learning from adobe
play

Learning from Adobe Bill Condo @mavrck PHP Security: Adobe Hack - PowerPoint PPT Presentation

Dec 13, 2022 •138 likes •478 views

Better PHP Security Learning from Adobe Bill Condo @mavrck PHP Security: Adobe Hack Drupal Camp Ohio 2013 Quickly, about me Consultant Senior Engineer Developer Senior Developer Director of Tech Hosting Manager Support

  1. Better PHP Security Learning from Adobe Bill Condo @mavrck PHP Security: Adobe Hack Drupal Camp Ohio 2013

  2. Quickly, about me Consultant � Senior Engineer � Developer � Senior Developer � Director of Tech � Hosting Manager � Support Tech Bill Condo @mavrck PHP Security: Adobe Hack Drupal Camp Ohio 2013

  3. 2014: Digital Director Lunne Marketing Group Bill Condo @mavrck PHP Security: Adobe Hack Drupal Camp Ohio 2013

  4. Not a Drupal guru. Bill Condo @mavrck PHP Security: Adobe Hack Drupal Camp Ohio 2013

  5. What Happened? • October 4th: Adobe admits that attackers accessed their network and all passwords have been reset. They believe 3 million accounts are included. • November: Account total bumped to 38 million • November: Account total again bumped to 150 million, and with additional data (names, password hints, etc.), the total file size is 10GB. Bill Condo @mavrck PHP Security: Adobe Hack Drupal Camp Ohio 2013

  6. Is it significant? • Adobe listed the data as “encrypted”. Experts stated that this was probably in error and what they really meant is that it was hashed... and the experts were wrong. • The dataset includes rich plaintext emails, usernames,password hints and encrypted password hashes. Additionally, credit card data was also accessed and is said to use similar encryption. • Because the frequency of matching password hashes, we know that the data is unsalted and likely uses 3DES. • No one has publicly announced that they have accessed the private key, however it’s only a matter of time before it’s found. Bill Condo @mavrck PHP Security: Adobe Hack Drupal Camp Ohio 2013

  7. Why this is a huge problem • At 150 million accounts, many people will have reused passwords for other sites, and because Adobe uses emails for login, those will most likely match too. (Hello banking/Facebook/etc)? • Adobe has the credit card data on file for every Creative Cloud customer and people who have purchased other products. • Once cracked this provides an even better (larger) dataset for commonly used passwords than lists from Gawker and others. Bill Condo @mavrck PHP Security: Adobe Hack Drupal Camp Ohio 2013

  8. What Adobe did right • Changing people’s passwords • Hey, at least they didn’t store their private key with everything else Bill Condo @mavrck PHP Security: Adobe Hack Drupal Camp Ohio 2013

  9. What Adobe did wrong • Encrypting and not hashing passwords • Not salting passwords • Storing plain text password hints with the other data • Allowing poor passwords • Allowing poor password hints • Slow response Bill Condo @mavrck PHP Security: Adobe Hack Drupal Camp Ohio 2013

  10. LastPass: Lookup Tool Bill Condo @mavrck PHP Security: Adobe Hack Drupal Camp Ohio 2013

  11. LastPass: Password Hints Bill Condo @mavrck PHP Security: Adobe Hack Drupal Camp Ohio 2013

  12. Password Hints Bill Condo @mavrck PHP Security: Adobe Hack Drupal Camp Ohio 2013

  13. Adobe FAQ Bill Condo @mavrck PHP Security: Adobe Hack Drupal Camp Ohio 2013

  14. Facebook’s Response Bill Condo @mavrck PHP Security: Adobe Hack Drupal Camp Ohio 2013

  15. TaskRabbit’s Response Bill Condo @mavrck PHP Security: Adobe Hack Drupal Camp Ohio 2013

  16. Eventbrite’s Response Bill Condo @mavrck PHP Security: Adobe Hack Drupal Camp Ohio 2013

  17. Password Hashing Things that are fast. • MD5 • SHA-1 • SHA-256 • SHA-512 Bill Condo @mavrck PHP Security: Adobe Hack Drupal Camp Ohio 2013

  18. … so, don’t use them (alone). Bill Condo @mavrck PHP Security: Adobe Hack Drupal Camp Ohio 2013

  19. Password Hashing Things that are slower. • mcrypt/blowfish • scrypt Bill Condo @mavrck PHP Security: Adobe Hack Drupal Camp Ohio 2013

  20. … use mcrypt, consider script in the future. Bill Condo @mavrck PHP Security: Adobe Hack Drupal Camp Ohio 2013

  21. Passwords in 5.5 • string password_hash ( string $password , integer $algo [, array $options ] ) • boolean password_verify ( string $password , string $hash ) Anthony Ferrara twitter.com/ircmaxell blog.ircmaxell.com Bill Condo @mavrck PHP Security: Adobe Hack Drupal Camp Ohio 2013

  22. So, what about Drupal? Bill Condo @mavrck PHP Security: Adobe Hack Drupal Camp Ohio 2013

  23. Quick Note: SALT • Adds a unique string of characters (hopefully per user) that helps keep the password hashes different for users that have the same password. • Think about it, without SALT, your password hash may be the same value on ALL of the sites that you use. Bill Condo @mavrck PHP Security: Adobe Hack Drupal Camp Ohio 2013

  24. Rainbows Bill Condo @mavrck PHP Security: Adobe Hack Drupal Camp Ohio 2013

  25. Garbage in, garbage out • Having no password policy at all. • Allowing common passwords like ‘password’, ‘123456’. • Allowing common dictionary words. Bill Condo @mavrck PHP Security: Adobe Hack Drupal Camp Ohio 2013

  26. Don’t help the enemy • Policies that enforce things such as “first character must by upper case” and “must end in a special character”. Allows masking. • To an extent, disclosing the minimum requirements for lower case, upper case, numeric, and special characters. Bill Condo @mavrck PHP Security: Adobe Hack Drupal Camp Ohio 2013

  27. Arguments for Password Security Bill Condo @mavrck PHP Security: Adobe Hack Drupal Camp Ohio 2013

  28. #1 Prevent PR Issues Bill Condo @mavrck PHP Security: Adobe Hack Drupal Camp Ohio 2013

  29. #2 Cost vs Risk • Doing security correctly is less expensive upfront. The opportunity cost is minimal compared the reduction in risk. Cost * Risk = Likelihood Cost • What does it cost to cleanup the mess: reset the passwords, scan the servers, added support calls/ requests, etc… Bill Condo @mavrck PHP Security: Adobe Hack Drupal Camp Ohio 2013

  30. #3 Predictability • Help project/business managers in being able to minimize unexpected security response events. • Better understand how your week is going to go. Bill Condo @mavrck PHP Security: Adobe Hack Drupal Camp Ohio 2013

  31. Summary • Store passwords with a good hash, and a unique user-level salt. • Enforce password rules correctly. • Be aware of the breaches of other sites. • Know how to justify good security to management. Bill Condo @mavrck PHP Security: Adobe Hack Drupal Camp Ohio 2013

  32. Thanks • @mavrck • I’m shameless: I want @mavrck back next year to talk about #drupalcampohio • slideshare.net/billcondo • billcondo@gmail.com Bill Condo @mavrck PHP Security: Adobe Hack Drupal Camp Ohio 2013

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Adobe Illustrator By Amy and Rachel What is Adobe Illustrator? Vector graphics editor

Adobe Illustrator By Amy and Rachel What is Adobe Illustrator? Vector graphics editor

Adobe Illustrator By Amy and Rachel What is Adobe Illustrator? Vector graphics editor Used to create logos, artwork, incorporate type Part of the Adobe Creative Suite family If Creating a Logo Pay attention to the basic

68 views • 5 slides
Adobe Forms Katrina Boyd, MPH, CAP-OM May 15, 2014 IAAP Table of Contents What is Adobe

Adobe Forms Katrina Boyd, MPH, CAP-OM May 15, 2014 IAAP Table of Contents What is Adobe

Adobe Forms Katrina Boyd, MPH, CAP-OM May 15, 2014 IAAP Table of Contents What is Adobe Forms? Pricing Tiers Nuts and Bolts Pros/Cons Adobe Forms vs. Google Forms FAQs Your Questions What is Adobe Forms? What is

857 views • 39 slides
Good Morning! MCS2273/MJR2204 Introduction to Web Design January 2017 Ulrich Werner Adobe

Good Morning! MCS2273/MJR2204 Introduction to Web Design January 2017 Ulrich Werner Adobe

Good Morning! MCS2273/MJR2204 Introduction to Web Design January 2017 Ulrich Werner Adobe Software in Web Design A short Introduction Adobe Photoshop Adobe Illustrator Adobe Animate Lynda.com: Adobe AnimateforWeb Design Adobe

351 views • 8 slides
Peralta Adobe,1900 The Peralta Adobe is the oldest building in San Jose, northern California.

Peralta Adobe,1900 The Peralta Adobe is the oldest building in San Jose, northern California.

A Celebration Of Our History Ron Appleby February 12, 2018 Peralta Adobe,1900 The Peralta Adobe is the oldest building in San Jose, northern California. The adobe was built in 1797, and is named after Luis Mara Peralta, its most

435 views • 20 slides
Uploading Adobe Presenter Presentation through FTP These step-by-step instructions will

Uploading Adobe Presenter Presentation through FTP These step-by-step instructions will

UTHSC Teaching and Learning Center Uploading Adobe Presenter Presentation through FTP These step-by-step instructions will demonstrate how to successfully upload your published Adobe Presenter Presentation to the web server through FTP. I. Once

72 views • 5 slides
Make It an Experience adobe.com/government @AdobeGov Adobe Summit: Government The My

Make It an Experience adobe.com/government @AdobeGov Adobe Summit: Government The My

The Business of Government: Make It an Experience adobe.com/government @AdobeGov Adobe Summit: Government The My Health Record Digital Journey Rachel de Sain Executive General Manager, Innovation & Development Australian

741 views • 34 slides
{adobe.io} open source https://github.com/adobe-apiplatform dragos dascalita haut | project lead

{adobe.io} open source https://github.com/adobe-apiplatform dragos dascalita haut | project lead

{adobe.io} open source https://github.com/adobe-apiplatform dragos dascalita haut | project lead | adobe.io Docker Container with Openresty + API Gateway Source: https://github.com/adobe-apiplatform/apigateway Whats special: - tiny - based

474 views • 8 slides
Licensing Information for Adobe Products Tony Parsley Licensing Information for Adobe Products

Licensing Information for Adobe Products Tony Parsley Licensing Information for Adobe Products

Licensing Information for Adobe Products Tony Parsley Licensing Information for Adobe Products Current State Future State Whats Next? Current State Adobe Creative Cloud & Adobe Acrobat DC/Pro Licensed by install

287 views • 7 slides
Adobe Presenter - Uploading Adobe Presenter Presentation Through FTP These step by step

Adobe Presenter - Uploading Adobe Presenter Presentation Through FTP These step by step

Adobe Presenter - Uploading Adobe Presenter Presentation Through FTP These step by step instructions will demonstrate how to successfully upload your published Adobe Presenter Presentation to the web server through FTP . 1 . Once your presentation

508 views • 5 slides
Data Driven Guides: Supporting expressive design for Information graphics Nam Wook Kim Zhicheng

Data Driven Guides: Supporting expressive design for Information graphics Nam Wook Kim Zhicheng

Data Driven Guides: Supporting expressive design for Information graphics Nam Wook Kim Zhicheng Leo Liu Eston Schweickart Harvard Adobe Cornell Jovan Popovi Wilmot Li Hanspeter Pfister Mira Dontcheva Adobe Adobe Adobe Harvard

1.13k views • 87 slides
Adobe Connect and WiFi Adobe Connect: https://cdphe.adobeconnect.com/reclaimedwat er/ Audio :

Adobe Connect and WiFi Adobe Connect: https://cdphe.adobeconnect.com/reclaimedwat er/ Audio :

Adobe Connect and WiFi Adobe Connect: https://cdphe.adobeconnect.com/reclaimedwat er/ Audio : 1-857-216-6700 Conference ID: 425132 CDPHE WiFi network: Network name: guest Password: Healthy3ating Reclaimed Water Stakeholder

402 views • 12 slides
Adobe Brick Design Civil Engineering Kuwaiti Women Adobe Brick Design Civil Engineering

Adobe Brick Design Civil Engineering Kuwaiti Women Adobe Brick Design Civil Engineering

Adobe Brick Design Civil Engineering Kuwaiti Women Adobe Brick Design Civil Engineering Kuwaiti Women Instructor : Mark Lamer TA: Thomas Nelson Team Members : Zahraa Alqallaf, Zahraa Alhusaini, and Hawraa Farman Introduction Project

560 views • 28 slides
9 to Thrive 9 Tips For Success In Your New Job Maddy Beard Adobe Career Bootcamp MADDY BEARD

9 to Thrive 9 Tips For Success In Your New Job Maddy Beard Adobe Career Bootcamp MADDY BEARD

Maddy Beard Adobe Career Bootcamp 9 to Thrive 9 Tips For Success In Your New Job Maddy Beard Adobe Career Bootcamp MADDY BEARD Creative Resident, Adobe Maddy Beard Adobe Career Bootcamp Im a strategic designer with a focus on UI/UX

716 views • 44 slides
Migrating from Adobe Connect The Victory of FOSS Over Proprietary Software Jess Portnoy

Migrating from Adobe Connect The Victory of FOSS Over Proprietary Software Jess Portnoy

Migrating from Adobe Connect The Victory of FOSS Over Proprietary Software Jess Portnoy jess.portnoy@kaltura.com, Kaltura, Inc Adobe dictionary definition a kind of clay used as a building material. Migrating from Adobe Connect the

462 views • 17 slides
EXPORT LETTER OF CREDIT PRESENTATION FORM You need Adobe Reader 9.0 to view this form. You can

EXPORT LETTER OF CREDIT PRESENTATION FORM You need Adobe Reader 9.0 to view this form. You can

EXPORT LETTER OF CREDIT PRESENTATION FORM You need Adobe Reader 9.0 to view this form. You can download Adobe Reader free of charge. To: The Manager ANZ Trade and Supply Chain Date (dd/mm/yyyy) Branch Mumbai From (customer name and address,

767 views • 3 slides
EXPORT COLLECTION PRESENTATION FORM You need Adobe Reader 9.0 to view this form. You can download

EXPORT COLLECTION PRESENTATION FORM You need Adobe Reader 9.0 to view this form. You can download

EXPORT COLLECTION PRESENTATION FORM You need Adobe Reader 9.0 to view this form. You can download Adobe Reader free of charge. PLEASE ENSURE THIS FORM IS COMPLETED ONLINE (TYPED) To: The Manager ANZ Trade and Supply Chain Select (Branch)

262 views • 3 slides
Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about

Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about

Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about encryption? Encryption Certificates Crypto Currencies Public Key AES Encryption Privacy SSH VPN HTTPS TLS Quantum Digital Signatures

837 views • 46 slides
MIT KDC integration Andreas Schneider <asn@samba.org> G unther Deschner

MIT KDC integration Andreas Schneider <asn@samba.org> G unther Deschner

MIT KDB Design Ongoing development Remaining bits Heimdal sacrifices MIT KDC integration Andreas Schneider <asn@samba.org> G unther Deschner <gd@samba.org> Red Hat May 21th, 2015 Andreas Schneider <asn@samba.org> G

1.17k views • 29 slides
User Authentication Storing Passwords Selecting Passwords ITS335: IT Security Tokens

User Authentication Storing Passwords Selecting Passwords ITS335: IT Security Tokens

ITS335 User Authentication Authentication Passwords User Authentication Storing Passwords Selecting Passwords ITS335: IT Security Tokens Biometrics Sirindhorn International Institute of Technology Summary Thammasat University Prepared

663 views • 40 slides
(username, password) ? x ? ? ? ? but (username,hash(password))

(username, password) ? x ? ? ? ? but (username,hash(password))

Hash Functions - Bart Preneel June 2016 Hash functions X.509 Annex D RIPEMD-160 SHA-3 MDC-2 SHA-256 MD2, MD4, MD5 Introduction to the SHA-512 SHA-1 Design and Cryptanalysis of Cryptographic Hash Functions This is an input to a crypto-

517 views • 10 slides
Encryption The Problem Using HTTP , anyone with access to your packets can see everything you

Encryption The Problem Using HTTP , anyone with access to your packets can see everything you

Encryption The Problem Using HTTP , anyone with access to your packets can see everything you are doing online This includes your passwords! Who has access to my packets? Your ISP at home UBIT on campus Tier 1 Networks

232 views • 22 slides
AEAD Ciphers for Highly Constrained Networks Ren Struik e-mail: rstruik.ext@gmail.com Slide

AEAD Ciphers for Highly Constrained Networks Ren Struik e-mail: rstruik.ext@gmail.com Slide

August 13, 2013 DIAC 2013 AEAD Ciphers for Highly Constrained Networks Ren Struik e-mail: rstruik.ext@gmail.com Slide 1 Ren Struik (Struik Security Consultancy) August 13, 2013 DIAC 2013 Outline 1. Highly Constrained Networks

559 views • 30 slides
Securing Information Systems You re on LinkedIn? Watch Out! Problem: Massive data breach;

Securing Information Systems You re on LinkedIn? Watch Out! Problem: Massive data breach;

Securing Information Systems You re on LinkedIn? Watch Out! Problem: Massive data breach; using old security practices Solution: Initiative to use minimal up-to-date industry practices, for example, salting passwords Illustrates

1.38k views • 56 slides
Governor Mike Rounds FY2010 Budget Address Budget Highlights A Very Cautious Budget An

Governor Mike Rounds FY2010 Budget Address Budget Highlights A Very Cautious Budget An

Governor Mike Rounds FY2010 Budget Address Budget Highlights A Very Cautious Budget An Uncertain Economy Running out of Reserves Funding only Our Basic Needs Taking Care of People Protecting the Public

704 views • 42 slides

More recommend