Saturday, April 02, 2011

Another third party (Cloud Computing?) breach. I wonder if companies using such “outsourced services” gain any reduction in liability?

Kroger customer data stolen from Epsilon (updated)

April 1, 2011 by admin

Yet another email service provider has been compromised for customer names and email addresses.

Kroger Co. is letting customers know about a breach of a database holding its customers’ names and email addresses.

The breach occurred at Epsilon, a national third-party email fulfillment company headquartered in Dallas.


In the email Kroger sent to customers, the nation’s largest traditional grocer assured them the only information that was obtained was customers’ names and email addresses. Also, it relays the message that Kroger would never ask a customer to email personal information such as credit card numbers or Social Security numbers.

Read more in Business Courier .

No statement appears on Kroger’s web site at the time of this posting, but a brief notice on Epsilon’s web site says:

On March 30th, an incident was detected where a subset of Epsilon clients’ [More than one, less than all? Bob] customer data were exposed by an unauthorized entry into Epsilon’s email system. The information that was obtained was limited to email addresses and/or customer names only. A rigorous assessment determined that no other personal identifiable information associated with those names was at risk. A full investigation is currently underway.

Update: A reader kindly sent me a copy of the email Kroger sent to customers:

From: Kroger
Sent: Fri, April 1, 2011 4:16:23 PM
Subject: Important Information from the Kroger Family of Stores

To ensure receipt of your Kroger emails, please add to your address book.

If you are having trouble viewing this email, please click here ([redacted to protect reader's name] ).


Kroger wants you to know that the data base with our customers’ names and email addresses has been breached by someone outside of the company. This data base contains the names and email addresses of customers who voluntarily provided their names and email addresses to Kroger. We want to assure you that the only information that was obtained was your name and email address. As a result, it is possible you may receive some spam email messages. We apologize for any inconvenience.

Kroger wants to remind you not to open emails from senders you do not know. Also, Kroger would never ask you to email personal information such as credit card numbers or social security numbers. If you receive such a request, it did not come from Kroger and should be deleted.

If you have concerns, you are welcome to call Kroger’s customer service center at 1-800-Krogers (1-800-576-4377).


The Kroger Family of Stores

If you wish to create or edit your online Kroger profile, please click here
([redacted to protect reader's name]).

The Kroger Co.
1014 Vine Street
Cincinnati, OH 45202


Epsilon breach also affects JPMorgan Chase customers

April 1, 2011 by admin

The Epsilon hack reported earlier as affecting Kroger customers also affected JPMorgan Chase customers. From the financial firm’s web site, this press release:

JPMorgan Chase (NYSE: JPM) Chase announced today that we were informed by Epsilon, a marketing vendor we use to send e-mails, that an unauthorized person outside their company accessed files that included e-mail addresses of some Chase customers. We are advised by Epsilon that the files that were accessed did not include any customer financial information, but are actively investigating to confirm this. As always, we are advising our customers of everything we know as we know it.

Chase will never ask customers for personal information or credentials in an email.

Information for Chase customers is available on

They have your credit card and all they do is buy music?

Hackers compromising some iTunes accounts

April 1, 2011 by admin

Matt Liebowitz reports:

Hacked accounts and fraudulent purchases are leaving iTunes users singing a sad song — again.

Crafty computer criminals are compromising users’ iTunes accounts and purchasing hundreds of dollars worth of music, apps, gift cards, ringtones and games, the security firm Kaspersky Lab reported.

The hacks, discussed in detail in an Apple Discussions blog and an “iTunes Account Hacked!” Facebook page, all share similar characteristics: The assailants gain access to the victims’ credit card information, modify the billing address and use the stolen info to make the fraudulent purchases.

Read more on MSNBC.

Even Security firms are not immune...

RSA Says SecurID Hack Based On Phishing With Flash 0-Day

"RSA confirmed on Friday that the attack that compromised the company's high-value SecurID product was essentially a small, targeted phishing campaign that included a payload of a malicious Flash object embedded in an Excel file."

Is the RIAA crazy? Is Amazon 'crazy like a fox?'

Amazon’s Cloud Player Tests The Limits Of The Record Labels’ Patience

Amazon may have introduced its digital locker music service, the Cloud Player, before similar services from rivals Google and Apple (that are widely believed to be launching this year), but that doesn’t mean it will be an easy existence. Not long after the company published a note on its Web site inviting users to give Cloud Player a try did one of the major record labels offer a warning. “We are disappointed that the locker service that Amazon is proposing is unlicensed by Sony Music,” a Sony spokesman said. [Why would Amazon need a license from Sony for me to store my music on their servers? Bob]

… The idea of streaming music isn’t new. Services like Spotify in Europe and Rdio in the U.S. have long given users the ability to stream music using a variety of desktop and mobile applications. The key difference between these services and the Amazon Cloud Player is that Amazon’s allows you to upload your own music to its servers (“the cloud”), and then access those as you see fit.

… Sony Music has been the most vocal opponent thus far. It told Reuters that it didn’t think its licensing agreement with Amazon would permit streaming music. (The record labels differentiate between giving users the ability to download a song once versus being able to call upon that same song as you see fit. Think you own a song when you download it from iTunes? Think again, as you’ve only purchased a license to download the file once. Ownership of digital music is a thing of fiction.) More ominously for Amazon, it also said that it was “keeping its legal options open.” But what type of problems could Amazon run into?

Julie Samuels, a staff attorney at the Electronic Frontier Foundation, says that Amazon may model its defense on how Cablevision successful argued for its remote storage digital video recorder, or RS-DVR, in 2006TKTK.

(Related) Or, you could do it yourself...

DIY Cloud: Two Hard Drives That Let You Access Files Anywhere

Some other Cloud Computing tools for individuals...

4 Great Uses For Amazon’s S3 Web Services

Despite Amazon being most well known for their retail services, they actually also offer a host of web services for developers and home users that take advantage of Amazon’s experience and scalability with massive amounts of data warehousing.

[My pick: Storage

5GB free, then $0.15/GB per month (100GB = $15)

Backup Your Computer Files

The most obvious use is for cloud-backup of your important files. While I don’t suggest you spend the next 6 months uploading your entire 4TB video collection to S3, they do claim to achieve 99.999999999% file durability, which means anything you upload will most certainly not get destroyed. For critical files you couldn’t stand to lose, it is the most cost effective and secure way of ensuring you have a solid backup.

Ubiquitous surveillance. You might as well start subjecting them to 24/7 surveillance at birth... (It must be Okay, it's for the children!)

Evoz: Baby Monitoring 2.0 Comes Of Age

One of those unbearable things young parents need to purchase without further ado, is a baby monitoring system.

My wife and I already bought one, but while we were evaluating existing systems I couldn’t help but notice that even the more advanced ones on the market today seem little more than glorified walkie-talkies.

A couple of weeks ago, knowing that I would soon become a dad, Jyri Engestrom nudged me and said he had stumbled upon a fledgling company, Evoz, that set out to build a baby monitoring system for the always-connected generation, and that I should check it out.

… Imagine if you had an iPhone or iPod touch to spare, and that you’d simply install it in a charger in your young child’s room like you would any baby monitor.

Now imagine that an always-on application installed on the device would let you call in from anywhere in the world to hear how your baby is sleeping (or exactly how hard he or she is crying, or if you’re lucky, laughing or playing). Imagine that you could also opt to receive ‘quiet’ alerts by SMS or email whenever your kid cries for longer than, say, 5 minutes, so you can give the babysitter a quick call to see what’s up after e.g. a meeting or dinner.

Imagine that the app also automatically collects data on the sleeping and crying behavior of your child, and that you could analyze that data to see if he or she matches the behavior of children of the same age. And that you could just as easily get in touch with a network of baby health experts or sleep consultants if you have any questions or concerns.

Evoz lets you do all that, and more. The company isn’t quite ready to launch yet, but intends to roll out its service more broadly in the next few months.

Video for my Computer Security students.

How to Remove Keyloggers


Personal Digital Disasters
