Luminous Landscape Forum
Raw & Post Processing, Printing => Digital Image Processing => Topic started by: daws on October 03, 2013, 07:51:57 pm
-
Los Angeles Times, October 3 (http://www.latimes.com/business/technology/la-fi-tn-adobe-hack-20131003,0,4679524.story)
Data, credit card numbers for 2.9 million Adobe users stolen
Adobe announced Thursday that it was the victim of a hack and that personal data for 2.9 million users were stolen.
The software company, known for Photoshop and other programs, said cyber attackers were able to access user information, including account IDs, encrypted passwords as well as credit and debit card numbers. The hackers were able to erase data of some Adobe users.
The hackers also illegally accessed source codes for numerous Adobe products. That's like stealing the secret formula for Coca-Cola.
The company did not specify which users of its various software programs were hit.
"We deeply regret that this incident occurred," Brad Arkin, Adobe's chief security officer, said in a blog post Thursday. "We’re working diligently internally, as well as with external partners and law enforcement, to address the incident."
The company said it has reset the passwords for affected customers and has contacted them with information on how to change their passwords. Adobe also recommends those users change their passwords for other websites.
For customers whose credit and debit card information was stolen, Adobe said it will send information on how they can protect themselves. The company will also offer those customers a complimentary one-year credit monitoring membership.
Adobe also said it has notified banks that process customers' payments about the attacks so they can help protect customers.
Finally, Adobe said it is working with federal law enforcement officials.
From CNET News (http://news.cnet.com/8301-1009_3-57605962-83/adobe-hacked-3-million-accounts-compromised/):
The massive attack exposes customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders.
Adobe announced on Thursday that it has been the target of a major security breach in which sensitive and personal data about millions of its customers have been put at risk.
Brad Arkin, senior director of security for Adobe products and services, explained in a blog post that the attack concerns both customer information and illegal access to source codes for "numerous Adobe products."
A few examples include Adobe Acrobat, ColdFusion, and the ColdFusion Builder. However, as far as the source code is concerned, Adobe assured that there is no "increased risk to customers as a result of this incident."
Adobe officials added that the investigation has not turned up any zero-day attacks either.
Unfortunately, the culprits have obtained access to a large swath of Adobe customer IDs and encrypted passwords.
Arkin specified that removed sensitive information (i.e. names, encrypted credit or debit card numbers, expiration dates, etc.) about approximately 2.9 million Adobe customers.
He added that investigators don't "believe the attackers removed decrypted credit or debit card numbers" from Adobe's systems.
While federal law officials are involved, Adobe stressed that there are some precautions that customers need to take action on now.
Adobe is resetting the passwords on breached Adobe customer IDs, and users will receive an email if they are affected. The software giant is also currently notifying customers whose credit or debit card information was exposed.
Adobe has also promised to offer these customers with the option of enrolling in a one-year complimentary credit monitoring membership where available.
-
I am intimately familiar with the infrastructures retail corporations use to safeguard client information. Needless to say data protection is a top priority because such breeches don't go over well with the clients and significant hits can be seen on paper by the time the bell rings.
Adobe is probably no more and no less vigilant than any other retail corporation. IMO they are guilty of several ethic concerns but not this one.
As consumers kin charge or our own finances we really should do our due diligence when dealing on-line. I personally use the one-credit card "just in time" method to finance on-line purchases. I have a debit card that maintains the minimum balance necessary for the desired free services and I transfer money into the account as needed for each purchase of group of purchases. The most I ever stand to lose is the minimum balance, the purchase amount is kept to such a limited time frame I don't consider it at risk.
This is different than the much more risky game of using a major CC for international travel. These days you can't help but assume some risks, but you can keep them minimized.
-
I wonder whether these companies whose data bases aren't adequately protected can be sued for negligence.
-
Quote Steve Reply#1
Adobe is probably no more and no less vigilant than any other retail corporation. IMO they are guilty of several ethic concerns but not this one.
unquote
Does this mean everybody with a stored credit card can feel happy? The fact that all of them can so easily be hacked mean that we don't need to feel upset. Seeing you "know" so much about it tell us do we have contact our credit card company or does Adobe do it? Your statement smacks of complacency....at the very least. >:(
-
Your statement smacks of complacency....at the very least.
On the contrary, Steve Weldon clearly assumes the worst-case and tells us what he does to protect himself.
-
On the contrary, Steve Weldon clearly assumes the worst-case and tells us what he does to protect himself.
I think he is being overly cautious because if the money is "stolen" by someone then the credit card company takes the hit. This statement might seem contradictory to my earlier concerns about money loss. However even though I know I am covered it is the hassle of changing credit card details with different vendors and at my age remembering the new code for my card. It is embarrassing in a shop when you input the wrong numbers and you have only three tries. ;D
-
I think he is being overly cautious because if the money is "stolen" by someone then the credit card company takes the hit. This statement might seem contradictory to my earlier concerns about money loss. However even though I know I am covered it is the hassle of changing credit card details with different vendors and at my age remembering the new code for my card. It is embarrassing in a shop when you input the wrong numbers and you have only three tries. ;D
...and it assumes that folk actually check their credit card and bank statements. I believe that over 80% of us do not.
-
Not much can be done about that scenario except if it does happen then vigilance becomes uppermost in someone's mind. Experience is a great teacher...or it should be?
-
I wonder whether these companies whose data bases aren't adequately protected can be sued for negligence.
While the old saying: "you can sue anybody for anything" holds even in this case I doubt they'd prevail. It's far more likely the credit card company would suspend or cancel their contract due to negligence.
-
While the old saying: "you can sue anybody for anything" holds even in this case I doubt they're prevail. It's far more likely the credit card company would suspend or cancel their contract due to negligence.
I'd be surprised if even that happened - far too much commercial interest involved to let an even massive security glitch destroy the future cash flow.
-
Does this mean everybody with a stored credit card can feel happy? The fact that all of them can so easily be hacked mean that we don't need to feel upset. Seeing you "know" so much about it tell us do we have contact our credit card company or does Adobe do it? Your statement smacks of complacency....at the very least. >:(
1. This would depend which pharmaceuticals they happen to be on.. ::)
2. To "need" to feel upset.. probably stems from anger, maybe a feeling of helplessness, possibly financial stress, and yet another draw on our time because "some minimum wage worker" failed to do their job. This indeed is a common draw on such a situation.
But what many don't know/realize is a corporations financial suite often exceeds a lifespan of 10+ years. The process starts with a lot of research identifying the needs, and then bids to the different contractors who design and build such systems, lots of internal negotiations as to the best way to proceed and of course where the money comes from (because the process is expensive) and the best time frames. And finally the teams arrive often taking from 6-18 months from arrival to roll out and testing and and finally certification. The entire process can take years. And the much smaller responses to emerging conditions (a new way to hack, new or expired hardware, etc) during the evolution take their toll as well.
3. I think this is a personality thing. Personally I've always felt the need to be proactive concerning my finances. How about you?
4. Then I failed as a writer. My apologies.
-
Adobe Breach Impacted At Least 38 Million Users
"
The recent data breach at Adobe that exposed user account information and prompted a flurry of password reset emails impacted at least 38 million users, the company now says. It also appears that the already massive source code leak at Adobe is broadening to include the company’s Photoshop family of graphical design products "
http://krebsonsecurity.com/2013/10/adobe-breach-impacted-at-least-38-million-users/
-
Inside job, maybe?
http://forums.adobe.com/thread/1320791?tstart=0
-
Thanks for posting this...REALLY!
As a recent ID theft victim (both credit card & IRS fake tax refund in my name) that Krebs link lead me to the Dept of Justice online press release stating the arrest of the owner of Superget.info from referencing this Krebs link...
http://krebsonsecurity.com/2013/10/experian-sold-consumer-data-to-id-theft-service/
http://www.justice.gov/opa/pr/2013/October/13-crm-1116.html
This issue, and from what I'm seeing is shared by lot of others as well, has lead to a petition to the US gov. demanding corporations that have databases hacked to inform every individual that their personal info was stolen and not just offer some blanket email alert to change an account password.
Experian most likely is going to get sued over what they did, but I do think Adobe needs to take a more active role in informing their customers on issues like this.
I still don't know for sure how my personal information was stolen since I practically live like a hermit and have never lost my wallet. Due to the timing I know my ID theft victimization was not on account of Adobe being hacked.
It just that Krebs report is the first I've heard of what I linked above and Krebs himself. I've been quite busy this morning seeing how many other ways ID has accidentally or intentionally been released.
-
This issue, and from what I'm seeing is shared by lot of others as well, has lead to a petition to the US gov. demanding corporations that have databases hacked to inform every individual that their personal info was stolen and not just offer some blanket email alert to change an account password.
It just that Krebs report is the first I've heard of what I linked above and Krebs himself. I've been quite busy this morning seeing how many other ways ID has accidentally or intentionally been released.
Krebs is a bit like the Michael Reichman of IT Security issues impacting customers. He's very well connected, understands the details and the overall impact of info he receives and his thoughts are extremely valuable.
As far as laws are concerned, there are laws in many places nowadays, one of the first was California. Discussed here when it was announced (http://www.securityfocus.com/news/1984).
Leaving aside the fact that a large batch of hash passwords is roughly 85% as useful as a batch of plain text to competent hackers, we have to take into account that Adobe itself doesn't necessary knows and will not necessarily know what happened. The standard semi-reassuring but vague language of the initial release, which I commented a bit in another post, made that clear.
A typical incident often evolves like this
Credit Card companies identify a pattern in frauds. That pattern points to people who have been customer of company X or store Y. Credit Card contacts X and Y. They are unaware they have been compromised and start an investigation at that point. Potential breach sources are identified and examined. Depending on the logging available, on how well the forensic aspects were handled, on how competent the hackers were, this can take a long time and yield partial results. And, while in practice investigations do complete, there's still the lingering doubt of having missed something. It's not easy to see where the line has to be drawn. Even if it wanted to (which is doubtful given the initial details) there isn't a single moment where one can say "we have everything, we disclose everything, case closed".
Last but not least, replacing 38.000.000 credit cards has a cost. There will be a cost vs risk analysis at the bank and CC level. In the late 90s, the RSA factors of the French bank cards were compromised: in practice, that meant that people could withdraw cash with phantom cards. Banks and IT security specialists were aware of it, quite a few hackers as well. But changing the system for that single reason was seen as too expensive and a "fix as you go" plan was put in place. It lasted for years...
-
And now my CC company is so paranoied that they block authorization at the smallest whim, this with in less that two weeks after issuing a new number.
Should I notify them that I will not do business with Adobe ever again?
-
And, while in practice investigations do complete, there's still the lingering doubt of having missed something. It's not easy to see where the line has to be drawn. Even if it wanted to (which is doubtful given the initial details) there isn't a single moment where one can say "we have everything, we disclose everything, case closed".
So this is why a lot of the ID theft victim's experiences (a lot of them from talking to CSR types) voluntarily disclosed to me after my insistence on not giving out SSN/DOB has everyone one of them state the culprits were never caught and they (the ID victims) were never out of pocket because the CC and/or bank's insurance covered the loss.
Which helps me understand this a bit more...
But changing the system for that single reason was seen as too expensive and a "fix as you go" plan was put in place. It lasted for years...
-
And now my CC company is so paranoied that they block authorization at the smallest whim, this with in less that two weeks after issuing a new number.
Should I notify them that I will not do business with Adobe ever again?
I'm trying to remember the last time I bought any software directly off Adobe's site which I would've used my credit card, but my last purchases CS3, CS5 and Lightroom were discs bought through Amazon.
I wish I knew if Adobe REALLY had my credit card info on file, but on looking back it would had to have been the old "HSBC" Household bank version that was destroyed and reissued with a new number back in March of 2012, new info I know for a fact I didn't update on Adobe's site. And I know for a fact I didn't buy directly off Adobe's site from that point onward.
-
Adobe hack affects 38 million users, not 2.9 million.
http://www.dpreview.com/news/2013/10/30/adobe-hack-affects-38-million-users-not-2-9-million?utm_campaign=internal-link&utm_source=news-list&utm_medium=text&ref=title_0_7 (http://www.dpreview.com/news/2013/10/30/adobe-hack-affects-38-million-users-not-2-9-million?utm_campaign=internal-link&utm_source=news-list&utm_medium=text&ref=title_0_7)
No Adobe Cloud for me !!
-
Enjoy - up to 135 millions now
http://arstechnica.com/security/2013/11/how-an-epic-blunder-by-adobe-could-strengthen-hand-of-password-crackers/
That's just priceless.
but I also have to apologize: in my comments I put the word encrypted in quotes because I couldn't believe that the password file was actually encrypted with a symetric algorithm and thought they used the word as a generic term for hashing or salted hashing (most non tech users wouldn't make the difference).
But, no, they actually encrypted it. :-( Apparently this was only a backup, and Adobe claims it uses standard decent methods now (salted hashes) but leaving aside questions of key length, mode for the block cipher (ECB is bad state my ... 1990 cryptographic books), known plaintext attacks, etc... one could also wonder if, since the hackers took source code, Adobe's own LDAP directory etc... if they simply did not also have access to the backup encryption key. As already noted, a careful parsing of Adobe's releases indicate that the password file wasn't decrypted on Adobe servers.
Or is it stored on a Post-It note in one of Adobe's IT security guys wallet?
EDIT wrong number corrected
-
Remember when asked if it was an employee or a ex-employee, the answers was only they were pretty sure it was not an ex-employee.
Do they have some idea of what employee is responsible.
-
On November 19th I received a new email from Adobe Customer Care (well, so it says, as I'm beginning to suspect that it might have been a fake).They tell me that my password has been reset AGAIN by them, and I'm supposed to change it. Same thing that I had been asked a few weeks ago after the big data hack.
So I typed in my new password. Today (four days later) I checked that new password and tried to log into my Adobe Account. I was denied access. I thought this a bit strange, and tried with the old one (the one I got the message that it had been reset). And - hey presto - I was logged in.
Still a big mess there at Adobe, I guess.
-
Adobe in bed with Experian.
Now this even gets stranger.
http://forums.adobe.com/thread/1341742?tstart=0
-
Interestingly, I got an email from EverNote (which I use) saying they had compared all their user email adresses with those from the Adobe hack and were reporting to anyone where they found a cross-match and recommending that EverNote passwords be changed.
That's good, proactive support from EverNote.
-
Doyle, this is life as usual in the IT Security world. Nothing that rampant malpractice can't explain.
Want to sign as Microsoft? Just ask Verisign whose sole job at the time (2001) was to ensure IDs and certificate matched.
http://news.cnet.com /2100-1001-254586.html
Want to steal a stealth fighter design? Ah, a bit more complex. Two steps...
1) hack RSA istelf to create ID tokens. Of course, RSA will first deny it, then confirm it in a limited way, which, of course, should have no impact.
http://gcn.com/articles/2011/06/07/rsa-confirms-tokens-used-to-hack-lockheed.aspx
then, it becomes obvious it is not that limited
http://dankaminsky.com/2011/06/09/securid/
http://arstechnica.com/security/2011/06/rsa-finally-comes-clean-securid-is-compromised/
2) send a fishing e-mail with a compromised PDF to Lockheed Martin to executives and HR, gain a foothold in the network, then use the token to access the secure part (the fundamental mistake here was that there was a bridge between HR and R&D)
I could go on for pages and pages.
Adobe, also in 2001, managed to sell an expensive document security suite that encrypted documents and stored the encryption key and decryption routine in them. They then got the guy who revealed that slight (cough, cough) issue in jail (and backtracked when they realize they couldn't defend their position)
http://www.zdnet.com/news/dimitry-sklyarov-enemy-or-friend/116424
So, in that sense, the attack on Adobe is nothing out of the ordinary. While it may seem extraordinarily hard to pull off, it is not the case and it's not necessary to have insider collaboration.
-
Adobe in bed with Experian.
Now this even gets stranger.
http://forums.adobe.com/thread/1341742?tstart=0
Where does it say in that Adobe Forum discussion link that Adobe is in bed with Experian?
This DOJ link:
http://www.justice.gov/opa/pr/2013/October/13-crm-1116.html
...indicates the capture and indictment of one of the persons Experian sold personal information to but it doesn't say how the information exchanged hands and by what process security mechanism was used and certainly no mention of Adobe. If you're blaming it on Adobe's security holes in their PDF creation apps, please point directly to how Experian used a pdf to sell personal information.
BTW doing some calling around and research on the web what Experian did is totally against the law, so Experian is going to be the one to blame unless you all have evidence that indicates different.
-
Adobe should not be keeping that data. It is not their area of expertise so they should be using the credit card company's system. The only retailer company I trust to keep data is Amazon.
-
Adobe should not be keeping that data. It is not their area of expertise so they should be using the credit card company's system. The only retailer company I trust to keep data is Amazon.
Virtually every on-line retailer (who doesn't use a service such as Digital River) keeps payment and credit card records. The business suites that 99% of them use, come from the same software companies.
If you're depending on a internet sight to keep your data secure.. well.. that's your first mistake. Don't do that.