Sunday, July 19, 2015

One of the hazards outsourcing vendors face: a breach of one client can panic all of your clients. If there have been multiple breaches (possible if you didn't compartmentalize your data), the costs may prove fatal.
And then there were more. Like Walmart Canada and CVS before it, Costco also suspended its photo center in the wake of a breach of third-party vendor PNI Digital Media:
PNI removed a list of its clients after Brian Krebs reported on the list, but Brian notes that other clients are also posting notices: posted that it is “down for maintenance” and Rite Aid’s photo service posted a notice concerning the breach.
Sam’s Club has also posted a notice:
The privacy and the security of our members’ data is of the utmost importance. In an abundance of caution and as a result of recent reports suggesting a potential security compromise of the third-party vendor that hosts Sam’s Photo website, we are temporarily suspending access to the site. At this time, we do not believe customer credit card data has been put at risk. This decision does not affect any other Sam’s website or our in-club operations, including in-club photo centers.
Other clients of PNI Digital include “Samsung, ASDA (Wal-Mart UK), Hallmark UK, Blacks Photo, Loblaws, Fujifilm, Kodak, Fred Meyer, Marks & Spencer and more.”

I wonder how rapidly and aggressively law enforcement will pursue these hackers? On the other hand, if that database happens to fall into their hands...
From, a site that describes itself as a “directory listing of independent escorts, exotic dancers, strippers, adult entertainers, masseuse and escort agencies,” here’s part of their Terms & Conditions:
Secure technology is used to ensure your sensitive information is secure and protected from unauthorised access or improper use.
Your personal password is confidential and is encrypted to ensure its secrecy.
So why is there a data dump by @ElSurveillance of an alleged hack that shows 2,500 users’ email addresses with clear-text passwords? sent an inquiry to last night to ask them to confirm or deny the data is from their database, and why, if it is their data, the passwords are in clear text. No response has been received as of this post, but this post will be updated if one is received.
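The gap between a site's “your password is encrypted” claim and a dump of clear-text passwords is something a defender can check for directly in the credential store. The Python below is an added example, not code from the post or from any site named in it: it stores passwords as salted PBKDF2 records, verifies them without ever storing the password itself, and audits a constructed credential table for rows that are not in that format. The record layout, work factors and sample rows are all my assumptions.

```python
import base64, hashlib, hmac, os, re

# Assumed parameters for this illustration; not taken from any site on the page.
ALGO = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 200_000
MIN_ITERATIONS = 100_000
RECORD_RE = re.compile(r"^pbkdf2_sha256\$(\d+)\$[A-Za-z0-9+/=]+\$[A-Za-z0-9+/=]+$")

def hash_password(password, salt=None, iterations=DEFAULT_ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256, stored as algo$iterations$salt_b64$hash_b64."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGO, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])

def verify_password(password, record):
    """Recompute from the stored salt and compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGO or not parts[1].isdigit():
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             base64.b64decode(parts[2]), int(parts[1]))
    return hmac.compare_digest(dk, base64.b64decode(parts[3]))

def audit_credential_store(rows):
    """Flag rows whose stored value is not a well-formed record (a clear-text
    password fails this check) or uses too low a work factor."""
    findings = []
    for email, stored in rows:
        m = RECORD_RE.match(stored)
        if not m:
            findings.append((email, "not a hashed record; likely clear text"))
        elif int(m.group(1)) < MIN_ITERATIONS:
            findings.append((email, "work factor %s below minimum" % m.group(1)))
    return findings

# Constructed sample table (not real data): one clear-text row, one sound row,
# one row hashed with a weak work factor.
SAMPLE_ROWS = [
    ("alice@example.com", "Summer2015!"),
    ("bob@example.com", hash_password("Summer2015!", salt=b"0123456789abcdef")),
    ("carol@example.com", hash_password("letmein", salt=b"fedcba9876543210", iterations=1_000)),
]

if __name__ == "__main__":
    for email, reason in audit_credential_store(SAMPLE_ROWS):
        print(email, "->", reason)
```

Run against a real store, the audit reports only the rows that contradict the policy claim, so a result like the dump described above shows up as findings rather than as a surprise.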
MeetMeInYourCity is not the only escort-related site attacked by @ElSurveillance, whose profile says “An owl #Hacktivist – I aim to deliver a tiny message to the escort agencies, #EscortsOffline is their actual flag – I always use the front doors – #Dos.” See numerous instances of defacements on Zone-H. In the defacements, ElSurveillance leaves the following message:
Dear Admin and the clients
What such a great example you have given to the world
On how we can teach and raise our next generations
So they can live a much better life, Server and save our
Planet instead of just wasting their money and help
Spread the viruses just like every single stupid
Government in every single country do these days
Since you came all the way to here, They’re two things
That you can do while still viewing this page
1 – Turn on your volume and listen to the Qur’an & Just
Listening to your feelings instead of listening to the
Media and the stupid ISIS
2 – Have a look at your Logs which includes your IP
In the meantime, if you ever signed up for, you might want to change your password for that site and any other sites if you re-use passwords across sites.
Update: still has not responded to the notification and request for response, but @ElSurveillance provided the screencap below as proof of access to their server:

Here's a suggestion. Redesign the forms so private information is submitted on a document that is “Not for Public Inspection.”
IRS, nonprofits unwittingly leak 630K Social Security numbers
… More than 630,000 Social Security numbers — including tens of thousands of numbers of Pennsylvanians — have become public record inadvertently on tax-exempt Form 990 filings with the Internal Revenue Service since 2001,
… Federal law deems Form 990 documents public records — a transparency trade-off in exchange for nonprofits getting tax breaks, and a mechanism that helps ensure charities act in the public interest.
In its instructions for filling out 990s, the IRS warns, “Reminder: Do Not Include Social Security Numbers on Publicly Disclosed Forms.” The label “Open to Public Inspection” appears in the top right corner of the first page of each form. The IRS urges organizations to file 990s electronically to reduce security risks and to refrain from including unneeded personal information.

Now the virtual assistant built into your smartphone can tell you that the person across the breakfast table is mad at you – but not that it's because you pay more attention to your phone than to her.
Dawn Of The Emotionally Aware App, Possible Future ‘Emotion Chip’ To Herald Devices That Respond To Feelings
… with today's super-fast computers, and even mobile devices, we're now able to detect emotion with far greater granularity.
To see an example, we just have to turn to facial recognition expert Rana el Kaliouby. She gave a talk at TED last month to highlight just how accurate emotion-detection has become, and depending on your perspective, the result is either amazing, or downright scary.
… Through research with this software, a couple of interesting factoids are revealed. In the United States, women are 40% more likely to smile. In France, that number becomes 25%. In the UK? Interestingly enough, men and women there apparently smile just as often.

Another “backgrounder” for my IT Governance students.
Improving Program Management in the Federal Government
by Sabrina I. Pacifici on Jul 18, 2015
A White Paper by a Panel of the National Academy of Public Administration sponsored by the Project Management Institute, July 2015. Improving Program Management in the Federal Government. PANEL – Peter Marshall, Chair; Dan Chenok; Joseph Wholey.
