.scmagazineus.com/Google-Trends-hacked-again/article/112601/?DCMP=EMC-SCUS_Newswire\

FYI - UnitedHealthcare Insider Charged in Cal Data Theft - A former UnitedHealthcare employee has been charged in connection with 163 identity theft cases at the University of California, Irvine. http://www.csoonline.com/article/437668/UnitedHealthcare_Insider_Charged_in_Cal_Data_Theft?contentId=437668&slug=&source=nlt_csonewswatch

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - IT admin locks up San Francisco's network - Staffer blocks access to admins, refuses to reval passwords - A network administrator has allegedly locked up a multimillion-dollar computer system for the city of San Francisco that handles sensitive data, and he is refusing to give police the password. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9110176&source=NLT_SEC&nlid=38

FYI - Facebook blunder exposes personal details - Beta test site shows dates of birth - Facebook has accidentally revealed personal information about its members. The social networking site divulged the dates of birth of many of its 80 million active users, even those who had requested that the information remained confidential.
http://www.vnunet.com/vnunet/news/2221777/facebook-exposes-members
http://www.scmagazineus.com/Facebook-exposes-private-data/article/112578/?DCMP=EMC-SCUS_Newswire

FYI - Georgian President's Web Site Attacked - The politically oriented DDoS attack seems to have originated from Russian hackers, according to a volunteer security watchdog organization. The Web site of President Mikhail Saakashvili of Georgia was inaccessible on Sunday as a result of a distributed denial-of-service (DDoS) attack, according to the Shadowserver Foundation, a volunteer security watchdog organization. http://www.informationweek.com/news/security/cybercrime/showArticle.jhtml?articleID=209400218

FYI - HIPAA privacy and security violations cost Seattle company $100,000 - The Health and Human Services Department has settled complaints over breaches of health information privacy and security rules by a Seattle home health care company. http://www.govhealthit.com/online/news/350464-1.html

FYI - Computer server part of haul in Veterans Home burglary - Missing server contained information about residents and some of their dependents - It appears that burglars took more than just a laptop computer and various electronics when they broke into the Minneapolis Veterans Home early last Sunday. http://www.startribune.com/local/25623519.html?location_refer=Homepage:latestNews:4

Return to the top of the newsletter

WEB SITE COMPLIANCE - OCC - Threats from Fraudulent Bank Web Sites - Risk Mitigation and Response Guidance for Web Site Spoofing Incidents (Part 4 of 5)

PROCEDURES TO ADDRESS SPOOFING - Spoofing Incident Response

To respond to spoofing incidents effectively, bank management should establish structured and consistent procedures. These procedures should be designed to close fraudulent Web sites, obtain identifying information from the spoofed Web site to protect customers, and preserve evidence that may be helpful in connection with any subsequent law enforcement investigations.

Banks can take the following steps to disable a spoofed Web site and recover customer information. Some of these steps will require the assistance of legal counsel.

* Communicate promptly, including through written communications, with the Internet service provider (ISP) responsible for hosting the fraudulent Web site and demand that the suspect Web site be shutdown;
* Contact the domain name registrars promptly, for any domain name involved in the scheme, and demand the disablement of the domain names;
* Obtain a subpoena from the clerk of a U.S. District Court directing the ISP to identify the owners of the spoofed Web site and to recover customer information in accordance with the Digital Millennium Copyright Act;
* Work with law enforcement; and
* Use other existing mechanisms to report suspected spoofing activity.

The following are other actions and types of legal documents that banks can use to respond to a spoofing incident:

* Banks can write letters to domain name registrars demanding that the incorrect use of their names or trademarks cease immediately;
* If these demand letters are not effective, companies with registered Internet names can use the Uniform Domain Name Dispute Resolution Process (UDRP) to resolve disputes in which they suspect that their names or trademarks have been illegally infringed upon. This process allows banks to take action against domain name registrars to stop a spoofing incident. However, banks must bear in mind that the UDRP can be relatively time-consuming. For more details on this process see http://www.icann.org/udrp/udrp-policy-24oct99.htm; and
* Additional remedies may be available under the federal Anti-Cybersquatting Consumer Protection Act (ACCPA) allowing thebank to initiate immediate action in federal district court under section 43(d) of the Lanham Act, 15 USC 1125(d). Specifically, the ACCPA can provide for rapid injunctive relief without the need to demonstrate a similarity or likelihood of confusion between the goods or services of the parties.

Return to the top of the newsletter

INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION

LOGICAL AND ADMINISTRATIVE ACCESS CONTROL

Examples of Common Authentication Weaknesses, Attacks, and Offsetting Controls (Part 2 of 2)

Social engineering involves an attacker obtaining authenticators by simply asking for them. For instance, the attacker may masquerade as a legitimate user who needs a password reset, or a contractor who must have immediate access to correct a system performance problem. By using persuasion, being aggressive, or using other interpersonal skills, the attackers encourage a legitimate user or other authorized person to give them authentication credentials. Controls against these attacks involve strong identification policies and employee training.

Client attacks are an area of vulnerability common to all authentication mechanisms. Passwords, for instance, can be captured by hardware - or software - based keystroke capture mechanisms. PKI private keys could be captured or reverse - engineered from their tokens. Protection against these attacks primarily consists of physically securing the client systems, and, if a shared secret is used, changing the secret on a frequency commensurate with risk. While physically securing the client system is possible within areas under the financial institution's control, client systems outside the institution may not be similarly protected.

Replay attacks occur when an attacker eavesdrops and records the authentication as it is communicated between a client and the financial institution system, then later uses that recording to establish a new session with the system and masquerade as the true user. Protections against replay attacks include changing cryptographic keys for each session, using dynamic passwords, expiring sessions through the use of time stamps, expiring PKI certificates based on dates or number of uses, and implementing liveness tests for biometric systems.

Hijacking is an attacker's use of an authenticated user's session to communicate with system components. Controls against hijacking include encryption of the user's session and the use of encrypted cookies or other devices to authenticate each communication between the client and the server.

Return to the top of the newsletter

IT SECURITY QUESTION:

B. NETWORK SECURITY

16. Determine whether appropriate notification is made of requirements for authorized use, through banners or other means.

Return to the top of the newsletter

INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

43. Does the institution allow the consumer to select certain nonpublic personal information or certain nonaffiliated third parties with respect to which the consumer wishes to opt out? [§10(c)]

(Note: an institution may allow partial opt outs in addition to, but may not allow them instead of, a comprehensive opt out.)