Saturday, July 4, 2015

Big Changes in Overtime Pay, Big Challenges for Companies | Corporate Counsel

This is a game-changer…

In a long-awaited announcement this week, the U.S. Department of Labor released new regulations requiring companies to give overtime pay to a whole new group of formerly exempt workers. Under these revisions to the Fair Labor Standards Act, it’s estimated that the rules will lead to time-and-a-half pay for all hours logged over the 40-hour workweek for nearly 5 million additional members of the U.S. workforce.

Thursday, July 2, 2015

Lax Network Administration: OPM hackers tapped the mother lode of espionage data | Ars Technica

Yet another lackadaisical network administrator has given ColdFusion a black eye.
 
According to many published articles (link below), the federal Office of Personnel Management (OPM) was running a ColdFusion-based application to manage the data that was stolen by hackers. They were able to obtain the records of 14 million people who work for, applied for or provided services to the US Federal Government.
 
That is 5% of the adult population of the US. One out of twenty people (to keep this massive breach in perspective).
 
The cracked system was operating an older version of ColdFusion, one which used the Adobe JRun engine.
 
Adobe stopped using JRun over eight years ago, moving to Apache Tomcat.
 
Eight years… Amy Winehouse won a Grammy, Barack Obama was running for president, and it was before Bernie Madoff was busted.
 
Yet the headline you will all see in computer security stories is how it is the fault of Adobe’s ColdFusion.
 
The story should not focus on the mark-up language of the application, but on the underlying platform.
The server itself was not kept up to date.
 
If it had been, the information of those fourteen million of our neighbors and fellow Americans would not have fallen into the hands of the CHINESE GOVERNMENT.
 
This information should be a wake-up call to those who have purview over server farms and have been given the responsibility to keep them up to date.
 
Software companies and those who are creating the applications can only do so much to provide secure code. The servers and the supporting infrastructure are just as important as data encryption and session management.
 
“EPIC” fail—how OPM hackers tapped the mother lode of espionage data | Ars Technica