R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

February 2, 2014

CONTENT
Internet Compliance Web Site Audits
IT Security
Internet Privacy
Penetration Testing
Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act section 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


REMINDER -
This newsletter is available for Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - Study of French “three strikes” piracy law finds no deterrent effect - More iTunes sales come from "public education," not from fear of piracy. A recently published study of 2,000 French Internet users found that the widely-publicized "three strikes" law hasn't had much effect on how pirates get their content. http://arstechnica.com/tech-policy/2014/01/study-of-french-three-strikes-piracy-law-finds-no-deterrent-effect/

FYI - If You Used This Secure Webmail Site, the FBI Has Your Inbox - While investigating a hosting company known for sheltering child porn last year the FBI incidentally seized the entire e-mail database of a popular anonymous webmail service called TorMail. http://www.wired.com/threatlevel/2014/01/tormail/

FYI - US-CERT publishes advice on defending POS systems against attacks like those against Target, Neiman Marcus - Major hacks at retailers that include Target and Neiman Marcus have put a new spotlight on the security of point-of-sale (POS) systems. What may come as a surprise to some is that the memory-scraping malware attacks were nothing new. http://www.darkreading.com/attacks-breaches/tech-insight-defending-point-of-sale-sys/240165629

FYI - Why Companies Want Congress To Tell Them What To Do After Data Breaches - It's the kind of top-down, one-size-fits-all, heavy-handed regulation that corporate America despises. The exact type of mandate that businesses pay lobby shops millions to tweak and twist into oblivion. http://www.nextgov.com/cybersecurity/2014/01/why-companies-want-congress-tell-them-what-do-after-data-breaches/77429/

FYI - Attacker extorts coveted Twitter username in elaborate social engineering scheme - Attackers do not always need an advanced knowledge of technology, networks, coding and malware to get what they want – sometimes all it takes is a little intuitive social engineering. Just ask Naoki Hiroshima, the creator of the Cocoyon app and developer for the Echofon Twitter client application. http://www.scmagazine.com/attacker-extorts-coveted-twitter-username-in-elaborate-social-engineering-scheme/article/331675

FYI - GoDaddy admits giving up info that led to Twitter username extortion - When Naoki Hiroshima had his coveted @N Twitter username stolen in an elaborate extortion plot involving simple social engineering techniques, the frustrated developer pointed the finger at GoDaddy and PayPal for being careless with his data. http://www.scmagazine.com/godaddy-admits-giving-up-info-that-led-to-twitter-username-extortion/article/331867/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Neiman Marcus: 1.1 million cards compromised - The retailer, however, said it has no knowledge of any connection between its data breach and the one disclosed by Target. Upscale retailer Neiman Marcus confirmed that it was a victim of a data breach and that 1.1 million customer payment cards were scraped for data. http://www.zdnet.com/neiman-marcus-1-1-million-cards-compromised-7000025513/

FYI - China blames Internet outage on hacking attack - Tuesday's Internet outage in China is dividing experts over what caused the networking error, with authorities calling it a hacking attack, and others blaming it on the country's censorship systems. http://www.computerworld.com/s/article/9245626/China_blames_Internet_outage_on_hacking_attack?taxonomyId=17

FYI - DHS Alerts Contractors to Bank Data Theft - A security breach at a Web portal for the U.S. Department of Homeland Security has exposed private documents and some financial information belonging to at least 114 organizations that bid on a contract at the agency last year. http://krebsonsecurity.com/2014/01/dhs-alerts-contractors-to-bank-data-theft/

FYI - South Korea and the U.S. Reacted Much Differently to a Credit Card Theft Scandal - Residents in both the U.S. and South Korea were recently hit with a major security breach that left significant populations exposed to credit card theft. The two discrete incidents offer an insight into how such disparate nations react to similar crimes, and the cultural implications of each response. http://news.yahoo.com/south-korea-u-reacted-much-differently-credit-card-214036383.html

FYI - Stolen Medicentres laptop impacts roughly 620,000 patients in Canada - Canada-based Medicentres Family Health Care Clinics announced on Wednesday that the personal information of roughly 620,000 patients is at risk after a laptop belonging to an IT consultant was stolen. http://www.scmagazine.com/stolen-medicentres-laptop-impacts-roughly-620000-patients-in-canada/article/331004

FYI - Google services, including Gmail, go down for about an hour - Although a number of Google services went down for longer than an hour on Friday – the outage started at about 2:15 p.m. ET and ended at about 3:30 p.m. ET – it was the absence of Gmail that seems to have hit internet users the hardest. http://www.scmagazine.com/google-services-including-gmail-go-down-for-about-an-hour/article/331036

FYI - Theft of unencrypted laptops behind Coca-Cola breach impacting 74,000 - Due to a theft of unencrypted laptops at Coca-Cola, around 74,000 current and former employees at the company may be at risk of identity theft or fraud. http://www.scmagazine.com/theft-of-unencrypted-laptops-behind-coca-cola-breach-impacting-74000/article/331273

FYI - Michaels Stores confirms payment cards compromised in breach - After Target and Neiman Marcus, Michaels Stores is the next in a line of U.S. retailers to reveal that a security breach has resulted in the compromise of customer payment cards. http://www.scmagazine.com/michaels-stores-confirms-payment-cards-compromised-in-breach/article/331275

FYI - Hasbro website served malware to visitors - Throughout this month, Hasbro.com, an online retailer for children's toys and board games, has infected users via drive-by download. http://www.scmagazine.com/hasbro-website-served-malware-to-visitors/article/331262

FYI - CNN's social media accounts compromised by Syrian Electronic Army - On Thursday, the Syrian Electronic Army (SEA) claimed responsibility on Twitter for compromising a variety of social media accounts belonging to CNN and using the accounts to post messages blasting the popular news network's reporting. http://www.scmagazine.com/cnns-social-media-accounts-compromised-by-syrian-electronic-army/article/331017/s/

FYI - US Court System downed by technical glitch, not hackers - The U.S. Court system was taken down Friday afternoon for several hours by a suspected denial-of-service attack. The FBI challenged such claims on Saturday. http://www.zdnet.com/ddos-takes-down-us-court-system-7000025574/

FYI - Laptop stolen with health data on 620,000 Albertans - The theft of an unencrypted laptop in Edmonton means the personal health information of more than 620,000 Albertans may be compromised, an "outraged" Health Minister Fred Horne said Wednesday. http://cnews.canoe.ca/CNEWS/Canada/2014/01/22/21418891.html

FYI - Phishing scam lures three Calif. physicians, patient data compromised - Roughly 1,800 patients of UC Davis Health System in California are being notified that their personal information may be at risk after the email accounts of three physicians were compromised in a phishing scam. http://www.scmagazine.com/phishing-scam-lures-three-calif-physicians-patient-data-compromised/article/331354/

FYI - Hundreds impacted after Washington doctor's laptop is stolen - A laptop containing personal information – including Social Security numbers – on roughly 900 individuals at nursing homes in Washington state was stolen from the vehicle of a South Sound doctor. http://www.scmagazine.com/hundreds-impacted-after-washington-doctors-laptop-is-stolen/article/331635/

FYI - Hackers vandalize Angry Birds' website - Hackers defaced the website of the popular mobile game Angry Birds on Tuesday in response to allegations that the National Security Agency used the app to gain users' information. http://www.scmagazine.com/hackers-vandalize-angry-birds-website/article/331870

FYI - FBI alerts Ohio company of breach involving Social Security numbers - The FBI alerted Ohio-based State Industrial Products that the personal information – including Social Security numbers – of an undisclosed number of current and former employees may be at risk. http://www.scmagazine.com/fbi-alerts-ohio-company-of-breach-involving-social-security-numbers/article/331856/


WEB SITE COMPLIANCE -
Non-Deposit Investment Products

Financial institutions advertising or selling non-deposit investment products on-line should ensure that consumers are informed of the risks associated with non-deposit investment products as discussed in the "Interagency Statement on Retail Sales of Non Deposit Investment Products."  On-line systems should comply with this Interagency Statement, minimizing the possibility of customer confusion and preventing any inaccurate or misleading impression about the nature of the non-deposit investment product or its lack of FDIC insurance.


INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS

Protocols and Ports (Part 3 of 3)

Applications are built in conformance with the protocols to provide services from hosts to clients. Because clients must have a standard way of reaching those services, each service is assigned a standard host port. Ports are logical, not physical, locations that are either assigned to or available for specific network services. Under TCP/IP, 65,536 ports (0 through 65535) are available for each transport protocol, and the first 1,024 (0 through 1023) are the "well-known" ports conventionally assigned to particular services. For instance, Web servers listen for requests on port 80, and Web servers using SSL/TLS (HTTPS) listen on port 443. The complete registry of port assignments is maintained by IANA at www.iana.org. Ports from 1024 upward are commonly called high ports; IANA registers many of them for specific applications, and the remainder are available for dynamic or private use. However, nothing in the protocol enforces these conventions: users and administrators are free to bind any port to any service, and to run more than one service behind a single port. Additionally, the service listening on one port may only proxy a connection for a separate service. For example, a Trojan horse keystroke-monitoring program can use the Web browser to send captured keystrokes to port 80 of an attacker's machine. In that case, monitoring only the packet headers from the compromised machine would show nothing more than a Web request to port 80 of a certain IP address. The practical lesson is that a port number identifies a convention, not the traffic actually flowing over it; controls that rely on port numbers alone (port-based firewall rules, review of connection logs) need to be supplemented with inspection of the traffic itself, outbound filtering through an authenticating proxy that limits where workstations may connect, and host-based monitoring.
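The following Python example is added here to illustrate the point above; it is not from the FFIEC booklet or from Yennik, Inc. It constructs a handful of sample client connections (the addresses are documentation-range examples and the payloads are made up) and compares what a header-only monitor can report with what a simple check of the first bytes against the port's expected protocol can report. The protocol fingerprints (HTTP request line, TLS record header, SSH banner) are simplified assumptions for the demonstration, not a complete parser.

```python
"""Port number versus the protocol actually on the wire.

Constructed example (not captured traffic): a few client connections, each
recorded as the destination port plus the first bytes the client sent.
Addresses come from the documentation ranges (RFC 5737).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    payload: bytes  # first bytes sent by the client


# Simplified fingerprints of what the well-known services look like on the
# wire (assumptions for this demonstration, not a complete protocol parser).
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def looks_like_http(p: bytes) -> bool:
    """HTTP/1.x request line: METHOD SP target SP HTTP/1.x CRLF."""
    first_line = p.split(b"\r\n", 1)[0]
    return p.startswith(HTTP_METHODS) and b" HTTP/1." in first_line


def looks_like_tls(p: bytes) -> bool:
    """TLS record header: content type 0x16 (handshake), major version 0x03."""
    return len(p) >= 5 and p[0] == 0x16 and p[1] == 0x03


def looks_like_ssh(p: bytes) -> bool:
    """SSH identification string sent by the client."""
    return p.startswith(b"SSH-2.0-")


EXPECTED = {80: looks_like_http, 443: looks_like_tls, 22: looks_like_ssh}
SERVICE_NAME = {80: "web", 443: "https", 22: "ssh"}


def header_view(f: Flow) -> str:
    """All a header-only monitor (firewall log, NetFlow) can say about the flow."""
    name = SERVICE_NAME.get(f.dst_port, "port %d" % f.dst_port)
    return "%s -> %s:%d (%s)" % (f.src, f.dst, f.dst_port, name)


def payload_view(f: Flow) -> str:
    """Compare the port's expected protocol with the bytes actually sent."""
    check = EXPECTED.get(f.dst_port)
    if check is None:
        return "unknown-port"
    return "expected" if check(f.payload) else "protocol-mismatch"


FLOWS = [
    # 1. ordinary browsing
    Flow("10.0.0.5", "203.0.113.10", 80,
         b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    # 2. a backdoor speaking its own binary protocol on port 80
    Flow("10.0.0.5", "198.51.100.7", 80,
         b"\x00\x11\x22\x33KEYS:" + bytes(range(0x90, 0x98))),
    # 3. TLS ClientHello to an HTTPS server
    Flow("10.0.0.5", "203.0.113.10", 443,
         b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    # 4. plaintext HTTP sent to port 443 (tunnel or misconfiguration)
    Flow("10.0.0.5", "198.51.100.7", 443,
         b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
    # 5. the booklet's case: a keystroke logger hands captured keys to the
    #    browser, which sends a perfectly formed HTTP POST to port 80
    Flow("10.0.0.5", "198.51.100.7", 80,
         b"POST /upload HTTP/1.1\r\nHost: 198.51.100.7\r\n"
         b"Content-Length: 18\r\n\r\nuser=bob&pw=s3cret"),
]


def classify_all(flows=FLOWS):
    """Return (header view, payload view) for every flow."""
    return [(header_view(f), payload_view(f)) for f in flows]


if __name__ == "__main__":
    for hdr, verdict in classify_all():
        print("%-45s %s" % (hdr, verdict))
```

Run as a script it prints both views side by side. Flows 1, 2 and 5 are indistinguishable in the header view (all are "web" requests to port 80), and the payload check catches flow 2 and flow 4 as protocol mismatches. Note what flow 5 shows: because the keystroke logger hands its data to the browser, the result is a genuine HTTP POST, so even the payload check passes it. Catching that case depends on knowing which destinations are legitimate (an outbound proxy with an allow list) or on host-based detection, not on anything visible in the port number.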


INTERNET PRIVACY -
We continue our series listing the regulatory privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

34. Does the institution deliver a revised privacy notice when it: 

a. discloses a new category of nonpublic personal information to a nonaffiliated third party; [§8(b)(1)(i)]

b. discloses nonpublic personal information to a new category of nonaffiliated third party; [§8(b)(1)(ii)] or

c. discloses nonpublic personal information about a former customer to a nonaffiliated third party, if that former customer has not had the opportunity to exercise an opt out right regarding that disclosure? [§8(b)(1)(iii)]

(Note: a revised notice is not required if the institution adequately described the nonaffiliated third party or information to be disclosed in the prior privacy notice. [§8(b)(2)])

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated