Adobe was hacked, credit card and other data of est. 2.9 million customers accessed

As reported by various media outlets, Adobe said earlier this week that its source code had been accessed. This was followed on Thursday by a statement that customer information, including names, encrypted credit/debit card numbers, expiration dates and “other information relating to customer orders,” may have been accessed.

The firm was first made aware of the breach when journalist Brian Krebs and researcher Alex Holden, CISO of Hold Security LLC, encountered a large file of source code on a server used by cybercriminals who were believed to have hacked their way into the databases of data aggregators, including LexisNexis, Kroll Background America (now part of HireRight, managed by Altegrity), and Dun & Bradstreet. The crime group, known as the SSNDOB gang, systematically stole personal data from them and then funneled it to hard-core identity thieves, as detailed in Krebs’ coverage on his blog.

Upon Krebs’ notification, Adobe told him that they believe the access occurred in mid-August and that it has been under investigation since Sep 17th.

As a preventative measure, the company has reset the passwords of all those customers whose accounts are believed to have been accessed. According to Adobe, US customers whose information was compromised will be offered the option to enroll in a 1-year complimentary credit monitoring membership, where available.

While the compromised customer data will not affect users of Adobe’s free products and plugins, such as Adobe Reader, Adobe Flash Player, Adobe AIR and Adobe Shockwave Player, it is of concern to, for example, many of the company’s Revel and Creative Cloud account users, who by now presumably have been notified via email that they need to reset their passwords. In addition, Adobe will be sending notification letters over the course of the next 2 weeks to customers whose accounts were breached.

What is somewhat worrisome but not surprising is that Adobe did not bother to alert its customers of this breach until the aforementioned exposé by krebsonsecurity.com. As USA Today points out, this is despite the fact that “all but four states have enacted data loss disclosure laws which were modeled after the pioneering California statute that was the first to require companies to notify customers, should any personal data held by the business turn up lost or stolen.” According to datalossdb.org, only Alabama, Kentucky, New Mexico and South Dakota do not have data loss disclosure laws.

Several information security specialists expect an increase in attacks geared against previously unknown vulnerabilities in numerous Adobe products, now that their source code may be available to potential perpetrators.

For assistance in ensuring that your computer(s) are properly protected, and for help in reviewing and updating your current information security policies and procedures, contact us today.


FCC investigates Google Street View data gathering

The Electronic Privacy Information Center (EPIC), which had asked the U.S. Federal Communications Commission (FCC) earlier this year to launch a probe into this, welcomed that Google is under investigation by the FCC to determine whether it violated federal eavesdropping laws by inadvertently harvesting data from unencrypted wireless networks while it was gathering images for its Street View service.

In a May 18, 2010 letter to the commission, EPIC’s executive director, Marc Rotenberg, expressed concern that Google’s actions may have violated the federal Wiretap Act as well as Section 705 of the Communications Act, which forbids the interception of radio communications without authorization.

Time will have to tell whether this investigation will result in more than a mere slap on the wrist for Google, which is what the Federal Trade Commission (FTC) was ultimately satisfied with when it required Google to promise to delete the data it had collected and to improve its privacy training.

For capturing location information of wireless networks, no matter whether they are encrypted or not, it would have been sufficient to simply record the SSID (service set identifier). Given the massive difference in storage requirements between an SSID of up to 32 bytes in length and a multitude of payload data that may include user names and passwords transmitted while the Google Street View car was within reach of any given wireless network, it stands to reason that this should have raised an internal red flag sooner rather than later.

For assistance in reviewing and updating your current privacy policies and procedures, contact us today.


How to manage privacy on Facebook

I originally started out using Xing (formerly OpenBC) and LinkedIn for social networking and only recently added Facebook into the mix. Initially I thought Facebook, just like MySpace, would be geared mostly towards personal contacts rather than professional networking, but as it turns out the same number, if not more, of my professional contacts are maintaining a presence at Facebook, several of them not even listed at either one of the two more business-oriented sites mentioned above.

Just today a colleague of mine skyped me to let me know that she’d take me off her friends at Facebook in an effort to keep personal and professional networking separate, since she did not want too many friends of friends knowing about the mundane things in her life. While we were tossing privacy concerns back and forth, she then came upon two links providing helpful information on how to obtain more granular control over your privacy at Facebook than is afforded with the rather limited number of default options available.

http://nextsteph.com/stephblog/networking/social-networking/keep-your-personal-and-professional-life-separate-on-facebook.shtml

http://nextsteph.com/stephblog/networking/social-networking/privacy-in-facebook.shtml

Now, if only I could convince Facebook to retain the friends list assignments I am making, instead of forgetting them within minutes without any rhyme or reason as to which users it keeps them for and which not …


Yahoo’s Web Beacons

As most of you likely are aware, a lot of websites are using cookies not only for your convenience but also for tracking purposes. Yahoo has gone a step further by adding so-called web beacons into the mix, which also track your browsing habits at other sites and lead to targeted advertising (in addition to the apparent profiling).

At least there is an opt-out link more or less hidden on their website:

http://info.yahoo.com/privacy/us/yahoo/webbeacons/

(This page describes their use of web beacons and features an opt-out link on the left side of the page.)

If you happen to use the Adblock Plus add-on for Firefox, as I do, you will have to define an exemption in order for the opt-out to work since Yahoo! uses a cookie for opting you out. Quite obviously a cookie-based opt-out also means that you will have to do this on every computer and every account you are using.


Online database tracks sanctioned teachers

While teacher misconduct is the exception to the rule, a new Florida state website, MyFloridaTeacher.com, which will be available before the next school year, already contains approx. 1200 cases, indicating it may be happening more often than parents think, according to an April 27, 2008 article in the St. Petersburg Times.


“Little Pac-Mans that break down molecular bonds”

In an April 27, 2008 story, The New York Times reported that Fort Bragg, California, is considering the use of mushrooms to break down dioxin in its contaminated coastline’s soil, based on a recommendation by Paul E. Stamets, author of “Mycelium Running: How Mushrooms Can Help Save the World“, who pointed out that at least two dioxin-degrading species of mushroom indigenous to the Northern California coast could work, the turkey tail and oyster mushrooms.


A starting point for finding out more about potential web hosters

To find out how your current web hosting company is doing, enter their domain name in the search box at http://www.webhosting.info/webhosts/search/.

OLM.NET, a company I used many years ago, but eventually left because of quality of service issues, right now fares like this:

From there, I moved on to OneOnOneInternet.com, who provided pretty good service to me until they were bought out by a larger competitor, which eventually resulted in major quality of service issues:

As a result, I switched my sites to 1&1 Internet:

WildWestDomains.com, an affiliate of Internet powerhouse GoDaddy, was another provider I had considered switching to when it was time to part ways with OneOnOneInternet.com:

While the above graphs are mere snapshots of a five-week period, they can serve as an early warning sign in case something is up at the hosting company.


Smart Ways to Save

From the 19 January 2003 issue of Parade Magazine:

  • DO have an emergency account big enough to cover your core expenses for three months.
  • DON’T buy in response to unsolicited sales pitches. “You might not go to a store to get a new down jacket, but it looks compelling on your computer screen with an offer of free shipping,” says financial adviser Deena Katz.
  • DO use your own bank’s ATMs. Paying an extra $1.50 a day for using a “foreign” ATM adds up to more than $500 a year.
  • DON’T put off paying your credit-card bills! In 200, late fees accounted for almost one-third of credit-card issuers’ profits.
  • DO save for retirement through automatic payroll deductions — and add half of every raise and bonus to your savings. It’s almost painless.
  • DON’T make impulse purchases. “Wait a day or two,” says J. Jay Hurford, a financial planner. “If it still seems important, then buy it.”
  • DO opt out of unsolicited preapproved credit offers by calling the Credit Reporting Industry (+1-888-567-8688). “The more credit people have, the more they’re tempted to use it,” says Hurford.

10 year anniversary of the paper-alternative to the aluminum soda can

This year marks the 10th anniversary of the invention of a carbonated soft drink can made of paper. British scientist Richard Freeman and his colleagues at Scientific Generics in Cambridge used four thin layers of cardboard with seams rotated by at least 90 degrees out of phase.

This was reported by CNN on 19 August 1998.

Does anybody have an update as to its success (or lack thereof) in other countries?


Be careful what you eat and drink from after having run the container through the dishwasher

In an article called “Hazards of Hydration”, Sierra Magazine in its November/December 2003 issue discussed surprising results from a 1998 animal study by geneticist Dr. Patricia Hunt at Case Western Reserve University in Cleveland.

Apparently aggressive cleaners, such as those used in dishwashers, are capable of releasing bisphenol-A (BPA), a chemical that mimics estrogen, from polycarbonate plastic bottles and containers. Typically these are labeled #7 on the bottom; Nalgene is one of the best-known producers.

The article points out “that endocrine disrupters like BPA can impair the reproductive organs … reduce sperm counts … and bring about changes in tissue that resemble early-stage breast cancer, among other effects.”

Hunt explains that “the [plastics] industry says this is just rodent studies, but we know that the human egg is more fragile than the mouse egg. If we wait for really hard evidence in humans, it will be too late.”

Safe alternatives, according to Hunt, are polypropylene (#5 PP), high density polyethylene (#2 HDPE) and low density polyethylene (#4 LDPE). Reusing “single use” plastic bottles and containers made of polyethylene terephthalate (#1 PET or PETE) is discouraged.

On the other hand, switching to glass or lightweight stainless steel containers would avoid plastics altogether.

To find out more about endocrine disrupters, take a look at “Our Stolen Future: Are We Threatening Our Fertility, Intelligence, and Survival? — A Scientific Detective Story” by Theo Colborn, Dianne Dumanoski and John Peter Meyers:
