November 22, 2013
When a criminal hacks a business’s website, the company typically asks users to change their passwords and then pleads with customers to keep using their services. But – as customers – we’re never entirely sure what information of ours has been exposed.
However, when Adobe, the company behind the Photoshop software that makes magazine models unrealistically attractive, was hacked, something different happened: the data was leaked online. While this is worse for Adobe customers, it means we can talk you through what data hackers go for when exploiting a website, so you can judge for yourself how much of a threat it is.
Under-reporting is a real concern
To start with, Adobe appear to be under-reporting the extent of the hack. Originally it was claimed that around 38 million accounts were at risk, but research by Colin Keigher of afreak.ca suggests the number could be nearly five times greater: 153 million! Adobe's figure counted active accounts, while the leaked file also holds inactive and test accounts, which is where the larger total comes from; those records still contain real email addresses and encoded passwords, so they matter to the people in them.
It’s not like anyone thought 38 million was a small number in the first place, but 153 million is a gargantuan hack. If the second number is actually true, it’s shocking how incorrect the initial estimate was.
In general, the more data a company admits to having lost, the worse it looks for the company, so there is every incentive to report the lowest number it can defend. If a service you use is hacked, it can't hurt to act more cautiously than the company advises.
Not enough salt
The right way for a company to store a password is not to store it at all. Instead the password is run through a one-way hash function together with a unique, random “salt” for each user, and only the result is kept. Salts are pieces of random data mixed into the password before it is hashed, so that two people who chose the same password end up with completely different stored values, and so that a thief who steals the whole database has to attack every account separately.
To see why that matters, think about how children create secret codes. In simplistic terms, each letter and symbol is swapped for a different one, so the password can't simply be read off:
A = C, B = Z, C = R, D = M, etc.
A code like that has a fatal property: the same password always comes out as the same scrambled string. Anyone holding a big pile of encoded passwords can immediately see which accounts share a password, without decoding a single one. In a dump of tens of millions of accounts the most common encoded string is almost certainly “123456”, and the rest of the list of popular choices follows close behind.
A salt breaks that pattern. It isn't secret, and it isn't tucked onto the end of the encoded password to make the boundary hard to spot; it is stored in the open, next to the hash. Its value comes from being different for every account and mixed in before hashing, so two users who both picked “password1” get unrelated stored values and an attacker's work on one of them is useless against the other.
The problem is that Adobe did nothing of the kind. The leaked data shows that every password was encoded with one company-wide key and no per-account randomisation, so identical passwords produce identical encoded strings throughout the file, and the pattern is obvious once you have a few million records to compare. A single “global” salt shared by every account would have been no better, because it is the per-account difference that does the work. Worse, the encoding was reversible encryption rather than a one-way hash, so whoever holds Adobe's key can decrypt every password outright.
Only by looking at the hacked data can we work this out, and it means our passwords in the dump are far less protected than they would be in a properly salted and hashed database. And if you use the same password for every online service (you shouldn't), the password could be discovered and used on your other accounts.
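To make the difference concrete, here is an added example in Python; it is not code from the original post or from Adobe. It fakes a tiny account database two ways: with one company-wide key and no per-user salt (a keyed HMAC with a fixed key stands in for a single-key cipher, purely so the example runs on the standard library; it is not Adobe's cipher), and with a random salt per account fed into PBKDF2. It then does what an attacker does with a leaked table: groups accounts by identical stored value and pools their hints. The account names, passwords and hints are constructed for the example.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts for this example; not records from the breach.
# Several users picked the same weak password, as many did in the real dump.
# Layout: (email, plaintext password, plaintext password hint)
SAMPLE_ACCOUNTS = [
    ("alice@example.com", "123456", "numbers"),
    ("bob@example.com", "123456", "one to six"),
    ("carol@example.com", "123456", "same as my gmail"),
    ("dave@example.com", "adobe123", "company plus 123"),
    ("erin@example.com", "adobe123", ""),
    ("frank@example.com", "correct horse", "xkcd"),
]

# Scheme 1 (assumed stand-in): one company-wide secret, no per-user salt.
# HMAC with a fixed key is used so the example needs only the standard
# library; it is not Adobe's cipher. It has the property that matters:
# the same password always maps to the same stored value.
GLOBAL_KEY = b"one-key-shared-by-every-account"

def store_global(password):
    """Deterministic: equal passwords give equal stored values."""
    return hmac.new(GLOBAL_KEY, password.encode(), hashlib.sha256).hexdigest()[:24]

# Scheme 2: a fresh random salt per account, mixed into a slow one-way hash.
PBKDF2_ITERATIONS = 100_000

def store_salted(password, salt=None):
    """Salt is kept in the clear next to the hash; it is not a secret."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())

def verify_salted(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)

def build_dump(store):
    """What a thief walks away with: (email, stored value, plaintext hint)."""
    return [(email, store(password), hint) for email, password, hint in SAMPLE_ACCOUNTS]

def cluster_by_stored_value(dump):
    """Group accounts whose stored values are identical, largest group first.
    Under a deterministic scheme every account in a group shares one password,
    so their hints can be pooled and read together like crossword clues."""
    groups = defaultdict(list)
    for email, stored, hint in dump:
        groups[stored].append((email, hint))
    return sorted(groups.values(), key=len, reverse=True)

def largest_cluster(store):
    """(number of accounts, their non-empty hints) for the biggest cluster."""
    biggest = cluster_by_stored_value(build_dump(store))[0]
    return len(biggest), sorted(hint for _, hint in biggest if hint)

if __name__ == "__main__":
    for name, store in (("global key, no salt", store_global),
                        ("per-user salt", store_salted)):
        size, hints = largest_cluster(store)
        print("%-20s largest cluster: %d accounts, pooled hints: %s" % (name, size, hints))
```

With the global-key scheme the three accounts that chose “123456” collapse into one cluster and their hints (“numbers”, “one to six”, “same as my gmail”) give the password away without touching the key; with per-account salts every cluster has exactly one member and the hints cannot be pooled.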
Easy reading for hackers
Finally, the leaked Adobe information means that we can see exactly what the hackers see, which is information in this format:
103252332-|--|-[...]@yahoo.com-|-N/Bo4qtibWs=-|-where is my password?|--
(data from afreak.ca)
The […] replaces a real email address, which the hackers of course have in full. The first number is Adobe's internal account ID, the empty field after it is the username, and the scrambled string between the separators (N/Bo4qtibWs= here, or longer strings such as hbpRGiyyvW0Ix+w38j30rA in other records) is the encoded password. Finally, the password hint at the end is not encoded at all, and in other records people have written hints admitting outright that their Adobe password is also their Gmail one – a security nightmare!
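As an added example, not part of the original post or of the afreak.ca analysis, here is a small Python parser for records in that layout, run over a few constructed lines (the IDs, addresses, encoded values and hints are made up). It picks out the hints that point an attacker at another account, and reports the length of each encoded password; the remark that lengths in the real file come in multiples of eight bytes is taken from published analyses of the breach rather than from this post.

```python
import base64
import re

FIELD_SEP = "-|-"     # separates the five fields of a record
RECORD_END = "|--"    # closes every record

# Constructed sample lines in the same layout as the leaked file; the IDs,
# addresses, encoded values and hints are invented for this example.
# Layout: id-|-username-|-email-|-base64 encoded password-|-hint|--
SAMPLE_DUMP = """\
900000001-|--|-user1@example.com-|-QUJDREVGR0g=-|-where is my password?|--
900000002-|-second_user-|-user2@example.com-|-QUJDREVGR0g=-|-same as gmail|--
900000003-|--|-user3@example.com-|-QUJDREVGR0hJSktMTU5PUA==-|-|--
900000004-|--|-user4@example.com-|-QUJDREVGR0g=-|-my usual one|--
"""

# Hints that tell an attacker which other service the password also opens.
REUSE_HINT = re.compile(r"\b(same as|usual|gmail|yahoo|hotmail|facebook)\b", re.I)

def parse_record(line):
    """Split one record into its fields; raises on anything malformed."""
    line = line.rstrip("\r\n")
    if not line.endswith(RECORD_END):
        raise ValueError("truncated record: %r" % line)
    # Split at most four times so a hint that itself contains '-|-' survives.
    fields = line[:-len(RECORD_END)].split(FIELD_SEP, 4)
    if len(fields) != 5:
        raise ValueError("expected 5 fields, got %d: %r" % (len(fields), line))
    uid, username, email, encoded_b64, hint = fields
    return {
        "uid": uid,
        "username": username,           # empty for most accounts
        "email": email,
        "ciphertext": base64.b64decode(encoded_b64, validate=True),
        "hint": hint,                   # stored in the clear
    }

def parse_dump(text):
    """Parse every non-blank line of a dump fragment."""
    return [parse_record(line) for line in text.splitlines() if line.strip()]

def reuse_hints(records):
    """Accounts whose hint names another service: the first targets to try."""
    return [(r["email"], r["hint"]) for r in records if REUSE_HINT.search(r["hint"])]

def ciphertext_lengths(records):
    """Bytes of encoded password per account. A reversible block cipher in a
    mode that does not hide length (what public analyses found in the real
    dump, in 8-byte blocks) means a longer ciphertext is a longer password."""
    return {r["email"]: len(r["ciphertext"]) for r in records}

if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    print("parsed %d records" % len(recs))
    print("hints pointing at other accounts:", reuse_hints(recs))
    print("encoded password lengths:", ciphertext_lengths(recs))
```

The parser refuses truncated lines rather than guessing at fields, and decodes the password column strictly so a corrupted record is reported instead of silently producing garbage. Even this much, with no key at all, tells an attacker which accounts to try first and roughly how short their passwords are.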
We hope the above shows you that the hacking of a big company can be a big, scary thing, especially if you have written a password hint that gives your password away. As we've said before, it can be annoying, but taking the time to look after your security is very important.
Data from: https://afreak.ca/blog/what-is-known-about-the-adobe-breach-now-and-what-is-in-store/
Norman Safeground Blogs Archive