Tydda Jon - Lonza Slough
jon.tydda at lonza.com
Wed Nov 13 11:29:20 CST 2013
There are in the UK - the Data Protection Act for a start. You have a duty of care to preserve the safety of the information you hold.

Facebook put an announcement out today warning people that if they used the same email address/passwords on FB as they did for Adobe, then their profiles may well already be compromised.

Jon

-----Original Message-----
From: dba-tech-bounces at databaseadvisors.com [mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Jim Lawrence
Sent: Wednesday, November 13, 2013 5:14 PM
To: Discussion of Hardware and Software issues
Subject: Re: [dba-Tech] A good read on Adobe's password hack

It doesn't have to be a little back office company to be foolish, but when a company holds a large amount of client information and does not even use the simplest form of protection, that company should be held to a higher level of responsibility. Isn't there some sort of law to that end?

Aside: Gustav, from the tech list, posted a link to a new Microsoft product, built initially by a private security consultant, which is designed to protect information flow from data trolls, whether governments or hostile businesses: http://technet.microsoft.com/en-us/security/dn283932.aspx

Jim

----- Original Message -----
From: "John Bartow" <jbartow at winhaven.net>
To: "DBA-Tech" <dba-tech at databaseadvisors.com>
Sent: Tuesday, November 12, 2013 8:41:52 AM
Subject: [dba-Tech] A good read on Adobe's password hack

Adobe Arrogance: Anatomy Of A Password Disaster

By now you all know that Adobe was completely owned and all their accounts were stolen by hackers. The total number of passwords they got away with has again increased. A huge dump of the offending customer database was recently published online, weighing in at 4GB compressed, or just a shade under 10GB uncompressed, listing not just 38 million breached records, but 150 million!
Our friends at Sophos commented: "As breaches go, you may very well see this one in the book of Guinness World Records next year, which would make it astonishing enough on its own. But there's more. We used a sample of 1,000,000 items from the published dump to help you understand just how much more."

The internal IT team at Adobe must have thought that they would never get hacked, and that they would be able to get away with a relatively simple form of encryption. They made the baffling mistake of not using any "salting" in their encryption process. In short, these passwords are as easy to find as solving a crossword puzzle. This cartoon explains it in a very humorous way: http://xkcd.com/1286/

The moral of this story is to not fall into the same trap. Do not be arrogant and think the bad guys will never get in. Assume that your network will be (or has already been) breached, and do everything you can to be the hardest target possible. Learn from Adobe's mistakes, do not let this happen to you, and read the blog post at Sophos. Very instructive: http://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-password-disaster-adobes-giant-sized-cryptographic-blunder/

_______________________________________________
dba-Tech mailing list
dba-Tech at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/dba-tech
Website: http://www.databaseadvisors.com
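The "no salting" point in the forwarded post is worth seeing in code. What follows is an added example written for this archive page; it is not code from the thread, from Adobe or from the Sophos write-up. The linked Sophos analysis found that Adobe stored passwords with 3DES in ECB mode under a single key, with the users' plaintext password hints beside each record. Because no per-user salt was mixed in, the stored value was a pure function of the password: every user with the same password got the same ciphertext, and, since ECB encrypts each 8-byte block independently, passwords sharing a prefix shared ciphertext blocks. The hints of everyone in a group then describe one secret, which is the "crossword" the cartoon is about. The block cipher is replaced here by a keyed HMAC applied block by block (a stand-in chosen so the script needs only the standard library; it keeps the deterministic, block-independent property that matters). The user table, the server key and the hints are constructed sample data, and `SAMPLE_USERS`, `ecb_like_encrypt`, `crossword`, `shared_first_block`, `safe_store` and `verify` are names invented for this example. The corrected design at the end uses a per-user random salt with PBKDF2-HMAC-SHA256 and stores no hints at all.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample customer table: (username, password, password hint).
# The hints mimic the plaintext hints stored next to each Adobe record.
SAMPLE_USERS = [
    ("alice", "123456", "numbers"),
    ("bob", "123456", "one to six"),
    ("carol", "123456789", "1-9"),
    ("dave", "password", "the usual"),
    ("erin", "password1", "usual plus one"),
    ("frank", "correct horse", "xkcd"),
]

SERVER_KEY = b"constructed-single-site-wide-key"  # assumption: one key, no per-user salt
BLOCK = 8  # 3DES block size; ECB transforms each block independently


def ecb_like_encrypt(password, key=SERVER_KEY):
    """Deterministic, unsalted, block-by-block transform (stand-in for 3DES-ECB).

    Each padded 8-byte block is mapped through HMAC-SHA256 under a fixed key
    and truncated to 8 bytes. As with real ECB, equal plaintext blocks give
    equal ciphertext blocks, and equal passwords give equal records.
    """
    data = password.encode()
    pad = BLOCK - len(data) % BLOCK
    data += bytes([pad]) * pad  # PKCS#7-style padding
    return b"".join(
        hmac.new(key, data[i:i + BLOCK], hashlib.sha256).digest()[:BLOCK]
        for i in range(0, len(data), BLOCK)
    )


def leaky_store(users):
    """What the breached table looks like: the stored value depends only on the password."""
    return [(name, ecb_like_encrypt(pw).hex(), hint) for name, pw, hint in users]


def crossword(records):
    """Group breached records by stored value.

    Every user in a group shares one password, so all of their hints describe
    the same secret: guess it once and every account in the group falls.
    """
    groups = defaultdict(lambda: {"users": [], "hints": []})
    for name, ct, hint in records:
        groups[ct]["users"].append(name)
        groups[ct]["hints"].append(hint)
    return {ct: g for ct, g in groups.items() if len(g["users"]) > 1}


def shared_first_block(records):
    """ECB leaks structure even between different passwords: users whose
    passwords share the first 8 bytes share the first ciphertext block."""
    by_block = defaultdict(list)
    for name, ct, _ in records:
        by_block[ct[:2 * BLOCK]].append(name)  # hex: two characters per byte
    return [names for names in by_block.values() if len(names) > 1]


def safe_store(users, iterations=600_000):
    """Corrected design: per-user random salt plus a slow one-way KDF; nothing reversible."""
    table = {}
    for name, pw, _hint in users:  # the hint is deliberately not stored
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
        table[name] = (salt, digest, iterations)
    return table


def verify(table, name, candidate):
    """Login check against the salted table, with a constant-time comparison."""
    salt, digest, iterations = table[name]
    got = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations)
    return hmac.compare_digest(got, digest)


if __name__ == "__main__":
    recs = leaky_store(SAMPLE_USERS)
    for ct, g in crossword(recs).items():
        print(f"{ct[:16]}... shared by {g['users']}, hints {g['hints']}")
    print("same first block:", shared_first_block(recs))
    safe = safe_store(SAMPLE_USERS, iterations=10_000)
    print("alice/bob records differ:", safe["alice"][1] != safe["bob"][1])
    print("verify alice:", verify(safe, "alice", "123456"), verify(safe, "alice", "123457"))
```

Run as a script, the leaky table puts alice and bob in one group (two hints for one password) and shows dave and erin sharing a first block although their passwords differ; in the salted table the same two users get unrelated records, so nothing in the dump links one cracked account to another. The iteration count is reduced in the demo run only to keep it fast; keep it high in production.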