Why The Adobe Breach Was Bad For Everyone

Last week, hackers broke into Adobe’s servers and stole a number of things, most notably:

  • Millions of encrypted user accounts with email, passwords and credit card numbers, and
  • Source code for Adobe’s high end products such as Acrobat and ColdFusion.

At a consumer level, you are affected by this in a couple of ways, both bad. As always, be very careful about where you obtain your software! Purchase Adobe products only from reputable sources, such as Adobe.com and Amazon.com. Cracked products usually contain malicious code that your antivirus software probably won’t detect. We also need to be concerned about Adobe products in general, until Adobe can verify that the products on their site are legitimately their code. The fact that hackers could get into the site means they had the ability to change the code for legitimate downloads from Adobe’s own site.

As for the encrypted passwords, a breach like this is a hacker’s dream — they can spend weeks or months practicing breaking the encryption. Once they do, even if you have changed your password, hackers now have a better understanding of not only how to crack passwords, but also what passwords people choose.

Again, all around bad news with the following takeaways:

  • Be vigilant about where you purchase your software, and update your Adobe products regularly!
  • Use long, strong passwords. I recommend using a password manager (Firefox’s built-in, LastPass or Roboform) and a password generator like http://www.correcthorsebatterystaple.net to generate strong passwords.

Tor is Dead – Long Live Online Anonymity!

Or, Winning a Battle and Losing a War

The recent cases in which the US government spies took down some of the largest Tor services, Freedom Hosting and Silk Road, is, in my opinion, the death knell for Tor in its current incarnation. The US has proven that Tor’s triple encryption, anonymizing servers were no match for the long, strong arm of the law which employs tens of thousands of engineers to destroy the anonymity provided by the service. I should state that the underlying technology is probably still sound, but the damage done and the vulnerabilities shown by recent events demonstrate its fragility. Tor has an article on their position.

Here is Tor’s statement on their service:

Just using Tor isn’t enough to keep you safe in all cases. Browser exploits, large-scale surveillance, and general user security are all challenging topics for the average internet user. These attacks make it clear that we, the broader internet community, need to keep working on better security for browsers and other internet-facing applications.

The US has even forced domestic providers of encrypted email services to shut down or face treason charges if they do not provide a way for the NSA, CIA and FBI to spy on their users.

While the government may have won the battle, we as a people have lost the war. Tor was a service that was used by reporters, dissidents, whistle blowers and even victims of domestic violence to communicate and learn without fear of discovery by hostile forces. The fact that those people can now be tracked down is a beacon of hope to repressive governments and terrorists everywhere, who had despaired of finding the leaks in their countries.

It’s also true that criminals were also using Tor to make money and advertise their services. In examining the balance of allowing some degree of crime versus ripping the lid off of online anonymity, the US government agencies decided that shutting down a website and a hosting service were more important.

Essentially, the proof of concept is there: Tor is dead. There is no way the service in its current incarnation can survive. Too many weaknesses have already been exposed. Privacy advocates and criminals are not going to sit and mourn, however. They are already on their way to building a better, stronger anonymous web. There are already new private networks out there such as I2P, Phantom, FreedomBox, and more that promise much stronger privacy controls.

In a statement, the EFF has said:

Criminals can already do bad things. Since they’re willing to break laws, they already have lots of options available that provide better privacy than Tor provides….

Tor aims to provide protection for ordinary people who want to follow the law. Only criminals have privacy right now, and we need to fix that….

So yes, criminals could in theory use Tor, but they already have better options, and it seems unlikely that taking Tor away from the world will stop them from doing their bad things…

So the issue is clearly not that criminals are using and abusing these networks. Organized criminal networks already exist — in Mexico, at least one drug cartel had built their own, parallel cell phone network!

Stopping online anonymous networks won’t stop crime. It will only hinder small-time criminals and hurt whistle blowers and dissidents until a better platform comes along, and another after that until the US forces anonymous networks to become bulletproof. And that’s a good thing.

After all, in the words of V,

the people should not be afraid of the government. The government should be afraid of the people.

So there you have it. Tor is dead; long live Internet anonymity!

Layered Security

Let’s face it: the way we’re using the Internet today is way beyond what its creators had in mind. What started out as a project to allow research teams at universities to communicate with each other using text-based email programs has become the World Wide Web, e-commerce, email, virtual private networks, and more.

In a perfect world, all of that would be humming along. But some people have seen how easy it is to disrupt the flow of information for personal gain. Viruses, security breaches, email scams and more have become the bane of the Internet. The latest news, about 3 million Adobe accounts being hacked and Tor services being brought down, are evidence that careless use of the Internet is a recipe for disaster.

Layered Security is the only way to keep ourselves safe. It starts at the gateway with a device like a Fortigate 60C, and is followed up by up-to-date PCs with firewalls, antivirus, fully patched apps and browsers with password vaults and/or biometric sensors, and ends with the person sitting at the keyboard.

Be vigilant in what you click on, what you want to buy, what site you are visiting! You may no even see malicious software on your computer. Ever.

Local Computer Pros is here to help you protect yourself and your company — call us!