Lingering Questions On the Extent of the Adobe Hack
chicksdaddy writes "In the wake of Adobe's warning on Thursday about a high profile compromise on its network, security experts say the incident raises troubling questions about the extent of the breach at a company that makes software running on hundreds of millions of computers. Writing on Thursday, Brad Arkin, Adobe's Senior Director of Product Security And Privacy, reassured customers that the company's source code wasn't stolen, nor did the hackers have access to code for any of Adobe's core products like Adobe Reader or Flash. However, those with expertise in breaking into networks and cleaning up after hacks said the nature of the attack – which Adobe has described as having the characteristics of an 'APT' – or advanced persistent threat – make it difficult to know what attackers did or did not have access to and whether or not the threat has been removed. 'If you put yourself in the hacker's position you realize how much they must have known about Adobe internals to perform the hack they performed,' said Dave Aitel of Immunity Inc. 'If they had that kind of access it's very hard to say that they were limited in their access and are completely removed from the network.'"
They got in by having an employee of Adobe open a PDF or watch Flash...
Perl Programmer for hire
I've been trying to order the Lightroom 4 upgrade all weekend, and their servers keep failing to accept the order at the very last step, either after accepting credit card information or after PayPal has processed the payment, depending on which payment method I choose. These may be isolated incidents, but the timing of these server failures is disconcerting, at the very least.
Check out my sci-fi/humor trilogy at PatriotsBooks.
would you have ANY machine with access to the source code, connected in any way whatsoever to the outside world?
Easiest way not to get compromised (from the outside at least) - don't connect *everything* to the fucking Internet.
Their director of security "reassured" customers Adobe's source code wasn't stolen? You want to know why Adobe's got problems that never end, that tells you everything you need to know about Adobe's attitude about security right there. The guy in charge of security doesn't even know what that word means.
...that I stopped using Adobe products a long time ago.
Just unplug the goddamn thing...
If hacker cat iz in yoor netwirkz, stealin' yer codez, UNPLUG IT.
"Reassured customers?"
Huh?
Surely customers would rather have the source code, no?
Now that Adobe's pushing customers to run the cloud-linked Adobe Creative Suite, this means hackers have a better likelihood of hacking Adobe's customers. Great job.
Remember kids, if you're not paying for the service, YOU ARE THE PRODUCT THAT IS BEING SOLD.
What OS did this normal provisioning build server run on, Windows, Linux, Apple or what?
Wait a minute. I'm a manager, and I've been reading a lot of case studies and watching a lot of webcasts about The Cloud. Based on all of this glorious marketing literature, I, as a manager, have absolutely no reason to doubt the safety of any data put in The Cloud.
The case studies all use words like "secure", "MD5", "RSS feeds" and "encryption" to describe the security of The Cloud. I don't know about you, but that sounds damn secure to me! Some Clouds even use SSL and HTTP. That's rock solid in my book.
And don't forget that you have to use Web Services to access The Cloud. Nothing is more secure than SOA and Web Services, with the exception of perhaps SaaS. But I think that Cloud Services 2.0 will combine the tiers into an MVC-compliant stack that uses SaaS to increase the security and partitioning of the data.
My main concern isn't with the security of The Cloud, but rather with getting my Indian team to learn all about it so we can deploy some first-generation The Cloud applications and Web Services to provide the ultimate platform upon which we can layer our business intelligence and reporting, because there are still a few verticals that we need to leverage before we can move to The Cloud 2.0.
They own an analytic suite that is used by large corporations (including some banks). So I wonder if they got access to that, as the information on there has a much higher resell value than something like the Photoshop source code.
And yes they host all the data as it is a SaaS.
There are several reasons, but they all boil down to because it is 2012, and people want to actually be able to get work done. For example, much of the information you need to get the job done is on the internet, and manually typing commands that you find with google searches by reading them from one computer connected to the internet into another that is not is just slow and stupid. How do you propose the guys in New Zealand share their code base with the developers in California and vice versa? Snail mail? It is entirely possible to have a computer safely connected to the internet*.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Really?
What has he been doing for the last 10 years or so?
Apparently nothing. Flash & Acrobat probably have the worst security record in history. Not sure if Java or IE ranks higher.
Oh please, Flash just has the worst PUBLISHED security record because its incredible pervasiveness made it a highly attractive attack vector. There's plenty of software out there that makes Flash look like a digital Fort Knox by comparison.
There's plenty of software out there that makes Flash look like a digital Fort Knox by comparison.
Windows? /me tiptoes away..
Insert
What I am about to describe is certainly a well-known hole, but when it happens to a big popular vendor it makes the problem a whole lot more significant.
We now have all these systems out there that make us safe :-P by only running signed code. We have all these policy mechanisms like Microsoft's AppLocker that encourage admins to start whitelisting applications not by secure hash but by X.509 properties on a certificate. It's less work; after all, I want users to be able to run Acrobat and Flash, and I don't want to have to update my GPOs every five hours when Adobe releases a patch.
Guess what most of these devices don't do? Revocation checks, or at least it's default permit when they can't do a revocation check. Leaks and other PKI fails like this are a very real threat to environments we otherwise think of as hardened.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
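Added example (editor's, not part of the post above or of any AppLocker or Adobe code): the "default permit when no revocation check happens" problem, reproduced with nothing but POSIX sh and openssl. It builds a throwaway publisher CA, issues a code-signing certificate, revokes it and publishes a CRL, then runs two trust checks against the revoked certificate: one that only builds the chain (the publisher-rule behaviour the post describes) and one that also consults the CRL. All names and paths are hypothetical; the only assumption is an openssl binary on PATH.

```shell
#!/bin/sh
# Added example, not from the thread. Shows that a signature chain check
# which skips revocation still accepts a revoked code-signing certificate.
# CA names, file names and directories are hypothetical; assumes openssl.
set -eu

# Build root CA, code-signing leaf and a CRL revoking that leaf in a fresh
# temporary directory; print the directory path.
make_revoked_publisher() {
  dir=$(mktemp -d)
  (
    cd "$dir"
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_root
[ req_dn ]
[ v3_root ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
database         = index.txt
new_certs_dir    = .
serial           = serial
certificate      = ca.pem
private_key      = ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = any_policy
[ any_policy ]
commonName       = supplied
[ code_signing ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = codeSigning
EOF
    : > index.txt
    echo 01 > serial
    # Self-signed root able to sign both certificates and CRLs.
    openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes \
      -keyout ca.key -out ca.pem -days 365 -subj "/CN=Demo Publisher Root"
    # The publisher's code-signing certificate, recorded in the CA database.
    openssl req -config ca.cnf -newkey rsa:2048 -nodes \
      -keyout leaf.key -out leaf.csr -subj "/CN=Demo Publisher Code Signing"
    openssl ca -batch -notext -config ca.cnf -extensions code_signing \
      -in leaf.csr -out leaf.pem
    # The signing key leaks: revoke the certificate and publish a CRL.
    openssl ca -config ca.cnf -revoke leaf.pem
    openssl ca -config ca.cnf -gencrl -out crl.pem
  ) >/dev/null 2>&1
  printf '%s\n' "$dir"
}

# Chain check only: the certificate chains to a trusted root, so it passes.
check_without_revocation() {   # $1 = directory from make_revoked_publisher
  openssl verify -CAfile "$1/ca.pem" "$1/leaf.pem" >/dev/null 2>&1 \
    && echo permit || echo deny
}

# Same chain check with the CRL consulted: the revoked certificate fails.
check_with_revocation() {      # $1 = directory from make_revoked_publisher
  openssl verify -crl_check -CAfile "$1/ca.pem" -CRLfile "$1/crl.pem" \
    "$1/leaf.pem" >/dev/null 2>&1 && echo permit || echo deny
}

d=$(make_revoked_publisher)
echo "without revocation check: $(check_without_revocation "$d")"
echo "with revocation check:    $(check_with_revocation "$d")"
```

The first check is what a publisher-based allow rule amounts to when revocation is off or unreachable: the chain is fine, so a binary signed with the leaked key runs. Only the second check, which fails closed when the CRL says the certificate is revoked, turns a leak into a blocked binary.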
Plenty of slashdot posters keep copy/pasting talks like this... and get +5 Funny for it.
http://www.google.com/search?q="I+don't+know+about+you+but+that+sounds+damn+secure+to+me"+site%3Aslashdot.org
Gleefully I don't wish them well.
And how long has Adobe been pushing Acrobat down peoples's throats with that damned "must have Acrobat to read PDFs" BS?
The issue is that it was possible in this way in the first place. Only absolute incompetents place signing certificates of this importance on systems connected to the network. Adobe either does not care about security at all, or worse, does not understand even the basics. Now, _that_ is a cause for worry.
If you even have basic understanding, the code signing certificate goes onto an isolated system (e.g. laptop, stored in a safe) which is never connected to the network and does one thing: Signing. If you are a bit more careful, the signing system never sees the distribution packages, but just the hashes, which are typed in and exported on media the system never reads, only writes. All this is _easy_ to do. A Linux or OpenBSD box with openssl and some scripting is enough. System updates are not necessary. A competent security expert could set this up in a day as a demo and in a week with documentation and risk analysis. The signing process would require maybe 10 minutes of manual work per signature. All not a problem and cheap to do, as long as you have that one competent security expert and follow his/her security advice.
So my guess is that Adobe actually has zero competent security experts. And that after public reports of CAs being compromised and SecurID being hacked. This actually seems to indicate that Adobe does not even have half-competent security experts or does not listen to them at all. Now, _that_ is grounds for very real worries.
The only way I see to fix this is personal criminal liability for the ones responsible for such cases of gross negligence by making it a regulatory requirement, i.e. send the incompetent bean-counters to jail for failing to hire security experts or failing to let them do their job. The only way to get out of that should be that they can prove a) sound security architecture, design and implementation and b) independent review by competent experts and implementation of the expert recommendations. Of course, mistakes can happen. For those, the company should still be fined heavily, but no personal criminal liability, unless they pile up. Without something this strong, cretins with an MBA but no understanding of the subject or the world will always break security by trying to do it too cheap or not at all (or plain wrong). There need to be real and very unpleasant personal consequences for not using effective IT security measures.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
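Added example (editor's, not part of the post above and not Adobe's or anyone's production tooling): the hash-only signing station the post sketches, done with POSIX sh and openssl. The release machine computes a SHA-256 digest of the package; only that 64-character hex string is typed into the offline box; the offline box signs the digest and hands back a base64 signature on write-only media; the release machine then verifies that signature against the whole package. The hex-to-binary helper, key names and file names are all hypothetical; openssl on PATH is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Offline signing of a typed-in digest,
# verified on the online side against the full package. Names are hypothetical.
set -eu

# Decode a hex string to raw bytes with only POSIX printf (no xxd needed),
# so the offline box needs nothing beyond sh and openssl.
hex_to_bin() {   # $1 = hex string
  h=$1
  while [ -n "$h" ]; do
    pair=${h%"${h#??}"}                      # first two characters
    h=${h#??}
    printf "\\$(printf '%03o' "$((0x$pair))")"   # emit one byte as \ooo
  done
}

# Offline station, once: the private key never leaves this machine; the
# public half is exported on write-once media.
make_signing_key() {   # $1 = directory
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$1/signing.key" 2>/dev/null
  openssl pkey -in "$1/signing.key" -pubout -out "$1/signing.pub"
}

# Release side: this digest is the only thing that crosses the air gap.
package_digest_hex() {   # $1 = package file
  openssl dgst -sha256 -r "$1" | cut -d' ' -f1
}

# Offline station: sign the 32-byte digest typed in as 64 hex characters.
# pkeyutl with digest:sha256 wraps it in a PKCS#1 v1.5 DigestInfo, so the
# output is exactly what `openssl dgst -sha256 -sign` over the whole file
# would produce, and the offline box never sees the package itself.
sign_digest_hex() {   # $1 = private key, $2 = hex digest; prints base64 sig
  hex_to_bin "$2" | openssl pkeyutl -sign -inkey "$1" -pkeyopt digest:sha256 \
    | openssl base64 -A
  echo
}

# Release side: check the transcribed signature against the real package.
verify_package() {   # $1 = public key, $2 = package, $3 = base64 signature
  sig=$(mktemp)
  printf '%s' "$3" | openssl base64 -d -A > "$sig"
  if openssl dgst -sha256 -verify "$1" -signature "$sig" "$2" >/dev/null 2>&1
  then echo ok; else echo bad; fi
  rm -f "$sig"
}

work=$(mktemp -d)
make_signing_key "$work"
printf 'constructed sample package contents\n' > "$work/release.tar"   # constructed input
digest=$(package_digest_hex "$work/release.tar")
sig=$(sign_digest_hex "$work/signing.key" "$digest")
echo "digest typed into the signing box: $digest"
echo "verify original: $(verify_package "$work/signing.pub" "$work/release.tar" "$sig")"
printf 'tampered\n' >> "$work/release.tar"
echo "verify tampered: $(verify_package "$work/signing.pub" "$work/release.tar" "$sig")"
```

Because pkeyutl signs the digest with the same DigestInfo encoding that `openssl dgst -sign` uses, the verifier on the online side is the ordinary whole-file check and needs no knowledge of the offline procedure. The signing box's only inputs are 64 hex characters on a keyboard, which is what keeps a compromised build server from feeding it anything else.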
Yeah, keep telling yourself that. And when you pull your head out of the sand, maybe look at the facts.
What makes it a highly attractive attack vector is its pervasiveness _combined_ with the incredible ease it can be attacked with. If it were hard to attack, nobody (except maybe TLAs with no economic accountability) would attack it. Remember that writing exploit code for well secured systems can take man-years of qualified experts. Flash can be attacked on the cheap with a small budget.
I think you missed my point, which was: Flash may be historically easy to exploit, but then so is most of the software out there. However, most software is not subjected to its constant proddings.
Oh please, Flash just has the worst PUBLISHED security record because its incredible pervasiveness made it a highly attractive attack vector. There's plenty of software out there that makes Flash look like a digital Fort Knox by comparison.
Windows is a very large, very complex bit of software. Flash is TINY, around 10 megabytes.
It's entirely feasible with good software practices to write a very secure program of that size.
Adobe just doesn't give a shit.
..still don't see a problem. They are too busy sending PDFs to Chinese "business partners", I assume. At the corpo I work, Adobe crap is forced on me, despite the fact that I removed it and want to use evince. It comes back like the Plague in a town without sanitation.
If all the security problems were an issue to the "MBA elite", they would have voted with their money and Adobe would be bankrupt. What does that mean? They are already selling out all the hard-won secrets of American and European corporations by other means. Just relax and wait until the unemployed masses hoist them up the lanterns. Most of security is a fucking show for the non-illuminated.
As long as our elite are traitors to their own people, there will not be proper security. The Chicoms are real patriots and they trick our Traitor Elite into handing them our secrets one way or the other. Ours are egotist scumbags and have 0% patriotism and loyalty to their respective people left. I'll applaud when the masses will rise. I am not a commie, but neither will I protect these scumbags.
I did not miss the point. The point is just plain wrong, however often repeated. The number of deployed systems is just one factor among many.
For one thing, the probability of a compromise does not depend on the intensity of prodding, but on attacker competence vs. the level of software security. This is not a randomized process except in some details (fuzzing). To build the actual exploit once you have fuzzed a vulnerability is not randomized at all, but solid engineering work. Now, fuzzing is easy and can be done automatically. Building the exploit code is not. The level of effort and skill needed directly depends on the security level of the target. For things like Flash, it is very, very easy, i.e. weeks of effort and many people can do it. For things like, say, the Linux kernel or Apache (not its modules), it is very, very hard, i.e. not many people can do it in the first place and it takes many months to years (a figure of 6-12 expert engineer months was floating around a few years back in security circles). The overall effort is not dominated by the fuzzing, but by the exploit creation.
This also means attacking secure systems requires a significant up-front investment. Attacking insecure systems (like Flash) can be done by hobbyists over the weekend.
Another example: web servers running Linux get a higher level of hacking attempts (more competent) than those running Windows. Why? Better network connectivity, better reliability, less risk some script kiddie takes it away from you after you hacked it. Of course that never makes it into the press, but it is well known in sysadmin circles. Still they get compromised less. Why? Better security architecture, default configurations and administrators. This does not seem to hold for the xBSDs though, likely because they are even harder to attack and there are really not a lot of those around. So in the end, number of deployed systems is one factor, but value of the target and difficulty level in building the exploit are of the same importance.
So stop defending bad software that everybody and their grandmother can hack by the "number of deployed systems" argument. It is just bogus.
From your reply it is obvious that you think I am defending Flash on its security record. I am not. Nor am I talking about your beloved Linux; most software is not as well-hardened as it is. What I'm saying is not that Adobe/Flash is good at security, but that most software is equally as bad. Card Maker 1-2-3, SuperCloud!, Fashionable DB, Hipster Web Stack 3.0, Robot Bunny Attack, and their ilk are just as full of holes. So, the statement "Flash has the worst security record of any software" is misleading at best simply because all the other shit software out there doesn't get equally attacked and doesn't attract attention from the press.
You need to tell that to the rest of the world, who have been doing it that way for decades.
Really? Again, you don't know how best practices work.
If only there was a way to do it right! You are missing the whole point, which is that if you make it impossible for people to get and build the code they are working on without jumping through a million hoops, they will simply work around it by grabbing a local copy on their poorly secured machines, including laptops. This is security 101, actually.
Also, there is no commercial viability to stolen proprietary code. Anyone who tries to package it and sell it as their own will be caught. It is also more costly to try to reuse a code base when nobody has any experience with it than it is to simply do it yourself. Only a complete moron would try to steal proprietary and try to leverage it commercially. The only place where an air gap makes sense is between the code signing infrastructure and the rest of the world. An air gap between your code base and your developers is the absolute last thing you want.
Don't just fire the director of security. Fire the Adobe CEO. Adobe is TERRIBLY managed.
If you are saying that insecure software gets attacked more when it is more widespread, then I can agree to that.
And no, I do not "love" Linux at all. It sucks. It just sucks less than everything else.
If I can't get to the internet while I work (and access the source code), I won't work for you. Call that entitled, call it childish, but I call it normal business in 2012.
For security, this is FAIL. You should have two computers at your desk.
One is purely for the internet. The only services are network fundamentals (DHCP, DNS, etc.), printers, and external email. Email between employees should be blocked to reduce temptation.
The other is purely internal. It gets continuously monitored to detect an accidental or illicit connection to the internet. If an internet connection happens, an alarm goes off and/or power to the internet router is cut. You run all sorts of servers on this network: email, irc, wiki, slashcode, voip, etc. For this network, NO WIRELESS.
If you need to move data, burn a DVD. Normally, data should only move from the internet to the secure network.
You really need to get those development machines disconnected from the internet. A firewall is not enough. OTOH, less-restricted internet access is very useful for a developer. The solution is separate computers on separate networks.
Yes, it is an expense, but only the development machine needs to be nice hardware. For example you could use a Pentium II with 512 MB RAM for the internet, but use the latest Core i7 with 16 GB RAM on the development network. (adjust both as required for the budget) The internet equipment might get 100 megabit ethernet or worse, while the development equipment gets gigabit ethernet or better.
On the internet side, make a policy of frequently (randomly) doing clean OS installs. This keeps people from leaving company-proprietary stuff on them. Don't allow network services there except printers and external email. (No shares!) Don't allow email that could be sent on the internal network.
This year I happened to be a paid-up member of the Apple Developer program for Mac OS X. After I paid, I went to their web site and downloaded my signing keys, for the installer and for the application. It seems to me that sending the keys over the internet at all is a gross security violation. Off the top of my head, I don't see a practical way of transporting these keys from Cupertino to a worldwide collection of developers. I agree that the signing keys should never be on a machine connected to the Internet. What is wrong with this picture, and how do we make this better?