FYI -
FFIEC Guidance on Pandemic Planning - The Federal Financial
Institutions Examination Council issued guidance today for use by
financial institutions in identifying the continuity planning that
should be in place to minimize the potential adverse effects of a
pandemic. This guidance expands upon the contents of the Interagency
Advisory on Influenza Pandemic Preparedness issued in March 2006.
www.federalreserve.gov/boarddocs/SRLETTERS/2007/SR0718.htm
FYI -
OMB directs agencies to close off most Internet links - The Office
of Management and Budget's Trusted Internet Connections (TIC)
initiative is likely to be the last publicized program in the Bush
administration's stepped-up focus on cybersecurity.
http://www.fcw.com/online/news/150964-1.html?type=pf
FYI -
Security policies? Workers ignore them, survey says - It's one thing
to have a companywide information security policy in place. But it's
a whole different ballgame to get employees to actually follow the
policies -- even those that are IT types.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9051483&source=rss_topic17
FYI -
Privacy breach nuked in Canadian passport site - Red-faced Canadian
passport officials say they've closed a privacy breach on their
website that leaked the personal information of applicants,
including their driver's license numbers, birth dates - even whether
they owned a gun.
http://www.theregister.co.uk/2007/12/04/canadian_passport_site_breach/print.html
FYI -
Wireless keyboards vulnerable to hacking via radio receivers -
Cybercriminals can log the keystrokes of end-users by cracking the
encryption of non-Bluetooth wireless keyboards from over 30 feet
away.
http://www.scmagazineus.com/Wireless-keyboards-vulnerable-to-hacking-via-radio-receivers-Dreamlab/article/99759/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
Lost data discs 'endanger protected witnesses' - Hundreds of people
in police witness protection programmes have been put at risk by the
loss of millions of child benefit records.
http://www.telegraph.co.uk/news/main.jhtml?xml=/news/2007/12/05/ndata105.xml
FYI -
Hackers get data of federal lab visitors - The Oak Ridge National
Laboratory revealed on Thursday that a "sophisticated cyber attack"
over the last few weeks may have allowed personal information about
thousands of lab visitors to be stolen.
http://seattlepi.nwsource.com/business/1700ap_cyber_attack.html
http://www.scmagazineus.com/Attackers-hack-into-Oak-Ridge-National-Laboratory/article/99767/
FYI -
Forrester Loses Laptop Containing Personnel Data - The incident
appears to be a clear case of, "Do as I say, not as I do." Thieves
stole a laptop from the home of a Forrester Research employee during
the week of Nov. 26, potentially exposing the names, addresses and
Social Security numbers of an undisclosed number of current and
former employees and directors, the company said in a letter mailed
to those affected.
http://www.eweek.com/article2/0%2C1895%2C2228887%2C00.asp
FYI -
Stolen Laptop Had 268,000 Social Security Numbers - A Twin Cities
blood bank says a laptop computer with 268,000 names and Social
Security numbers has been stolen.
http://wcco.com/local/stolen.laptop.social.2.603413.html
FYI -
Community Blood Center affected by laptop theft - Community Blood
Center is the latest business to be notified that employees'
information was stored on a laptop stolen in October from a
Kettering auditing firm.
http://www.springfieldnewssun.com/hp/content/oh/story/news/local/2007/11/30/sns120107laptop.html
FYI -
Tricare data breach affects 4,700 families - Letters are in the mail
to about 4,700 households who submitted claims through the Tricare
Europe office since 2004 about a data breach involving their
personal information - a month after the breach was reported.
http://www.airforcetimes.com/news/2007/12/military_tricarebreach_071207w/
FYI -
Bank details on stolen laptop - Personal details of up to 60,000
people have been lost by Citizens Advice, it was revealed. Bank
account numbers, National Insurance numbers, names, addresses and
dates of birth were on a laptop stolen from a staff member's car in
Belfast.
http://www.guardian.co.uk/uklatest/story/0,,-7135536,00.html
FYI -
Police launch hunt for bogus bobbies - A gang of robbers dressed as
police told staff at a data centre in London's King's Cross last
night they were investigating reports of people on the roof of the
building, before tying them up and making off with expensive
hardware.
http://www.theregister.co.uk/2007/12/07/verizon_datacentre_robbery_investigation/print.html
WEB SITE COMPLIANCE -
Advertisement Of Membership
The FDIC and NCUA consider every insured depository institution's
online system top-level page, or "home page", to be an
advertisement. Therefore, according to these agencies'
interpretation of their rules, financial institutions subject to the
regulations should display the official advertising statement on
their home pages unless subject to one of the exceptions described
under the regulations. Furthermore, each subsidiary page of an
online system that contains an advertisement should display the
official advertising statement unless subject to one of the
exceptions described under the regulations. Additional information
about the FDIC's interpretation can be found in the Federal
Register, Volume 62, Page 6145, dated February 11, 1997.
INFORMATION TECHNOLOGY SECURITY - This concludes the series from
the FDIC "Security Risks Associated with the Internet." While this
Financial Institution Letter was published in December 1997, the
issues are still relevant. Starting next week, we will begin
covering the OCC Bulletin on Infrastructure Threats and Intrusion
Risks dated May 15, 2000.
V. Security Flaws and Bugs
Because hardware and software continue to change, the task of
maintaining system performance and security is ongoing. Products are
frequently issued that contain security flaws or other bugs, and
security patches and version upgrades are then issued to correct the
deficiencies. The most important action in this regard is to keep
current on the latest software releases and security patches. This
information is generally available from product developers and
vendors. Also important is an understanding of the products and
their security flaws, and how they may affect system performance.
For example, if there is a delay before a patch is available to
correct an identified problem, it may be necessary to apply
mitigating controls (such as disabling the affected feature or
restricting network access to it) until the patch is issued.
Reference sources for the identification of software bugs exist,
such as the Computer Emergency Response Team Coordination Center
(CERT/CC) at the Software Engineering Institute of Carnegie Mellon
University, Pittsburgh, Pennsylvania. The CERT/CC, among other
activities, issues advisories on security flaws in software
products, and provides this information to the general public
through subscription e-mail, Internet newsgroups (Usenet), and
their Web site at www.cert.org.
Many other resources are freely available on the Internet.
Active Content Languages
Active content languages have been the subject of a number of recent
security discussions within the technology industry. While it is not
their only application, these languages allow computer programs to
be attached to Web pages. As such, more appealing and interactive
Web pages can be created, but this function may also allow
unauthorized programs to be automatically downloaded to a user's
computer. To date, few incidents have been reported of harm caused
by such programs; however, active content programs could be
malicious, designed to access or damage data or insert a
virus.
Security problems may also arise from implementation details, such
as how the languages and the programs written in them interact with
other software, including Web browsers. Typically, users can disable
the acceptance of such programs in their Web browser, or configure
the browser so that they choose which programs to accept and which
to deny. It is important for users to understand how these
languages function and the risks involved, so that they make
educated decisions regarding their use. Security alerts concerning
active content languages are usually well publicized and should
receive prompt review by those using the technology.
VI. Viruses
Because potentially malicious programs can be downloaded directly
onto a system from the Internet, virus protection measures beyond
the traditional boot scanning techniques may be necessary to
properly protect servers, systems, and workstations. Additional
protection might include anti-virus products that remain resident,
providing for scanning during downloads or the execution of any
program. It is also important to ensure that all system users are
educated in the risks posed to systems by viruses and other
malicious programs, as well as the proper procedures for accessing
information and avoiding such threats.
IT SECURITY QUESTION:
Core application user access controls: (Part 2 of 2)
h. Is the user locked out after three unsuccessful attempts to enter
the correct password?
i. How long is the user locked out after entering an incorrect
password?
j. Automatic timeout if left unattended? If so, how long?
k. Automatic lockout by time of day and day of week?
l. Is user access restricted by workstation?
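The following Python is an added example, not text or code from the newsletter or from any FDIC/OCC guidance. It models the five controls items h through l ask about (lockout after three bad passwords, a fixed lockout duration, an idle-session timeout, a time-of-day/day-of-week window, and a per-user workstation restriction) so an examiner can see how the answers to those questions translate into enforcement logic. The thresholds, the user "teller1", the workstation names and the timestamps are all constructed for illustration; credentials are stored as salted PBKDF2 hashes rather than plaintext.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


# Policy values are constructed for illustration; each field maps to one
# checklist item (h through l).
@dataclass
class AccessPolicy:
    max_failures: int = 3                                   # h: lock after 3 bad passwords
    lockout: timedelta = timedelta(minutes=30)              # i: how long the lock lasts
    idle_timeout: timedelta = timedelta(minutes=15)         # j: unattended session timeout
    allowed_days: frozenset = frozenset(range(5))           # k: Mon-Fri (datetime.weekday())
    allowed_hours: range = range(7, 19)                     # k: 07:00 through 18:59
    allowed_workstations: dict = field(default_factory=dict)  # l: user -> set of hostnames


@dataclass
class UserState:
    pw_hash: bytes
    salt: bytes
    failures: int = 0
    locked_until: Optional[datetime] = None
    last_activity: Optional[datetime] = None   # None means no live session


def derive(password: str, salt: bytes) -> bytes:
    # The stored credential is a salted PBKDF2 hash, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str) -> UserState:
    salt = os.urandom(16)
    return UserState(pw_hash=derive(password, salt), salt=salt)


class AccessController:
    def __init__(self, policy: AccessPolicy, users: dict):
        self.policy, self.users = policy, users

    def login(self, user: str, password: str, workstation: str, now: datetime) -> str:
        """Return "ok" or a "denied: ..." reason. Schedule and workstation checks
        run before the password is examined so those denials never count as
        failures against the lockout threshold."""
        p, st = self.policy, self.users.get(user)
        if now.weekday() not in p.allowed_days or now.hour not in p.allowed_hours:
            return "denied: outside permitted hours"
        permitted = p.allowed_workstations.get(user)
        if permitted is not None and workstation not in permitted:
            return "denied: workstation not permitted"
        if st is None:
            return "denied: bad password"   # same answer as a wrong password: no user enumeration
        if st.locked_until is not None:
            if now < st.locked_until:
                return "denied: account locked"
            st.locked_until, st.failures = None, 0   # lock has expired (item i)
        if not hmac.compare_digest(derive(password, st.salt), st.pw_hash):
            st.failures += 1
            if st.failures >= p.max_failures:        # item h
                st.locked_until = now + p.lockout
                return "denied: account locked"
            return "denied: bad password"
        st.failures, st.last_activity = 0, now
        return "ok"

    def touch(self, user: str, now: datetime) -> bool:
        """Record activity on a live session. False means the session idled past
        the timeout (item j) and the user must authenticate again."""
        st = self.users[user]
        if st.last_activity is None or now - st.last_activity > self.policy.idle_timeout:
            st.last_activity = None
            return False
        st.last_activity = now
        return True


def run_demo() -> list:
    """Walk one constructed user through each control and return the decisions."""
    policy = AccessPolicy(allowed_workstations={"teller1": {"WS-101"}})
    ac = AccessController(policy, {"teller1": make_user("correct horse")})
    t0 = datetime(2007, 12, 10, 9, 0)   # constructed: a Monday at 09:00
    m = timedelta
    return [
        ac.login("teller1", "wrong", "WS-101", t0),                        # failure 1
        ac.login("teller1", "wrong", "WS-101", t0 + m(seconds=5)),         # failure 2
        ac.login("teller1", "wrong", "WS-101", t0 + m(seconds=10)),        # failure 3 -> locked
        ac.login("teller1", "correct horse", "WS-101", t0 + m(minutes=5)),   # right password, still locked
        ac.login("teller1", "correct horse", "WS-101", t0 + m(minutes=31)),  # lock expired -> ok
        ac.touch("teller1", t0 + m(minutes=40)),                           # 9 min idle -> still live
        ac.touch("teller1", t0 + m(minutes=60)),                           # 20 min idle -> timed out
        ac.login("teller1", "correct horse", "WS-999", t0 + m(minutes=61)),  # wrong workstation
        ac.login("teller1", "correct horse", "WS-101", datetime(2007, 12, 15, 9, 0)),  # Saturday
    ]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

Two design points worth noting against the checklist: the lockout is time-based and self-clearing (item i), so a locked account needs no administrator reset once the window passes, and the idle timeout is enforced on every request rather than only at login, which is what "automatic timeout if left unattended" (item j) actually requires.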
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
8) Do the initial, annual, and revised privacy notices include
each of the following, as applicable: (Part 1 of 2)
a) the categories of nonpublic personal information that the
institution collects; [§6(a)(1)]
b) the categories of nonpublic personal information that the
institution discloses; [§6(a)(2)]
c) the categories of affiliates and nonaffiliated third
parties to whom the institution discloses nonpublic personal
information, other than parties to whom information is disclosed
under an exception in §14 or §15; [§6(a)(3)]
d) the categories of nonpublic personal information disclosed
about former customers, and the categories of affiliates and
nonaffiliated third parties to whom the institution discloses that
information, other than those parties to whom the institution
discloses information under an exception in §14 or §15; [§6(a)(4)]