You must have heard about recent breach at LinkedIn, which led to exposure of 6.5 million hashed passwords available for download at hacker site. Many of such passwords were decoded and published on an un-authorized website. Feds are involved in investigation to find out possible perpetrator(s) behind this criminal activity but I see there are certain takeaways from this incident and probably which would make us better prepared for possible future breaches.
- Many phishers took advantage of a post breach situation. I compare it with aftershocks, which generally happen after an earthquake or likewise natural calamities. Everybody is scared of it; still in fear, not sure if it will repeat again and they do everything possible to come out of situation. You can ask almost anything at this time in name of safety or security, people will be ready to give or follow it.Phishers creates a phish website and asked users to enter their credentials to verify if they are victim of this compromise. Here the fear factor acts and users tend to provide their credentials in order to verify whether they are the victim or not. Few of them could be legitimate sources but others could be created by phishers to gain access to user account and their passwords. Ensure that you do not fall prey to such phish tricks.
- I must say the way, how LinkedIn handled the breach was very mature. Instead of following standard process to reset passwords for possible compromised users, LinkedIn first disabled all accounts, which they believed those are compromised. Then members were sent an email explaining the reset process and there was no link given in the email to reset password. Rather, affected members received second email from customer support team explaining the context of situation, and why they are being asked to change the password.As I mentioned earlier (aftershocks), these kinds of tricks (reset password) can be used by Phishers to entice users in visiting phish website which looks like Linked In website and make user reveal their credentials.
- I am sure that LinkedIn would continue to work on enhancing the security of data of their 160 million members. However, you need to play your part of security by having long and complex password which includes alphanumeric and special characters. The password needs to be changed periodically (say every few months) and same password should not be repeated in the same account or over multiple sites and accounts.
- You might not have received an email from LinkedIn to reset your password. It essentially means that your password was not there in the dump of 181 MB passwords, which was available for download on unauthorized website. However, it is highly recommended that you change your password to something complex, not easy to guess or decode. It is time to do so NOW, if you have not done.
- LinkedIn is assumed to be using SHA-1 security protocol for hashing passwords in backend database. No doubt SHA-1 hash (one-way hash) technique is much stronger than MD5 (another one-way hash) technique, but probably SHA-1 is not the best one. It is always advised to use salted hash (where a random string of characters are appended to a password before it is hashed) to make password cracking much harder. It is also possible to use salt in such a way that regardless of two passwords being identical (which is very much possible), their hashes are unique. This would also ensure that the hackers cannot utilize rainbow tables to crack hashed passwords.
- An Illinois woman has filed a $5 million lawsuit in California against LinkedIn Corp, saying the social network violated promises to consumers by not having better security in place when more than 6 million customer passwords were stolen. Remember whenever there is breach, no matter how big or small it is, it does have financial implications and causes reputation damage.
- It makes me wonder that how the passwords were retrieved by an outsider. Generally, the application is the only layer through which outsiders can access the database, here I have assumed the fact that the underlying network is secure enough.Looking at recent breaches, it possibly could be SQL Injection, an application level vulnerability; but there were no evidence about how the passwords were leaked. The important take away is that we need to ensure that online applications are free from application level vulnerabilities and underlying network infrastructure is well secured before the application is made available on internet.
(Read more: Tackling the Cyber Security challenges faced by SMEs)
Even though we witnessed such a massive breach, we did not stop using LinkedIn or any other social networking site for that matter. And I don’t think we are going to, since they are so integrated in our day to day life. It reiterates the fact that risks die hard, and we need to find new ways to manage the risks.
Original Blog at : http://www.phishnix.com/blog/2012/07/7-key-lessons-from-the-linkedin-breach/