REMINDER - This newsletter is
available for Android smartphones and tablets. Go to the
Market Store and search for yennik.
- Study of French “three strikes” piracy law finds no deterrent
effect - More iTunes sales come from "public education," not from
fear of piracy. A recently published study of 2,000 French Internet
users found that the widely-publicized "three strikes" law hasn't
had much effect on how pirates get their content.
- If You Used This Secure Webmail Site, the FBI Has Your Inbox -
While investigating a hosting company known for sheltering child
porn last year, the FBI incidentally seized the entire e-mail
database of a popular anonymous webmail service called TorMail.
- US-CERT publishes advice on defending POS systems against attacks
like those against Target, Neiman Marcus - Major hacks at retailers
that include Target and Neiman Marcus have put a new spotlight on
the security of point-of-sale (POS) systems. What may come as a
surprise to some is that the memory-scraping malware attacks were
- Why Companies Want Congress To Tell Them What To Do After Data
Breaches - It's the kind of top-down, one-size-fits-all,
heavy-handed regulation that corporate America despises. The exact
type of mandate that businesses pay lobby shops millions to tweak
and twist into oblivion.
- Attacker extorts coveted Twitter username in elaborate social
engineering scheme - Attackers do not always need an advanced
knowledge of technology, networks, coding and malware to get what
they want – sometimes all it takes is a little intuitive social
engineering. Just ask Naoki Hiroshima, the creator of the Cocoyon
app and developer for the Echofon Twitter client application.
- GoDaddy admits giving up info that led to Twitter username
extortion - When Naoki Hiroshima had his coveted @N Twitter username
stolen in an elaborate extortion plot involving simple social
engineering techniques, the frustrated developer pointed the finger
at GoDaddy and PayPal for being careless with his data.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Neiman Marcus: 1.1 million cards compromised - The retailer,
however, said it has no knowledge of any connection between its data
breach and the one disclosed by Target. Upscale retailer Neiman
Marcus confirmed that it was a victim of a data breach and that 1.1
million customer payment cards were scraped for data.
- China blames Internet outage on hacking attack - Tuesday's
Internet outage in China is dividing experts over what caused the
networking error, with authorities calling it a hacking attack, and
others blaming it on the country's censorship systems.
- DHS Alerts Contractors to Bank Data Theft - A security breach at a
Web portal for the U.S. Department of Homeland Security has exposed
private documents and some financial information belonging to at
least 114 organizations that bid on a contract at the agency last
- South Korea and the U.S. Reacted Much Differently to a Credit Card
Theft Scandal - Residents in both the U.S. and South Korea were
recently hit with a major security breach that left significant
populations exposed to credit card theft. The two discrete incidents
offer an insight into how such disparate nations react to similar
crimes, and the cultural implications of each response.
- Stolen Medicentres laptop impacts roughly 620,000 patients in
Canada - Canada-based Medicentres Family Health Care Clinics
announced on Wednesday that the personal information of roughly
620,000 is at risk after a laptop belonging to an IT consultant was
- Google services, including Gmail, go down for about an hour -
Although a number of Google services went down for longer than an
hour on Friday – the outage started at about 2:15 p.m. ET and ended
at about 3:30 p.m. ET – it was the absence of Gmail that seems to
have hit internet users the hardest.
- Theft of unencrypted laptops behind Coca-Cola breach impacting
74,000 - Due to a theft of unencrypted laptops at Coca-Cola, around
74,000 current and former employees at the company may be at risk of
identity theft or fraud.
- Michaels Stores confirms payment cards compromised in breach -
After Target and Neiman Marcus, Michaels Stores is the next in a
line of U.S. retailers to reveal that a security breach has resulted
in the compromise of customer payment cards.
- Hasbro website served malware to visitors - Throughout this month,
Hasbro.com, an online retailer for children's toys and board games,
has infected users via drive-by download.
- CNN's social media accounts compromised by Syrian Electronic Army
- On Thursday, the Syrian Electronic Army (SEA) claimed
responsibility on Twitter for compromising a variety of social media
accounts belonging to CNN and using them to post messages blasting
the popular news network's reporting.
- US Court System downed by technical glitch, not hackers - The U.S.
Court system was taken down Friday afternoon for several hours by a
suspected denial-of-service attack. The FBI challenged such claims
- Laptop stolen with health data on 620,000 Albertans - The theft of
an unencrypted laptop in Edmonton means the personal health
information of more than 620,000 Albertans may be compromised, an
"outraged" Health Minister Fred Horne said Wednesday.
- Phishing scam lures three Calif. physicians, patient data
compromised - Roughly 1,800 patients of UC Davis Health System in
California are being notified that their personal information may be
at risk after the email accounts of three physicians were
compromised in a phishing scam.
- Hundreds impacted after Washington doctor's laptop is stolen - A
laptop containing personal information – including Social Security
numbers – on roughly 900 individuals at nursing homes in Washington
state was stolen from the vehicle of a South Sound doctor.
- Hackers vandalize Angry Birds' website - Hackers defaced the
website of the popular mobile game Angry Birds on Tuesday in
response to allegations that the National Security Agency used the
app to gain users' information.
- FBI alerts Ohio company of breach involving Social Security
numbers - The FBI alerted Ohio-based State Industrial Products that
the personal information – including Social Security numbers – of an
undisclosed number of current and former employees may be at risk.
WEB SITE COMPLIANCE -
Financial institutions advertising or selling non-deposit investment
products on-line should ensure that consumers are informed of the
risks associated with non-deposit investment products as discussed
in the "Interagency Statement on Retail Sales of Non Deposit
Investment Products." On-line systems should comply with this
Interagency Statement, minimizing the possibility of customer
confusion and preventing any inaccurate or misleading impression
about the nature of the non-deposit investment product or its lack
of FDIC insurance.
INFORMATION TECHNOLOGY SECURITY -
We continue our
series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION -
Protocols and Ports (Part 3 of 3)
Applications are built to conform to these protocols and provide
services from hosts to clients. Because clients need a standard way
to reach a service, each service is assigned a standard host port.
Ports are logical, not physical, locations that are either assigned
or available for specific network services. TCP and UDP each provide
65,536 ports (0 through 65535); the first 1,024 (0 through 1023) are
the well-known ports, conventionally reserved for particular
services. For instance, Web servers listen for requests on port 80,
and Web servers using SSL/TLS (HTTPS) listen on port 443. The full
registry of assigned ports is maintained by IANA at www.iana.org.
Ports 1024 and above are known as high ports and are
user-assignable. Nothing, however, prevents users and administrators
from binding any service to any port, or from multiplexing more
than one service behind a single port. Additionally, the service
listening on a port may only proxy a connection for a separate
service. For example, a Trojan horse keystroke-monitoring program
can use the Web browser to send captured keystroke information to
port 80 of an attacker's machine. In that case, monitoring of the
packet headers from the compromised machine would only show a Web
request to port 80 of a certain IP
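The following is an added example and is not text or code from the FFIEC booklet or from this newsletter. It classifies a handful of constructed flow records two ways: by the well-known port number (all that header-only monitoring sees) and by a protocol signature in the first bytes of the client payload. Flows where the two disagree are flagged. The keystroke-exfiltration case from the paragraph above is included to show that it passes both checks, since it really is an HTTP request to port 80, and is caught only by a third control, an egress allow-list of approved web destinations. The allow-list, the addresses (RFC 5737 documentation ranges) and the payloads are assumptions of the example.

```python
"""Added example: why the destination port alone does not identify a service.

Each constructed flow record carries the destination port and the first bytes
the client sent.  Every flow is classified by port number (header-only view)
and by payload signature (content view); disagreements are flagged, and
web traffic to destinations outside an assumed egress allow-list is flagged
even when port and payload agree.
"""
from dataclasses import dataclass

# Well-known (below 1024) assignments used here; 443 carries TLS, i.e. HTTPS.
WELL_KNOWN = {22: "ssh", 80: "http", 443: "tls"}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes from the client; constructed for this example


def service_by_port(dport: int) -> str:
    """Header-only view: what the destination port number claims the service is."""
    if dport < 1024:
        return WELL_KNOWN.get(dport, "well-known/other")
    return "high-port"  # 1024 and above: user-assignable, no inference possible


def service_by_payload(payload: bytes) -> str:
    """Content view: identify the protocol from the first bytes the client sent."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    if payload.startswith(b"\x16\x03"):  # TLS record: handshake type, version 3.x
        return "tls"
    if payload.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def audit(flows, allowed_web_dst):
    """Return (flow, verdict) pairs.

    allowed_web_dst is the set of IPs outbound HTTP/HTTPS may go to (for
    instance the corporate proxy); it is an assumption of this example.
    """
    results = []
    for f in flows:
        by_port = service_by_port(f.dport)
        by_payload = service_by_payload(f.payload)
        if by_port in WELL_KNOWN.values() and by_payload not in ("unknown", by_port):
            verdict = f"mismatch: port says {by_port}, payload says {by_payload}"
        elif by_payload in ("http", "tls") and f.dst not in allowed_web_dst:
            verdict = f"{by_payload} to unapproved destination {f.dst}"
        else:
            verdict = "ok"
        results.append((f, verdict))
    return results


# Constructed sample flows; addresses are from the RFC 5737 documentation ranges.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "192.0.2.10", 80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"),
    Flow("10.0.0.5", "192.0.2.10", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    Flow("10.0.0.7", "198.51.100.4", 443, b"SSH-2.0-OpenSSH_6.6\r\n"),      # SSH tunnelled on 443
    Flow("10.0.0.7", "198.51.100.4", 80, b"\x16\x03\x01\x00\xc8\x01\x00"),  # TLS on 80
    # The text's Trojan: captured keystrokes posted to port 80 of the attacker's host.
    Flow("10.0.0.9", "203.0.113.66", 80,
         b"POST /u HTTP/1.1\r\nHost: 203.0.113.66\r\n\r\nkeys=user%3Aj.doe%20pass%3Ahunter2"),
]

ALLOWED_WEB_DST = {"192.0.2.10"}  # assumed corporate proxy / approved web egress


def run():
    """Audit the sample flows and print one line per flow; returns the findings."""
    findings = audit(SAMPLE_FLOWS, ALLOWED_WEB_DST)
    for flow, verdict in findings:
        print(f"{flow.dst}:{flow.dport:<4} port={service_by_port(flow.dport):<10} "
              f"payload={service_by_payload(flow.payload):<8} -> {verdict}")
    return findings


if __name__ == "__main__":
    run()
```

The third and fourth flows are caught by the port/payload comparison alone. The last flow, the Trojan case from the text, is indistinguishable from ordinary browsing by port and by protocol; only the destination allow-list (or inspection of the POST body itself) separates it from legitimate traffic, which is the practical argument for an application-layer proxy with restricted egress rather than port-based firewall rules.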
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
34. Does the institution deliver a
revised privacy notice when it:
a. discloses a new category of nonpublic personal information to a
nonaffiliated third party; [§8(b)(1)(i)]
b. discloses nonpublic personal information to a new category of
nonaffiliated third party; [§8(b)(1)(ii)] or
c. discloses nonpublic personal information about a former customer
to a nonaffiliated third party, if that former customer has not had
the opportunity to exercise an opt out right regarding that
(Note: a revised
notice is not required if the institution adequately described the
nonaffiliated third party or information to be disclosed in the
prior privacy notice. [§8(b)(2)])