Adobe data breach possibly the largest ever

  Follow me: Follow Bruce Kirkpatrick by email subscription Bruce Kirkpatrick on Twitter Bruce Kirkpatrick on Facebook
Sun, Nov 10, 2013 at 4:35PM

According to Adobe's official response regarding the recent data breach - possibly the largest in history - a "backup server" admittedly had passwords and credit cards stored with encryption that can be reversed which is a bad practice.   Others like Sophos and Ars Technica has said that they believe the algorithm used was Triple DES ECB and the passwords weren't salted.   The algorithm is known to be weaker, and it's not considered good enough for military / top secret use by the US government.

Among source code & files on Adobe's network that were stolen, it has been revealed now that 150 million email + password combinations as well as password hints were stolen.   Unlike some attacks that seem to go away, this hacker made the 10gb database public, and now anyone can download it through IRC or other private servers.   In some cases, a targeted attack against anyone on adobe's list can now be attempted thanks to this information going public.

If you try to login to Adobe now, they pretty much require everyone to change their password and confirm it by email now.   You'd want to make sure you're not using the same password on other sites anymore too since when (not if) people decrypt the Adobe database, they can attempt to attack your accounts at other companies.  

Lastpass.com has a tool to reveal if your data was stolen.  I found that mine was stolen: https://lastpass.com/adobe/index.php

Here is the article by arstechnica.com:
http://arstechnica.com/security/2013/11/how-an-epic-blunder-by-adobe-could-strengthen-hand-of-password-crackers/

and Sophos:
http://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-password-disaster-adobes-giant-sized-cryptographic-blunder/

Adobe claims their new approach to password storage uses a one way hash (sha-256) with salting and more then 1000 iterations, which is pretty safe today, but some obvious passwords can still be guessed if the database is stolen again. 

You have to wonder if Adobe has on-going security issues and I'm sure the full impact of the breach will be a lot more expensive.

Companies should do more to protect user data, especially passwords and financial data.

They also had significant data breach a year prior, which is probably why they started using the new password approach a year ago:
http://www.voiceofgreyhat.com/2012/11/Hacker-Leaked-150000-Customer-Details-of-Adobe.html

Both the old and new attack occurred via SQL injection attacks, which is really pathetic since it is relatively easy to prevent those.   Clearly, their web server software is written so poorly that they can't be trusted.

How I handle security on my application

On my application, Jetendo CMS, there is an open source SQL analysis system I built called db-dot-cfc that parses SQL, and detects numbers or strings that aren't escaped with the db.cfc param or trustedSQL functions.  As a result, it refuses to run queries that allow unescaped dynamic parameters across the entire application.  I also don't have to run this "slower" analysis on the live server because all queries are tested before going live, so the live server stays fast.  It's pretty much impossible for Jetendo to be hacked due to SQL Injection.

Let's say someone did get past the RSA / smart card, brute force protection, firewall and other protection on my server.  Such an attack might allow the attacker to download my entire database before I am able to block them out.   Well, I worked hard to reduce the risk to my users back in February 2013 by implementing extreme hashing on all the passwords, so they can't be quickly recovered on modern hardware.  Previous articles:

Jetendo CMS now supports encrypted passwords for user accounts

Automatic login now implemented with unique secure tokens

Today, I announced that I took our login & password storage protection even further by implementing scrypt hashing, and an automated password expiration/deletion system.  As users login again, they will be upgraded to the new security.

Jetendo CMS login security upgraded - again

Jetendo CMS is serious about security best practices.


Bookmark & Share



Popular tags on this blog

Performance |