Archive for December, 2008

Digital Certificate Veteran Entrust Joins Certified Document Services (CDS) Program

Following on the heels of a number of successful customer deployments, Adobe is proud to welcome another respected organization to the CDS Program.  Entrust announced today they have joined the CDS Program and will begin offering certificates under its auspices in early 2009.  This will bring to five the number of CAs in the program, along with ChosenSecurity, GlobalSign, Keynectis, and VeriSign.

CDS makes creating and receiving authentic documents easier by not requiring a recipient to explicitly trust the author of the document.  CDS signatures automatically validate in Adobe Acrobat or Adobe Reader 6.0 and above, providing integrity and long-term assurance to electronic documents of record.  Providers involved in the CDS Program are required to meet stringent requirements for identity vetting, security, and operations.

According to Entrust’s President and CEO Bill Conner:

“While electronic documents are an efficient method to do business, until recently they lacked the security necessary to be accepted for official enterprise use.  With the advent of this standard and the specialized certificates, organizations can be confident that electronic documents are authentic and have not been tampered with or altered.”

Read more about CDS here.

To learn more about Adobe’s security partner ecosystem, visit the Adobe Security Partner Community!


New state laws affect encryption practices

Nevada and Massachusetts have been in the process of enacting new state laws that target businesses and individuals who own, license, store, or maintain Personally Identifiable Information (PII) about a state resident. Many other states already have these guidelines in place. PII is defined as a combination of the person's name and another unique identifier such as a Social Security number, driver's license number, or financial account number.

In Nevada, S.B. 347 went into effect on October 1, 2008. This law specifically prohibits businesses in Nevada from transferring personal information through electronic transmission unless it is encrypted. This regulation even affects those companies that do business in Nevada but are headquartered elsewhere.

In Massachusetts, 201 CMR 17 is set to go into effect on May 1st, 2009. The law was initially set to go live on January 1, 2008, but has been extended to May in light of the economic crisis. This law is somewhat broader than Nevada in that it requires that any resident PII stored in laptops or removable storage devices be encrypted in addition to information transmitted over network and wireless connections. It also requires organizations to develop a security program, use updated firewall systems, enforce limits on the amount and length of time PII is retained, and allow access to sensitive PII only as necessary to perform job responsibilities. Even more detailed requirements include a need for documented security policies, prevention of terminated employees from gaining access to PII, and audit trails of employee access to PII.

Although penalties for non-compliance are not specified in either case, a business or individual that fails to provide a minimum level of security may be exposed if legal action is taken following a data breach. We recommend that companies review their security procedures in light of these new requirements and take action, if needed. For those companies in less regulated industries, a full risk assessment may be appropriate if you are moving into uncharted waters about what technology options are available to reduce exposure.

Much of the debate has been whether to apply encryption at the infrastructure layer using disk or email encryption or to implement it at a finer grain. Technology such as Adobe LiveCycle Rights Management ES or client-based protection embedded in Adobe Acrobat provides this finer grain of protection aimed at protecting only the information assets considered most sensitive (such as PII). I believe each approach has its merit under certain circumstances, but LiveCycle Rights Management and Acrobat each provide the added benefit of security that travels with the information itself.

As an example, using Rights Management, if sensitive PII is located on a disk or removable media device and then gets transmitted over a network, it remains protected persistently throughout the process. Using encryption at the infrastructure layer involves greater coordination, more layers and resources, and a higher risk of failure if not implemented properly.

Also, when considering some of the detailed requirements of the Massachusetts regulations (along with similar requirements in other states) regarding terminated employees, Rights Management allows an organization to revoke access to PII once that person is no longer employed. It also provides a complete audit trail of what user actions were taken on a particular document that contained PII and can help map your governance objectives to actionable, enforceable security policies. Furthermore, within Content Management systems, it has the capability to create workflows that dictate when PII should be sent off to archive or even deleted.

Definitely explore all your options as you move towards improving your compliance posture with these new regulations, but do consider the advantages of a strategic strike versus a blanket approach to encryption.

We Care

Recently, when speaking with a few researchers about why they did not report vulnerabilities to Adobe, we have heard a few variations of, “I didn’t think Adobe would care.” Those responses were disappointing to the Adobe Secure Software Engineering Team (ASSET) and it was clear that Adobe needed to do more to reach out to the security community and be transparent in our efforts to protect customers. ASSET strives to improve the Secure Development Lifecycle within Adobe for all products, coordinate the Adobe Product Security Incident Response Team (PSIRT) and perform security community outreach activities. Those comments indicated that Adobe needed to do more with regard to communicating the activities of ASSET to the external community. This blog is one of the methods we will use to achieve that goal.
Adobe has taken significant proactive measures to improve the security of our products over the last few years and we plan to continue to build upon that foundation moving forward. Through this blog we hope to communicate what we have achieved and where our customers can expect us to be in the future. We will be providing specific details on the current status of our individual security programs within Adobe in upcoming posts. However, to set the scene, let’s take a quick look back on the last year that led to where we are today.
First, it is very clear to Adobe that we are receiving increased attention from the security community. Adobe has been responding to this increased attention over the course of the last year by proactively investing in both internal and external security measures to further protect our customers. We have added several new people to our team including Brad Arkin who recently joined Adobe in the new role of Director of Product Security and Privacy within Adobe. For additional support internally, we have increased our efforts in disseminating security information, tools and resources to the individual product teams. One example of this effort includes our recent initiative to expand the library of online security training modules as part of a broader set of education programs for developers and quality engineering. For the external community, we have also contributed towards making more security information available to the customers who deploy our products in order to assist developers and administrators in implementing best practices with our software.
The current focus on Adobe products from the security community has also led to an increased number of reported security issues. To that end, Adobe has become more aggressive in responding to external security incidents. One recent example was the clickjacking issue reported to us by Robert Hansen and Jeremiah Grossman. Adobe responded by implementing a cross-platform, cross-browser patch within weeks of notification. And while the complexities of the many environments our products run on can sometimes prevent us from responding as quickly to other reported issues, this specific example helped to raise the bar for what we can achieve and what we want to work towards in the future. For researchers who find issues with our products, you should know that Adobe follows industry standard responsible disclosure practices and we will give credit to all researchers who follow that process when reporting vulnerabilities.
These are just a few of the steps that Adobe and ASSET have taken to improve the security of our products and services. This blog will help describe in more detail how moving forward we plan to improve in each area of the security lifecycle. By publishing information on our security development lifecycle, we hope to convey to our customers Adobe’s efforts to ensure the security of their infrastructures. In addition, it is our hope that the information we provide about the lessons we’ve learned during these processes can help to further the industry. In short, we care.


The Adobe Secure Software Engineering Team (ASSET) is pleased to announce this new blog!
Since we care about the security and privacy of our products and we want to share our company knowledge and efforts with the security community, we are starting up this new blog. Topics may range from Adobe’s experience implementing a secure product lifecycle to new security initiatives in our products. We will most likely not dive deep into individual Adobe products here, but instead focus on more general issues. If you are interested in what Adobe is doing to improve the security of its products, read on.
For the latest information on security bulletins or advisories, please go to our PSIRT blog.

News from Adobe’s Security Partner Community: Significant GlobalSign Customer Announcements Buoy CDS Program

Since its induction into the Adobe Certified Document Services (CDS) Program, GlobalSign has been very busy working to build a customer base eager to leverage the native trust and assurance that CDS brings to any recipient opening a CDS digitally signed PDF document in Adobe Acrobat or Reader 6.0 and above.  That work has paid off in three separate customer announcements this year, including one just released today:

  • December 8, 2008: In partnership with Adobe and SafeNet, GlobalSign today announced the success of the Antwerp Port Authority project.  This port is the second largest in Europe and the fourth largest in the world.  Looking to save time and money by eliminating paper invoices, and required by law to provide for the integrity and authenticity of the resulting electronic invoices for value-added taxes (VAT), the Port of Antwerp deployed a solution combining:
    • LiveCycle ES document generation and digital signature servers;
    • DocumentSign CDS digital certificates from GlobalSign; and
    • SafeNet hardware security modules (HSMs) to protect the signing keys themselves.

    “We’ve seen a marked increase in the number of projects across the whole of Europe in recent months as the worldwide economic climate causes enterprises both large and small to re-evaluate their invoicing processes to drive down costs and remain competitive.  DocumentSign is not only a cost effective and easy solution for businesses to use, but is also compliant with European e-VAT legislation.”  -Steve Roylance, Business Development Director, GlobalSign.

  • May 2008: At the annual National Notary Association conference, GlobalSign announced the positive results of a pilot undertaken with the UK Notaries Society in which the cost efficiency and legal admissibility of eNotarization performed with GlobalSign CDS credentials was well-documented.
  • May 2008: Bodycote, a leading provider of testing and thermal processing services, announced that it had selected GlobalSign’s DocumentSign program, based on CDS credentials, to certify its test data and reports.  With this solution Bodycote can provide results to its clients in PDF form, confident in both the accuracy and integrity of the data contained within.

    “DocumentSign services our security requirements but is also instantly deployable and very scalable – essential factors for rolling out a solution that can be easily understood by every person in the reliance chain.  For our clients’ customers, they simply open the test results in [R]eader.”
    Alan Slater, Head of IS & IT Architecture, Bodycote


Flexibility in identifying and authenticating users

We’ve received a bunch of good feedback lately on some of our explanations and demonstrations of the authentication types supported in LiveCycle Rights Management. We adapted some of these posts into a technical article within the LiveCycle Developer Center on Adobe’s web site. You can read it here:

Adobe Secured Customer Showcase: Government Printing Office (GPO)

Please read how the U.S. Government Printing Office has been using LiveCycle Digital Signatures ES to provide authenticity and integrity to public documents including the 2008 e-budget. Also learn how they were able to save over 20 tons of paper and $1 Million over 5 years by bringing antiquated paper based processes online in a secure way for citizens.

Acrobat 9 and password encryption

Based on some recent online discussion of Acrobat 9 and password encryption, we’re posting to provide a quick summary on what has changed, how it impacts the overall security of PDF documents, and Adobe’s commitment to providing high-assurance document security implementations.
