Richi Jennings

OOPS! Adobe abode hacked: Credit cards copied, source silently snatched

October 04, 2013 6:02 AM EDT

Adobe Cloud Security FAIL
Adobe has egg on face.

Adobe (NASDAQ:ADBE) is in a deep hole (perhaps it should stop digging). It regrets to announce that hackers have broken in and grabbed a bunch of customer details, including payment card data and some source code.

Adobe Chief Security Officer, Brad Arkin, maintains that the card details were encrypted, but isn't giving us any details that would reassure much. All this on top of Adobe's chronically poor reputation for security practice, and widespread dissatisfaction with the company forcing customers to the cloud.

In IT Blogwatch, bloggers wax critical of Adobe and its CSO. [Updated Oct. 5, 7.20am]

 
Lucian Constantin is our constant companion:

Hackers broke into the...network of Adobe Systems and stole information on 2.9 million customers, as well as source code for several...products.
...
Attackers managed to access Adobe customer IDs and encrypted passwords...information on 2.9 million customers, including names, encrypted...card numbers with their expiration dates, and other customer order details. ... Adobe is in the process of resetting the passwords...notifying customers whose credit or debit card information was involved [and] has alerted the banks processing customer payments.
...
This is not the first time hackers have compromised Adobe's internal computer systems. Last year, attackers gained access to an Adobe code-signing server and used it to digitally sign malware.  MORE


 
Brian Krebs had, uh, advanced knowledge:

[I] became aware of the source code leak roughly one week ago, when...working in conjunction with fellow researcher Alex Holden, CISO of Hold Security...[I] discovered a massive 40 GB source code trove stashed on a server used by the same cyber criminals believed to have hacked into...LexisNexis, Dun & Bradstreet and Kroll. ... [I] shared several screen shots of the code repositories with Adobe. Today, Adobe responded...that it has been working on an investigation into a...breach into its networks since Sept. 17.
...
The revelations come just two days after [I] published a story indicating that the same attackers...were also involved in the intrusions into the networks of the National White Collar Crime Center. ... The attackers appear to have initiated the intrusion...using a set of attack tools that leveraged security vulnerabilities in Adobe’s ColdFusion. ... Many networks apparently run outdated versions of the software, leaving them vulnerable to compromise.  MORE


 
Adobe CSO Brad Arkin clarifies that last point:

We are not aware of any zero-day exploits targeting any Adobe products. However, as always, we recommend customers run only supported versions of the software, apply all available security updates, and follow the advice in the Acrobat Enterprise Toolkit and the ColdFusion Lockdown Guide. These steps are intended to help mitigate attacks targeting older, unpatched, or improperly configured deployments.  MORE


 
But Alex Holden thinks the theft of source code is "a serious concern":

While it is unclear at this time how the hackers obtained the source code and whether they analyzed or used it for malicious purposes, it appears that the data was taken and viewed by unauthorized individuals.
...
Adobe products are installed on most end-user devices and used on many corporate and government servers. ... We fear that disclosure of encryption algorithms, other security schemes, and software vulnerabilities...may have opened a gateway for new generation of viruses, malware, and exploits.  MORE


 
Cue much grumbling about Adobe Creative Cloud, such as this from David Roberts:

Adobe must be the one company in the world to have a worse track record at security than Microsoft, Oracle or Mozilla. They have ignored industry best practices and been a thorn in the side of the rest of the industry for years while being oblivious to the damage their customers have suffered.
...
This is the same company that wants you to rely on their security as the only way to their products now that they only rent a cloud based versions. ... People need to learn that there is nothing magical about the 'cloud'. [It] necessarily expose[s] all of their customers when they get cracked.
...
Do you really think a company with their track record is going to get their act together?  MORE


 
But Leonardo Soler says why there's no real alternative, IHHO:

[It's] the freaking industry standard. If my client uses it, I have to use it too. ... They will send me projects that contain Adobe data, like an After Effect with a Cinema4D file inside, that you cannot edit in any other software. ... They need ME to send THEM a project their media lab can play with.
...
Don’t get me wrong, I’m pissed that this happened. ... But the tools they provide are second to none. Deal with it.  MORE


 
Meanwhile, Douglas Hawks quips thuswise:

See... this is why I torrent cracked versions.

It's too risky to give your credit card number to a company like Adobe.  MORE


 
Dan Ramos says the news damns Adobe's security stance:

They've had some of the most insecure platforms for decades now and never really seemed to take security seriously--and now they've allowed sensitive customer financial information (credit card numbers) to get hacked. Given that, I can't say I feel too bad for them--had to happen sooner or later.  MORE


 
Sam Bowne appears newly-informed about CSO Brad Arkin's existence:

Adobe has a security director?  MORE


 
And zlajoie responds, oh-so hilariously:

He's not real. He was Photoshopped in.  MORE


 
But HP's Rafal Los begs to differ, with this helpful suggestion:

Unless you've been a successful CISO of a massive software company, please refrain from throwing rocks.  MORE


 

Subscribe now to the Blogs Newsletter for a daily summary of the most recent and relevant blog posts at Computerworld.