Reactions from the security community to the Adobe breach
Hackers have breached Adobe’s network and have made off with personal, account, and encrypted financial information of nearly 3 million Adobe customers, as well as the source code for Adobe Acrobat, ColdFusion, ColdFusion Builder and other Adobe products.
Below are comments on this breach that Help Net Security received from a variety of security professionals.
Dana Tamir, Director of Enterprise Security at Trusteer
The Adobe network breach may put organizations and users at significant risk. If the source code for Adobe Reader or Flash was stolen, it means that cyber-criminals now have the opportunity to search this code for new unknown vulnerabilities, and develop malicious code that exploits these vulnerabilities. So you can expect that we will soon have a stream of new, nasty 0-day exploits.
Zero-day exploits are used for executing drive-by downloads. They are very effective because security solutions that are designed to detect threats are not familiar with these new, never-seen-before threats; therefore, they do not block them. And no patch is available either. The attacker hides the zero-day exploit code within a PDF document or Flash object, creating weaponized content. Then a specially crafted spear-phishing email is used to deliver the weaponized document or object to the targeted user. When the user opens the attachment, the exploit code exploits the vulnerability to silently download malware on the user’s machine. The user isn’t aware that this download has happened. But this malware, often a Remote Access Trojan (RAT), enables the attacker to access sensitive data or even gain full control over the user’s machine.
In many cases, the targeted user is an employee within a targeted organization. By compromising the user’s machine, the attacker gains a foothold within the targeted organization’s network. From here, the attacker can progress the attack and breach the organization. Since Adobe products are so widely used, and because users are accustomed to receiving PDF attachments and Flash movies on a daily basis, exploitation of vulnerabilities in these applications is highly successful and therefore a popular way to compromise employee endpoints and enable APTs and targeted attacks.
Chris Petersen, CTO of LogRhythm
When it comes to the source code breach, the first risk Adobe is concerned with is that malicious code was inserted into product source code and then distributed to customers in a compiled form. The second risk is their source code being out in the open to would-be attackers. Having access to product source code can allow attackers to identify software vulnerabilities that have been undiscovered to date. Both risks could result in a treasure trove of zero-day exploits against Adobe software.
If indeed the source code stolen pertains to ColdFusion and Acrobat, this could leave thousands of web servers open to at-will compromise and make it easier to compromise end-user systems. This breach is a chilling reminder that all software companies should be on guard, as they too could be a stepping stone to other targets.
Troy Gill, Senior Security Analyst at AppRiver
These types of breaches are no longer a surprise and are occurring with far greater regularity than ever before. Although we don’t know exactly how the attackers got through Adobe’s security, it seems they had access to nearly all company data. For Adobe customers, this breach will have short-term and long-term impacts. There will be the initial damage as businesses and individuals try to limit their exposure because of the loss of personally identifiable information. Then there’s the loss of source code that will open the door to a number of new exploits that can be used to compromise Adobe customers going forward.
Customers should take this breach very seriously and take some immediate steps to protect themselves. For example, anyone who uses the same customer ID or password to access other accounts (email, banking, etc.) should change that information everywhere it is used. It is a good idea to go ahead and cancel the credit card associated with the account in the event that the encryption is broken and the card numbers are accessed. While the offer of “one year of free credit monitoring” at Adobe’s expense may seem like a too-little-too-late proposition, go ahead and take advantage of it. It is still a critical step to take to help mitigate personal financial damage.
According to initial reports, the attackers were also able to exfiltrate a great deal of source code for major Adobe products. This will almost certainly lead to an increase in malicious actors exploiting vulnerabilities in Adobe software to infect users’ systems with malware. Of course it will depend on what the attackers do with the information from here, but we have to assume they won’t be kind and drop it in the shredder.
Tim Keanini, CTO at Lancope
15 years ago, a company would get hacked and it seemed like the end of the world. The threat is so advanced today that every company has to prepare for a fitness level that Adobe is displaying at this moment. The timely and accurate detection of the incident and the craft of incident response across all departments are imperative to business continuity in this day and age, and while you may not like to hear this, you have no choice because of the advanced threat.
Paul Ayers, VP EMEA at Vormetric
It is good that Adobe protected their customer PII with encryption, which should protect credit card numbers. However, Adobe didn’t mention the protection of customer addresses, owned software licenses, email addresses and perhaps a lot of other useful targeting information for a hacker. This information could potentially be used for a very targeted spear phishing attack coming from “Adobe”, one that recommends a necessary software update is available to be downloaded with an email that seems very real because of all the accurate details it contains.
From the reports out so far and the information available, you could draw the conclusion that Adobe used encryption to meet compliance requirements but not to protect what matters. Obviously the rest of their customer information and certainly their source code significantly matters to them – yet they were unable to defend that data. Now, they have joined the ranks of Cisco and RSA which have lost valuable source code to a hacker.
We don’t know enough at this time to know if firewalling their data would have helped. However, what we do know is that controlling and limiting data access to only those who need it significantly reduces the risk surface. We also know that closing back doors to data access by controlling what privileged users can do significantly reduces the risk of hackers compromising these users in order to gain access to servers. Lastly, there is a good chance that this attack has been in the works for many months. If Adobe had had the appropriate security intelligence, there was a much better chance that we would never have read these reports about their breach.
Tom Davison, UK Technical Director at Check Point
Adobe has moved quickly following the breach, resetting user passwords and notifying customers. But users should be cautious about clicking on links in emails that they receive purporting to be from Adobe, no matter how authentic the emails appear to be. There’s a risk that the details compromised in the attack may be used to mount phishing attacks, to try and harvest more personal data.
As source code for Adobe products has also been illegally accessed in a separate attack, users should update to the latest versions of Adobe products to reduce risk. Our 2013 security report on 900 firms worldwide found that 75% were not using the latest software versions in popular software such as Acrobat, which can lead to security vulnerabilities.
Tom Cross, Director of Security Research at Lancope
The first question that corporate management teams usually ask when they hear about a major breach like this Adobe incident is “how do we prevent this from happening to our company.” I think that corporate leaders also need to consider how they are going to react when it inevitably does happen. Organizations of all kinds experience breaches.
What is your company’s incident response plan? Are you able to investigate incidents and determine their cause and impact? Do you have a plan for interacting with the public in the event of a breach? Many organisations are woefully unprepared, and that can exacerbate the pain and cost associated with an incident like this.