REMINDER - This newsletter is
available for Android smart phones and tablets. Go to the
Market Store and search for yennik.
FYI
- California lawmakers move to bar state help to NSA - Proposal to
prohibit sale of water, electricity by state owned facilities to the
NSA will likely be copied by legislators in other states - Two
California lawmakers this week introduced a bill that would prohibit
state agencies and corporations from providing material support to
the National Security Agency.
http://www.computerworld.com/s/article/9245232/California_lawmakers_move_to_bar_state_help_to_NSA
FYI
- Zero-Day Flaws Found, Patched In Siemens Switches - A security
researcher has discovered a pair of zero-day vulnerabilities in a
popular family of Siemens industrial control system switches that
could allow an attacker to take over the network devices without a
password.
http://www.darkreading.com/vulnerability/zero-day-flaws-found-patched-in-siemens/240165252
FYI
- Firm Bankrupted by Cyberheist Sues Bank - A state-appointed
receiver for the now defunct Huntington Beach, Calif. based
Efficient Services Escrow has filed suit against First Foundation
Bank, alleging that the bank’s security procedures were not up to
snuff, and that it failed to act in good faith when it processed
three fraudulent international wire transfers totaling $1,558,439
between December 2012 and February 2013.
http://krebsonsecurity.com/2014/01/firm-bankrupted-by-cyberheist-sues-bank/
FYI
- Teen Reported to Police After Finding Security Hole in Website - A
teenager in Australia who thought he was doing a good deed by
reporting a security vulnerability in a government website was
reported to the police.
http://www.wired.com/threatlevel/2014/01/teen-reported-security-hole/
FYI
- Air Force Academy's cyber team reaches rare heights - Computer
warfare is a top priority for the Air Force, which sees Internet
attacks as a key component of future conflicts. Air Force Space
Command at Peterson Air Force Base is guiding the Air Force's cyber
troops.
http://www.stripes.com/news/air-force/air-force-academy-s-cyber-team-reaches-rare-heights-1.261732
FYI
- Ways to avoid a multi-million dollar security disaster - From
Adobe to Facebook, security breaches continue to be top-of-mind for
both companies and users, and organizations around the globe are all
wondering if they are next in line to deal with a breach of their
own.
http://www.scmagazine.com/ways-to-avoid-a-multi-million-dollar-security-disaster/article/329238/?DCMP=EMC-SCUS_Newswire&spMailingID=7757804&spUserID=MjI5OTI3MzMyMQS2&spJobID=114466325&spReportId=MTE0NDY2MzI1S0
FYI
- Apple to refund $32.5 million after kids rack up app charges
without adult consent - Apple has agreed to refund $32.5 million to
consumers, after games in its App Store allowed kids to make costly
purchases without parental consent.
http://www.scmagazine.com/apple-to-refund-325-million-after-kids-rack-up-app-charges-without-adult-consent/article/329767
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Cryptolocker scrambles eight years of data belonging to US town
hall - The Cryptolocker ransom Trojan has claimed another victim in
small-town America, scrambling eight years-worth of files held by a
New Hampshire town authority. Some are believed to be irretrievable.
http://www.computerworld.com.my/resource/security/cryptolocker-scrambles-eight-years-of-data-belonging-to-us-town-hall/
FYI
- Yahoo malware turned European computers into bitcoin slaves -
Search firm remains silent on how its ad servers infected Windows
PCs of visitors to homepage - As many as two million European users
of Yahoo may have received PC malware from virus-laden ads served by
its homepage over a four-day period last week.
http://www.theguardian.com/technology/2014/jan/08/yahoo-malware-turned-europeans-computers-into-bitcoin-slaves
FYI
- Hacked Agencies Are Inconsistent in Alerting Victims - Agencies
are not in synch when it comes to notifying victims of hacks, which
might be impairing the government’s ability to protect affected
federal employees and citizens from predators, according to a new
federal audit.
http://www.nextgov.com/cybersecurity/2014/01/hacked-agencies-are-inconsistent-about-alerting-potential-victims/76502/
FYI
- Credit card hackers hit Neiman Marcus - Neiman Marcus says that
it's the latest victim of data thieves, who made off with the credit
card information of an unknown number of customers.
http://news.cnet.com/8301-1009_3-57617075-83/credit-card-hackers-hit-neiman-marcus/
http://www.scmagazine.com/neiman-marcus-ceo-says-pin-data-not-accessed-in-card-breach/article/329740/?DCMP=EMC-SCUS_Newswire&spMailingID=7778887&spUserID=MjI5OTI3MzMyMQS2&spJobID=114962594&spReportId=MTE0OTYyNTk0S0
FYI
- Two employees fired after hospital computer containing PHI is
dumped - Two employees at Georgia-based Phoebe Putney Memorial
Hospital have been fired after a desktop computer containing
information on nearly 6,800 individuals was mistakenly thrown away.
http://www.scmagazine.com/two-employees-fired-after-hospital-computer-containing-phi-is-dumped/article/329136/?DCMP=EMC-SCUS_Newswire&spMailingID=7753550&spUserID=MjI5OTI3MzMyMQS2&spJobID=114402207&spReportId=MTE0NDAyMjA3S0
FYI
- Server storing 6,000 emergency medical response calls breached -
North East King County Regional Public Safety Communication Agency (NORCOM),
a company that provides emergency communication services to the
public, fire and police agencies, had a server breached in late
December.
http://www.scmagazine.com/server-storing-6000-emergency-medical-response-calls-breached/article/329321/?DCMP=EMC-SCUS_Newswire&spMailingID=7757804&spUserID=MjI5OTI3MzMyMQS2&spJobID=114466325&spReportId=MTE0NDY2MzI1S0
FYI
- Virginia county school data accidentally posted online - An
undisclosed number of Loudoun County Public Schools (LCPS) students
and staffers in Virginia may have had personal information
compromised after their data was accidentally posted publicly
online.
http://www.scmagazine.com/virginia-county-school-data-accidentally-posted-online/article/329443/?DCMP=EMC-SCUS_Newswire&spMailingID=7770694&spUserID=MjI5OTI3MzMyMQS2&spJobID=114797799&spReportId=MTE0Nzk3Nzk5S0
FYI
- Starbucks iOS app vulnerability endangers users' data - A
vulnerability in Starbucks' iOS mobile payment app puts user email
addresses, passwords, usernames and location data at risk of being
compromised.
http://www.scmagazine.com/starbucks-ios-app-vulnerability-endangers-users-data/article/329747/
FYI
- Card data among info accessed in malware attack on medical
supplier - The information – including payment card data – of more
than 4,000 individuals was inappropriately accessed after malware
was introduced into the computer systems of Ohio-based Edgepark
Medical Supplies.
http://www.scmagazine.com/card-data-among-info-accessed-in-malware-attack-on-medical-supplier/article/329707/
WEB SITE COMPLIANCE -
"Member FDIC" Logo - When is it required?
The FDIC believes that every bank's home page is to some extent an
advertisement. Accordingly, bank web site home pages should contain
the official advertising statement unless the advertisement is
subject to exceptions such as advertisements for loans, securities,
trust services and/or radio or television advertisements that do not
exceed thirty seconds.
Whether subsidiary web pages require the official advertising
statement will depend upon the content of the particular page.
Subsidiary web pages that advertise deposits must contain the
official advertising statement. Conversely, subsidiary web pages
that relate to loans do not require the official advertising
statement.
INFORMATION TECHNOLOGY SECURITY - We continue our series
on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS -
IMPLEMENTATION -
NETWORK ACCESS
Protocols and Ports (Part 1 of 3)
Network communications rely on software protocols to ensure the
proper flow of information. A protocol is a set of rules that allows
communication between two points in a telecommunications connection.
Different types of networks use different protocols. The Internet
and most intranets and extranets, however, are based on the TCP/IP
layered model of protocols. That model has four layers, and
different protocols within each layer. The layers, from bottom to
top, are the network access layer, the Internet layer, the
host-to-host layer, and the application layer. Vulnerabilities and
corresponding attack strategies exist at each layer. This becomes an
important consideration in evaluating the necessary controls.
Hardware and software can use the protocols to restrict network
access. Likewise, attackers can use weaknesses in the protocols to
attack networks.
The primary TCP/IP protocols are the Internet protocol (IP) and the
transmission control protocol (TCP). IP is used to route messages
between devices on a network, and operates at the Internet layer.
TCP operates at the host-to-host layer, and provides a
connection-oriented, full-duplex, virtual circuit between hosts.
Different protocols support different services for the network. The
different services often introduce additional vulnerabilities. For
example, a third protocol, the user datagram protocol (UDP), is also
used at the host-to-host layer. Unlike TCP, UDP is not
connection-oriented, which makes it faster and a better protocol for
supporting broadcast and streaming services. Since UDP is not
connection-oriented, however, firewalls often cannot filter it
effectively by tracking connection state. To provide additional
safeguards, inbound UDP is often blocked entirely, or additional
controls are added to verify and authenticate inbound UDP packets as
coming from a trusted host.
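As an added illustration (not from the FFIEC booklet or this newsletter), the Python below decodes the IPv4 (Internet layer) and TCP/UDP (host-to-host layer) headers and applies the stateless inbound rule the text describes: UDP is dropped unless it comes from a trusted host. The trusted-peer list and all addresses are constructed for the example, using RFC 5737 documentation ranges; `build_packet` only exists to construct test input.

```python
import struct
import ipaddress

# Protocol numbers carried in the IPv4 header's protocol field (Internet layer).
PROTO_TCP = 6
PROTO_UDP = 17

# Constructed policy for this example: inbound UDP is dropped unless it comes from
# a trusted (host, service port) pair, e.g. replies from an internal DNS or NTP server.
# Addresses are RFC 5737 documentation ranges, not real hosts.
TRUSTED_UDP_PEERS = {
    (ipaddress.ip_address("192.0.2.53"), 53),    # trusted DNS resolver
    (ipaddress.ip_address("192.0.2.123"), 123),  # trusted NTP server
}

def parse_ipv4(packet: bytes) -> dict:
    """Decode the IPv4 header and, for TCP/UDP, the host-to-host layer ports."""
    if len(packet) < 20:
        raise ValueError("packet shorter than a minimal IPv4 header")
    (ver_ihl, _tos, _length, _ident, _frag, _ttl,
     proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes, options included
    hdr = {"proto": proto,
           "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst)}
    # Both TCP and UDP headers begin with 16-bit source and destination ports.
    if proto in (PROTO_TCP, PROTO_UDP) and len(packet) >= ihl + 4:
        hdr["sport"], hdr["dport"] = struct.unpack("!HH", packet[ihl:ihl + 4])
    return hdr

def inbound_decision(packet: bytes) -> str:
    """Stateless inbound rule: UDP only from trusted peers; other protocols pass here."""
    hdr = parse_ipv4(packet)
    if hdr["proto"] != PROTO_UDP:
        return "allow"  # TCP and other protocols are left to other (stateful) rules
    if (hdr["src"], hdr.get("sport")) in TRUSTED_UDP_PEERS:
        return "allow"
    return "drop"  # untrusted or truncated UDP is dropped

def build_packet(proto: int, src: str, dst: str, sport: int, dport: int) -> bytes:
    """Construct a minimal IPv4 packet with an 8-byte transport header stub (test input)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                         ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
    return ip_hdr + struct.pack("!HHHH", sport, dport, 8, 0)
```

A real firewall would combine this with stateful tracking of outbound requests so that only solicited replies are admitted; the source-based check alone does not stop a spoofed source address.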
INTERNET PRIVACY - We continue our
series listing the regulatory-privacy examination questions. When
you answer the question each week, you will help ensure compliance
with the privacy regulations.
32. When a customer relationship ends, does the institution
continue to apply the customer's opt out direction to the nonpublic
personal information collected during, or related to, that specific
customer relationship (but not to new relationships, if any,
subsequently established by that customer)? [§7(g)(2)]