The Story Behind the Breach at Neiman Marcus Group

Last week I shared the Business Week article that explains how Target stores were breached and credit and debit card information was stolen. This week I found a similar article on the breach at Neiman Marcus stores.

It is almost certain that the Neiman Marcus breach was carried out by a different group of hackers than the Target breach, judging by the different methods and code style used. According to the investigation, card data was stolen from July through October, 2013. The number of cards exposed is less than 350,000, a much smaller number than first estimated.

As in the Target attack, the hackers moved unnoticed in the company’s computers for several months, sometimes tripping hundreds of alerts daily. The anomalous behavior was logged on the company’s centralized security system, but the system neither recognized the code as malicious nor removed it. It is unclear why the alerts weren’t investigated at the time.

According to the investigative report, Neiman Marcus was in compliance with standards meant to protect transaction data when the attack occurred. Data-security requirements were tightened again this year after a rash of thefts that also included Target and Michaels Stores.

Read the full story at


Internet Wiretapping Explained

With the revelation of the Prism program, and with warrantless wiretapping being the topic of the day, there has been much confusion and speculation in the debates. This article from the Associated Press explains in clear terms what we know, and what it means for our data.

This article from ZD Net corrects some of the misleading stories in the mainstream media.

Cloud Computing: The Security Debate

A lively debate took place last fall at Indiana University, featuring passionate arguments on the nature, status and future of cloud security in and beyond the higher education environs. The article posted by Educause captures the salient points, key quotes and a bit of the color that permeated the two sides of the discussion: Cloud now or cloud how?

After reading the article, what do you think?

Security Breach at Yale Exposes 43,000 People’s Data

Yale University notified about 43,000 staff, students and alumni that their personal data, including their names and Social Security numbers, had been publicly available on an FTP server. The breach occurred when the sensitive personal data stored on the FTP server became publicly available after Google made changes in September 2010 to how its search engine indexes and finds FTP servers. Yale personnel were not aware of this change and discovered the breach in June of this year.

The breach impacts anyone affiliated with Yale University in 1999. Yale has “secured” the file and Google has confirmed it no longer stores the data.

Read the full story at

You CAN Prevent Data Leaks at MIT

The history of cyber-criminal activity over the past few decades has shown that the bad guys will always find ways into our systems if they really want to, whether through viruses, malware, tricks or brute force, despite our attempts to block them with secure technology. So is it a losing battle? Not if we cover all bases.

There are three basic steps to ensure that even if a system is breached, no sensitive data is accessed.

  1. FIND IT: Know where the data resides so that measures can be taken to protect it. Take an audit of computers and servers to determine if sensitive data is stored on them or if they are being used to access data remotely.
  2. MINIMIZE IT: Remove all the sensitive data files from the places where they are no longer needed. Either secure delete them altogether or move them to a system that is less likely to be compromised. If you have multiple versions of the data, remove the unnecessary copies.
  3. SECURE IT: Comply with recommended protection methods for securing data, such as limiting access through secure authentication and encrypting systems where sensitive data resides.

Identity Finder is a software tool provided by IS&T that helps you act on all three of these steps. Identity Finder searches for data elements such as Social Security numbers, passwords and financial account numbers. It reports when such data elements are found and gives the user the choice to shred the files, remove just the sensitive parts, or put the files in an encrypted vault. Identity Finder is supported by a console that provides centralized reporting and remote administration, remediation and scheduling.
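To show what the FIND IT step involves, here is a small scanner for two of the data elements named above (Social Security numbers and card numbers). It is an added illustration, not Identity Finder's code; the patterns, the Luhn check and the sample text are constructed for this example.

```python
import re

# Constructed sample text standing in for a file found during an audit.
SAMPLE = """employee: Jane Doe  ssn: 219-09-9999
order 1042 paid with card 4111 1111 1111 1111
ticket ref 1234-5678-9012-3456 (not a card)
phone 617-555-0100"""

# SSN in the common 3-2-4 layout, rejecting never-issued area/group/serial values.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 16 digits, optionally separated by spaces or dashes; confirmed by Luhn below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers; filters out ticket ids etc."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Report findings without re-exposing the data: keep only the last four digits."""
    return re.sub(r"\d", "*", value[:-4]) + value[-4:]


def find_sensitive(text: str):
    """Return (kind, line_number, masked_value) for each hit, in reading order."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in SSN_RE.finditer(line):
            hits.append(("ssn", lineno, mask(m.group())))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                hits.append(("card", lineno, mask(digits)))
    return hits


if __name__ == "__main__":
    for kind, lineno, shown in find_sensitive(SAMPLE):
        print(f"line {lineno}: {kind} {shown}")
```

The ticket reference on line 3 looks like a card number but fails the Luhn check, so it is not reported; a real audit would walk a directory tree and feed each text file to find_sensitive.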

Members of MIT who view, store or process MIT business data can obtain a free copy. For questions, please contact

The SecurID Compromise

RSA Security will be replacing the 40 million SecurID tokens currently in use as a result of a reported attack on RSA last March. The company recently sent a letter to customers acknowledging that SecurID failed to protect defense contractor Lockheed Martin and several other clients as a result of the attack.

SecurID tokens are used in two-factor authentication systems. Two-factor authentication has been considered by many to be the gold standard for secure IT access. The idea is that you must have two things: something you have (such as a token) and something you know (such as a password). Many companies, for example, require a smart card with an embedded identity chip to be inserted into a card reader. When the card is inserted, you’re prompted for your password.

SecurID is a token that you don’t have to insert. It presents a number to the user that changes every 30 seconds. The algorithm that matches the number to the token may be part of what was stolen from RSA’s data systems. The thieves now have one of the two factors figured out, so if you have a weak password as the second factor, the thieves will be able to penetrate your secure system.
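The following added example shows why a stolen token secret collapses the first factor. It uses the public time-based one-time password construction (RFC 4226/6238, HMAC-SHA1, 30-second steps) as a stand-in; it is not RSA's proprietary SecurID algorithm, and the seed, password and salt are constructed values.

```python
import hashlib
import hmac
import struct

# Constructed seed (the RFC 6238 test value). A token and the server that verifies it
# share this secret; a copy of the server's seed records is enough to rebuild any token.
SEED = b"12345678901234567890"
SALT = b"example-salt"  # assumed per-user salt for the password hash


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time code: MAC the counter, dynamically truncate to 31 bits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(seed: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """Time-based code: the counter is the number of 30-second steps since the epoch."""
    return hotp(seed, now // step, digits)


def code_matches(seed: bytes, code: str, now: int, step: int = 30, drift: int = 1) -> bool:
    """Server-side check tolerating one step of clock drift either way."""
    for k in range(-drift, drift + 1):
        if hmac.compare_digest(totp(seed, now + k * step, step), code):
            return True
    return False


def password_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


def authenticate(seed: bytes, stored_hash: bytes, password: str, code: str, now: int) -> bool:
    """Both factors must pass. If the seed is known to an attacker, only the password
    check still stands between them and a successful login."""
    pw_ok = hmac.compare_digest(password_hash(password), stored_hash)
    return pw_ok and code_matches(seed, code, now)


if __name__ == "__main__":
    stored = password_hash("correct horse battery staple")
    now = 59
    code = totp(SEED, now)            # what the token displays this step
    print(authenticate(SEED, stored, "correct horse battery staple", code, now))  # True
    print(authenticate(SEED, stored, "password1", code, now))                    # False
```

Anyone holding a copy of SEED produces the same code the token shows, which is why RSA must replace tokens (new seeds) rather than patch software, and why the password's strength decides the outcome in the meantime.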

Do you have a strong password?