The recent hack of Adobe opened millions of customers to more risks than just stolen credit card data. This post highlights some key issues emerging from the incident and precautions that should be taken.
Adobe Systems announced a couple of weeks ago, on Thursday 3 October 2013, that it was the victim of a sophisticated attack, where information for 2.9 million Adobe customer was accessed, including customer names, encrypted credit card numbers, expiration dates, and other information relating to customer orders. Also, source code for Adobe Acrobat, ColdFusion, ColdFusion Builder and other Adobe products was accessed and downloaded by the attackers.
Adobe publicised the breach after Brian Krebs and Alex Holden, independent IT security experts, contacted them about 40GBs of Adobe product source code found on a server used by hackers. Adobe told them that they were investigating a possible breach since 17 September and the attack appeared to have happened around mid-August.
Issues to ponder
The first questions that popped into my mind when I heard about the breach were, “Why did Adobe take so long to publicise the breach? And why did it take so long to discover it in the first place?” I would think that a company the size of Adobe would have the resources capable of discovering and taking faster action on these breaches.
The most serious aspect of the breach though, is the source code in the hands of hackers. While getting their hands on customer information and credit card data was nice, the source code was a nice paydirt considering the number of people who run Adobe products on their computers (me included).
With the source code, cyber-criminals can effectively find zero-day exploits (exploits for vulnerabilities where no patch exists). Usually hackers would either have to wait for a vulnerability to be discovered in the wild, or reverse engineer patches to find the vulnerabilities. Now they could find vulnerabilities on their own and save lots of time.
Cyber-criminals can even compile their own malicious versions of Adobe software and pass it off as the official version. They will still have to bypass the digital signatures of the installation, but I’m sure that many people would ignore the warning.
The possibility also exists that the hackers may have tampered with the source code on the servers. Adobe may then release the tampered version of the software to the public. It’s unlikely, but still a possibility.
Considering the scope of the breach, you should take a couple of precautions:
- Firstly, if you have an Adobe account, change the password if you haven’t already done so. Adobe would have sent out a notice, but just because you haven’t received one doesn’t mean that you shouldn’t change it.
- If you had any credit card data stored on Adobe’s site because of a purchase you made, or if you used any of their subscription services, talk to your bank about reissuing a card, just to be safe.
- Be careful where you download Adobe software, and ensure that any version you use is digitally signed by Adobe. Better, stick to downloading Adobe software directly from Adobe’s website, well, assuming that the site isn’t hacked… again.
- Install updates for Adobe immediately when released. As exploits may be released quickly, expect patches to be released fairly quickly as well.
- Be extra cautious when opening PDF files from unknown sources.
- Use other software for viewing PDFs. There are lots of good ones out there. Check out this site for some alternatives.
While I still have questions as to how the breach took place, and why it took so long to discover it and to be notified, the horses have already bolted.
In this increasingly connected world, the Internet has become the new Wild West and you can expect to see many more of these high-profile attacks to come. Cyber-criminals are getting better, and unfortunately, those who are supposed to protect us are having a hard time keeping up.
Image credit: Wikipedia