How An Adobe Flaw Let Anonymous Into The FBI

Sean Michael Kerner

Adobe users’ passwords were stolen and the FBI got hit. Sean Michael Kerner smells password reuse

In early October, Adobe admitted that it was the victim of a breach that exposed the usernames and passwords of millions of its users. According to a report from Reuters published late Friday, the impact of the Adobe breach has been felt within the US government.

According to an FBI memo seen by Reuters, the hacktivist group Anonymous has gained access to multiple US government agencies. The report alleges that the infiltration of the US government agency sites came by way of flaws in Adobe’s ColdFusion Web building software. As part of the October breach at Adobe, hackers allegedly also got access to the ColdFusion source code.

Adobe ColdFusionColdFusion confusion

How does one breach at a software company leave the US government exposed to risk? It shouldn’t work that way, should it? For one, to the best of my knowledge, Adobe has done an admirable job of patching its software, such that the pilfered source code wouldn’t be all that much use against organisations that aggressively keep up with Adobe patch updates.

Additionally, the way good security best practices should work is that organisations have multiple layers of authentication and security access, such that there isn’t a single weak link. It’s unclear precisely how Anonymous got into the US government and whether it breached multiple layers of security or just one.

The real weak link that I personally expected to see from the Adobe password breach was from password reuse. Many people reuse the same passwords on multiple sites, making a username/password list a very juicy target for an opportunistic group like Anonymous. Adobe itself has reset user passwords in its own system, but password reuse means that the same users could now be at risk on countless other sites and services.

While the obvious recommendation is for users to not have the same password for multiple sites, that’s just not the current reality for most people who don’t want to remember a different password for every site they visit. There is a way for sites and agencies to protect themselves and their users from single passwords, and that is with some form of two-factor authentication. With two-factor authentication, there is an additional password (or factor), which typically is randomly generated, that is needed for a user to get access to a site or service.

Security in the modern era is no longer just about one application or one company, as so many systems and technologies are intricately interconnected. For security professionals, that means there is now a very broad attack surface that needs to be defended. Multiple layers of security, authentication and access might not prevent all breaches, but it will make it somewhat more difficult for attackers to exploit organizations.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

How well do you know data security? Take our quiz!

Originally published on eWeek.