10-07-13 | Blog Post
Adobe was hit with a data breach last week that compromised their source code of several products, including Adobe Acrobat, ColdFusion Builder and other Adobe products. Hackers also accessed and removed 2.9 million customers’ data, including names, encrypted credit/debit card numbers, login data and other information related to customer orders/accounts, making it a significant PCI DSS data breach.
While the information reported by Adobe is limited as investigation is ongoing, KrebsOnSecurity.com, a security blog written by a former Washington Post reporter in collaboration with Hold Security Chief Information Security Officer Alex Holden, found that 40 GB of source code was stored on the same server used by hackers that accessed other data companies earlier this year, including LexisNexis. Adobe’s Chief Security Officer (CSO) Brad Arkin has verified and used KrebsOnSecurity.com’s findings to direct their investigation, according to the website.
Why is this such a serious breach? According to Holden as reported by ThreatPost.com, a breach of the source code of an end user product allows hackers to write new malware and viruses. Additionally, the hackers have been reportedly using ColdFusion exploits since January – targeting vulnerabilities in ColdFusion 10, 9.02, 9.0.1 and 9.0 for Windows to bypass authentication schemes and remotely control Web servers running ColdFusion. Adobe has stated that hackers accessed their systems via out-of-date software of some kind, but not ColdFusion.
Vulnerability patches have been released since reports of companies being breached have surfaced, including a cloud hosting company that lost client credit cardholder data. A ‘prenotification security advisory’ for Adobe Reader and Acrobat has been issued to notify users that critical vulnerability updates will be released tomorrow, Tuesday October 8 for Windows.
This incident highlights the importance of patch management, particularly for Internet-facing servers running any type of potentially out-of-date software. Consistent updates are vital to security management, as new vulnerabilities are found as new malware is written. The Payment Card Industy Data Security Standard (PCI DSS) requires:
6.1 Ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed. Install critical security patches within one month of release.
Note: An organization may consider applying a risk-based approach to prioritize their patch installations. For example, by prioritizing critical infrastructure (for example, public-facing devices and systems, databases) higher than less-critical internal devices, to ensure high priority systems and devices are addressed within one month, and addressing less critical devices and systems within three months.
Since customer credit cardholder data was compromised, this signifies a major PCI DSS data breach, though the data is said to be encrypted. Encryption of data at rest is particularly important in this case, as stored data is more likely to be compromised by hackers than data in transit. You can achieve encryption of sensitive data at rest in a number of ways, including at the drive-level within a storage area network (SAN) with the use of a PCI private cloud environment maintained by a PCI compliant hosting provider.
What can you do as an Adobe customer? Adobe recommends customers change their account passwords and they are offering free credit monitoring for a year, according to their blog.
Find out more about PCI DSS in:
PCI DSS ‘Business as Usual’ Practices Provide Guidance to PCI Hosting
SearchSecurity.TechTarget.com recently reported on the PCI SSC (Payment Card Industry Security Standards Council) and their first annual PCI Community Meeting to discuss the changes made in PCI DSS 3.0 that affects merchants, ecommerce and retailers that deal with credit cardholder … Continue reading →
PCI Cloud Security Webinar with PCI SSC & PCI Compliant Hosting Experts
Join a PCI DSS panel discussion with technical and administrative experts in the field as they discuss the role that cloud service providers play in protecting cardholder data and the security issues involved. With Bob Russo from the PCI SSC … Continue reading →
PCI DSS V.3.0: Risk Assessment Frameworks for Ecommerce, Mobile & Cloud Computing
The PCI Security Standards Council recently issued a press release about anticipated changes to the PCI DSS (Payment Card Industry Data Security Standards) and PA-DSS (Payment Application Data Security Standard) as a preview for the changes in the third version … Continue reading →
References:
Adobe to Announce Source Code, Customer Data Breach
Prenotification Security Advisory for Adobe Reader and Acrobat
Adobe: Important Customer Security Announcement
Illegal Access to Adobe Source Code
Gang Behind Adobe Hack Hit Other Unnamed Companies
PCI DSS Requirements and Security Assessment Procedures v.2.0 (PDF)