The massive theft of customer data and product source code recently revealed by Adobe has security experts concerned that the compromised data could be used to launch more criminal attacks on users of Adobe products.
Adobe said that the breach compromised the IDs, passwords, and credit card information of nearly 3 million customers, while a separate but possibly related incursion of its network netted unknown attackers the "source code for numerous Adobe products."
While the software company said the stolen password and credit card information was encrypted, the revelation that product source code is now in the wrong hands has some security experts particularly worried.
"The main headline is that 3 million credit card numbers were hacked from Adobe. While this is a serious breach by any measure, to Adobe's credit the numbers seem to have been encrypted," said Aaron Titus, chief policy officer and general counsel for Identity Finder.
"The under-reported, but far more worrying story is that hackers apparently have obtained 40GB of Adobe source code, which may include Adobe's most popular products, Adobe Acrobat and ColdFusion," he continued. "Security professionals in organizations around the world should be on high alert for an increase in Acrobat-related attacks as hackers analyze the code for possible zero-day exploits."
Adobe has not named the products with source code that were stolen. But security researchers Brian Krebs of Krebs on Security and Alex Holden of Hold Security reported their discovery of "a massive 40GB source code trove stashed on a server used by the same cyber criminals believed to have hacked into major data aggregators earlier this year, including LexisNexis, Dun & Bradstreet and Kroll [Background America]."
Krebs reported that the stash of compiled and uncompiled code "appeared to be source code for ColdFusion and Adobe Acrobat," the same two products Titus named.
Chester Wisniewski, a senior security advisor at Sophos, said the source code theft added a wrinkle to the Adobe incident that made it different from typical security breaches suffered by companies storing large amounts of customer data.
"What's interesting about this case is that Brad Arkin, Adobe's chief security officer, suggests this attack may be related to earlier attacks on the company where source code was accessed/stolen. If this is true, it certainly deviates from previous billing information compromises and could be used to not just harm Adobe, but to conduct phishing attacks against the company's nearly three million customers," Wisniewski said.
Bala Venkat, chief marketing officer for web application security firm Cenzic, put it simply: "Adobe has lost their 'crown jewels' and because every enterprise worldwide uses Adobe in one way or another, the impact is enormous."
As for all that stolen billing information and user data, Rajesh Ramanand, CEO of e-commerce fraud prevention platform Signifyd, said the thieves could make use of it even if it is encrypted.
"In this scenario, it's going to be hard to immediately monetize the stolen information unless someone finds a way to decrypt it. Having said that, there is an underground economy for credit cards and even accounts such as PayPal, etcetera," he said.
Ramanand outlined a likely path for fencing the stolen credit and debit card data: the thieves or their brokers sell cards "in the black market for £5 to £10 a pop" to fraudsters, who then "hit up as many sites as soon as possible to buy goods from these stores" before the affected Adobe customers notice and have the cards cancelled. The stolen user data could also be used by the purchasers to build fake Internet identities, he added.
So what can companies like Adobe do to ward off such attacks? And how can affected Adobe customers deal with the situation facing them?
Eric Chiu, president and co-founder of cloud infrastructure firm HyTrust, said the old "outside-in" model of trying to keep the bad guys out of the network isn't doing the job anymore.
"Companies need to shift their thinking to an 'inside-out' model of security and assume the bad guys are already on their network. There is too much at stake with customer data, intellectual property, confidential and top secret information," Chiu said.
"Companies need to secure access to sensitive data by implementing fine-grained access controls, including the NSA's new two-man rule, as well as role-based monitoring in order to detect potential breaches and data center disasters. This is increasingly important in cloud and virtualization environments where the risk is ten times greater," Chiu said.
As for individuals concerned about having their bank information stolen, Signifyd's Ramanand suggested people go with banks using real-time transaction monitoring services like his company's, which calculates trust scores for transactions based on a number of variables like a card's frequency of use, consistency of user behaviour, and where purchases are being made versus where a card was issued.
"Because we see traffic from thousands of merchants through our network, we can see if a card is being used or abused multiple times. This is incorporated into our velocity variables and added to the final score of a transaction," he said.
Issuers can then suspend a card that is being used suspiciously until the legitimate cardholder either confirms that the flagged transactions were theirs or confirms that the card was indeed compromised.
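Ramanand's description of velocity and geography variables feeding a per-transaction trust score can be made concrete. The following is an added example written for this page, not Signifyd's code or scoring model: a toy real-time scorer that keeps a per-card window of recent purchases seen across merchants, adds risk for rapid use at several merchants, for a mismatch between the order country and the issuing country, and for an amount out of line with the card's recent average, then maps the score to an allow/review/block decision. The card tokens, merchants, countries, timestamps, thresholds and weights are all constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample data: card tokens, merchants, issuing countries and the
# weights below are hypothetical, not taken from the article or from Signifyd.
WINDOW = timedelta(minutes=10)            # velocity window per card
ISSUING_COUNTRY = {"card-A": "GB", "card-B": "US"}


@dataclass
class Txn:
    card: str          # tokenised card identifier shared across merchants
    ts: datetime       # when the merchant received the order
    merchant: str
    country: str       # country the order is placed from
    amount: float


class VelocityScorer:
    """Scores each transaction as it arrives, using history seen across merchants."""

    def __init__(self):
        self.history = defaultdict(deque)   # card -> recent Txns, oldest first

    def score(self, t):
        hist = self.history[t.card]
        # Expire purchases that fell out of the velocity window.
        while hist and t.ts - hist[0].ts > WINDOW:
            hist.popleft()
        recent = list(hist)
        risk, reasons = 0, []

        # Velocity: number of purchases in the window, including this one.
        if len(recent) + 1 >= 4:
            risk += 40
            reasons.append(f"{len(recent) + 1} purchases in {WINDOW}")

        # Spread: the same card hitting several different merchants quickly.
        merchants = {x.merchant for x in recent} | {t.merchant}
        if len(merchants) >= 3:
            risk += 25
            reasons.append(f"{len(merchants)} distinct merchants in window")

        # Geography: order country versus where the card was issued.
        issued = ISSUING_COUNTRY.get(t.card)
        if issued is not None and t.country != issued:
            risk += 20
            reasons.append(f"order from {t.country}, card issued in {issued}")

        # Consistency: amount far above the card's recent average.
        if recent:
            avg = sum(x.amount for x in recent) / len(recent)
            if t.amount > 3 * avg:
                risk += 15
                reasons.append(f"amount {t.amount:.2f} vs recent average {avg:.2f}")

        hist.append(t)
        risk = min(risk, 100)
        decision = "block" if risk >= 60 else "review" if risk >= 30 else "allow"
        return risk, decision, reasons


def run_sample():
    """Feed constructed traffic through the scorer and return (card, risk, decision) per order."""
    t0 = datetime(2013, 10, 5, 9, 0)
    orders = [
        # card-A: a GB cardholder shopping normally at one merchant.
        Txn("card-A", t0, "bookshop", "GB", 30.0),
        Txn("card-A", t0 + timedelta(minutes=5), "bookshop", "GB", 45.0),
        # card-B: a US card bought in bulk and run through four sites from RO in minutes.
        Txn("card-B", t0 + timedelta(hours=1), "gadgets", "RO", 120.0),
        Txn("card-B", t0 + timedelta(hours=1, minutes=2), "shoes", "RO", 95.0),
        Txn("card-B", t0 + timedelta(hours=1, minutes=4), "games", "RO", 400.0),
        Txn("card-B", t0 + timedelta(hours=1, minutes=5), "phones", "RO", 600.0),
    ]
    scorer = VelocityScorer()
    results = []
    for t in sorted(orders, key=lambda x: x.ts):
        risk, decision, reasons = scorer.score(t)
        results.append((t.card, risk, decision))
        print(f"{t.card} {t.merchant:8} {t.country} {t.amount:7.2f} -> {risk:3d} {decision:6} {reasons}")
    return results


if __name__ == "__main__":
    run_sample()
```

The first foreign purchase on card-B is allowed on its own, since a single out-of-country order is common; it is the accumulation of spread, velocity and geography within the window that pushes the third and fourth orders over the block threshold, which is the cross-merchant effect Ramanand describes. A production system would also weigh device, shipping address and account age, and would tune thresholds against labelled chargeback data rather than the fixed weights used here.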
Image credit: Flickr (boodahjoomusic)