[10218] in Security FYI


[IS&T Security-FYI] SFYI Newsletter, March 24, 2014

daemon@ATHENA.MIT.EDU (Monique Buchanan)
Mon Mar 24 15:54:53 2014

Resent-From: ist-security-fyi@MIT.EDU
From: Monique Buchanan <myeaton@MIT.EDU>
To: ist-security-fyi <ist-security-fyi@MIT.EDU>
Date: Mon, 24 Mar 2014 19:53:33 +0000
Message-ID: <B14DD919-0E84-465E-A4B9-EBD182F243B6@mit.edu>

In this issue:

1. The Story Behind the Breach at Neiman Marcus Group
2. FTC May Charge Target for Failure to Protect
3. EVENT: Security Leadership Summit in Boston, April 29 - May 7
4. Apple Responds Slowly to Fake App in App Store


-----------------------------------------------------------------------------
1. The Story Behind the Breach at Neiman Marcus Group
-----------------------------------------------------------------------------

Last week I shared the Business Week article that explains how Target stores were breached and credit and debit card information was stolen. This week I found a similar article on the breach at Neiman Marcus stores.

It is almost certain that the Neiman Marcus breach was carried out by a different group of hackers than the Target breach, because the method and code style used differ. According to the investigation, card data was stolen from July through October 2013. The number of cards exposed is less than 350,000, a much smaller number than first estimated.

As in the Target attack, the hackers moved unnoticed in the company’s computers for several months, sometimes tripping hundreds of alerts daily. Although the anomalous behavior was logged by the company’s centralized security system, the system did not recognize the code as malicious or expunge it. It is unclear why the alerts weren’t investigated at the time.

According to the investigative report, Neiman Marcus was in compliance with standards meant to protect transaction data when the attack occurred. Data-security requirements were tightened again this year after a rash of thefts that also included Target and Michaels Stores.

Read the full story at businessweek.com<http://www.businessweek.com/articles/2014-02-21/neiman-marcus-hackers-set-off-60-000-alerts-while-bagging-credit-card-data>.


----------------------------------------------------------------
2. FTC May Charge Target for Failure to Protect
----------------------------------------------------------------

Following up on the Target Inc breach, the FTC has been in contact with the corporation but has declined to comment on whether it has launched a formal investigation. Former commission officials say the agency is taking a hard look at the incident, which resulted in 40 million credit card numbers falling into the hands of cyber criminals.

The FTC polices data security under its legal authority over “unfair” business practices. Companies have a responsibility to take “reasonable and appropriate” steps to protect the data they collect from consumers, according to FTC lawyers.

Congress is considering legislation that would expand the FTC’s authority to allow it to fine companies for inadequate data security. Currently the agency can force a company to change its practices, but it cannot punish companies.

Read the full story in the news<http://www.nextgov.com/cybersecurity/2014/03/target-could-face-federal-charges-failing-protect-customer-data-hackers/80824/>.


-----------------------------------------------------------------------------------------
3. EVENT: Security Leadership Summit in Boston, April 29 - May 7
-----------------------------------------------------------------------------------------

Boston is hosting the SANS Security Leadership Summit, where CISOs, IT professionals, non-technical executives and other stakeholders can learn and share their knowledge, experience and leadership on keeping organizations safe from hacks, intrusions, APT, malware and the constant stream of threats.

When: April 29 - May 7, 2014; Agenda<http://www.sans.org/event-downloads/35505/agenda.pdf> (pdf)
Where: Omni Parker House, Boston, MA
Price: $495 to $1,495, depending on the course purchased

Further details<http://www.sans.org/event/security-leadership-summit-2014/>


-------------------------------------------------------------------
4. Apple Responds Slowly to Fake App in App Store
-------------------------------------------------------------------

According to Tor developers, they tried unsuccessfully for months to get Apple to remove a potentially malicious Tor browser app from the iOS App Store. Notices sent to Apple produced little response, other than to say the company is allowing the app’s developer to defend it.

The complaint, reported by Tor Project<https://trac.torproject.org/projects/tor/ticket/10549>, was posted 3 months ago and warned that the Tor Browser in the Apple App Store is fake, is full of adware and spyware, and should be removed. According to the Tor developers’ comments, it was surprising how slowly Apple responded to the concerns.

Three days ago, the app was finally removed from the App Store.

The lesson: even with a company such as Apple, which is normally stringent about distributing third-party applications, you still need to be careful about what you download.

Read the full story in the news<http://www.computerworld.com/s/article/9247090/Fake_Tor_app_has_been_sitting_in_Apple_39_s_App_Store_for_months_Tor_Project_says>.


=============================================================================
Read all archived Security FYI Newsletter articles and submit comments online at http://securityfyi.wordpress.com/.
=============================================================================



Monique Buchanan
IT Security Communications Consultant
Information Systems & Technology (IS&T)
Massachusetts Institute of Technology
http://ist.mit.edu/secure
tel: 617.253.2715

"Distrust and caution are the parents of security" - Benjamin Franklin

