BreachExchange mailing list archives

How the Adobe hack could fuel next wave of cyberattacks


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 4 Oct 2013 23:39:45 -0600

http://www.usatoday.com/story/cybertruth/2013/10/04/how-the-adobe-hack-could-fuel-next-wave-of-cyberattacks/2923941/

Adobe has taken several steps to calm concerns among its corporate users
about the loss of customer account data and critical source code to hackers.

The company has begun advising enterprise customers that Adobe product
users will be required to change their account password at their next login
attempt.

The breach does not affect users of Adobe Creative Cloud or Digital
Publishing Suite -- other than a password reset.

Adobe will also be sending notification letters over the next two weeks to
customers whose individual accounts were breached.

"There are no indications to date that attackers have leveraged the
illegally accessed source code to harm Adobe customers," says Adobe's CSO,
Brad Arkin. "We are not aware of any specific increased risk to customers
as a result of a potential theft of the product source code."

The fact that it took an exposé by krebsonsecurity.com to prompt Adobe to
alert customers of this devastating breach is not surprising, says Peter
Toren, a former federal prosecutor of computer crimes, who is now with
Weisbrod Matteis & Copley.

All but four states have enacted data loss disclosure laws modeled after
the pioneering California statute that was the first to require companies
to notify customers, should any personal data held by the business turn up
lost or stolen. Only Alabama, Kentucky, New Mexico and South Dakota do not
have data loss disclosure laws, according to datalossdb.org.

But adherence to such laws has been uneven. "As this highlights, data loss
disclosure laws are not nearly as effective in protecting consumers as they
should or need to be," Toren says. "Presently, there is no federal law
addressing this issue and the state laws that do exist are a patchwork of
different standards and requirements."

Despite the implementation of 46 state data loss disclosure laws, corporate
execs still do not feel compelled to do the right thing. "Many companies
believe that it is worth the risk of not reporting since reporting could
mean a loss of consumer confidence in the brand," Toren says. "Until there
is a federal law with real penalties for not reporting, these types of
incidents are likely to continue."

Meanwhile, corporations would be wise to brace for a fresh wave of
cybercriminal activity that is likely to spin out of the Adobe breach,
security experts say.

Now out in the Internet wild are personal and financial data for 2.9
million more individuals -- Adobe product users. Perhaps more worrisome,
source code for Adobe Acrobat PDF reader and Adobe ColdFusion web app
developer's tool has begun circulating.

Concern is brewing that the bad guys seem certain to use knowledge of
Acrobat source code to intensify already widespread attacks revolving
around corrupted PDFs.

"Having the source code to an application is like having the blueprints to
a product," says George Tubin, senior security strategist at Trusteer, an
IBM company. "Having access to it expedites the vulnerability
identification process -- leading to more weaknesses being identified and
used for cybercrime."

Dave Jevans, CTO and founder of mobile security vendor Marble Security,
concurs. "It is 100 times easier to find new exploits if you have the
source code, than if you have to disassemble the binary," Jevans says.
"Plus you may discover exploits on other platforms, like the Mac."

The fact that ColdFusion's source code is out in the open is particularly
ominous. ColdFusion supports the new HTML5 standard being used for the new
generation of mobile apps, and it is widely used in building websites,
business apps and mobile apps for corporate use.

"Now that attackers have access to the ColdFusion source code they can much
more easily find exploits and attack enterprises through their own web apps
and mobile apps," Jevans says. "This could create the next wave of advanced
attacks against enterprises."

Tubin points out that the bad guys have already started using ColdFusion
vulnerabilities to deliver malicious content to computing devices.

By reverse engineering ColdFusion's code, bad guys are likely to find fresh
security holes that "can give hackers full access to the web server, all
files on the server and admin rights to the server," Tubin observes.
"Further, this type of compromise can be used as a stepping stone into the
broader corporate network in an APT (advanced persistent threat) type of
attack."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss