R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

February 9, 2014

Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


REMINDER -
This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - Tech experts look to establish facial recognition software guidelines - A group of technology industry experts will meet this Thursday to discuss facial recognition technologies and take the first steps toward establishing guidelines for future technology. An agency within the U.S. government's Commerce Department invited the group of privacy advocates, technical experts and industry professionals to come together. http://www.scmagazine.com/tech-experts-look-to-establish-facial-recognition-software-guidelines/article/332457 

FYI - Visa pushes credit card industry to enhance security measures - Visa is urging card issuers to adopt chip cards instead of cards relying on magnetic stripes after a slew of retail stores' data breaches, including Target and Neiman Marcus. http://www.scmagazine.com/visa-pushes-credit-card-industry-to-enhance-security-measures/article/332066

FYI - Watch a four-minute video interview that my friend John Moynihan gave regarding the Target breach, saying that the breach was "completely undetectable" for major security products. http://www.necn.com/01/22/14/Expert-Target-data-breach-was-completely/landing_mobile.html?blockID=862043

FYI - The need for a national cyber breach notification standard - It is a well-known fact that cyber attacks pose a significant risk to businesses. Most recently, we have seen how the cyber attack on Target resulted in lower sales, higher costs, and a loss of customer trust. http://www.scmagazine.com/fuzzy-math-the-need-for-a-national-cyber-breach-notification-standard/article/331478

FYI - SEC examiners to review how asset managers fend off cyber attacks - U.S. regulators said Thursday they plan to scrutinize whether asset managers have policies to prevent and detect cyber attacks and are properly safeguarding against security risks that could arise from vendors having access to their systems. http://www.baltimoresun.com/business/sns-rt-us-sec-cyber-assetmanagers-20140130,0,6544544.story

FYI - Strict Hacking Definition Doesn't Touch IT Misuse - Accessing a firm's proprietary information with customer login credentials does not qualify as hacking under state and federal computer fraud laws, a federal magistrate ruled. http://www.courthousenews.com/2014/01/29/64921.htm

FYI - Yet Another Data Breach Bill Introduced - Latest Proposal to Create National Requirement for Notification - Yet another bill to create a federal requirement for data breach notification has been introduced, this time by Democratic leaders of the Senate Commerce, Science and Transportation Committee. http://www.govinfosecurity.com/yet-another-data-breach-bill-introduced-a-6466

FYI - PCI Council Responds to Critics - Council's GM Says No Standards Changes Needed - The PCI Security Standards Council has no plans to modify its standards for payment card data security in response to high-profile payment card breaches at Target and Neiman Marcus. http://www.govinfosecurity.com/interviews/pci-council-responds-to-critics-i-2175

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Target traces security breach to stolen vendor credentials - The hackers who stole millions of credit card numbers from Target have been tracked back to electronic credentials stolen from a vendor. Target's investigation of the massive security breach which allowed hackers to take millions of credit and debit card numbers has revealed a stolen vendor's credentials as a source of access. http://www.zdnet.com/target-traces-security-breach-to-stolen-vendor-credentials-7000025780/

FYI - Yahoo! Mail! users! change! your! passwords! NOW! - Web giant blames 'third-party database compromise' - Yahoo! is urging users of its Mail service to change their passwords to something secure and unique to the web giant – after a security breach exposed account login details to theft. http://www.theregister.co.uk/2014/01/31/yahoo_mail_users_change_your_password_now/

FYI - Calif. high schoolers expelled after using keylogger, doctoring grades - Eleven students at a California high school have been expelled for bugging teachers' computers with a keylogger and later doctoring online grades.
http://www.scmagazine.com/calif-high-schoolers-expelled-after-using-keylogger-doctoring-grades/article/332113/
http://news.cnet.com/8301-1009_3-57618144-83/teens-expelled-in-keylogging-of-school-computers

FYI - Canada's largest telecom firm Bell Canada hit with 22k password breach - Bell Canada, the country's largest communications firm, is alerting its small business customers that 22,421 usernames and passwords were posted online. http://www.scmagazine.com/canadas-largest-telecom-firm-bell-canada-hit-with-22k-password-breach/article/332458

FYI - Wisconsin health insurer loses hard drive, 41K members impacted - About 41,000 members of Wisconsin-based Unity Health Insurance are being notified that their personal information may be at risk after a portable hard drive was reported missing from the University of Wisconsin-School of Pharmacy. http://www.scmagazine.com/wisconsin-health-insurer-loses-hard-drive-41k-members-impacted/article/332213/

FYI - Coding error on hundreds of NHS sites redirects users to dodgy pages - Hundreds of NHS websites have been redirecting web users to pages hosting advertising or malware, due to a "coding error". http://www.v3.co.uk/v3-uk/news/2326540/coding-error-on-hundreds-of-nhs-sites-redirects-users-to-dodgy-pages

FYI - Hackers access 800,000 Orange customers' data - Orange reveals an attack on its website exposed details for three percent of its French customer base. Orange customers in France could see a spike in phishing attempts after hackers nabbed hundreds of thousands of customers' unencrypted personal data in an attack on the operator's website. http://www.zdnet.com/hackers-access-800000-orange-customers-data-7000025880/

FYI - US hotels look into data security breach - It is not yet clear how payment card data went astray from computers at White Lodging - Thousands of guests at US hotels may have had their credit and debit data stolen, suggests a security researcher. http://www.bbc.co.uk/news/technology-26015428

FYI - French mobile provider breach affects 800,000 - A French mobile provider, Orange, admitted that the personal information of 800,000 customers was breached in mid-January. http://www.scmagazine.com/french-mobile-provider-breach-affects-800000/article/332665

FYI - Social Security numbers of 14K Texas students on stolen devices - Roughly 14,000 current and former Midland Independent School District students in Texas may have had personal information – including Social Security numbers – compromised after a laptop and unsecured external hard drive were stolen from a district administrator's vehicle. http://www.scmagazine.com/social-security-numbers-of-14k-texas-students-on-stolen-devices/article/332564

FYI - Texas health system attacked, data on more than 400K compromised - More than 400,000 patients and employees of St. Joseph Health System in Texas are being notified that their personal information – including Social Security numbers and, in some cases, bank account information – may have been accessed following an attack on the health system's computer system. http://www.scmagazine.com/texas-health-system-attacked-data-on-more-than-400k-compromised/article/332759

FYI - Health workers' personal info compromised after breach - More than 1,000 Minnesota-based healthcare workers' personal information might have been compromised after an attack on a medical center's employee database. http://www.scmagazine.com/health-workers-personal-info-compromised-after-breach/article/333059

FYI - Home Depot staffers arrested, stole employee info and opened fraudulent credit cards - Three former human resources associates with Home Depot have been arrested for accessing the personal information – including Social Security numbers – of employees and attempting to use that data to open fraudulent credit cards. http://www.scmagazine.com/home-depot-staffers-arrested-stole-employee-info-and-opened-fraudulent-credit-cards/article/333037


WEB SITE COMPLIANCE -
Disclosures/Notices (Part 1 of 2)

Several regulations require disclosures and notices to be given at specified times during a financial transaction. For example, some regulations require that disclosures be given at the time an application form is provided to the consumer. In this situation, institutions will want to ensure that disclosures are given to the consumer along with any application form. Institutions may accomplish this through various means, one of which may be through the automatic presentation of disclosures with the application form. Regulations that allow disclosures/notices to be delivered electronically and require institutions to deliver disclosures in a form the customer can keep have been the subject of questions regarding how institutions can ensure that the consumer can "keep" the disclosure. A consumer using certain electronic devices, such as Web TV, may not be able to print or download the disclosure. If feasible, a financial institution may wish to include in its on-line program the ability for consumers to give the financial institution a non-electronic address to which the disclosures can be mailed.

INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS

TCP/IP Packets

TCP/IP is a packet-based communications system. A packet consists of a header and a data payload. A header is analogous to a mail envelope, containing the information necessary for delivery of the envelope, and the return address. The data payload is the content of the envelope. The IP packet header contains the address of the sender (source address) and the intended recipient (destination address) and other information useful in handling the packet. Under IP, the addresses are unique numbers known as IP addresses. Each machine on an IP network is identified by a unique IP address. The vast majority of IP addresses are publicly accessible. Some IP addresses, however, are reserved for use in internal networks. Those addresses are 10.0.0.0 - 10.255.255.255, 172.16.0.0 - 172.31.255.255, and 192.168.0.0 - 192.168.255.255. Since those internal addresses are not accessible from outside the internal network, a gateway device is used to translate the external IP address to the internal address. The device that translates external and internal IP addresses is called a network address translation (NAT) device. Other IP packet header fields include the protocol field (e.g., 1=ICMP, 6=TCP, 7=UDP), flags that indicate whether routers are allowed to fragment the packet, and other information.

If the IP packet indicates the protocol is TCP, a TCP header will immediately follow the IP header. The TCP header contains the source and destination ports, the sequence number, and other information. The sequence number is used to order packets upon receipt and to verify that all packets in the transmission were received.

Information in headers can be spoofed, or specially constructed to contain misleading information. For instance, the source address can be altered to reflect an IP address different from the true source address, and the protocol field can indicate a different protocol than actually carried. In the former case, an attacker can hide their attacking IP, and cause the financial institution to believe the attack came from a different IP and take action against that erroneous IP. In the latter case, the attacker can craft an attack to pass through a firewall and attack with an otherwise disallowed protocol.
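As an added example (not from the newsletter or the FFIEC booklet), the Python below decodes the header fields the text describes from a constructed IPv4/TCP packet, classifies addresses against the three internal ranges listed above, and applies the ingress check a border device uses against the source-address spoofing just described. It assumes the IANA protocol numbers, under which UDP is 17; the packet builder, field names and sample addresses are constructed for illustration.

```python
import ipaddress
import struct

# IANA protocol numbers (assumption: the booklet excerpt above gives 7 for UDP; IANA assigns 17).
PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# The reserved internal (RFC 1918) ranges listed in the text.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_ipv4_tcp(raw: bytes) -> dict:
    """Decode the fixed IPv4 header and, when the protocol field is 6, the TCP header."""
    ver_ihl, _tos, _tlen, _id, flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4          # IP header length in bytes, incl. options
    pkt = {"src": str(ipaddress.IPv4Address(src)),
           "dst": str(ipaddress.IPv4Address(dst)),
           "protocol": PROTOCOL_NAMES.get(proto, str(proto)),
           "dont_fragment": bool(flags_frag & 0x4000),   # DF flag: routers may not fragment
           "ttl": ttl}
    if proto == 6:                       # TCP header immediately follows the IP header
        sport, dport, seq = struct.unpack("!HHI", raw[ihl:ihl + 8])
        pkt.update(sport=sport, dport=dport, seq=seq)
    return pkt

def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def spoof_indicators(pkt: dict, arrived_from_internet: bool) -> list:
    """Header conditions a border filter should drop and log (ingress filtering)."""
    issues = []
    if arrived_from_internet and is_internal(pkt["src"]):
        issues.append("internal source address arriving from the Internet")
    if pkt["src"] == pkt["dst"]:
        issues.append("source address equals destination address")
    return issues

def build_ipv4_tcp(src, dst, sport, dport, seq, df=True) -> bytes:
    """Constructed sample packet: no IP options, zero checksums, empty payload."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 65535, 0, 0)
    flags_frag = 0x4000 if df else 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, flags_frag, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + tcp
```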


INTERNET PRIVACY -
We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

35. Does the institution deliver the privacy and opt out notices, including the short-form notice, so that the consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, electronically? [§9(a)]


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com
