Get it together, Adobe
Last month, Adobe, never a fan of candid transparency, “thanked” Brian Krebs for pressuring it into vaguely confirming that its own systems had been hacked. The haul reportedly included the prized source code of marquee products such as Acrobat, ColdFusion and Photoshop, 2.9 million customer credit cards, purportedly over 40GB of source code in total, and account credentials for somewhere between 38 and 152 million users. All of it was in the wind, found by a security professional on a server associated with criminal hackers, in what is believed to be the largest corporate hack in history.
By “in the wind” I mean I’m two gigs into my own download of this data from a quickly-googled Mega link. Everyone has access to it, from rubberneckers to bad guys, and security experts have confirmed it’s the real deal. According to the NYTimes last week, whatever encryption is present in these Adobe files is not effective.
More and more news items are being tied to this, including articles in a “tip of the iceberg” tone, most recently Facebook’s decision to prompt the users it discovered had reused their Adobe-breach credentials on Facebook to change their Facebook password and answer security questions.
Other large companies are following Facebook’s lead (and keeping the story in the news, which is hopefully prompting many more Adobe customers to take precautions), including the redoubtable Diapers.com and Soap.com, and WordPress.com, which made its announcement just last Wednesday.
Who else? The US Army, the Department of Energy and the Department of Health and Human Services are in the news for being advised by the FBI that their systems were compromised via infiltrated Adobe software.
Earlier in the year, PR Newswire’s network and systems were compromised, user data included; that data was later found on the same server the hackers used to store the Adobe source code, and PR Newswire’s ColdFusion systems had been subjected to a large-scale distributed attack shortly before the breach reportedly occurred. That doesn’t prove it wouldn’t have happened without the source code breach, but in the court of the media, of course it does.
Also in the news last week, Adobe was hit with a class action lawsuit for security incompetence and for failing to reveal the extent of the damage and warn its users accordingly and in a timely manner. And Photoshop’s source code was added to the list of what has been confirmed leaked.
Adobe Acrobat, Acrobat Reader and ColdFusion, along with most of Adobe’s other software, have had their share of vulnerabilities and exploits over the years. Hackers having a program’s source code makes their job of finding vulnerabilities much easier, which is why companies go to extreme lengths to keep a lid on that data. Among the things still unclear is whether any sensitive Adobe data wasn’t leaked. A number that’s tough to ballpark is how many people in the world now need to worry about identity theft, and about their organization’s digital security, as a result of the breach.
One more item from last week: Google’s developer release of Chrome, rather than launching Adobe Acrobat, loads PDFs with its own built-in, sandboxed reader. That feels related to me, a move that would have made less sense if Adobe ran a tighter ship.
The kicker: Wall Street’s take on this clusterfudge? Adobe’s stock closed at an all-time high Friday.
Doug Simmons
Of course the stock is high. It has been proven time and again that people will look past security issues for their own reasons, which I suspect is mainly due to laziness and indifference. Adobe really does have to get it together. They’ve been at this for far too long, and you just know someone, perhaps Google, will provide a suitable replacement for their products.
Well... this is just trippy. I’m looking at the chunk my computer is capable of displaying of a ten gigabyte email/username/password/hint text file, and on another screen I’ve got this NYTimes article about the same text file explaining how the encryption on the passwords (hashing) isn’t so bulletproof. Glad I used alternative methods of payment than... actual payment for my Adobe stuff and am not on this list.
http://bits.blogs.nytimes.com/2013/11/12/adobe-breach-inadvertently-tied-to-other-accounts/?_r=0
“Adobe could not be reached for comment.” Indeed. Too busy to talk to the Times.
As for their stock, while this is embarrassing to them and actually damaging to a lot of people and organizations that pay Adobe, things blow over, and Wall Street knows people will continue to give Adobe money at roughly the same, steadily-increasing rate. Also, luckily for Adobe, this situation is unfolding during this Obamacare disaster, which is providing good cover to everyone with a snafu to conceal.
Anyway, if you ever need a zillion email addresses to stress-test an SMTP server in a real-world scenario, I’ll hook you up. Otherwise I think I’ll zap this file and use the space to try to develop an anime obsession. A ten gig text file, and that’s not even the mother lode. I wonder how their “investigation” is going.
Managed to count the lines with a handy little ported Linux tool (wc): 153,004,874 lines. That’s Charlie Sheen territory.