The Story Behind the Breach at Neiman Marcus Group

Last week I shared the Business Week article that explains how Target stores were breached and credit and debit card information was stolen. This week I found a similar article on the breach at Neiman Marcus stores.

It is almost certain that the Neiman Marcus breach was carried out by a different group of attackers than the one behind the Target breach, because the method and coding style differ. According to the investigation, card data was stolen from July through October 2013. The number of cards exposed is fewer than 350,000, much smaller than first estimated.

As in the Target attack, the intruders moved unnoticed through the company’s systems for months, at times tripping hundreds of alerts a day. The anomalous behavior was logged by the company’s centralized security system, but that system neither recognized the code as malicious nor removed it. It is unclear why the alerts weren’t investigated at the time.

According to the investigative report, Neiman Marcus was in compliance with standards meant to protect transaction data when the attack occurred. Data-security requirements were tightened again this year after a rash of thefts that also included Target and Michaels Stores.

Read the full story at businessweek.com.

FTC May Charge Target for Failure to Protect

Following up on the Target Corporation breach: the FTC has been in contact with the company but has declined to comment on whether it has opened a formal investigation. Former commission officials say the agency is taking a hard look at the incident, in which roughly 40 million payment card numbers fell into the hands of cyber criminals.

The FTC polices data security under its legal authority over “unfair” business practices. Companies have a responsibility to take “reasonable and appropriate” steps to protect the data they collect from consumers, according to FTC lawyers.

Congress is considering legislation that would expand the FTC’s authority so that it could fine companies for inadequate data security. Today the agency can force a company to change its practices, but it cannot impose monetary penalties.

Read the full story in the news.

The Story Behind the Breach at Target, Inc.

Businessweek.com has published an in-depth article and video explaining how Target stores were breached and their systems infected with malware, leading to one of the biggest data thefts in retail history. According to the investigation conducted after the theft was discovered, Target staff failed to respond to several alerts raised by their FireEye security system. Had the security team acted on the alarms, they could have prevented the exfiltration of the stolen card data.

Even without human intervention, the breach could’ve been stopped, according to the article. “The system has an option to automatically delete malware as it’s detected. But according to two people who audited FireEye’s performance after the breach, Target’s security team turned that function off.” While not unusual, it puts pressure on a team to quickly find and neutralize the infected computers.

It was clear, according to the article, that Target was getting warnings of a serious compromise: even the company’s Symantec antivirus flagged suspicious behavior over several days around Thanksgiving, pointing to the same server identified by FireEye.

Read the full story on Businessweek.com

The University of Maryland Data Breach

University of Maryland President Wallace D. Loh has disclosed a breach of a university database that compromised personal information of more than 300,000 students and staff members.

The incident affects anyone who was associated with the university’s College Park and Shady Grove campuses dating back to 1998. The exposed data include birth dates, Social Security numbers (SSNs) and school ID numbers, but not financial, academic, or health data.

Forensic investigators are examining the breached files and logs. University CIO Brian Voss said the intruder copied the information in the database.

Read the full story in the news.

Yahoo! User Data Compromised

Last week Yahoo announced that usernames and passwords belonging to about 450,000 of its email customers had been stolen. As a result, Yahoo believes attackers were able to gather personal information on those customers’ contacts.

Users who were affected will get a prompt to change their passwords when they log in, and Yahoo also sent out email and SMS notifications. It is probably not a bad idea for all Yahoo email customers to reset their passwords.

Based on its findings, Yahoo believes the usernames and passwords were obtained from a compromised third-party database and has no evidence that they were taken from Yahoo’s own systems. That third party has not been identified, but experts note that attackers increasingly reach their targets by breaking into systems that belong to the target’s business partners.

Read the full story online.

Target Reveals New Data on Breach

According to the latest reports from the Target Corporation, new details from the forensic investigation show that the attackers not only stole credit and debit card information, but also names, mailing addresses, phone numbers and email addresses, impacting another 70 million individuals.

Perhaps it’s time for us to stop handing over our personal information to businesses, even with the assurances given that the information won’t be used and will be protected.

More about the data breach at Target is posted here.

Security Predictions for 2014

Every year around this time, security professionals look at the year ahead and the changing threat landscape to predict what might be the biggest threats emerging on the Internet.

Trend Micro offers this interactive and easy to follow online pamphlet, with predictions for 2014 and beyond.

Their predictions include:

  1. Basic two-step verification will no longer work against mobile Man in the Middle (MitM) attacks.*
  2. More cyber criminals will use targeted attack methods to compromise machines and networks, using the weakest link in the chain: humans. They will also leverage proven vulnerabilities from the past.
  3. Malware infection count is likely to surge due to the end of support for various software and operating systems.
  4. Bad actors will increasingly use clickjacking and watering hole tactics, along with new exploits.
  5. Attackers will target mobile device users even more, veering away from using email attachments for attacks.
  6. One major data breach will occur each month.
  7. Public distrust of privacy for individuals will continue.

Read the details online.

*NOTE: This particular attack is against two-factor authentication that works by sending SMS messages. Two-factor authentication based on a hard token or a soft token (phone app) is still strong. In particular, the Duo Security soft tokens MIT has been working with are not susceptible to this attack vector. That said, soft tokens installed on phones are vulnerable to being attacked directly and having their secret seeds stolen. Although we have not yet seen such attacks in the wild, Duo Security stores its secrets in a phone’s “secure element” when the phone is so equipped (for example, a phone with an NFC chip, or the iPhone’s secure storage). [Thanks to Jeff Schiller for this clarification.]
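To make the distinction in the note concrete, here is an added example (written for this newsletter, not code from Duo Security or from the Trend Micro report) of how a soft token computes its codes. It is a plain RFC 4226/6238 HOTP/TOTP implementation: the one-time code is derived only from a secret seed shared at enrollment plus the current time, so there is no SMS message for a mobile man-in-the-middle to intercept. The same math also shows the caveat in the note: anyone who copies the seed can compute every future code, which is why the seed belongs in protected storage. The seed, time values, and `window` parameter below are the RFC reference test values and my own choices, not anything from the original page.

```python
"""Soft-token (TOTP) code generation and verification, RFC 4226 / RFC 6238.

Added illustration for the two-factor note above; not the newsletter's or
any vendor's code. SEED is the RFC 6238 reference test seed, used here as
constructed input so the example runs offline.
"""
import hashlib
import hmac
import struct
import time

SEED = b"12345678901234567890"   # RFC 6238 reference seed (constructed test input)
STEP = 30                        # seconds per code
DIGITS = 6                       # length of the displayed code


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1(seed, counter) truncated to decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """TOTP (RFC 6238): HOTP with the counter taken from the clock.

    Nothing is transmitted to the phone: the token and the server each
    compute the same value from the seed and the time step.
    """
    return hotp(seed, at // step, digits)


def verify(seed: bytes, submitted: str, at: int, window: int = 1) -> bool:
    """Server-side check that tolerates +/- `window` time steps of clock skew.

    Uses a constant-time comparison so the verifier does not leak which
    digits matched. `window` is an assumed policy value, not from the page.
    """
    counter = at // STEP
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(seed, c), submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(SEED, now)
    print("current code:", code, "accepted:", verify(SEED, code, now))
```

Because the seed alone determines every code, a stolen seed is equivalent to a stolen token; the constant-time compare and small acceptance window are the server-side half of keeping the scheme honest.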

Target Store Data Accessed

Target announced on its corporate website late last week that the company experienced unauthorized access to payment card data at its US Target stores. The unauthorized access took place between November 27 and December 15, 2013. Canadian stores and the target.com website were not affected. Forensics efforts are still on-going.

Read the full notice from Target here plus some recommendations to protect yourself against potential misuse of your credit or debit card information. Note the information posted specifically for Massachusetts residents.

Why Debit Cards Are Riskier

The recent IS&T article “Tips for Shopping Safely Online” mentions that using a debit card is riskier for shopping than using a credit card. A colleague wondered how much of this was true, so I decided to do a little bit of research. These are some reasons why:

  • Payments made with a credit card are charged to the lender, who takes the risk and covers you for fraud. You can dispute a charge and have it removed from your account; you simply decline the charge and don’t pay that part of the bill. A debit card is tied directly to your bank account, so payment is almost instant and the money comes out of your balance rather than the lender’s. Disputing a debit charge can take weeks to resolve, leaving less in your account than you thought you had in the meantime.
  • ATMs, where you withdraw cash from your bank account, are a perfect target for thieves. Outdoor ATMs are especially susceptible: thieves install a skimming device that reads the magnetic stripe on the back of the card, capturing your card data. Gas station payment terminals are another place thieves install skimmers.
  • Stores are also targets. In 2009 Heartland Payment Systems discovered that thieves had been capturing card data as it passed through its payment processing network, which served about 175,000 merchants, and several years later Michaels was hit through tampered in-store PIN pads.

Of course, using a credit card comes with its own risks, such as interest rates and late fees. You can run up too much debt if you’re not careful. But for those of you who are financially responsible, credit cards can also earn you miles or other bonus points and rewards.

View more information about the differences between debit and credit cards at bankrate.com and this article on the NY Times.

Follow Up to Adobe Network Breach

Last month this newsletter announced that the Adobe network had been attacked.

On October 3, 2013, Adobe disclosed that attackers had broken into its network and stolen source code for a range of products, including ColdFusion and the Acrobat family. The breach was initially estimated to affect 2.9 million users, but that figure was later revised to at least 38 million. Adobe said the attackers had taken nearly 3 million encrypted customer credit card records, as well as login data for an undetermined number of Adobe user accounts.

The breach was disclosed in early October, but the stolen account data was not published on the web until early November. The published data includes tens of millions of accounts with user IDs, email addresses, encrypted passwords and more. (Read the full follow-up story.)

If you haven’t done so already, please update the password for your adobe.com account immediately. As an additional precaution, make sure you change any accounts using the same password as your adobe.com account.

If you use a tool such as LastPass for password management, here is an additional tip: the LastPass Security Challenge, located in the Tools menu of the LastPass add-on, will find any other accounts using the same password as the leaked account. Go to the plug-in > Tools > Security Check.

[Source: LastPass.com]
