[dba-Tech] A good read on Adobe's password hack

Jim Lawrence accessd at shaw.ca
Wed Nov 13 11:14:10 CST 2013


It doesn't have to be a little back-office company to be foolish, but when a company that holds a large amount of client information does not even use the simplest form of protection, that company should be held to a higher level of responsibility.

Aren't there some sort of laws to that end?

Aside: Gustav, from the tech list, posted a link to a new Microsoft product, built initially by a private security consultant, which is designed to protect information flow from data trolls, whether governments or hostile businesses:
 
http://technet.microsoft.com/en-us/security/dn283932.aspx

Jim

----- Original Message -----
From: "John Bartow" <jbartow at winhaven.net>
To: "DBA-Tech" <dba-tech at databaseadvisors.com>
Sent: Tuesday, November 12, 2013 8:41:52 AM
Subject: [dba-Tech] A good read on Adobe's password hack

Adobe Arrogance: Anatomy Of A Password Disaster 
By now you all know that Adobe was completely owned and all their accounts
were stolen by hackers. The total number of passwords they got away with has
again increased. A huge dump of the offending customer database was recently
published online, weighing in at 4GB compressed, or just a shade under 10GB
uncompressed, listing not just 38 million breached records, but 150 million!


Our friends at Sophos commented: "As breaches go, you may very well see this
one in the book of Guinness World Records next year, which would make it
astonishing enough on its own. But there's more. We used a sample of
1,000,000 items from the published dump to help you understand just how much
more." 

The internal IT team at Adobe must have thought that they would never get
hacked, and that they would be able to get away with a relatively simple
form of encryption. They made the baffling mistake of not using any "salting"
in their encryption process. In short, these passwords are as easy to find
as solving a crossword puzzle. This cartoon explains it in a very humorous
way:
http://xkcd.com/1286/ 

The moral of this story is to not fall into the same trap. Do not be
arrogant and think the bad guys will never get in. Assume that your network
will be (or has already been) breached, and do everything you can to be the
hardest target possible. 

Learn from Adobe's mistakes, do not let this happen to you, and read the
blog post at Sophos. Very instructive:
http://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-password-disaster-adobes-giant-sized-cryptographic-blunder/
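To make the "no salting" point in John's message concrete, here is an added example (not from the post, from Sophos, or from Adobe). The message speaks of encryption; this example uses a hash, but the weakness it shows is the same: a deterministic, unsalted transform stores the same value for every user who chose the same password, so their hints combine into the crossword clue the xkcd strip jokes about, whereas a per-user random salt with a slow KDF leaves nothing to cluster. The user records and hints are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample credential store: (user, password, hint). The hint
# column mimics the hint field leaked alongside the Adobe records; every
# value here is made up for the demonstration.
USERS = [
    ("alice", "123456", "numbers"),
    ("bob", "123456", "the obvious one"),
    ("carol", "hunter2", "my first pet"),
    ("dave", "123456", "1 to 6"),
    ("erin", "sunshine", "weather"),
]

def store_unsalted(password: str) -> str:
    """Deterministic, unsalted transform: equal passwords give equal
    stored values, the property the post criticises."""
    return hashlib.sha256(password.encode()).hexdigest()

def store_salted(password: str, salt: bytes) -> str:
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256):
    equal passwords now produce unrelated stored values."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()

def clusters(records):
    """Group (user, stored, hint) records sharing a stored value.
    Returns {stored: [(user, hint), ...]} for groups larger than one;
    each group's hints are the combined 'crossword clue' for one password."""
    groups = defaultdict(list)
    for user, stored, hint in records:
        groups[stored].append((user, hint))
    return {k: v for k, v in groups.items() if len(v) > 1}

def unsalted_clusters():
    return clusters([(u, store_unsalted(p), h) for u, p, h in USERS])

def salted_clusters():
    # A fresh 16-byte salt per user; it is stored next to the hash, not secret.
    return clusters([(u, store_salted(p, os.urandom(16)), h) for u, p, h in USERS])

def verify_salted(password: str, salt: bytes, stored: str) -> bool:
    """Login check: recompute with the user's stored salt, constant-time compare."""
    return hmac.compare_digest(store_salted(password, salt), stored)

if __name__ == "__main__":
    print("unsalted:", unsalted_clusters())  # one cluster: alice, bob, dave
    print("salted:", salted_clusters())      # {}
```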
