
Lingering Questions On the Extent of the Adobe Hack

Posted by Soulskill
from the known-unknowns-and-unknown-unknowns dept.
chicksdaddy writes "In the wake of Adobe's warning on Thursday about a high profile compromise on its network, security experts say the incident raises troubling questions about the extent of the breach at a company that makes software running on hundreds of millions of computers. Writing on Thursday, Brad Arkin, Adobe's Senior Director of Product Security And Privacy, reassured customers that the company's source code wasn't stolen, nor did the hackers have access to code for any of Adobe's core products like Adobe Reader or Flash. However, those with expertise in breaking into networks and cleaning up after hacks said the nature of the attack – which Adobe has described as having the characteristics of an 'APT' – or advanced persistent threat – make it difficult to know what attackers did or did not have access to and whether or not the threat has been removed. 'If you put yourself in the hacker's position you realize how much they must have known about Adobe internals to perform the hack they performed,' said Dave Aitel of Immunity Inc. 'If they had that kind of access it's very hard to say that they were limited in their access and are completely removed from the network.'"

  • by John Bokma (834313) on Saturday September 29, 2012 @08:25PM (#41502733) Homepage
    They got in by having an employee of Adobe open a PDF or watch Flash...
  • by dgatwood (11270) on Saturday September 29, 2012 @08:25PM (#41502735) Journal

    I've been trying to order the Lightroom 4 upgrade all weekend, and their servers keep failing to accept the order at the very last step, either after accepting credit card information or after PayPal has processed the payment, depending on which payment method I choose. These may be isolated incidents, but the timing of these server failures is disconcerting, at the very least.

  • Why the fuck (Score:2, Insightful)

    by Anonymous Coward

    would you have ANY machine with access to the source code, connected in any way whatsoever to the outside world?

    Easiest way not to get compromised (from the outside at least) - don't connect *everything* to the fucking Internet.

    • Re:Why the fuck (Score:4, Insightful)

      by muon-catalyzed (2483394) on Saturday September 29, 2012 @08:45PM (#41502839)
      Source code? I want them to immediately and clearly state whether my credit card info is safe. If they can't tell then we must assume all CC data have been compromised.
    • "would you have ANY machine with access to the source code, connected in any way whatsoever to the outside world?"

      There are several reasons, but they all boil down to because it is 2012, and people want to actually be able to get work done. For example, much of the information you need to get the job done is on the internet, and manually typing commands that you find with google searches by reading them from one computer connected to the internet into another that is not is just slow and stupid. How do you

      • by HiThere (15173)

        "Because it's 2012" is not a valid reason. Sorry.

        OTOH, it is quite reasonable that machines should have libraries of the code to link, and the source code that the developer is working on. But you NEED air-breaks in your network for security. Where you put them is optional. If you have all the code on a machine, then that machine can't be connected to the internet, sorry. But if you only need one specific chunk, and the rest can be a library, then there's much less problem. So only the code that's bei

        • If you must have air gaps between the internet and data that must be secured, how do hundreds of thousands of companies process online credit card purchases again? Do you think there are a bunch of drones reading the input and manually typing it into another machine, and if so, how do they guarantee those people don't steal the numbers? You need to learn about Defense in Depth [wikipedia.org]. You also need to learn that if your security measures are an unreasonable hassle, people will circumvent it and nullify it.

          "If y

          • by HiThere (15173)

            I think you are misunderstanding how the kernel development works. Yes, there is, indeed, a public copy. But there are also several complete private copies at all times. Off-line. They may be in DVDs, or hard disks, but they aren't accessible to the internet.

            So a couple of years ago when Debian got their archives on-line penetrated, they were able to restore from known good copies. There was a bit of work required to re-mirror everything, and to bring things back up to date...the off-line copies weren'

            • "I think you are misunderstanding how the kernel development works. "

              I have been doing kernel development for years. No shit there are backups, but that isn't how it works either. You clearly have no concept of how git works. Nevertheless, the master copy where anyone and everyone can go to get everything from the kernel source and git source to pcitools and more is on the Internet. Of course, you are trying to change the subject, but then again if I were you, I'd try to change the subject too.

              Why don'

              • by HiThere (15173)

                I know I have a limited understanding, and I do understand that git allows everyone to have a complete copy of the software. This, however, isn't the same as a master copy (though it does facilitate reconstruction of the master copy if necessary from several independent copies). But I don't believe that the master copy is accessible on the web. A complete copy, that is the "working master", yes. But that's not the same thing.

                I don't believe that I'm "spouting nonsense". The approach of having the acces

    • what, like github?
  • Fire this guy (Score:5, Insightful)

    by RonVNX (55322) on Saturday September 29, 2012 @08:34PM (#41502793)

    Their director of security "reassured" customers Adobe's source code wasn't stolen? You want to know why Adobe's got problems that never end, that tells you everything you need to know about Adobe's attitude about security right there. The guy in charge of security doesn't even know what that word means.

    • Re:Fire this guy (Score:5, Insightful)

      by Anonymous Coward on Saturday September 29, 2012 @09:00PM (#41502891)

      It's actually too bad. If Adobe's source code got stolen, maybe a few bugs would actually get fixed instead of them just constantly punting the problems down the road until they become zero-day security exploits.

    • Re:Fire this guy (Score:5, Insightful)

      by Black Parrot (19622) on Saturday September 29, 2012 @10:10PM (#41503239)

      Their director of security "reassured" customers Adobe's source code wasn't stolen? You want to know why Adobe's got problems that never end, that tells you everything you need to know about Adobe's attitude about security right there. The guy in charge of security doesn't even know what that word means.

      It sounded like the reassurance was for shareholders, not customers.

    • by sjames (1099)

      I just can't tell you how happy for Adobe I am that their sacred source code wasn't stolen. Now, perhaps they'd care to talk about things the outside world has reason to care about? Things like how many downloads had a poison pill inside? We know the answer isn't zero based on previous reports and them revoking their signing cert. How about what customer info leaked?

      But yes, by all means thank God their sacred source code is safe! We wouldn't want any of the mess to get on THEIR shoes, now would we?

      • by Anonymous Coward

        Adobe's private keys floating around aren't a poison pill.

        They're the master key to 99% of desktops on the internet.

  • by Anonymous Coward

    "Reassured customers?"

    Huh?
    Surely customers would rather have the source code, no?

    • by HiThere (15173)

      No. Most of Adobe's customers would see no use in having the source code. Even for most FOSS packages I use, I don't bother to even download, much less study, the source code. Usually only if I have a problem installing it. (And since it's usually a deb, that's quite rarely.)

      Being able to study the source code and wanting to have it are really two different things.

  • Now that Adobe's pushing customers to run the cloud-linked Adobe Creative Suite, this means hackers have a better likelihood of hacking Adobe's customers. Great job.
    • by Anonymous Coward on Saturday September 29, 2012 @10:12PM (#41503245)

      Wait a minute. I'm a manager, and I've been reading a lot of case studies and watching a lot of webcasts about The Cloud. Based on all of this glorious marketing literature, I, as a manager, have absolutely no reason to doubt the safety of any data put in The Cloud.

      The case studies all use words like "secure", "MD5", "RSS feeds" and "encryption" to describe the security of The Cloud. I don't know about you, but that sounds damn secure to me! Some Clouds even use SSL and HTTP. That's rock solid in my book.

      And don't forget that you have to use Web Services to access The Cloud. Nothing is more secure than SOA and Web Services, with the exception of perhaps SaaS. But I think that Cloud Services 2.0 will combine the tiers into an MVC-compliant stack that uses SaaS to increase the security and partitioning of the data.

      My main concern isn't with the security of The Cloud, but rather with getting my Indian team to learn all about it so we can deploy some first-generation The Cloud applications and Web Services to provide the ultimate platform upon which we can layer our business intelligence and reporting, because there are still a few verticals that we need to leverage before we can move to The Cloud 2.0.

    • by Anonymous Coward

      You should read up on what Adobe's cloud service encompasses before making comments like this, so you know how ridiculous that sounds. Why would a different payment model (subscription instead of up front) expose customers to hacks? Because that is the only difference between the regular Adobe products and the cloud "service".

    • by fa2k (881632)

      Adobe already has an updater that can install code on all users' computers at will, so they don't need a Cloud service for that.

  • by Anonymous Coward

    They own an analytics suite that is used by large corporations (including some banks). So I wonder if they got access to that, as the information on there has a much higher resale value than something like the Photoshop source code.

    And yes they host all the data as it is a SaaS.

  • Really?

    What has he been doing for the last 10 years or so?

    Apparently nothing. Flash & Acrobat probably have the worst security record in history. Not sure if Java or IE ranks higher.

    • by petsounds (593538)

      Oh please, Flash just has the worst PUBLISHED security record because its incredible pervasiveness made it a highly attractive attack vector. There's plenty of software out there that makes Flash look like a digital Fort Knox by comparison.

      • by cheros (223479)

        There's plenty of software out there that makes Flash look like a digital Fort Knox by comparison.

        Windows? /me tiptoes away..

      • by gweihir (88907)

        Yea, keep telling you that. And when you pull your head out of the sand, maybe look at the facts.

        What makes it a highly attractive attack vector is its pervasiveness _combined_ with the incredible ease it can be attacked with. If it were hard to attack, nobody (except maybe TLAs with no economic accountability) would attack it. Remember that writing exploit code for well secured systems can take man-years of qualified experts. Flash can be attacked on the cheap with a small budget.

        • by petsounds (593538)

          I think you missed my point, which was: Flash may be historically easy to exploit, but then so is most of the software out there. However, most software is not subjected to its constant proddings.

          • by gweihir (88907)

            I did not miss the point. The point is just plain wrong, however often repeated. The number of deployed systems is just one factor among many.

            For one thing, the probability of a compromise does not depend on the intensity of prodding, but the attacker competence vs. the level of software security. This is not a randomized process except in some details (fuzzing). To build the actual exploit once you have fuzzed a vulnerability is not randomized at all, but solid engineering work. Now, fuzzing is easy and ca

            • by petsounds (593538)

              From your reply it is obvious that you think I am defending Flash on its security record. I am not. Nor am I talking about your beloved Linux; most software is not as well-hardened as it is. What I'm saying is not that Adobe/Flash is good at security, but that most software is equally as bad. Card Maker 1-2-3, SuperCloud!, Fashionable DB, Hipster Web Stack 3.0, Robot Bunny Attack, and their ilk are just as full of holes. So, the statement "Flash has the worst security record of any software" is misleading a

              • by gweihir (88907)

                If you are saying that insecure software gets attacked more when it is more widespread, then I can agree to that.

                And no, I do not "love" Linux at all. It sucks. It just sucks less than everything else.

  • by DarkOx (621550) on Sunday September 30, 2012 @07:22AM (#41505189) Journal

    What I am about to describe is certainly a well known hole, but when it happens to a big popular vendor it makes the problem a whole lot more significant.

    We now have all these systems out there that make us safe :-P by only running signed code. We have all these policy mechanisms like Microsoft's AppLocker that encourage admins to start whitelisting applications not by secure hash but by X.509 properties on a certificate. It's less work, after all: I want users to be able to run Acrobat and Flash, I don't want to have to update my GPOs every five hours when Adobe releases a patch.

    Guess what most of these devices don't do? Revocation checks, or at least it's default permit when they can't do a revocation check. Leaks and other PKI fails like this are a very real threat to environments we otherwise think of as hardened.

    • by gweihir (88907)

      Very, very true. When I studied PKI more than 20 years ago, revocation was already known as possibly the most difficult problem. And yet it is absolutely critical, as expiry does not cut it. But it is even worse: While many, many devices do not handle revocation at all, those that do often do not work correctly as well. For example, I have seen a PKI system where revocation fails because they managed to clutter-up their certificate space badly enough that the revocation lists are too long for the devices to

  • Gleefully I don't wish them well.

    • by gweihir (88907)

      Time to regulate them into the ground. Terrorism is peanuts in comparison to the damage these idiots are doing.

  • And how long has Adobe been pushing Acrobat down people's throats with that damned "must have Acrobat to read PDFs" BS?
    • by gweihir (88907)

      Fortunately, xpdf works just as well and starts way faster. And there are alternatives on Windows.

  • by gweihir (88907) on Sunday September 30, 2012 @02:07PM (#41507323)

    The issue is that it was possible in this way in the first place. Only absolute incompetents place signing certificates of this importance on systems connected to the network. Adobe either does not care about security at all, or worse, does not understand even the basics. Now, _that_ is a cause for worry.

    If you even have basic understanding, the code signing certificate goes onto an isolated system (e.g. laptop, stored in a safe) which is never connected to the network and does one thing: Signing. If you are a bit more careful, the signing system never sees the distribution packages, but just the hashes, which are typed in and exported on media the system never reads, only writes. All this is _easy_ to do. A Linux or OpenBSD box with openssl and some scripting is enough. System updates are not necessary. A competent security expert could set this up in a day as a demo and in a week with documentation and risk analysis. The signing process would require maybe 10 minutes of manual work per signature. All not a problem and cheap to do, as long as you have that one competent security expert and follow his/her security advice.

    So my guess is that Adobe actually has zero competent security experts. And that after public reports of CAs being compromised and SecurID being hacked. This actually seems to indicate that Adobe does not even have half-competent security experts or does not listen to them at all. Now, _that_ is grounds for very real worries.

    The only way I see to fix this is personal criminal liability for the ones responsible for such cases of gross negligence by making it a regulatory requirement, i.e. send the incompetent bean-counters to jail for failing to hire security experts or failing to let them do their job. The only way to get out of that should be that they can prove a) sound security architecture, design and implementation and b) independent review by competent experts and implementation of the expert recommendations. Of course, mistakes can happen. For those, the company should still be fined heavily, but no personal criminal liability, unless they pile up. Without something this strong, cretins with an MBA but no understanding of the subject or the world will always break security by trying to do it too cheap or not at all (or plain wrong). There need to be real and very unpleasant personal consequences for not using effective IT security measures.
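
As an added example (not from any commenter in this thread, and not a description of Adobe's own process), the Go program below puts the two technical points made above side by side: gweihir's offline signer that only ever receives a hash, and DarkOx's warning that a publisher-based whitelist without revocation checks keeps trusting a leaked certificate. A constructed vendor root issues a code-signing leaf and then revokes it in a CRL; the build box hashes a constructed sample package, `signDigest` (the isolated box) signs the 64 hex characters it is handed, and `verifyRelease` (the consumer) checks the chain and the signature once without and once with consulting the CRL. All keys, certificates and names are generated in-process; `must`, `vendorPKI`, `newVendorPKI`, `signDigest`, `verifyRelease` and `demo` are this example's own names, not any library's.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// signDigest runs on the isolated signing box: it never sees the package,
// only the 64 hex characters of its SHA-256 typed in from the build box.
func signDigest(digestHex string, key *ecdsa.PrivateKey) ([]byte, error) {
	digest, err := hex.DecodeString(digestHex)
	if err != nil || len(digest) != sha256.Size {
		return nil, errors.New("expected 64 hex characters")
	}
	return ecdsa.SignASN1(rand.Reader, key, digest)
}
// vendorPKI: a constructed root, a code-signing leaf, and a CRL revoking that leaf.
type vendorPKI struct {
	root, leaf *x509.Certificate
	leafKey    *ecdsa.PrivateKey
	crlDER     []byte
}

func newVendorPKI() *vendorPKI {
	now := time.Now()
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject:      pkix.Name{CommonName: "Example Vendor Root (constructed)"},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign, SubjectKeyId: []byte{1, 2, 3, 4},
	}
	root := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey))))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example Vendor Code Signing (constructed)"},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	leaf := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey))))
	// The vendor revokes the leaf after a leak; that only helps consumers who fetch and honour the CRL.
	crlDER := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}},
	}, root, rootKey))
	return &vendorPKI{root: root, leaf: leaf, leafKey: leafKey, crlDER: crlDER}
}

// verifyRelease is the consumer side. checkRevocation=false is the default-permit publisher rule:
// chain and signature pass, so a revoked certificate is still trusted. true consults the CRL and fails closed.
func verifyRelease(p *vendorPKI, pkg, sig []byte, checkRevocation bool) error {
	roots := x509.NewCertPool()
	roots.AddCert(p.root)
	if _, err := p.leaf.Verify(x509.VerifyOptions{Roots: roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}); err != nil {
		return err
	}
	if err := p.leaf.CheckSignature(x509.ECDSAWithSHA256, pkg, sig); err != nil { // hashes pkg, checks ECDSA sig
		return err
	}
	if !checkRevocation {
		return nil
	}
	rl, err := x509.ParseRevocationList(p.crlDER)
	if err == nil {
		err = rl.CheckSignatureFrom(p.root)
	}
	if err != nil || time.Now().After(rl.NextUpdate) {
		return errors.New("CRL missing, forged or stale: failing closed")
	}
	for _, rc := range rl.RevokedCertificates {
		if rc.SerialNumber.Cmp(p.leaf.SerialNumber) == 0 {
			return errors.New("signing certificate is revoked")
		}
	}
	return nil
}

// demo: build box hashes a constructed package, offline box signs only the hash, consumer verifies twice.
func demo() (trustedNoCheck, trustedWithCheck bool) {
	p := newVendorPKI()
	pkg := []byte("constructed sample installer bytes, build 1.0")
	sig := must(signDigest(fmt.Sprintf("%x", sha256.Sum256(pkg)), p.leafKey))
	return verifyRelease(p, pkg, sig, false) == nil, verifyRelease(p, pkg, sig, true) == nil
}
func main() { fmt.Println(demo()) } // prints: true false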

    • by HiThere (15173)

      If such a law were passed, you can bet it would be the security experts going to jail, not the bosses who overruled them. If necessary, the critical reports and memos would just disappear...but the law would probably be written so that even that was only needed to avoid lawsuits. And so that if there were suits, the company, and not the manager, was responsible. At the very most the CIO might be the fall-guy...and if that were the case, the official CIO would probably be a figurehead, with the real power

  • This year I happened to be a paid up member of the Apple Developer program for Mac OS X. After I paid, I went to their web site and downloaded my signing keys, for the installer and for the application. It seems to me that sending the keys over the internet at all is a gross security violation. Off the top of my head, I don't see a practical way of transporting these keys from Cupertino to a worldwide collection of developers. I agree that the signing keys should never be on a machine connected to the Inte
