1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

News Adobe breach leaks source, millions of customers' details

Discussion in 'Article Discussion' started by Meanmotion, 4 Oct 2013.

  1. faugusztin

    faugusztin I *am* the guy with two left hands

    Joined:
    11 Aug 2008
    Posts:
    6,940
    Likes Received:
    264
    I don't talk about the source code, that is a separate question. But for the rest :
    1) credit card data CANNOT be hashed. Hashing is a one way function, data cannot be restored from hash. Hashing is useless for anything else but passwords in this context.
    2) if credit card data was encrypted, then to be able to show/edit credit card information to users via website it has to have access to the credit card information, and have access to decryption keys. And because that key has to be part of the website, it is pretty much useless, unless we talk about database-only hack, which is not what happened here, as this one looks like complete hack including internal systems.
     
  2. Corky42

    Corky42 Where's walle?

    Joined:
    30 Oct 2012
    Posts:
    9,648
    Likes Received:
    386
    Maybe i cant judge, but i can form an opinion based on what is known.

    This attack happened in mid-August (6-8 weeks ago), Adobe has been working on an investigation into a potentially broad-ranging breach into its networks since Sept. 17 (2-3 weeks ago), Customers only received notification this week. They have only bothered to notify their customers because a third party discovery 40GB of Adobe source code out in the wild
    http://krebsonsecurity.com/2013/10/adobe-to-announce-source-code-customer-data-breach/
    It believes but doesn't have actual proof in the form of logs and such, it doesn't even know how many user names and passwords have been compromised
    Again we are told it believes (meaning without absolute proof)
    Adobe’s Chief Security Officer Brad Arkin doesn't even know what software the servers he is responsible for are running and also runs out-of-date software.
    You are free to form you own opinion on how Adobe has put millions of people at risk based on the facts we do have, but i think its safe to say the information we do have doesn't paint a pretty picture of Adobes so called security.

    @faugusztin, We both seem to have conflated hashes with encryption, when it is more than likely Adobe used a block cipher (A block cipher is reversible: if you know the key)
     
    Last edited: 6 Oct 2013
  3. gcwebbyuk

    gcwebbyuk Dib Dabbler

    Joined:
    16 Feb 2010
    Posts:
    1,260
    Likes Received:
    18
    So how do Adobe compare to other companies that we trust our data with?

    News articles can be easily written to make a situation sound good or bad.

    I agree, it doesn't sound great that Adobe chose to leave this from the public eye for so long. I would expect the reason for this to come out at some point soon, there will be someone somewhere who is willing to explain - although again, by that time Adobe could have written some spin to put on it.

    Bottom line is that data is never really safe. You gotta make the most of a bad situation - bit like life really...
     
  4. Corky42

    Corky42 Where's walle?

    Joined:
    30 Oct 2012
    Posts:
    9,648
    Likes Received:
    386
    Well Sony got fined £250k when the PSN got hacked, and you only have to look at the fines issued by the ICO to see the problem is very bad.

    2010 - 2 fines totalling £160,000
    2011 - 7 fines totalling £541,100
    2012 - 17 fines totalling £2,143,000

    Yet company's keep insisting the cloud and subscription based services are the way of the future.
    Yes news articles can be written with bias, but when it uses quotes and confirmations from an interview you tend to take them on face value.
    Yes data is never really safe its all a matter of degrees, but you would expect a third party to take the same or better security measures than you do. If i had the slightest suspicion of a data breach i would act immediately to change passwords or cancel CC's
     
  5. monkiboi

    monkiboi Minimodder

    Joined:
    5 Feb 2012
    Posts:
    106
    Likes Received:
    2
    I just want to extend a little on what Faugusztin is saying in point 1, for those who are still not following.

    When you first sign up for a service and enter a password this password is put through a hashing algorithm (there are many to choose from), which returns a random string of characters, which is then stored as your password in the database. Now you cannot reverse engineer this which is why, if you forget your password you have to reset it.

    You can increase the security further by adding in what's called a 'salt', which adds a string of characters to you password and then hashes it.

    Now, the hashing is consistent in that the same password you enter whenever you log in will always produce the same hashed string, as long as the same algorithm is used, so you log in, your password is hashed and then compared to the hashed password in the database. If they match you're then logged in.

    Obviously, this won't work for credit card details as the company providing the service to you needs to present those card details to the bank for every recurring payment and if it was hashed they couldn't retrieve those numbers. You could potentially do it if the bank used the same hashing and salt as the vendor but then the bank opens itself up to huge security risks.

    Banks also demand what's called PCI compliance from anyone using their services for online payments, which dictate how customer details are stored and the security measures you need for compliance but that's not really relevant here.
     
Tags: Add Tags

Share This Page