The Adobe Breach: Initial Lessons

Now that we’ve had a little time to absorb the impact of the Adobe breach, there are a few lessons we can learn already. First, a link for those who have been living in a cave and don’t know what I mean: Krebs on Security has had great coverage.

What we know:

  • Adobe was breached via a vulnerable ColdFusion web application server exposed to the Internet. ColdFusion is an Adobe product.
  • The vulnerability had been publicly known, with a patch available, for months, and the server had not been patched.
  • 38 million users’ accounts were compromised.
  • Source code for Acrobat, Reader, ColdFusion and Photoshop was compromised.

Two Initial Lessons

User accounts are a huge target for attackers. Basically every big breach you read about includes breached user accounts. Even if there is no financial data in the account, a compromised username and password lets the bad guy start attacking the user’s other accounts, since it is quite common to use the same ID/password combination for most accounts: the attacker simply replays the stolen pairs against other sites, which is how a breach at a product site like Adobe turns into fraud at banks. If an email account can be compromised, breaking into financial accounts gets really easy, because the password resets for those accounts flow through that email. The first thing all users should do is use different passwords for email accounts, product sites like Adobe, and financial sites; better still, a unique password per site, which in practice means a password manager.
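What the replay of stolen credential pairs looks like from the defender’s side, as an added example that is not part of the original post: one source address walks through many different usernames in a short window, mostly failing, and the few successes are the users who reused their Adobe password. The log format, the thresholds and the log lines are all constructed for the example.

```python
"""Flag credential-stuffing sources in web login logs and list the accounts
whose reused passwords worked.

Added example, not from the original post. The log format is an assumption:
    <ISO-8601 timestamp> <source ip> <username> <success|fail>
Thresholds (window, distinct users, failure ratio) are illustrative.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). 198.51.100.7 replays a stolen
# list against many accounts; 203.0.113.5 is one user mistyping a password.
SAMPLE_LOG = """\
2013-10-04T10:00:01Z 198.51.100.7 alice@example.com fail
2013-10-04T10:00:02Z 198.51.100.7 bob@example.com fail
2013-10-04T10:00:02Z 198.51.100.7 carol@example.com success
2013-10-04T10:00:03Z 198.51.100.7 dave@example.com fail
2013-10-04T10:00:04Z 198.51.100.7 erin@example.com fail
2013-10-04T10:00:05Z 198.51.100.7 frank@example.com fail
2013-10-04T10:00:06Z 198.51.100.7 grace@example.com success
2013-10-04T10:00:07Z 198.51.100.7 heidi@example.com fail
2013-10-04T10:03:00Z 203.0.113.5 ivan@example.com fail
2013-10-04T10:03:10Z 203.0.113.5 ivan@example.com fail
2013-10-04T10:03:20Z 203.0.113.5 ivan@example.com success
"""


def parse(line):
    """Split one log line into (timestamp, ip, username, outcome)."""
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome


def find_stuffing(log_text, window=timedelta(minutes=5), min_users=5,
                  min_fail_ratio=0.5):
    """Return {ip: sorted usernames it touched} for every source IP that, within
    `window`, tried at least `min_users` distinct accounts with a failure ratio
    of at least `min_fail_ratio`. A single user fat-fingering one account never
    trips this, however many times they fail."""
    events = sorted(parse(ln) for ln in log_text.strip().splitlines())
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in events:
        by_ip[ip].append((ts, user, outcome))

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):            # sliding window over this IP
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {u for _, u, _ in chunk}
            fails = sum(1 for _, _, o in chunk if o == "fail")
            if len(users) >= min_users and fails / len(chunk) >= min_fail_ratio:
                flagged[ip] = sorted({u for _, u, _ in evs})
                break
    return flagged


def compromised_accounts(log_text, **thresholds):
    """Accounts that logged in successfully from a flagged IP: their reused
    password worked, so they need a forced reset, not just a warning email."""
    flagged = find_stuffing(log_text, **thresholds)
    return {user
            for _, ip, user, outcome in (parse(ln) for ln in log_text.strip().splitlines())
            if ip in flagged and outcome == "success"}


if __name__ == "__main__":
    for ip, users in find_stuffing(SAMPLE_LOG).items():
        print(f"stuffing source {ip}: {len(users)} accounts tried")
    print("reset required:", sorted(compromised_accounts(SAMPLE_LOG)))
```

The distinguishing signal is many distinct usernames per source, not many failures per username; a per-account lockout counter misses this attack entirely, because each account sees only one attempt.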

Organizations continue to be compromised, breached and exploited through vulnerabilities in their systems that are well known and published. Although the vulnerabilities are known and patches are available, companies are not patching their systems. Contrary to the belief that this is because companies don’t care about security, I will argue that patching everything has become essentially impossible. When a large organization runs a vulnerability scan of its systems, the result is a printout the size of the Manhattan phone book. There is no way, in the midst of every other priority, for IT teams to deal with all of those vulnerabilities, and they typically don’t know which ones are important or how to prioritize them: a scanner’s severity score says how bad a bug is in the abstract, not whether an attacker can actually reach the host that has it. The key lesson is that patching has to start by determining where and how the adversary will attack you (an Internet-facing server running software with a published exploit, as in Adobe’s case, belongs at the top of the list) and defending there first. That is something new and disruptive compared with trying to patch everything, all the time.
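One way to turn the phone-book-sized scan output into a short list, as an added example that is not the author’s own method: weight each finding by whether the adversary can reach it from the Internet and whether a working exploit is already public, then by what the host is worth, instead of sorting by the scanner’s score alone. The hosts, scores and weights are constructed for the example, and the weights are a starting point to tune, not a standard.

```python
"""Rank vulnerability-scan findings by likely adversary use rather than raw
severity score.

Added example, not from the original post. Hostnames, scores and weights are
constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    service: str
    cvss: float             # base severity as reported by the scanner (0-10)
    internet_exposed: bool  # reachable from outside the perimeter
    public_exploit: bool    # working exploit code is published
    patch_available: bool   # vendor fix exists
    asset_value: int        # 1 (lab box) .. 5 (customer data / crown jewels)


# Constructed sample scan output (hypothetical hosts). Note that db01 has the
# highest raw score but is neither reachable from outside nor has a public
# exploit, while web01 looks like the Adobe case: exposed, exploit public.
SAMPLE_FINDINGS = [
    Finding("web01", "coldfusion", 7.5, True, True, True, 4),
    Finding("db01", "database", 10.0, False, False, True, 5),
    Finding("lab17", "ssh", 9.8, False, True, True, 1),
    Finding("vpn01", "vpn", 6.5, True, False, True, 4),
    Finding("web02", "iis", 5.0, True, True, False, 3),
]


def attack_score(f: Finding) -> float:
    """Severity scaled by reachability, exploit availability and asset value.
    Multiplicative on purpose: an unreachable bug on a throwaway host should
    not outrank a reachable one on something that matters."""
    score = f.cvss / 10.0
    score *= 3.0 if f.internet_exposed else 1.0   # attacker's first hop
    score *= 2.0 if f.public_exploit else 1.0     # no exploit R&D needed
    score *= f.asset_value
    return round(score, 2)


def prioritize(findings):
    """Findings ordered most-likely-to-be-used first."""
    return sorted(findings, key=attack_score, reverse=True)


def patch_plan(findings, budget):
    """Split the ranked list into the first `budget` findings that patching can
    fix and the findings with no patch, which need a compensating control such
    as pulling the host off the Internet."""
    ranked = prioritize(findings)
    patch = [f for f in ranked if f.patch_available][:budget]
    mitigate = [f for f in ranked if not f.patch_available]
    return patch, mitigate


if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{attack_score(f):6.2f}  {f.host:6} {f.service:11} cvss={f.cvss}")
    patch, mitigate = patch_plan(SAMPLE_FINDINGS, budget=2)
    print("patch this cycle:", [f.host for f in patch])
    print("needs a compensating control:", [f.host for f in mitigate])
```

With these weights the exposed ColdFusion-style host ranks first and the unreachable CVSS 10 database drops to fourth, which is the point: the raw scanner ordering would have had IT patching the database while the server the attacker can actually touch waited.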

Finally, we know that much of Adobe’s source code has been compromised. This from a company that already has a bad track record of serious security flaws in its software. Now the bad guys have direct access to Adobe source and will be able to find previously undiscovered vulnerabilities by reading the code rather than by fuzzing the binaries, and exploits for bugs nobody else knows about are exactly what signature-based defenses will not catch. If at all possible, you should stop using software from Adobe right now; if you can’t, apply Adobe’s updates the moment they ship, because the gap between a new Reader or Flash exploit appearing and its patch is where the risk now lives.

*Update 10/31/13 – Welcome Instapundit readers …. take a look around. This blog is primarily about Information Security, which is my profession, but also has some interesting stuff on my chickens, cigars and backyard home offices. 🙂


About Eric Cowperthwaite

Nearly 30-year security professional, 11 years in the US Army, and another 18 in the civilian world. Worked for EDS for 9 years, then for Providence Health & Services as their CSO for 7 years. Now I work for CORE Security as their VP, Advanced Security & Strategy. This blog is not just about security, either physical or information. You can expect to read about cigars, my life, things I think are funny and much more. And I will rail about the FUD that so many security practitioners toss around on a regular basis. Plus, once in a great while, I might actually share a thought or two about security. Did I mention that I will probably blog about cigars? Just to be clear, nothing that I write here represents the position or opinion of my employer. Nothing I write here is proprietary or confidential to my employer. Everything I write here is my personal opinion.
This entry was posted in InfoSec, Risk Management, Security, Vulnerability Management. Bookmark the permalink.

20 Responses to The Adobe Breach: Initial Lessons

  1. Ken says:

    Ironically, and only on Instapundit, my fully updated Windows 7 machine is seeing pop-ups purporting to be Windows dialogue boxes telling me I need a Java update. This has been going on for at least 3 days. I suspect an ad server connecting to Reynolds’ site is carrying malware. AVG blocked a “java exploit” there, as well. I’ve been using Windows Task Manager to close these pop-ups.

    • Sigh, we get those pretty regularly. I’ll let the tech staff know. Ken, if you could manage to get a screen cap and email it to ask.charlie.martin AT gmail.com I’d appreciate it.

      • Ken says:

        Charlie, just sent a screenshot with a brief explanation that it differs from the original, but it’s definitely malware-driven. Yahoo sucks for email timeliness; I hope you have it by now though.

  2. That is funny …. I’ll let him know

  3. Closing Quote: “If at all possible, you should stop using software from Adobe right now.”

    How silly. No one is going to get into my Mac because I’m running InDesign and the books I lay out aren’t going to have a virus. I changed my Adobe password as soon as I heard about this breach, so that’s not a worry. My bank sends me an email with every transaction, so any trouble there will quickly appear.

    This breach is certainly bad for Adobe. But I’d be more impressed by all these cries of alarm if someone would point, after all these weeks, to someone whose credit card information has been exploited.

    • Arjuna says:

      Consider yourself impressed… my credit card information was exploited.

      • tom says:

        My American express card was on file for auto renewal at Adobe. It was used the next day after the Adobe breach from Tokyo to Chicago to NYC. AMEX told me they had a big flood of fraud after the Adobe breach. My card never left my wallet…

  4. Frank says:

    An additional observation re Instapundit: on several occasions I have had banner ad fields on his site filled with long strings of Chinese characters. No idea what they say, but may even be snarky denunciations of big-nosed running dog imperialist lackeys and their henchmen. Glen should be concerned.

  5. Koblog says:

    Heck, I’ve had *shudder* pro-Hillary Clinton banner ads displayed. I think it’s just automatic based on current topics dealt with on his site and your own search/shopping history.

  6. K. D. Johnson says:

    RE: Michael W. Perry

    My rabbi, a long time Adobe subscriber for several of their services, had his checking account emptied and his debit and credit cards used.

    It made a big impression on him.

  7. Ed Minchau says:

    Flash is an Adobe product, so not using Adobe means not viewing any videos on Youtube, Metacafe, Wimp… not playing any games on Zynga…you may as well be telling people not to use public roads. Ain’t gonna happen.

    Make sure your antivirus is up to date.

  8. Tom Daigon says:

    Thinking of signing up for the @adobe Creative Cloud? Some of these horror stories might change your mind. http://forums.adobe.com/community/creative_cloud

    Remember to change your passwords and check your bank account for the next several months to make sure the hackers that got all that sensitive data from Adobe don’t access your accounts.

    New Adobe Survey. If you are not happy with CC being the only choice, let them know. http://deploy.ztelligence.com/start/survey/survey_taking.jsp?PIN=16BNF7XXXKLNX

  9. Up-to-date anti-virus will not save you from what is coming if you insist on using Flash, Reader, Acrobat and Photoshop. The exploits that will be created will be based on vulnerabilities that are unknown to anyone outside of the bad guys who have stolen the Adobe source code.

    Side note, I have a personal friend whose credit card that was entered on the Adobe site for auto-renewal was used fraudulently before Adobe publicly notified of this breach.

    Another side note, I am a cybersecurity professional and have been for well over a decade. This is what I do professionally and live every day. I am currently the VP, Advanced Security & Strategy for Core Security, a company that specializes in penetration testing and determining how cyber criminals can attack and exploit enterprise networks.

    • Ed Minchau says:

      Ok, so is there an open source alternative to Flash, Reader etc? People aren’t going to stop using all those video sites or reading PDFs just like that.

      • Difficult, if at all possible. There are numerous free PDF readers and editors available. However, many materials available for download require Adobe Acrobat Reader or one of the premium Adobe Acrobat products (Standard or Pro). I believe Apple abandoned Flash a few years ago, but never having owned an Apple product I don’t know if they were successful in implementing a workaround for Flash sites.

        This is an Adobe failure of epic proportions!

      • There are alternatives to all of them. HTML5 implements video in the browser as well as Flash does. It’s up to the people running the website to rewrite it that way. A lot of sites did, specifically for iPhones and iPads. As for reading and authoring PDF files, there are plenty of alternatives out there. Here are three alternate choices: http://www.pcworld.com/article/2027961/ditch-the-pdf-headaches-three-safer-speedier-adobe-reader-alternatives.html.

        As far as authoring PDFs goes, or Photoshop, yes, there are plenty of alternatives there too. You can create PDFs directly within Word or Pages (Apple’s word processor), for example. Here’s a very good Photoshop alternative that is completely free and open source: http://www.gimp.org/

        Sadly, most people are going to be angry at Adobe about their credit cards, but more or less blissfully unaware of the much bigger problem that will be Adobe software for years to come.

  10. Pingback: Adobe Software Hacked | Chou Seh-fu Blog – Public

  11. Two weeks ago I received a letter from Adobe with a unique activation code for Experian’s ProtectMyID Alert membership, good for one year.

    Small consolation.

  12. X509v3 says:

    “There is no way, in the midst of every other priority out there, for the IT teams to deal with all of these vulnerabilities. They don’t even know which ones are important or how to prioritize the vulnerabilities.”

    The IT organizations are hamstrung at applying patches because most aren’t empowered enough or engaged with the lines of business to make these recommendations affecting availability. DevOps-oriented companies are also at an advantage because they have tighter feedback loops between developers, operations, and can typically build/test/deploy more quickly than traditionally separate engineer+IT shops.

    The security teams need to communicate with the lines of business directly and prioritize security findings like any other defect in the /product/ – patching vulnerabilities is not an infrastructure issue, it’s a business issue.

    • You know I agree with you and I disagree, all at the same time. Yes, DevOps orientation does a lot to solve the problem, No, most companies can’t accomplish that. Yes, agreed, most IT organizations are unable to navigate the lines of business. But, even when they are, they simply don’t have the resources, in most cases, to apply patches in a timely manner.

      Yes, security teams should communicate with the business directly and prioritize security findings, etc. However, that requires a very mature security team. And still, even if that is the case, it is unlikely that IT is mature enough and resourced well enough to deal with the problem.

      I firmly believe that both IT and Security teams need a new way to do this that does not involve trying to patch everything, all the time. It’s why I left Providence and went to a new organization. I’m putting my money where my mouth is to work on how to solve this problem.
