
Adobe Security Breach

Adobe Systems, one of the big computer application and software firms, revealed on 3rd October 2013 that one of the biggest security breaches in its history had occurred. Adobe's security officer revealed that in the breach, hackers managed to get access to most of the Adobe software and services, but especially to the Acrobat PDF document-editing software and the ColdFusion web application. Adobe also revealed that the hackers stole parts of the source code to Photoshop, its popular picture-editing program. The stolen source code could allow programmers to analyze how Adobe's software works and copy its techniques. Adobe Systems reported that the data of about 2.9 million customers had been stolen from its website. This includes names and contact details, as well as credit and debit card details. Later on, Adobe Systems reported that the number of users whose data was compromised was not 2.9 million but actually 38 million, which makes it one of the biggest security breaches in history. The diverse customer base of Adobe was reflected in the database. Analysis found 234,379 military and government email addresses, encrypted passwords and password hints in the compromised database. Of the 38 million accounts involved in the breach, over 2 million were related to educational institutions. More than 6,000 accounts were from defense contractors such as Raytheon, Northrop Grumman, General Dynamics and BAE Systems. On the federal side, 433 FBI accounts, 82 NSA accounts and 5,000 NASA accounts were compromised in the breach.

This breach also created panic among other big online companies such as Facebook, which immediately alerted its customers after the incident. People often use the same password on two or more websites, and Facebook suspected that some of its users had the same password they were using on the Adobe Systems website. Many other websites did the same by alerting their users to the security breach.

Adobe's Bad Security Record - Possible reason for the security breach

In the last five to six years Adobe has faced one problem or another related to cyber security. This is evidence that the cyber security of Adobe Systems was not good enough. Their website was always vulnerable and nothing significant was done to change that. Adobe Systems needed to improve its cyber security years ago.

2007 - Adobe Reader bug allowed hackers access to all the files on people's computers.
2008 - More than 1,000 hacked websites infected computers by delivering fake Flash Player updates that posed as CNN news notifications.
2009 - Vulnerability in Reader let hackers open back doors into people's computers.
2010 - Attackers created malicious PDF attachments to hack into several companies, including Adobe, Google and Rackspace.
2011 - Bug gave hackers remote access to people's computers, this time in Flash Player.
2012 - Hackers gained access to Adobe's security verification system by tapping into its internal servers.

Adobe Flash Player and Acrobat Reader, both products of Adobe Systems, stood in second place among the most vulnerable programs of the Fortune 500 companies in 2009. Adobe Reader then topped the annual list of vulnerable programs in 2010, and Adobe Flash Player did the same in 2012. Therefore, the recent security breach at Adobe Systems should not be a surprise to anyone, although it is one of the biggest breaches in Adobe's history as well as in the history of cyber security. Because Adobe products are so widely used, the company has become a target for a great many attackers. Adobe's security history suggests that the organization has to take a long, hard look in the mirror.

Checking whether your account was a part of Adobe security breach or not and creating a safe password

Lookout, a security firm, has provided steps for first checking whether your account was part of the Adobe security breach and then creating or changing passwords as required. The following steps will help in managing your password while dealing with the Adobe security breach:

1. The first step is to visit https://lastpass.com/adobe/ to check whether your account was part of the security breach. Enter your email ID and the tool shows the result by comparing it with the list of compromised accounts.

2. If you don't remember whether you ever created an account with Adobe, confirm it and reset your password, because many of the compromised accounts were inactive accounts. This can be done from the following link: https://www.adobe.com/go/passwordreset

3. Change any passwords that are the same as your Adobe password. Otherwise there is a higher probability that someone who obtained your Adobe password in the breach will easily be able to log in to the other accounts where you use the same password.

4. Set a password that is unique, complex and not easy to guess. Never using the same password for two or more accounts is also good practice for staying safe.

Cause Effect Analysis of Adobe Security Breach

A cause-effect diagram of the Adobe security breach was produced by Selil, a firm that covers cyber security topics. It explains how the breach was connected to people, process and policy, technology, processing, transmission and storage, and how it had a significant impact on all of these.

How it happened: Breaking of passwords was easy on Adobe

It came to light that one out of every six passwords was easily breakable because of the hashing used by Adobe, which mashes up the user's password with a mathematical algorithm. The company did not apply the level of security required to keep the passwords from being broken easily. Hashed versions of the passwords, along with the associated email IDs, have been searched on the internet to list the people who use the same password. There were hundreds of users who were using the same password. Some accounts were found to have a Social Security Number (SSN) as their password. There were thousands of instances in which people wrote a password hint such as "same as Facebook" or "same as bank account". Brian Krebs, an investigative reporter, said that it seems Adobe did not put much effort into protecting its customers' precious information. He also said that most organizations, including the larger ones, are still relying on older security approaches to protect their customers' passwords.

What went wrong - probably the 16 characters - Passwords cannot protect us anymore

Adobe did not bring its password protection up to industry standards, and hackers were able to exploit that. In addition, alongside the stored passwords, the users' password hints were kept in clear text.

Hints used were really weak and easily exploitable by third parties

Hints made the discovery of passwords easy not only for the Adobe account but for other websites as well. Using passphrases or long passwords makes accounts more difficult for hackers to break into. Recycling the same password across multiple sites should be avoided to keep accounts from being hacked.
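The storage weakness described in the two sections above can be reproduced on constructed data. The following Python example is added here and is not part of the original document: it audits a small set of made-up records, grouping accounts whose stored password value is identical, and contrasts that with salted storage. SHA-256 is only a stand-in for the unsalted scheme, since the document does not say which algorithm Adobe used; all names, records and the PBKDF2 iteration count are assumptions.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample records (email, password, clear-text hint); not breach data.
USERS = [
    ("a@example.com", "Summer2013!", "same as facebook"),
    ("b@example.com", "Summer2013!", "season + year + !"),
    ("c@example.com", "correct horse battery", "four words"),
    ("d@example.com", "Summer2013!", "same as bank account"),
]

def store_unsalted(password):
    # Weak: deterministic, so equal passwords always give equal stored values.
    return hashlib.sha256(password.encode()).hexdigest()

def store_salted(password, iterations=600_000):
    # Hardened: per-user random salt plus a deliberately slow derivation.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex() + "$" + digest.hex()

def verify_salted(password, stored, iterations=600_000):
    # Recompute with the stored salt and compare in constant time.
    salt_hex, digest_hex = stored.split("$")
    salt = bytes.fromhex(salt_hex)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate.hex(), digest_hex)

def shared_value_groups(users, store):
    """Audit: group accounts whose stored password value is identical."""
    groups = defaultdict(list)
    for email, password, hint in users:
        groups[store(password)].append((email, hint))
    return [members for members in groups.values() if len(members) > 1]

if __name__ == "__main__":
    for name, fn in (("unsalted", store_unsalted), ("salted", store_salted)):
        groups = shared_value_groups(USERS, fn)
        print(name, "-> groups sharing a stored value:", len(groups))
        for members in groups:
            # Every clear-text hint in a group describes the same password.
            print("   ", members)
```

With unsalted storage the three accounts that share a password fall into one group and their clear-text hints pool together; with per-user salts no two stored values match, so the grouping yields nothing.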

Adobe Systems tried to notify each individual customer about the breach via email and recommended that they change their password. However, it is doubtful that all Adobe users changed their password on the strength of the email notification alone. There are two possibilities: first, the email might have been filtered as spam, and second, it might have been disregarded as a phishing message.

Impact: People who were using the same password for other accounts, such as banking or social media, might be at risk. If those accounts are accessed, it may lead to fraudulent banking transactions, illegal activities on social media in someone else's name, or damage to the victim's social and personal life.

Steps taken by Adobe Systems after the breach

Brad Arkin is the Chief Security Officer and spokesperson for Adobe Systems. He apologized on behalf of the organization and made an important customer security announcement. Cyber-attacks of this kind are a harsh reality of doing business today. He also expressed regret to customers whose confidential data or credit/debit card information had been stolen. Some of the steps taken by the organization are:

First, as a precaution, the passwords of all relevant customers were reset in order to prevent any further unauthorized access to their accounts. Customers whose accounts were involved in the breach would be notified by email with instructions on how to reset the password. Adobe Systems also recommended changing the password of any account that uses the same password as the Adobe account, to be on the safer side.

Adobe is also in the process of informing the customers whose debit or credit card information was involved in the breach. Any customer whose card information was involved will receive a notification letter from Adobe with additional steps, beyond the password reset, for protecting the account against misuse of that information. Apart from this, the option of enrolling in a one-year complimentary credit monitoring membership was made available to customers whose credit or debit card information was involved. This was one of the crucial steps taken by Adobe to regain its customers' trust. Adobe has also notified the banks that process its payments, so that they can work with the payment card organizations and the card-issuing banks to protect customers' accounts. Adobe Systems has also contacted federal law enforcement and is assisting in the investigation.

Recommendations

Following are some general recommendations in response to the Adobe security breach:

1. Reset your Password

People who use the same password for Adobe and some other accounts are strongly advised to change their password(s) at the earliest. People who do not share a password between accounts should also change their Adobe password to be on the safer side. When changing the password, reset it directly from the website instead of using the email notification, which is much safer.

2. Using LastPass Tool

An online tool created by a security firm named LastPass makes it easy to check whether your Adobe account is part of the security breach. You just need to enter your email ID, and within a few seconds you will know whether you are part of the breach or not.

3. Never reuse your password

Passwords should not be reused, i.e. never use the same password for two or more internet service accounts. If you use the same password for two or more accounts and any one of them is compromised, the others may be compromised in no time. The best practice is to use a different password for each account. This is difficult if you have numerous online accounts, but it is the ideal to aim for.

4. Create a Strong Password

Creating a strong password is highly recommended, as it is not easy to guess and is less likely to be compromised. Always create the strongest password possible under the guidelines of the individual website. Each website can have its own rules about which passwords it accepts, so strong passwords need to be created within those rules.

5. Unique Password Hint

The password hint used for password recovery should be unique, so that it can be understood only by the user. It should not be something like "same as Facebook" or a pet's name, because such hints make it easy for hackers to guess the password. In the Adobe case as well, many of the passwords were compromised based on the hint.

6. Passphrases

Passwords should be at least 13 characters long; phrases can be used instead of single words. Using passphrases makes it difficult for hackers to work out the password. Also, the longer the password, the better protected you are from hacking.

References

1. Pagliery Jose, Adobe has an epically abysmal security record, October 8, 2013, http://money.cnn.com/2013/10/08/technology/security/adobe-security
2. Threat to Computer Accounts Due to Adobe Security Breach, Champsupport, November 15, 2013, http://champsupport.wordpress.com/2013/11/15/alert-threat-to-computer-accounts-due-toadobe-security-breach
3. Samuel Liles, 2013 Adobe Data Breach (on going analysis), November 4, 2013, http://selil.com/archives/4938
4. Ken Westin, Adobe Breach compromised 234,379 military and government accounts, Nov 13, 2013, http://www.tripwire.com/state-of-security/vulnerability-management/adobe-data-breach-compromised-234379-military-government-accounts/
5. Lookout, Security Alert: Adobe Password Breach, November 12, 2013, https://blog.lookout.com/blog/2013/11/12/security-alert-adobe-password-breach
6. Adobe hack: At least 38 million accounts breached, 30 October 2013, http://www.bbc.co.uk/news/technology-24740873
7. Brad Arkin, Chief Security Officer, Important Customer Security Announcement, http://blogs.adobe.com/conversations/2013/10/important-customer-security-announcement.html
8. Michael York, Adobe's security breach and the impact to you, November 21, 2013, http://www.postmanmojo.com/blog/adobes-security-breach-impact
9. Jay Nancarrow, Facebook Warns Users After Adobe Breach, November 13, 2013, http://krebsonsecurity.com/2013/11/facebook-warns-users-after-adobe-breach
10. Nick Bilton, Adobe Breach Inadvertently Tied to Other Accounts, November 12, 2013, http://bits.blogs.nytimes.com/2013/11/12/adobe-breach-inadvertently-tied-to-otheraccounts
