Adobe Digital Publishing Suite, Enterprise Edition Security Overview

This new DPS security white paper describes the proactive approach and procedures implemented by Adobe to increase the security of your data included in applications built with Digital Publishing Suite.

The paper outlines the Adobe Digital Publishing Suite Content Flow for Secure Content, available in Digital Publishing Suite v30 or later for apps with direct entitlement and retail folios entitlement. The secure content feature allows you to restrict the distribution of your content based on user credentials or roles.

The paper also outline the security practices implemented by Adobe and our trusted partners.

Security threats and customer needs are ever-changing, so we’ll update the information in this white paper as necessary to address these changes.

Bronwen Matthews
Sr. Product Marketing Manager

A First Experiment with Chef

Security professionals are now using cloud solutions to manage large-scale security issues in the production Ops workflow. In order to achieve scale, the security processes are automated through tools such as Chef. However, you can also leverage the automation aspects of the cloud regardless of whether or not you plan to scale it to hundreds of machines. For example, one of my first cloud projects was to leverage Chef to resolve a personal, small scale issue where I might have previously used a VM or separate machine.

Using the cloud for personal DevOps

At Adobe, we’re constantly hiring third party security consultants to test our products. They require environments for building and testing Adobe code, and they need access to tools like Cygwin, Wireshark, SysInternals, WinDbg, etc. For my personal testing, I also require access to machines with a similar set up.  Using the cloud, it is possible to quickly spin up and destroy these types of security testing environments as needed.  

For this project, I used Adobe’s private cloud infrastructure – which is just an implementation detail – this approach can work on any cloud infrastructure. Our IT department also provides an internal Chef server for hosting cookbooks and managing roles.

In order to connect the Chef server and the cloud environment, I decided to set up a web server which would copy the Chef config files to the cloud instance and launch chef-client. For this, I chose Windows IIS, C# and ASP.NET because I had an unrelated goal of learning more about WMI and PowerShell through a coding project. Vagrant for Windows would be an alternative to this approach but it wasn’t available when I began the project. My personal Linux box was used to write the Chef recipes and upload the cookbook to the Chef server.

The workflow of the set-up process is as follows:

1.    Request a new Windows 7 64-bit instance from the cloud and wait for the response saying it is ready.

2.    The user provides the domain name and administrator password for the Windows 7 instance to the web page. If I need to set up additional accounts on the machine, I can also collect those here and run command lines over WMI to create them.

 3.   Using the admin credentials, the web server issues a series of remote WMI calls to create a PowerShell script on the Windows 7 instance. WMI doesn’t allow you to directly create files on remote machines, so I had to use “echo” and redirect the output.

 4.   By default, Windows doesn’t allow you to run unsigned PowerShell scripts. Although, with admin privileges you can use a command line to disable the signature check before executing the script. Once the script was done, the signature check is re-enabled.

 5.    The PowerShell script will download the client.rb file and validator.pem key needed to register the Windows 7 instance with the chef server.

 6.   WMI can then be used to run the chef-client command line which will register the new Windows 7 instance with the chef-server.

 7.    Since chef requires a privileged user to assign roles to the Win7 node, a separate chef key and a copy of the knife utility are stored locally on the web server. The C# server code will execute knife using the privileged key to assign the appropriate role to the new Windows 7 node in Chef.

 8.    Lastly, the web server uses WMI to run chef-client on the Windows 7 instance a second time so that the recipes are executed. The last chef recipe in the list will create a finished.txt file on the file system that the web server can verify that the process is completed.

Lessons Learned from Writing the Recipes

Using Chef, I was able to install common tools such as WinDbg, Cygwin (with custom selected utilities), SysInternals, Wireshark, Chrome, etc. Chef can be used to execute VBScript which allowed me to accomplish tasks such as running Windows Update during the setup process. For most recipes, the Opscode Windows cookbook made writing the recipes fairly straightforward.

Some of the installers will require a little legwork. For instance, you may have to search the web for the command line flags necessary for silent install. If you cannot automatically download an installer from the web, then the installers can be stored on the Chef server along with the recipes. For Wireshark, it was necessary to download and install winpcap before downloading and installing Wireshark. One client installer was not Chef-friendly, which lead to the creation of a Chef script that would have Windows Task Scheduler install the software instead. 

As a specific example, Cygwin can be one of the more complicated installs because it is a four-step process. There are some public cygwin recipes available for more advanced installs but this is enough to get it installed just using the Opscode Windows cookbook. For a robust deployment, additional code can be added to ensure that it doesn’t get run twice if Cygwin is already installed. The demo workflow below uses windows_package to download the setup executable. The windows_batch commands will then run the executable to install the default configuration, download additional utilities and then install the additional utilities:

 include_recipe “windows”

 windows_package ‘cygwin64′ do
     source ‘http://cygwin.com/setup-x86_64.exe
     installer_type :custom
     action :install
     options ‘–download –quiet-mode –local-package-dir c:\\cygwin_downloads –root c:\\cygwin64 -s http://mirror.cs.vt.edu/pub/cygwin/cygwin/’
end

windows_batch ‘cygwin_install_from_local_dir‘ do
code <<-EOH

    #{Chef::Config[:file_cache_path]}/setup-x86_64.exe –local-install –quiet-mode –local-package-dir c:\\\\cygwin_downloads –root c:\\\\cygwin64

   #{Chef::Config[:file_cache_path]}/setup-x86_64.exe –download –quiet-mode –local-package-dir c:\\\\cygwin_downloads –root c:\\\\cygwin64 -s http://mirror.cs.vt.edu/pub/cygwin/cygwin/ –packages vim,curl,wget,python,cadaver,rats,nc,nc6,git,subversion,flawfinder,stunnel,emacs,openssh,openssl,binutils

   #{Chef::Config[:file_cache_path]}/setup-x86_64.exe –quiet-mode –local-package-dir c:\\\\cygwin_downloads –root c:\\\\cygwin64 -s http://mirror.cs.vt.edu/pub/cygwin/cygwin/ –packages vim,curl,wget,python,cadaver,rats,nc,nc6,git,subversion,flawfinder,stunnel,emacs,openssh,openssl,binutils -L

    Exit 0
EOH
end

Post-Project Reflections

There are definitely alternative approaches such as using a baseline VM snapshot or a pre-built AMI with all of these tools installed. They each have their own pros and cons. For instance, local VMs launch faster but the scaling is limited by disk space. I chose Chef recipes because it provides the flexibility to create custom builds and ensures that everything is current. If needed, the system is able to scale quickly. The extra work in writing the server meant that I could make the process available to other team members.

Overall, despite having to be creative with some recipes, the project didn’t require a huge investment of time. A large portion was written while killing time in airports. The fact that I was able to go from a limited amount of knowledge to a working implementation fairly quickly speaks to the ease of Chef. If you are interested in learning more about the cloud, you don’t need a large, massively scalable project in order to get your hands dirty. It is possible to start with simple problems like creating disposable workstations.

PeleusUhley
Lead Security Strategist

Approaching Cloud Security From Two Perspectives

Last month, I was in Amsterdam to give a talk at SecureCloud 2014, a conference hosted by the Cloud Security Alliance. The conference attendees included a number of governmental policy-makers, and provided an opportunity for people from around the world to discuss the future of cloud computing security.

This conference was co-sponsored by the European Union Agency for Network and Information Security, or ENISA. They are actively working toward assisting Europe in adopting cloud technologies and simplifying governmental regulations across Europe. Therefore, they were able to attract representatives from several governments to share ideas on leveraging the cloud for the betterment of Europe.

EU Governments are Adopting Cloud Technology

To set context for the state of cloud adoption, Udo Helmbrecht, the Executive Director of ENISA, shared this slide during his presentation depicting the deployment model of government clouds in different countries. This information was from ENISA’s  Good Practice Guide for securely deploying Governmental Clouds

EU Slide

 

According to their numbers, at least 14 EU countries have developed a national cloud strategy or digital agenda. The European Commission is spearheading a number of initiatives, such as “Unleashing the Potential of Cloud Computing in Europe“, aimed at encouraging further uptake of cloud computing services in the EU, both in the public and private sector. ENISA is working together with the European Council on several of those initiatives such as defining the role of cloud certification schemes.

One example of governments taking advantage of the cloud was given by Evangelos Floros, the product manager for Okeanos. Okeanos is a public cloud built for the Greek academic and research community. In addition, Arjan de Jong presented on how the Dutch government is experimenting with a closed, government cloud for internal use. If their experiment is successful, then they will progress towards expanding the scale of their cloud offerings. Many of the presentations from SecureCloud can be found on their website.

A Different Perspective from Amsterdam

It was interesting to see all the different top-down, government perspectives from policy-makers at the CSA SecureCloud conference last month. This month, I will be back in Amsterdam for the Hack in the Box conference and Haxpo. This will be a very different group of people who help secure the Internet from the bottom up through innovative exploit techniques and secure implementations. Karthik Raman and I will be presenting there on the topic of securing cloud storage. Our presentation will involve a mix of cloud strategy as well as some technical implementation solutions. If you are attending, please come by our talk or the Adobe booth to say hello.

Peleus Uhley
Lead Security Strategist

 

 

ColdFusion 11 Enhances the Security Foundation of ColdFusion 10

Tuesday marked the release of ColdFusion 11, the most advanced version of the platform to date. In this release, many of the features introduced in ColdFusion 10 have been upgraded and strengthened, and developers will now have access to an even more extensive toolkit of security controls and additional features. 

A few of the most significant ColdFusion 11 upgrades fall into three categories. The release includes advances in the Secure Profile feature, access to more OWASP tools, and a host of new APIs and development resources.

1.       More OWASP Tools

 In ColdFusion 11, several new OWASP tools have been added to provide more integrated security features. For instance, features from the AntiSamy project have been included to help developers safely display controlled subsets of user supplied HTML/CSS. ColdFusion 11 exposes AntiSamy through the new getSafeHTML() and isSafeHTML().

In addition, ColdFusion 11 contains more tools from OWASP’s Enterprise Security API library, or ESAPI, including the EncodeForXPath and EncodeForXMLAttribute features. These ESAPI features provide developers more flexibility to update the security of existing applications and serve as a strong platform for new development.

2.       Flexible Secure Profile Controls

Secure Profile was a critical feature in ColdFusion 10, because it allowed administrators to deploy ColdFusion with secure defaults. In the ColdFusion 11 release, admins have even more flexibility when deploying Secure Profile.

In ColdFusion 10, customers had the choice to enable secure install or not, only at the time of installation,depending on their preferences. But with ColdFusion 11, customers now have the ability to turn Secure Profile off or on after installation, whenever they’d like, which streamlines the lockdown process to prevent a variety of attacks.

Further improvements to the Secure Profile are documented here.

3.       Integrating Security into Existing APIs

 ColdFusion 11 has many upgraded APIs and features – but there are a few I’d like to highlight here. First, ColdFusion 11 includes an advanced password-based key derivation function – called PBKDF2 – which allows developers to create encryption keys from passwords using an industry-accepted cryptographic algorithm. Additionally, the cfmail feature now supports the ability to send S/MIME encrypted e-mails. Another ColdFusion 11 update includes the ability to enable SSL for WebSockets. More security upgrade information can be found in the ColdFusion 11 docs.

Overall, this latest iteration of the platform increases flexibility for developers, while enhancing security. Administrators will now find it even easier to lock down their environments. For information on additional security features please refer to the Security Enhancements (ColdFusion 11) page and the CFML Reference (ColdFusion 11).

Peleus Uhley
Lead Security Strategist

Using Smart System to Scale and Target Proactive Security Guidance

One important step in the Adobe Secure Product Lifecyle is embedding security into product requirements and planning. To help with this effort, we’ve begun using a third-party tool called SD Elements.

ADO867-Security-SPLC_V1-live

SD Elements is a smart system that helps us scale our proactive security guidance by allowing us to define and recommend targeted security requirements to product teams across the company in an automated fashion. The tool enables us to provide more customized guidance to product owners than we could using a generic OWASP Top 10 or SANS Top 20 Controls for Internet Security list and it provides development teams with specific, actionable recommendations. We use this tool not only for our “light touch” product engagements, but to also provide our “heavy touch” engagements with the same level of consistent guidance as a foundation from which to work.

Another benefit of the tool is that it helps makes proactive security activities more measurable, which in turn helps demonstrate results which can be reported to upper management.

ASSET has worked with the third-party vendor Security Compass, to enhance SD Elements by providing feedback from “real world” usage of the product. The benefit to Adobe is that we get a more customized tool right off the shelf – beyond this, we’ve used the specialized features to tailor the product to fit our needs even more.

We employ many different tools and techniques with the SPLC and SD Elements is just one of those but we are starting to see success in the use of the product. It helps us make sure that product teams are adhering to a basic set of requirements and provides customized, actionable recommendations on top. For more information on how we use the tool within Adobe, please see the SD Elements Webcast.

If you’re interested in SD Elements you can check out their website.

Jim Hong
Group Technical Program Manager

New White Paper on Creative Cloud for teams Security Architecture and Functionality

At Adobe, we take the security of your digital experiences seriously.

The Adobe Creative Cloud for teams Security Overview white paper describes the proactive approach and procedures implemented by Adobe to increase the security of your Creative Cloud experience and data.

The paper provides details related to the security architecture and functionality available in Creative Cloud for teams. It also outlines the security practices implemented by Adobe and our trusted partners as part of the ongoing development of Creative Cloud. From our rigorous integration of security into our internal software development process to the tools used by our cross-functional incident response teams, we strive to be proactive and nimble.

Security threats and customer needs are ever-changing, so we’ll update the information in this white paper as necessary to address these changes.

Bronwen Matthews
Sr. Product Marketing Manager

NetWars: My Experience at the Minnesota Cyber Aces State Championship

Adobe has always been very supportive of professional development for its employees. It is a great way to work on projects that might not be directly related to one’s main responsibilities. While I am currently responsible for managing engineering and quality engineering on the Adobe Photoshop architecture team, I have been using my professional development time to research cybersecurity.

I recently learned about Cyber Aces, founded by Alan Paller, co-chair of the Secretary of Homeland Security Task Force on Cyberskills and founder and research director of the SANS (SysAdmin, Audit, Networking, and Security) Institute. The goal of Cyber Aces is to “fill a critical shortage of skilled cybersecurity professionals by growing the talent pool, discovering those with high potential, and offering a fast track to cybersecurity jobs.”

In order to qualify for the Cyber Aces Minnesota State Championship, I had to take a series of online quizzes in Networking, Operating Systems, and Systems Administration. Luckily, I scored high enough to be invited to participate for the championship title on a simulation called NetWars – a real-time capture-the-flag competition on March 15, 2014. NetWars was created by the folks at SANS as a way for participants to test their skills with hands-on exercises and penetration tests.

Before the competition, there was an ethics panel hosted by Dr. Kevin Gyolai, dean of STEM (science, engineering, and mathematics) at Inver Hills Community College where the competition took place. The panelists represented a range of disciplines from industry (UNISYS), to education (Inver Hills Community College), and government (FBI). They talked about the “insider threats” facing many organizations, how the US Cyber Command has hundreds of job openings that they cannot fill and how BYOD (bring your own device) is challenging university campus networks and corporations.

After the panel, we got down to business. Level 1 had a series of questions asking us to find flags by looking at the file system, and an interesting question about PDF. On a personal level, it was awesome to see a question about a PDF. I am not allowed to talk about the question as the other states haven’t completed the competition yet, but it was an excellent question.

I have earned the ASSET (Adobe Secure Software Engineering Team) brown belt certification and programs like Cyber Aces and NetWars will help me on my way to earning a black belt. Thank you to everyone at Cyber Aces for hosting a fantastic event.  I encourage anyone interested in developing their security skills to take a look at Cyber Aces and participate.

Jeff Sass
Engineering Manager, Photoshop

Top 10 Hacking Techniques of 2013: A Few Things to Consider in 2014

For the last few years, I’ve been a part of the annual ranking of top 10 web hacking techniques organized by WhiteHat Security. Each year, it’s an honor to be asked to participate, and this year is no different. Not only does judging the Top 10 Web Hacking Techniques allow me to research these potential threats more closely, it also informs my day-to-day work.

WhiteHat’s Matt Johansen and Johnathan Kuskos have provided a detailed overview of the top 10 with some highlights available via this webinar.  This blog post will further describe some of the lessons learned from the community’s research.

1. XML-based Attacks Will Receive More Attention

This year, two of the top 15 focused on XML-based attacks. XML is the foundation of a large portion of the information we exchange over the Internet, making it an important area of study.

Specifically, both researchers focused on XML External Entities. In terms of practical applications of their research, last month Facebook gave out their largest bug bounty yet for an XML external entity attack. The Facebook attack demonstrated an arbitrary file read that they later re-classified as a potential RCE bug.

Advanced XML features such as XML external entities, XSLT and similar options are very powerful. If you are using an XML parser, be sure to check which features can be disabled to reduce your attack surface. For instance, the Facebook patch for the exploit was to set libxml_disable_entity_loader(true).

In addition, JSON is becoming an extensively used alternative to XML. As such, the JSON community is adding similar features to the JSON format. Developers will need to understand all the features that their JSON parsers support to ensure that their parsers are not providing more functionality than their APIs are intended to support.

2. SSL Takes Three of the Top 10 Spots

In both the 2011 and 2012 Top 10 lists, SSL attacks made it into the top spot.  For the 2013 list, three attacks on SSL made it into the top 10: Lucky 13, BREACH and Weaknesses in RC4. Advances in research always lead to more advances in research. In fact, the industry has already seen our first new report against SSL in 2014.  It will be hard to predict how much farther and faster research will advance, but it is safe to assume that it will.

Last year at BlackHat USA, Alex Stamos, Thomas Ptacek, Tom Ritter and Javed Samuel presented a session titled “The Factoring Dead: Preparing for the Cryptopocalypse.” In the presentation, they highlighted some of the challenges that the industry is facing in preparing for a significant breach of a cryptographic algorithm or protocol. Most systems are not designed for cryptographic agility and updating cryptography requires a community effort.

These three Top 10 entries further highlight the need for our industry to improve our crypto agility within our critical infrastructure. Developers and administrators, you should start examining your environments for TLS v1.2 support. All major browsers currently support this protocol. Also, review your infrastructure to determine if you could easily adopt future versions of TLS and/or different cryptographic ciphers for your TLS communication. The OWASP Transport Layer Protection Cheat Sheet provides more information on steps to hard your TLS implementation.

3. XSS Continues to Be a Common Concern for Security Professionals

We’ve known about cross-side scripting (XSS) in the community for over a decade, but it’s interesting that people still find innovative ways to both produce and detect it. At the most abstract level, solving the problem is complex because JavaScript is a Turing-complete language that is under active development. HTML5 and CSS3 are on the theoretical edge of Turing-Completeness in that you can implement Rule 110 so long as you have human interaction. Therefore, in theory, you could not make an absolute statement about the security of a web page without solving the halting problem.

The No. 1 entry in the Top 10 this year demonstrated that this problem is further complicated due to the fact that browsers will try to automatically correct bad code. What you see in the written code is not necessarily what the browser will interpret at execution. To solve this, any static analysis approach would not only need to know the language but also know how the browser will rewrite any flaws.

This is why HTML5 security advances such as Content Security Policies (CSP) and iframe sandboxes are so important (or even non-standards-based protections such as X-XSS-Protection).  Static analysis will be able to help you find many of your flaws. However, due to all the variables at play, they cannot guarantee a flawless site. Additional mitigations like CSP will lessen the real world exploitability of any remaining flaws in the code.

These were just a few of the things I noticed as a part of the panel this year. Thanks to Jeremiah Grossman, Matt Johansen, Johnathan Kuskos and the entire WhiteHat Security team for putting this together. It’s a valuable resource for the community – and I’m excited to see what makes the list next year.

Peleus Uhley

Lead Security Strategist

 

Mass Customization of Attacks Talk at RSA

Business consultant Stanley Davis defined mass customization as the “customization and personalization of products and services for individual customers at a mass production price.” Anyone who has ever ordered a custom PC is no stranger to mass customization: that particular combination of components wasn’t assembled into a PC until the customer initiated an order.

As we responded to zero-day exploits in the past couple of years, we took stock of some of the properties that separated them from mass malware, which affect older, patched vulnerabilities. For example, we noticed zero-day attacks starting to target more than one version of a platform on one or more operating systems. In addition, we observed that zero-day attacks contain more than one exploit possibly affecting multiple vendors’ products. Our thesis can be stated as follows: The exploit creation industry is maturing; by combining the features of mass malware with multiple zero-day exploits, they can create mass-customized attacks.

 masscustomizedattacks

 

We expand on this thesis in our upcoming talk at the RSA 2014 conference and use several case studies to prove it.

If you’re going to be attending RSA on Tuesday, Feb. 25, please swing by our talk at 2:40 p.m. in the West Room 3006. We look forward to sharing our research and the conversations with our friends and partners in the industry!

Peleus Uhley, Platform Security Strategist
Karthik Raman, Security Researcher

Adobe Sponsors Nullcon 2014

NullCon, held annually in Goa, is one of the premier security conferences in India. This conference has emerged out of a not-for-profit society, null, which is the largest active security community in India. I will be attending the conference along with two Security Researchers from my team, Kriti and Vaibhav. We are looking forward to an interesting lineup of talks, especially the keynote session by Jeff Moss, founder of Black Hat and DEF CON.

I’m most excited about the hallway conversations, which for me has always been the most interesting part of this conference and a time to catch up with some of the brightest minds in Security. This year, Adobe will have a booth at the conference and we are recruiting for the role of Security Researcher. So in case you are interested please drop by our booth with your resume or just come by to say hello.

If you haven’t registered yet for the conference, I encourage you to go ahead. The details are on the NullCon website.

See you there.

Priyank Choudhury
Manager, Secure Software Engineering