So much for cloud security. Basically everything you have given Adobe is out in the wild. Adobe is offering credit monitoring..that’s a joke. If you have given a credit card to Adobe..cancel it immediately. Also if you have used a password on Adobe’s site you’ll need to change that password on EVERY OTHER SITE you have an account on. Once again a major company has had its systems taken over by somebody else and everything in those systems is compromised(there’s tons of linked stories..read those too):
Read the linked article. Adobe is trying to play this down but the source code for their popular web server, Coldfusion< is now in the hands of miscreants. It is also unclear if these folks didn’t make some code changes to Adobe’s codebase that may not ever be detected.
Karl Denniger has an excellent take on it:
The exact scope of this is not clear at all (no thanks to Adobe, which may not even know) but this is not good. And what’s even prettier is that if they got into the systems and started “rooting around” it appears they may have been able to commit changes to Adobe’s software.
Software that is then pushed out to people all over the web.
And not just any software either. ColdFusion (used all over the place for various web pages) and even worse, Acrobat, which is used to produce PDF documents,including those in senstive applications such as government, health care and more.
The company also said that allegedly-encrypted credit card numbers were grabbed, probably for people who are subscribers to Adobe’s “Cloud Services” — Creative Cloud.
The latter is very problematic. See, the systems in question have to be able to decrypt the credit cards to use them, which means the key(s) necessary to do so are also on the network somewhere.
There are two problems that come up immediately: (1) the hackers may have stolen the key as well, whether they know they have it (yet) or not and (2) they can now perform an offline attack on the credit card database and since credit card numbers both have a format that is known and a checksum that has to be good for the card number to be valid it is not difficult to know if you have the correct key to break the encryption. When you have an entire database full of credit card numbers it suddenly becomes very worthwhile to investigate whether the clown-car brigade that let you at the database also used crappy (and therefore breakable) encryption.
The obvious (and unanswered by Adobe) question is how did they get in? If in fact they broke in using flaws in the very products they now allegedly accessed…
Software hackers and break-ins are a fact of life. One of the problems that arises from this fact of life is the more trust you place in such institutions and software companies the more at-risk you are.
Still think it’s a great idea to give the government all this health-related (and financially-related) data eh? Still think it will all be ok?
Second, this throws a whole bucket of cold water over the entire “cloud everything” model, which Adobe is desperately trying to force everyone into, as is Microsoft (with Office365.) This sucks folks, as you are trusting not only payment information but also all your data to that cloud provider and if they blow it your data gets stolen.