
March 27, 2009

Join Adobe at the 2009 RSA Conference!

The 2009 edition of the RSA Conference is right around the corner, but it's still not too late to join us. This year's conference will be held at the Moscone Center in downtown San Francisco from April 20 through April 24th, 2009. Register here and learn about all the great sessions, speaking engagements, and events planned for the week.

We are excited to announce that this year we will be participating as a co-host in the Arcot Systems booth. Arcot is a leader in protecting and verifying digital identities. Financial institutions, pharmaceutical companies, and eShopping sites rely on the company's software-only solutions to prevent online fraud and identity theft.

On the show floor, we will be offering demos for Adobe's Electronic Signature offerings as well as LiveCycle Rights Management ES, so please stop by the Adobe pod within the Arcot booth! Also, please don't forget to check out John Landwehr, Director of Security Solutions and Strategy, at Adobe, for a lively panel discussion on Cloud Computing.

We look forward to meeting you!

Arcot is part of Adobe's Security Partner Community, a growing ecosystem of ISV and solutions partners that allows Adobe to offer best-of-breed security offerings to our customers.

Click here to visit the Arcot website.

Adobe Secured Customer Showcase: Castilla-La Mancha Community Council

Castilla-La Mancha, a Spanish regional government, is using Adobe LiveCycle to streamline and secure its complex document management and review process for the executive office and community council. Specifically, the organization uses Adobe Acrobat Pro and Adobe Reader software to develop and review the documentation, and Adobe LiveCycle Rights Management ES software to apply the maximum level of security for controlling access to the documents.

The secure documents can be accessed online through a web browser via JCCM’s intranet, or offline. Both methods of access require up-to-date authorization, which gives the system complete traceability of document use; in the case of printing, this takes the form of a watermark. Downloads are fully controlled: each user is identified, and a document cannot be opened on a computer other than the one it was originally downloaded to. An expiration date is also applied to each document’s use.

Click here for the full story.

March 13, 2009

NIST FDCC Compliance with Adobe Acrobat and Reader

Adobe Acrobat and Adobe Reader have been tested and meet the NIST FDCC compliance guidelines according to the testing process described in OMB memo M-08-22. Compliance was verified by testing the products using the procedure below.

The Federal Desktop Core Configuration (FDCC) is a list of security settings managed by the National Institute of Standards and Technology (NIST) for US government computers. The Office of Management and Budget (OMB) has instructed agencies to use these settings and to require a vendor's self-assertion that its desktop applications work with the FDCC settings.

Testing Procedure:
The testing of Adobe Acrobat 9.0 and Adobe Reader 9.0 was completed on both XP and Vista with the following steps:

1. Take a baseline scan of FDCC settings using the SCAP-validated Secutor Prime Pro
2. Install, as Admin, any additional software required for functional testing
3. Take a second baseline scan of FDCC settings before installing the Adobe product
4. Install the Adobe product as Admin
5. Scan the system for changes to FDCC settings
6. Log on to a standard user level account
7. Perform application testing in all functional areas
8. Scan the system for changes to FDCC settings
9. Uninstall the product as Admin, and restart
10. Scan the system for changes to FDCC settings
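The "scan for changes" steps above compare a settings baseline against a rescan. As an added example (not Adobe's test tooling, which used an SCAP scanner), the script below performs that comparison over two `reg export` text snapshots taken before and after an install; the `reg export` invocation, the firewall policy key path and value names are assumptions, and the sample exports are constructed.

```python
"""Diff two `reg export` snapshots to spot settings changed by an install.
Added example, not Adobe's tooling: the page baselines FDCC settings, installs,
then rescans; this does the same over two text exports (assumed taken with
`reg export HKLM\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall x.reg` and
decoded from UTF-16). Key paths and values below are constructed samples."""
import re
LINE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))=(?P<data>.*)$')

def parse_reg(text):
    """Return {(key_path, value_name): data} from a .reg export body."""
    settings, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # new key section
            continue
        m = LINE_RE.match(line)
        if m and key is not None:  # "name"=data or @=data (default value)
            name = "@" if m.group("default") else m.group("name")
            settings[(key, name)] = m.group("data")
    return settings

def diff_snapshots(before, after):
    """Values added, removed or changed between the two snapshots."""
    b, a = parse_reg(before), parse_reg(after)
    return {
        "added": sorted(k for k in a if k not in b),
        "removed": sorted(k for k in b if k not in a),
        "changed": sorted((k, b[k], a[k]) for k in a if k in b and a[k] != b[k]),
    }

# Constructed samples: the two firewall settings the page names, under the
# policy key where Group Policy stores them (assumed path and value names).
FW = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile"
BEFORE = f"""Windows Registry Editor Version 5.00

[{FW}]
"DoNotAllowExceptions"=dword:00000001

[{FW}\\Services\\FileAndPrint]
"Enabled"=dword:00000000
"""
AFTER = BEFORE.replace('"DoNotAllowExceptions"=dword:00000001',
                       '"DoNotAllowExceptions"=dword:00000000').replace(
    '"Enabled"=dword:00000000', '"Enabled"=dword:00000001\n"RemoteAddresses"="LocalSubnet"')

if __name__ == "__main__":
    for kind, items in diff_snapshots(BEFORE, AFTER).items():
        print(kind, items)
```

Hex values that `reg export` wraps across continuation lines are not reassembled here.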

The application performed correctly on a standard user level account in all functional areas on both operating systems, with a few minor exceptions. Two main pieces of functionality are lost in the FDCC configuration:
1. Product update via the Help menu in the application is unavailable to a Standard User (it can be accessed when logged in as Admin). We believe this is due to security mechanisms put in place by the operating system. However, as a workaround, we tested downloading the standalone update from adobe.com and were able to patch the application successfully.
2. The Acrobat toolbar for Internet Explorer is unavailable. FDCC explicitly requires that toolbars in IE be disabled, so this is by design.

In addition, two cases do not work as expected because of FDCC policy CCE 598, which disables Internet Explorer's ability to launch the COM add-ons known as browser helper objects. The two cases are:
1. Using the “Back” button in the browser after the web server has sent FDF, XFDF or XDP data to the PDF loaded in the browser in response to a POST causes a re-submission to the web server.
2. Using template-based assembly of a new PDF from an FDF received in the browser causes the assembled PDF to open, but the data is not populated.

Some functional areas required the Flash Player; however, installation of ActiveX controls is disabled by default, so we had to download and install the stand-alone Flash installer as Admin.

Issues encountered during testing:

XP:
Firewall Settings: Throughout the testing process, two FDCC settings had to be turned off because of the test setup, so that we could remotely test the settings using an SCAP scanner. These two settings from the Standard profile are:

Allow file and printer sharing exception
Do not allow exceptions

Security Updates: The system was set up with XP Service Pack 3, which incorporates the hotfix corresponding to Knowledge Base article 923191 (MS06-057). However, the SCAP test has an error, acknowledged by NIST, in that it still looks for the registry key corresponding to the hotfix regardless of whether the service pack is installed. This failure can be seen throughout the testing process.


Vista:
Security Updates: As on XP, there is a conflict between Service Pack 1 being installed and a specific hotfix that FDCC looks for (MS07-032, KB931213), which has been rolled into SP1. This issue has also been acknowledged by NIST representatives.

Overall:
For some testing procedures, certain FDCC settings were explicitly turned off so that those procedures could succeed. These settings were:
1. Logon options – to perform certain automated testing, the logon option for message text to users had to be disabled and automatic logon enabled. These are not necessary for normal use of Acrobat or Reader and were changed only on the specific machines used for automated testing.
2. Enable Telnet – in one instance, this setting was changed because of connection issues on the testing machine; this was an isolated case, explicitly changed by the tester, and it is not necessary for normal use of Acrobat or Reader. These settings were changed only for the purpose of testing.

While testing Internet Explorer, six of the settings, which are located in the per-user section of the registry, could not be read from the remote machine while the standard user was logged in. These settings failed in scans when the standard user was logged in, but this does not reflect the settings' actual state; rather, it reflects a limitation of the FDCC testing tools.

Additionally, Acrobat and Reader interact with various third-party applications such as Microsoft Office, which require further Microsoft hotfixes to be installed in order to remain FDCC-compliant. Third-party products and their associated hotfixes must be installed after the Adobe product. Please note that none of these setting changes are caused explicitly by Adobe products, and they can easily be remedied through Windows Update.

March 11, 2009

Acrobat and Reader 9.1 Now Available with Information Assurance Updates

Version 9.1 of Adobe Acrobat and Adobe Reader is now available with critical security updates and other product improvements. Adobe strongly recommends that all users update, either through the built-in software update mechanism or by manual download from adobe.com. Here are some additional details on this release:

The full release notes are available here; the significant enhancements to information assurance functionality are:

* Long-term signature validation: the ability to validate a digital signature after certificates have expired or the certificate authorities are no longer available. PDF has already supported this by embedding the CRL or, preferably, OCSP revocation information and the certificate path into the document at signing time. 9.1 now allows this information to be embedded into a document after signing, to extend the life of previously signed documents and of any documents that were signed offline or were otherwise unable to obtain revocation information.

* Mac OS X Keychain: Supports digital signatures and encryption using software credentials and hardware tokens/smartcards accessible in the Keychain.

* Apply Ink Signature: Provides mouse/pen input for ad-hoc handwritten signatures on a PDF document. This is available under the Sign toolbar button and does not require a form field in the document or any cryptographic operation.

* Credential provisioning in PDF: For encrypted document/statement delivery, Acrobat and Reader facilitate PKCS#12 and ArcotID provisioning inside a PDF to a consumer's desktop. This provides two-factor authentication using strong credentials that are easily distributed to recipients.

Additional details and demonstrations of these capabilities will be discussed in upcoming blog posts.

OBTAINING THE 9.1 UPDATE

The auto-update mechanism should alert you of this update. You can manually force a check by going to:
Top Menu: Help -> Check for Updates.

Alternatively, you can download the installers from adobe.com as follows:

If you have Adobe Reader on Windows or Mac, the latest full installer is available here:
http://get.adobe.com/reader/

If you have Acrobat on Windows, the latest update installers are available here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows

If you have Acrobat on Mac, the latest update installers are available here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh

March 3, 2009

RSA 2009 Conference Session on Cloud Computing Security

If you are attending the 2009 RSA Conference in San Francisco this April, be sure to check out this panel discussion on cloud computing security.

Session Code: GOL-201
Session Title: Head in the Clouds...Feet on the Ground?
Scheduled Date/Time: Wednesday, April 22 08:00 AM - Orange 132

Session Abstract: While some legal challenges in cyberspace have started to become more clear, the use of cloud computing and hosted applications adds a new dimension of legal risk. Compliance, privacy, and security problems are compounded by the use of remote, distributed services operated by third parties. Businesses employing these new technologies must look anew at their online risk, and learn how to assess and manage it.

Panelists: Rena Mears, Partner, Deloitte & Touche LLP; Marc Zwillinger, Partner, Sonnenschein Nath & Rosenthal
Moderator: John Landwehr, Director, Security Solutions and Strategy, Adobe Systems Incorporated