1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

News Adobe breach leaks source, millions of customers' details

Discussion in 'Article Discussion' started by Meanmotion, 4 Oct 2013.

  1. Meanmotion

    Meanmotion bleh Moderator

    Joined:
    16 Nov 2003
    Posts:
    1,652
    Likes Received:
    19
  2. Corky42

    Corky42 Where's walle?

    Joined:
    30 Oct 2012
    Posts:
    9,648
    Likes Received:
    388
    The don't believe ! i would hope they know for certain. And have they just admitted they actually store decrypted credit or debit card numbers on their systems :eeek:
     
  3. fix-the-spade

    fix-the-spade Multimodder

    Joined:
    4 Jul 2011
    Posts:
    5,593
    Likes Received:
    1,375
    Welcome to the subscription business model Adobe, with all that comes with it!
     
  4. Guest-16

    Guest-16 Guest

    As long as all those pirates have been stopped, that's OK, right?

    :rolleyes:
     
  5. greigaitken

    greigaitken Minimodder

    Joined:
    26 Aug 2009
    Posts:
    431
    Likes Received:
    14
    If a bank stores your stuff and gets robbed, then the bank will pay you the value of stuff they stored unless it goes under.
    If companies had to pay a value of compensation when your data gets robbed, i bet they'd think twice about needlessly storing it.
     
  6. Kovoet

    Kovoet What's a Dremel?

    Joined:
    26 Aug 2009
    Posts:
    7,128
    Likes Received:
    348
    To true

    Sent from my GT-I9505 using Tapatalk 2
     
  7. Silver51

    Silver51 I cast flare!

    Joined:
    24 Jul 2006
    Posts:
    2,962
    Likes Received:
    287
    I hope they had everything backed up on the cloud.

    Oh... wait...
     
  8. Big Elf

    Big Elf Oh no! Not another f----ing elf!

    Joined:
    23 Apr 2009
    Posts:
    3,980
    Likes Received:
    614
    Yet another large organisation proves it can't be trusted with personal data.
     
  9. faugusztin

    faugusztin I *am* the guy with two left hands

    Joined:
    11 Aug 2008
    Posts:
    6,953
    Likes Received:
    270
    They have a subscription model. That requires ability to periodically charge fees against your credit card. To do that, they need to have your credit card number. That means the credit card number cannot be hashed, unlike passwords. Credit card number can be encrypted, but to have the ability to use that number for anything the decryption code must be there on the server too. Which means encrypted credit card number is as good as the unencrypted.

    In short - everyone who has to charge you more than once must have your credit card number in their system stored, and encrypted/plain text doesn't really matter, because if they breached the system the encryption key is there as well.
     
  10. RedFlames

    RedFlames ...is not a Belgian football team

    Joined:
    23 Apr 2009
    Posts:
    15,682
    Likes Received:
    3,161
    Yet more proof that if they want your details badly enough there's not an awful lot you can do about it...

    Poke hard enough in the right place and you'l find/make a hole in even the most robust security... Look at what's just happened to Barclays and Santander...
     
  11. Big Elf

    Big Elf Oh no! Not another f----ing elf!

    Joined:
    23 Apr 2009
    Posts:
    3,980
    Likes Received:
    614
    There's a lot can be done about it but I doubt anyone will have the guts to do it.

    For a private organisation hit them hard in 2 places, the pocket i.e. massive fine, head of security fined and/or sacked. Chairman of the board heavily fined.

    For a public organisation same thing except no massive fine but multiple sackings.

    That might just give them enough incentive to stop it happening again.

    Edit: you can't really hold Santander or Barclays up as examples of competent organisations.
     
  12. Corky42

    Corky42 Where's walle?

    Joined:
    30 Oct 2012
    Posts:
    9,648
    Likes Received:
    388
    Well if a company is doing that i wouldn't trust them with my details.

    In the end nothing is %100 secure, but storing credit card details in plain text or on the same system used to decrypt the hashes is asking for trouble. If you needed to go in and out of your house on a regular basis you wouldn't leave your keys in the lock, or under the mat.
     
  13. faugusztin

    faugusztin I *am* the guy with two left hands

    Joined:
    11 Aug 2008
    Posts:
    6,953
    Likes Received:
    270
    Means you can never use credit card online, ever. It is irrelevant if it is one same system or other - once you can access the other database (and you need it so users can change their details) via any means, so can the attacker.
     
  14. Corky42

    Corky42 Where's walle?

    Joined:
    30 Oct 2012
    Posts:
    9,648
    Likes Received:
    388
    Well most of the time i have used a CC online it redirect to another server to authenticate, even when i make regular purchases. Like i said no system is %100 secure, but storing CC details or the hashes on a separate system to the one that authenticates/decrypts those details means you double the chances of spotting that the system has been compromised.
     
  15. faugusztin

    faugusztin I *am* the guy with two left hands

    Joined:
    11 Aug 2008
    Posts:
    6,953
    Likes Received:
    270
    That doesn't redirect you to another server, but to the payment processor website. That is all good and nice in case you are doing one time payment, but absolutely unusable for recurring payments.
     
  16. Corky42

    Corky42 Where's walle?

    Joined:
    30 Oct 2012
    Posts:
    9,648
    Likes Received:
    388
    So contrary to you saying "Means you can never use credit card online, ever." you are more secure when being redirected to the payment processors website. Having both the lock and the key on the same system is asking for trouble, its as dumb as keeping the source code for your products on the same system. There are reasons backups are stored of site, if something happens to the main systems you don't risk compromising all your data.

    2.9 million peoples personal data has been put at risk by Adobe because they put all their eggs in one basket. Its even more worrying when you learn this actually happened mid-August, and its only when a third party discovered Adobe source code in the wild that they notified people.
     
  17. faugusztin

    faugusztin I *am* the guy with two left hands

    Joined:
    11 Aug 2008
    Posts:
    6,953
    Likes Received:
    270
    @Corky42: But again, you cannot do it that way for recurring payments. What you describe is good only for one time payments - Creative Cloud is a recurring payment, not one time fee.
     
  18. gcwebbyuk

    gcwebbyuk Dib Dabbler

    Joined:
    16 Feb 2010
    Posts:
    1,260
    Likes Received:
    18
    As stated previously though, nothing is 100% secure. So you can take it out on Adobe as much as you like, but at the end of the day, it's the hackers who did this. I was one of the 2.9 million who had their details taken (although I think I am as Adobe have sent me the email). I have changed my password, and will keep an eye on my bank account to see if any payments are taken. If that does ever happen, then I will see what form of compensation is available from Adobe. There really isn't anything else you can do, other than never use your credit card for recurring payments on-line.
     
  19. Corky42

    Corky42 Where's walle?

    Joined:
    30 Oct 2012
    Posts:
    9,648
    Likes Received:
    388
    @faugusztin, So you are saying they had to keep all the source code, customers personal details, hashed CC details, decryption keys, and login details all on the same network/system ? It doesn't matter if its a one time payment or a recurring payment, you don't keep all your critical data on one system.

    Its beyond stupid, anyone with half a brain would segment critical data so if an attack is successful you only compromise part of your data, you also have more chances for any IDS to pick up a compromise.

    As i keep saying its not about %100 security, its about delaying and identifying the attack so something can be done about it. Adobe kept everything on one system and they didn't even know they had been hacked for around three weeks.

    If they split the critical data across different systems it would have been simple for any IDS to pick up suspicious activity, like the 2.9 million accounts being access all at once, or the 40GB of data download.
     
  20. gcwebbyuk

    gcwebbyuk Dib Dabbler

    Joined:
    16 Feb 2010
    Posts:
    1,260
    Likes Received:
    18
    But how do you know that? From a news article? Do you know how their system is setup? Has there been several attacks - to several networks? Unless you have ALL of the facts, you can't really judge - can you?
     
Tags: Add Tags

Share This Page