It’s been a while since I’ve talked about Adobe-related security problems, but Adobe security was in the news at the end of last week with the announcement of a major breach. According to Computerworld, nearly 3 million customer accounts were breached and source code was also stolen. Adobe’s spin on the breach is that the data in the accounts was encrypted – does that mean that we shouldn’t worry about the information the hackers have? Of course not, and Adobe announced that it will be contacting users whose information was compromised, telling them that they need to reset passwords.
The attack on the consumer data may have been the result of the age-old problem of not updating software. Brian Krebs wrote:
“The revelations come just two days after KrebsOnSecurity published a story indicating that the same attackers apparently responsible for this breach were also involved in the intrusions into the networks of the National White Collar Crime Center (NW3C), a congressionally-funded non-profit organization that provides training, investigative support and research to agencies and entities involved in the prevention, investigation and prosecution of cybercrime. As noted in that story, the attackers appear to have initiated the intrusion into the NW3C using a set of attack tools that leveraged security vulnerabilities in Adobe’s ColdFusion Web application server.”
Krebs went on to say that many networks are running outdated software and this, of course, leaves them vulnerable to an attack.
But as devastating as the breach is for consumers, the enterprise needs to pay attention to the theft of the source code. As Chris Petersen, CTO and co-founder of LogRhythm, told me in an email:
“When it comes to the source code breach, the first risk Adobe is concerned with is that malicious code was inserted into product source code and then distributed to customers in a compiled form. The second risk is their source code being out in the open to would-be attackers. Having access to product source code can allow attackers to identify software vulnerabilities that have been undiscovered to date. Both risks could result in a treasure trove of zero-day exploits against Adobe software. If indeed the source code stolen pertains to ColdFusion and Acrobat, this could leave thousands of web servers open to at-will compromise and make it easier to compromise end-user systems. This breach is a chilling reminder that all software companies should be on guard, as they too could be a stepping stone to other targets.”
Byron Acohido at USA Today claims that this theft could lead to a new upturn in cyberattacks. It is something everyone in the security industry should be paying close attention to.