Posts in Category "General"

Recap: BlackHat 2015 and r00tz@DefCon 2015

This year Adobe security team members were out in force attending BlackHat 2015 and – new this year – helping inspire the next generation of security professionals at the r00tz @ DefCon conference for kids. Adobe was a major sponsor of the r00tz conference this year helping to set up and run a 3D printing workshop and hackfest for the young attendees.

BlackHat brings together the top experts in the security field to discuss and expose current issues in the information security industry. While there were a variety of talks covering a wide breadth of topics, here are some talks that stood out to us during our time there.

In the discussion panel “Is the NSA Still Listening to Your Phone Calls?” Mark Jaycox from the Electronic Frontier Foundation (EFF) and Jamil Jaffer, former member of the House Permanent Select Committee on Intelligence (HPSCI), talked about government surveillance, and the tradeoffs between keeping our privacy and using surveillance to defend against current threats. It was interesting to see two people on opposite sides of the spectrum openly discussing this complex issue. I felt that by listening to the two parties discuss their points I was able to walk away with a more informed opinion on the current stance of government surveillance in the country today.

James Kettle from Portswigger talked about server side template injection and showed techniques to identify and exploit it on popular template engines such as FreeMarker, Velocity, Twig and Jade. This vulnerability occurs when users are allowed to edit templates or untrusted user input is embedded in the template. It was interesting to see how this vulnerability can be used to directly attack web servers and perform remote code execution instead of cross site scripting. The talk raised awareness on the damage one can do if an application is vulnerable to template injection. Our researchers and security champions will be able to apply the information gained from this talk to identify and mitigate template injection in Adobe products.

In “The Node.js Highway: Attacks are at Full Throttle” talk, Maty Siman and Amit Ashbel discussed the security issues and demonstrated new attack techniques against Node.js applications. The attack on pseudo random number generator in Node.js which allows an attacker to predict the next number given 3 consecutive numbers was quite interesting. This means an application generating password using PRNG might reveal the passwords of all the users. The talk educated our researchers and security champions on new vulnerabilities to look for while reviewing a Node.js application.

In addition to all of the great learnings and networking at BlackHat 2015, many from our team stayed around after BlackHat to attend DefCon and help out at the r00tz @ DefCon conference for kids. This was Adobe’s first year sponsoring the r00tz conference. With the help of our awesome Photoshop engineering teams, we were able to get kid-ready workstations set up with our creative tools and hooked up to cool MakerBot 3D printers. It was a lot of fun helping kids take all of the ideas in their heads and translate them into physical objects they could then take home with them – with, of course, a lot of hacking involved to get many of the ideas to work. In addition to our 3D printing workshop, there were other exercises including a capture the flag contest and robot building contest. It was very rewarding for all of us to sponsor and be a part of inspiring these kids to pursue careers in technology.

 

Tim Fleer
Security Program Manager

Karthik Thotta Ganesh
Web Security Researcher

Why Moms Can Be Great at Computer Security

As a new mom, I’ve come to a few realizations as to why I think moms can be really innovative and outright great when it comes to solving problems in computer security. I realize these anecdotes and experiences can apply to any parent, so please take this as purely from my personal “mom” perspective. This is not to say moms are necessarily better (my biases aside), but, I do think there are some skills we learn on-the-fly as new mothers that can become invaluable in our security careers. And vice-versa – there are many skills I’ve picked up throughout my security career that have come in really handy as a new mom. Here are my thoughts on some of the key areas where I think these paths overlap:

  • We are ok with not being popular. Any parent who has had to tell their kid “no,” ground them, or otherwise “ruin their lives” knows that standing firm in what is right is sometimes not easy – but, it is part of the job. Security is not all that different. We often tell people that taking unsafe shortcuts or not building products and services with security in mind will not happen on our watch. From time to time, product teams are mad when we have to go over their heads to make sure key things like SSL is enabled by default as a requirement for launch of a new service. In incident response, for example, we sometimes have to make hard decisions like taking a service offline until the risk can be mitigated. And we are ok with doing all of this because we know it is the right thing to do. However, when we do it, we are kind but firm – and, as a result, we are not always the most liked person in a meeting, and we’re very OK with that.
  • We can more easily juggle multiple tasks and priorities. My primary focus has always been incident response, but it was not until I had a child that I realized how well my job prepared me for parenthood. A security incident usually has many moving pieces at once – investigate, confirm, mitigate, update execs, and a host of other things – and they all need to be done right now. Parents are often driving carpools while eating breakfast, changing diapers on a conference call while petting the dog with a spare foot (you know this is not an exaggeration), and running through Costco while going through math flash cards with our daughters. At the end of each workday, we have to prioritize dinner, chores, after school activities, and bedtime routines. It all seems overwhelming. But, in a matter of minutes, a plan has formed and we are off to the races! We delegate, we make lists, and somehow it all gets done. Just like we must do with our security incident response activites.
  • We trust but verifyThis is an actual conversation:

Mom: Did you brush your teeth?
Kid: Yes
Mom (knowing the kid has not been in the bathroom in hours): Are you sure? Let me smell your breath
Kid : Ugggghhhh… I’ll go brush them now…

I hear a similar conversation over and over in my head in security meeting after meeting. It usually is something like this:

Engineer: I have completed all the action items you laid out in our security review
Mom (knowing that the review was yesterday and it will take about 10 hours of engineering work to complete): Are you sure? Let’s look at how you implemented “X.”
Engineer : Oh, I meant most of the items are done
Mom: It is great you are starting on these so quickly. Please let me know when they are done.

Unfortunately, this does indeed happen sometimes – hence why I must be such a staunch guardian. Security can take time and is sometimes not as interesting as coding a new feature. So, like a kid who would rather watch TV than brush his teeth because it is not seen as a big deal to not brush, we have to gently nudge and we have to verify.

  • We are masters at seeing hidden dangers and potential pitfalls. When a baby learns to roll, crawl, and walk, moms are encouraged to get down at “baby level” to see and anticipate potentially dangerous situations. Outlet covers are put on, dangerous chemical cleaners no longer live under the sink, and bookcases are mounted to the walls. As kids get older, the dangers we see are different, but we never stop seeing them. Some of this is just “mom worry” – and we have to keep it in check to avoid becoming dreaded “helicopter parents.” However, we are conditioned to see a few steps ahead and we learn to think about the worst case scenario. Seeing worst case scenarios and thinking like an attacker are two things that make security professionals good at their jobs. Many are seen as paranoid, and, quite frankly, that paranoia is not all that dissimilar to “mom worry.” Survival of the species has relied on protection of our young, and although a new release of software is not exactly a baby, you can’t turn off that protective instinct.

It was really surprising to me the similarities between work and parenthood. Being a parent and being a security professional sound so dissimilar on the surface, but, it is amazing how the two feed each other – and how my growth in one area has helped my growth in the other. It also shows how varying backgrounds can be your path to a successful security career.

 

Lindsey Wegrzyn Rush
Sr. Manager, Security Coordination Center

FIPS Validation Certificate for LiveCycle ES3

Adobe LiveCycle ES3 includes a FIPS 140 Certified RSA BSAFE Crypto-J 3.5 (cert#590) encryption module.  FIPS mode is configured in the product installer.

Rights Management as a Service?

R-MaaS: Rights Management as a service?

I participated in a panel session this week at the Cloud Computing Summit in Washington D.C. sponsored by the 1105 Government Information Group. Over the course of the day, there was a healthy debate being waged about exactly when and how government agencies should deploy cloud applications. Some postulated that the cloud was merely a marketing term for hosted services that had been around for years, while others believed that significant technology advances such as virtualization make today’s cloud computing deployments something altogether different and more valuable. One area that lacked any debate was that the number one area of concern for both commercial and government customers regarding cloud deployments is security. Part of this debate focuses on whether or not applications that housed PII or other highly sensitive information should ever be deployed in a cloud infrastructure due to the assumed lack of control. This topic triggered some thoughts about another way security and the cloud are coming together quickly today: deploying Enterprise security software in the cloud as a managed service.

Perhaps we’ll coin the term R-MaaS for now, Rights Management As A Service. There are many layers of security that needs to be built into a cloud infrastructure, from physical security, to access controls, firewalls, and even encryption for archived data at rest. But this concept is using the power of the cloud to actually deploy security tools such as LiveCycle Rights Management, which provides persistent document protection regardless of whether the recipient is internal or ecternal to the organization, regardless of the document type (PDF, CAD, or Microsoft Office) and regardless of where the documents ultimately travel (at rest in storage or file systems, in motion over email or to the web, or in use on laptops or removable media devices). LiveCycle Rights Management as a Managed Service has already garnered a lot of interest as all of the features available on premise are also available in the cloud. This includes the ability to protect documents both inside and outside the firewall via free, widely available Adobe Reader for PDF, support for strong user authentication including VPN access for internal employees and a variety of PKI based authentication mechanisms for identity federation across organizations. As well as the ability to expire or dynamically revoke documents, link users automatically to the latest versions, or even provide anonymous access to particular documents as a way to track how documents are being consumed.

Some of these capabilities customers have been using since 2003, but now in 2010, we have added this new deployment option that not only brings rights management to the cloud, it’s actually rights management in the cloud. LiveCycle Managed Services is our new cloud deployment option for LiveCycle that allows customers to deploy software in a simple annual subscription pricing model that includes all hardware, software, maintenance, upgrades, and 24/7 monitoring of the system. We still work with a customer’s internal IT and security resources to help build out the appropriate security policies, but the mundane tasks of maintenance and upgrades are performed by Adobe. Besides all the benefits that come with a fully managed service, deployments times can be accelerated from weeks down to a couple of days or less. This allows you to get the application up and protecting documents quickly for the business without the costly delays associated with approvals, hardware and software procurement, and installation.

Now getting back to the original concerns at this week’s conference about relinquishing control of sensitive information to the cloud…. Where LiveCycle Rights Management deployed as a Managed Service circumvents these objections is through an elegant architecture that is absent the need to ever house sensitive documents in the cloud itself. In fact, only the document policies and associated keys are stored in the cloud, the documents remain in the organization’s datacenter, within their control. Keys are passed back and forth from the Rights Management server sitting in the cloud to allow user access based on the document policies. So what started as an interesting philosophical discussion about whether or not applications which transact sensitive information should leverage a cloud computing architecture, ends with the notion that some of these concerns can actually be mitigated by none other than, the cloud.

Are you redacting PDF documents properly?

There was recently another news story about a PDF document not being redacted properly. As a result, sensitive information leaked out. We’ve covered this topic before, but we’ll cover it from a different angle this time…

Continue reading…

Feature Spotlights – Flexible Authentication in LiveCycle ES2

Adobe released updates of all of the LiveCycle components when we released our “ES2” version in November 2009. As a part of this we made some significant strides to expand how you can integrate our product suite into other directory, identity management, and authentication systems.

I’d like to take this opportunity to explain some of what is new, as well as show you several videos that go into each area in more depth.

First, our integration with ActiveDirectory and LDAP directories executes substantially faster, as we have optimized the system to only pick up records that have changed recently. More info:
DeltaSync.jpg

Second, our integration with Smartcards and PKI certificates for strong authentication is much more flexible, and supports many more types of certificates. More info:
CertRegEx.jpg

Third, several customers have asked us to query one directory for user information, but integrated with a second instance for high performance authentication. We’ve listened and now support this — more info:
DeltaSync.jpg

Finally, all of our web- and Flex-based components now support SAML-based federated identity for authentication. Technically, this means that LiveCycle is substantially more flexible in terms of the Single-Sign-On (SSO) and authentication facilities that be used. In practice this means that it is very easy for you to integrate LiveCycle into your processes for interacting with customers and engaging with citizens without deploying additional identity provisioning or management software. More info:
SAML.jpg

Announcing the McAfee Data Protection Suite for Rights Management

Today McAfee announced the availability of a new joint offering with Adobe called the McAfee Data Protection Suite for Rights Management. This joint solution combines the classification capabilities from McAfee’s Host Data Loss Prevention (DLP) product with persistent protection from LiveCycle Rights Management ES. The joint value proposition allows customers to discover and classify sensitive information on laptops or desktops and automatically and proactively protect it from a single, uniform policy. This will significantly reduce the cost, complexity, and risk associated with sensitive IP and compliance information located on endpoints throughout the enterprise.

This is the result of a global alliance partnership between Adobe and McAfee, previously announced September 28, 2009 aimed at offering more comprehensive security to our Enterprise customers.

Learn more about the new offering available now from McAfee here. Please contact your local McAfee or Adobe sales representative for more in depth information or to schedule a demo of the solution.

Update on reported attacks

Here are some links to the latest statements by Adobe, McAfee, and iDefense concerning reports of cyberattacks this past week. Additional information will be available on these links should new information become available.

Adobe Secure Software Engineering (ASSET)

McAfee Security Insights Blog

Statement by iDefense

Conquering Information Risk Management

Managing information risk is a complex business these days, especially when you look at (1) the range of information you need to protect, (2) the breadth of risks you need to mitigate, and (3) the management policies and tools available to today’s IT security professionals to protect that information. However:

“A well-realized information risk management strategy has other benefits [beyond security]: enhanced business agility, competitiveness, efficiency and cost savings.”

In other words, you can’t do without it!! 

The problem?  According to Deloitte, on
average, only half of the companies surveyed in their annual Global Security and Privacy Survey had formal security
policies or strategies.  Not a great foundation on which to build risk management on!

I wrote a recent article in Security Products magazine which confronts these challenges head-on, and provides some tips on navigating the “mind-boggling” task of information risk management.

Read the article here.

Straight Talk about PDF & Digital Signatures – ISSE 2009

Jim King, PDF Architect, senior principal scientist at Adobe and one of the key drivers behind the PDF format and its adoption and continuing development by ISO as a standard (ISO 32000), recently delivered a keynote presentation to the ISSE (Information Security Solutions Europe) 2009 Conference in The Hague, Netherlands.  He discussed the evolution of the PDF format and standard, and spent most of his talk introducing the new PAdES signature standard and what it encompasses.

During that conference, Jim sat down with Roger Dean, executive director of eema UK, for a conversation about PDF, the need for digital signatures, challenges of communicating the benefits of digital signatures, and finally a description of the PAdES standard.  This interview is now available below (and here)…enjoy!