Friday, November 1, 2013

Can someone be targeted using the Adobe breach?

Note: As a professional courtesy to those at Adobe who are doing their absolute best to mitigate this breach, I have partially redacted all full hashes and email addresses in this blog post, except those already visible in the image published by arstechnica.com.

We all know about the recent 153 Million account dump from Adobe. As arstechnica showed, the format looks something like this:

Image source: http://arstechnica.com/security/2013/11/how-an-epic-blunder-by-adobe-could-strengthen-hand-of-password-crackers/

As you can see, there's some sort of ID number, the email address, the encrypted password (which, from the arstechnica article, we now know is 3DES) and the password hint.

Password hints are great and all, but they can be unreliable, unclear, or flat out wrong.
HOWEVER, because the passwords were encrypted rather than salted and hashed, everyone with the same password ends up with the same encrypted string. When you have thousands of people sharing one encrypted string, looking at all of their password hints together can make the cleartext password painfully obvious.
For example, let's get the most common encrypted password strings from the dump (the number on the left shows how many times each one was used):

1911867 EQ7fIp*****=
 446144 j9p+********************==
 345833 L8qbAD**********CatHBw==
 211659 BB4e6X+b*************w==
 201569 j9p*****2ws=
 124248 dQ*****PYvQ=
 113880 7*****Veq8I=
  83409 PMDTbP**********FUvYGA==


Now let's take that first, most common encrypted string and grab the hints of every user who has it. Let's also uniq those and sort them by how popular each hint is:


One can reasonably guess what password corresponds to EQ7fIp******=

Now let's see what else we can do with this. Let's use this same method to see if we can target an individual account in the Adobe dump. Funny enough, there's an entry for an account edwardsnowden@******mail.com.
6**58***-|--|-edwardsnowden@******mail.com-|-B***************CatHBw==-|-|--


Now let's see if any other people in the dump have the exact same password hash as this account, and if so then how many.
[jdustin@localhost passwords]$ grep B***************CatHBw==  cred | wc -l


Okay, let's grab those 207 lines (every account that used that same password), cut out just their password hints, and then sort them by how often each hint appears in the list:
[jdustin@localhost passwords]$ grep B***************CatHBw==  cred | cut -d"|" -f5 | sort | uniq -c | sort -nr | head -n50


So, Metal? 74W on the table of elements? The usual Tung?
"tungsten" perhaps? Your guess is as good as mine. :)
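The same grouping trick, written up as an added Python example that is not from the post and does not reproduce the blog's own grep/cut/sort pipeline: it parses lines in the dump's id-|-username-|-email-|-password-|-hint|-- layout (the empty second field is assumed to be a username), counts how many accounts share each encrypted string, and ranks the hints stored beside it. The records and encrypted strings are constructed placeholders, not values from the dump.

```python
from collections import Counter, defaultdict

# Record layout as seen in the dump: id-|-username-|-email-|-password-|-hint|--
SEP, TERM = "-|-", "|--"
FIELDS = ("id", "username", "email", "enc_pw", "hint")

def parse_record(line):
    """Split one dump line into its five fields; return None for a malformed line."""
    line = line.rstrip("\r\n")
    if not line.endswith(TERM):
        return None
    parts = line[:-len(TERM)].split(SEP, 4)   # a hint may itself contain "-|-"
    return dict(zip(FIELDS, parts)) if len(parts) == 5 else None

def analyse(lines):
    """Count accounts per encrypted string and collect the hints stored beside each."""
    members = Counter()             # encrypted string -> number of accounts using it
    hints = defaultdict(Counter)    # encrypted string -> Counter of lower-cased hints
    for rec in filter(None, map(parse_record, lines)):   # drop lines that don't parse
        members[rec["enc_pw"]] += 1
        if rec["hint"]:
            hints[rec["enc_pw"]][rec["hint"].lower()] += 1
    return members, hints

def exposure_for(email, lines, top=5):
    """How many accounts share this account's encrypted string, and their top hints."""
    members, hints = analyse(lines)
    target = next((r for r in map(parse_record, lines) if r and r["email"] == email), None)
    if target is None:
        return 0, []
    return members[target["enc_pw"]], hints[target["enc_pw"]].most_common(top)

# Constructed sample in the dump's layout; the encrypted strings are made-up placeholders.
SAMPLE = """\
1001-|--|-alice@example.com-|-CTx1q2w3e4r5t6==-|-numbers 1 to 6|--
1002-|-bob-|-bob@example.com-|-CTx1q2w3e4r5t6==-|-123456|--
1003-|--|-carol@example.com-|-CTx1q2w3e4r5t6==-|-Numbers 1 to 6|--
1004-|--|-dave@example.com-|-CTzMetalW74abc==-|-metal|--
1005-|--|-erin@example.com-|-CTzMetalW74abc==-|-74W on the table of elements|--
1006-|--|-frank@example.com-|-CTzMetalW74abc==-|-Metal|--
1007-|--|-target@example.com-|-CTzMetalW74abc==-|-|--
this line is truncated and has no terminator
""".splitlines()

if __name__ == "__main__":
    members, hints = analyse(SAMPLE)
    for enc_pw, n in members.most_common():       # same view as the counts at the top
        print(n, enc_pw, hints[enc_pw].most_common(3))
    print(exposure_for("target@example.com", SAMPLE))
```

The account with no hint of its own (target@example.com) is still exposed by the hints of the other accounts sharing its encrypted string, which is exactly why unsalted, deterministic storage plus plaintext hints is so damaging.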




10 comments:

  1. This comment has been removed by the author.

  2. Where did you download the file?

  3. I was discussing this last week in the context of password reuse. I did a bit of "research" and found that of the brute forced pws from the dump many are used across major sites. Password reuse is a real problem and people don't appreciate the implications.

  4. Hey,
    I will try it and discuss it in our community of graphic designers. Password reuse is the biggest problem but the people...

  5. I enjoyed the tips you are providing on your website. Adobe support can make one’s help technical service. Thanks for the information……..
    Adobe Support please visit the link.

    Thankyou
    Lacy Brown

  6. I am very happy to see your blog, good article and interesting,

    *reach your marketing lists or Sales Leads*

    Email Appending list is continuously updated with most accurate, quality and verified contacts.

    Ehealthcarelists can provide Adobe Users

    Email
    complete marketing information such as

    · First Name, Last Name
    · Business Name
    · Practice Specialty, Specialty Code
    · Email, Postal Address and Zip Code
    · SIC /NAICS Code and NPI Numbers.
    · Phone Number and Fax Number
    · License Number
    · Web address

    Thanks for the information and Greetings

  7. I am glad to see this post which I was finding. It is incredible post. The personal statement length are available here for those who are thinking about to draw the graph.

  8. Collections from the design labels such as pas cher trx and other beauty are released after every six months.
    With every new launch, a new penny skateboards cheap online technology is developed.
    This had led to making TRX For Sale remain competitive in the International market.
    The entire pas cher trx packaging process is paid into detail to enhance the collections quality and appearance.
    Now everyone can own high-end designer trx france.
    TRX Suspension Training Sale being one of the largest and most prominent fashion company in the world, it has an obligation of beating the standards set by others.
    The fashion world, with a higher concentration on Discount TRX Sale, needs to provide the best packaging services that the modern world has ever seen.
    TRX Suspension Training On Sale plays a major role in creating a brand name that fashion lovers want to identify with.

  9. Support for adobe +1877-339-8403. Our highly knowledgeable Adobe technical support online staff is readily available at all times for our well-regarded clients to help out with their Adobe issues at the earliest possible time.

  10. TollFree +1(855)837-9965! Repair All PC, LLC in Cleveland Ohio. Our Microsoft certified professionals & System Engineers provide Best Tools and Expert Solutions to all your issues on repairallpc.net
