[IS&T Security-FYI] SFYI Newsletter, March 24, 2014

Monique Buchanan myeaton at MIT.EDU
Mon Mar 24 15:53:33 EDT 2014


In this issue:

1. The Story Behind the Breach at Neiman Marcus Group
2. FTC May Charge Target for Failure to Protect
3. EVENT: Security Leadership Summit in Boston, April 29 - May 7
4. Apple Responds Slowly to Fake App in App Store


-----------------------------------------------------------------------------
1. The Story Behind the Breach at Neiman Marcus Group
-----------------------------------------------------------------------------

Last week I shared the Business Week article that explains how Target stores were breached and credit and debit card information was stolen. This week I found a similar article on the breach at Neiman Marcus stores.

The Neiman Marcus breach was almost certainly carried out by a different group of hackers from those behind the Target breach, given the different method and code style used. According to the investigation, card data was stolen from July through October 2013. The number of cards exposed is less than 350,000, a much smaller number than first estimated.

As in the Target attack, the hackers moved unnoticed through the company’s computers for several months, sometimes tripping hundreds of alerts daily. Although the anomalous behavior was logged by the company’s centralized security system, the system did not recognize the code as malicious or remove it. It is unclear why the alerts weren’t investigated at the time.

According to the investigative report, Neiman Marcus was in compliance with standards meant to protect transaction data when the attack occurred. Data-security requirements were tightened again this year after a rash of thefts that also included Target and Michaels Stores.

Read the full story at businessweek.com<http://www.businessweek.com/articles/2014-02-21/neiman-marcus-hackers-set-off-60-000-alerts-while-bagging-credit-card-data>.


----------------------------------------------------------------
2. FTC May Charge Target for Failure to Protect
----------------------------------------------------------------

Following up on the Target Inc. breach: the FTC has been in contact with the corporation but has not commented on whether it has launched a formal investigation. Former commission officials, however, say the agency is taking a hard look at the incident, which resulted in 40 million credit card numbers falling into the hands of cyber criminals.

The FTC polices data security under its legal authority over “unfair” business practices. Companies have a responsibility to take “reasonable and appropriate” steps to protect the data they collect from consumers, according to FTC lawyers.

Congress is considering legislation that would expand the FTC’s authority to allow it to fine companies for inadequate data security. Currently the agency can force a company to change its practices, but it cannot punish companies for past failures.

Read the full story in the news<http://www.nextgov.com/cybersecurity/2014/03/target-could-face-federal-charges-failing-protect-customer-data-hackers/80824/>.


-----------------------------------------------------------------------------------------
3. EVENT: Security Leadership Summit in Boston, April 29 - May 7
-----------------------------------------------------------------------------------------

Boston is hosting the SANS Security Leadership Summit, where CISOs, IT professionals, non-technical executives and other stakeholders can learn and share their knowledge, experience and leadership on keeping organizations safe from hacks, intrusions, APTs, malware and the constant stream of other threats.

When: April 29 - May 7, 2014, Agenda<http://www.sans.org/event-downloads/35505/agenda.pdf> (pdf)
Where: Omni Parker House, Boston, MA
Price: $495 to $1,495, depending on the course purchased

Further details<http://www.sans.org/event/security-leadership-summit-2014/>


-------------------------------------------------------------------
4. Apple Responds Slowly to Fake App in App Store
-------------------------------------------------------------------

According to Tor developers, they tried unsuccessfully for months to get Apple to remove a potentially malicious Tor browser app from the iOS App Store. Notices sent to Apple produced little response, other than a statement that the company was allowing the app’s developer to defend it.

The complaint, reported by the Tor Project<https://trac.torproject.org/projects/tor/ticket/10549>, was posted 3 months ago and warned that the Tor Browser in the Apple App Store is fake, is full of adware and spyware, and should be removed. According to the Tor developers’ comments, it was surprising how slowly Apple responded to the concerns.

Three days ago, the app was finally removed from the App Store.

The lesson: even with a company such as Apple, which is normally stringent about the third-party applications it distributes, you still need to be careful about what you download.

Read the full story in the news<http://www.computerworld.com/s/article/9247090/Fake_Tor_app_has_been_sitting_in_Apple_39_s_App_Store_for_months_Tor_Project_says>.


=======================================================================================
Read all archived Security FYI Newsletter articles and submit comments online at http://securityfyi.wordpress.com/.
=======================================================================================



Monique Buchanan
IT Security Communications Consultant
Information Systems & Technology (IS&T)
Massachusetts Institute of Technology
http://ist.mit.edu/secure
tel: 617.253.2715

"Distrust and caution are the parents of security" - Benjamin Franklin
