Adobe Hacker Says He Used SQL Injection To Grab Database Of 150K User Accounts - wglb
http://www.darkreading.com/database-security/167901020/security/attacks-breaches/240134996/adobe-hacker-says-he-used-sql-injection-to-grab-database-of-150-000-user-accounts.html

======
billirvine
Help me here. With the plethora of similar ill-gotten gains being posted to
pastebin, why is it still alive -- and more importantly -- why is there an
Adobe ad on their home page?

~~~
krapp
People do post things besides SQL dumps there. It provides a really convenient
and valuable service.

You should be more concerned that Adobe was so easy to hack. Especially
considering the existence of Creative Cloud, and its overlap with the Business
Catalyst service.

~~~
billirvine
> It provides a really convenient and valuable service.

(@@) <--- eye-roll emoticon (not often used)

Sure. Just like the "report abuse" link actually does something.

Right now, 4 of the "public pastes" in the sidebar are ill-gotten materials. I
realize it's not always that way... but it is often enough.

As for the "creative cloud," it's actually more expensive than buying the
software.

And yeah, security is really important, but so is using strong passwords on
the Interwebz.

~~~
krapp
_Just like the "report abuse" link actually does something._

Why do you assume it doesn't?

_I realize it's not always that way... but is often enough._

This seems like confirmation bias. Pastebin gets I don't know, thousands of
pastes a day. How many did you check versus total traffic in a given time?
Stop suggesting that it's a den of thieves if, apart from legitimate usage,
thieves also find it convenient. Thieves find email convenient as well.
Getting rid of pastebin doesn't solve any problems.

_As for the "creative cloud," it's actually more expensive than buying the
software._

I know. But my point was that, for creative cloud users access to all of their
Adobe software and the admin panels for their BC sites fall under a single
Adobe account login. It's a real problem if it turns out Adobe puts little
effort into database and password security. I mean I'm an idiot when it comes
to this stuff but even I know to use PDO and blowfish.

~~~
billirvine
> Thieves find email convenient as well.

No need to toss in a man of straw here. Anyone who's been aware of text-sharing
sites since such things existed knows that the abuse (copyrighted,
illegal, ill-gotten material) far exceeds "legitimate" use. In fact, one could
argue rather easily that MegaUpload had several magnitudes more legitimate use
than pastebin.com (and similar).

The typical structure of a mysql dump is a rather easy thing to automatically
sense. A not-complicated regex could easily sense the pasting of alternative
formats. Mr. Vader could easily reduce his workload in dealing with takedowns
by simply injecting a little code that preemptively enforces his terms of
service.

Long text with reporter bylines, also easy to sense.

Really long text with bibliographies, also easy to sense.

I could go on. ;)

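The "not-complicated regex" idea from the comment above, worked through as an added example (this is not code from the thread or from pastebin.com). It scores a paste on the structural markers of a database dump (a `mysqldump` header, `CREATE TABLE`, `INSERT INTO ... VALUES`) and on lines that pair an e-mail address with a 32-hex-digit token, so that credential lists in CSV or colon-separated form are caught as well as SQL. The sample pastes are constructed for the example; the hex strings are made-up, not real hashes.

```python
import re

# Constructed sample pastes (not real data). One mimics a mysqldump, one is a
# bare credential list in CSV form, one is an ordinary code snippet.
SAMPLE_PASTES = {
    "dump": """-- MySQL dump 10.13  Distrib 5.5.29
CREATE TABLE `users` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `email` varchar(255) NOT NULL,
  `password` varchar(32) NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB;
INSERT INTO `users` VALUES (1,'alice@example.com','a3f1c2d4e5b6978012345678abcdef01'),(2,'bob@example.com','0f0e0d0c0b0a09080706050403020100');
""",
    "csv_creds": """email,password_hash
alice@example.com,a3f1c2d4e5b6978012345678abcdef01
bob@example.com,0f0e0d0c0b0a09080706050403020100
""",
    "snippet": """def add(a, b):
    return a + b
""",
}

# Structural markers of a SQL dump. Each rule contributes one reason when it fires.
RULES = {
    "dump_header": re.compile(r"^--\s+(MySQL|PostgreSQL) dump", re.M | re.I),
    "create_table": re.compile(r"\bCREATE TABLE\b", re.I),
    "insert_values": re.compile(r"\bINSERT INTO\b.+?\bVALUES\s*\(", re.I | re.S),
}
HEX32 = re.compile(r"\b[0-9a-f]{32}\b", re.I)       # MD5-sized token
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def classify_paste(text, min_cred_lines=2):
    """Return (score, reasons) for a paste body.

    reasons lists the rule names that fired; score is their count.
    """
    reasons = [name for name, rx in RULES.items() if rx.search(text)]
    # A line carrying both an address and a 32-hex token reads like a credential
    # row whatever the surrounding format (SQL, CSV, colon-separated dumps).
    cred_lines = sum(
        1 for line in text.splitlines() if EMAIL.search(line) and HEX32.search(line)
    )
    if cred_lines >= min_cred_lines:
        reasons.append("credential_rows")
    return len(reasons), reasons


def should_hold_for_review(text):
    """Policy: hold anything with credential rows, or with two or more dump markers."""
    _, reasons = classify_paste(text)
    return "credential_rows" in reasons or len(reasons) >= 2


if __name__ == "__main__":
    for name, body in SAMPLE_PASTES.items():
        score, reasons = classify_paste(body)
        print(f"{name:10s} score={score} hold={should_hold_for_review(body)} {reasons}")
```

The rules are deliberately loose on purpose: a single `CREATE TABLE` in a schema tutorial should not trip the filter on its own, so the hold decision needs either several structural markers together or repeated e-mail-plus-hash rows. A real deployment would tune `min_cred_lines` and the rule set against the site's own traffic, since the comment's own point is that legitimate pastes vastly outnumber dumps.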
------
malkia
His name is Johnny Tables!

------
drivebyacct2
I've never been a fan of the idea that programming be treated like other
professional work like Architects or some such where people are held liable
for accidents resulting from their work, but at the same time, I'd be very
much down for some public shaming of people that implemented unsalted, or even
salted, MD5 hashing for password storage.

You should know better or you should know well enough to stay away from
security. It's like the people stumbling into a mailing list and asking "How
should I write my own password hashing function" alongside more-or-less, "How
do I do string comparisons in this language". I let out a whimper as I read
that post.

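Two comments above name the fixes for the two failures in this story: krapp's "PDO and blowfish" (PHP's names for bound query parameters and bcrypt password hashing) and drivebyacct2's point that unsalted, or even salted, MD5 is not password storage. The following is an added example, not code from the thread, showing both ideas in Python with the standard library: `sqlite3` parameter binding stands in for PDO prepared statements, and `hashlib.scrypt` (salted, deliberately slow) stands in for bcrypt. The database, user and password are constructed for the example. The "unsafe" lookup is there only to show that a plain apostrophe in an address already breaks string-spliced SQL, which is exactly the behaviour parameter binding removes.

```python
import hashlib
import hmac
import os
import sqlite3


def make_db():
    """In-memory user table: one row per account, per-user random salt."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return conn


def unsalted_md5(password):
    """What the breached site apparently used: identical passwords give identical hashes."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password, salt=None):
    """Salted, memory-hard hash. scrypt from the stdlib stands in for bcrypt here."""
    if salt is None:
        salt = os.urandom(16)                     # fresh random salt per account
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest


def register(conn, email, password):
    salt, digest = hash_password(password)
    conn.execute(
        "INSERT INTO users (email, salt, pw_hash) VALUES (?, ?, ?)",  # bound parameters
        (email, salt, digest),
    )


def lookup_unsafe(conn, email):
    """The pattern behind the breach: user input spliced into the SQL text."""
    return conn.execute("SELECT email FROM users WHERE email = '" + email + "'").fetchall()


def lookup_safe(conn, email):
    """Same query with the value bound as a parameter; quotes in the input are just data."""
    return conn.execute("SELECT email FROM users WHERE email = ?", (email,)).fetchall()


def unsafe_lookup_fails(conn, email):
    """True when the string-spliced query cannot even be parsed for this input."""
    try:
        lookup_unsafe(conn, email)
        return False
    except sqlite3.OperationalError:
        return True


def verify(conn, email, password):
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE email = ?", (email,)).fetchone()
    if row is None:
        return False
    _, digest = hash_password(password, salt=row[0])
    return hmac.compare_digest(digest, row[1])  # constant-time comparison


if __name__ == "__main__":
    db = make_db()
    addr = "o'brien@example.com"                  # constructed address with an apostrophe
    register(db, addr, "correct horse")
    print("unsafe lookup breaks on a quote:", unsafe_lookup_fails(db, addr))
    print("safe lookup:", lookup_safe(db, addr))
    print("verify good / bad:", verify(db, addr, "correct horse"), verify(db, addr, "wrong"))
    print("same password, unsalted md5 equal:", unsalted_md5("x") == unsalted_md5("x"))
    print("same password, salted scrypt equal:", hash_password("x")[1] == hash_password("x")[1])
```

The two `print` lines at the end make the MD5 point concrete: with no salt, every account sharing a password shares a hash, so one cracked entry cracks them all and precomputed tables apply directly; with a per-account salt and a slow function, each entry has to be attacked separately and each guess costs real CPU and memory.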
~~~
mvkel
Not only that, it's pretty pathetic to be susceptible to an injection attack
anyway.

Though, I suppose it would be easy to find a hacking target based on which
services email you your password in plain text if you forget it.