Shock
What a surprise. And here it looked like Adobe was starting to relax because Oracle has taken over their place as the biggest pariah, security-wise, in the industry.
Adobe's systems have been hit by numerous "sophisticated attacks" that have compromised the information of 2.9 million customers, and accessed the source code of Adobe products. The company said on Thursday that it has been the victim of a major cyberattack and said hackers had accessed those millions of customer IDs and …
With all the constant 'security' and other updates Adobe pesters me with for free Reader, it's no shock to me. Since Reader is the only point of their existence for the vast majority of people (I use Gimp, for example), why don't they just abandon all their other junk and do ONE job right?
NO NO NO NO!
There are plenty of alternatives to Reader; even to the full fat Acrobat Pro. What's more, almost all of them are better! I'd be happy for Adobe to drop it like a hot potato.
What they should carry on with is CS, which doesn't have an equivalent, but unfortunately they dropped it like a hot potato :(
And why exactly is that the fault of Adobe?
I'd take a look at those developing, maintaining and hosting the site first, not the platform it was built on.
For what it's worth, I look after a very busy CF-powered ecommerce site and the only downtime we get is after Patch Tuesdays.
"Security firm Hold Security claims to have found 40 gigabytes in encrypted archives on a hacker's server, apparently containing source code on some of Adobe's biggest products."
And how, pray tell, did Hold Security gain access to the hacker's server in order to find the encrypted archives?
I must be the only person adding 2+2 together: 'encrypted third-party server was found to have data, says Hold Security'.
No red flags raised? Hmmm. Yep yep: hacking is OK if *we* do it, just not the other way around.
Two ways to look at this: if they knew of the exploits, they wouldn't be zero-day; or they are simply lying. My money is on the latter. I don't trust Adobe at all. Products are crap, documentation is crap, support is crap.
That's actually not open source, but selective opening to the source. That's the worst way to do it. It allows malevolent people to get the source code to find bugs they will just exploit for their own gains, while it doesn't allow benevolent people to search for bugs to report to the public so they get fixed.
One should never use the same password in more than one place. Ideally all of your passwords would be different.
Given the ease with which weak passwords can be cracked, Adobe are warning folks not only to change their Adobe passwords, but also the passwords of any other services that happen to use the same passwords. Because entire user profiles were lifted (apparently), there is a good chance that if the data were decrypted, it could be used to leverage an attack against a user's bank account, for example.
Every blinkin' website, including this one, requires you to register in order to comment, not to mention banks, software suppliers like Adobe, etc. etc. How are you supposed to remember all these passwords? OK, you put them in a password manager program. How do you secure that? Another password you have to remember. You're supposed to change that regularly, of course, but it still has to be something that is a) hard to crack, but b) easy (or at least possible) to remember. If that gets cracked, they get everything. It's still better than nothing, but suggesting there is a security process that works reliably is highly misleading.
The difference is that you don’t normally publish your password safe on the Internet, and so it’s less likely to be compromised. A reasonably good password on your own machine should be reliable.
The real problem is when you entrust your passwords to others who can’t or won’t look after them properly.
> The real problem is when you entrust your passwords to others who can’t or won’t look after them properly.
The worst thing is there's no way to know upfront whether they will (or are capable of).
How many sites do you register a nice strong password for only to find it instantly compromised because they've included it in the signup email? Let alone those stupid enough to still be storing plaintext.
> OK, you put them in a password manager program. How do you secure that?
Set a random 20 char password, buy yourself a Yubikey and configure that to send the password for you, assuming you're not using a service that works with the OTP functionality. Works on any machine as it's basically a USB keyboard as far as the OS knows.
It's still not ideal, but it beats whining about how hard it is to maintain security on the accounts that you should want to protect.
> Set a random 20 char password, buy yourself a Yubikey and configure that to send the password for you, assuming you're not using a service that works with the OTP functionality. Works on any machine as it's basically a USB keyboard as far as the OS knows.
Yep, something like LastPass will work across all major browsers and devices. Use two-factor where possible with a Yubikey or Google Authenticator - LastPass, Facebook, Google, Dropbox, Evernote accounts at least can all be made more secure this way.
I use LastPass and have it automatically generate 20 character random passwords for every site I need to log into. I don't even know the passwords myself in most cases so even hammer decryption won't work on me.
Nonetheless although we can do everything possible to be secure we'll always be at the mercy of the likes of Adobe clowns who are able to get my credit card details hacked. Changing my password for my Adobe account is no big deal, but changing my card is a PITA.
>How are you supposed to remember all these passwords?
You don't. You re-use the same dumb, easily remembered and typed, password for the 50 dumb sites that are just registration-happy. If it doesn't have your CC# number and real email or some relevant s**t, why are you bothering with security on it? Do make a supreme effort and avoid 12345 tho ;-)
Then, on the other 10-20 sites that matter (CC# for example), you use secure passwords, all different from each other, and put them into a password manager. Of course, you never re-use passwords anywhere where it would matter. You memorize your password mgr password and maybe some other key passwords.
Facebook? Pretty useless, but a hit to your reputation if racist propaganda appears posted under your name. So you give it a big-boy password. Ditto LinkedIn. Not the Reg.
When the passwords get hacked on one of the 50 trivial sites, you can run off and change them, if you want, on the others. I know my Reg pwd remained the same after the PS3 hack.
Write them down.
I have a book of passwords that lives in my house with a page for every website or service.
The likelihood that someone is going to steal a small notebook with handwriting in it is almost zero... even when I carry it around...
It may sound crazy but actually physical access to me and my computer is probably the biggest barrier to a hacker.
Actually I'm surprised it's so low. There must be more than 2.9m people who are printers, commercial artists etc. who are - unfortunately - dependent on Adobe's products for their livelihood. They were all pretty pissed when Adobe announced the creative cloud shit and now they're likely to pay the price. If the hackers have any decency, they'll not exploit details other than to force Adobe to go back to selling boxed product. Some dream though.
You use a payment provider, and let them sort it out.
We handle thousands of transactions a day, many of them recurring payments, and yet we don't store a single credit card number, encrypted or otherwise.
What we do store is a token that we pass to our payment provider that lets them know who to charge etc. Even if you got hold of the tokens it would do you no good, as the tokens are unique to our account, can only be used in conjunction with our account details, and will only be processed if the transaction originates on our IP.
Of course it lowers the risk - you hand the sensitive data to a company whose only vested interest is to protect it - it's their job, and if they have a breach then they're going to be finished. As it's their vested interest, they'll spend far more time and money making things secure, and economies of scale mean you'll get a vastly superior offering to doing it yourself.
Otherwise what we'll end up with is every Tom, Dick and Muhammad Retail Ltd kludging together a badly implemented payment system which they don't understand and have no interest in keeping secure - they sell you their wares, not payment security. So long as it works and does the bare minimum, they're not going to improve it - they have their vested interests elsewhere.
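The tokenised-card model described in the comment above, as an added illustration that is not code from the poster or any real payment provider: the merchant's database holds only provider-issued tokens, and the provider honours a token only for the account it was issued to, presented with that account's credentials, from that account's registered IP. All names, secrets, IPs and the card number are constructed for the example.

```python
import hmac
import secrets

class PaymentProvider:
    """Constructed stand-in for a provider's tokenisation vault."""
    def __init__(self):
        self._vault = {}      # token -> (merchant_id, card_number)
        self._merchants = {}  # merchant_id -> (api_secret, allowed_ip)

    def register_merchant(self, merchant_id, api_secret, allowed_ip):
        self._merchants[merchant_id] = (api_secret, allowed_ip)

    def tokenize(self, merchant_id, card_number):
        # Random token: nothing about the card can be derived from it.
        token = "tok_" + secrets.token_hex(12)
        self._vault[token] = (merchant_id, card_number)
        return token

    def charge(self, merchant_id, api_secret, origin_ip, token, amount):
        # Honour the token only for the account it was issued to, presented
        # with that account's credentials, from its registered IP.
        known = self._merchants.get(merchant_id)
        if known is None:
            return "rejected: unknown merchant"
        expected_secret, allowed_ip = known
        if not hmac.compare_digest(expected_secret, api_secret):
            return "rejected: bad credentials"
        if origin_ip != allowed_ip:
            return "rejected: origin IP not allowed"
        entry = self._vault.get(token)
        if entry is None or entry[0] != merchant_id:
            return "rejected: token not issued to this merchant"
        return f"charged {amount} to card ending {entry[1][-4:]}"

def demo():
    """Constructed scenario: the merchant's own database holds only tokens,
    bills normally, and a stolen token replayed elsewhere is refused."""
    provider = PaymentProvider()
    provider.register_merchant("shop", "s3cret", "203.0.113.10")
    provider.register_merchant("other", "pw", "198.51.100.7")
    pan = "4111111111111111"                        # constructed test PAN
    merchant_db = {"alice": provider.tokenize("shop", pan)}  # all the shop keeps
    token = merchant_db["alice"]
    return {
        "no_pan_in_dump": pan not in repr(merchant_db),
        "legit": provider.charge("shop", "s3cret", "203.0.113.10", token, "9.99"),
        "wrong_ip": provider.charge("shop", "s3cret", "198.51.100.7", token, "9.99"),
        "other_account": provider.charge("other", "pw", "198.51.100.7", token, "9.99"),
    }
```

A dump of `merchant_db` yields tokens that are useless outside the issuing account and IP, which is the point the comment makes about why the merchant never needs to hold card numbers.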
I recently purchased an iPhone for the first time in an Apple Store (Regent St - first time in an Apple Store, not iPhone purchase). The only other time I've ever purchased an Apple product with my existing card was on the Apple.fr website last year for my wife's iPhone.
Fanboi jokes aside, I was shocked that the salesfloor dear, after she swiped my card, asked if I'd like my receipt sent to my email (she had the correct email) and made a remark about the fact I had purchased 2 iPhones in 1 yr, which showed she had my purchase history on that shitty handheld terminal, after only a swipe of my CC.
Does make one wonder how they are hashing stored cards to be able to easily index them to an account and its purchases, as well as how that damn terminal can wirelessly take my swiped CC and access all that info in a secure manner.
Not everyone who has signed up to CC has done so willingly. With limited time discount offers, Adobe has effectively forced many customers into signing up now - against their will - rather than risk getting left behind with outdated software. Many subscribers would, I'm sure, leap at the chance to return to boxed products, if only Adobe would reinstate them. This debacle only reinforces the case for customers to be given that option.
There's an online petition here, in case anyone wants to add their voice:
https://www.change.org/petitions/adobe-systems-incorporated-eliminate-the-mandatory-creative-cloud-subscription-model
I think the offering of credit checking may be a legal requirement.
Three times in the past, dimwit banks holding my mortgage have "lost" tapes containing ID theft information, carefully collected to be logically adjacent and mightily encrypted as EBCDIC. Said banks were reassuringly positive that "no one could read the tapes in question" and that they were thinking of encrypting the information more robustly some time real soon now (apparently the thought that getting hold of a reel-to-reel tape deck and the equipment to drive it might be trivially easy, especially for people who keep "finding" these "lost" tape reels, has not found popular acceptance with banking IT).
And each time I got a year of credit checking out of it. Since banks never give anything away in the US for free I have to think there was some piece of needless left-wing liberal legislation forcing their hands.
I had to buy a font from Adobe a few months back. At the time I thought their whole online purchasing "system" was a joke from the mid 1990s and hey guess what...it is. I am now in receipt of an Adobe "Dear John" email. The "you're shafted" email only mentions checking your credit card statements, there's nothing about the "complimentary" ass saving checks that the press seems to have been spun.
First and last time I go near that bunch of twats
When this broke, I already had the email from Adobe and decided to do a quick PW change and check the details. Having been through a process of updating PWs the week before and renewing many, I was confident that we had done what we could - very little in my control, thanks Adobe.
On signing in to my Adobe account, a download dialogue box opened up. I cancelled and backed out immediately. I didn't note the name of the file other than it being something like templatefile but with an exe extension. Nothing was downloaded - close shave.
I checked again today and didn't get this and so assume Adobe has cleaned this up. Anyone else had similar?