In what sounds like a worst-case scenario, Adobe Corp. admitted on Thursday that a massive breach of its corporate network resulted in the theft of information on close to three million customers and source code for two widely-used products: Adobe Acrobat, Acrobat Publisher, Cold Fusion and “other” as-yet undisclosed products. The news came in a string of announcements late Thursday on Adobe’s corporate blog as well as the news site Krebsonsecurity.com. The revelation came after Brian Krebs, the reporter behind that site, and Alex Holden, the Chief Security Officer of Hold Security, discovered what is described as “a massive 40 GB source code trove stashed on a server used by the same cyber criminals believed to have hacked into major data aggregators earlier this year, including LexisNexis, Dun & Bradstreet and Kroll.” After being informed of the find, Adobe investigated and acknowledged the theft. In a blog post by Chief […]
application security
Health Exchanges Need A Fail Whale
In a blog post on Veracode’s blog today, I write about the problems encountered at government-run online health exchanges that were intended to connect millions to private insurance plans under the Affordable Care Act. The exchanges opened to the public on Tuesday, and they got off to a rocky start, with reports of web sites paralyzed as millions of uninsured Americans logged on to sign up for subsidized health insurance. In some cases, the problems appear to have been caused by “external factors.” New York State’s online health exchange was felled by the weight of more than 10 million requests of dubious origin, The New York Post reported. But other exchanges, including Healthcare.gov the federal government’s main health insurance storefront, which is used by residents or more than half of the states, were victims of their own success: overwhelmed when the doors swung open and millions of eager customers poured […]
Software Safety Should Be Treated Just Like Food Safety. Discuss.
It’s easy to agree with statements like “the food we buy in supermarkets should be safe to eat.” After all, who wants go to bat for shoddy growers pushing contaminated lettuce, or distributors sending out botulinum-laced fish and meats? But what about software safety? Suffice it to say that if people ate software applications instead of, say, cinnamon rolls, they’d be dropping like flies. That’s because the code that powers those applications is often riddled with potentially dangerous insecurities. Unlike the food industry, however, there have been only fitful efforts by government and industry to address what everyone recognizes is a widespread problem. I’ve written elsewhere about the relative lack of a “safety culture” in the software industry compared with industries like civil aviation or even food. (Remember: most of the food recalls and alerts that are issued today are voluntary.) But there’s also a decades-long track record of the government taking […]
FDA Will Regulate Some Apps As Medical Devices
In an important move, the U.S. Food And Drug Administration (FDA) has released final guidance to mobile application developers that are creating medical applications to run on devices like the iPhone and Android mobile devices. Some applications, it said, will be treated with the same scrutiny as traditional medical devices.* The statement is the final word from the FDA on the approach it will take when enforcing federal regulations regarding the safety of medical devices to the large and fast-growing category of medical applications. The agency said on Monday that, while it doesn’t see the need to vet “the majority of mobile apps,” because they pose “minimal risk to consumers,” it will exercise oversight of mobile medical applications that are accessories to regulated medical devices, or that transform a mobile device into a regulated medical device. In those cases, the FDA said that mobile applications will be assessed “using the same […]
Podcast: Securing The Internet of Things
One of the most vexing problems created by the fast-evolving Internet of Things is how to secure the massive trove of data that is transmitted and then stored by smart devices such as automobiles, consumer and household electronics and personal devices. As we’ve seen, private sector firms have been aggressive in leveraging new technology to connect their products to the Internet. But less thought has been given to the security and privacy implications of doing so. Now people are starting to take notice. In recent weeks, the FTC settled a case with a California firm, TRENDNet over balky home surveillance cameras they sold – cameras that were discovered to be easily discoverable and hackable from the public Internet. But, with so many cooks in the IoT kitchen (so to speak), where does responsibility for securing technology lie? Recently, I chatted with an expert on security and the Internet of Things. […]
