Adobe data breach possibly the largest ever
According to Adobe's official response regarding the recent data breach - possibly the largest in history - a "backup server" admittedly had passwords and credit cards stored with reversible encryption, which is a bad practice. Others such as Sophos and Ars Technica have said they believe the algorithm used was Triple DES in ECB mode and that the passwords weren't salted. Triple DES is known to be weaker than modern ciphers, and it's not considered good enough for military / top secret use by the US government.
Among the source code and files stolen from Adobe's network, it has now been revealed that 150 million email + password combinations, as well as password hints, were taken. Unlike some attacks that seem to go away, this hacker made the 10 GB database public, and now anyone can download it through IRC or other private servers. In some cases, a targeted attack against anyone on Adobe's list can now be attempted thanks to this information going public.
If you try to log in to Adobe now, they pretty much require everyone to change their password and confirm it by email. You'd also want to make sure you're no longer using the same password on other sites, since when (not if) people decrypt the Adobe database, they can attempt to attack your accounts at other companies.
Lastpass.com has a tool to reveal if your data was stolen. I found that mine was stolen: https://lastpass.com/adobe/index.php
Here is the article by arstechnica.com:
http://arstechnica.com/security/2013/11/how-an-epic-blunder-by-adobe-could-strengthen-hand-of-password-crackers/
and Sophos:
http://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-password-disaster-adobes-giant-sized-cryptographic-blunder/
Adobe claims their new approach to password storage uses a one-way hash (SHA-256) with salting and more than 1000 iterations, which is pretty safe today, but some obvious passwords can still be guessed if the database is stolen again.
You have to wonder whether Adobe has ongoing security issues, and I'm sure the full impact of the breach will be a lot more expensive.
Companies should do more to protect user data, especially passwords and financial data.
They also had a significant data breach a year prior, which is probably why they started using the new password approach a year ago:
http://www.voiceofgreyhat.com/2012/11/Hacker-Leaked-150000-Customer-Details-of-Adobe.html
Both the old and new attacks occurred via SQL injection, which is really pathetic since it is relatively easy to prevent. Clearly, their web server software is written so poorly that it can't be trusted.
How I handle security on my application
On my application, Jetendo CMS, there is an open source SQL analysis system I built called db-dot-cfc that parses SQL and detects numbers or strings that aren't escaped with the db.cfc param or trustedSQL functions. As a result, it refuses to run queries that allow unescaped dynamic parameters anywhere in the application. I also don't have to run this "slower" analysis on the live server, because all queries are tested before going live, so the live server stays fast. It's pretty much impossible for Jetendo to be hacked via SQL injection.
Let's say someone did get past the RSA / smart card, brute force protection, firewall and other protections on my server. Such an attack might allow the attacker to download my entire database before I am able to lock them out. Well, I worked hard to reduce the risk to my users back in February 2013 by implementing extreme hashing on all the passwords, so they can't be quickly recovered on modern hardware. Previous articles:
Jetendo CMS now supports encrypted passwords for user accounts
Automatic login now implemented with unique secure tokens
Today, I announced that I took our login and password storage protection even further by implementing scrypt hashing and an automated password expiration/deletion system. As users log in again, they will be upgraded to the new security.
Jetendo CMS login security upgraded - again
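To show the two storage schemes discussed above (the salted, iterated SHA-256 that Adobe now claims to use, and the scrypt scheme with upgrade-on-login described for Jetendo), here is an added example in Python using only the standard library. It is not Adobe's or Jetendo's code; the record format, the iteration count and the scrypt cost parameters are my own assumptions for illustration.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example (not Adobe's or Jetendo's real settings).
PBKDF2_ITERATIONS = 10_000                # the post says "more than 1000"; higher is better
SCRYPT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}  # 128*n*r = 16 MiB of memory per hash
SALT_BYTES = 16


def hash_pbkdf2(password: str, salt: bytes = None) -> str:
    """Salted, iterated SHA-256 record: 'pbkdf2$<iters>$<salt hex>$<hash hex>'."""
    salt = salt or os.urandom(SALT_BYTES)   # per-user random salt: equal passwords differ
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def hash_scrypt(password: str, salt: bytes = None) -> str:
    """Salted scrypt record: 'scrypt$<n>$<r>$<p>$<salt hex>$<hash hex>'."""
    salt = salt or os.urandom(SALT_BYTES)
    n, r, p = SCRYPT_PARAMS["n"], SCRYPT_PARAMS["r"], SCRYPT_PARAMS["p"]
    digest = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=32)
    return f"scrypt${n}${r}${p}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the hash from the record's own salt and parameters; compare in constant time."""
    parts = record.split("$")
    if parts[0] == "pbkdf2":
        iters, salt, stored = int(parts[1]), bytes.fromhex(parts[2]), bytes.fromhex(parts[3])
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters)
    elif parts[0] == "scrypt":
        n, r, p = int(parts[1]), int(parts[2]), int(parts[3])
        salt, stored = bytes.fromhex(parts[4]), bytes.fromhex(parts[5])
        digest = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=32)
    else:
        return False                         # unknown or legacy scheme: force a password reset
    return hmac.compare_digest(digest, stored)


def login_and_upgrade(password: str, record: str):
    """Check the password; on success, rehash an older pbkdf2 record with scrypt.
    Returns (ok, record_to_store), so the upgrade happens at the user's next login."""
    if not verify(password, record):
        return False, record
    if record.startswith("pbkdf2$"):
        return True, hash_scrypt(password)
    return True, record
```

Because the plaintext is only available at login, the upgrade can only happen then, which is why unused accounts should eventually be expired as the post describes.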
Jetendo CMS is serious about security best practices.