Hacker Grabs 150k Adobe User Accounts Via SQL Injection

CowboyRobot writes "Adobe today confirmed that one of its databases has been breached by a hacker and that it had temporarily taken offline the affected Connectusers.com website. The hacker, who also goes by Adam Hima, told Dark Reading that the server he attacked was the Connectusers.com Web server, and that he exploited a SQL injection flaw to execute the attack. 'It was an SQL Injection vulnerability, somehow I was able to dump the database in less requests than normal people do,' he says. Users passwords for the Adobe Connectusers site were stored and hashed with MD5, he says, which made them 'easy to crack' with freely available tools. And Adobe wasn't using WAFs on the servers, he notes. Tal Beery, a security researcher at Imperva, analyzed the data dump in the Connectusers Pastebin post and found that the list appears to be valid and that the hacked database was relatively old."

Awesome!

[flyerbri]

Great job, Adam! WTG!

Why am I not surprised

http://it.slashdot.org/comments.pl?sid=3250037&cid=41978225

Management at Adobe needs to get their technical **** together.

Adobe has bad security practices?

[travbrad]

A shocking revelation

Re:Adobe has bad security practices?

[fuzzyfuzzyfungus]

This is big news! Adobe has long been a dominant vendor in the market for atrocious desktop security; but here they are demonstrating their capacity for 'big data' and 'cloud-centric' server insecurity solutions. Even better, since the breach compromised the security of numerous individuals at third party companies, I'd say that this is a strong play for the lucrative 'managed insecurity' market enabled by the trend toward IT outsourcing...

I, for one, am downright bullish about Adobe's prospects for subtracting value from the software ecosystem in new and exciting markets!

Obligatory xkcd reference

[fredprado]

http://xkcd.com/327/

MD5?!

You'd think they'd use security they had more experience with, like rot-13.

Re:MD5?!

[GoogleShill]

I'm sorry but rot-13 is no longer secure. I've upgraded everything to rot-26!

Re:MD5?!

[Cruciform]

In order to fend off those with modern hardware I've been using rot-104.
I intend to double that every 18 months just to be safe.

Re:MD5?!

[fourchannel]

Amateurs, the pros use telnet.

: D

Unforgivable

[geekoid]

SQL injection? what is this, 1993?

.

Re:Unforgivable

[Nyder]

SQL injection? what is this, 1993?

.

About right, I think they took security out of the budget in 1992.

Re:Unforgivable

My thoughts exactly.

I mean, this stuff is so thoroughly known that it can be explained to pretty much anybody: http://www.unixwiz.net/techtips/sql-injection.html

Now a-days REST vulnerabilities are all the rage but I guess it is easier to just use known attacks against companies that are incompetent and sit on their patents.

Re:Unforgivable

[davydagger]

MD5, what is this 1993?

I am sick of hearing how large companies somehow automaticly make good decisions on technology.

MD5 is long broken and should have been discontinuted 10 years ago.

Re:Unforgivable

[Bengie]

SQL injection "exploits" shouldn't be considered "hacking". It's more akin to someone leaving the door to the bank open than someone having to do any serious work.

Re:Unforgivable

The correct name is "Code Kiddie" aka "Script Kiddie".

Re:Unforgivable

[larry+bagina]

NoSQL injections are the hot new thing.

Re:Unforgivable

[AK+Marc]

Nah, the bank analogy is if they honored all withdrawal requests, and processed them overnight. If you walk up with a withdrawal for $1,000,000,000 in the name of Bobby Tables, they give you the cash and don't find out until the next day that they do not now, nor have ever had a Bobby Tables with an account there, and the account number 1234 is not in their system either.

Re:Unforgivable

[a_hanso]

Actually, a bank analogy is more like you walking up to the bank manager and saying "Hi, I have a complaint about a $100 discrepancy in my WRITE DOWN YOUR BANK VAULT COMBINATION." and the manager hypnotically doing just that.

Re:Unforgivable

[helix2301]

SQL injection is a common type of hack. The MD5 piece is a bit crazy its only 128 bit encryption. I have no idea why they would even do that. MD5 hashes are also used to ensure the data integrity of files hash is NOT encryption.

Re:Unforgivable

[P-niiice]

Made me spit up my coffee. I thank you sir.

Re:Unforgivable

sure, thats probably the last time the server was patched. Big heads and ego's working in IT theses days but very little work getting done. I first started in IT back in 1990. Now so called engineers just talk a lot but do little.

Re:Unforgivable

[Chris+Mattern]

Is that anything like drinking no tea?

Re:Unforgivable

[geekoid]

Yes, it is a common attack, and it's still an unforgivable error on the developer side. They should be fired and move into a field they are more qualified for. I'm thinking something in the service industry.

Re:Unforgivable

[a_hanso]

Welcome to slashdo.. oh wait. I see your user number. So, welcome me to slashdot?

impervia make WAF...

[johnjones]

although they did a good job verifying the DB I have to wonder why the hacker mentioned this...

Tal Berry

Can someone post pics of Tal Berry? She sounds like a hot Israeli computer geek, and I'm sure I won't be disappointed.

Poor security standards

[NetNinja]

Poor network security standards.

A simple Web Application Firewall would have prevented that.

If they can't do something as simple as secure thier own website, thier products are even worse.

Re:Poor security standards

[El_Oscuro]

I'm not sure how a firewall would prevent SQL injection, as the attack pass through the normal HTTP/HTTPS traffic and their own crappy web application is the attack vector. Then again, setting up any firewall is far more complex than the few lines of code or bind variables need to stop SQL injection attacks.

Re:Poor security standards

[ark1]

A Web Application Firewall will inspect layer 7 traffic and can provide some protection against layer 7 attacks such as SQL injections. They act more like Intrusion Detection/Prevention Systems rather than traditional network firewalls.

Re:Poor security standards

[El_Oscuro]

That is cool. It is nice that you can configure firewalls to protect against layer 7 attacks. It is a great part of defence in depth. If I set up the firewalls I would do this. Of course I don't, and the bureaucracy makes the Vogons look nimble. They would feed their own grandmother to the Ravenous Bugblater Beast of Traal rather than change the rules. And of course, some other "developer" with some clout would get an exception so his craptastic application still works.

I love the idea of a Firewall protecting my app, but would rather write the 2 lines of code to ensure my app doesn't get pwned if it doesn't for whatever reason.

Re:Poor security standards

[Charliemopps]

Ya, it'd be easier to just do it right, but I imagine you could setup a firewall to... I dunno... not allow an entire database of several hundred meg to be dumped to a single request.

Re:Poor security standards

[ark1]

Like you said it should be part of a defence in depth strategy. Good secure coding practices are fundamental and a must but you can't rely on that alone. Deadlines get tight, people/QA get sloppy. Also sometimes you have no choice but to rely on 3rd party applications and who knows how these were developed (what is powering forums at connectusers.com? Site is offline at this time).

Even with a layered approach, bypassing any security mechanism is still possible but you should keep at least the less skilled attackers out.

Re:Poor security standards

[wmbetts]

Mod Security is a good example of a web application firewall.

Re:Poor security standards

[thetoadwarrior]

No it wouldn't. Unless they made the site unreachable.

Re:Poor security standards

[fourchannel]

I think they should just wire C4 into the servers, and inspect the traffic. If an SQL injection is in the stream, detonate C4 charges.

Simple.

: D

Something tells me you will be disappointed...

[denzacar]

http://www.securityweek.com/authors/tal-beery

How the heck would he know?!?

[Kergan]

Tal Beery, a security researcher at Imperva, analyzed the data dump in the Connectusers Pastebin post and found that the list appears to be valid and that the hacked database was relatively old.

Color me puzzled... How the heck does Mr Beery have the slightest damn clue that the list appears to be valid and that -- even more incredibly -- the database was relatively old? He's hacking it every day?

Re:How the heck would he know?!?

Age can be determined by the domain names of the emails. Too many hotmail.coms and aol.coms leads him to believe it's an old database. It must be valid, most of the emails are photog@ or psuser@.

Re:How the heck would he know?!?

Most enterprise databases store timestamps on absolutely everything, so he probably just looked at the last value.

Re:How the heck would he know?!?

[CrispBH]

I'd assume there's a timestamp column or two for things like last login etc. That would reveal how used the application that uses the database is. Imperva sell WAFs though... and the hacker is focusing on the lack of a WAF? That seems a bit odd to me, but I could be reading too much into it. In any case, it's no bad thing to have a WAF as an extra layer of security, but you should still be immune to such attacks even without one. It should be a nice to have, not a silver bullet (which it never will be) against all attacks. Prepared statements and so on should be mandatory for anyone wishing to call themselves a developer.

just another crappy day in paradise?

[k6mfw]

I keep reading headlines one right after another about security hacks. And I feel like I'm getting warning fatigue*, I cannot comprehend how you IT security people are dealing with it. For me I got some computers that ***never*** connect to internet, and damned if I put critical stuff in The Cloud.

*Warning fatigue: Described in the book, "Breaking The Mishap Chain" http://www.nasa.gov/connect/ebooks/break_mishap_chain_detail.html where authors describe when crews of a B1 flight test kept getting caution warnings that were not urgent so habitually ignored even though one of those warnings was center-of-gravity parameter. Ignoring this warning was serious as it caused aircraft to go out of control when wings were swept and aircraft not balanced.

Re:just another crappy day in paradise?

[davewoods]

Hmmm... I never thought of anything like warning fatigue. It has definitely happened to me though:

I was a System Admin for a ~50 user company, I had notification alerts on the three servers that would show me anything that appeared in event viewer that was anything higher than "Warning". I got so used to seeing so many random warnings that had no relevance (i.e. Print Spooler service being unable to start, not an issue until I need to print, not worth the time it would take to fix) I eventually pretty much stopped paying attention to the warnings entirely. Luckily, the one day I actually glanced at them was the same day one of the HDDs in the NAS got a predictive SMART error. I was incredibly fortunate, and was able to get a spare ordered and replaced before any real damage was done.

I bet the B1 situation was significantly more dangerous than my HDD thing, but you know.

What's a WAF?

[Zaiff+Urgulbunger]

What's a WAF? I found Wife Acceptance Factor but it seems doubtful this is the correct answer given the context!

Re:What's a WAF?

Really? Couldn't be bothered to spend 30 seconds looking WAF up? Gimme a break: http://bit.ly/SNBaxt *sigh* modern slashdot...

Re:What's a WAF?

Web Application Firewall.

See https://www.owasp.org/index.php/Web_Application_Firewall

Re:What's a WAF?

To be fair, googling the term isn't very helpful here.

Result #1 is a google code project for git.
#2 is wikipedia's wife acceptance factor quoted by GP
#3 is the wikipedia article covering #1
#4 is acronyms.dictionary showing: WAF, Women in the Air Force (USAF; obsolete). WAF, Warendorf. WAF, WAF, We Are Family ...
#5 is urban dictionary showing "Wack As Fuck"
#6 is a website for World Architecture Festival
#7 is WPF Application Framework, "The WPF Application Framework (WAF) is a lightweight Framework that helps you to create well structured WPF Applications"
#8 is a sub-page of #1 containing documentation

#9, the last result on the search, is finally "Web Application Firewall (WAF) - Real time protection from Web ..." from http://www.imperva.com/products/wsc_web-application-firewall.html

Your snarky "let me google that for you" provides eight incorrect answers to his question!
If you don't even know the answer and can't be bothered to even pretend to, perhaps you should stop complaining about others who actually put in effort to remove part of their ignorance.

Re:What's a WAF?

I Googled "WAF" and got meaningless results, so I Googled "WAF Security" and found out the term.

I think if anything, it's the fault of the editors for not including a definition.

Re:What's a WAF?

[Zaiff+Urgulbunger]

Yeah, I blame the editors too -- quite frankly, standards here have slipped!

Anyway, thanks for all the replies. For the common good, WAF in this article = Web Application Firewall

Re:What's a WAF?

[rwise2112]

Seems to me that #5 "Wack as fuck" most describes the Adobe security situation.

In Other News...

[fred911]

Adobe is found guilty of wasting billions of their windows customers CPU processes with their "update me now?" tsr...

Adobe needs to be taken out back...

[HerculesMO]

And shot.

There's really no security team in place at Adobe, is there?

Don't really need daily hacker updates anymore

[Andy+Prough]

A simple once-per-year post reminding us that ALL of our private data has been sucked out of insecure online databases and is being sold on the Russian (or Indonesian or Egyptian or Chinese or Pennsylvanian) black-market should suffice.

After Adobe is executed

[tepples]

If Adobe and its products were put to death, what would replace Photoshop and Illustrator for print work? What vector animation tool would replace Flash CS?

Re:After Adobe is executed

[BitZtream]

On a Mac, Pixelmator would quickly replace Photoshop. You'd be going back several years ... back to when Photoshop sucked a fuckton less than it does now in reference to ... price, features and most importantly UI, but the injection of cash the Pixelmator team got would allow them to build in all the crud/crap you don't want from Photoshop fairly quickly anyway. Medicine would take a minor hit as Medical Photoshop is a weird beast that basically makes any sane person wonder how medical studies are given any credibility at all.

I'm glad Flash is dying

[bigsexyjoe]

It is pretty scary that many people write their frontends in a technology made by these people. And they think that gives them extra security!

Adobe has crappy security. I've recently had the misfortune of having to work with Flash. I had to send files to the server from the client. Flash had some annoying restriction that you can't send a file to the server unless the user opened a dialog to pick a file. But guess what? It didn't matter because you can still send the files if you use don't use a convenience method. There stupid security measure wasted a half hour of my time. And it does nothing for security because I'm completely new to Flash and I still beat the measure.

Re:I'm glad Flash is dying

Wrong. The Flash security model does not attempt to require applications to pop a dialog box in order to upload a file to a server. I have absolutely no idea how you got that impression, but it's clearly written in their documentation that there are methods for uploading data without this. The real key is that things like that generally require a user action, such as clicking.

Spending 30 minutes with a technology doesn't qualify you to review it. And Flash isn't dying. Sorry.

Wait...

[sycodon]

...I thought they were called "Researchers"

Now I'm all confused.

Little Bobby Tables

[epp_b]

Strikes again!

That's why I pirate my Adobe software

Thank goodness I too precautions.

Re:That's why I pirate my Adobe software

[BitZtream]

Owners of Adobe software are probably not at risk nearly as much as all the people who now rent Adobe software for a monthly fee.

Adobe doesn't give a shit about security

[JDG1980]

Adobe's level of public irresponsibility is crazy. Every week new vulnerabilities are found in Flash and Reader – more often, and more serious security holes, than in Windows, even though Windows is a whole OS and these programs should be much easier to keep bug-free in comparison. And now we find that they can't even keep their own internal databases safe. Preventing SQL injection really isn't that difficult; there are plenty of websites that tell you what you need to do. Just using parameterized queries will weed out most of the common SQL exploits. How much of Adobe's programming is being conducted now by people who just don't have any fucking idea what they're doing?

There really needs to be a good alternative to Photoshop (no, GIMP doesn't count). Flash needs to be phased out as quickly as possible, and people need to stop using Adobe Reader if at all possible, and try to move away from any Reader-specific PDF "features". Most people who use the full version of Acrobat are wasting their money (it's amazing how many people have it installed just so they can print to PDF, when there are free programs that do the exact same thing just as well).

Re:Adobe doesn't give a shit about security

[SpzToid]

Agreed. If I was Microsoft, or Apple for that matter, I'd be all over Adobe for ruining The Platform. Linux users are SOL so far as Adobe is involved, but the linux users already knew that.

did he use www.md5crack.com ?

[sproketboy]

http://www.md5crack.com/ uses google to find MD5 strings that have been indexed. No algorithm required.