Slashdot Mirror

← Back to Stories (view on slashdot.org)

Lingering Questions On the Extent of the Adobe Hack

Posted by Soulskill on from the known-unknowns-and-unknown-unknowns dept.

chicksdaddy writes "In the wake of Adobe's warning on Thursday about a high profile compromise on its network, security experts say the incident raises troubling questions about the extent of the breach at a company that makes software running on hundreds of millions of computers. Writing on Thursday, Brad Arkin, Adobe's Senior Director of Product Security And Privacy, reassured customers that the company's source code wasn't stolen, nor did the hackers have access to code for any of Adobe's core products like Adobe Reader or Flash. However, those with expertise in breaking into networks and cleaning up after hacks said the nature of the attack – which Adobe has described as having the characteristics of an 'APT' – or advanced persistent threat – make it difficult to know what attackers did or did not have access to and whether or not the threat has been removed. 'If you put yourself in the hacker's position you realize how much they must have known about Adobe internals to perform the hack they performed,' said Dave Aitel of Immunity Inc. 'If they had that kind of access it's very hard to say that they were limited in their access and are completely removed from the network.'"

6 of 97 comments (clear)

  1. Fire this guy by RonVNX · · Score: 4, Insightful

    Their director of security "reassured" customers Adboe's source code wasn't stolen? You want to know why Adobe's got problems that never end, that tells you everything you need to know about Adobe's attitude about security right there. The guy in charge of security doesn't even know what that word means.

    1. Re:Fire this guy by Anonymous Coward · · Score: 5, Insightful

      It's actually too bad. If Adobe's source code got stolen, maybe a few bugs would actually get fixed instead of them just constantly punting the problems down the road until they become zero-day security exploits.

    2. Re:Fire this guy by Black+Parrot · · Score: 4, Insightful

      Their director of security "reassured" customers Adboe's source code wasn't stolen? You want to know why Adobe's got problems that never end, that tells you everything you need to know about Adobe's attitude about security right there. The guy in charge of security doesn't even know what that word means.

      It sounded like the reassurance was for shareholders, not customers.

      --
      Sheesh, evil *and* a jerk. -- Jade
  2. Re:Why the fuck by muon-catalyzed · · Score: 3, Insightful

    Source code? I want them to immediately and clearly state whether my credit card info is safe. If they can't tell then we must assume all CC data have been compromised.

  3. Re:Wouldn't it be just if ... by EdIII · · Score: 3, Insightful

    most pdfs you can download from the internet anyway.

    Except all the ones used by businesses like insurance companies, financial companies, banks, etc. So many of them actually require Acrobat to open and run. More than a couple of the websites used for employees and 3rd party companies use embedded PDF to exchange documents relating to customers.

    Adobe is not making any money on the majority of PDFs freely available for download. It's the corporations actually purchasing Acrobat and its related products that are creating revenue. You won't see any of that stuff on a public site.

  4. Re:Why the fuck by EdIII · · Score: 4, Insightful

    Not having Internet access to every site you want is not cubicle prison. Sometimes security is quite necessary, because as you can see, shit like this happens.

    While you sit there and complain about cubicle prisons are you also thinking about the risks to the customers? How would they be impacted if your company lost their private data? Security is about cooperation. You're not there to surf the Internet. You're there to work.

    How many horror stories and tanked companies do you need to hear about before it sinks in that security, especially when dealing with business data, is paramount?

    You would not be downloading source to your laptop at my company. In fact, your laptop could not even connect to the corporate network at all. Fuck that BYOD hippie utopia shit. USB is even disabled to prevent data leakage. Not just from you either. You know that the majority of the day you are not actually sitting in front of those computers right?

    All this may make me sound like a tyrant, but I am huge proponent of breaks. I provide guest wireless everywhere in the company, and as long as it a personal device, you can go nuts doing whatever you want.

    I still think people have become far too addicted to online communications to the point where it is unhealthy. You don't need to be running a full check on the Internet every 5 minutes to see if somebody twittered something new and interesting. Hey, as long as you are meeting your deadlines and getting stuff done, it's not my business where and when you take your breaks.

    Anon does have a point about a sense of entitlement. It really does seem like all the new workers coming into companies these days believe that if they can't have full control over the system and access anything in the world they want, when they want it, that it is all of the sudden "fascism" and "cubicle prisons". When you try to calmly explain why security is important to protect business data, invariably, they roll their eyes and exclaim that you are too uptight and paranoid.

    One of the side affects of all of the loss of privacy. None of those sadly naive little children will understand when the company goes out of business after being sued by customers. Ironically, I am sure they will ask why IT was not doing its job to protect them....

    Bless your little hearts...