Educause Security Discussion mailing list archives

Re: FYI - Adobe account compromise


From: Gary Warner <gar () CIS UAB EDU>
Date: Mon, 11 Nov 2013 15:06:56 -0600

Andrew, 

One must remember that a password should be strong enough to protect the value of the system it is on.  I believe it is 
probably forgivable to have absolute trash passwords on a system that forces you to register to download a free 
software update.  There really isn't any personal data being protected there.

That said, we've been having fun playing with the "same as" passwords -- such as "Same as Work VPN". I'd watch for 
"Stanford.edu" folks who mention "SUNet" in their hint . . . just choosing the first one as an example:  

102792539-|--|-cgoldenberg () stanford edu-|-GXmAMPNONSTioxG6CatHBw==-|-sunet id|--

For other schools - "what do you call your local University ID?"   Might be worth seeing which of your students/staff 
told Adobe that their ID was a match.  (We use BlazerID's at UAB - many listed there - but fortunately we just went 
through a big mandatory password change anyway!)

Then script something to search for the crypted version of their hash.  If there are LOTS of matches, it might mean 
bad password choices.  If there are very FEW hashes, it may mean that it would be time to talk about not using the same 
password everywhere.  (For instance, I'm guessing CGoldenberg@stanford and ClaudeG@stanford and CoachCrikket@gmail are 
all the same guy based on password re-use of a "rare" password.)

Does that make sense?

----------------------------------------------------------

Gary Warner
Director of Research in Computer Forensics
The University of Alabama at Birmingham
Center for Information Assurance and Joint Forensics Research
205.422.2113
gar () cis uab edu

-----------------------------------------------------------
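
One way to script the triage described in the message above, as an added example that is not part of the original e-mail: it counts how many accounts share each ciphertext and lists an institution's own accounts that need a forced reset or a reuse conversation. The records, the `example.edu` domain, the "campus id" term, the threshold and the function names are all constructed for illustration.

```python
from collections import Counter

# Constructed records in the dump's "-|-" layout:
# id, username (empty), email, base64 ciphertext, hint, then a "|--" terminator.
SAMPLE = """\
1001-|--|-alice@example.edu-|-AAAAAAAAAAAAAAAAAAAAAA==-|-campus id|--
1002-|--|-bob@example.edu-|-BBBBBBBBBBBBBBBBBBBBBB==-|-numbers|--
1003-|--|-carol@example.edu-|-BBBBBBBBBBBBBBBBBBBBBB==-|-|--
1004-|--|-dave@example.org-|-BBBBBBBBBBBBBBBBBBBBBB==-|-1 to 6|--
1005-|--|-erin@example.net-|-BBBBBBBBBBBBBBBBBBBBBB==-|-easy|--
1006-|--|-frank@example.edu-|-CCCCCCCCCCCCCCCCCCCCCC==-|-same as Campus ID|--
"""

def parse(line):
    """Return (email, ciphertext, hint), or None for a malformed line."""
    parts = line.rstrip("\r\n").split("-|-", 4)
    if len(parts) != 5 or not parts[4].endswith("|--"):
        return None  # skip rather than guess at a damaged record
    _id, _user, email, cipher, hint = parts
    return email.strip().lower(), cipher, hint[:-3].strip()

def triage(lines, domain, id_terms, common_at=3):
    """List our accounts whose password is widely shared or whose hint names our ID."""
    counts = Counter()  # accounts per ciphertext across the whole file
    ours = []           # records belonging to our mail domain
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        counts[rec[1]] += 1  # equal ciphertext is treated as equal password
        if rec[0].endswith("@" + domain):
            ours.append(rec)
    report = []
    for email, cipher, hint in ours:
        reasons = []
        if counts[cipher] >= common_at:
            reasons.append("common-password")
        if any(term in hint.lower() for term in id_terms):
            reasons.append("hint-names-campus-credential")
        if reasons:
            report.append((email, reasons))
    return report

if __name__ == "__main__":
    for email, reasons in triage(SAMPLE.splitlines(), "example.edu", ("campus id",)):
        print(email, ",".join(reasons))
```
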

----- Original Message -----
From: "Brian Helman" <bhelman () SALEMSTATE EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
Sent: Sunday, November 10, 2013 7:19:37 PM
Subject: Re: [SECURITY] FYI -  Adobe account compromise

Yeah, that was it.  Sorry about the confusion.

-Brian

________________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] on behalf of Keller, Alex 
[axkeller () STANFORD EDU]
Sent: Thursday, November 07, 2013 1:24 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] FYI -  Adobe account compromise

http://sophos.com/adobe doesn't resolve...

But this seems like a likely candidate for the article Brian referenced:
http://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-password-disaster-adobes-giant-sized-cryptographic-blunder/

Best,
alex

Alex Keller
Information Technology
Stanford School of Engineering
axkeller () stanford edu
(650) 736-6421



-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Brian 
Helman
Sent: Thursday, November 07, 2013 6:40 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] FYI - Adobe account compromise

There's an excellent description at sophos.com/adobe and on this week's Security Now podcast.

-Brian

________________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] on behalf of Andrew Daviel 
[advax () TRIUMF CA]
Sent: Wednesday, November 06, 2013 4:20 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] FYI -  Adobe account compromise

FYI

Per http://xkcd.com/1286/ and others, hackers have leaked 130 million user records from Adobe, containing email 
address, 3DES encrypted password, and hint, with lines like:

63498551-|--|-mxxxxxxx () wisc edu-|-eYxxxxxxxxxxxxx==-|-kunsan cutie|--

2 million of these are .edu addresses

From what I have read, the passwords are encrypted using a symmetric key but the key is unknown. For now. As a mailing 
list for spam, it needs washing, badly.

All that user education is having some effect, at least.
The most popular password is now "123456", an improvement over "12345" a couple of years ago and "1234" before that.
Per http://stricture-group.com/files/adobe-top100.txt

See also
http://www.hydraze.org/2013/10/some-information-on-adobe-135m-users-leak/
http://www.leemangold.com/2013/11/02/adobe-data-breach-faq/
http://tobtu.com/adobe.php
http://anonnews.org/forum/post/64784
http://arstechnica.com/security/2013/11/how-an-epic-blunder-by-adobe-could-strengthen-hand-of-password-crackers/
Password reset: https://www.adobe.com/ca/account/sign-in.adobedotcom.html

I'm not sure it's really a big cause for concern, though I guess a lot of people use the same password for everything 
and there's their password hint "dog's name" sitting out there. The etymology of user names on Hotmail should be worth 
a sociology paper or two.


--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376  (Pacific Time)
Network Security Manager

