Adobe on Thursday announced what has become depressingly familiar news to consumers and security experts: It has been hacked, and on a large scale.
"Very recently, Adobe's security team discovered sophisticated attacks on our network, involving the illegal access of customer information as well as source code for numerous Adobe products," said Brad Arkin, the company's chief security officer. "We believe these attacks may be related."
The attackers accessed customer IDs and encrypted passwords on Adobe's systems, Arkin said, and removed information relating to 2.9 million Adobe customers, including their names, encrypted credit or debit card numbers and expiration dates -- but not, the company believes, decrypted credit or debit card numbers.
Adobe is working internally and with external partners and law enforcement to address the incident, he added. Meanwhile, it's also resetting relevant customer passwords and notifying affected customers of the breach; those customers will be offered credit monitoring services.
'A Massive Source Code Trove'
Also being investigated, meanwhile, is the illegal access of source code for Adobe Acrobat, ColdFusion, ColdFusion Builder and other Adobe products. Adobe is not aware of any zero-day exploits targeting Adobe products, but it does recommend customers run only supported versions of the software.
That attack was first discovered about a week ago by KrebsOnSecurity and Hold Security, which jointly discovered "a massive 40 GB source code trove stashed on a server used by the same cybercriminals believed to have hacked into major data aggregators earlier this year, including LexisNexis, Dun & Bradstreet and Kroll," said Brian Krebs, author of the KrebsOnSecurity blog.
"The hacking team's server contained huge repositories of uncompiled and compiled code that appeared to be source code for ColdFusion and Adobe Acrobat," he explained.
Adobe did not respond to our request for further details.
Rating Adobe's Response
To Adobe's credit, it did encrypt the customer credit card numbers, Aaron Titus, chief privacy officer at Identity Finder, told TechNewsWorld.
Offering credit monitoring services is never a bad move in such events, Titus continued, but in some ways it's like shutting the barn doors after the horse is out, he said
"They've also reset passwords, though they haven't directly acknowledged that passwords were compromised," he observed.
All in all, it was an adequate response, but "no response can ever put the toothpaste back in the tube, and a far better response is to engage in sensitive data management practices that stop breaches" before they impact the end user, Titus concluded.
Proceed at Your Own Risk
Adobe's customers will definitely have to be on the lookout, as will the security industry, Dave Jevans, chief technology officer and founder of Marble Security, told TechNewsWorld.
"Consumer information has been stolen and will likely be resold by criminals to cyberfraudsters," Jevans explained. "Consumers and businesses who have done business with Adobe should cancel credit cards and monitor their credit reports."
Also, "consumers who used the same password on Adobe's websites as on other websites could find that password gets used by attackers to break into their email or other sites," he warned.
As for businesses and websites that run Adobe products such as Cold Fusion, they should make sure they are up to the latest patch levels and "in constant contact with Adobe in case new patches are issued based on this breach," Jevans advised.
'You Have Free Run'
Indeed, users should take the breach very seriously, urged Tom Keigher, a senior penetration tester with Foreground Security.
"Even before the source code had been stolen, there had been a steady stream of vulnerabilities in Adobe Acrobat," Keigher told TechNewsWorld. "Now, with the source code exposed, any attacker looking for new vulnerabilities will have a much easier time of it. They have everything they need to see and understand how Adobe's products work, down to the very last technical detail."
One clear mistake Adobe has made is relying on encryption alone, Joseph Santangelo, principal consultant with Axis Technology, told TechNewsWorld.
"Encryption is good for situations like laptop and storage devices, but if you're a victim of an attack where access to applications is compromised, such as a SQL injection or phishing scam, you might as well leave your wallet on the sidewalk, because that's how vulnerable your data will be with encryption.
"The problem with most enterprise application security is that it's pretty black and white: If you gain access, you are who you say you are as far as the applications are concerned," Santangelo continued. "So that means, encrypted or not, you have free run of the data within because, well, you're authorized to be there. Companies should be adding additional layers such as data masking in addition to encryption."