More than 3.5 million people's sexual preferences, fetishes and secrets have been exposed after dating site Adult FriendFinder was hacked.

Already, some of the adult website's customers are being identified by name.

Adult FriendFinder asks customers to detail their interests and, based on those criteria, matches people for sexual encounters. The site, which boasts 64 million members, claims to have "helped millions of people find traditional partners, swinger groups, threesomes, and a variety of other alternative partners."

The information Adult FriendFinder collects is extremely personal in nature. When signing up for an account, customers must enter their gender, which gender they're interested in hooking up with and what kind of sexual situations they desire. Suggestions AdultFriendfinder provides for the "tell others about yourself" field include, "I like my partners to tell me what to do in the bedroom," "I tend to be kinky" and "I'm willing to try some light bondage or blindfolds."

The hack, which took place in March, was first uncovered by independent IT security consultant Bev Robb on her blog Teksecurity a month ago. But Robb did not name the site that was hacked. It wasn't until this week, when England's Channel 4 News reported on the hack, that Adult FriendFinder was named as the victim.

Last Updated on Saturday, 23 May 2015 18:41

PCI/DSS 3.0 What's New?

Written by Administrator

Friday, 27 March 2015 01:58

By Chris Camejo, Director of Assessment Services, NTT Com Security

Version 3.0 of the PCI Data Security Standard (PCI DSS) goes into effect by the first of next year, and it probably doesn’t come as a surprise that merchants that process credit card payments are still confused about what the changes mean for them.

While most of the changes are simple clarifications of previous requirements, they could have a major impact on merchants as they touch on everything from the definition of scope and segmentation, to formally documenting responsibilities between merchants and service providers and controls for preventing tampering and skimming at the point-of-sale.

The scope definition has always been one of the thorniest issues within PCI compliance. Many merchants will say they are compliant simply because they ran a vulnerability scan on a handful of credit and debit card data systems. But performing an external vulnerability scan is just one sub-requirement out of over 200 in the PCI DSS.

Additionally, by only focusing on the systems that actually handle credit card data, you’re ignoring all of the other potentially vulnerable servers and workstations that share a network with the credit card processing systems, which should be included based on the way the scope is defined within PCI DSS.Â It’s not necessary for attackers to go directly after the systems that contain credit card data, especially because most companies have a “flat network” where only the Internet connection is guarded by a firewall and every server has the ability to communicate without going through a firewall or other filter.Â That means attackers just need to find the easiest way to breach the network perimeter, which helps explain why we see so many phishing attacks that trick a user into running malware that opens a backdoor into their device. The attacker can then use the compromised device to launch attacks on the credit card processing systems from behind the secured perimeter.

For this reason, PCI DSS compliance is required on systems including those that actually handle card data, all the unrelated systems that connect to the same network, and the systems that can affect their security (authentication servers, firewalls, web redirection servers, etc.). This has been clarified and made explicit in the scope section of 3.0 and may come as a shock to merchants that have only addressed compliance on the systems that directly handle card data.

Last Updated on Monday, 30 March 2015 01:59