Americans hacked don’t know Commerce Chamber left them all alone

For years, fixing the software flaws that left Adobe Systems’s customers prey to hackers simply wasn’t a top company priority.

At Adobe, whose Acrobat and Reader programs for creating and viewing PDF documents sit on most of the planet’s personal computers, “security never made the list,” says Brad Arkin, senior director of product security and privacy at the San Jose, Calif.-based company.

Then, in 2009, what became known as the JBIG2 flaw created an existential crisis for the company. For the first time, hackers were found to be using a crack in the armor of Acrobat and Reader to infiltrate major corporations and Adobe had no available fix.

“That was the big wake-up call,” Arkin says. “We needed to make some big changes to protect our users.”

The company realized it had to defend itself against a new, sophisticated type of hacker-spy targeting the software’s corporate users and their secrets, Arkin says.

In one instance, attackers used the JBIG2 defect to get access to the computer of a Coca-Cola Co. executive in China through an infected Adobe PDF they emailed to her, according to an internal Coca-Cola document obtained by Bloomberg. The beverage maker was involved in what would have been the largest foreign takeover of a Chinese company at the time.

After finding there were too many imperfections to fix, Arkin says he instead erected a virtual wall around the programs, and focused on keeping that defense intact.

It might not be enough.

“Imagine a castle wall as long as the Great Wall of China,” says Kyle Randolph, a former senior manager of product security at Adobe, who worked there from 2008 until this year. “All you need is one hole and the whole thing is compromised.”

Flaws in the ubiquitous software on PCs, tablets and smartphones have empowered cyber intruders and plagued businesses, governments and political dissidents with sabotage, theft and physical attacks, a yearlong series by Bloomberg News shows. In part, it is the legacy of companies that eschewed vigilance, putting profit before safety.

That it took a series of attacks on corporate customers to shock the U.S. software company into making security a priority helps illustrate why today — two decades after the Internet age took off — computer users are at risk whenever and wherever they’re online.

Products used on virtually all computers, from Adobe, Apple, Microsoft and Oracle, consistently dominate industry rankings of programs most vulnerable to attack. The resulting Swiss cheese of imperfections has made every citizen a potential crack in the security walls meant to protect their governments, employers and anyone with whom they do business.

Across the industry, software makers say they are taking security seriously and making improvements to address the increasingly sophisticated hacker threat. For instance, Microsoft and Adobe have made it easier for users to get updates that patch defects, and Google fends off attacks by encrypting traffic on its Gmail service.

Adobe’s Arkin says the company’s strategy makes the software easier to defend by requiring it to safeguard about 8,000 lines of code that hackers could use to breach the protective wall, instead of tens of millions of lines in the underlying programs. While the programs won’t be perfect forever, Adobe is working to keep ahead of the hackers by making their jobs harder and more expensive, Arkin says.

The flaws have nevertheless flourished in the absence of industry standards or product liability.

Attempts to force the architects of the Internet to improve the safety of users have so far failed, in part because the U.S. Chamber of Commerce has pushed back on behalf of its business members. It helped defeat a cyber security bill backed by the White House this year that included regulation of the small fraction of corporate computer systems that, if hacked, could cause mass casualties or economic damage.

In response to questions about its opposition to the bill, the Chamber provided a letter it sent last month to the U.S. Senate, favoring a “workable” bill focused on information sharing, and voicing “serious concerns” about government interference with the private sector.

In America and Britain, about 1-in-3 computer users had contact with malicious software, just between July and September this year, according to data Moscow-based anti-virus software maker Kaspersky Lab collected from its customers.

The implications of lagging security go beyond PCs to critical infrastructure and industry, such as power grids and railroads, and to increasingly networked lives, including phone systems and videoconferencing that run over the Internet.

“Sooner or later, the people who are exploiting these security flaws will go from stealing information to breaking systems — because they can — and then it’s going to be obvious to everybody how bad things are,” says Stewart Baker, former general counsel for the National Security Agency, the U.S. spy agency, which monitors foreign communications.

Increasing the security of millions of lines of code underlying some of the world’s most popular software would be time-consuming and expensive. Behind closed doors, software makers consistently argue that while consumers may appreciate more security, there is little evidence they’d sacrifice functionality, time-to-market or cost to get it, according to three policy makers who regularly attend meetings with software company chief executive officers. They asked not to be named because the meetings were confidential.

In a series of stories that showed the global abuses and costs of cyber weapons and espionage, Bloomberg News uncovered a diverse array of attackers and targets: A hacker group linked by U.S. intelligence to the Chinese military, according to a U.S. diplomatic cable released by WikiLeaks, stole U.S. corporate secrets and pilfered bureaucrats’ emails in Brussels, while commercial spyware made in Europe hit Persian Gulf activists; and Syrians fought a cyber war via online chats and webmail with rudimentary tools and deadly results.

As different as the examples are from each other, a single thread runs through them all: flawed software or network design enabled the hacks.

The March 2009 Coca-Cola hack, which was first reported by Bloomberg News in November this year, used the Adobe JBIG2 vulnerability a month after Adobe alerted customers to the problem.

Spyware identified as being from Milan-based HackingTeam, which targeted activists in the United Arab Emirates and Morocco, used imperfections in Microsoft and Adobe software.

A commercial spy program sold to governments — and discovered by Bloomberg News to have been used in the surveillance of Bahraini democracy activists — had advertised that it was able to gain control of computers through an Apple iTunes flaw that was publicly known for three years before Apple patched it in November 2011. The manufacturer of the FinFisher software, U. K-based Gamma Group, pins the blame on Apple.

“They could have protected users,” says Martin J. Muench, the managing director of Gamma’s German unit. “Security wasn’t their highest priority.”

Apple spokesman Bill Evans said the iTunes security problem has been fixed and declined to comment on Muench’s statement.

Microsoft has taken steps to keep customers safer, says Matt Thomlinson, general manager of product security at the Redmond, Washington-based company. It ramped up the effort in 2002 with the establishment of its Trustworthy Computing initiative, which deals with security and privacy issues. Since 2004, Microsoft has made automated updates a standard setting for users of its Windows operating system.

“We’ve had some really good impact on driving down attacks through vulnerabilities, but that doesn’t mean the attackers are going away,” he says.

In the continuous battle, an informal army of hackers, security firms, academics and other bug hunters seeks out imperfections in programs that an attacker can use to compromise a computer. Some privately alert software makers to flaws they find. Others devise methods for using those defects — known as exploits — and then sell or publicize them as hacking tools.

Despite new priorities for security, some software makers give hackers head starts by failing to fix the problems quickly.

This year, Oracle didn’t patch a bug in Java, its computing platform for a range of games, trading and other programs, until almost five months after researchers alerted it about the vulnerability.

On April 2, Polish firm Security Explorations told Oracle it had discovered a defect in the product. Months went by with no solutions from Oracle, the world’s largest supplier of database software.

Oracle spokeswoman Deborah Hellinger declined to comment on the Java flaw identified by Polish researchers or its system for patching vulnerabilities.

While hacking’s dangers can’t be eliminated, they can be reduced, as the evolution of the auto industry has shown.

In 1965, consumer rights advocate Ralph Nader published “Unsafe at Any Speed,” detailing how U.S. automakers, fearing higher costs, resisted measures such as seat belts and ignored crash-test findings. The book spawned congressional hearings and modern safety requirements.

Almost a half-century later, Nader says the government and online service providers should do more to safeguard consumers from the new threat. “It does seem they can’t keep up with the genius nature of the hackers,” says Nader. “Basically it’s the cost of doing business.”