Attacks/Breaches
6/26/2012
09:45 AM
50%
50%

LinkedIn Password Breach: 9 Facts Key To Lawsuit

LinkedIn's privacy policy promised users "industry standard protocols and technology," but a class action lawsuit claims LinkedIn failed to deliver. Take a closer look at the security issues.

6. Password Best Practice: Salt
Of the information currently available about the LinkedIn security breach, one notable fact is that the business didn't salt its passwords. "Salting password hashes has been good practice for 20 years or more. LinkedIn wasn't salting its password hashes. As a result, in my opinion, LinkedIn failed to meet minimal standards that users would expect them to follow to secure their information," said Graham Cluley, senior technology consultant at Sophos, via email.

"Of course, that doesn't mean that LinkedIn are the only ones who are failing to reach such a minimal standard. My expectation is that there are many other websites are out there making similar mistakes--but we just don't know about them," said Cluley. Notably, two password breaches that came to light the same week as the LinkedIn breach, involving eHarmony and Last.fm, likewise revealed that neither site had salted its passwords.

7. Security: Where To Find Standards
Failing to salt passwords suggests a more widespread lack of effective security practices, and there are a number of not just standard practices, but actual standards that all businesses should be pursuing. "In particular, the OWASP top 10 are commonly seen as industry standard, and referred to in other standards like PCI," said Johannes Ullrich, chief research officer at SANS Institute, via email. For example, here's what the OWASP top 10 section on "insecure cryptographic storage" has to say about passwords: "Ensure passwords are hashed with a strong standard algorithm and an appropriate salt is used."

Ullrich also pointed to the common weakness enumeration (CWE) system, which is billed as a "community-developed dictionary of software weakness types," and which specifically calls out the use of a one-way hash without a salt as one of the top 25 most dangerous software errors.

8. Security Involves More Than Hashing
When it comes to LinkedIn, however, take the related password discussion with, yes, a grain of salt. "No salting is indeed a bad practice, but I think the whole hashing and salting discussion is missing the main point," said Imperva's Be'ery. "It's very natural to focus on it, as the only thing we know for a fact is that 6.5 million of LinkedIn's hashed passwords were leaked. It's like having a bank robbery that was discovered by finding the bills in circulation, and [having] the press discussing whether and how the bills should be marked, while the real question is: How was the bank robbed in the first place?"

Or as F-Secure's Sullivan said, when it comes to LinkedIn, "I'd be curious to know how the internal production systems were secured."

9. LinkedIn: Security Facts Still Outstanding
In other words, a few password facts aside, very big questions about LinkedIn's security practices have yet to be publicly detailed. "Hashing and salting, much like bill marking, is a secondary measure of protection," Be'ery said. "The main protection is supposed to keep the bad guys away from the data or the money."

"So the real question here is, how the data was breached," he said. "Did LinkedIn use 'industry standard protocols and technology' with respect to breach protection? Did they pen test their app? Did they use a Web application firewall? Did the hackers use some super new '0 day' attack, or did they use some very common Web application attacks such as SQL injection or remote file inclusion?"

Until those questions get answered, expect discussions of LinkedIn's security to remain largely academic.

Employees and their browsers might be the weak link in your security plan. The new, all-digital Endpoint Insecurity Dark Reading supplement shows how to strengthen them. (Free registration required.)

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Number 6
50%
50%
Number 6,
User Rank: Apprentice
7/24/2012 | 4:08:57 PM
re: LinkedIn Password Breach: 9 Facts Key To Lawsuit
RE #8 and 9- Another question is what the bad guys can do once they have the passwords.

This is like the identify theft problem where a bad guy with a name, birthdate, and social security number can get a credit card. The focus has been on protecting those 3 pieces of data but NOT on how easily they can use the data to get a credit card.

Really secure sites check IP addresses and ask for additional verification if the logon is from a new location.
Mark532010
50%
50%
Mark532010,
User Rank: Apprentice
6/28/2012 | 8:33:32 PM
re: LinkedIn Password Breach: 9 Facts Key To Lawsuit
It is still early in the process and I don't think LinkedIn has revealed many details yet but my guess is that they followed the classic management fallacy of too much "world class security" worries and too little worries about the mundane practical details that are the root cause of most breakins...Default passwords, unpatched servers, unwatched security consoles, unknown services running, elevated rights, unwatched file changes, etc. Its not sexy and the "World class experts" don't spend much time down there but that's where most of these problems are allowed to happen.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-9676
Published: 2015-02-27
The seg_write_packet function in libavformat/segment.c in ffmpeg 2.1.4 and earlier does not free the correct memory location, which allows remote attackers to cause a denial of service ("invalid memory handler") and possibly execute arbitrary code via a crafted video that triggers a use after free.

CVE-2014-9682
Published: 2015-02-27
The dns-sync module before 0.1.1 for node.js allows context-dependent attackers to execute arbitrary commands via shell metacharacters in the first argument to the resolve API function.

CVE-2015-0655
Published: 2015-02-27
Cross-site scripting (XSS) vulnerability in Unified Web Interaction Manager in Cisco Unified Web and E-Mail Interaction Manager allows remote attackers to inject arbitrary web script or HTML via vectors related to a POST request, aka Bug ID CSCus74184.

CVE-2015-0884
Published: 2015-02-27
Unquoted Windows search path vulnerability in Toshiba Bluetooth Stack for Windows before 9.10.32(T) and Service Station before 2.2.14 allows local users to gain privileges via a Trojan horse application with a name composed of an initial substring of a path that contains a space character.

CVE-2015-0885
Published: 2015-02-27
checkpw 1.02 and earlier allows remote attackers to cause a denial of service (infinite loop) via a -- (dash dash) in a username.

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.