The hacker, whose email address identifies him as adam.theruler, does not disclose which Adobe server he broke into. Yesterday, however, the Adobe Connect Blog confirmed the incident, and Adobe temporarily closed down the Connectusers.com forum website. Connect is Adobe’s web conferencing platform. At the time of writing, a notice simply says, “Site unavailable – We're sorry, the service you requested is currently unavailable... Thank you for your patience.”
“At this point of our investigation,” Adobe announced on the Adobe Connect Blog yesterday, “it appears that the Connectusers.com forum site was compromised by an unauthorized third party.” The blog noted that the company is resetting the passwords of forum members, and reiterated advice that users should “follow password best practices and use different login credentials across different websites and services.”
This brief notice disappoints many security experts because it makes no mention of the company improving its security practice – which is currently found wanting. Writing on the Sophos NakedSecurity blog, Paul Ducklin points to three basic password flaws that can be deduced from the dumped data. Firstly, the passwords are hashed with MD5 and a single iteration. MD5 is flawed and should no longer be used; and anyway, “You simply must use many iterations of your chosen hash, to slow down crackers by making brute-force attacks harder by a factor as big as the number of iterations,” comments Ducklin.
Secondly, the hashed passwords are not salted. Again, “You simply must use salted hashes, to stop crackers using a simple precomputed dictionary to crack your passwords super-fast,” says Ducklin.
And finally, there is no password policy to ensure the use of strong passwords. Some examples include ‘admin’, ‘Adobe’, ‘redhead’ and ‘Seattle’. Strong passwords, mixing upper and lower case letters, numerals and special characters, protect against simple dictionary attacks. “You simply must use complex and non-obvious passwords, to prevent crackers from easily guessing what you chose,” notes Ducklin.
Tal Be’ery, a security researcher with Imperva, demonstrated the problem. He located a record belonging to Ben Tauber, at the time a product manager with Adobe, but now a product manager with Google. The password was hashed and unintelligible – but by simply pasting it into the md5crack website, he rapidly got Tauber’s password: ‘boinks’. A hacker would then have Tauber’s email address, his user name and his password (in this instance, Tauber now has a different email address and will almost certainly have changed his passwords when he changed his employment).
The general consensus is that at the very least, Adobe should change its password storing policy to use SHA-3 hashing. Ars Technica reports that Adobe now seems to have taken this on board. “In an e-mail,” it reported yesterday, “company spokeswoman Wiebke Lips said engineers are in the process of overhauling their password scheme to incorporate a ‘best practice approach that leverages the SHA 256 hash algorithm in combination with password salts and a large number of hash iterations’.”
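The three flaws Ducklin lists and the scheme Adobe says it is moving to can be put side by side in code. The following is an added illustration, not code from Adobe or from any of the people quoted: the weak scheme is one round of unsalted MD5, the hardened scheme is PBKDF2-HMAC-SHA256 with a random per-user salt and a large iteration count (the iteration count, storage format and the constructed word list are assumptions for the example).

```python
import hashlib
import hmac
import os
from typing import Optional

# Weak scheme found in the dump: a single round of MD5 with no salt.
def weak_hash(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()

# Hardened scheme: SHA-256, per-user salt, many iterations. PBKDF2-HMAC-SHA256
# is the standard construction combining all three. 100,000 is an assumed count.
ITERATIONS = 100_000

def strong_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> str:
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Stored record carries everything needed to verify later (assumed format).
    return f"{iterations}${salt.hex()}${digest.hex()}"

def verify_strong(password: str, stored: str) -> bool:
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so verification timing leaks nothing.
    return hmac.compare_digest(candidate.hex(), digest_hex)

# Constructed list of the obvious passwords the article mentions. With unsalted
# single-round MD5, a table like this is computed once and reused against every
# record in a dump, which is why salting and iteration matter.
WORDLIST = ["admin", "Adobe", "redhead", "Seattle"]
PRECOMPUTED_MD5 = {weak_hash(w): w for w in WORDLIST}

def lookup_weak(stored_md5: str) -> Optional[str]:
    return PRECOMPUTED_MD5.get(stored_md5)

def demo() -> dict:
    weak = weak_hash("admin")
    # Two users choosing the same password get different stored records
    # under the salted scheme, so no shared lookup table applies.
    s1, s2 = strong_hash("admin"), strong_hash("admin")
    return {
        "weak_recovered": lookup_weak(weak),          # 'admin'
        "strong_records_differ": s1 != s2,            # True
        "strong_verifies": verify_strong("admin", s1), # True
        "strong_rejects_wrong": verify_strong("Admin", s1),  # False
    }
```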