John Bartow
jbartow at winhaven.net
Tue Nov 12 10:41:52 CST 2013
Adobe Arrogance: Anatomy Of A Password Disaster

By now you all know that Adobe was completely owned and all their accounts were stolen by hackers. The total number of passwords they got away with has again increased. A huge dump of the offending customer database was recently published online, weighing in at 4GB compressed, or just a shade under 10GB uncompressed, listing not just 38 million breached records, but 150 million!

Our friends at Sophos commented: "As breaches go, you may very well see this one in the book of Guinness World Records next year, which would make it astonishing enough on its own. But there's more. We used a sample of 1,000,000 items from the published dump to help you understand just how much more."

The internal IT team at Adobe must have thought that they would never get hacked, and that they would be able to get away with a relatively simple form of encryption. They made the baffling mistake of not using any "salting" in their encryption process. In short, these passwords are as easy to find as solving a crossword puzzle. This cartoon explains it in a very humorous way: http://xkcd.com/1286/

The moral of this story is not to fall into the same trap. Do not be arrogant and think the bad guys will never get in. Assume that your network will be (or has already been) breached, and do everything you can to be the hardest target possible. Learn from Adobe's mistakes, do not let this happen to you, and read the blog post at Sophos. Very instructive: http://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-password-disaster-adobes-giant-sized-cryptographic-blunder/
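The "crossword puzzle" effect the post refers to, shown as an added example that is not part of the original message and not Adobe's or Sophos's code. It assumes a deterministic, unsalted transform of the password (an unsalted SHA-256 stands in here for whatever Adobe actually used; the Sophos post has the real details) and a small set of constructed user records in the shape of the leak: user id, stored password value, and the user's plain-text hint. With no salt, every user who chose the same password gets the same stored value, so an attacker can cluster the dump by that value and read all of the cluster's hints side by side; cracking one candidate cracks the whole cluster. The second half shows the same records stored with a per-user random salt and PBKDF2, where the clustering disappears while the password is still verifiable.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample records (user id, password, hint). The plaintext password
# is only here so the demo can build the "stored" column; a real attacker sees
# only the stored value and the hint, exactly as in the leaked dump.
SAMPLE_USERS = [
    ("u1", "123456", "numbers"),
    ("u2", "123456", "1-6"),
    ("u3", "123456", "obvious"),
    ("u4", "hunter2", "irc joke"),
    ("u5", "hunter2", "the classic"),
    ("u6", "correcthorse", "xkcd"),
]

PBKDF2_ROUNDS = 100_000  # assumption for the demo; tune to your hardware


def store_unsalted(password):
    """Deterministic and unsalted: identical passwords -> identical stored values."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_salted(password, salt=None):
    """Per-user random salt + PBKDF2; stored as 'salthex$digesthex'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_salted(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    expected = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
    ).hex()
    return hmac.compare_digest(expected, digest_hex)


def build_dump(store):
    """Simulate the leaked table: (user, stored value, hint) rows."""
    return [(user, store(pw), hint) for user, pw, hint in SAMPLE_USERS]


def cluster_by_stored_value(records):
    """Group rows by stored value: {stored: [(user, hint), ...]}."""
    groups = defaultdict(list)
    for user, stored, hint in records:
        groups[stored].append((user, hint))
    return dict(groups)


def crossword_clusters(records):
    """Only the clusters with more than one member; each one pools every hint
    its members wrote, which is the 'crossword grid' an attacker reads."""
    return {k: v for k, v in cluster_by_stored_value(records).items() if len(v) > 1}


def crack_with_wordlist(records, wordlist):
    """Against unsalted storage one digest per candidate word is enough:
    a single hit resolves every user sharing that stored value."""
    table = {store_unsalted(w): w for w in wordlist}
    return {user: table[stored] for user, stored, _ in records if stored in table}


if __name__ == "__main__":
    unsalted = build_dump(store_unsalted)
    for stored, members in crossword_clusters(unsalted).items():
        print(stored[:16], "shared by", [u for u, _ in members],
              "hints:", [h for _, h in members])
    print("cracked:", crack_with_wordlist(unsalted, ["password", "123456"]))

    salted = build_dump(store_salted)
    print("salted clusters:", crossword_clusters(salted))
    print("u4 verifies:", verify_salted("hunter2", salted[3][1]))
```

Running it prints two clusters for the unsalted dump, with the three hints "numbers", "1-6", "obvious" lined up under one stored value, and no clusters at all for the salted dump. The salt is not secret; its job is exactly to break this grouping and to force the attacker to pay the full key-stretching cost per user rather than per candidate password.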