R. Kinney Williams - Yennik, Inc.
R. Kinney Williams
Yennik, Inc.

Internet Banking News
for the week of August 19, 2018

Published by Yennik, Inc. the acknowledged leader in independent IT security audits for financial institutions.

Newsletter Content IT Security IT Security Checklist
Web Site Compliance Internet Privacy Pen Testing Auditing

FFIEC information technology audits - As a former bank examiner with over 40 years IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for bankers in Texas, New Mexico, Colorado, and Oklahoma. 

- FBI Warns of ‘Unlimited’ ATM Cashout Blitz - The Federal Bureau of Investigation (FBI) is warning banks that cybercriminals are preparing to carry out a highly choreographed, global fraud scheme known as an “ATM cash-out,” in which crooks hack a bank or payment card processor and use cloned cards at cash machines around the world to fraudulently withdraw millions of dollars in just a few hours. https://krebsonsecurity.com/2018/08/fbi-warns-of-unlimited-atm-cashout-blitz/

Banks and Retailers Are Tracking How You Type, Swipe and Tap - When you’re browsing a website and the mouse cursor disappears, it might be a computer glitch - or it might be a deliberate test to find out who you are. https://www.nytimes.com/2018/08/13/business/behavioral-biometrics-banks-security.html

NARA is doing great at email, website security. Maybe - The National Archives and Records Administration is (possibly) a model for federal agencies looking to comply with a binding operational directive issued by the Department of Homeland Security last year to boost security of federal websites and email. https://fcw.com/articles/2018/08/09/nara-email-johnson.aspx

A New Pacemaker Hack Puts Malware Directly on the Device - The first pacemaker hacks emerged about a decade ago. But the latest variation on the terrifying theme depends not on manipulating radio commands, as many previous attacks have, but on malware installed directly on an implanted pacemaker. https://www.wired.com/story/pacemaker-hack-malware-black-hat/

FCC lied to Congress about made-up DDoS attack, investigation found - The Federal Communications Commission lied to members of Congress multiple times in a letter that answered questions about a "DDoS attack" that never happened, an internal investigation found. https://arstechnica.com/tech-policy/2018/08/fcc-lied-to-congress-about-made-up-ddos-attack-investigation-found/

'Hack the Marine Corps' Bug Bounty Event Held in Vegas - The US Marine Corps yesterday in Las Vegas held a live hacking event focused on its public-facing websites and enterprise services, and it paid out $80,000 in total to researchers for 75 new vulnerabilities that they found. http://www.darkreading.com/vulnerabilities---threats/hack-the-marine-corps-bug-bounty-event-held-in-vegas-/d/d-id/1332541

How California Is Improving Cyber Threat Information Sharing - The state wants to add every city and county government to its automated threat feed program in the next three to four years. https://www.nextgov.com/cybersecurity/2018/08/how-california-improving-cyber-threat-information-sharing/150475/

Fax Machines Are Still Everywhere, and Wildly Insecure - It's tempting to think of fax machines as a relic, every bit as relevant as an eight-track tape. But fields like health care and government still rely on faxes every day. Even your all-in-one printer probably has a fax component. And new research shows that vulnerabilities in that very old tech could expose entire corporate networks to attack. https://www.wired.com/story/fax-machine-vulnerabilities/

Caesars' Palace security room checks rattle Def Con attendees, conference SecOps head offers resignation - A policy implemented at Caesar's Palace in the wake of last October's shooting that allows hotel security to spotcheck the room of guests who've rejected housekeeping services has prompted the head of security operations of Def Con, which held its conference in the hotel last week, to offer his resignation. https://www.scmagazine.com/caesars-palace-security-room-checks-rattle-def-con-attendees-conference-secops-head-offers-resignation/article/788300/

If not now, when? Reinventing your IT security approach to prioritize speed - For years, the security ecosystem has been in response mode. When an attack happens, the common reaction is centered around damage control or applying security band-aids, and it doesn't always happen in a speedy fashion. https://www.scmagazine.com/if-not-now-when-reinventing-your-it-security-approach-to-prioritize-speed/article/783895/


FYI - Ransomware attack at Blue Springs Family Care in Missouri affects 45,000 patients - Blue Springs Family Care in Missouri was hit by a ransomware attack that compromised the information of nearly 45,000 patients. https://www.scmagazine.com/ransomware-attack-at-blue-springs-family-care-in-missouri-affects-45000-patients/article/787508/

Comcast Xfinity exposed 26.5 million customer SSNs and partial home addresses - Security researcher Ryan Stevenson spotted a vulnerability in Comcast Xfinity's in-home authentication system, which exposed the partial home addresses and partial Social Security numbers of 26.5 million customers. https://www.scmagazine.com/comcast-xfinity-exposed-265-million-customer-ssns-and-partial-home-addresses/article/787215/

The worst kind of hazard: PGA falls victim to ransomware - "Hacker" was already a dirty word in golf when it referred to a terrible player. But now the term is taking on an even worse connotation, after attackers reportedly infected the PGA of America with ransomware. https://www.scmagazine.com/the-worst-kind-of-hazard-pga-falls-victim-to-ransomware/article/787171/

GoDaddy configuration info exposed on open S3 bucket created by Amazon employee - An open Amazon AWS S3 bucket that exposed GoDaddy's cloud configuration information was originated with an AWS salesperson, according to Amazon, and secured after the UpGuard Cyber Risk Team that discovered it notified the domain name registrar. https://www.scmagazine.com/godaddy-configuration-info-exposed-on-open-s3-bucket-created-by-amazon-employee/article/787940/

Brazilian banking customers targeted by IoT DNS hijacking attacks - A DNS hijacking campaign has been discovered targeting Banco de Brasil and Itau Unibanco customer credentials through the end-user IoT devices. https://www.scmagazine.com/brazilian-banking-customers-targeted-by-iot-dns-hijacking-attacks/article/788160/

50.5 million Sungy Mobile customers exposed through open ports - Chinese app maker Sungy Mobile may have exposed the information of more than 50.5 million of its customers, according to researchers who were able to access dozens of the company's databases through a pair of IP addresses that did not require any login credentials. https://www.scmagazine.com/505-million-sungy-mobile-customers-exposed-through-open-ports/article/788804/

Return to the top of the newsletter

Electronic Fund Transfer Act, Regulation E (Part 2 of 2)
  Additionally, the regulations clarifies that a written authorization for preauthorized transfers from a consumer's account includes an electronic authorization that is not signed, but similarly authenticated by the consumer, such as through the use of a security code.  According to the Official Staff Commentary (OSC,) an example of a consumer's authorization that is not in the form of a signed writing but is, instead, "similarly authenticated," is a consumer's authorization via a home banking system.  To satisfy the regulatory requirements, the institution must have some means to identify the consumer (such as a security code) and make a paper copy of the authorization available (automatically or upon request).  The text of the electronic authorization must be displayed on a computer screen or other visual display that enables the consumer to read the communication from the institution. Only the consumer may authorize the transfer and not, for example, a third-party merchant on behalf of the consumer.
  Pursuant to the regulations, timing in reporting an unauthorized transaction, loss, or theft of an access device determines a consumer's liability.  A financial institution may receive correspondence through an electronic medium concerning an unauthorized transaction, loss, or theft of an access device.  Therefore, the institution should ensure that controls are in place to review these notifications and also to ensure that an investigation is initiated as required.

Return to the top of the newsletter

FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  

The quality of security controls can significantly influence all categories of risk. Traditionally, examiners and bankers recognize the direct impact on operational/transaction risk from incidents related to fraud, theft, or accidental damage. Many security weaknesses, however, can directly increase exposure in other risk areas. For example, the GLBA introduced additional legal/compliance risk due to the potential for regulatory noncompliance in safeguarding customer information. The potential for legal liability related to customer privacy breaches may present additional risk in the future. Effective application access controls can reduce credit and market risk by imposing risk limits on loan officers or traders. If a trader were to exceed the intended trade authority, the institution may unknowingly assume additional market risk exposure.
  A strong security program reduces levels of reputation and strategic risk by limiting the institution's vulnerability to intrusion attempts and maintaining customer confidence and trust in the institution. Security concerns can quickly erode customer confidence and potentially decrease the adoption rate and rate of return on investment for strategically important products or services. Examiners and risk managers should incorporate security issues into their risk assessment process for each risk category. Financial institutions should ensure that security risk assessments adequately consider potential risk in all business lines and risk categories.
  Information security risk assessment is the process used to identify and understand risks to the confidentiality, integrity, and availability of information and information systems. An adequate assessment identifies the value and sensitivity of information and system components and then balances that knowledge with the exposure from threats and vulnerabilities. A risk assessment is a necessary pre-requisite to the formation of strategies that guide the institution as it develops, implements, tests, and maintains its information systems security posture. An initial risk assessment may involve a significant one-time effort, but the risk assessment process should be an ongoing part of the information security program.
  Risk assessments for most industries focus only on the risk to the business entity. Financial institutions should also consider the risk to their customers' information. For example, section 501(b) of the GLBA requires financial institutions to 'protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer."

Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 17.3.1 Internal Access Controls

 Internal access controls are a logical means of separating what defined users (or user groups) can or cannot do with system resources. Five methods of internal access control are discussed in this section: passwords, encryption, access control lists, constrained user interfaces, and labels. Passwords

 Passwords are most often associated with user authentication. However, they are also used to protect data and applications on many systems, including PCs. For instance, an accounting application may require a password to access certain financial data or to invoke a restricted application (or function of an application).
 Password-based access control is often inexpensive because it is already included in a large variety of applications. However, users may find it difficult to remember additional application passwords, which, if written down or poorly chosen, can lead to their compromise. Password-based access controls for PC applications are often easy to circumvent if the user has access to the operating system (and knowledge of what to do). There are other disadvantages to using passwords.
 The use of passwords as a means of access control can result in a proliferation of passwords that can reduce overall security. Encryption

 Another mechanism that can be used for logical access control is encryption. Encrypted information can only be decrypted by those possessing the appropriate cryptographic key. This is especially useful if strong physical access controls cannot be provided, such as for laptops or floppy diskettes. Thus, for example, if information is encrypted on a laptop computer, and the laptop is stolen, the information cannot be accessed. While encryption can provide strong access control, it is accompanied by the need for strong key management. Use of encryption may also affect availability. For example, lost or stolen keys or read/write errors may prevent the decryption of the information.

Please don't hesitate to email me (examiner@yennik.com) if you have any questions.  Have a great week,

R. Kinney Williams, President
IT Security Auditor
Yennik, Inc.

Independent Pen-test Audits
Our pen-test firewall audit  meets the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b) The audit focuses on a hacker's perspective, which will help your IT staff identify real-world weaknesses.  For more information, please call R. Kinney Williams at Office 806-798-7119, send an email to examiner@yennik.com, or visit http://www.internetbankingaudits.com/


You may also receive this newsletter by email.  Go to https://yennik.com/newletter.htm for more information.  The various category comments may be excerpts from regulatory press releases, which can be found at the respective regulatory web site.  Our privacy statement can be found at http://www.yennik.com/privacy_statement.htm.

Copyright Yennik, Inc.
Our logo above is registered with the United States Patent and Trademark Office.