Hosted by Dave Kennedy and Beau Woods. Each episode we’re going to be talking about information security and technology security issues that matter to business, not just the technologists. This episode we talk about the recent breach at Adobe, the likely motivations and how other organizations can prevent themselves from becoming victimized as a result, as well as from the same types of attack.
Adobe Systems was recently breached. They announced this on October 3rd, conspicuously just 2 days after announcing their 3rd quarter earnings which were lower than reported. The first reports focused on the potential risk to credit card numbers. But over time the real issue of the Adobe breach has been more widely reported and commented on – that source code for Adobe’s products was leaked. Credit cards are easily replaceable, but source code breaches create huge business and security risks for Adobe as well as just about every other company in the world.
The original concerns reported from the Adobe breach were around personal and financial data theft. Adobe runs an online store, as well as has many marketing and other efforts. They maintain credit card and personal information for millions of people. The most recent reports indicate that up to 38 million people may be affected by the Adobe breach, up from the initial 2.9 million estimate. Credit card numbers are sold on the black market for as little as $3, but it can go much higher.
Initially it seems that this could be a huge haul for the attackers. But the market for stolen credit card numbers isn’t infinite. The attackers may only make a few hundred thousand US Dollars from sale of this information. That’s not a drop in the bucket, but it’s not as high as it would initially seem. Dave and Beau think there is a deeper motivation here.
Adobe makes some of the most widely used software in the world. The top application is the Adobe Reader software that is installed on just about every Microsoft Windows-based device. If attackers are able to find flaws in this software that allows them to take control of the devices, that’s a bad thing. These types of flaws have previously been used to breach major organizations, including those in the financial and technology industries, defense-industrial base and government agencies.
As you would expect, software flaws that allow attackers to take control of devices are valuable. To emphasize the value to attackers, a flaw in Adobe Reader X sold a year ago for a reported $50K USD. And having the source code gives them a much higher likelihood that they can find dozens or hundreds of such flaws. That’s a potential for Millions of US Dollars from this breach.
Adobe breach. Source code leaked (oh yeah, and some credit card numbers too)