Home page logo
/

educause logo Educause Security Discussion mailing list archives

Re: FYI - Adobe account compromise
From: Gary Warner <gar () CIS UAB EDU>
Date: Mon, 11 Nov 2013 15:06:56 -0600

Andrew, 

One must remember that a password should be strong enough to protect the value of the system it is on.  I believe it is 
probably forgivable to have absolute trash passwords on a system that forces you to register to download a free 
software update.  There really isn't any personal data being protected there.

That said, we've been having fun playing with the "same as" passwords -- such as "Same as Work VPN". I'd watch for 
"Stanford.edu" folks who mention "SUNet" in their hint . . . just choosing the first one as an example:  

102792539-|--|-cgoldenberg () stanford edu-|-GXmAMPNONSTioxG6CatHBw==-|-sunet id|--

For other schools - "what do you call your local University ID?"   Might be worth seeing which of your students/staff 
told Adobe that there ID was a match.  (We use BlazerID's at UAB - many listed there - but fortunately we just went 
through a big mandatory password change anyway!)

Then script something to search for the crypted version of their hash.  If there are LOTS of matches, it might mean a 
bad password choices.  If there are very FEW hashes, it may mean that it would be time to talk about not using the same 
password everywhere.  (For instance, I'm guessing CGoldenberg () stanford and ClaudeG () stanford and CoachCrikket () 
gmail are all the same guy based on password re-use of a "rare" password.)

Does that make sense?

----------------------------------------------------------

Gary Warner
Director of Research in Computer Forensics
The University of Alabama at Birmingham
Center for Information Assurance and Joint Forensics Research
205.422.2113
gar () cis uab edu

-----------------------------------------------------------

----- Original Message -----
From: "Brian Helman" <bhelman () SALEMSTATE EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
Sent: Sunday, November 10, 2013 7:19:37 PM
Subject: Re: [SECURITY] FYI -  Adobe account compromise

Yeah, that was it.  Sorry about the confusion.

-Brian

________________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] on behalf of Keller, Alex 
[axkeller () STANFORD EDU]
Sent: Thursday, November 07, 2013 1:24 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] FYI -  Adobe account compromise

http://sophos.com/adobe doesn't resolve...

But this seems like a likely candidate for the article Brian referenced:
http://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-password-disaster-adobes-giant-sized-cryptographic-blunder/

Best,
alex

Alex Keller
Information Technology
Stanford School of Engineering
axkeller () stanford edu
(650) 736-6421



-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Brian 
Helman
Sent: Thursday, November 07, 2013 6:40 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] FYI - Adobe account compromise

There's an excellent description at sophos.com/adobe and on this week's Security Now podcast.

-Brian

________________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] on behalf of Andrew Daviel 
[advax () TRIUMF CA]
Sent: Wednesday, November 06, 2013 4:20 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] FYI -  Adobe account compromise

FYI

Per http://xkcd.com/1286/ and others, hackers have leaked 130 million user records from Adobe, containing email 
address, 3DES encrypted password, and hint, with lines like:

63498551-|--|-mxxxxxxx () wisc edu-|-eYxxxxxxxxxxxxx==-|-kunsan cutie|--

2 million of these are .edu addresses

From what I have read, the passwords are encrypted using a symmetric key but the key is unknown. For now. As a mailing 
list for spam, it needs washing, badly.

All that user education is having some effect, at least.
The most popular password is now "123456", an improvement over "12345" a couple of years ago and "1234" before that.
Per http://stricture-group.com/files/adobe-top100.txt

See also
http://www.hydraze.org/2013/10/some-information-on-adobe-135m-users-leak/
http://www.leemangold.com/2013/11/02/adobe-data-breach-faq/
http://tobtu.com/adobe.php
http://anonnews.org/forum/post/64784
http://arstechnica.com/security/2013/11/how-an-epic-blunder-by-adobe-could-strengthen-hand-of-password-crackers/
Password reset: https://www.adobe.com/ca/account/sign-in.adobedotcom.html

I'm not sure it's really a big cause for concern, though I guess a lot of people use the same password for everything 
and there's their password hint "dog's name" sitting out there. The etymology of user names on Hotmail should we worth 
a sociology paper or two.


--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376  (Pacific Time)
Network Security Manager


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]