I finally got the email I’ve been waiting for. It’s from Adobe. It starts:
As we announced on 3 October 2013, we recently discovered that an attacker illegally entered our network and may have obtained access to your Adobe ID and encrypted password. We currently have no indication that there has been unauthorised activity on your account.
To prevent unauthorised access to your account, we have reset your password…
Let’s have a look at this. “We announced on 3 October 2013, we recently discovered…” What does recently mean? They announced on 3 October not because they had discovered the hack, but because Brian Krebs told the world that he had found stolen Adobe data on the internet. So when it was actually stolen (could have been months earlier) and when Adobe actually became aware of the theft (could have been months earlier) is not known.
Let’s be charitable and say Adobe knew about it by 1 October.
They said that just under 3 million usernames and encrypted passwords may have been stolen. Since I don’t have an Adobe account, and since 3 million is relatively few in the overall scheme of things, I thought no more about it.
A few weeks later Adobe admitted that the true figure is nearer 38 million. That’s getting a bit more worrying, so I checked my browser’s stored passwords and my more recently adopted password manager. Still nothing. No Adobe account. And anyway, Adobe said very clearly that the company had reset all the passwords and notified the 38 million users. I had not been notified. I had nothing to worry about.
But then, about a week later, it emerged that it wasn’t a mere 3 million, nor a more worrying 38 million, but a colossal 150 million. Adobe had notified 38 million out of 150 million – but that is by no means the worst of it. When Paul Ducklin got hold of the database of stolen data, now easily available if you know where to look, a quick analysis showed the user’s email in plaintext, an encrypted password, and the user’s password hint in plaintext.
email addresses – you can infer a lot from an address: usually the user’s name and company. For example, Ken Westin at Tripwire looked through the Adobe hack and found 89,997 military addresses. “This is in addition to the more than 6,000 accounts from defense contractors such as Raytheon, Northrup Gruman [sic], General Dynamics and BAE Systems we also found,” he wrote. “Also, on the federal side, there were 433 FBI accounts, 82 NSA accounts and 5,000 NASA accounts.” So, choose your company, guess the user’s name, look through LinkedIn and Facebook and you’ve got enough for a pretty compelling targeted phishing attack.
encrypted passwords – passwords should be hashed and salted with a slow hashing algorithm; they should not be encrypted. Hashing means each of the 150 million passwords has to be cracked separately; encryption means that one key has to be recovered and all 150 million passwords are known.
password hints in plaintext – oh, really! Why bother cracking the passwords when the hint will let you guess it? What do you think is the password when the hint is ‘57’; or ‘the bad disciple’?
So Adobe really cocked up. They didn’t protect the data, they didn’t store it correctly, and they tried to minimise the extent of the damage. And still it gets worse, because they tried to suggest: don’t worry, most of these accounts aren’t real, they belong to people who just signed up to get promotions or freebies.
Here’s the real danger. In that great mass of one-off freebie-chasing accounts, numbering anything between 38 million and 150 million, are people who signed up, used a password that they can’t remember, and are completely unaware that their password is now compromised. What if these people signed up years ago, before password thefts became a dime a dozen, and lazily used the same password as they use for their email account? There is no way that they can retrieve that password. They now have no way of knowing whether any, or which, or all of their other accounts have been compromised by Adobe’s failure to adequately protect this password.
One final point. I said at the beginning that I had been expecting the email from Adobe. That’s because I checked with LastPass (who has a little routine that will tell you whether you’re included in the hacked data) and learnt that although I couldn’t ever remember creating an Adobe account, at some point I must have done, because there I was.
So, at least six weeks after it knew of the breach, Adobe bothers to tell me that someone “may have obtained access to [my] Adobe ID and encrypted password” when the world and his dog has access to that encrypted password. I know; Ken Westin, Brian Krebs and Paul Ducklin almost certainly know; LastPass and the hackers most definitely know; and anyone who cares to look will also know. Adobe, however, doesn’t know and continues to insist that “an attacker… may have obtained access.”
How dare they, after all this time and all these mistakes, still try to save face at my expense?
What is a hack? No, seriously, I need to know.
Last weekend the People/Mirror reported that Scout7 had been hacked and Manchester City’s scouting database compromised.
Scout7 came back and said it hadn’t been hacked and the integrity of its systems was sound. But City’s database was accessed by someone other than City.
Scout7 was saying that as far as its systems were concerned, it was a legal access via genuine credentials — implying that City must have lost, mislaid, or had its password stolen. It’s an interesting idea. The implication is that if you lose your house-keys and someone finds them, gets in while you’re out, and reads your personal, private diary, you haven’t been burgled.
That, of course, is emotionally absurd. But Scout7 is saying that it (the housebuilder) cannot be blamed for the burglary and doesn’t need to do anything about it. We’ll come back to that.
Meantime, how does this apply to ‘breach notification’? Is a breach a hack? Is the illegal use of legal credentials by a clear bad guy something that will require notification? Will companies be able to claim, we weren’t breached because the hackers got in through legitimate passwords, therefore we don’t need to tell anyone?
Incidentally, Kurt Wismer has an interesting story equally hinging on lack of semantic clarity: was the poor targeting in Stuxnet down to some lax manager saying, ‘make me a virus’, when he really meant, ‘make me a trojan’? Worth reading.
But back to Scout7. No, it cannot avoid its liability by implying it was a customer’s fault for losing his/her password. We all know that passwords do not provide adequate access security. So relying on them, and not adding a second factor to the access control, is effectively building something not fit for purpose. So as far as I am concerned, it got hacked.
The Data Protection Regulation should be amended to force companies to disclose how passwords are stored
Over the last couple of days it has been disclosed that an amazing amount of personal data on 1.1 million Americans has been lifted from the US Nationwide insurance group. Passwords do not appear to be involved – it’s a data store rather than an interactive site. But the point is that this data would appear to have been unencrypted – at least the company concerned hasn’t specified one way or the other; and that’s the problem.
Time and again we learn of plaintext passwords being stolen. Plaintext is unacceptable, but it happens. Sometimes they are stored hashed with SHA1. This is unacceptable because dictionary attacks and Jens Steube’s newly announced brute force attack make them surprisingly vulnerable; but it happens. At the very least, passwords should be stored hashed with SHA1 – preferably better – and salted.
I for one would be reluctant to commit my password to any site that stores that password with anything less than salted SHA2. But they don’t tell us, do they.
So I call now for the European Commission to amend the proposed Data Protection Regulation to include a requirement for all sites that store user passwords to make it clear on their site, at registration, precisely how those passwords are stored: plaintext, hashed (with what), or hashed and salted. This is the only way we will be able to force vendors to improve the way in which they handle our data.
It’s good to see providers beginning to rethink their password policies. But this from BT?
This was the rejected password:
I cannot begin to imagine what a strong password would look like…
see also: Yahoo says my password is too weak
My recent news stories…
You don’t need to be hacked if you give away your credentials
GFI Software highlights the problems of users’ carelessness with their credentials: who needs hacking skills when log-on details are just handed over?
22 May 2012
A new solution for authenticating BYOD
New start-up SaaSID today launches a product at CloudForce London that seeks to solve a pressing and growing problem: the authentication of personal devices to the cloud.
22 May 2012
New HMRC refund phishing scam detected
Every year our tax details are evaluated by HMRC. Every year, a lucky few get tax refunds; and every year, at that time, the scammers come out to take advantage.
22 May 2012
UK government is likely to miss its own cloud targets
G-Cloud is the government strategy to reduce IT expenditure by increasing use of the cloud. It calls for 50% of new spending to be used on cloud services by 2015 – but a new report from VMware suggests such targets will likely be missed by the public sector.
21 May 2012
New Absinthe 2.0 Apple jailbreak expected this week
The tethered jailbreak for iOS 5.1, Redsn0w, still works on iOS 5.1.1. This week, probably on 25 May, a new untethered jailbreak is likely to be announced at the Hack-in-the-Box conference.
21 May 2012
TeliaSonera sells black boxes to dictators
While the UK awaits details on how the proposed Communications Bill will force service providers to monitor internet and phone metadata, Sweden’s TeliaSonera shows how it could be done by selling black boxes to authoritarian states.
21 May 2012
Understanding the legal problems with DPA
We have known for many years that the EU is not happy with the UK’s implementation of the Data Protection Directive – what we haven’t known is why. This may now change thanks to the persistence of Amberhawk Training Ltd.
18 May 2012
Who attacked WikiLeaks and The Pirate Bay?
This week both The Pirate Bay and WikiLeaks have been ‘taken down’ by sustained DDoS attacks: TPB for over 24 hours, and WikiLeaks for 72. What isn’t known is who is behind the attacks.
18 May 2012
BYOD threatens job security at HP
BYOD isn’t simply a security issue – it’s a job issue. Sales of multi-function smartphones and tablets are reducing demand for traditional PCs; and this is hitting Hewlett Packard.
18 May 2012
25 civil servants reprimanded weekly for data breach
Government databases are full of highly prized and highly sensitive personal information. The upcoming Communications Bill will generate one of the very largest databases. The government says it will not include personal information.
17 May 2012
Vulnerability found in Mobile Spy spyware app
Mobile Spy is covert spyware designed to allow parents to monitor their children’s smartphones, employers to catch time-wasters, and partners to detect cheating spouses. But vulnerabilities mean the covertly spied-upon can become the covert spy.
17 May 2012
Governments make a grab for the internet
Although the internet is officially governed by a bottom-up multi-stakeholder non-governmental model, many governments around the world believe it leaves the US with too much control; and they want things to change.
17 May 2012
My news stories on Infosecurity Magazine for Thursday 15, Friday 16 and Monday 19 March…
Duqu: a government intelligence agency built cyberweapon?
Last week Kaspersky Lab announced that it had discovered an unrecognized programming language within the Duqu worm code. It asked the research community for help in diagnosis; and the research community responded.
19 March 2012
Four EU Member States to take part in ENISA’s ‘security week pilots’
Four EU Member States are planning to run national ‘security weeks’ during October 2012. The aim is to develop a fully-fledged combined EU and US Security Month by 2014.
19 March 2012
LulzSec’s Kayla given bail
Ryan Ackroyd, a 25 year-old Brit from South Yorkshire, was granted bail at Westminster Magistrates’ Court pending a plea and case management hearing at Southwark Crown Court scheduled for 11 May.
19 March 2012
Did Anonymous accidentally blow covert surveillance of Assad’s emails?
On 6 February hacktivist group Anonymous delivered a threatening email to Bashar Assad’s personal email account. On 7 February his use of that account ceased.
16 March 2012
Trends and truths in DDoS attacks
Neustar has analyzed the evolution of DDoS attacks over the last year, showing the techniques that are used and the problems that will come.
16 March 2012
Password managers on mobile devices – fail
Elcomsoft, a computer and mobile forensics specialist, is today presenting the results of its analysis of mobile device password managers at Amsterdam’s BlackHat Europe conference.
16 March 2012
Kaspersky’s February malware scorecard
Kaspersky Lab has published its monthly malware report for February, discussing Duqu, Google Wallet and Google Analytics, mobile threats and attacks on corporate networks.
15 March 2012
2011 Global Encryption Trends Study
Ponemon’s Global Encryption Trends Study commissioned by Thales is a treasure trove of insights into the corporate view of security.
15 March 2012
Quis custodiet ipsos custodes – Who watches the watchmen?
The Dutch Big Brother Awards for 2011 have been announced. There are three prize categories: People, Companies and Government.
15 March 2012
Elcomsoft is a hacker. A white hat hacker, one of the old school, not one of these new-fangled, bad boy (or girl) black hat criminal cracker hackers, but a hacker nonetheless.
It produces encrypted file recovery systems, usually in the form of password recovery tools. They may be used by some of the cracker hackers as password cracking tools, but they are built as honest-to-goodness password recovery tools. And most of us could have used one at one time or another. Now Elcomsoft has a new string to its bow: the very first Apple iWork file cracker – sorry, password recovery tool.
Why is this the first? Because, explains Elcomsoft, Apple’s encryption is “an industry-standard AES algorithm with strong, 128-bit keys. Brute-forcing a 128-bit number on today’s hardware remains impossible.” This effectively means that the only way to recover an encrypted iWork file is to hack the password. But, says Elcomsoft, “Apple used the PBKDF2 algorithm to derive an encryption key from plain-text passwords, with some 4000 iterations of a hash function (SHA1).” If that’s as much geek-speak to you as it is to me, the bottom line is that brute-forcing the passwords would be too lengthy to be meaningful.
Unless, and this is where thinking like a hacker comes in, you can find some way to reduce the likely number of possible passwords. First, Elcomsoft notes that the price range for iWork shows that it is a consumer rather than business product. Users are likely to be human beings rather than corporate automata. “Multiple researches,” says Elcomsoft, “confirm it’s a given fact that most people, if not enforced by a security policy, will choose simple, easy to remember passwords such as ‘abc’, ‘password1’ or their dog’s name. In addition, it’s in the human nature to reduce the number of things to remember. Humans are likely to re-use their passwords, with little or no variation, in various places: their instant messenger accounts, Web and email accounts, social networks and other places from which a password can be easily retrieved.”
From this starting point and armed with “ElcomSoft’s advanced dictionary attack with customizable masks and configurable permutations,” brute forcing the passwords suddenly becomes a lot simpler; and iWork recovery is now included in the Elcomsoft Distributed Password Recovery Tool. It is, says Elcomsoft, “the human factor and advanced dictionary attacks that help it recover a significant share of iWork passwords in reasonable time.”
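To make the numbers in the two quoted paragraphs concrete, here is an added example (my own code, not Elcomsoft’s or Apple’s) that derives a 128-bit key with PBKDF2-HMAC-SHA1 at the 4000 iterations quoted above, and compares the cost of exhausting the 128-bit key space with the cost of exhausting a human-sized password space described by a mask. It also illustrates the slow, salted hashing the Adobe and Data Protection posts call for. The mask notation (?l, ?u, ?d, ?s, ?a) and the guess-rate figures are assumptions for the illustration, not figures from the post.

```python
import hashlib
import os
import time

ITERATIONS = 4000   # iteration count the post quotes for iWork's PBKDF2 over SHA1
KEY_BYTES = 16      # a 128-bit AES key, as the post states

# Character-class sizes for a hashcat-style mask. This notation is an assumed
# convention for the example; the post does not specify Elcomsoft's mask syntax.
CLASS_SIZES = {"?l": 26, "?u": 26, "?d": 10, "?s": 33, "?a": 95}


def derive_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive the 128-bit file key the way the post describes: PBKDF2-HMAC-SHA1."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                               iterations, dklen=KEY_BYTES)


def mask_keyspace(mask: str) -> int:
    """Number of candidate passwords a mask such as '?l?l?l?l?d?d' describes."""
    if len(mask) % 2:
        raise ValueError("a mask is a sequence of two-character classes")
    total = 1
    for i in range(0, len(mask), 2):
        total *= CLASS_SIZES[mask[i:i + 2]]
    return total


def estimated_exhaustion_seconds(keyspace: int, hmac_per_second: float,
                                 iterations: int = ITERATIONS) -> float:
    """Worst-case time to try every candidate: each guess costs `iterations`
    HMAC-SHA1 computations, so the iteration count multiplies the attacker's work."""
    return keyspace * iterations / hmac_per_second


def guesses_per_second(iterations: int = ITERATIONS, trials: int = 100) -> float:
    """Measure how many full PBKDF2 derivations this machine completes per second."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(trials):
        derive_key(f"candidate{i}", salt, iterations)  # constructed throwaway guesses
    return trials / (time.perf_counter() - start)


if __name__ == "__main__":
    rate = guesses_per_second()
    print(f"{rate:,.0f} PBKDF2 guesses/s at {ITERATIONS} iterations on this CPU")
    for mask in ("?l?l?l?l?l?l", "?l?l?l?l?d?d", "?a?a?a?a?a?a?a?a"):
        space = mask_keyspace(mask)
        print(f"{mask:18} {space:>22,} candidates  ~{space / rate / 3600:,.1f} h")
    key_years = estimated_exhaustion_seconds(2 ** 128, rate * ITERATIONS) / 3.15e7
    print(f"128-bit key space: ~{key_years:.1e} years; the password is the weak point")
```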
The Oliver Drage case is still causing a lot of discussion; and a lot of learned and technical people are exercising their minds on how to defeat the relevant clauses within the RIP Act that require us to surrender our computer passwords for no other reason than that the police or other lawful entities tell us to. Almost all of these methodologies require us to be devious to one degree or another, and/or to tell an outright lie (and hope to get away with it simply because it cannot be disproven).
I have a problem with this. If I suspect a policeman or other authorised body to be on a fishing trip with no genuine moral reason to require my passwords, I will decline to provide them. That’s out of principle. It is ‘principle’ that will also require that I neither lie nor behave deviously. Why should I compromise my principles? It is this law that is immoral, not me.
This leads us inevitably and inexorably to the overriding question: is or should the rule of law be sacrosanct in a democracy? In reality, there is no easy definition for ‘the rule of law’; but I’m going to suggest that (in the UK) it embodies two elements: that nobody is beyond the law; and that the law is whatever Parliament declares the law to be.
So, it comes down to this: if I believe in the rule of law I would have to surrender my passwords to any authorised body simply because Parliament has declared this to be the law; if I decline to surrender my passwords, then I do not accept the rule of law. I am, in the old sense of the word, declaring myself to be outside of the law: I am an outlaw.
This is the conundrum. If I tell lies and act deviously about my password, then I am a bad person but probably free. But if I don’t tell lies and don’t act deviously, then I am a good person but locked up. Can any thinking person have any respect for either such a law or indeed those who first framed and subsequently maintain such a law?
The law is an ass. Our law-makers are asses. And Parliament is the House of Asses.