The Story Behind the Breach at Neiman Marcus Group

Last week I shared the Business Week article that explains how Target stores were breached and credit and debit card information was stolen. This week I found a similar article on the breach at Neiman Marcus stores.

It is almost certain that the Neiman Marcus breach was carried out by a different group of hackers than the one behind the Target breach, because the method and code style used were different. According to the investigation, card data was stolen from July through October 2013. The number of cards exposed is less than 350,000, a much smaller number than first estimated.

Similar to the Target attack, the hackers moved unnoticed in the company’s computers for several months, sometimes tripping hundreds of alerts daily. Although the anomalous behavior was logged by the company’s centralized security system, that system did not recognize the code as malicious or expunge it. It is unclear why the alerts weren’t investigated at the time.

According to the investigative report, Neiman Marcus was in compliance with standards meant to protect transaction data when the attack occurred. Data-security requirements were tightened again this year after a rash of thefts that also included Target and Michaels Stores.

Read the full story at

Internet Wiretapping Explained

With the revelation of the Prism program, and with warrantless wiretapping being the topic of the day, there has been much confusion and speculation in the debates. This article from the Associated Press explains in clear terms what we know, and what it means for our data.

This article from ZD Net corrects some of the misleading stories in the mainstream media.

Cloud Computing: The Security Debate

A lively debate took place last Fall at Indiana University featuring passionate arguments on the nature, status and future of cloud security in and beyond the higher education environs. The article posted by Educause captures the salient points, key quotes and a bit of the color that permeated the two sides of the discussion: Cloud now or cloud how?

After reading the article, what do you think?

Security Breach at Yale Exposes 43,000 People’s Data

Yale University notified about 43,000 staff, students and alumni that their personal data, including their names and Social Security numbers, had been publicly available on an FTP server. The breach occurred when sensitive personal data stored on the FTP server became publicly available after Google changed, in September 2010, how its search engine indexes and finds FTP servers. Yale personnel were not aware of this change and discovered the breach in June of this year.

The breach affects anyone affiliated with Yale University in 1999. Yale has “secured” the file, and Google has confirmed it no longer stores the data.

Read the full story at

You CAN Prevent Data Leaks at MIT

The history of cyber-criminal activity over the past few decades has shown that the bad guys will always find ways into our systems if they really want to, whether through viruses, malware, tricks or brute force, in spite of our attempts to block such occurrences with secure technology. So is it a losing battle? Not if we cover all bases.

There are three basic steps to ensure that, even if a system is breached, no sensitive data is accessed.

  1. FIND IT: Know where the data resides so that measures can be taken to protect it. Audit computers and servers to determine whether sensitive data is stored on them or whether they are used to access data remotely.
  2. MINIMIZE IT: Remove all the sensitive data files from the places where they are no longer needed. Either securely delete them altogether or move them to a system that is less likely to be compromised. If you have multiple versions of the data, remove the unnecessary copies.
  3. SECURE IT: Comply with recommended protection methods for securing data, such as limiting access through secure authentication and encrypting systems where sensitive data resides.

Identity Finder is a software tool provided by IS&T that helps take action with all three of these steps. Identity Finder searches for data elements, such as Social Security numbers, passwords and financial account numbers. It reports when such data elements are found and gives the user the choice to shred the files, just remove the sensitive parts, or put the files in an encrypted vault. Identity Finder is supported by a console that provides centralized reporting and remote administration, remediation and scheduling.
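To make the FIND IT and MINIMIZE IT steps concrete, here is an added example of the kind of search Identity Finder performs. It is not Identity Finder's code and makes simplifying assumptions: an SSN is recognised by its ddd-dd-dddd shape, a card number by 13 to 19 digits that pass the Luhn checksum, and the sample text and file-scanning helper are constructed for illustration.

```python
import re
from pathlib import Path
from typing import Dict, List, Tuple

# Added example, not Identity Finder's code: a minimal "FIND IT / MINIMIZE IT"
# scanner. The patterns are simplified assumptions, and the sample text is
# constructed for illustration; none of it is real personal data.

# SSN: ddd-dd-dddd, rejecting area 000/666/9xx and all-zero groups.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card-number candidate: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: filters out numbers that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> List[Tuple[str, str]]:
    """Return (kind, value) pairs for SSN-like and Luhn-valid card-like strings."""
    hits = [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        if luhn_valid(re.sub(r"[ -]", "", m.group())):
            hits.append(("card", m.group()))
    return hits


def mask(value: str) -> str:
    """Keep only the last four digits: the 'just remove the sensitive parts' option."""
    n_digits = sum(ch.isdigit() for ch in value)
    out, seen = [], 0
    for ch in value:
        if ch.isdigit():
            out.append(ch if seen >= n_digits - 4 else "*")
            seen += 1
        else:
            out.append(ch)
    return "".join(out)


def redact(text: str) -> str:
    """Replace every hit in the text with its masked form."""
    for _, value in find_sensitive(text):
        text = text.replace(value, mask(value))
    return text


def scan_files(paths: List[Path]) -> Dict[str, List[Tuple[str, str]]]:
    """Audit step: map each file that contains hits to the hits found in it."""
    report = {}
    for p in paths:
        hits = find_sensitive(p.read_text(errors="ignore"))
        if hits:
            report[str(p)] = hits
    return report


# Constructed sample text; the card number is the widely used Visa test value,
# and the "order ref" is a 16-digit number that fails the Luhn check.
SAMPLE = """\
employee: Jane Doe, ssn 123-45-6789, ext 555-123-4567
card on file 4111 1111 1111 1111, order ref 1234 5678 9012 3456
"""

if __name__ == "__main__":
    for kind, value in find_sensitive(SAMPLE):
        print(f"{kind}: {value}")
    print(redact(SAMPLE))
```

The phone extension and the Luhn-invalid order reference are left alone, which is the point of the checksum: a scanner that flags every long digit string produces so many false positives that nobody acts on the report.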

Members of MIT who view, store or process MIT business data can obtain a free copy. For questions, please contact

The SecurID Compromise

RSA Security will be replacing the 40 million SecurID tokens currently in use as a result of a reported attack on RSA last March. The company recently sent a letter to customers acknowledging that SecurID failed to protect defense contractor Lockheed Martin and several other clients as a result of the attack.

SecurID tokens are used in two-factor authentication systems. Two-factor authentication has been considered by many to be the gold standard for secure IT access. The idea is that you must have two things: something you have (such as a token) and something you know (such as a password). Many companies, for example, require a smart card with an embedded identity chip to be inserted into a card reader. When the card is inserted, you’re prompted for your password.

SecurID is a token that you don’t have to insert. It presents a number to the user that changes every 30 seconds. The algorithm that matches the number to the token may be part of what was stolen from RSA’s data systems. The thieves now have one of the two factors figured out, so if you have a weak password as the second factor, the thieves will be able to penetrate your secure system.

Do you have a strong password?

Safe Computing While Away from MIT

Keeping data secure, while using your home computer or while traveling with a laptop, is a challenge. While the summer time is a period when most of us are relaxing, we can’t afford to ease off on securing important data. This article has several tips for both the telecommuter and the summer traveler.

The Cost of a Data Breach in the US

A study conducted by the Ponemon Institute on behalf of Symantec (a security software company) shows that the average organizational cost of a data breach increased to $7.2 million, and that breaches cost US companies an average of $214 per compromised record, markedly higher than the $204 in 2009.

The study is based on the actual data breach experiences of 51 US companies from 15 different industry sectors. For the fifth year in a row, data breach costs have continued to rise (except, notably, in the Education sector, where costs fell from $203 per record in 2009 to $112 in 2010).

The costs are applicable to organizations that experience large data breaches (between 1000 and 100,000 compromised records). Included in the business costs are expense outlays for detection, escalation, notification, and after-the-fact response.

The study also analyzes the impact of lost or diminished customer trust and confidence as measured by customer turnover rates. As could be expected, companies that have larger numbers of records breached pay more per record because of higher-than-normal customer turnover.

Causes of data breaches: malicious or criminal attacks accounted for 31% of breaches, system failures for around 27% and negligence for around 41%.

Browser History and Cache

As more and more information moves from paper to electronic format, it is important to make sure that when you access sensitive information you do not leave behind an electronic paper trail. This is especially important on shared and public computers or mobile devices because of their accessibility to others. IS&T offers some recommendations for your browser settings, including removing browser history and clearing the cache.

Read the full article at IS&T News.
