Now that we’ve had a little time to absorb the impact of the Adobe breach, there are a few lessons we can learn already. First, a link for those who have been living in a cave and don’t know what I mean: Krebs on Security has had great coverage.
What we know:
- Adobe was breached via a vulnerable ColdFusion web application server exposed to the Internet. ColdFusion is an Adobe product.
- The vulnerability had been publicly known for months, and the server was not patched
- 38 million users’ accounts were compromised
- Source code for Acrobat, Reader, ColdFusion and Photoshop has been compromised
Two Initial Lessons
User accounts are a huge target for attackers. Basically, every big breach you read about includes breached user accounts. Even if there is no financial data in the account, a compromised username and password lets the bad guy begin attacking the user’s other accounts, since it is quite common to use the same ID/PW combination for most accounts. If an email account can be compromised, then breaking in to financial accounts gets really easy. The first thing all users should do is use different passwords for email accounts, product sites like Adobe, and financial sites.
Organizations continue to be compromised, breached and exploited through vulnerabilities and bugs in their systems that are well known and published. Although the vulnerabilities are known and patches are available, companies are not patching their systems. Contrary to the belief that this is because companies don’t care about security, I will argue that patching everything has essentially become impossible. When a large organization runs a vulnerability scan of its systems, it produces a printout the size of the Manhattan phone book. There is no way, in the midst of every other priority out there, for the IT teams to deal with all of these vulnerabilities. They don’t even know which ones are important or how to prioritize them. The key lesson here is that patching vulnerabilities requires tackling the problem by determining where and how the adversary will attack you, and defending there. It basically requires that we do something new and disruptive.
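To make the prioritization point concrete, here is an added example (my own code, not anything from the post or from Adobe) that ranks scan findings by where an attacker is most likely to hit first: Internet-exposed hosts, vulnerabilities that are already public with a working exploit, and findings that have sat unpatched for months. The weights, the sample findings and the vulnerability IDs are all constructed for illustration; the one that mirrors the Adobe case is an exposed ColdFusion server with a months-old public bug.

```python
"""
Added example: rank vulnerability-scan findings by likely attacker interest
rather than by raw count or raw severity. The scoring weights are assumptions
chosen for illustration; the findings and IDs below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class Finding:
    host: str
    service: str
    vuln_id: str           # placeholder identifier, not a real CVE
    cvss: float            # base severity 0-10 as reported by the scanner
    internet_facing: bool  # reachable from the Internet?
    public_exploit: bool   # is a working exploit publicly available?
    published: date        # date the vulnerability was publicly disclosed


def priority_score(f: Finding, today: date) -> float:
    """Higher score = patch sooner. Exposure dominates raw severity."""
    score = f.cvss
    if f.internet_facing:
        score *= 3.0       # anyone on the Internet can reach it (the ColdFusion case)
    if f.public_exploit:
        score *= 2.0       # the attacker needs no research of their own
    days_open = (today - f.published).days
    # each month the bug has been public adds a point, capped at one year
    score += min(days_open, 365) / 30.0
    return round(score, 2)


def rank_findings(findings, today):
    """Return findings sorted from most to least urgent."""
    return sorted(findings, key=lambda f: priority_score(f, today), reverse=True)


TODAY = date(2013, 10, 31)  # constructed reference date for the sample

# Constructed sample scan output: four findings, deliberately mixing
# high-severity-but-internal bugs with lower-severity-but-exposed ones.
SAMPLE = [
    Finding("www-cf-01", "ColdFusion", "VULN-PLACEHOLDER-1", 7.5, True, True, date(2013, 1, 15)),
    Finding("ws-4412", "Workstation OS", "VULN-PLACEHOLDER-2", 9.8, False, False, date(2013, 10, 20)),
    Finding("db-int-03", "Database", "VULN-PLACEHOLDER-3", 6.5, False, True, date(2013, 6, 1)),
    Finding("www-mkt-02", "Web server", "VULN-PLACEHOLDER-4", 4.3, True, False, date(2013, 9, 1)),
]


if __name__ == "__main__":
    for f in rank_findings(SAMPLE, TODAY):
        print(f"{priority_score(f, TODAY):6.2f}  {f.host:12} {f.service:15} {f.vuln_id}")
```

Run it and the exposed ColdFusion server lands at the top even though the internal workstation bug has the highest CVSS score; that inversion is the whole point of scoring on exposure and exploit availability before severity.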
Finally, we know that much of Adobe’s source code for their software has been compromised. This from a company that has a really bad track record of serious security flaws in their software anyhow. Now the bad guys have direct access to Adobe source and will be able to discover all sorts of previously undiscovered vulnerabilities. If at all possible, you should stop using software from Adobe right now.
*Update 10/31/13 – Welcome Instapundit readers …. take a look around. This blog is primarily about Information Security, which is my profession, but also has some interesting stuff on my chickens, cigars and backyard home offices. 🙂