Attacks/Breaches
6/26/2012
09:45 AM
50%
50%

LinkedIn Password Breach: 9 Facts Key To Lawsuit

LinkedIn's privacy policy promised users "industry standard protocols and technology," but a class action lawsuit claims LinkedIn failed to deliver. Take a closer look at the security issues.

6. Password Best Practice: Salt
Of the information currently available about the LinkedIn security breach, one notable fact is that the business didn't salt its passwords. "Salting password hashes has been good practice for 20 years or more. LinkedIn wasn't salting its password hashes. As a result, in my opinion, LinkedIn failed to meet minimal standards that users would expect them to follow to secure their information," said Graham Cluley, senior technology consultant at Sophos, via email.

"Of course, that doesn't mean that LinkedIn are the only ones who are failing to reach such a minimal standard. My expectation is that there are many other websites are out there making similar mistakes--but we just don't know about them," said Cluley. Notably, two password breaches that came to light the same week as the LinkedIn breach, involving eHarmony and Last.fm, likewise revealed that neither site had salted its passwords.

7. Security: Where To Find Standards
Failing to salt passwords suggests a more widespread lack of effective security practices, and there are a number of not just standard practices, but actual standards that all businesses should be pursuing. "In particular, the OWASP top 10 are commonly seen as industry standard, and referred to in other standards like PCI," said Johannes Ullrich, chief research officer at SANS Institute, via email. For example, here's what the OWASP top 10 section on "insecure cryptographic storage" has to say about passwords: "Ensure passwords are hashed with a strong standard algorithm and an appropriate salt is used."

Ullrich also pointed to the common weakness enumeration (CWE) system, which is billed as a "community-developed dictionary of software weakness types," and which specifically calls out the use of a one-way hash without a salt as one of the top 25 most dangerous software errors.

8. Security Involves More Than Hashing
When it comes to LinkedIn, however, take the related password discussion with, yes, a grain of salt. "No salting is indeed a bad practice, but I think the whole hashing and salting discussion is missing the main point," said Imperva's Be'ery. "It's very natural to focus on it, as the only thing we know for a fact is that 6.5 million of LinkedIn's hashed passwords were leaked. It's like having a bank robbery that was discovered by finding the bills in circulation, and [having] the press discussing whether and how the bills should be marked, while the real question is: How was the bank robbed in the first place?"

Or as F-Secure's Sullivan said, when it comes to LinkedIn, "I'd be curious to know how the internal production systems were secured."

9. LinkedIn: Security Facts Still Outstanding
In other words, a few password facts aside, very big questions about LinkedIn's security practices have yet to be publicly detailed. "Hashing and salting, much like bill marking, is a secondary measure of protection," Be'ery said. "The main protection is supposed to keep the bad guys away from the data or the money."

"So the real question here is, how the data was breached," he said. "Did LinkedIn use 'industry standard protocols and technology' with respect to breach protection? Did they pen test their app? Did they use a Web application firewall? Did the hackers use some super new '0 day' attack, or did they use some very common Web application attacks such as SQL injection or remote file inclusion?"

Until those questions get answered, expect discussions of LinkedIn's security to remain largely academic.

Employees and their browsers might be the weak link in your security plan. The new, all-digital Endpoint Insecurity Dark Reading supplement shows how to strengthen them. (Free registration required.)

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Number 6
50%
50%
Number 6,
User Rank: Apprentice
7/24/2012 | 4:08:57 PM
re: LinkedIn Password Breach: 9 Facts Key To Lawsuit
RE #8 and 9- Another question is what the bad guys can do once they have the passwords.

This is like the identify theft problem where a bad guy with a name, birthdate, and social security number can get a credit card. The focus has been on protecting those 3 pieces of data but NOT on how easily they can use the data to get a credit card.

Really secure sites check IP addresses and ask for additional verification if the logon is from a new location.
Mark532010
50%
50%
Mark532010,
User Rank: Moderator
6/28/2012 | 8:33:32 PM
re: LinkedIn Password Breach: 9 Facts Key To Lawsuit
It is still early in the process and I don't think LinkedIn has revealed many details yet but my guess is that they followed the classic management fallacy of too much "world class security" worries and too little worries about the mundane practical details that are the root cause of most breakins...Default passwords, unpatched servers, unwatched security consoles, unknown services running, elevated rights, unwatched file changes, etc. Its not sexy and the "World class experts" don't spend much time down there but that's where most of these problems are allowed to happen.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-4497
Published: 2015-08-29
Use-after-free vulnerability in the CanvasRenderingContext2D implementation in Mozilla Firefox before 40.0.3 and Firefox ESR 38.x before 38.2.1 allows remote attackers to execute arbitrary code by leveraging improper interaction between resize events and changes to Cascading Style Sheets (CSS) token...

CVE-2015-4498
Published: 2015-08-29
The add-on installation feature in Mozilla Firefox before 40.0.3 and Firefox ESR 38.x before 38.2.1 allows remote attackers to bypass an intended user-confirmation requirement by constructing a crafted data: URL and triggering navigation to an arbitrary http: or https: URL at a certain early point i...

CVE-2014-9651
Published: 2015-08-28
Buffer overflow in CHICKEN 4.9.0.x before 4.9.0.2, 4.9.x before 4.9.1, and before 5.0 allows attackers to have unspecified impact via a positive START argument to the "substring-index[-ci] procedures."

CVE-2015-1171
Published: 2015-08-28
Stack-based buffer overflow in GSM SIM Utility (aka SIM Card Editor) 6.6 allows remote attackers to execute arbitrary code via a long entry in a .sms file.

CVE-2015-2987
Published: 2015-08-28
Type74 ED before 4.0 misuses 128-bit ECB encryption for small files, which makes it easier for attackers to obtain plaintext data via differential cryptanalysis of a file with an original length smaller than 128 bits.

Dark Reading Radio
Archived Dark Reading Radio
Another Black Hat is in the books and Dark Reading was there. Join the editors as they share their top stories, biggest lessons, and best conversations from the premier security conference.