Lingering Questions On the Extent of the Adobe Hack
chicksdaddy writes "In the wake of Adobe's warning on Thursday about a high profile compromise on its network, security experts say the incident raises troubling questions about the extent of the breach at a company that makes software running on hundreds of millions of computers. Writing on Thursday, Brad Arkin, Adobe's Senior Director of Product Security And Privacy, reassured customers that the company's source code wasn't stolen, nor did the hackers have access to code for any of Adobe's core products like Adobe Reader or Flash. However, those with expertise in breaking into networks and cleaning up after hacks said the nature of the attack – which Adobe has described as having the characteristics of an 'APT' – or advanced persistent threat – make it difficult to know what attackers did or did not have access to and whether or not the threat has been removed. 'If you put yourself in the hacker's position you realize how much they must have known about Adobe internals to perform the hack they performed,' said Dave Aitel of Immunity Inc. 'If they had that kind of access it's very hard to say that they were limited in their access and are completely removed from the network.'"
Wouldn't it be just if ... (Score:5, Funny)
Re:Wouldn't it be just if ... (Score:4, Insightful)
most pdfs you can download from the internet anyway.
Except all the ones used by businesses like insurance companies, financial companies, banks, etc. So many of them actually require Acrobat to open and run. More than a couple of the websites used for employees and 3rd party companies use embedded PDF to exchange documents relating to customers.
Adobe is not making any money on the majority of PDFs freely available for download. It's the corporations actually purchasing Acrobat and its related products that are creating revenue. You won't see any of that stuff on a public site.
Re: (Score:2)
Re: (Score:2)
if we pushed Adobe to open the format
This is a fairly common criticism of Flash, and it's also an invalid one. Flash is an open format, you can download the specification here on Adobe's website [adobe.com]. There are even open source players available, see Gnash, Swfdec, and Lightspark. Unfortunately none of them are feature complete, and most are lacking some major features.
What Flash is not is an open standard. Meaning only Adobe gets to advance the standard, and I don't believe the licensing allows for there to be a fork of their standard. They'l
Re: (Score:1)
So they can sign their own installers that look like official Adobe upgrades.
I'm getting concerned.... (Score:5, Interesting)
I've been trying to order the Lightroom 4 upgrade all weekend, and their servers keep failing to accept the order at the very last step, either after accepting credit card information or after PayPal has processed the payment, depending on which payment method I choose. These may be isolated incidents, but the timing of these server failures is disconcerting, at the very least.
Re:I'm getting concerned.... (Score:5, Funny)
their servers keep failing to accept the order at the very last step, either after accepting credit card information or after PayPal has processed the payment
They're not Adobe's servers any more... someone else 0wns them.
Re:I'm getting concerned.... (Score:4, Funny)
Knowing Adobe, I would actually expect the service to get better.
Re:I'm getting concerned.... (Score:4, Funny)
Re: (Score:3)
Insanity. You know, doing the same thing over and over, but expecting different results.
Re: (Score:2)
Re: (Score:2)
I have a subscription to Creative Cloud. This is kind of scary.
On the up side maybe really awesome art will start appearing on my computer.
Re: (Score:3)
Let's see... 50 dollars a month which I can afford. Or several thousand dollars all at once which I can not afford.
There is no better legitimate deal for a hobbyist learning all the tools. And I don't download warez.
Why the fuck (Score:2, Insightful)
would you have ANY machine with access to the source code, connected in any way whatsoever to the outside world?
Easiest way not to get compromised (from the outside at least) - don't connect *everything* to the fucking Internet.
Re:Why the fuck (Score:4, Insightful)
Re: (Score:1)
Your sense of entitlement is astonishing. You think because I want you to sit in the office and code, instead of "work from home" or fuck around on the internet, it's "still 1980" and/or you'll hate your job.
Guess what. That attitude rules you out as an employee, I don't give a flying fuck how good a programmer you are. You represent everything that's wrong with the modern work ethic.
Re: (Score:1)
Sense of entitlement... haha. Employees wanting to enjoy their jobs is entitlement now. Good job AC. Maybe the 1980s would have been a better time for you to be a "boss".
Re: (Score:1)
OK, that wasn't really helpful... I'd delete it if I could. My point is: If we can't trust each other as an employee and employer (especially in the world of software development, where you have really smart, creative people in the job), I will find a way to screw you and you will find a way to screw me. That sucks. I'd rather work for a company that trusts and respects its developers and puts in reasonable (relative term I know) limits to protect against mistakes.
Making it so I'm working at a dumb ter
Re: (Score:1)
Not just now, but always. The purpose for going to work is not to have an enjoyable time, it's to trade labor for money. Some jobs, like porta-potty cleaning, don't even really allow for enjoying the work.
With that said, however, some people take lesser paying jobs that are more enjoyable. If it's understood as part of the compensation package that's one thing. But otherwise, when it occurs (for those lucky enough for whom it can), it really is just a
Re:Why the fuck (Score:5, Insightful)
Not having Internet access to every site you want is not cubicle prison. Sometimes security is quite necessary, because as you can see, shit like this happens.
While you sit there and complain about cubicle prisons are you also thinking about the risks to the customers? How would they be impacted if your company lost their private data? Security is about cooperation. You're not there to surf the Internet. You're there to work.
How many horror stories and tanked companies do you need to hear about before it sinks in that security, especially when dealing with business data, is paramount?
You would not be downloading source to your laptop at my company. In fact, your laptop could not even connect to the corporate network at all. Fuck that BYOD hippie utopia shit. USB is even disabled to prevent data leakage. Not just from you either. You know that the majority of the day you are not actually sitting in front of those computers right?
All this may make me sound like a tyrant, but I am a huge proponent of breaks. I provide guest wireless everywhere in the company, and as long as it is a personal device, you can go nuts doing whatever you want.
I still think people have become far too addicted to online communications to the point where it is unhealthy. You don't need to be running a full check on the Internet every 5 minutes to see if somebody twittered something new and interesting. Hey, as long as you are meeting your deadlines and getting stuff done, it's not my business where and when you take your breaks.
Anon does have a point about a sense of entitlement. It really does seem like all the new workers coming into companies these days believe that if they can't have full control over the system and access anything in the world they want, when they want it, that it is all of the sudden "fascism" and "cubicle prisons". When you try to calmly explain why security is important to protect business data, invariably, they roll their eyes and exclaim that you are too uptight and paranoid.
One of the side effects of all of the loss of privacy. None of those sadly naive little children will understand when the company goes out of business after being sued by customers. Ironically, I am sure they will ask why IT was not doing its job to protect them....
Bless your little hearts...
Re: (Score:1)
Cubicle prison is Hyperbole.
Sorry, I just don't buy into the "the only way to guarantee software developers don't screw up is to lock down every single thing they do". I've worked there. Bosses that monitor every URL visited by their employees, Companies that don't trust their developers to work, and instead make them fill out time cards for every 15 minutes spent on a task throughout the day (not for billing purposes), Internet firewalls that only let through a whitelist of sites, Full Disk Encryption on
Re: (Score:3, Insightful)
Sorry, I just don't buy into the "the only way to guarantee software developers don't screw up is to lock down every single thing they do". I've worked there. Bosses that monitor every URL visited by their employees, Companies that don't trust their developers to work, and instead make them fill out time cards for every 15 minutes spent on a task throughout the day (not for billing purposes), Internet firewalls that only let through a whitelist of sites, Full Disk Encryption on Desktop PCs so that build times go up by 4x but we can check the box with some IT blowhard, IT departments that control every single piece of software that goes on your computer, Threats of firing unless you comply with some silly IT regulation (really, you threaten to FIRE HIGHLY PAID EMPLOYEES as a matter of general procedure??). Man, the list goes on and sounds whiny, I guess. But it sucks, it's an awful atmosphere to work in.
It's not about you screwing up. I paid you to develop software, not be a security expert. Machines are locked down to an extent, but some developers may not have some restrictions.
White list and Internet firewalls? Absolutely. Not going to change anytime soon. You don't need Facebook to do your job, or Twitter, or CNN, or Slashdot, etc. StackOverFlow? Sure. Any reasonable site, that is trustworthy enough, can get on the white list if it is beneficial to the job.
Threats of firing? Only if you are pe
Re: (Score:3)
You're right.
I'm a CTO, not a manager. Won't say which company since I value my privacy and keep a strong separation between my Internet identities and real life.
In any case, my arguments should be weighed on their merit. Not whether or not I may actually hold a position.
Do you have any positions or just profanity?
not really secure, yet not free enough (Score:2)
You really need to get those development machines disconnected from the internet. A firewall is not enough. OTOH, less-restricted internet access is very useful for a developer. The solution is separate computers on separate networks.
Yes, it is an expense, but only the development machine needs to be nice hardware. For example you could use a Pentium II with 512 MB RAM for the internet, but use the latest Core i7 with 16 GB RAM on the development network. (adjust both as required for the budget) The interne
you are security FAIL (Score:2)
If I can't get to the internet while I work (and access the source code), I won't work for you. Call that entitled, call it childish, but I call it normal business in 2012.
For security, this is FAIL. You should have two computers at your desk.
One is purely for the internet. The only services are network fundamentals (DHCP, DNS, etc.), printers, and external email. Email between employees should be blocked to reduce temptation.
The other is purely internal. It gets continuously monitored to detect an accidental or illicit connection to the internet. If an internet connection happens, an alarm goes off and/or power to the internet router is cut. You run all sorts of servers on t
Re: (Score:1)
Fuck that BYOD hippie utopia shit.
If I had any mod points, I'd give you all 5 just for that sentence right there.
* unless you use Windows (Score:3)
There are several reasons, but they all boil down to because it is 2012, and people want to actually be able to get work done. For example, much of the information you need to get the job done is on the internet, and manually typing commands that you find with google searches by reading them from one computer connected to the internet into another that is not is just slow and stupid. How do you
Re: (Score:2)
"Because it's 2012" is not a valid reason. Sorry.
OTOH, it is quite reasonable that machines should have libraries of the code to link, and the source code that the developer is working on. But you NEED air-breaks in your network for security. Where you put them is optional. If you have all the code on a machine, then that machine can't be connected to the internet, sorry. But if you only need one specific chunk, and the rest can be a library, then there's much less problem. So only the code that's bei
Riddle me this ... (Score:2)
Re: (Score:2)
I think you are misunderstanding how the kernel development works. Yes, there is, indeed, a public copy. But there are also several complete private copies at all times. Off-line. They may be in DVDs, or hard disks, but they aren't accessible to the internet.
So a couple of years ago when Debian got their archives on-line penetrated, they were able to restore from known good copies. There was a bit of work required to re-mirror everything, and to bring things back up to date...the off-line copies weren'
Re: (Score:2)
I have been doing kernel development for years. No shit there are backups, but that isn't how it works either. You clearly have no concept of how git works. Nevertheless, the master copy where anyone and everyone can go to get everything from the kernel source and git source to pcitools and more is on the Internet. Of course, you are trying to change the subject, but then again if I were you, I'd try to change the subject too.
Why don'
Re: (Score:2)
I know I have a limited understanding, and I do understand that git allows everyone to have a complete copy of the software. This, however, isn't the same as a master copy (though it does facilitate reconstruction of the master copy if necessary from several independent copies). But I don't believe that the master copy is accessible on the web. A complete copy, that is the "working master", yes. But that's not the same thing.
I don't believe that I'm "spouting nonsense". The approach of having the acces
Re: (Score:2)
This is where you should have stopped. You have no understanding of git. You need to learn the difference between distributed SCM and the old centralized approach [betterexplained.com].
Re: (Score:2)
Fire this guy (Score:5, Insightful)
Their director of security "reassured" customers Adobe's source code wasn't stolen? You want to know why Adobe's got problems that never end, that tells you everything you need to know about Adobe's attitude about security right there. The guy in charge of security doesn't even know what that word means.
Re:Fire this guy (Score:5, Insightful)
It's actually too bad. If Adobe's source code got stolen, maybe a few bugs would actually get fixed instead of them just constantly punting the problems down the road until they become zero-day security exploits.
Re:Fire this guy (Score:5, Insightful)
Their director of security "reassured" customers Adobe's source code wasn't stolen? You want to know why Adobe's got problems that never end, that tells you everything you need to know about Adobe's attitude about security right there. The guy in charge of security doesn't even know what that word means.
It sounded like the reassurance was for shareholders, not customers.
Re: (Score:2)
I just can't tell you how happy for Adobe I am that their sacred source code wasn't stolen. Now, perhaps they'd care to talk about things the outside world has reason to care about? Things like how many downloads had a poison pill inside? We know the answer isn't zero based on previous reports and them revoking their signing cert. How about what customer info leaked?
But yes, by all means thank God their sacred source code is safe! We wouldn't want any of the mess to get on THEIR shoes, now would we?
Re: (Score:1)
Adobe's private keys floating around aren't a poison pill.
They're the master key to 99% of desktops on the internet.
Re: (Score:3)
Amen.
It was actually the weirdo updates that ended it for me, but I find I still get plenty of useful data from the web without enabling any Adobe security breaches on my machine.
Reassured? (Score:1)
"Reassured customers?"
Huh?
Surely customers would rather have the source code, no?
Re: (Score:2)
No. Most of Adobe's customers would see no use in having the source code. Even for most FOSS packages I use, I don't bother to even download, much less study, the source code. Usually only if I have a problem installing it. (And since it's usually a deb, that's quite rarely.)
Being able to study the source code and wanting to have it are really two different things.
Thank goodness Adobe is all about the cloud (Score:2)
Security is NOT an issue with The Cloud. (Score:5, Funny)
Wait a minute. I'm a manager, and I've been reading a lot of case studies and watching a lot of webcasts about The Cloud. Based on all of this glorious marketing literature, I, as a manager, have absolutely no reason to doubt the safety of any data put in The Cloud.
The case studies all use words like "secure", "MD5", "RSS feeds" and "encryption" to describe the security of The Cloud. I don't know about you, but that sounds damn secure to me! Some Clouds even use SSL and HTTP. That's rock solid in my book.
And don't forget that you have to use Web Services to access The Cloud. Nothing is more secure than SOA and Web Services, with the exception of perhaps SaaS. But I think that Cloud Services 2.0 will combine the tiers into an MVC-compliant stack that uses SaaS to increase the security and partitioning of the data.
My main concern isn't with the security of The Cloud, but rather with getting my Indian team to learn all about it so we can deploy some first-generation The Cloud applications and Web Services to provide the ultimate platform upon which we can layer our business intelligence and reporting, because there are still a few verticals that we need to leverage before we can move to The Cloud 2.0.
Re: (Score:2)
The truly sad part is that you really might be a manager. Plenty of executives walk around talking like this all day long.... and get paid for it.
48 times dupe... (Score:3)
Plenty of slashdot posters keep copy/pasting talks like this... and get +5 Funny for it.
http://www.google.com/search?q="I+don't+know+about+you+but+that+sounds+damn+secure+to+me"+site%3Aslashdot.org [google.com]
Re: (Score:2)
Re: (Score:2)
I like the sarcasm and pseudo management speak, thanks :)
Re: (Score:1)
You should read up to what Adobe's cloud service encompasses before making comments like this, so you know how ridiculous that sounds. Why would a different payment model (subscription instead of up front) expose customers to hacks? Because that is the only difference between the regular Adobe products and the cloud "service"
Re: (Score:1)
Adobe already has an updater that can install code on all users' computers at will, so they don't need a Cloud service for that.
Re: (Score:2)
It probably doesn't matter. No OS secures the user directories if you have crackable applications installed. Like just about any web browser. And since this is Adobe, you can probably count on Flash, and probably some Flash development tools being installed.
One word Omniture (Score:1)
They own an analytics suite that is used by large corporations (including some banks). So I wonder if they got access to that, as the information on there has a much higher resale value than something like the Photoshop source code.
And yes they host all the data as it is a SaaS.
Adobe has a Senior Director of Product Security? (Score:1)
Really?
What has he been doing for the last 10 years or so?
Apparently nothing. Flash & Acrobat probably have the worst security record in history. Not sure if Java or IE ranks higher.
Re: (Score:2)
Oh please, Flash just has the worst PUBLISHED security record because its incredible pervasiveness made it a highly attractive attack vector. There's plenty of software out there that makes Flash look like a digital Fort Knox by comparison.
Re: (Score:2)
There's plenty of software out there that makes Flash look like a digital Fort Knox by comparison.
Windows? /me tiptoes away..
Re: (Score:2)
Yeah, keep telling yourself that. And when you pull your head out of the sand, maybe look at the facts.
What makes it a highly attractive attack vector is its pervasiveness _combined_ with the incredible ease it can be attacked with. If it were hard to attack, nobody (except maybe TLAs with no economic accountability) would attack it. Remember that writing exploit code for well secured systems can take man-years of qualified experts. Flash can be attacked on the cheap with a small budget.
Re: (Score:2)
I think you missed my point, which was: Flash may be historically easy to exploit, but then so is most of the software out there. However, most software is not subjected to its constant prodding.
Re: (Score:2)
I did not miss the point. The point is just plain wrong, however often repeated. The number of deployed systems is just one factor among many.
For one thing, the probability of a compromise does not depend on the intensity of prodding, but the attacker competence vs. the level of software security. This is not a randomized process except in some details (fuzzing). To build the actual exploit once you have fuzzed a vulnerability is not randomized at all, but solid engineering work. Now, fuzzing is easy and ca
Re: (Score:2)
From your reply it is obvious that you think I am defending Flash on its security record. I am not. Nor am I talking about your beloved Linux; most software is not as well-hardened as it is. What I'm saying is not that Adobe/Flash is good at security, but that most software is equally as bad. Card Maker 1-2-3, SuperCloud!, Fashionable DB, Hipster Web Stack 3.0, Robot Bunny Attack, and their ilk are just as full of holes. So, the statement "Flash has the worst security record of any software" is misleading a
Re: (Score:2)
If you are saying that insecure software gets attacked more when it is more widespread, then I can agree to that.
And no, I do not "love" Linux at all. It sucks. It just sucks less than everything else.
There are other nasty implications for this (Score:5, Interesting)
What I am about to describe is certainly a well known hole, but when it happens to a big popular vendor it makes the problem a whole lot more significant.
We now have all these systems out there that make us safe :-P by only running signed code. We have all these policy mechanisms like Microsoft's AppLocker that encourage admins to start white listing applications not by secure hash but by X.509 properties on a certificate. It's less work after all; I want users to be able to run Acrobat and Flash, I don't want to have to update my GPOs every five hours when Adobe releases a patch.
Guess what most of these devices don't do? Revocation checks, or at least it's default-permit when they can't do a revocation check. Leaks and other PKI fails like this are a very real threat to environments we otherwise think of as hardened.
Re: (Score:2)
Very, very true. When I studied PKI more than 20 years ago, revocation was already known as possibly the most difficult problem. And yet it is absolutely critical, as expiry does not cut it. But it is even worse: While many, many devices do not handle revocation at all, those that do often do not work correctly as well. For example, I have seen a PKI system where revocation fails because they managed to clutter-up their certificate space badly enough that the revocation lists are too long for the devices to
Adobe have always been jerks. (Score:1)
Gleefully I don't wish them well.
Re: (Score:2)
Time to regulate them into the ground. Terrorism is peanuts in comparison to the damage these idiots are doing.
You Must Have Acrobat (Score:1)
Re: (Score:2)
Fortunately, xpdf works just as well and starts way faster. And there are alternatives on Windows.
The issue is not the extent of the breach (Score:4, Informative)
The issue is that it was possible in this way in the first place. Only absolute incompetents place signing certificates of this importance on systems connected to the network. Adobe either does not care about security at all, or worse, does not understand even the basics. Now, _that_ is a cause for worry.
If you even have basic understanding, the code signing certificate goes onto an isolated system (e.g. laptop, stored in a safe) which is never connected to the network and does one thing: Signing. If you are a bit more careful, the signing system never sees the distribution packages, but just the hashes, which are typed in and exported on media the system never reads, only writes. All this is _easy_ to do. A Linux or OpenBSD box with openssl and some scripting is enough. System updates are not necessary. A competent security expert could set this up in a day as a demo and in a week with documentation and risk analysis. The signing process would require maybe 10 minutes of manual work per signature. All not a problem and cheap to do, as long as you have that one competent security expert and follow his/her security advice.
So my guess is that Adobe actually has zero competent security experts. And that after public reports of CAs being compromised and SecurID being hacked. This actually seems to indicate that Adobe does not even have half-competent security experts or does not listen to them at all. Now, _that_ is grounds for very real worries.
The only way I see to fix this is personal criminal liability for the ones responsible for such cases of gross negligence by making it a regulatory requirement, i.e. send the incompetent bean-counters to jail for failing to hire security experts or failing to let them do their job. The only way to get out of that should be that they can prove a) sound security architecture, design and implementation and b) independent review by competent experts and implementation of the expert recommendations. Of course, mistakes can happen. For those, the company should still be fined heavily, but no personal criminal liability, unless they pile up. Without something this strong, cretins with an MBA but no understanding of the subject or the world will always break security by trying to do it too cheap or not at all (or plain wrong). There need to be real and very unpleasant personal consequences for not using effective IT security measures.
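Two of the posts above make points that are easier to see in code: the one under "There are other nasty implications" (publisher-based allow-listing with no revocation check is defeated by a leaked signing key, while a hash rule is not) and this one (the signer should be an offline box that only ever sees hashes). The following is one added worked example covering both; it is not code from any poster, from Adobe, or from Microsoft. Everything in it is a stand-in: the RSA is textbook RSA with a fixed seed so the run is reproducible (not a secure signature scheme), the "certificate" and "CRL" are plain dictionaries rather than X.509 objects, the installer bytes are constructed, and none of it models AppLocker's real rule format.

```python
"""Toy model: hash-based vs publisher-based code allow-listing, and what a
leaked signing key does to each. Added example, not Adobe/Microsoft code.
Textbook RSA over SHA-256 is used only to stay standard-library-only."""
import hashlib
import random

_rng = random.Random(20121001)  # fixed seed: toy keys are reproducible, not secret


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin; n is always >= 2**255 here, so the small-n path is unused."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = _rng.randrange(2, n - 2)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # full-width, odd
        if _is_probable_prime(cand):
            return cand


def keygen(bits=512):
    """Return (public, private) toy RSA keys; 512 bits keeps the digest < n."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e prime, so e not dividing phi means gcd == 1
            break
    n = p * q
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, phi)}


def sha256_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign_digest(priv, digest):
    """The offline signer only ever receives the 32-byte digest, never the package."""
    return pow(digest, priv["d"], priv["n"])


def verify(pub, digest, sig):
    return pow(sig, pub["e"], pub["n"]) == digest


def hash_rule_allows(allowed_hashes, package):
    """AppLocker-style hash rule: only the exact, pre-approved binary runs."""
    return hashlib.sha256(package).hexdigest() in allowed_hashes


def publisher_rule_allows(trusted_subject, package, cert, sig, crl=None):
    """Publisher rule: anything validly signed by the trusted subject runs.
    crl=None means revocation is not checked at all (the default-permit
    behaviour the post complains about); a set of revoked serials enables it."""
    if cert["subject"] != trusted_subject:
        return False
    if crl is not None and cert["serial"] in crl:
        return False
    return verify(cert["pub"], sha256_int(package), sig)


def scenario():
    """Vendor signs a real installer; the key leaks; attacker signs a trojan."""
    pub, priv = keygen()
    cert = {"subject": "CN=Example Publisher", "serial": 1001, "pub": pub}
    legit = b"legit-installer-v1.0"      # constructed sample binaries
    trojan = b"trojanised-installer"
    legit_sig = sign_digest(priv, sha256_int(legit))
    trojan_sig = sign_digest(priv, sha256_int(trojan))  # attacker has the leaked key
    allowed_hashes = {hashlib.sha256(legit).hexdigest()}
    crl = {1001}  # after the leak the vendor revokes the certificate
    subj = cert["subject"]
    return {
        "hash_rule_legit": hash_rule_allows(allowed_hashes, legit),
        "hash_rule_trojan": hash_rule_allows(allowed_hashes, trojan),
        "publisher_rule_trojan_no_revocation": publisher_rule_allows(subj, trojan, cert, trojan_sig),
        "publisher_rule_trojan_with_crl": publisher_rule_allows(subj, trojan, cert, trojan_sig, crl),
        "publisher_rule_legit_with_crl": publisher_rule_allows(subj, legit, cert, legit_sig, crl),
        "publisher_rule_wrong_signature": publisher_rule_allows(subj, trojan, cert, legit_sig),
    }


if __name__ == "__main__":
    for name, allowed in scenario().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
```

The trojan passes the publisher rule for as long as the endpoint skips (or defaults-permit on) the revocation check, and the hash rule never passes it. The last two results show the cost of revocation: once the certificate is on the CRL, the legitimate installer signed with it is refused too, which is why vendors have to re-sign and re-ship after a key leak.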
Re: (Score:2)
If such a law were passed, you can bet it would be the security experts going to jail, not the bosses who overruled them. If necessary, the critical reports and memos would just disappear...but the law would probably be written so that even that was only needed to avoid lawsuits. And so that if there were suits, the company, and not the manager, was responsible. At the very most the CIO might be the fall-guy...and if that were the case, the official CIO would probably be a figurehead, with the real power
A question about signing keys (Score:2)