Like many bloggers I watch my logs, trying to work out what appeals to readers. One thing that has continually surprised me is the popularity of a little posting I did almost 18 months ago: Reckz0r hacks MasterCard and Visa. Anonymous says no.
Reckz0r had just claimed two major hacks. Wrongly. In fact an Anonymous contact told me at the time, “He [Reckz0r] is considered the village idiot in Anonymous circles. He pretended he hacked Sony for LulzSec; he pretended he hacked sites that UGNAZI hacked. He has just faked another hack like he always does. Pure Bieber Hacker.”
But for 18 months visitors have been landing on that page. Is Reckz0r popular? I doubt it. But what it does tell me is that he is probably much better than I am at self-publicity. And now he’s at it again. This time he claims to have hacked the PS4 — well, not personally, but he almost provides a tutorial on how to implement someone else’s hack.
“Voila! JAILBROKEN!” he concludes. “You now have the ability to run unassigned/assigned code and pirated games on your PS4.” Only, naturally, the link to the actual exploit doesn’t work.
But to support his assertion he also published a Twitter conversation between himself and Sony.
Doesn’t really sound like Sony, does it? And in the first one they have very cleverly got slightly more than 140 characters into the message.
So, once again we can say with a fair degree of certainty that this is a faking hoax. But, if you’ll pardon the vernacular, it is lame. It is lame beyond even Reckz0r’s traditional lameness. It is so lame, you even have to wonder if it’s a lame joke. But that would be cleverness beyond Reckz0r — so is it even Reckz0r?
Bugger. He’s just proved the point — he really is better at self-publicity than I am.
I finally got the email I’ve been waiting for. It’s from Adobe. It starts
As we announced on 3 October 2013, we recently discovered that an attacker illegally entered our network and may have obtained access to your Adobe ID and encrypted password. We currently have no indication that there has been unauthorised activity on your account.
To prevent unauthorised access to your account, we have reset your password…
Let’s have a look at this. “We announced on 3 October 2013, we recently discovered…” What does recently mean? They announced on 3 October not because they had discovered the hack, but because Brian Krebs told the world that he had found stolen Adobe data on the internet. So when it was actually stolen (could have been months earlier) and when Adobe actually became aware of the theft (could have been months earlier) is not known.
Let’s be charitable and say Adobe knew about it by 1 October.
They said that just under 3 million usernames and encrypted passwords may have been stolen. Since I don’t have an Adobe account, and since 3 million is relatively few in the overall scheme of things, I thought no more about it.
A few weeks later Adobe admitted that the true figure is nearer 38 million. That’s getting a bit more worrying, so I checked my browser’s stored passwords and my more recently adopted password manager. Still nothing. No Adobe account. And anyway, Adobe said very clearly that the company had reset all the passwords and notified the 38 million users. I had not been notified. I had nothing to worry about.
But then, about a week later, it emerged that it wasn’t a mere 3 million, nor a more worrying 38 million, but a colossal 150 million. Adobe had notified 38 million out of 150 million – but that is by no means the worst of it. When Paul Ducklin got hold of the database of stolen data, now easily available if you know where to look, a quick analysis showed the user’s email in plaintext, an encrypted password, and the user’s password hint in plaintext.
email addresses – you can infer a lot from an address: usually the user’s name and company. For example, Ken Westin at Tripwire looked through the Adobe hack and found 89,997 military addresses. “This is in addition to the more than 6,000 accounts from defense contractors such as Raytheon, Northrup Gruman [sic], General Dynamics and BAE Systems we also found,” he wrote. “Also, on the federal side, there were 433 FBI accounts, 82 NSA accounts and 5,000 NASA accounts.” So, choose your company, guess the user’s name, look through LinkedIn and Facebook and you’ve got enough for a pretty compelling targeted phishing attack.
encrypted passwords – passwords should be hashed and salted with a slow hashing algorithm; they should not be encrypted. Hashing means 150 million passwords need to be cracked; encryption means that one key needs to be cracked and all 150 million passwords are known.
password hints in plaintext – oh, really! Why bother cracking the passwords when the hint will let you guess it? What do you think is the password when the hint is ‘57’; or ‘the bad disciple’?
So Adobe really cocked-up. They didn’t protect the data, they didn’t store it correctly, and they tried to minimise the extent of the damage. And still it gets worse; because they tried to suggest, don’t worry, most of these accounts aren’t real, they belong to people who just signed up to get promotions or freebies.
Here’s the real danger. In that great mass of one-off freebie-chasing accounts numbering anything between 38 million and 150 million are people who signed up, used a password that they can’t remember, and are completely unaware that their password is now compromised. What if these people signed up years ago before password thefts became a dime a dozen, and lazily used the same password as they use on their email address? There is no way that they can retrieve that password. They now have no way of knowing whether any or which or all of their other accounts have been compromised by Adobe’s failure to adequately protect this password.
One final point. I said at the beginning that I had been expecting the email from Adobe. That’s because I checked with LastPass (who has a little routine that will tell you whether you’re included in the hacked data) and learnt that although I couldn’t ever remember creating an Adobe account, at some point I must have done, because there I was.
So, at least six weeks after it knew of the breach, Adobe bothers to tell me that someone “may have obtained access to [my] Adobe ID and encrypted password” when the world and his dog has access to that encrypted password. I know; Ken Westin, Brian Krebs and Paul Ducklin almost certainly know; LastPass and the hackers most definitely know; and anyone who cares to look will also know. Adobe, however, doesn’t know and continues to insist that ‘an attacker… may have obtained access.”
How dare they, after all this time and all these mistakes, still try to save face at my expense?
Well, I guess that’s as official as we’re likely to get: GCHQ hacked Belgacom.
The reasoning is this…
The European Parliament’s Civil Liberties, Justice and Home Affairs committee (LIBE) is conducting a series of hearings to investigate the ‘Prism scandal’. Yesterday it held the latest in the series: “Allegations of ‘hacking’ / tapping into the Belgacom systems by intelligence services”. Statements were expected from two high-ranking Belgacom executives, and Sir Iain Lobban, director of GCHQ.
After the event, LIBE issued its statement. In full, it reads:
Civil Liberties Committee MEPs expressed their regret on Thursday that the British Government Communications Headquarters (GCHQ) had declined their invitation to take part in a hearing on the alleged hacking of Belgian telecoms firm Belgacom’s servers. Belgacom’s top managers would not confirm or deny media reports that UK intelligence services were behind the attack.
First of all I consider it grossly discourteous for Lobban to fail to attend. This committee comprises elected representatives of the people who pay his wages and on whom he spies.
And then – forgive me for being simplistic – but I have a general principle on such matters: The innocent will never say they are guilty, but can always say they are innocent. The guilty cannot admit guilt, cannot lie, and therefore say nothing.
By avoiding have to say anything, Lobban did not say he didn’t do it – therefore the huge likelihood is that he did. And as for Belgacom, by not saying it wasn’t GCHQ, the huge likelihood is that it was. It’s called the science of gut feeling; and is usually pretty accurate.
But there’s another issue here. The UK is a member of the European Union. What is the point of having a legal union if individuals can simply ignore the elected representatives of the union? And by what moral, if not legal, right does Lobban decline an interview to attend a hearing being held by one of the most important political committees in Europe?