Adobe, one of the largest commercial software companies, has admitted to being breached. Attackers accessed customer data as well as the source code of undisclosed products, which may include Acrobat and Flash Player. If that source code was tampered with, or is mined for bugs, these products could expose millions of private and corporate users.
Dwayne Melancon of Tripwire has his theories about how the attackers had managed to gain access to one of the largest software companies in the world. He told us: "This breach is rumored to have been perpetrated by the same attackers that compromised LexisNexis and a number of other organizations, so they likely used the same techniques. That means the attackers planted a rogue executable on the targeted systems and used that to create a command & control channel back to the attackers. These breaches underscore the importance of continuously monitoring your systems for suspicious changes, verifying any unrecognized programs on your systems, and establishing strong foundational controls so you can tell 'good' from 'bad' in your production environment - and to prepare before something bad happens, rather than after the damage has already been done.
"Maintaining a good baseline of known, trusted, and secure system configurations and application binaries is essential in today's environments so you can quickly tell which systems, applications, and components you can trust."
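Melancon's advice about keeping a baseline of trusted binaries and verifying unrecognized programs is, in practice, file-integrity monitoring. The script below is an added example of the minimal version of that idea; it is not Tripwire's code or anything from the article. It records a SHA-256 digest and permission bits for every regular file under a root, stores that as the trusted baseline, and classifies a later scan into added, changed and removed files. The directory layout, file contents and the "rogue implant" are constructed for the demonstration.

```python
"""Added example: a minimal file-integrity baseline (not Tripwire's code).

Records a SHA-256 digest for every regular file under a root, then compares
a later scan against that baseline and reports what was added, changed or
removed.  The files and paths used in demo() are constructed for the demo.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 65536) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map each regular file (path relative to root) to its digest and mode."""
    root_path = Path(root)
    baseline = {}
    for path in sorted(root_path.rglob("*")):
        # Directories are implied by their contents; symlinks are skipped here
        # so a link pointing at a trusted file is not mistaken for that file.
        if path.is_symlink() or not path.is_file():
            continue
        rel = path.relative_to(root_path).as_posix()
        mode = path.stat().st_mode & 0o777
        baseline[rel] = {"sha256": sha256_file(path), "mode": oct(mode)}
    return baseline


def diff_baseline(trusted: dict, current: dict) -> dict:
    """Classify differences between the trusted baseline and a fresh scan."""
    added = sorted(set(current) - set(trusted))
    removed = sorted(set(trusted) - set(current))
    changed = sorted(
        p for p in set(trusted) & set(current) if trusted[p] != current[p]
    )
    return {"added": added, "removed": removed, "changed": changed}


def demo() -> dict:
    """Constructed scenario: a clean install, then a dropped binary, a
    patched binary and a deleted helper script."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = Path(root, "bin")
        bin_dir.mkdir()
        (bin_dir / "acrobat").write_bytes(b"\x7fELF trusted build")
        (bin_dir / "helper.sh").write_text("#!/bin/sh\necho ok\n")
        trusted = build_baseline(root)

        # The baseline is only useful if the attacker cannot rewrite it along
        # with the files: persist it off-host or sign it.  Here it is just
        # serialised to show the round trip.
        stored = json.dumps(trusted, sort_keys=True)

        # Simulate the rogue executable and the tampered binary.
        (bin_dir / "svchost").write_bytes(b"\x7fELF rogue implant")
        (bin_dir / "acrobat").write_bytes(b"\x7fELF trusted build + backdoor")
        (bin_dir / "helper.sh").unlink()

        current = build_baseline(root)
        return diff_baseline(json.loads(stored), current)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it and the report lists `bin/svchost` as added, `bin/acrobat` as changed and `bin/helper.sh` as removed. The two things that separate this toy from a usable control are the ones Melancon alludes to: the baseline must be taken from a known-good state (a fresh install, a signed release manifest), and it must be kept where the intruder cannot edit it, otherwise the rogue executable simply becomes part of the "trusted" set.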
Adobe detected the breach quickly and acted on the information immediately, which is the right course of action for limiting further damage and reducing the risk of exposure to its customers.
According to Tim Keanini of Lancope, this shows that even companies like Adobe are not immune. "15 years ago, a company would get hacked and it seemed like the end of the world. The threat is so advanced today that every company has to prepare for a fitness level that Adobe is displaying at this moment. The timely and accurate detection of the incident and the craft of incident response across all departments are imperative to business continuity in this day and age, and while you may not like to hear this, you have no choice because of the advanced threat."
That a breach will eventually happen is something we should all be prepared for, says Lancope's Tom Cross:
"The first question that corporate management teams usually ask when they hear about a major breach like this Adobe incident is 'how do we prevent this from happening to our company?' I think that corporate leaders also need to consider how they are going to react when it inevitably does happen. Organisations of all kinds experience breaches. What is your company's incident response plan? Are you able to investigate incidents and determine their cause and impact? Do you have a plan for interacting with the public in the event of a breach? Many organisations are woefully unprepared, and that can exacerbate the pain and cost associated with an incident like this."
The worry is not only further direct attacks by these perpetrators. According to Trusteer, because the attackers gained access to the source code of popular products, users of those products are themselves now at risk. Trusteer told us:
"If the source code for Adobe Reader or Flash was stolen, it means that cyber-criminals now have the opportunity to search this code for new unknown vulnerabilities, and develop malicious code that exploits these vulnerabilities. So you can expect that we will soon have a stream of new, nasty zero-day exploits. Zero-day exploits are notoriously difficult to defend against since they are unknown. Since Adobe products are widely used, and users are accustomed to receiving PDF attachments and watching Flash animations, exploitation of zero-day vulnerabilities in these applications is highly successful and therefore a favored way to compromise user endpoints." (Trusteer expands on this issue in "Adobe breach could compromise software code".)
This view is backed up by Chris Petersen of LogRhythm, who challenges Adobe's claim that there is no specific increased risk to consumers. Chris told us: “When it comes to the source code breach, the first risk Adobe is concerned with is that malicious code was inserted into product source code and then distributed to customers in a compiled form. The second risk is their source code being out in the open to would-be attackers. Having access to product source code can allow attackers to identify software vulnerabilities that have been undiscovered to date. Both risks could result in a treasure trove of zero-day exploits against Adobe software. If indeed the source code stolen pertains to ColdFusion and Acrobat, this could leave thousands of web servers open to at-will compromise and make it easier to compromise end-user systems. This breach is a chilling reminder that all software companies should be on guard, as they too could be a stepping stone to other targets.”
But what of the customer data that was lost, including names, passwords and encrypted credit card details? Encryption, properly applied, is what limits the damage here, says Thales e-Security's Richard Moulds:
“It is almost impossible for businesses to guard against data leakage, whether it’s an external hack, lawful interception, or human error. Faced with this reality, the only option for businesses is to use encryption, as Adobe has done, to ‘detoxify’ their data, and insulate against the impact of a data breach. Of course, technology can rarely neutralise the reputational impact associated with a data breach, though it does allow organisations to retain crucial control of their data. Providing the business employs strong encryption and keeps tight control of the keys, any compromised information is of no use to external attackers. The Adobe breach should serve as a powerful reminder that no data is safe. Businesses need to invest time in understanding what their data is worth – encrypt what you care about and keep control of your data.”
So it seems that the credit card details may be safe, which will come as a relief to many, but what about the data that was compromised without encryption? Paul Ayers of Vormetric is not so sure that all is as well as Adobe makes out.
“It is good that Adobe protected their customer PII with encryption, which should protect credit card numbers. However, Adobe didn’t mention the protection of customer addresses, owned software licenses, email addresses and perhaps a lot of other useful targeting information for a hacker. This information could potentially be used for a very targeted spear phishing attack coming from ‘Adobe’, one that recommends a necessary software update is available to be downloaded with an email that seems very real because of all the accurate details it contains.
“From the reports out so far and the information available, you could draw the conclusion that Adobe used encryption to meet compliance requirements but not to protect what matters. Obviously the rest of their customer information and certainly their source code significantly matters to them – yet they were unable to defend that data. Now, they have joined the ranks of Cisco and RSA which have lost valuable source code to a hacker.
“We don’t know enough at this time to know if firewalling their data would have helped. However, what we do know is that controlling and limiting data access to only those who need it significantly reduces the risk surface. We also know that closing back doors to data access by controlling what privileged users can do significantly reduces the risk of hackers compromising these users in order to gain access to servers. Lastly, there is a good chance that this attack has been in the works for many months. If Adobe had the appropriate security intelligence there was a much better chance that we would have never read these reports about their breach.”