Wearables Authors: Pat Romanski, Liz McMillan, Elizabeth White, Yeshim Deniz, Zakia Bouachraoui

Blog Feed Post

Adobe is the New Microsoft: Maintaining Multi-Platform Security in 2012

Adobe is the New Microsoft: Maintaining Multi-Platform Security in 2012
By: Bill Mathews

I distinctly remember writing an article for a local journal back in the 90’s. In it, I discussed Microsoft’s special responsibilities concerning software security. If I recall correctly, my point was that since they were the dominant player in the operating system space, they had a duty to make their ecosystem resilient to attacks and compromise. Look, no company is ever going to be perfect at it, but some handle it a lot better than others. Fast-forwarding roughly 13 years after that article and Microsoft has gotten quite a bit better. Not necessarily for locking down their ecosystem, but for making it more resilient. Maybe even more importantly, for having an efficient response plan in place when bad things do happen. Are they perfect? Of course not! But they’re putting in the effort and it is showing some considerable gains.

Enter Adobe. I could fill a book with all the severe Adobe vulnerabilities that have valid exploits out there. And yet they simply don’t seem to take it all that seriously. More recently, their code signing infrastructure was compromised. If you’re unfamiliar, it’s basically the stuff that makes your computer trust Adobe’s software. They’ve found some pretty nasty utilities out there signed by their valid keys. Now nevermind that they’re blaming a build server compromise for this (which strains credulity) – nevermind that they claim they’ve now revoked all the keys involved – how does something like this happen and go undetected until active attacks start occurring?

The answer, sadly, is a simplistic one. They simply don’t take the security of their software, or apparently infrastructure, seriously. Code signing is a really important thing these days (Do I think it’s useful? Let’s save that for another post.) So why can, even a compromised build server, just randomly sign some piece of code not actually found in your ecosystem without detection? Simple: You weren’t paying attention to it. All systems can be compromised, the trick is knowing when it happens (monitoring) and dealing with the aftermath (response). Knowing about it and responding to it after it’s out in the wild is probably too late.

You might ask why I’m comparing Microsoft of the 90’s to Adobe of today, a fair question. Adobe has the same special responsibility today that Microsoft had (and still has) and one that Apple needs to wake up to in the mobile space. When you are ubiquitous and on pretty much every device, as Adobe is, you have a duty to your customers and yourself to focus on security and pay attention to those little details. It is no coincidence that once Microsoft started really paying attention to security that their code started getting a bit better and a little more stable. One man’s random crashing is another man’s buffer overflow waiting to happen.

Read the original blog entry...

More Stories By Hurricane Labs

Christina O’Neill has been working in the information security field for 3 years. She is a board member for the Northern Ohio InfraGard Members Alliance and a committee member for the Information Security Summit, a conference held once a year for information security and physical security professionals.

IoT & Smart Cities Stories
SYS-CON Events announced today that DatacenterDynamics has been named “Media Sponsor” of SYS-CON's 18th International Cloud Expo, which will take place on June 7–9, 2016, at the Javits Center in New York City, NY. DatacenterDynamics is a brand of DCD Group, a global B2B media and publishing company that develops products to help senior professionals in the world's most ICT dependent organizations make risk-based infrastructure and capacity decisions.
A valuable conference experience generates new contacts, sales leads, potential strategic partners and potential investors; helps gather competitive intelligence and even provides inspiration for new products and services. Conference Guru works with conference organizers to pass great deals to great conferences, helping you discover new conferences and increase your return on investment.
DXWorldEXPO LLC announced today that ICOHOLDER named "Media Sponsor" of Miami Blockchain Event by FinTechEXPO. ICOHOLDER gives detailed information and help the community to invest in the trusty projects. Miami Blockchain Event by FinTechEXPO has opened its Call for Papers. The two-day event will present 20 top Blockchain experts. All speaking inquiries which covers the following information can be submitted by email to [email protected] Miami Blockchain Event by FinTechEXPOalso offers sp...
Headquartered in Plainsboro, NJ, Synametrics Technologies has provided IT professionals and computer systems developers since 1997. Based on the success of their initial product offerings (WinSQL and DeltaCopy), the company continues to create and hone innovative products that help its customers get more from their computer applications, databases and infrastructure. To date, over one million users around the world have chosen Synametrics solutions to help power their accelerated business or per...
Poor data quality and analytics drive down business value. In fact, Gartner estimated that the average financial impact of poor data quality on organizations is $9.7 million per year. But bad data is much more than a cost center. By eroding trust in information, analytics and the business decisions based on these, it is a serious impediment to digital transformation.
@DevOpsSummit at Cloud Expo, taking place November 12-13 in New York City, NY, is co-located with 22nd international CloudEXPO | first international DXWorldEXPO and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is no time t...
When talking IoT we often focus on the devices, the sensors, the hardware itself. The new smart appliances, the new smart or self-driving cars (which are amalgamations of many ‘things'). When we are looking at the world of IoT, we should take a step back, look at the big picture. What value are these devices providing. IoT is not about the devices, its about the data consumed and generated. The devices are tools, mechanisms, conduits. This paper discusses the considerations when dealing with the...
SYS-CON Events announced today that IoT Global Network has been named “Media Sponsor” of SYS-CON's @ThingsExpo, which will take place on June 6–8, 2017, at the Javits Center in New York City, NY. The IoT Global Network is a platform where you can connect with industry experts and network across the IoT community to build the successful IoT business of the future.
IoT is rapidly becoming mainstream as more and more investments are made into the platforms and technology. As this movement continues to expand and gain momentum it creates a massive wall of noise that can be difficult to sift through. Unfortunately, this inevitably makes IoT less approachable for people to get started with and can hamper efforts to integrate this key technology into your own portfolio. There are so many connected products already in place today with many hundreds more on the h...
The best way to leverage your Cloud Expo presence as a sponsor and exhibitor is to plan your news announcements around our events. The press covering Cloud Expo and @ThingsExpo will have access to these releases and will amplify your news announcements. More than two dozen Cloud companies either set deals at our shows or have announced their mergers and acquisitions at Cloud Expo. Product announcements during our show provide your company with the most reach through our targeted audiences.