Lingering Questions On the Extent of the Adobe Hack

chicksdaddy writes "In the wake of Adobe's warning on Thursday about a high profile compromise on its network, security experts say the incident raises troubling questions about the extent of the breach at a company that makes software running on hundreds of millions of computers. Writing on Thursday, Brad Arkin, Adobe's Senior Director of Product Security And Privacy, reassured customers that the company's source code wasn't stolen, nor did the hackers have access to code for any of Adobe's core products like Adobe Reader or Flash. However, those with expertise in breaking into networks and cleaning up after hacks said the nature of the attack – which Adobe has described as having the characteristics of an 'APT' – or advanced persistent threat – make it difficult to know what attackers did or did not have access to and whether or not the threat has been removed. 'If you put yourself in the hacker's position you realize how much they must have known about Adobe internals to perform the hack they performed,' said Dave Aitel of Immunity Inc. 'If they had that kind of access it's very hard to say that they were limited in their access and are completely removed from the network.'"
  • by gweihir ( 88907 ) on Sunday September 30, 2012 @02:07PM (#41507323)

    The issue is that it was possible in this way in the first place. Only absolute incompetents place signing certificates of this importance on systems connected to the network. Adobe either does not care about security at all, or worse, does not understand even the basics. Now, _that_ is a cause for worry.

    If you have even a basic understanding, the code signing certificate goes onto an isolated system (e.g. a laptop, stored in a safe) which is never connected to the network and does one thing: signing. If you are a bit more careful, the signing system never sees the distribution packages, but just the hashes, which are typed in and exported on media the system never reads, only writes. All this is _easy_ to do. A Linux or OpenBSD box with openssl and some scripting is enough. System updates are not necessary. A competent security expert could set this up in a day as a demo and in a week with documentation and risk analysis. The signing process would require maybe 10 minutes of manual work per signature. All not a problem and cheap to do, as long as you have that one competent security expert and follow his/her security advice.

    So my guess is that Adobe actually has zero competent security experts. And that is after public reports of CAs being compromised and SecurID being hacked. This actually seems to indicate that Adobe does not even have half-competent security experts or does not listen to them at all. Now, _that_ is grounds for very real worries.

    The only way I see to fix this is personal criminal liability for the ones responsible for such cases of gross negligence by making it a regulatory requirement, i.e. send the incompetent bean-counters to jail for failing to hire security experts or failing to let them do their job. The only way to get out of that should be that they can prove a) sound security architecture, design and implementation and b) independent review by competent experts and implementation of the expert recommendations. Of course, mistakes can happen. For those, the company should still be fined heavily, but no personal criminal liability, unless they pile up. Without something this strong, cretins with an MBA but no understanding of the subject or the world will always break security by trying to do it too cheaply or not at all (or plain wrong). There need to be real and very unpleasant personal consequences for not using effective IT security measures.
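The hash-only signing flow the comment sketches, as an added example in POSIX sh with openssl (not code from the comment, from Slashdot or from Adobe). The key is generated into a temp dir, and the package contents and file names are constructed, purely so the script runs stand-alone; in the real setup the key lives only on the isolated box and the digest arrives by transcription or write-only media.

```shell
#!/bin/sh
# Added example, not from the original comment: an openssl-based signing flow in
# which the air-gapped box only ever handles a transcribed SHA-256 digest, never
# the package itself. File names and the demo package contents are constructed.

# Networked build side: produce the digest that gets written down / carried over.
hash_package() {                     # $1 = package path; prints 64 hex chars
    openssl dgst -sha256 -r "$1" | cut -d' ' -f1
}

# Decode a hex string on stdin to raw bytes (POSIX sh only; no xxd dependency).
hex_to_bin() {
    hex=$(cat)
    while [ -n "$hex" ]; do
        byte=${hex%"${hex#??}"}; hex=${hex#??}
        printf "\\$(printf '%03o' "$((0x$byte))")"
    done
}

# Isolated signing side. In production the key never leaves this machine; it is
# generated into a temp dir here only so the example runs stand-alone.
make_signing_key() {                 # $1 = private key path; writes $1 and $1.pub
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
    openssl pkey -in "$1" -pubout -out "$1.pub" 2>/dev/null
}

sign_digest() {                      # $1 = key, $2 = typed-in hex digest, $3 = sig out
    # A transcription error must fail here, not yield a signature over garbage.
    case "$2" in *[!0-9a-fA-F]*) return 1 ;; esac
    [ "${#2}" -eq 64 ] || return 1
    printf '%s' "$2" | hex_to_bin > "$3.dgst"
    openssl pkeyutl -sign -inkey "$1" -in "$3.dgst" -out "$3" -pkeyopt digest:sha256
    rm -f "$3.dgst"
}

# Consumer side: recompute the digest from the real package and check the signature.
verify_package() {                   # $1 = pubkey, $2 = package, $3 = sig; 0 = valid
    hash_package "$2" | hex_to_bin > "$3.chk"
    if openssl pkeyutl -verify -pubin -inkey "$1" -in "$3.chk" -sigfile "$3" \
          -pkeyopt digest:sha256 >/dev/null 2>&1; then rc=0; else rc=1; fi
    rm -f "$3.chk"; return $rc
}

# Demo run over a constructed package.
work=$(mktemp -d); printf 'constructed installer bytes\n' > "$work/pkg.bin"
make_signing_key "$work/key.pem"
sign_digest "$work/key.pem" "$(hash_package "$work/pkg.bin")" "$work/pkg.sig"
verify_package "$work/key.pem.pub" "$work/pkg.bin" "$work/pkg.sig" && echo "signature OK"
rm -rf "$work"
```

Because the signer only sees 32 bytes of digest, a compromised build host can at most get a bad package's hash signed, which the digest-format check and a second pair of eyes on the transcribed value are meant to catch.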
