Far Beyond Code LLC

Bruce Kirkpatrick

Click here to see how google sees this page | Change Font Size: Smaller | Normal | Larger

Offering the best for less

Generate more leads and manage your online business with the best technology platform in the real estate industry. This online marketing solution for agents, teams and offices helps you increase your sales to new levels.

Look your best with our design services

Your web site is probably the first thing customers see before choosing to do business with you. Our designers understand how to communicate the image you want to represent.

"Search engine optimization" only means something when it actually works.

We don't sell you wonderful stories about your amazing online future. We know that most of our competitors just can't deliver. We'll make it easier for you through honesty, affordability and transparency.

Let us modernize the way you do business

Integrating disparate systems, enterprise search, custom intranets, ecommerce systems, automation, advanced reporting and analysis, online collaboration. You name it, we have done it.

Experience + Passion = MAXIMUM RESULTS

Since 2001, this labor of love has provided endless challenges. While many people struggle, Bruce eagerly solves complex computer problems. You need a passionate expert like Bruce on your team.

Adobe data breach possibly the largest ever

Follow me:

Sun, Nov 10, 2013 at 4:35PM

According to Adobe's official response regarding the recent data breach - possibly the largest in history - a "backup server" admittedly had passwords and credit cards stored with encryption that can be reversed which is a bad practice.   Others like Sophos and Ars Technica has said that they believe the algorithm used was Triple DES ECB and the passwords weren't salted.   The algorithm is known to be weaker, and it's not considered good enough for military / top secret use by the US government.

Among source code & files on Adobe's network that were stolen, it has been revealed now that 150 million email + password combinations as well as password hints were stolen.   Unlike some attacks that seem to go away, this hacker made the 10gb database public, and now anyone can download it through IRC or other private servers.   In some cases, a targeted attack against anyone on adobe's list can now be attempted thanks to this information going public.

If you try to login to Adobe now, they pretty much require everyone to change their password and confirm it by email now.   You'd want to make sure you're not using the same password on other sites anymore too since when (not if) people decrypt the Adobe database, they can attempt to attack your accounts at other companies.

Lastpass.com has a tool to reveal if your data was stolen. I found that mine was stolen: https://lastpass.com/adobe/index.php

Here is the article by arstechnica.com:
http://arstechnica.com/security/2013/11/how-an-epic-blunder-by-adobe-could-strengthen-hand-of-password-crackers/

and Sophos:
http://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-password-disaster-adobes-giant-sized-cryptographic-blunder/

Adobe claims their new approach to password storage uses a one way hash (sha-256) with salting and more then 1000 iterations, which is pretty safe today, but some obvious passwords can still be guessed if the database is stolen again.

You have to wonder if Adobe has on-going security issues and I'm sure the full impact of the breach will be a lot more expensive.

Companies should do more to protect user data, especially passwords and financial data.

They also had significant data breach a year prior, which is probably why they started using the new password approach a year ago:
http://www.voiceofgreyhat.com/2012/11/Hacker-Leaked-150000-Customer-Details-of-Adobe.html

Both the old and new attack occurred via SQL injection attacks, which is really pathetic since it is relatively easy to prevent those. Clearly, their web server software is written so poorly that they can't be trusted.

How I handle security on my application

On my application, Jetendo CMS, there is an open source SQL analysis system I built called db-dot-cfc that parses SQL, and detects numbers or strings that aren't escaped with the db.cfc param or trustedSQL functions. As a result, it refuses to run queries that allow unescaped dynamic parameters across the entire application. I also don't have to run this "slower" analysis on the live server because all queries are tested before going live, so the live server stays fast. It's pretty much impossible for Jetendo to be hacked due to SQL Injection.

Let's say someone did get past the RSA / smart card, brute force protection, firewall and other protection on my server. Such an attack might allow the attacker to download my entire database before I am able to block them out. Well, I worked hard to reduce the risk to my users back in February 2013 by implementing extreme hashing on all the passwords, so they can't be quickly recovered on modern hardware. Previous articles:

Jetendo CMS now supports encrypted passwords for user accounts

Automatic login now implemented with unique secure tokens

Today, I announced that I took our login & password storage protection even further by implementing scrypt hashing, and an automated password expiration/deletion system. As users login again, they will be upgraded to the new security.

Jetendo CMS login security upgraded - again

Jetendo CMS is serious about security best practices.

Bookmark & Share

Securing all Jetendo Site Managers with a wildcard SSL certificate

Using scrypt hashing with Coldfusion or Railo

Popular tags on this blog

Performance |