Slashdot Mirror

← Back to Stories (view on slashdot.org)

Lingering Questions On the Extent of the Adobe Hack

Posted by Soulskill on from the known-unknowns-and-unknown-unknowns dept.

chicksdaddy writes "In the wake of Adobe's warning on Thursday about a high profile compromise on its network, security experts say the incident raises troubling questions about the extent of the breach at a company that makes software running on hundreds of millions of computers. Writing on Thursday, Brad Arkin, Adobe's Senior Director of Product Security And Privacy, reassured customers that the company's source code wasn't stolen, nor did the hackers have access to code for any of Adobe's core products like Adobe Reader or Flash. However, those with expertise in breaking into networks and cleaning up after hacks said the nature of the attack – which Adobe has described as having the characteristics of an 'APT' – or advanced persistent threat – make it difficult to know what attackers did or did not have access to and whether or not the threat has been removed. 'If you put yourself in the hacker's position you realize how much they must have known about Adobe internals to perform the hack they performed,' said Dave Aitel of Immunity Inc. 'If they had that kind of access it's very hard to say that they were limited in their access and are completely removed from the network.'"

22 of 97 comments (clear)

  1. Wouldn't it be just if ... by John+Bokma · · Score: 5, Funny

    They got in by having an employee of Adobe open a PDF or watch Flash...

    --

    Perl Programmer for hire
    1. Re:Wouldn't it be just if ... by EdIII · · Score: 3, Insightful

      most pdfs you can download from the internet anyway.

      Except all the ones used by businesses like insurance companies, financial companies, banks, etc. So many of them actually require Acrobat to open and run. More than a couple of the websites used for employees and 3rd party companies use embedded PDF to exchange documents relating to customers.

      Adobe is not making any money on the majority of PDFs freely available for download. It's the corporations actually purchasing Acrobat and its related products that are creating revenue. You won't see any of that stuff on a public site.

  2. I'm getting concerned.... by dgatwood · · Score: 4, Interesting

    I've been trying to order the Lightroom 4 upgrade all weekend, and their servers keep failing to accept the order at the very last step, either after accepting credit card information or after PayPal has processed the payment, depending on which payment method I choose. These may be isolated incidents, but the timing of these server failures is disconcerting, at the very least.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

    1. Re:I'm getting concerned.... by machine321 · · Score: 4, Funny

      their servers keep failing to accept the order at the very last step, either after accepting credit card information or after PayPal has processed the payment

      They're not Adobe's servers any more... someone else 0wns them.

    2. Re:I'm getting concerned.... by Zero__Kelvin · · Score: 3, Funny

      Why do you keep repeating the process? The hackers already got your credit card number during the first failed attempt ;-)

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    3. Re:I'm getting concerned.... by dgatwood · · Score: 2

      Insanity. You know, doing the same thing over and over, but expecting different results.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    4. Re:I'm getting concerned.... by cerberusss · · Score: 3, Funny

      Knowing Adobe, I would actually expect the service to get better.

      --
      8 of 13 people found this answer helpful. Did you?
    5. Re:I'm getting concerned.... by Cruciform · · Score: 2

      Let's see... 50 dollars a month which I can afford. Or several thousand dollars all at once which I can not afford.
      There is no better legitimate deal for a hobbyist learning all the tools. And I don't download warez.

  3. Why the fuck by Anonymous Coward · · Score: 2, Insightful

    would you have ANY machine with access to the source code, connected in any way whatsoever to the outside world?

    Easiest way not to get compromised (from the outside at least) - don't connect *everything* to the fucking Internet.

    1. Re:Why the fuck by muon-catalyzed · · Score: 3, Insightful

      Source code? I want them to immediately and clearly state whether my credit card info is safe. If they can't tell then we must assume all CC data have been compromised.

    2. Re:Why the fuck by EdIII · · Score: 4, Insightful

      Not having Internet access to every site you want is not cubicle prison. Sometimes security is quite necessary, because as you can see, shit like this happens.

      While you sit there and complain about cubicle prisons are you also thinking about the risks to the customers? How would they be impacted if your company lost their private data? Security is about cooperation. You're not there to surf the Internet. You're there to work.

      How many horror stories and tanked companies do you need to hear about before it sinks in that security, especially when dealing with business data, is paramount?

      You would not be downloading source to your laptop at my company. In fact, your laptop could not even connect to the corporate network at all. Fuck that BYOD hippie utopia shit. USB is even disabled to prevent data leakage. Not just from you either. You know that the majority of the day you are not actually sitting in front of those computers right?

      All this may make me sound like a tyrant, but I am huge proponent of breaks. I provide guest wireless everywhere in the company, and as long as it a personal device, you can go nuts doing whatever you want.

      I still think people have become far too addicted to online communications to the point where it is unhealthy. You don't need to be running a full check on the Internet every 5 minutes to see if somebody twittered something new and interesting. Hey, as long as you are meeting your deadlines and getting stuff done, it's not my business where and when you take your breaks.

      Anon does have a point about a sense of entitlement. It really does seem like all the new workers coming into companies these days believe that if they can't have full control over the system and access anything in the world they want, when they want it, that it is all of the sudden "fascism" and "cubicle prisons". When you try to calmly explain why security is important to protect business data, invariably, they roll their eyes and exclaim that you are too uptight and paranoid.

      One of the side affects of all of the loss of privacy. None of those sadly naive little children will understand when the company goes out of business after being sued by customers. Ironically, I am sure they will ask why IT was not doing its job to protect them....

      Bless your little hearts...

    3. Re:Why the fuck by EdIII · · Score: 2, Insightful

      Sorry, I just don't buy into the "the only way to guarantee software developers don't screw up is to lock down every single thing they do". I've worekd there. Bosses that monitor every URL visited by their employees, Companies that don't trust their developers to work, and instead make them fill out time cards for every 15 mintues spent on a task throughout the day (not for billing purposes), Internet firewalls that only let through a whitelist of sites, Full Disk Encryption on Desktop PCs so that build times go up by 4x but we can check the box with some IT blowhard, IT departments that control every single piece of software that goes on your computer, Threats of firing unless you comply with some silly IT regulation (really, you threaten to FIRE HIGHLY PAYED EMPLOYEES as a matter of general procedure??). Man, the list goes on and sounds whiny, I guess. But it sucks, it's an awful atmosphere to work in.

      It's not about you screwing up. I paid you to develop software, not be a security expert. Machines are locked down to an extent, but some developers may not have some restrictions.

      White list and Internet firewalls? Absolutely. Not going to change anytime soon. You don't need Facebook to do your job, or Twitter, or CNN, or Slashdot, etc. StackOverFlow? Sure. Any reasonable site, that is trustworthy enough, can get on the white list if it is beneficial to the job.

      Threats of firing? Only if you are persistent in violating or circumventing the security policies. I don't care what software you install, as long as it is relevant to the job. Actual termination would only occur in extreme circumstances. In the few times that is happened, quite frankly, there were laundry lists of other actions and character flaws. IT related stuff was minor.

      If I'm going to write software for you for a living, there is a better way. It's called trust.

      I work for a company that trusts its employees. However, you're not all security experts, nor do you have an expert grasp on what is and is not a threat. The security policies exist not because I don't trust you, but that I need to protect the company.

      Do remember that people can use your credentials to access data and systems too. While I trust you, that does not mean I can give you root access to everything. You don't need to be insulted just because your access is limited. That's like being mad at your operating system because it wants you to run as a user most of the time instead of God Mode.

      Sometimes thieves steal things. No IT policy prevents it 100%

      Of course not. However, good security policies can greatly mitigate the damage and in quite a number of cases catch people before they can harm the company fatally. For instance, if you are logging all access to customer files, and heavily restrict direct access to any systems that have customer data, you can see that Bob in customer service attempted to access 6000 customer files when the average customer service agent only accesses maybe 50 per day. Stuff like that.

      Some security can prevent you from doing your job. Lack of unfettered access to the Internet is not one of them. Restricting developers to exactly what programs they can install and run is pretty stupid though. Depending on what you are developing, you might even need root access to do it.

      The OP (AC) said "would you have ANY machine with access to the source code, connected in any way whatsoever to the outside world?". I would not work at that company. If I can't get to the internet while I work (and access the source code), I won't work for you. Call that entitled, call it childish, but I call it normal business in 2012

      It's not normal business for anyone that is serious about staying in business. Quite frankly, it is entitled.

      Question. If I refuse to give you access to the Internet on your computer to check Facebook, Twitter, etc. but provided separate access for you

    4. Re:Why the fuck by EdIII · · Score: 2

      You're right.

      I'm a CTO, not a manager. Won't say which company since I value my privacy and keep a strong separation between my Internet identities and real life.

      In any case, my arguments should be weighed on their merit. Not whether or not I may actually hold a position.

      Do you have any positions or just profanity?

  4. Fire this guy by RonVNX · · Score: 4, Insightful

    Their director of security "reassured" customers Adboe's source code wasn't stolen? You want to know why Adobe's got problems that never end, that tells you everything you need to know about Adobe's attitude about security right there. The guy in charge of security doesn't even know what that word means.

    1. Re:Fire this guy by Anonymous Coward · · Score: 5, Insightful

      It's actually too bad. If Adobe's source code got stolen, maybe a few bugs would actually get fixed instead of them just constantly punting the problems down the road until they become zero-day security exploits.

    2. Re:Fire this guy by Black+Parrot · · Score: 4, Insightful

      Their director of security "reassured" customers Adboe's source code wasn't stolen? You want to know why Adobe's got problems that never end, that tells you everything you need to know about Adobe's attitude about security right there. The guy in charge of security doesn't even know what that word means.

      It sounded like the reassurance was for shareholders, not customers.

      --
      Sheesh, evil *and* a jerk. -- Jade
  5. Re:Good thing... by hoboroadie · · Score: 2

    Amen.
    It was actually the weirdo updates that ended it for me, but I find I still get plenty of useful data from the web without enabling any Adobe security breaches on my machine.

    --
    They feared that it could be used to suppress protest or support unpopular rule.
  6. Security is NOT an issue with The Cloud. by Anonymous Coward · · Score: 5, Funny

    Wait a minute. I'm a manager, and I've been reading a lot of case studies and watching a lot of webcasts about The Cloud. Based on all of this glorious marketing literature, I, as a manager, have absolutely no reason to doubt the safety of any data put in The Cloud.

    The case studies all use words like "secure", "MD5", "RSS feeds" and "encryption" to describe the security of The Cloud. I don't know about you, but that sounds damn secure to me! Some Clouds even use SSL and HTTP. That's rock solid in my book.

    And don't forget that you have to use Web Services to access The Cloud. Nothing is more secure than SOA and Web Services, with the exception of perhaps SaaS. But I think that Cloud Services 2.0 will combine the tiers into an MVC-compliant stack that uses SaaS to increase the security and partitioning of the data.

    My main concern isn't with the security of The Cloud, but rather with getting my Indian team to learn all about it so we can deploy some first-generation The Cloud applications and Web Services to provide the ultimate platform upon which we can layer our business intelligence and reporting, because there are still a few verticals that we need to leverage before we can move to The Cloud 2.0.

  7. * unless you use Windows by Zero__Kelvin · · Score: 2

    "would you have ANY machine with access to the source code, connected in any way whatsoever to the outside world?"

    There are several reasons, but they all boil down to because it is 2012, and people want to actually be able to get work done. For example, much of the information you need to get the job done is on the internet, and manually typing commands that you find with google searches by reading them from one computer connected to the internet into another that is not is just slow and stupid. How do you propose the guys in New Zealand share their code base with the developers in California and vice versa? Snail mail? It is entirely possible to have a computer safely connected to the internet*.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  8. There are other nasty implications for this by DarkOx · · Score: 4, Interesting

    What I am about to describe is certainly a well know whole but when it happens to a big popular vendor it makes the problem a whole lot more significant.

    We now have all these systems out there that make us safe :-P by only running signed code. We have all these policy mechanisms like Microsoft's Applocker that encourage admins to start white listing applications not by secure hash but by x.509 properties on a certificate. Its less work after all I want users to be able to run acrobat and flash, I don't want to have to update my GPOs every five hours when adobe releases a patch.

    Guess what most of these devices don't do? Revocation checks, or at least its default permit when they can't do a revocation check. Leaks and other PKI fails like this are a very real threat to environments we otherwise think of as hardened.

    --
    Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  9. 48 times dupe... by xded · · Score: 2

    Plenty of slashdot posters keep copy/pasting talks like this... and get +5 Funny for it.

    http://www.google.com/search?q="I+don't+know+about+you+but+that+sounds+damn+secure+to+me"+site%3Aslashdot.org

  10. The issue is not the extend of the breach by gweihir · · Score: 3, Informative

    The issue is that it was possible in this way in the first place. Only absolute incompetents place signing certificates of this importance on systems connected to the network. Adobe either does not care about security at all, or worse, does not understand even the basics. Now, _that_ is a cause for worry.

    If you even have basic understanding, the code signing certificate goes onto an isolated system (e.g. laptop, stored in a safe) which is never connected to the network and does one thing: Signing. If you are a bit more careful, the signing system never sees the distribution packages, but just the hashes, which are typed in and exported on media the system never reads, only writes. All this is _easy_ to do. A Linux or OpenBSD box with openssl and some scripting is enough. System updates are not necessary. A competent security expert could set this up in a day as a demo and in a week with documentation and risk analysis. The signing process would require maybe 10 minutes of manual work per signature. All not a problem and cheap to do, as long as you have that one competent security expert and follow his/her security advice.

    So my guess is that Adobe actually has zero competent security experts. And that after public reports of CAs being compromised and SecureID being hacked. This actually seems to indicate that Adobe does not even have half-competent security experts or does not listen to them at all. Now, _that_ is grounds for very real worries.

    The only way I see to fix this is personal criminal liability for the ones responsible for such cases of gross negligence by making it a regulatory requirement, i.e. send the incompetent bean-counters to jail for failing to hiting security experts or failing to let them do their job. The only way to get out of that should be that they can prove a) sound security architecture, design and implementation and b) independent review by competent experts and implementation of the expert recommendations. Of course, mistakes can happen. For those, the company should still be fined heavily, but no personal criminal liability, unless they pile up. Without something this strong, cretins with an MBA but no understanding of the subject or the world will always break security by trying to do it too cheap or not at all (or plain wrong). There need to be real and very unpleasant personal consequences for not using effective IT security measures.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.