A-D'OH!-BE: Adobe hit by 'sophisticated' MEGA HACK RANSACK

Adobe's systems have been hit by numerous "sophisticated attacks" that have compromised the information of 2.9 million customers, and accessed the source code of Adobe products. The company said on Thursday that it has been the victim of a major cyberattack and said hackers had accessed those millions of customer IDs and …

COMMENTS



Shock

What a surprise. And here it looked like Adobe was starting to relax because Oracle has taken over their place as the biggest pariah, security-wise, in the industry.


Re: Shock

With all the constant 'security' and other updates Adobe pesters me with for free Reader, it's no shock to me. Since Reader is the only point for their existence for the vast majority of people (I use Gimp for example), why don't they just abandon all their other junk, and do ONE job right?


Re: Shock @danR2

NO NO NO NO!

There are plenty of alternatives to Reader; even to the full fat Acrobat Pro. What's more, almost all of them are better! I'd be happy for Adobe to drop it like a hot potato.

What they should carry on with is CS, which doesn't have an equivalent, but unfortunately they dropped it like a hot potato :(


Re: Shock

Adobe websites all use Linux of course... The only thing on the planet with more vulnerabilities than Adobe's own products...


Re: Shock

erm... http://www.theregister.co.uk/2004/10/22/security_report_windows_vs_linux/ #justsayin


This will end well.

All those security issues in Acrobat that Adobe couldn't be bothered to find? I think that problem's just been solved. Unfortunately, not by Adobe.


Perhaps it's those nice "white hat hackers"...

And now they've got the source code, they're going to do the job properly for Adobe.

In my dreams. ;o)


Re: Perhaps it's those nice "white hat hackers"...

I thought pretty much the same thing.

One of my Very Favourite Websites/forums runs ColdFusion, and it's perpetually broken.

Maybe the hackers can fork it, eh?


Re: Perhaps it's those nice "white hat hackers"...

I was thinking the opposite: now they have the Adobe source code they know how to make the worst virus the world has ever seen. Adobe software.


Re: Perhaps it's those nice "white hat hackers"...

And why exactly is that the fault of Adobe?

I'd take a look at those developing, maintaining and hosting the site first, not the platform it was built on.

For what it's worth, I look after a very busy CF-powered ecommerce site and the only downtime we get is after Patch Tuesdays.


Re: Perhaps it's those nice "white hat hackers"...

Hope so.

<opens process list>

armsvc.exe

Yup, I'm still infected. Hopefully the hackers will make a patch to kill herpes-like Adobe TSR processes.


Re: Perhaps it's those nice "white hat hackers"...

People like to forget inconvenient facts. It doesn't matter if you're running Apache, Nginx, IIS, Cold Fusion, Tomcat, whatever, if you don't keep up with security updates you're just asking for a good reaming.


All those new Creative Cloud customers caught out then?

Can't be good for customer confidence!


Re: All those new Creative Cloud customers caught out then?

You beat me to it.

Time for someone to create a replacement for CS.


Obviously if you've bought Adobe's products as a disk from a shop and paid cash for them, you won't be affected.

OH, WAIT.


Hold Security guilty of hacking

"Security firm Hold Security claims to have found 40 gigabytes in encrypted archives on a hacker's server, apparently containing source code on some of Adobe's biggest products."

And how, pray tell, did Hold Security gain access to the hacker's server in order to find the encrypted archives?

I must be the only person adding 2+2 together: 'encrypted third-party server was found to have data, says Hold Security'.

No red flags raised? Hmmm. Yep yep: hacking is OK if *we* do it, just not the other way around.


"We are not aware of any zero-day exploits targeting any Adobe products."

Have you tried looking?


Re: "We are not aware of any zero-day exploits targeting any Adobe products."

Why would they be looking? That's a foolhardy course of action!

If you go around looking for 0-day exploits and find them, then you have a responsibility to fix them!


Re: "We are not aware of any zero-day exploits targeting any Adobe products."

Two ways to look at this: if they knew of the exploits, they wouldn't be zero day; or, they are simply lying. My money is on the latter. I don't trust Adobe at all. Products are crap, documentation is crap, support is crap.


Open Source

Adobe have now released their software as open source. Not sure what sort of license it has now but it should ensure quite a few holes are plugged rather quickly.

Trebles all 'round.

Cheers

Jon


Re: Open Source

"...it should ensure quite a few holes are plugged rather quickly."

I find your remark extremely distasteful!


Re: Open Source

That's actually not open source, but selective opening to the source. That's the worst way to do it. It allows malevolent people to get the source code to find bugs they will just exploit for their own gains, while it doesn't allow benevolent people to search for bugs to report to the public so they get fixed.


Re: Open Source

"...it should ensure quite a few holes are plugged rather quickly."

I find your remark extremely distasteful!

Let's leave Miley out of this :)


Errrm, is it just me or is it slightly strange they are asking people to change their passwords on other services? The passwords were properly salted, were they not? The salt used hasn't been compromised as well, has it?


Salted passwords are not about keeping one unique salt secret, it's about having a distinct salt for each user, assuming that if your shit gets stolen, the salt will get stolen too.

However, since each user has a distinct salt, you need a full-blown hash generation cycle for EACH user, hoping your password attempts will hit the jackpot for that one guy.

As opposed to having a single common salt where you just generate your hashes for your big dictionary and just see what users have hashes that match those.

All it does is make a dictionary attack less efficient by a factor of "how many users do you have".

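The work-factor argument in the post above, shown as an added example (not the commenter's code): the same users and weak passwords are stored once with a single shared salt and once with per-user salts, and the same guess list is run against both tables. PBKDF2 with a small iteration count stands in for a real slow password hash; the user set, the guess list and the salt values are constructed.

```python
import hashlib
import secrets

# Added example, not from the thread: why one shared salt and per-user salts cost
# very different amounts of work. PBKDF2 with a small iteration count stands in
# for a real slow password hash; the users and guesses below are constructed.
ITERATIONS = 100   # constructed; production settings are far higher

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_record(password, salt=None):
    """Per-user random salt unless the caller forces one shared salt on every record."""
    if salt is None:
        salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": hash_password(password, salt)}

def verify(password, record):
    return secrets.compare_digest(hash_password(password, record["salt"]), record["hash"])

def dictionary_work(records, guesses):
    """Return (hash computations, {user: recovered password}) for testing every
    guess against every stored record. A guess is hashed once per distinct salt:
    one shared salt means one hash per guess, per-user salts mean one per user."""
    by_salt = {}
    for user, rec in records.items():
        by_salt.setdefault(rec["salt"], []).append(user)
    hashes, found = 0, {}
    for guess in guesses:
        for salt, users in by_salt.items():
            candidate = hash_password(guess, salt)
            hashes += 1
            for user in users:
                if secrets.compare_digest(candidate, records[user]["hash"]):
                    found[user] = guess
    return hashes, found

def compare(num_users=10):
    """Same users and same weak passwords stored both ways; the guess list
    contains every password, so both runs recover everything, but the per-user
    salted table costs num_users times as many hash computations."""
    guesses = [f"password{i}" for i in range(50)]
    passwords = {f"user{i}": f"password{i * 7 % 50}" for i in range(num_users)}
    shared = {u: make_record(p, b"one-salt-for-all") for u, p in passwords.items()}
    salted = {u: make_record(p) for u, p in passwords.items()}
    shared_cost, shared_found = dictionary_work(shared, guesses)
    salted_cost, salted_found = dictionary_work(salted, guesses)
    assert shared_found == salted_found == passwords
    return shared_cost, salted_cost
```

Per-user salts do not stop a weak password from being recovered; they multiply the cost of checking the whole table by the number of users, which is exactly why Adobe still has to tell people to change reused passwords.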

Re:

One should never use the same password in more than one place. Ideally all of your passwords would be different.

Given the ease with which weak passwords can be cracked, Adobe are warning folks not only to change their Adobe passwords, but also the passwords of any other services that happen to use the same passwords. Because entire user profiles were lifted (apparently), there is a good chance that if the data were decrypted, it could be used to leverage an attack against a user's bank account, for example.

bep

Good advice except that it's impossible

Every blinkin' website, including this one, requires you to register in order to comment, not to mention banks, software suppliers like Adobe etc etc. How are you supposed to remember all these passwords? OK, you put them in a password manager program. How do you secure that? Another password you have to remember. You're supposed to change that regularly of course, but it still has to be something that is a) hard to crack, but b) easy (or at least possible) to remember. If that gets cracked, they get everything. It's still better than nothing, but suggesting there is a security process that works reliably is highly misleading.


Re: Good advice except that it's impossible — Not Quite Impossible

The difference is that you don’t normally publish your password safe on the Internet, and so it’s less likely to be compromised. A reasonably good password on your own machine should be reliable.

The real problem is when you entrust your passwords to others who can’t or won’t look after them properly.


Re: Good advice except that it's impossible

> OK, you put them in a password manager program. How do you secure that?

Set a random 20 char password, buy yourself a Yubikey and configure that to send the password for you, assuming you're not using a service that works with the OTP functionality. Works on any machine as it's basically a USB keyboard as far as the OS knows.

It's still not ideal, but it beats whining about how hard it is to maintain security on the accounts that you should want to protect.


Re: Good advice except that it's impossible — Not Quite Impossible

> The real problem is when you entrust your passwords to others who can't or won't look after them properly.

The worst thing is there's no way to know upfront whether they will (or are capable of).

How many sites do you register a nice strong password for only to find it instantly compromised because they've included it in the signup email? Let alone those stupid enough to still be storing plaintext.

JLV

Re: Good advice except that it's impossible

>How are you supposed to remember all these passwords?

You don't. You re-use the same dumb, easily remembered and typed, password for the 50 dumb sites that are just registration-happy. If it doesn't have your CC# number and real email or some relevant s**t, why are you bothering with security on it? Do make a supreme effort and avoid 12345 tho ;-)

Then, on the other 10-20 sites that matter (CC# for example), you use secure passwords, all different from each other, and put them into a password manager. Of course, you never re-use passwords anywhere where it would matter. You memorize your password mgr password and maybe some other key passwords.

Facebook? Pretty useless, but a hit to your reputation if racist propaganda appears posted under your name. So you give it a big-boy password. Ditto LinkedIn. Not the Reg.

When the passwords get hacked on one of the 50 trivial sites, you can run off and change them, if you want, on the others. I know my Reg pwd remained the same after the PS3 hack.


Re: Good advice except that it's impossible

> Set a random 20 char password, buy yourself a Yubikey and configure that to send the password for you, assuming you're not using a service that works with the OTP functionality. Works on any machine as it's basically a USB keyboard as far as the OS knows.

Yep, something like LastPass will work across all major browsers and devices. Use two-factor where possible with a Yubikey or Google Authenticator - LastPass, Facebook, Google, Dropbox, Evernote accounts at least can all be made more secure this way.

I use LastPass and have it automatically generate 20 character random passwords for every site I need to log into. I don't even know the passwords myself in most cases so even hammer decryption won't work on me.

Nonetheless although we can do everything possible to be secure we'll always be at the mercy of the likes of Adobe clowns who are able to get my credit card details hacked. Changing my password for my Adobe account is no big deal, but changing my card is a PITA.


Re: Good advice except that it's impossible

Write them down.

I have a book of passwords that lives in my house with a page for every website or service.

The likelihood that someone is going to steal a small notebook with handwriting in it is almost zero... even when I carry it around...

It may sound crazy but actually physical access to me and my computer is probably the biggest barrier to a hacker.


Serves the bastards right

I've uninstalled enough of their parasiteware distributed with the Flash player and PDF Reader. Scumbags


Re: Serves the bastards right

Such BLOATWARE that we no longer use Adobe Acrobat Reader, thank God. They want to track us with Flash cookies, though. Is that a threat to my privacy or not? Using NoScript helps, but I'm afraid. Idiots!


Surprise surprise

When I first heard about "creative cloud", I wondered who would trust Adobe enough to give them their personal information. Turns out that at least 2.9 million people did so. - That is the only surprise here in my opinion.


Re: Surprise surprise

Actually I'm surprised it's so low. There must be more than 2.9m people who are printers, commercial artists etc. who are - unfortunately - dependent on Adobe's products for their livelihood. They were all pretty pissed when Adobe announced the creative cloud shit and now they're likely to pay the price. If the hackers have any decency, they'll not exploit details other than to force Adobe to go back to selling boxed product. Some dream though.


At first

Why do they keep credit card numbers stored somewhere? Such a thing should be made illegal, and it would solve many problems...


Re: At first

How else would they do monthly charges to people easily without having to figure out every country's banking system?


Re: At first

You use a payment provider, and let them sort it out.

We handle thousands of transactions a day, many of them recurring payments, and yet we don't store a single credit card number, encrypted or otherwise.

What we do store is a token that we pass to our payment provider that lets them know who to charge etc. Even if you got hold of the tokens it would do you no good, as the tokens are unique to our account, can only be used in conjunction with our account details, and will only be processed if the transaction originates on our IP.

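The tokenisation setup the post above describes, as an added example that is not the commenter's production system: a toy payment provider vaults the card number and hands the merchant an opaque token bound to one merchant account and to the origin IP that merchant registered, so a dumped merchant table yields neither card numbers nor usable tokens. Merchant ids, IPs, the card number and the amounts are constructed.

```python
import secrets

# Added example, not the commenter's production system: a toy payment provider
# that vaults card numbers and returns an opaque token bound to one merchant
# account and to the origin IP that merchant registered. Merchant ids, IPs,
# card numbers and amounts are constructed.

class PaymentProvider:
    def __init__(self):
        self._merchants = {}   # merchant_id -> {"secret": str, "ips": set}
        self._vault = {}       # token -> (merchant_id, pan); the PAN lives only here

    def register_merchant(self, merchant_id, allowed_ips):
        secret = secrets.token_hex(16)
        self._merchants[merchant_id] = {"secret": secret, "ips": set(allowed_ips)}
        return secret

    def _authenticated(self, merchant_id, secret):
        m = self._merchants.get(merchant_id)
        return m is not None and secrets.compare_digest(m["secret"], secret)

    def tokenize(self, merchant_id, secret, pan):
        # Called once at signup; the card number never comes back out.
        if not self._authenticated(merchant_id, secret):
            raise PermissionError("unknown merchant")
        token = secrets.token_urlsafe(24)
        self._vault[token] = (merchant_id, pan)
        return token

    def charge(self, merchant_id, secret, origin_ip, token, amount):
        if not self._authenticated(merchant_id, secret):
            return "rejected: bad merchant credentials"
        if origin_ip not in self._merchants[merchant_id]["ips"]:
            return "rejected: unexpected origin"
        entry = self._vault.get(token)
        if entry is None or entry[0] != merchant_id:
            return "rejected: token not issued to this merchant"
        return f"charged {amount} to card ending {entry[1][-4:]}"

def demo():
    """Merchant A stores only tokens; a leaked token is useless to merchant B,
    and useless even with A's own credentials when the charge comes from a foreign IP."""
    provider = PaymentProvider()
    secret_a = provider.register_merchant("shop-A", ["203.0.113.10"])
    secret_b = provider.register_merchant("shop-B", ["198.51.100.7"])
    pan = "4111111111111111"                                  # constructed test number
    merchant_db = {"alice": provider.tokenize("shop-A", secret_a, pan)}
    leaked = merchant_db["alice"]                             # what a dump of shop-A's table yields
    return {
        "normal": provider.charge("shop-A", secret_a, "203.0.113.10", leaked, "9.99"),
        "other_merchant": provider.charge("shop-B", secret_b, "198.51.100.7", leaked, "9.99"),
        "wrong_origin": provider.charge("shop-A", secret_a, "192.0.2.55", leaked, "9.99"),
        "pan_in_merchant_db": any(pan in t for t in merchant_db.values()),
    }
```

The merchant-side risk that remains is the merchant's own API credentials and origin, which is what the following reply is arguing about.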
Silver badge

Re: At first

You're an idiot. All this does is move the risk, it doesn't eliminate it. It doesn't really lower it either.


Re: At first

Of course it lowers the risk - you hand the sensitive data to a company whose only vested interest is to protect it - it's their job, and if they have a breach then they're going to be finished. As it's their vested interest, they'll spend far more time and money making things secure, and economies of scale mean you'll get a vastly superior offering to doing it yourself.

Otherwise what we'll end up with is every Tom, Dick and Muhammad Retail Ltd kludging together a badly implemented payment system which they don't understand and have no interest in keeping secure - they sell you their wares, not payment security. So long as it works and does the bare minimum, they're not going to improve it - they have their vested interests elsewhere.


Re: At first

I recently purchased an iPhone for the first time in an Apple Store (Regent St; first time in an Apple Store, not first iPhone purchase). The only other time I've ever purchased an Apple product with my existing card is on the Apple.fr website last year for my wife's iPhone.

Fanboi jokes aside, I was shocked that the salesfloor dear, after she swiped my card she asked if I'd like my receipt to my email (she had the correct email) and made a remark about the fact I had purchased 2 iphones in 1 yr that showed she had my purchase history on that shitty handheld terminal, after only a swipe of my cc.

Does make one wonder how they are hashing stored cards to be able to easily index them to an account and its purchases, as well as how that damn terminal can wirelessly take my swiped card and access all that info in a secure manner.


Adobe Cloud

Welcome to Adobe Cloud, where every user must give us credit card details and then we let hackers steal them. It's called Cloud Collaboration.


Re: Adobe Cloud

Isn't that a nasty new twist on 'crowd sourcing' ...?


Wouldn't it be wonderfully blissful if the attackers breached Adobe through a published flaw in an Adobe product.

At least I know my details haven't been stolen from Adobe's servers. I've always got my Adobe products from BitTorrent (JOKE!, I wouldn't touch Adobe products with a barge pole)


Creative Cloud protest petition

Not everyone who has signed up to CC has done so willingly. With limited time discount offers, Adobe has effectively forced many customers into signing up now - against their will - rather than risk getting left behind with outdated software. Many subscribers would, I'm sure, leap at the chance to return to boxed products, if only Adobe would reinstate them. This debacle only reinforces the case for customers to be given that option.

There's an online petition here, in case anyone wants to add their voice:

https://www.change.org/petitions/adobe-systems-incorporated-eliminate-the-mandatory-creative-cloud-subscription-model


Bah!

I think the offering of credit checking may be a legal requirement.

Three times in the past dimwit banks holding my mortgage have "lost" tapes containing ID theft information, carefully collected to be logically adjacent and mightily encrypted as EBCDIC. Said banks were reassuringly positive that "no one could read the tapes in question" and that they were thinking of encrypting the information more robustly some time real soon now (apparently the thought that getting hold of a reel-to-reel tape deck and the equipment to drive it might be trivially easy, especially for people who keep "finding" these "lost" tape reels, has not found popular acceptance with banking IT).

And each time I got a year of credit checking out of it. Since banks never give anything away in the US for free I have to think there was some piece of needless left-wing liberal legislation forcing their hands.

xyz

bugger!

I had to buy a font from Adobe a few months back. At the time I thought their whole online purchasing "system" was a joke from the mid 1990s and hey guess what...it is. I am now in receipt of an Adobe "Dear John" email. The "you're shafted" email only mentions checking your credit card statements, there's nothing about the "complimentary" ass saving checks that the press seems to have been spun.

First and last time I go near that bunch of twats
