Does Your Financial Institution need an
affordable Internet security audit? Yennik, Inc.
has clients in 42 states that rely on our penetration testing audits
to ensure proper Internet security settings and to
meet the independent diagnostic test requirements of
FDIC, OCC, FRB, and NCUA, which supports compliance with
Gramm-Leach-Bliley Act section 501(b).
The penetration audit and Internet security testing
is an affordable, sophisticated process that goes far beyond the
simple scanning of ports. The audit
focuses on a hacker's perspective, which will help
you identify real-world weaknesses.
For more information, give R. Kinney Williams a call today at
806-798-7119 or visit
http://www.internetbankingaudits.com/.
REMINDER - This newsletter is
available for Android smartphones and tablets. Go to the
Market Store and search for yennik.
FYI
- Microsoft extends virus warnings for Windows XP to 2015 -
Microsoft has decided to continue providing virus warnings for the
ageing Windows XP operating system until 2015.
http://www.bbc.co.uk/news/technology-25758308
FYI
- Feds Failing To Secure Their Mobile Devices - The federal
government may have specific policies for security, but many of its
users aren't adopting secure mobile practices and behaviors,
according to a new study by the Mobile Work Exchange.
http://www.darkreading.com/end-user/feds-failing-to-secure-their-mobile-devi/240165345
FYI
- 13 indicted in $2M gas station card-skimming scheme - Pump-mounted
devices used Bluetooth chips that allowed the thieves to retrieve
the data without having to physically connect to the devices,
prosecutors allege.
http://news.cnet.com/8301-1009_3-57617638-83/13-indicted-in-$2m-gas-station-card-skimming-scheme/
FYI
- Companies settle over false data security framework compliance
claims - Twelve U.S. companies have agreed to settle Federal Trade
Commission (FTC) charges, which accuse the firms of falsely claiming
to comply with an international data security framework.
http://www.scmagazine.com/companies-settle-over-false-data-security-framework-compliance-claims/article/330788
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- A First Look at the Target Intrusion, Malware - Last weekend,
Target finally disclosed at least one cause of the massive data
breach that exposed personal and financial information on more than
110 million customers: Malicious software that infected
point-of-sale systems at Target checkout counters.
http://krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/
FYI
- Neiman Marcus breach dates back to July 2013, according to report - The
attack on Neiman Marcus point-of-sale systems dates back to July
2013 and the threat was not completely mitigated until Sunday,
unnamed people briefed on the retailer's investigation told the New
York Times in a Thursday report.
http://www.scmagazine.com/neiman-marcus-breach-dates-back-to-july-2013-according-to-report/article/329955/
FYI
- Defect in Veterans Affairs eBenefits site results in data compromise - When a
Navy veteran signed into the Department of Veterans Affairs (VA)
eBenefits website on Wednesday night, he was shocked to see a
different person's name and information pop up each time he came
back.
http://www.scmagazine.com/defect-in-veterans-affairs-ebenefits-site-results-in-data-compromise/article/329974/
FYI
- Target's data breach: Yes, it gets worse - Target and Neiman Marcus weren't
the only name-brand retailers to be stung by cybercriminals last
holiday season. Plus: Was a teenager behind the malware?
http://news.cnet.com/8301-1009_3-57617447-83/targets-data-breach-yes-it-gets-worse/
FYI
- Data of 20 million South Koreans copied to USB stick, sold to marketing firms -
An IT worker was arrested after allegedly copying names, Social
Security numbers, and credit card details of 20 million South
Koreans to a USB stick, so the trove of information could be sold to
phone marketing firms.
http://www.scmagazine.com/data-of-20-million-south-koreans-copied-to-usb-stick-sold-to-marketing-firms/article/330613
FYI
- Data breach affects 16M in Germany - A data breach affecting 16 million German
internet users was announced this week by the country's Federal
Office for Information Security (BSI).
http://www.scmagazine.com/data-breach-affects-16m-in-germany/article/330550
FYI
- Snapchat's new verification already hacked - Security researcher shows that the
service's new "find the ghost" system to prove that you're a human
and not a bot can be easily tricked.
http://news.cnet.com/8301-1009_3-57617647-83/snapchats-new-verification-already-hacked/
WEB SITE COMPLIANCE -
Fair Housing Act
A financial institution that advertises on-line credit products that
are subject to the Fair Housing Act must display the Equal Housing
Lender logotype and legend or other permissible disclosure of its
nondiscrimination policy if required by rules of the institution's
regulator.
Home Mortgage Disclosure Act (Regulation C)
The regulations clarify that applications accepted through
electronic media with a video component (the financial institution
has the ability to see the applicant) must be treated as "in person"
applications. Accordingly, information about these applicants' race
or national origin and sex must be collected. An institution that
accepts applications through electronic media without a video
component, for example, the Internet or facsimile, may treat the
applications as received by mail.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
IMPLEMENTATION -
NETWORK ACCESS
Protocols and Ports (Part 2 of 3)
Other common protocols in a TCP/IP network include the following
types.
- Address resolution protocol (ARP) - Obtains the hardware address
of a connected device and matches that address with the IP address
for that device. The hardware address is the Ethernet card's
address, technically referred to as the "media access control" (MAC)
address. Ethernet delivers frames by MAC address, so a host or router
must resolve the next hop's IP address to its MAC address before it
can forward a packet to it. Reverse ARP (RARP), which maps a MAC
address back to an IP address, also exists as a protocol.
- Internet control message protocol (ICMP) - Used to send messages
about network health between devices, provides alternate routing
information if trouble is detected, and helps to identify problems
with routing.
- File transfer protocol (FTP) - Used to browse directories and
transfer files. Although access can be authenticated or anonymous,
FTP sends user names and passwords in cleartext and does not support
encrypted authentication. Conducting FTP within
encrypted channels, such as a Virtual Private Network (VPN), secure
shell (SSH) or secure sockets layer (SSL) sessions, can improve
security.
- Trivial file transfer protocol (TFTP) - A file transfer protocol
with no file-browsing ability and no support for authentication;
anyone who can reach the service can read the files it exposes.
- Simple mail transfer protocol (SMTP) - Commonly used in e-mail
systems to send mail.
- Post office protocol (POP) - Commonly used to receive e-mail.
- Hypertext transfer protocol (HTTP) - Used for Web browsing.
- Secure shell (SSH) - Encrypts communications sessions, typically
used for remote administration of servers.
- Secure sockets layer (SSL) - Typically used to encrypt
Web browsing sessions, sometimes used to secure e-mail transfers and
FTP sessions. Its successor, transport layer security (TLS), serves
the same purposes.
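The FTP and TFTP entries above are the ones an examiner will most often ask for evidence on, so here is an added example, not text or code from the FFIEC booklet or from Yennik, showing what a passive tap on the network path actually recovers from each: the USER/PASS pair from a cleartext FTP login, and a TFTP read request that carries only a filename and transfer mode, with no field in which a credential could even be sent. The FTP transcript, the hostname ftp.example.test, the account jdoe and its password, and the router-config.txt filename are all constructed for the illustration.

```python
"""Added example: what an eavesdropper recovers from cleartext FTP and TFTP.

The byte strings below are constructed for illustration, not real captures.
"""
import struct

# --- FTP control channel (TCP/21) -------------------------------------------
# Constructed transcript of one FTP login as seen on the wire. Client
# commands (USER/PASS/CWD) and server replies are plain ASCII lines
# terminated by CRLF, exactly as RFC 959 specifies.
FTP_SESSION = (
    b"220 ftp.example.test FTP server ready\r\n"   # assumed hostname
    b"USER jdoe\r\n"                                # constructed account
    b"331 Password required for jdoe\r\n"
    b"PASS Winter2014!\r\n"                         # constructed password
    b"230 User jdoe logged in\r\n"
    b"CWD /reports\r\n"
    b"250 CWD command successful\r\n"
)


def extract_ftp_credentials(stream: bytes):
    """Return (user, password) pairs found in an FTP control-channel stream.

    A PASS is only paired with the USER that immediately preceded it; a
    stray PASS with no USER is ignored rather than guessed at.
    """
    creds = []
    user = None
    for line in stream.split(b"\r\n"):
        verb, _, arg = line.partition(b" ")
        verb = verb.upper()
        if verb == b"USER":
            user = arg.decode("ascii", "replace")
        elif verb == b"PASS" and user is not None:
            creds.append((user, arg.decode("ascii", "replace")))
            user = None
    return creds


# --- TFTP (UDP/69) ------------------------------------------------------------
TFTP_OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}

# Constructed read request for a device configuration file: a 2-byte opcode
# followed by the filename and transfer mode as NUL-terminated strings
# (RFC 1350). The layout has nowhere to put a username or password.
TFTP_RRQ = struct.pack("!H", 1) + b"router-config.txt\x00" + b"octet\x00"


def parse_tftp_request(packet: bytes):
    """Decode a TFTP RRQ/WRQ into {"op", "filename", "mode"}.

    Raises ValueError for anything that is not a well-formed request, so a
    caller does not silently treat a DATA or ERROR packet as a request.
    """
    if len(packet) < 4:
        raise ValueError("packet too short for a TFTP header")
    (opcode,) = struct.unpack("!H", packet[:2])
    op = TFTP_OPCODES.get(opcode)
    if op not in ("RRQ", "WRQ"):
        raise ValueError(f"opcode {opcode} is not a read/write request")
    fields = packet[2:].split(b"\x00")
    if len(fields) < 3 or fields[-1] != b"":
        raise ValueError("request is missing NUL-terminated filename/mode")
    filename, mode = fields[0], fields[1]
    if mode.lower() not in (b"netascii", b"octet", b"mail"):
        raise ValueError(f"unknown transfer mode {mode!r}")
    return {
        "op": op,
        "filename": filename.decode("ascii", "replace"),
        "mode": mode.decode("ascii").lower(),
    }


if __name__ == "__main__":
    for user, password in extract_ftp_credentials(FTP_SESSION):
        print(f"FTP login seen in cleartext: user={user!r} password={password!r}")
    print("TFTP request with no credential field:", parse_tftp_request(TFTP_RRQ))
```

Running the block prints the recovered FTP login and the decoded TFTP request. The same tap comes up empty once the FTP session is carried inside SSH or an SSL/TLS session, which is the control the booklet recommends; for TFTP there is nothing to wrap, so the practical fix is to limit which hosts can reach port 69 at all.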
INTERNET PRIVACY - We
continue our series listing the regulatory privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
33. Except as permitted by §§13-15,
does the institution refrain from disclosing any nonpublic personal
information about a consumer to a nonaffiliated third party, other
than as described in the initial privacy notice provided to the
consumer, unless:
a. the institution has provided the consumer with a clear and
conspicuous revised notice that accurately describes the
institution's privacy policies and
practices; [§8(a)(1)]
b. the institution has provided the consumer with a new opt out
notice; [§8(a)(2)]
c. the institution has given the consumer a reasonable opportunity
to opt out of the disclosure, before disclosing any information;
[§8(a)(3)] and
d. the consumer has not opted out? [§8(a)(4)]