<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">In this issue:</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">1. The Story Behind the Breach at Neiman Marcus Group</div>
<div style="margin: 0px; font-family: Helvetica;">2. FTC May Charge Target for Failure to Protect</div>
<div style="margin: 0px; font-family: Helvetica;">3. EVENT: Security Leadership Summit in Boston, April 29 - May 7</div>
<div style="margin: 0px; font-family: Helvetica;">4. Apple Responds Slow to Fake App in App Store </div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">-----------------------------------------------------------------------------</div>
<div style="margin: 0px; font-family: Helvetica;">1. The Story Behind the Breach at Neiman Marcus Group</div>
<div style="margin: 0px; font-family: Helvetica;">-----------------------------------------------------------------------------</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">Last week I shared the Business Week article that explains how Target stores were breached and credit and debit card information was stolen. This week I found a similar article on the breach at Neiman Marcus
stores.</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">It is almost certain that the Neiman Marcus breach was made by a different group of hackers than those who made the Target breach because of the different method and code style used. According to the investigation,
card data was stolen from July through October, 2013. The number of cards exposed is less than 350,000, a much smaller number than first estimated. </div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">Similar to the Target attack, the hackers moved unnoticed in the company’s computers for several months, sometimes tripping hundreds of alerts daily. While the anomalous behavior was logged on the company’s
centralized security system, it did not recognize the code as malicious, or expunge it. It is unclear why the alerts weren’t investigated at the time.</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">According to the investigative report, Neiman Marcus was in compliance with standards meant to protect transaction data when the attack occurred. Data-security requirements were tightened again this year after
a rash of thefts that also included Target and Michaels Stores.</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;"><a href="http://www.businessweek.com/articles/2014-02-21/neiman-marcus-hackers-set-off-60-000-alerts-while-bagging-credit-card-data">Read the full story at businessweek.com</a>.</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">----------------------------------------------------------------</div>
<div style="margin: 0px; font-family: Helvetica;">2. FTC May Charge Target for Failure to Protect </div>
<div style="margin: 0px; font-family: Helvetica;">----------------------------------------------------------------</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">Following up with the Target Inc breach, the FTC has been in contact with the corporation, but has failed to comment on whether it has launched a formal investigation. But former commission officials say the
agency is taking a hard look at the incident, which resulted in 40 million credit card numbers falling into the hands of cyber criminals.</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">The FTC polices data security under its legal authority over “unfair” business practices. Companies have a responsibility to take “reasonable and appropriate” steps to protect the data they collect from consumers,
according to FTC lawyers.</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">Congress is considering legislation that would expand the FTC’s authority to allow it to fine companies for inadequate data security. Currently the agency can force a company to change its practices, but it
cannot punish companies.</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;"><a href="http://www.nextgov.com/cybersecurity/2014/03/target-could-face-federal-charges-failing-protect-customer-data-hackers/80824/">Read the full story in the news</a>.</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">-----------------------------------------------------------------------------------------</div>
<div style="margin: 0px; font-family: Helvetica;">3. EVENT: Security Leadership Summit in Boston, April 29 - May 7</div>
<div style="margin: 0px; font-family: Helvetica;">-----------------------------------------------------------------------------------------</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">Boston is hosting the SANS Security Leadership Summit, where CISOs, IT professionals, non-technical executives and other stakeholders can learn and share their knowledge, experience and leadership on keeping
organizations safe from hacks, intrusions, APT, malware and the constant stream of threats.</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">When: April 29 - May 7, 2014, <a href="http://www.sans.org/event-downloads/35505/agenda.pdf">
Agenda</a> (pdf)</div>
<div style="margin: 0px; font-family: Helvetica;">Where: Omni Parker House, Boston, MA</div>
<div style="margin: 0px; font-family: Helvetica;">Price: $ 495 to 1,495, depending on purchase of course </div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;"><a href="http://www.sans.org/event/security-leadership-summit-2014/">Further details</a></div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">-------------------------------------------------------------------</div>
<div style="margin: 0px; font-family: Helvetica;">4. Apple Responds Slow to Fake App in App Store</div>
<div style="margin: 0px; font-family: Helvetica;">------------------------------------------------------------------- </div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">According to Tor developers, they tried unsuccessfully for months to get Apple to remove a potentially malicious Tor browser app from the iOS App Store. Notices sent to Apple produced little response, other
than to say the company is allowing the app’s developer to defend it. </div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">The complaint, <a href="https://trac.torproject.org/projects/tor/ticket/10549">
reported by Tor Project</a>, was posted 3 months ago, and warned that the Tor Browser in the Apple App Store is fake, is full of adware and spyware and should be removed. It was surprising, according to the Tor developers comments, how slowly Apple responded
to the concerns.</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">Three days ago, the app was finally removed from the App Store.</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">The lesson: even with a company such as Apple, who is normally stringent about distributing third-party applications, you still need to be careful about what you download.</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;"><a href="http://www.computerworld.com/s/article/9247090/Fake_Tor_app_has_been_sitting_in_Apple_39_s_App_Store_for_months_Tor_Project_says">Read the full story in the news.</a></div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div apple-content-edited="true">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">
<div style="margin: 0px; font-family: Helvetica;">=======================================================================================</div>
<div style="margin: 0px; font-family: Helvetica;">Read all archived Security FYI Newsletter articles and submit comments online at
<a href="http://securityfyi.wordpress.com/"><span style="color: rgb(4, 46, 238);">http://securityfyi.wordpress.com/</span></a>.</div>
<div style="margin: 0px; font-family: Helvetica;">=======================================================================================</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
Monique Buchanan<br>
IT Security Communications Consultant<br>
Information Systems & Technology (IS&T)<br>
Massachusetts Institute of Technology<br>
<a href="http://ist.mit.edu/secure">http://ist.mit.edu/secure</a><br>
tel: 617.253.2715<br>
<br>
<span style="font-family: Helvetica;">"Distrust and caution are the parents of security" - Benjamin Franklin</span></div>
</div>
</div>
<br>
</body>
</html>