REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
This week, I will be taking some time to be with family and friends.
I will have my laptop but may not respond to emails as quickly as
normal. I will be back in the office Tuesday February 19.
- Top firms open to voluntary cybersecurity rules - Many Fortune 500
companies support the creation of federal cybersecurity standards to
protect them from Internet threats like hacking as long as they are
voluntary, according to a Senate survey of top U.S. chief executives
released on Wednesday.
GAO - Information Security: Federal Communications Commission Needs
to Strengthen Controls over Enhanced Secured Network Project.
App owner to pay $800k to settle child privacy charges - A San
Francisco-based app operator will pay $800,000 to settle Federal
Trade Commission (FTC) charges that it violated the Children's
Online Privacy Protection Act (COPPA) by collecting youngsters'
personal information without parental consent, the agency announced
Following breaches, Utah Senate passes data protection law - The
Utah State Senate has passed legislation that would set best
practices for the storing and transmitting on state servers of
residents' personally identifiable information (PII). Sen. Stuart
Reid, R-Utah, began drafting the bill last year, following a massive
breach when a Utah Department of Health server was hacked.
Obama can 'order pre-emptive cyber-attack' if U.S. faces threat -
According to a source speaking to The New York Times, President
Obama can authorize a 'pre-emptive strike' against a nation if U.S.
national security is at risk.
U.S. weighs retaliation to alleged Chinese cyberattacks - Following
a string of cyberattacks allegedly coming from China, the U.S.
government is debating what from the response should take. The Obama
administration is considering further action after the failure of
high-level talks with Chinese officials over cyberattacks against
America, according to the Associated Press.
Defense positions a military cyber squad on DHS turf - Pentagon
plans to deploy a military cyber squad to guard U.S. networks
sustaining hospitals and other vital commercial sectors drew hopeful
skepticism from technology experts -- and silence from counterparts
at the Homeland Security Department.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Hackers in China Attacked The Times for Last 4 Months - For the last
four months, Chinese hackers have persistently attacked The New York
Times, infiltrating its computer systems and getting passwords for
its reporters and other employees.
Wall Street Journal also a victim of espionage - Less than a day
after The New York Times revealed that its reporters were targeted
by Chinese hackers, The Wall Street Journal disclosed on Thursday
that its systems were also breached by attackers from China wanting
to observe the newspaper's coverage of the country.
Anonymous claims to expose bank executive details - Hacktivist group
Anonymous said it has posted the sensitive details of 4,000 bank
executives on a government website.
- Federal Reserve confirms its Web site was hacked- Days after
Anonymous claimed to have stolen and published private information
from more than 4,000 bank executives, the Fed says its system was
Department Of Energy Confirms Data Breach - Online attackers
successfully penetrated the Department of Energy (DOE) network in
the middle of January and obtained copies of personally identifiable
information (PII) pertaining to several hundred of the agency's
employees and contractors.
Dutch man sentenced in US to 12 years in credit card scam - A
22-year-old Dutch man who sold credit card details online was
sentenced on Friday to 12 years in a U.S. prison in a fraud case
that prosecutors alleged caused more than $63 million in damages,
according to the Department of Justice.
Washington Post Also Broadly Infiltrated By Chinese Hackers in 2012
- The Washington Post was among several major U.S. newspapers that
spent much of 2012 trying to untangle its newsroom computer networks
from a Web of malicious software thought to have been planted by
Chinese cyberspies, according to a former information technology
employee at the paper.
Energy Department latest to be struck by skilled hackers - The
personally identifiable information (PII) of hundreds of U.S.
Department of Energy (DOE) employees and contractors was accessed by
intruders that breached DOE's networks.
HRSDC loses 583,000 personal data of Canadians - Human Resources and
Skills Development Canada (HRSDC), a department of the Government of
Canada, was reeling last month after the personal data of 583,000
Canadians was lost on a portable hard drive.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Guidance on Safeguarding
Customers Against E-Mail and Internet-Related Fraudulent Schemes
(Part 2 of 3)
Risks Associated With E-Mail and Internet-Related Fraudulent
Internet-related fraudulent schemes present a substantial risk to
the reputation of any financial institution that is impersonated or
spoofed. Financial institution customers and potential customers may
mistakenly perceive that weak information security resulted in
security breaches that allowed someone to obtain confidential
information from the financial institution. Potential negative
publicity regarding an institution's business practices may cause a
decline in the institution's customer base, a loss in confidence or
In addition, customers who fall prey to e-mail and Internet-related
fraudulent schemes face real and immediate risk. Criminals will
normally act quickly to gain unauthorized access to financial
accounts, commit identity theft, or engage in other illegal acts
before the victim realizes the fraud has occurred and takes action
to stop it.
Educating Financial Institution Customers About E-Mail and
Internet-Related Fraudulent Schemes
Financial institutions should consider the merits of educating
customers about prevalent e-mail and Internet-related fraudulent
schemes, such as phishing, and how to avoid them. This may be
accomplished by providing customers with clear and bold statement
stuffers and posting notices on Web sites that convey the following
! A financial institution's Web page should never be accessed from
a link provided by a third party. It should only be accessed by
typing the Web site name, or URL address, into the Web browser or by
using a "book mark" that directs the Web browser to the financial
institution's Web site.
! A financial institution should not be sending e-mail messages
that request confidential information, such as account numbers,
passwords, or PINs. Financial institution customers should be
reminded to report any such requests to the institution.
! Financial institutions should maintain current Web site
certificates and describe how the customer can authenticate the
institution's Web pages by checking the properties on a secure Web
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue the
series from the FDIC "Security Risks Associated with the
Data Transmission and Types
Data traverses the Internet in units referred to as packets. Each
packet has headers which contain information for delivery, such as
where the packet is from, where it is going, and what application it
contains. The varying firewall techniques examine the headers and
either permit or deny access to the system based on the firewall's
There are different types of firewalls that provide various levels
of security. For instance, packet filters, sometimes implemented as
screening routers, permit or deny access based solely on the stated
source and/or destination IP address and the application (e.g.,
FTP). However, addresses and applications can be easily falsified,
allowing attackers to enter systems. Other types of firewalls, such
as circuit-level gateways and application gateways, actually have
separate interfaces with the internal and external (Internet)
networks, meaning no direct connection is established between the
two networks. A relay program copies all data from one interface to
another, in each direction. An even stronger firewall, a stateful
inspection gateway, not only examines data packets for IP addresses,
applications, and specific commands, but also provides security
logging and alarm capabilities, in addition to historical
comparisons with previous transmissions for deviations from normal
When evaluating the need for firewall technology, the potential
costs of system or data compromise, including system failure due to
attack, should be considered. For most financial institution
applications, a strong firewall system is a necessity. All
information into and out of the institution should pass through the
firewall. The firewall should also be able to change IP addresses to
the firewall IP address, so no inside addresses are passed to the
outside. The possibility always exists that security might be
circumvented, so there must be procedures in place to detect attacks
or system intrusions. Careful consideration should also be given to
any data that is stored or placed on the server, especially
sensitive or critically important data.
Return to the top of
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
Consumer and Customer:
A "customer" is a consumer who has a "customer relationship"
with a financial institution. A "customer relationship" is a
continuing relationship between a consumer and a financial
institution under which the institution provides one or more
financial products or services to the consumer that are to be used
primarily for personal, family, or household purposes.
For example, a customer relationship may be established when a
consumer engages in one of the following activities with a financial
1) maintains a deposit or investment account;
2) obtains a loan;
3) enters into a lease of personal property; or
4) obtains financial, investment, or economic advisory services for
Customers are entitled to initial and annual privacy notices
regardless of the information disclosure practices of their
There is a special rule for loans. When a financial institution
sells the servicing rights to a loan to another financial
institution, the customer relationship transfers with the servicing
rights. However, any information on the borrower retained by the
institution that sells the servicing rights must be accorded the
protections due any consumer.
Note that isolated transactions alone will not cause a consumer to
be treated as a customer. For example, if an individual purchases a
bank check from a financial institution where the person has no
account, the individual will be a consumer but not a customer of
that institution because he or she has not established a customer
relationship. Likewise, if an individual uses the ATM of a financial
institution where the individual has no account, even repeatedly,
the individual will be a consumer, but not a customer of that