Friday, October 4, 2013

Adobe hacked: information on 2.9 million customers compromised; company has known about breach since August

     Adobe is a firm AKSARBENT loves to hate and hopes it is majorly sued over this.
     No commercial software company of which we are aware makes its customers jump through more hoops to register its programs or makes transferring licenses more complicated or is more intrusive at requiring customers to surrender information about themselves.
     Evidently information about about 3,000,000 customers was taken from Adobe, including customer IDs, encrypted passwords, names, credit and debit card numbers, and other information.
     Obviously Adobe is far less careful with customer information as it is about preventing unauthorized use of its software.
     A couple years ago, AKSARBENT purchased a Premiere/Photoshop combo at Best Buy, only to discover that the number on the package wasn't really a serial number, just the beginning step of a scavenger hunt to access a real serial number based on the package number. Ugh.
     Said software shuts down direct uploads of videos to YouTube based on the length of the video, even though (in our case) YouTube long ago expanded our upload file size limit, allowing for videos that exceed Adobe's moronic, inflexible and outdated criteria, but the product, like John Boehner, offers no way out of the problem it created.
     Adobe stinks.

Update: KrebsOnSecurity reports that:
Adobe confirmed that the company believes that hackers accessed a source code repository sometime in mid-August 2013, after breaking into a portion of Adobe’s network that handled credit card transactions for customers.
     Krebs noted that it shared several screen shots of Adobe source code repositories with Adobe that it found on a server used by cyber criminals.
Adobe has now admitted that being confronted with outside knowledge of the breach “helped steer our investigation in a new direction.”
Yeah, we bet it did, but the story gets worse:
The revelations come just two days after KrebsOnSecurity published a story indicating that the same attackers apparently responsible for this breach were also involved in the intrusions into the networks of the National White Collar Crime Center (NW3C), a congressionally-funded non-profit organization that provides training, investigative support and research to agencies and entities involved in the prevention, investigation and prosecution of cybercrime. As noted in that story, the attackers appear to have initiated the intrusion into the NW3C using a set of attack tools that leveraged security vulnerabilities in Adobe’s ColdFusion Web application server.
     Adobe's ColdFusion security vulnerabilities were fixed "many months ago," but hey — why would the network of an agency aiding the prosecution of cybercrime bother to keep its application server software up to date to discourage cyber criminals from finding out what the feds were working on to arrest them?
     Expect yet another Acrobat reader security update.

No comments:

Post a Comment