Security incident response teams are still working to determine the scope of the massive data breach at Adobe Systems, and while the breach impacted millions of customers, experts say the source code leak associated with the incident could have even more dangerous repercussions to businesses and individuals.
Adobe said it is still investigating the extent of its source code leak. The source code is the underlying set of instructions that make up Adobe's programs, and while attackers will hunt for zero-days in it, there's no reason why a sophisticated attacker couldn't put a backdoor into all the software, said Thomas Kellermann, vice president of cybersecurity at Trend Micro. Kellermann, a prominent security expert who served on The Commission on Cyber Security for the 44th Presidency, called the source code leak "highly significant."
"Adobe's own brand is being used against it at this point," Kellermann said. "Instead of just building munitions, they are robbing the weapons plants; you could weaponize electronic legal forms and other electronic paperwork and basically insert a backdoor into any system you wanted and people will trust that document."
IT teams typically don't have a mature enough security team to create ways to make hacking into systems cost prohibitive, Kellermann said. Most businesses take an outdated approach to security by continually attempting to strengthen the perimeter, but hackers are already inside, Kellermann said.
"At this point, we're all dealing with an adversary that is in your house," Kellermann said. "We have to think about combining long-term defense-in-depth strategies with ways to create more of a prism in your environment instead of creating a fortress."
It's not the first time Adobe has had to deal with a security incident. Last November, the software maker acknowledged a breach of its customer website, forcing it to reset the passwords of thousands of users. The company isn't alone with its source code leak. VMware has had to deal with potential fallout from the exposure of its ESX server source code. Security firm Symantec was forced by a hacktivist group to acknowledge a 2006 breach, leaking the source code to some of its products, including an older version of its Norton enterprise software. The firm declined CRN's Friday request for comment on this story, but in previous interviews, the security vendor indicated it has added safeguards, issued software updates and end-of-lifed outdated versions of its software.
Having the source code is akin to having the keys to the kingdom, said Rob Kraus, director of research on the security engineering research team at managed security services provider Solutionary. Potentially all malicious actors can either buy a zero-day exploit or, if they're sophisticated enough, create an exploit and use it in targeted attacks.
"If you have a car with the hood welded shut, it's hard for you to mess with the carburetor or anything else, but when you are able to open the hood of the car, you can get in there and tinker and find things that you don't normally see," Kraus said. "Having the source code allows the good guys as well as bad guys to find dangerous programming functions that might be used in an attack."
Software developers and malware writers are very likely going to review the source code to determine if there are any workarounds or other coding weaknesses that can be taken advantage of, said Richard Henderson, security strategist at Fortinet's FortiGuard Threat Research and Response Labs. Common vulnerabilities could end up in an automated exploit kit, while more novel flaws will be kept tight, Henderson said.
"There are people who keep zero-days close to their chest and only sell them to a small number of folks who want to maintain them, such as nation-state actors," Henderson said. "Most people developing exploits take a big deep-dive, reading modules within the source code to look for fudges and workarounds; things that aren't working the way they expected them to."
Many zero-day threats will use email as the main attack vector, according to security experts. The 2013 Verizon Data Breach Investigations Report found that phishing and social engineering were used in nearly all of the hundreds of data breaches the firm analyzed. Experts say it is likely that security researchers will be monitoring for suspicious activity associated with Adobe threats. Researchers, said Adam Wosotowsky, a senior antispam research analyst at McAfee, monitor suspicious domains attached to certain IP addresses for changes that signal a potential threat.
"Probably 99.9 percent of malware is generic, high mutation-rate stuff," Wosotowsky said. "The advanced persistent threat, or someone who does a lot of research into their target, takes a certain amount of time and money, but it can be much more damaging because it's that much more difficult to recognize that you've got an infection like that."
The fact that Adobe's source code has been leaked increases the risk that it could be used by an attacker, but that does not necessarily make such an attack likely. Open source software is open and available for review, and, while the point is debated, some experts believe that more eyes on the code potentially make it more secure, Henderson said. Attackers also do not need the source to analyze software: disassembler tools are already available and actively being used by hackers to take apart proprietary software and scan it for vulnerabilities to create exploits.
Some vendors maintain open source projects to attract more eyes to review and experiment with the source code. Google has released over 20 million lines of code and over 900 open source projects. It maintains an open source repository for its Android mobile platform and for Chromium, the software behind the Google Chrome browser and operating system. The company recently released the source code to its Google Glass software.
PUBLISHED Oct. 4, 2013