06 October 2013

A major breach of Adobe security

Many of you have heard that hackers (or some government entity) have broken into Adobe's computer systems and stolen information affecting millions of customers:
Software company Adobe just disclosed a significant security breach of its systems in which it said customer user names, passwords and credit card numbers may be affected. “We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders,” Adobe chief security officer Brad Arkin said in a corporate blog post.
Of particular note for those who don't have personal accounts at Adobe:
The attackers apparently made off with source code for several Adobe products, Arkin wrote. In a separate post on that incident, the company said it is not yet aware of any “specific increased risk to customers.”
There was more analysis of this today:
Security experts said this is serious business. “This is a source code breach not just a data breach,” said Dan Hubbard, CTO of web security vendor OpenDNS. “Having source code is a huge advantage because they can more easily hunt for and find weaknesses in the code. Before they’d have to run lots of black-box testing to do that.”

Another security specialist, who could not speak on the record because he works with many of these vendors, agreed. “The issue here is that these guys will be able to find vulnerabilities and develop custom malware and use it privately before it ever goes public,” he said.
And there's a long discussion thread at Reddit.

ELI5. How does this (potentially) affect those of us who have Adobe products (Flash etc.) on our computers but don't have accounts with the vendor? Are we at risk of having the security of our home computers compromised?

4 comments:

  1. Computer tech here. If you've never given Adobe money for anything, or at least don't have an account with them that has a valid CC number, your financial info isn't at risk.

    Whether your computer is at risk via Flash, Reader, etc. depends on whether or not the source code for those programs was among the stuff taken. However, those programs are so universal that they're constantly under attack by hackers. Same goes for Java, Windows, the major browsers, and the like. That's why there are frequent security updates. (Don't ignore those, they're important.) One more hacker getting access to the source code doesn't actually make a big difference in the risk to your computer.

    It's also worth noting that to most hackers, there's not a lot on your computer that's of interest. Businesses that have long lists of financial information or corporate secrets are much more interesting targets. Though it's frightening to hear news reports like this, it's unlikely to have a measurable effect on your life.

  2. I must respectfully disagree (slightly) with Mel... This is an unusually threatening situation because 1) Adobe Flash is an extremely common browser plug-in and is also commonly exploited as an entry-way for malware of all kinds. 2) Having the source code makes a major difference in the ease with which such breaches can be discovered. 3) Although people willing/able to exploit these breaches may not be interested in your computer/data per se, they are surely interested in gathering large numbers of computers to be used in a botnet.

    For preventative measures, the usual advice applies. Be careful when opening email attachments and following links from emails. Update your software.

    Additionally, you could also replace Adobe Reader with an alternative reader (OS X already has Preview by default; for Windows, there is Foxit).

    If you want to take a more drastic step, the anti-Flash crowd has links to removal how-tos here. Whether or not you "need" the Flash plugin depends on the websites you visit, but without it, there is no attack surface in the browser for whatever new exploits are discovered.

    This will not be Internet Armageddon as some hype might suggest. But it would not be foolish to be a little extra prudent in the next few months.

  3. This is one more reason to make sure that you use a different password on every single site you have an account with.

    One of the things they will do is attempt to figure out what your password was at Adobe. I'm pretty sure that Adobe saved a hash of it. But even with a hash, good hackers can figure out a good percentage. Especially those that used simple passwords, dictionary words, etc.

    Once they have your email address and password from your Adobe account, they will find that a sadly large number of people also used the same email and password for other services, or their email account. If they get into your email account, then they can ask for password reset on financial institutions, etc. That allows them to access your bank accounts.

    I can't recommend strongly enough using a password manager. I use LastPass. I let it generate long, strong passwords that are unique for everything. I use two-factor authentication to get into LastPass. Then I let LP manage the passwords for my banks, emails, etc.

    In addition to the passwords, I also let LastPass record bogus answers to challenge questions that some sites use (First pet's name...). I always use random characters as the answer. I record my answers in the LastPass profile for the service. When challenged, I open up LastPass and cut and paste my bogus answer. This technique helps thwart social engineered attacks on my accounts.

    One last trick. If you have Gmail, use their "+" alias service. This lets you generate a unique email address for every account, and they are all aliases for your email address. When you log on to a service with your email account, then that service records your Gmail alias. For example, myname+xxhh44@gmail.com is the same as myname@gmail.com. Since LastPass takes care of the logon details for you, you don't have to remember your alias email address. If someone hacks the service and gets your email address, they don't know the alias you used at other services. So it greatly reduces the value of your email address.

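The per-service alias and bogus challenge-answer routine from the last comment, as an added example that is not part of the comment or the original post. It goes one step beyond the comment by deriving each alias tag from a secret key instead of picking it at random, so an address that later turns up in spam or a breach notice can be traced to the service it was given to; the function names, key and service list are hypothetical.

```python
import hashlib
import hmac
import secrets
import string


def service_alias(mailbox: str, service: str, key: bytes, tag_len: int = 8) -> str:
    """Derive a stable "+" alias for one service from a secret key."""
    local, _, domain = mailbox.lower().partition("@")
    tag = hmac.new(key, service.lower().encode(), hashlib.sha256).hexdigest()[:tag_len]
    return f"{local}+{tag}@{domain}"


def attribute_leak(seen: str, mailbox: str, services: list[str], key: bytes):
    """Map an alias seen in spam or a breach notice back to the service it was given to."""
    reverse = {service_alias(mailbox, s, key): s for s in services}
    return reverse.get(seen.strip().lower())  # None if the address matches no known alias


def bogus_answer(length: int = 20) -> str:
    """Random challenge-question answer, meant to be stored in the password manager."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed sample data. In practice the key is generated once with
# secrets.token_bytes(32) and kept in the password manager.
KEY = b"constructed-demo-key-not-a-real-secret"
MAILBOX = "myname@gmail.com"
SERVICES = ["adobe.com", "bank.example", "forum.example"]

if __name__ == "__main__":
    for s in SERVICES:
        print(s, service_alias(MAILBOX, s, KEY))
    leaked = service_alias(MAILBOX, "adobe.com", KEY)
    print("leak attributed to:", attribute_leak(leaked, MAILBOX, SERVICES, KEY))
    print("challenge answer:", bogus_answer())
```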