Friday, November 22, 2013

How the Adobe hack could fuel next wave of cybe…

SEATTLE – Adobe has taken several steps to calm concerns among its corporate users about the loss of customer account data and critical source code to hackers.

The company has begun advising enterprise customers that Adobe product users will be required to change their account password at their next login attempt.

The breach does not affect users of Adobe Creative Cloud or Digital Publishing Suite -- other than a password reset.

Adobe will also be sending notification letters over the next two weeks to customers whose individual accounts were breached.

The fact that it took an exposé by krebsonsecurity.com to prompt Adobe to alert customers of this devastating breach is not surprising, says Peter Toren, a former federal prosecutor of computer crimes, who is now with Weisbrod Matteis & Copley.

Most states have enacted data loss disclosure laws modeled after the pioneering California statute that was the first to require companies to notify customers, should any personal data held by the business turn up lost or stolen.

But adherence to such laws has been uneven. "As this highlights, data loss disclosure laws are not nearly as effective in protecting consumers as they should or need to be," Toren says. "Presently, there is no federal law addressing this issue and the state laws that do exist are a patchwork of different standards and requirements."

Despite the law, there remains minimal incentive for companies to do the right thing. "Many companies believe that it is worth the risk of not reporting since reporting could mean a loss of consumer confidence in the brand," Toren says. "Until there is a federal law with real penalties for not reporting, these types of incidents are likely to continue."

Meanwhile, corporations would be wise to brace for a fresh wave of cybercriminal activity that is likely to spin out of the Adobe breach, security experts say.

Now out in the Internet wild are personal and financial data for 2.9 million more individuals -- Adobe product users. Perhaps more worrisome, source code for Adobe Acrobat PDF reader and Adobe ColdFusion web app developer's tool has begun circulating.

Concern is brewing that the bad guys seem certain to use knowledge of Acrobat source code to intensify already widespread attacks revolving around corrupted PDFs.

"Having the source code to an application is like having the blueprints to a product," says George Tubin, senior security strategist at Trusteer, an IBM company, "having access to it expedites the vulnerability identification process -- leading to more weaknesses being identified and used for cybercrime."

Dave Jevans, CTO and founder of cloud security vendor Marble Security, concurs. "It is 100 times easier to find new exploits if you have the source code, than if you have to disassemble the binary," Jevans says. "Plus you may discover exploits on other platforms, like the Mac."

The fact that ColdFusion's source code is out in the open is particularly ominous. ColdFusion supports the new HTML5 standard being used for the new generation of mobile apps, and it is widely used in building websites, business apps and mobile apps for corporate use.

"Now that attackers have access to the ColdFusion source code they can much more easily find exploits and attack enterprises through their own web apps and mobile apps," Jevans says. "This could create the next wave of advanced attacks against enterprises."

Tubin points out that the bad guys have already started using ColdFusion vulnerabilities to deliver malicious content to computing devices.

By reverse engineering ColdFusion's code, bad guys are likely to find fresh security holes that "can give hackers full access to the web server, all files on the server and admin rights to the server," Tubin observes. "Further, this type of compromise can be used as a stepping stone into the broader corporate network in an APT (advanced persistent threat) type of attack."
