2013/11/06

Leak Adobe - english

Leak Adobe

During last month, some whitehats seized a rotten server full of juicy data from Adobe, such as source code, user account and credit card information.

For the technical aspects there are some links below, [1], [2], [3], with [4] being the best one. There is some weak analysis of the impact [5] [6]. The best analysis consists of getting a copy of users.tar.gz and running some greps and wc.

Adobe reacted well: there is no leak in the password recovery process, and there is even a security alert on the landing page, a hard hit to marketing.

The fact that users reuse passwords among accounts is not Adobe's fault. But encrypting instead of hashing is another thing. This failure opens the door to statistical analysis and to the use of the hint field to recover a pretty nice top 100 [7], and somebody says the recovered password list climbs to six million.
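To make the encrypt-versus-hash point concrete, here is an added Python example (not code from the original post or from Adobe): it builds a constructed six-record table of email/stored password/hint the two ways and shows that with an unsalted, deterministic transform, identical passwords produce identical stored values, so the hint column can be grouped by stored value, which is exactly the statistical analysis described above; a per-user salted hash removes that property. The site key, the sample records and the HMAC stand-in for the cipher are assumptions of this example, and the `shared_value_ratio` check is a sanity test a defender can run on their own password store.

```python
import hashlib
import hmac
import os
from collections import Counter, defaultdict

# Constructed sample records: (email, password, hint). The plaintext column is
# here only so the demo can produce the stored values; a real dump holds only
# the encrypted/hashed field and the hint.
SAMPLE_RECORDS = [
    ("a@example.com", "123456", "numbers"),
    ("b@example.com", "123456", "the usual"),
    ("c@example.com", "123456", "1 to 6"),
    ("d@example.com", "password", "the word"),
    ("e@example.com", "password", "pass"),
    ("f@example.com", "correct horse", "xkcd"),
]

# Hypothetical site-wide key: one key for the whole table, as with unsalted
# block-cipher encryption of a password column.
SITE_KEY = b"hypothetical-site-wide-key"


def encrypt_deterministic(password: str) -> bytes:
    """Stand-in for unsalted deterministic encryption of the password column
    (a block cipher in ECB mode under one key has this property). HMAC with a
    fixed key is used only because it is deterministic and in the stdlib; it
    is not the cipher from the breach. The property that matters: equal
    inputs give equal outputs, and the output does not depend on the user."""
    return hmac.new(SITE_KEY, password.encode(), hashlib.sha256).digest()


def hash_salted(password: str, salt: bytes) -> bytes:
    """Per-user salted, slow hash: equal passwords give unrelated outputs."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def store_encrypted(records):
    """Build the stored table the leaky way: (email, ciphertext, hint)."""
    return [(email, encrypt_deterministic(pw), hint) for email, pw, hint in records]


def store_hashed(records):
    """Build the stored table the right way: (email, salt, hash, hint)."""
    rows = []
    for email, pw, hint in records:
        salt = os.urandom(16)  # fresh random salt per user
        rows.append((email, salt, hash_salted(pw, salt), hint))
    return rows


def hint_clusters(stored_rows):
    """Group hints by identical stored password value, largest group first.
    The hint is the last field and the stored value the second-to-last, so
    this works on both table layouts above."""
    clusters = defaultdict(list)
    for row in stored_rows:
        clusters[row[-2]].append(row[-1])
    return sorted(clusters.values(), key=len, reverse=True)


def shared_value_ratio(stored_rows) -> float:
    """Defender's sanity check on a password store: fraction of rows whose
    stored value appears more than once. Salted hashing should give 0.0."""
    counts = Counter(row[-2] for row in stored_rows)
    shared = sum(n for n in counts.values() if n > 1)
    return shared / len(stored_rows)


if __name__ == "__main__":
    enc = store_encrypted(SAMPLE_RECORDS)
    print("encrypted store, largest cluster of hints:", hint_clusters(enc)[0])
    print("encrypted store, shared-value ratio:", shared_value_ratio(enc))
    hashed = store_hashed(SAMPLE_RECORDS)
    print("salted-hash store, largest cluster:", hint_clusters(hashed)[0])
    print("salted-hash store, shared-value ratio:", shared_value_ratio(hashed))
```

With the encrypted layout, the three "123456" users land in one cluster and their three hints describe the same password, while the salted layout gives six singleton clusters and no hint can be correlated with any other, even though nothing has been decrypted in either case.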

When it started, they said 3 million, then 38 million active accounts. The fact is that the list comprises 130 million mail / encrypted password / hint records.

An attacker can gain some insight into the victim's way of choosing passwords in the best case, and use the very same password, if the victim reuses it, in the worst case.

The best thing to do now as a user is to stop repeating passwords, and to change them if you are repeating. There is no gain in using a check system like [8], as we already know that the whole database was stolen.

If someone decrypts the passwords, by brute force or because the key was taken with the rest of the leak, it will be the worst attack ever.



[0] Spanish version http://seguridad-agile.blogspot.com.ar/2013/11/leak-adobe.html

[1] http://7habitsofhighlyeffectivehackers.blogspot.com.ar/2013/11/can-someone-be-targeted-using-adobe.html

[2] http://www.zdnet.com/just-how-bad-are-the-top-100-passwords-from-the-adobe-hack-hint-think-really-really-bad-7000022782/

[3] http://www.hydraze.org/2013/10/some-information-on-adobe-135m-users-leak/

[4] http://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-password-disaster-adobes-giant-sized-cryptographic-blunder/

[5] http://www.welivesecurity.com/2013/11/05/tom-hanks-and-donald-trump-among-850000-victims-as-limo-firm-hack-leaks-addresses-and-amex-numbers/

[6] http://blogs.wsj.com/cio/2013/10/08/adobe-source-code-leak-is-bad-news-for-u-s-government/

[7] http://stricture-group.com/files/adobe-top100.txt

[8] http://adobe.cynic.al/
