R. Kinney Williams - Yennik, Inc.

Internet Banking News
for the week of February 17, 2019

Published by Yennik, Inc. the acknowledged leader in independent IT security audits for financial institutions.
 




FFIEC information technology audits - As a former bank examiner with over 40 years IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for bankers in Texas, New Mexico, Colorado, and Oklahoma. 

FYI
- Phishing emails imitate North American banks to infect recipients with TrickBot - A spam-based phishing campaign recently targeted North American banking customers with malicious Excel documents designed to infect victims with a new variant of the information-stealing TrickBot banking trojan, researchers reported earlier this week. https://www.scmagazine.com/home/security-news/phishing-emails-imitate-north-american-banks-to-infect-recipients-with-trickbot/

Reversing the Rachio Smart Sprinkler Controller - A new smart device that “takes the guesswork out of watering.” An IoT device that extends the boundaries of your smart home into the yard? Sure, what could go wrong? Turns out, sometimes, when things are designed with security in mind, not as much. https://medium.com/tenable-techblog/reversing-the-rachio3-smart-sprinkler-controller-ae7fc06aab9

South African Power Firm Eskom Fails To Secure Customer Data - A security researcher resorted to a public tweet about a serious data breach involving customer data, after a South African electricity provider ignored all other pleas to resolve the leak. https://www.silicon.co.uk/security/cyberwar/south-african-eskom-customer-data-241245

Bipartisan bill would create public-private cyber workforce exchange - Sens. Amy Klobuchar (D-Minn.) and John Thune (R-S.D.) on Monday introduced a bipartisan bill to create an exchange program between the federal government and private firms aimed at bringing more cybersecurity expertise to the federal workforce. https://thehill.com/policy/cybersecurity/429493-bipartisan-bill-would-create-public-private-cyber-workforce-exchange

Report: Details on 617 million user accounts up for sale on dark web - A dark web marketplace this week reportedly began selling stolen data linked to roughly 617 million user accounts from 16 different websites. https://www.scmagazine.com/home/security-news/report-details-on-617-million-user-accounts-up-for-sale-on-dark-web/

The key to protecting against internet traffic hijacking - Recently, reports emerged that a large Asian telecommunications company has been covertly hijacking global internet traffic for nearly 30 months. https://www.scmagazine.com/home/opinion/the-key-to-protecting-against-internet-traffic-hijacking/

31 AGs ask FTC to update Identity Theft Rules - Attorneys general from 31 states have asked the Federal Trade Commission (FTC) to update its Identity Theft Rules. https://www.scmagazine.com/home/security-news/31-ags-ask-ftc-to-update-identity-theft-rules/


ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Movie and TV-tracking service Trakt belatedly discovers 2014 breach - An unauthorized party illegally accessed data from TV and movie “scrobbling” service Trakt more than four years ago, but only now are users learning about it. https://www.scmagazine.com/home/security-news/movie-and-tv-tracking-service-trakt-belatedly-discovers-2014-breach/

Unauthorized intruder preys on Bayside Covenant Church - The Bayside Covenant Church of Roseville, Calif. reported that for three months last year unauthorized personnel accessed some employee information. https://www.scmagazine.com/home/security-news/data-breach/bayside-covenant-church-phished-and-breached/

Some Airline Flight Online Check-in Links Expose Passenger Data - Several airlines send unencrypted links to passengers for flight check-in that could be intercepted by attackers to view passenger and other data, researchers found. http://www.darkreading.com/attacks-breaches/some-airline-flight-online-check-in-links-expose-passenger-data-/d/d-id/1333806

Dunkin’ Donuts target of credentials stuffing for second time - For the second time in three months, Dunkin’ Donuts has been the target of credentials stuffing attacks. https://www.scmagazine.com/home/security-news/dunkin-donuts-target-of-credentials-stuffing-for-second-time/

Credential-stuffing hackers reportedly break hearts, accounts at OkCupid - Dating can make people feel vulnerable enough, especially in the run up to Valentine’s Day, without hackers blocking access to their OkCupid accounts and potentially tapping their personal information. https://www.scmagazine.com/home/security-news/credential-stuffing-hackers-reportedly-break-hearts-accounts-at-okcupid/

Phishers Target Anti-Money Laundering Officers at U.S. Credit Unions - A highly targeted, malware-laced phishing campaign landed in the inboxes of multiple credit unions last week. https://krebsonsecurity.com/2019/02/phishers-target-anti-money-laundering-officers-at-u-s-credit-unions/

Big trouble Down Under as Australian MPs told to reset their passwords amid hack attack fears - 'No evidence that any data has been accessed time' say Australian officials as fingers pointed at foreign spies. https://www.theregister.co.uk/2019/02/08/australia_parliament_password_reset/



WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

Legal and Reputational Risk Management

To protect banks against business, legal and reputation risk, e-banking services must be delivered on a consistent and timely basis in accordance with high customer expectations for constant and rapid availability and potentially high transaction demand. The bank must have the ability to deliver e-banking services to all end-users and be able to maintain such availability in all circumstances. Effective incident response mechanisms are also critical to minimize operational, legal and reputational risks arising from unexpected events, including internal and external attacks, that may affect the provision of e-banking systems and services. To meet customers' expectations, banks should therefore have effective capacity, business continuity and contingency planning. Banks should also develop appropriate incident response plans, including communication strategies, that ensure business continuity, control reputation risk and limit liability associated with disruptions in their e-banking services.



FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION

LOGICAL AND ADMINISTRATIVE ACCESS CONTROL

Examples of Common Authentication Weaknesses, Attacks, and Offsetting Controls (Part 2 of 2)

Social engineering involves an attacker obtaining authenticators by simply asking for them. For instance, the attacker may masquerade as a legitimate user who needs a password reset, or a contractor who must have immediate access to correct a system performance problem. By using persuasion, being aggressive, or using other interpersonal skills, the attackers encourage a legitimate user or other authorized person to give them authentication credentials. Controls against these attacks involve strong identification policies and employee training.

Client attacks are an area of vulnerability common to all authentication mechanisms. Passwords, for instance, can be captured by hardware- or software-based keystroke capture mechanisms. PKI private keys could be captured or reverse-engineered from their tokens. Protection against these attacks primarily consists of physically securing the client systems, and, if a shared secret is used, changing the secret on a frequency commensurate with risk. While physically securing the client system is possible within areas under the financial institution's control, client systems outside the institution may not be similarly protected.

Replay attacks occur when an attacker eavesdrops and records the authentication as it is communicated between a client and the financial institution system, then later uses that recording to establish a new session with the system and masquerade as the true user. Protections against replay attacks include changing cryptographic keys for each session, using dynamic passwords, expiring sessions through the use of time stamps, expiring PKI certificates based on dates or number of uses, and implementing liveness tests for biometric systems.

Hijacking is an attacker's use of an authenticated user's session to communicate with system components. Controls against hijacking include encryption of the user's session and the use of encrypted cookies or other devices to authenticate each communication between the client and the server.
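As an added illustration of the replay and hijacking controls in the two paragraphs above (example code written for this newsletter, not taken from the FFIEC booklet): every message carries a time stamp and a one-time nonce, all three fields are authenticated with a per-session HMAC key, and the server refuses anything that is altered, outside the freshness window, or presented a second time. The names ReplayGuard, Sign and Verify, the demo key bytes and the 30-second window are assumptions made here for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strconv"
)

// demoKey is a constructed example value; in practice a per-session key is established at login.
var demoKey = []byte("constructed-demo-session-key")

// Message is one client-to-server exchange: payload, time stamp and one-time nonce, all under one HMAC.
type Message struct {
	TS      int64  // sender's clock, Unix seconds
	Nonce   string // hex, fresh for every message
	Payload string
	Tag     string // hex HMAC-SHA256 over canonical(TS, Nonce, Payload)
}

// canonical fixes the bytes both sides authenticate; payload goes last so a newline in it is unambiguous.
func canonical(ts int64, nonce, payload string) []byte {
	return []byte(strconv.FormatInt(ts, 10) + "\n" + nonce + "\n" + payload)
}

func tag(key []byte, ts int64, nonce, payload string) string {
	m := hmac.New(sha256.New, key)
	m.Write(canonical(ts, nonce, payload))
	return hex.EncodeToString(m.Sum(nil))
}

// NewNonce draws 128 random bits; honest messages never repeat one.
func NewNonce() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// Sign is the client side: stamp the payload and authenticate it.
func Sign(key []byte, payload string, ts int64, nonce string) Message {
	return Message{TS: ts, Nonce: nonce, Payload: payload, Tag: tag(key, ts, nonce, payload)}
}

// ReplayGuard is the server side: valid MAC, inside the freshness window, nonce not yet accepted.
type ReplayGuard struct {
	key    []byte
	window int64            // seconds of clock skew and delivery delay tolerated
	seen   map[string]int64 // nonce -> time stamp of messages already accepted
}

func NewReplayGuard(key []byte, windowSeconds int64) *ReplayGuard {
	return &ReplayGuard{key: key, window: windowSeconds, seen: map[string]int64{}}
}

// Verify returns "ok" or the reason for rejection. The MAC is checked first, so
// the time and nonce decisions are only ever made on authentic data.
func (g *ReplayGuard) Verify(m Message, now int64) string {
	want := tag(g.key, m.TS, m.Nonce, m.Payload)
	if !hmac.Equal([]byte(want), []byte(m.Tag)) { // constant-time comparison
		return "bad_mac"
	}
	if d := now - m.TS; d > g.window || d < -g.window {
		return "stale" // a recording older than the window fails on time alone
	}
	for n, t := range g.seen { // forget nonces that can no longer pass the time check
		if d := now - t; d > g.window || d < -g.window {
			delete(g.seen, n)
		}
	}
	if _, dup := g.seen[m.Nonce]; dup {
		return "replay" // the same recording presented again inside the window
	}
	g.seen[m.Nonce] = m.TS
	return "ok"
}

// Demo walks one session through the four outcomes, in order.
func Demo() []string {
	g := NewReplayGuard(demoKey, 30)
	m := Sign(demoKey, `{"action":"transfer","amount":250}`, 1000000, NewNonce())
	altered := m
	altered.Payload = `{"action":"transfer","amount":9999}` // changed after signing
	old := Sign(demoKey, `{"action":"logout"}`, 1000000, NewNonce())
	return []string{
		g.Verify(m, 1000005),       // first delivery: ok
		g.Verify(m, 1000010),       // same recording delivered again: replay
		g.Verify(altered, 1000010), // changed in transit: bad_mac
		g.Verify(old, 1000100),     // fresh nonce but clock 100 s behind: stale
	}
}

func main() {
	fmt.Println(Demo()) // [ok replay bad_mac stale]
}
```

The per-session key is what makes the MAC also a hijacking control: a message that was not produced by the party holding this session's key fails the first check, whatever its time stamp says. The nonce set is pruned with the same window used for the time check, so it never grows beyond the number of messages accepted in the last 30 seconds.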


NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 19 - CRYPTOGRAPHY


19.1.3 Hybrid Cryptographic Systems
Secret key systems are often used for bulk data encryption and public key systems for automated key distribution.

Public and secret key cryptography have relative advantages and disadvantages. Although public key cryptography does not require users to share a common key, secret key cryptography is much faster: equivalent implementations of secret key cryptography can run 1,000 to 10,000 times faster than public key cryptography.

To maximize the advantages and minimize the disadvantages of both secret and public key cryptography, a computer system can use both types in a complementary manner, with each performing different functions. Typically, the speed advantage of secret key cryptography means that it is used for encrypting data. Public key cryptography is used for applications that are less demanding to a computer system's resources, such as encrypting the keys used by secret key cryptography (for distribution) or to sign messages.
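An added example of the complementary arrangement just described, written for this newsletter rather than taken from the NIST Handbook: AES-256-GCM (a secret key system) encrypts the bulk data, and RSA-OAEP (a public key system) encrypts only the 32-byte data key that travels with it. The Envelope type, the Seal and Open names and the OAEP label string are assumptions made here; the message size and the two key pairs are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Envelope is what travels: the secret key wrapped under the recipient's public key, plus the bulk data encrypted under that secret key.
type Envelope struct {
	WrappedKey []byte // RSA-OAEP(recipient public key, dataKey)
	Nonce      []byte // AES-GCM nonce, fresh for every data key
	Ciphertext []byte // AES-GCM output with the authentication tag appended
}

// oaepLabel ties the wrapped key to this use; sender and recipient must agree on it.
var oaepLabel = []byte("hybrid-demo")

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the hybrid step: a fresh 256-bit secret key encrypts the bulk data; the public key encrypts only those 32 bytes.
func Seal(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dataKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Open unwraps the data key with the private key, then decrypts and authenticates the bulk data.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, oaepLabel)
	if err != nil {
		return nil, err // wrong private key, or the wrapped key was altered
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil) // error if the ciphertext was altered
}

// Demo checks that the round trip works, that another private key cannot open the envelope, and that an altered ciphertext is rejected rather than decrypted to garbage.
func Demo() (roundTrip, wrongKeyRejected, tamperRejected bool, err error) {
	alice, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	// Constructed 1000-byte payload, far more than RSA-2048 with OAEP-SHA256 can encrypt directly (190 bytes).
	msg := bytes.Repeat([]byte("constructed bulk payload "), 40)
	env, err := Seal(&alice.PublicKey, msg)
	if err != nil {
		return
	}
	got, err := Open(alice, env)
	if err != nil {
		return
	}
	roundTrip = bytes.Equal(got, msg)
	_, e := Open(other, env)
	wrongKeyRejected = e != nil
	env.Ciphertext[0] ^= 0x01 // flip one bit of the bulk ciphertext
	_, e = Open(alice, env)
	tamperRejected = e != nil
	return
}

func main() {
	fmt.Println(Demo()) // true true true <nil>
}
```

The division of labour follows the text: the slow public key operation runs once per message over 32 bytes regardless of how large the payload is, and the fast secret key cipher does all the bulk work. Using an authenticated mode (GCM) for the bulk step is what turns a flipped bit into a hard error instead of silently corrupted plaintext.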

19.1.4 Key Escrow

Because cryptography can provide extremely strong encryption, it can thwart the government's efforts to lawfully perform electronic surveillance. For example, if strong cryptography is used to encrypt a phone conversation, a court-authorized wiretap will not be effective. To meet the needs of the government and to provide privacy, the federal government has adopted voluntary key escrow cryptography. This technology allows the use of strong encryption, but also allows the government when legally authorized to obtain decryption keys held by escrow agents. NIST has published the Escrowed Encryption Standard as FIPS 185. Under the federal government's voluntary key escrow initiative, the decryption keys are split into parts and given to separate escrow authorities. Access to one part of the key does not help decrypt the data; both keys must be obtained.
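An added example of the split-key idea in the last two sentences, written for this newsletter and not a description of the actual FIPS 185 mechanism: a 2-of-2 XOR split, where one share is uniformly random and the other is the key XORed with it, so either share on its own is statistically independent of the key and only the pair reconstructs it. The Split and Combine names and the demo key bytes are assumptions made here.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"errors"
	"fmt"
)

// Split produces two shares for two separate escrow agents: share1 is uniformly
// random and share2 = key XOR share1. Each share alone carries no information about key.
func Split(key []byte) (share1, share2 []byte, err error) {
	share1 = make([]byte, len(key))
	if _, err = rand.Read(share1); err != nil {
		return nil, nil, err
	}
	share2 = make([]byte, len(key))
	for i := range key {
		share2[i] = key[i] ^ share1[i]
	}
	return share1, share2, nil
}

// Combine recovers the key only when both genuine shares are presented together.
func Combine(share1, share2 []byte) ([]byte, error) {
	if len(share1) != len(share2) {
		return nil, errors.New("share length mismatch")
	}
	key := make([]byte, len(share1))
	for i := range key {
		key[i] = share1[i] ^ share2[i]
	}
	return key, nil
}

// Demo shows both properties: the two shares reconstruct the key, and one share
// combined with anything other than its partner (or used on its own) does not.
func Demo() (bothRecover, oneShareFails bool, err error) {
	key := []byte("constructed-32-byte-demo-key!!!!") // constructed; a real key comes from a CSPRNG
	s1, s2, err := Split(key)
	if err != nil {
		return
	}
	back, err := Combine(s1, s2)
	if err != nil {
		return
	}
	bothRecover = bytes.Equal(back, key)
	guess := make([]byte, len(key)) // a holder of s1 trying a random value for the missing share
	if _, err = rand.Read(guess); err != nil {
		return
	}
	wrong, err := Combine(s1, guess)
	if err != nil {
		return
	}
	oneShareFails = !bytes.Equal(wrong, key) && !bytes.Equal(s1, key) && !bytes.Equal(s2, key)
	return
}

func main() {
	fmt.Println(Demo()) // true true <nil>
}
```

The security argument is the one-time-pad argument: because share1 is uniformly random, share2 is also uniformly distributed whatever the key is, so compromising a single escrow agent yields nothing, exactly the property the text describes.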


Please don't hesitate to email me (examiner@yennik.com) if you have any questions.  Have a great week,

R. Kinney Williams, President
CFE, CISM, CGEIT, CRISC
IT Security Auditor
Yennik, Inc.

Independent Pen-test Audits
Our pen-test firewall audit meets the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The audit focuses on a hacker's perspective, which will help your IT staff identify real-world weaknesses.  For more information, please call R. Kinney Williams at Office 806-798-7119, send an email to examiner@yennik.com, or visit http://www.internetbankingaudits.com/

 

You may also receive this newsletter by email.  Go to https://yennik.com/newletter.htm for more information.  The various category comments may be excerpts from regulatory press releases, which can be found at the respective regulatory web site.  Our privacy statement can be found at http://www.yennik.com/privacy_statement.htm.

Copyright Yennik, Inc.
Our logo above is registered with the United States Patent and Trademark Office.