Adobe’s October 2013 data breach was not only one of the largest breaches ever, it could have been prevented if the company had stored the user passwords correctly. They didn’t and to their great embarrassment, 150,000,000 records were exposed.
…here is our minimum recommendation for safe storage of your users’ passwords:
- Use a strong random number generator to create a salt of 16 bytes or longer.
- Feed the salt and the password into the PBKDF2 algorithm.
- Use HMAC-SHA-256 as the core hash inside PBKDF2.
- Perform 10,000 iterations or more. (November 2013.)
- Take 32 bytes (256 bits) of output from PBKDF2 as the final password hash.
- Store the iteration count, the salt and the final hash in your password database.
- Increase your iteration count regularly to keep up with faster cracking tools.
Whatever you do, don’t try to knit your own password storage algorithm.
It didn’t end well for Adobe, and it is unlikely to end well for you.
This also got me to thinking about password length and complexity again, so stay tuned for my latest cogitations on that matter.
[Editor's Note (Skoudis): A few years ago, Marcus Sachs mentioned to me an intriguing idea. He said, someday, it is possible that pretty much every system will have some malware on it, just as our bodies are chock full of viruses and bacteria. But, our bodies handle it ok as long as the infection doesn't get out of hand and cause damage. The notion was that it will be impossible to be 100% clean, but you can in fact still be operational if you have good defenses (like the body's immune system). I didn't like hearing what he had to say then, as it sounded defeatist. But, stories like this remind me of that view of the future and make me wonder if we are heading there. ]
I have recently cleaned several PCs that showed evidence of infection by Trojans and spamware, yet they were performing fine and behaving themselves on the network; the items were sitting in Symantec’s quarantine, having been caught by the AV engine at some point. I guess you could consider that these machines were infected, similar to someone who had the flu virus in their system, but was not suffering from the illness. In the former case, the AV engine acted as the PC’s immune system; in the latter case, the body’s biological structures and processes to locate, isolate, and/or destroy pathogens are its immune system. This view seems to validate Mr. Sachs’ idea.
With all of the malware, old and new, that is already traveling around the internet, I believe we’ve already reached a certain level of ubiquitous infection if only of the infrastructure. As malware continues to get more sophisticated, it’s inevitable that some will slip by our defenses and end up on every PC.
We’ll need a better digital immune system to fight it.
Hackers claim to have hacked the site adobe.com on 2013-11-03 and we’ve detected that your email address was included in the data published as part of the leak. The full description of the leak is as follows:Adobe Systems announced on October 3rd of 2013 that hackers broke into Adobe network and stole source code for a range of products, including ColdFusion and Acrobat family of products. The breach also affected what was at that time estimated to be 2.9 million users but later was revised to include at least 38 million users. Adobe said hackers had stolen nearly 3 million encrypted customer credit card records, as well as login data for an undetermined number of Adobe user accounts. The breach happened in early October but the stolen accounts were not published on the web until early November. The published data includes 10s of millions of accounts with IDs, email addresses, encrypted passwords and more.
Please update the password for your adobe.com account immediately. The LastPass Security Challenge, located in the Tools menu of the LastPass addon, will help find any other accounts using the same password as the leaked account.
The LastPass Team
Seems that I had to change some passwords just a short time back when this happened. I sure wish someone would come up with viable, secure replacements for Adobe apps so we could breathe a little easier.
Black Friday (or Thursday, or Monday, or whatever) is approaching and marks the “official” kickoff of the holiday shopping season. According to the National Retail Federation, if the trend holds, this season will be busier than last for online merchants, increasing approx. 4.9% to $602 billion this year. That’s good news for merchants, who make most of their profits for the year during the holiday season.
It’s also good news for cybercrooks.
Criminals will be vying for their share of the revenues by victimizing unwary shoppers seeking to get the most out of their holiday shopping dollar. Offering super low prices on name brand and designer merchandise is their favorite trick. Here are ten tips for secure online shopping that will help you avoid online shopping fraud this season.
- If the price seems too good, it probably is. That cheap Rolex watch is either a fake, stolen or is really a “Rolev.” Beware.
- Crooks duplicate well-known websites to the last detail. Check the domain. If it’s different than the site, leave quickly.
- Poor grammar and obvious mistakes in spelling are a good reason to avoid shopping on the site.
- Never shop on an insecure website. Make sure you see “https://” in the URL.
- Avoid merchants with no customer service phone number. If there is a number, call it to verify it’s real.
- Avoid merchants with email addresses that don’t match the site’s domain name, e.g., gmail or yahoo addresses.
- Don’t use a debit card; you risk your entire bank account. Use a credit card with buyer protection. Pay Pal is a good option.
- Check public reviews of the site to see what others have experienced.
- Keep all receipts and emails related to the transaction until you have received your products.
- The safest option by far is to simply shop at known reputable sites or sites you have prior successful dealings with.
There is no such thing as being 100% secure online, but if you follow these guidelines, you should be OK.
Security is a dynamic process, never a one-time set-it-forget-it thing. As such, I periodically review and attempt to improve the security of my systems. For some years now, I have been a loyal and happy user of LastPass. Every login to every site I use on a regular (and not-so-regular) basis is stored there. One of the services that LastPass provides is their Security Challenge which examines your password vault, gives you an overall security score, and tells you what to do to improve your security. Here’s my most recent result:
I just scored 73% on the LastPass Security Challenge ranking 69029th overall. It securely analyzes the strength of your passwords, alerts you if you have any duplicate or weak passwords, and tells you how to make them more secure.
Give it a try and see if you can beat my score!
Not a bad score — probably much better than the average person — but I’m not happy with it. Out of carelessness, or just plain laziness, I’ve been guilty of the the biggest password no-no of all: using duplicate passwords on different sites. Seems I’ve used 22 different passwords multiple times on 65 different sites. Moreover, I have 24 passwords that are considered weak and (yikes!) three blank passwords.
So, I’ll spend a few hours of my weekend changing passwords and eliminating duplicates and weak ones.
It’s that special day again: Halloween! And this is once again my Happy Halloween message to you. I thought about changing it to something different, but I honestly can’t think of a more appropriate message.
IMHO, no writer in history embodies the essence of Halloween more than Edgar Allen Poe whom I consider the creator of the horror genre (yes, I know he’s credited as the creator of detective-fiction and contributor to the science fiction genre but he dealt more in the macabre than anything else).
Poe’s short story, “The Gold Bug,” is what got me interested in ciphers and encryption as a young boy; a collection of his most popular short stories is what inspired me to become a writer.
So, on this Halloween 2013 I present a very special reading of Poe’s famous poem, “The Raven.” Enjoy!
The bad guys love to trick people into downloading their malicious garbage and will use just about any tactics to do so. It’s Halloween season, so people will be searching for all kinds of scary stuff to decorate, dress up and generally celebrate the creepy. The hackers know this and will have already started putting up poisoned search results. Haven’t heard about any yet? Believe me, they are out there lying in wait for some unsuspecting victim.
How can you tell if you click on a poisoned search result? Video codecs are a favorite vehicle for hackers. If you get a pop-up saying you have to install such-and-so codec or some sort of image viewer, chances are it’s an attempt to infect you. But this isn’t the only method used; when you click on a search engine result, be aware of anything that doesn’t look or feel right. Lots of drive activity, very slow page loading, unusual error messages, any of these things can indicate an attempt to infect your system.
Hackers love holidays and news events because people can be counted on to search for related information, but the above advice applies to routine searches as well. Nothing is immune to being exploited or used as a vehicle for malware, so keep your eyes (and ears) open all the time. I know how my systems act so well that I can spot trouble long before the system crashes.
Don’t let Halloween malware ruin your day.
Since it’s National Cyber Security Awareness Month, I think it’s fitting to re-post my short 2008 piece on using the hosts file to block unwanted sites. I looking it over, I discovered that FaltronSoft no longer exists, hence the strikethrough. The MVPS.org site, however, still exists and is actively maintained with current information. You can sign up at the site to be notified of updates.
Using a HOSTS file to block access to malicious or unwanted web sites is an old trick and it’s excellent protection against malware. I’ve been using the mvps.org hosts file for about five years, and I have never been infected with any malware, despite, for testing purposes, intentionally visiting sites known to host it. The thing just works. It’s a great way to add an additional layer of security to your machine. You’ll also notice that many of those annoying ads no longer display in your browser.
Today, I found a cool utility that will let you download, install, and update your HOSTS file directly from the mvps.org site: Hosts File Updater, a freeware program by FaltronSoft. This single 16K executable checks the mvps.org site for a new version of the HOSTS file. If it finds one, it asks you if you want to update. Give your permission and the program backs up your existing HOSTS file and downloads and installs the new one. It also automatically sets the file to read-only, a nice feature.
In Using the Windows Host File for Privacy and Security, techsupportalert.com has this to say:
Employing the Windows Hosts file to prevent a PC from connecting to undesirable web addresses is a very old practice that is still being used by some as a security measure or to block ads and cookies. Experienced PC users will be familiar with the Hosts file but, if it is a new concept to you, you can read about how this simple text file works at this link. You should also look at what Gizmo wrote about the file in his newsletter ten years ago.
I, for one, have been using this method successfully for years. Give it a try.
CryptoLocker is a particularly nasty piece of malware that encrypts dozens of file types including .doc, .xls, .ppt, .pst, .dwg, .rtf, .dbf, .psd, .raw, and .pdf then demands you pay a “ransom” to get the key to unlock your data. If you see this pop-up on your PC, you’ve been infected:
They make it sound bad, don’t they. Truth is, there is probably no way to get your data unless you risk paying the money to the criminals. Here’s what Windows Secrets has to say about it:
There are no patches to undo CryptoLocker and, as yet, there’s no clean-up tool — the only sure way to get your files back is to restore them from a backup.
Some users have paid the ransom and, surprisingly, were given the keys to their data. (Not completely surprising; returning encrypted files to their owners might encourage others to pay the ransom.) This is, obviously, a risky option. But if it’s the only way you might get your data restored, use a prepaid debit card — not your personal credit card. You don’t want to add the insult of identity theft to the injury of data loss.
That last part is very good advice, but you still risk losing your money and not getting your data back. How can you trust a criminal to keep their promise?
You best strategy at this time is prevention. Antivirus software won’t catch CryptoLocker and limiting admin rights on your computer has no effect, either. To ensure that you will be able to recover your data, the most reliable method is frequent backups. Should CryptoLocker slam you, restoring your data from backup will save your bacon.
If you are running Windows XP Professional or higher, you can set Group Policy to prevent execution of the malware. If you are technically inclined and adventurous, BleepingComputer.com has a comprehensive guide of some things you can try that might work to help you recover data.
We probably all agree that passphrases can be easier to remember than complex, random passwords. IhaveABIG2013truck! can be memorized in just a couple of minutes whereas Ih*^29xB@@!dude would take a lot longer to commit to memory. This isn’t to say that passphrases can’t also be difficult to remember.
Athletes, artists, musicians, craftsmen – anyone who develops a particular manual skill – rely on muscle memory to a greater or lesser extent. As a musician, I know that repetitive practice of scale patterns, chords, picking patterns and melodic riffs trains the muscles in my fingers to “remember” those patterns. At first, I feel awkward and perform slowly, but after a while, the patterns come second nature and take little thought to perform.
You can do the same thing with passphrases and passwords. In fact, the best typists usually don’t think about what they are typing: the key patterns for whole words are trained into the muscle memory of their fingers.
An innovative approach to utilizing muscle memory is to choose passwords and passphrases that alternate between left hand and right hand on the keyboard. The rhythm 0f going back and forth will soon be ingrained into your fingers. This requires some knowledge of touch typing, but don’t worry, you can get familiar enough with it in just a few short lessons on line. Here’s something that may help you. The image shows the “home” keys and you can probably easily figure out which hand goes with which keys.
A random password like A*#9tU is a left, right, left, right pattern. For passphrases, there are hundreds of words that alternate in this manner. Below is a sampling from a list called lrwords.txt that you can find here:
Add in some numbers or special characters that alternate hands and you’ve got the advantage of unusual passphrases that use both your mental and physical memory. How about fiendish1927emblem? Easily memorized and has a nice rhythm on the keyboard. Type it a few times and it’s not likely you’ll forget it.