It’s time to secure Microsoft Office

This week in the office my systems have blocked 150,000 malicious Office documents. All have Office macros attached, or OLE objects. The 90s never finished as attackers learn to automate attacks using Office and old technology. If anything is a sign that the security industry needs to shift up a gear, this is it.

Kevin Beaumont has posted a fantastic (and pragmatic!) guide for best practices when working with Office documents. His guide to simple configuration management will dramatically improve your security posture by making some changes to how trustworthy Office documents are.

OLE is more popular than ever, and for all the wrong reasons.

Seagate Phish Exposes All Employee W-2’s — Krebs on Security

Email scam artists last week tricked an employee at data storage giant Seagate Technology into giving away W-2 tax documents on all current and past employees, KrebsOnSecurity has learned. W-2 forms contain employee Social Security numbers, salaries and other personal data, and are highly prized by thieves involved in filing phony tax refund requests with the Internal Revenue Service (IRS) and the states.

Source: Seagate Phish Exposes All Employee W-2’s — Krebs on Security

Verizon’s 2015 Data Breach Investigations Report

Verizon’s Data Breach Investigations Report (DBIR) is always a great resource — not only does it have the sort of broad overview that helps explain risk and threats, but digs into some of the metrics without taking a hairpin turn into absurdity and hand-wringing that so often dominates this part of the industry.

Whenever I’m asked to give a talk, I refer to the DBIR because the data is good, the information is digestible, and it always manages to steer me into topics that are relevant and realistic rather than lurching off into hypotheticals and Doom and Glooming.

Adobe Security Bulletin

It is very important that all users of Adobe Flash ensure they have the latest versions installed on all workstations — this one is pretty gnarly and will likely be getting a lot of attention in short order.

The relevant CVEs1 are:

And from Adobe’s release, the list of vulnerable versions is quite broad:

Affected software versions

  • Adobe Flash Player and earlier versions for Windows and Macintosh
  • Adobe Flash Player and earlier versions for Linux
  • Adobe AIR and earlier versions for Android
  • Adobe AIR SDK and earlier versions
  • Adobe AIR SDK & Compiler and earlier versions

Essentially, if you didn’t download a new version of Adobe Flash today, you’re probably vulnerable.

Adobe has released security updates for Adobe Flash Player and earlier versions for Windows and Macintosh and Adobe Flash Player and earlier versions for Linux. These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe is aware of reports that an exploit for CVE-2014-0502 exists in the wild, and recommends users update their product installations to the latest versions.

via Adobe Security Bulletin.

  1. Common Vulnerabilities and Exposures reference number used by researchers and vendors 

Breach Notifications: Adobe

Adobe has issued an important alert for all customers of Adobe. Adobe says they have issued a mass reset of user accounts but many people I’ve spoke with haven’t received a notification via email at this time. The customer alert contains the steps users should take to reset their password without waiting, and it’s strongly recommended that all users that have Adobe accounts do exactly that. The puzzling part about this notification is that Adobe indicates that they store encrypted credit or debit card numbers and expiration dates. This is an audit-failing practice that should not have been implemented and should have been addressed by Adobe as part of a routine PCI/DSS assessment.

Worst Practices

No vendor that uses credit card data is to store credit card numbers, regardless of them being encrypted. It is not needed by the merchant to store the numbers at all, because they are authorized by a payment processing company and the merchant can safely store a token that acts as a reference to a transaction only and does not decrypt into a valid credit card number. Adobe has several products and services that use the Adobe account information, one of which is Business Catalyst; and in the course of some searching I did find one particularly interesting discussion on their support website titled PCI Compliance where a customer is asking about this service in particular and an Adobe rep informs the customer that Business Catalyst is certified as PCI Level 11.

Without knowing more details about their required assessments to maintain that certification, it’s hard to say how they were able to pass an audit and simultaneously engage in this practice of storing credit card numbers. In the case of Business Catalyst, which is a content management service for vendors, it seems very unlikely that the Adobe account system would be out-of-scope for purposes of PCI/DSS. The method used to breach Adobe’s systems and gain access to this data are also important, as Adobe is also required to follow very stringent access controls over information like this. Over the next few days and weeks it seems likely that Adobe will have to further provide additional information At this point it seems very likely that Adobe will be assessed a very large fine in the aftermath of this breach, and can lose their ability to handle credit card payments with subsequent breaches. It’s a very serious issue for them that they will need to tackle sooner rather than later. Breach notification laws exist in 46 out of 50 states in the United States, and Adobe’s status as a publicly traded company means that even more details will have to be released to the SEC. While the consumer side of this incident is terrible enough, Adobe also has reportedly had the sourcecode to their entire product offering taken as well, which can be leveraged by people to write zero-day exploits against previously-unknown vulnerabilities in their software. This is arguably far more serious than millions of encrypted credit card numbers being stolen.

Possible Dangers

Considering that Adobe’s technology is so prevalent in web browsers (Adobe Flash) and in handling forms and documents (Adobe Acrobat) not to mention the dozens of other tools and applications in their portfolio — having access to vulnerabilities that have not yet been broadly discovered will enable malicious actors to tailor their attacks to exploits Adobe and vendors like Microsoft and Symantec aren’t even aware of. These are especially important in so-called “APT” (advanced persistent threat) attacks where an organization is specifically targeted. The next few days are going to involve a lot of nail-biting for Adobe, their customers, and end-users of their products.


  • Change account credentials with Adobe immediately
  • Make use of the credit monitoring service that Adobe will be providing you
  • Monitor accounts more vigorously for fraudulent transactions
  • Report incidents of identity theft to the Federal Trade Commission2
  • Change your passwords for any website, service, or software that uses the same userID, email address, or password 3
  • Weigh the inconvenience of canceling your cards used with Adobe now versus later should it be compromised. In most cases it’s best for you in terms of level of frustration to cancel and request new cards now rather than discovering unauthorized use later when you need to use your credit card and discover that you no longer have an available line of credit.

  1. This means that Adobe handles more than 300,000 transactions annually. Level 2 vendors are anything less than that. 

  2. Currently the FTC is closed following the Congressional Republican shutdown of the United States government. 

  3. Stop doing this! You should never use the same pair of usernames and passwords for any reason! 

1Password 4 now available on OS X

My favorite password manager recently received an update for iOS, but as of today Agile’s 1Password for OS X is now also sporting numerous refinements and updates in addition to new features to delight and amaze you. My favorite item in the long list of new features that Agile has added has to be this one:
Multiple and Shared Vaults – create separate vaults to share with business or family members that each get their own sync preferences and locations

Agile Blog