Attacks/Breaches
6/26/2012
09:45 AM
50%
50%

LinkedIn Password Breach: 9 Facts Key To Lawsuit

LinkedIn's privacy policy promised users "industry standard protocols and technology," but a class action lawsuit claims LinkedIn failed to deliver. Take a closer look at the security issues.

6. Password Best Practice: Salt
Of the information currently available about the LinkedIn security breach, one notable fact is that the business didn't salt its passwords. "Salting password hashes has been good practice for 20 years or more. LinkedIn wasn't salting its password hashes. As a result, in my opinion, LinkedIn failed to meet minimal standards that users would expect them to follow to secure their information," said Graham Cluley, senior technology consultant at Sophos, via email.

"Of course, that doesn't mean that LinkedIn are the only ones who are failing to reach such a minimal standard. My expectation is that there are many other websites are out there making similar mistakes--but we just don't know about them," said Cluley. Notably, two password breaches that came to light the same week as the LinkedIn breach, involving eHarmony and Last.fm, likewise revealed that neither site had salted its passwords.

7. Security: Where To Find Standards
Failing to salt passwords suggests a more widespread lack of effective security practices, and there are a number of not just standard practices, but actual standards that all businesses should be pursuing. "In particular, the OWASP top 10 are commonly seen as industry standard, and referred to in other standards like PCI," said Johannes Ullrich, chief research officer at SANS Institute, via email. For example, here's what the OWASP top 10 section on "insecure cryptographic storage" has to say about passwords: "Ensure passwords are hashed with a strong standard algorithm and an appropriate salt is used."

Ullrich also pointed to the common weakness enumeration (CWE) system, which is billed as a "community-developed dictionary of software weakness types," and which specifically calls out the use of a one-way hash without a salt as one of the top 25 most dangerous software errors.

8. Security Involves More Than Hashing
When it comes to LinkedIn, however, take the related password discussion with, yes, a grain of salt. "No salting is indeed a bad practice, but I think the whole hashing and salting discussion is missing the main point," said Imperva's Be'ery. "It's very natural to focus on it, as the only thing we know for a fact is that 6.5 million of LinkedIn's hashed passwords were leaked. It's like having a bank robbery that was discovered by finding the bills in circulation, and [having] the press discussing whether and how the bills should be marked, while the real question is: How was the bank robbed in the first place?"

Or as F-Secure's Sullivan said, when it comes to LinkedIn, "I'd be curious to know how the internal production systems were secured."

9. LinkedIn: Security Facts Still Outstanding
In other words, a few password facts aside, very big questions about LinkedIn's security practices have yet to be publicly detailed. "Hashing and salting, much like bill marking, is a secondary measure of protection," Be'ery said. "The main protection is supposed to keep the bad guys away from the data or the money."

"So the real question here is, how the data was breached," he said. "Did LinkedIn use 'industry standard protocols and technology' with respect to breach protection? Did they pen test their app? Did they use a Web application firewall? Did the hackers use some super new '0 day' attack, or did they use some very common Web application attacks such as SQL injection or remote file inclusion?"

Until those questions get answered, expect discussions of LinkedIn's security to remain largely academic.

Employees and their browsers might be the weak link in your security plan. The new, all-digital Endpoint Insecurity Dark Reading supplement shows how to strengthen them. (Free registration required.)

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Number 6
50%
50%
Number 6,
User Rank: Apprentice
7/24/2012 | 4:08:57 PM
re: LinkedIn Password Breach: 9 Facts Key To Lawsuit
RE #8 and 9- Another question is what the bad guys can do once they have the passwords.

This is like the identify theft problem where a bad guy with a name, birthdate, and social security number can get a credit card. The focus has been on protecting those 3 pieces of data but NOT on how easily they can use the data to get a credit card.

Really secure sites check IP addresses and ask for additional verification if the logon is from a new location.
Mark532010
50%
50%
Mark532010,
User Rank: Apprentice
6/28/2012 | 8:33:32 PM
re: LinkedIn Password Breach: 9 Facts Key To Lawsuit
It is still early in the process and I don't think LinkedIn has revealed many details yet but my guess is that they followed the classic management fallacy of too much "world class security" worries and too little worries about the mundane practical details that are the root cause of most breakins...Default passwords, unpatched servers, unwatched security consoles, unknown services running, elevated rights, unwatched file changes, etc. Its not sexy and the "World class experts" don't spend much time down there but that's where most of these problems are allowed to happen.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8802
Published: 2015-01-23
The Pie Register plugin before 2.0.14 for WordPress does not properly restrict access to certain functions in pie-register.php, which allows remote attackers to (1) add a user by uploading a crafted CSV file or (2) activate a user account via a verifyit action.

CVE-2014-9623
Published: 2015-01-23
OpenStack Glance 2014.2.x through 2014.2.1, 2014.1.3, and earlier allows remote authenticated users to bypass the storage quote and cause a denial of service (disk consumption) by deleting an image in the saving state.

CVE-2014-9638
Published: 2015-01-23
oggenc in vorbis-tools 1.4.0 allows remote attackers to cause a denial of service (divide-by-zero error and crash) via a WAV file with the number of channels set to zero.

CVE-2014-9639
Published: 2015-01-23
Integer overflow in oggenc in vorbis-tools 1.4.0 allows remote attackers to cause a denial of service (crash) via a crafted number of channels in a WAV file, which triggers an out-of-bounds memory access.

CVE-2014-9640
Published: 2015-01-23
oggenc/oggenc.c in vorbis-tools 1.4.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted raw file.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
If you’re a security professional, you’ve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.