Security Watch

June Just Got 'Patchier'

Adobe inaugurates cyclical patching schedule; T-Mobile looks into hacks; most security pros favor data breach laws

Security and system administrators in the enterprise space definitely have their work cut out for them this week.

To say nothing of the mammoth patch slate from Microsoft, another big software vendor will roll out fixes every third patch Tuesday. Adobe Systems is taking a cue from Microsoft, and this Tuesday will mark the start of its regular patch release cycle.

For Adobe's first-ever formal patch slate this coming Tuesday, the updates will affect Adobe Reader and Acrobat versions 7.x, 8.x and 9.x for Windows and Mac OS X. The hotfixes have been deemed critical.

Although the patch rollout will be quarterly, Adobe has chosen to put out its fixes on the same second Tuesday of a given month in tandem with Redmond's release -- giving administrators an opportunity to test and install everything at once. Because hackers have recently probed Adobe files incessantly, many security pros are applauding the move.

"The (new) Adobe program of providing a predictable patch cycle will be very helpful to the IT admin community," said Wolfgang Kandek, CTO of Qualys, via e-mail. "It will raise the visibility of the Adobe patches both on the IT admin and IT management side and will increase the attention paid to these vulnerabilities."

T-Mobile Hacked?
In a sign that m-commerce is increasingly as vulnerable to hackers as the world of enterprise PCs and Macs, cellular telecommunications giant T-Mobile said Monday it was looking into a possible incursion on its servers after an anonymous note surfaced on the hacker and IT security portal and chat room site Full Disclosure.

It is not known whether this is a hoax, a shakedown or the real deal. Nonetheless, in the security list section of the Full Disclosure Web site, would-be hackers claiming a hack of T-Mobile's network said it has been "owned for some time. We have everything, their databases, confidential documents, scripts and programs from their servers, financial documents up to 2009."

The post included a list of what appears to be coding for different databases. So far, nothing has been confirmed. In a statement, T-Mobile said, "Regarding the recent claim, we are fully investigating the matter. As is our standard practice, if there is any evidence that customer information has been compromised, we would inform those affected as soon as possible."

Data Breach 'Laws' Would Improve Security: Survey
A survey from security services firm nCircle reports that both American and European security pros feel that enactment of specific data breach legislation would help the cause of enterprise security as it relates to personal data and also incentivize public and private sector collaboration.

At RSA's recent conference, about 56 percent of American security professionals favored some kind of uniform federal breach law. It turns out that IT pros in the Euro zone were even more gung ho about a wide, sweeping European Union-sanctioned data breach law. Of respondents attending the InfoSecurity Europe conference last month, 72 percent said yes to a data breach law.

"The idea of more stringent laws around data breaches is a major step in the right direction," said Tyler Reguly, senior security engineer for nCircle. "Without government regulation, many companies will never fully admit to breaches and related losses and harm."

Reguly added, though, that statutes alone wouldn't fully do the trick. He said "non-compliance" among enterprises not adhering to safety standards set by these potential laws "must be met with reasonable punishments, and this is unlikely if breaches are self-reported."

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.
