A careless finger fumble can easily put the security of your organisation at risk.
All you need to do is click on the wrong link, open a malicious attachment, enter your password on a dodgy phishing site, or – in the case of Adobe – publish your private PGP key for anyone to see on your security blog.
Yes, you read that right – Adobe’s security team published the private PGP key for its [email protected] email account.
There aren’t enough face-palming GIFs in the world to express just how much of a goof that is.
It was an accident, of course. One assumes a member of staff was updating the public key used by Adobe’s security team for encrypted communications with the infosecurity community and simply cut-and-pasted more than they should have.
But the consequences could have been serious. An opportunistic hacker could have used the private key to create PGP-signed messages that appeared to really come from Adobe’s security team. Furthermore, the key could have been used to unlock messages sent to Adobe’s security team from researchers who had discovered zero-day vulnerabilities in – say – Flash Player. That’s not the kind of information you want to fall into the hands of a sophisticated hacking group or intelligence agency.
One also has to wonder how long it would have taken for the key to be revoked if security researcher Juho Nurminen had not privately informed Adobe about the problem.
After Adobe hurriedly revoked the PGP key, Juho was safe to publicise his discovery.
Adobe has issued a statement reassuring customers that it doesn’t believe any harm was done.
“Adobe is aware of the issue and has revoked the PGP key in question and published a new public and private key. The PGP key in question was used exclusively for email correspondence between external security researchers and the Adobe security team, and there is no impact to Adobe customers.”
Well, no harm apart from the damage done to Adobe’s reputation, of course. People will be joking about this finger fumble for years.
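A pre-publication check for the copy-and-paste slip described above, as an added example that is not code from this article or from Adobe. It goes beyond matching the "PRIVATE KEY BLOCK" armor label and also reads the first OpenPGP packet tag, so a secret key pasted under a public-key label is still caught; the function names and the sample blocks are constructed for illustration.

```python
import base64
import binascii
import re

# ASCII armor: BEGIN line, optional "Key: value" headers, base64 body, "=CRC" line, END line.
ARMOR_RE = re.compile(
    r"-----BEGIN PGP ([A-Z ]+)-----\r?\n(.*?)-----END PGP \1-----", re.DOTALL)
SECRET_TAGS = {5: "secret key", 7: "secret subkey"}  # packet tags from RFC 4880


def first_packet_tag(body):
    """Return the tag of the first OpenPGP packet in an armor body, or None."""
    lines = (line.strip() for line in body.splitlines())
    # Base64 never contains ':' (armor headers) or starts with '=' (CRC line).
    b64 = "".join(l for l in lines if l and ":" not in l and not l.startswith("="))
    try:
        first = base64.b64decode(b64[:4], validate=True)[0]
    except (binascii.Error, IndexError):
        return None
    if not first & 0x80:  # bit 7 is set in every valid packet header
        return None
    # Bit 6 selects new-format (6-bit tag) or old-format (tag in bits 5..2).
    return first & 0x3F if first & 0x40 else (first >> 2) & 0x0F


def find_secret_key_material(text):
    """Return (armor label, reason) for every block that holds secret key packets."""
    findings = []
    for match in ARMOR_RE.finditer(text):
        label, tag = match.group(1), first_packet_tag(match.group(2))
        if tag in SECRET_TAGS:
            findings.append((label, "first packet is a " + SECRET_TAGS[tag]))
        elif "PRIVATE KEY" in label:
            findings.append((label, "armor label says private key"))
    return findings


def armor_sample(label, header_bytes):
    """Constructed sample: a packet header plus zero filler, not real key material."""
    body = base64.b64encode(header_bytes + b"\x00" * 20).decode()
    return (f"-----BEGIN PGP {label}-----\nVersion: Example 1.0\n\n"
            f"{body}\n=AAAA\n-----END PGP {label}-----\n")


if __name__ == "__main__":
    draft = ("Our PGP key:\n" + armor_sample("PUBLIC KEY BLOCK", b"\x99\x01\x0d\x04")
             + armor_sample("PRIVATE KEY BLOCK", b"\x95\x03\x98\x04"))
    for label, reason in find_secret_key_material(draft):
        print(f"BLOCK PUBLICATION: {label}: {reason}")
```

Run as a gate in whatever pipeline publishes the page, it fails the draft whenever the returned list is non-empty.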