{"id":172,"date":"2012-06-13T15:13:01","date_gmt":"2012-06-13T02:13:01","guid":{"rendered":"http:\/\/burn.co.nz\/blog\/?p=172"},"modified":"2012-11-14T13:23:08","modified_gmt":"2012-11-14T00:23:08","slug":"linkedin-breech-are-we-missing-the-point","status":"publish","type":"post","link":"https:\/\/burn.co.nz\/blog\/?p=172","title":{"rendered":"LinkedIn breach &#8211; are we overlooking the real problem?"},"content":{"rendered":"<p>There has been a <a title=\"Washington Post - LinkedIn, eHarmony, Last.fm hacks highlight bad passwords\" href=\"http:\/\/www.washingtonpost.com\/business\/technology\/linkedin-eharmony-lastfm-hacks-highlight-bad-passwords\/2012\/06\/08\/gJQAq6ktNV_story.html\" target=\"_blank\">lot<\/a> <a title=\"PC World - LinkedIn Confirms Account Passwords Hacked\" href=\"https:\/\/www.pcworld.com\/article\/257045\/update_linkedin_confirms_account_passwords_hacked.html\" target=\"_blank\">of<\/a> <a title=\"The Guardian - LinkedIn investigates hacking claims\" href=\"http:\/\/www.guardian.co.uk\/technology\/2012\/jun\/06\/linkedin-hacking\" target=\"_blank\">press<\/a> recently about 6.45 million <a title=\"Wikipedia - Cryptographic hash function\" href=\"https:\/\/en.wikipedia.org\/wiki\/Cryptographic_hash_function\" target=\"_blank\">password hashes<\/a> from <a href=\"https:\/\/www.linkedin.com\">LinkedIn<\/a> appearing online. A 120MB Zip file showed up last week on a Russian hacking site without any related account information (although the hackers likely have these details). Large volumes of account information being stolen is a common occurrence. 
eHarmony and Last.fm also both suffered <a title=\"smh.com.au - Last.fm and eHarmony passwords stolen\" href=\"http:\/\/www.smh.com.au\/digital-life\/consumer-security\/lastfm-and-eharmony-passwords-stolen-20120608-1zzrq.html\" target=\"_blank\">breaches<\/a> just last week.<\/p>\n<p><!--more--><\/p>\n<p>I find the LinkedIn breach particularly interesting as the company has over 150 million registered users, who share significant amounts of personally identifiable information. Typical information associated with an account includes your current and previous employers, job titles, education, and a <a title=\"Wikipedia - Social graph\" href=\"https:\/\/en.wikipedia.org\/wiki\/Social_graph\" target=\"_blank\">social graph<\/a> of your professional contacts. All of this information can make targeted attacks against individuals and organizations a lot easier.<\/p>\n<p>Without more information it is impossible to know how many users have been affected by this breach, and LinkedIn haven&#8217;t been very forthcoming with details on the <a title=\"LinkedIn Blog\" href=\"http:\/\/blog.linkedin.com\/\" target=\"_blank\">company blog<\/a>. What is known is that there are 6,458,020 unique hashes (<a title=\"Light Blue Touchpaper - On the (alleged) LinkedIn password leak\" href=\"http:\/\/www.lightbluetouchpaper.org\/2012\/06\/06\/on-the-alleged-linkedin-password-leak\/\" target=\"_blank\">roughly 10%<\/a> have leading 0&#8217;s and may be duplicates). 
It is possible this could represent tens of millions of unique user accounts.<\/p>\n<p>Many <a title=\"Qualys Security Labs - Lessons Learned from Cracking 2 Million LinkedIn Passwords\" href=\"https:\/\/community.qualys.com\/blogs\/securitylabs\/2012\/06\/08\/lessons-learned-from-cracking-2-million-linkedin-passwords\" target=\"_blank\">Security<\/a>\/<a title=\"PC World - How Charles Dickens Helped Crack Your LinkedIn Password\" href=\"https:\/\/www.pcworld.com\/businesscenter\/article\/257201\/how_charles_dickens_helped_crack_your_linkedin_password.html\" target=\"_blank\">IT<\/a> sites and blogs have covered <a title=\"Errata Security - LinkedIn vs. password cracking\" href=\"http:\/\/erratasec.blogspot.co.nz\/2012\/06\/linkedin-vs-password-cracking.html\" target=\"_blank\">cracking<\/a> the LinkedIn hashes in fascinating detail (<a title=\"Sophos nakedsecurity - LinkedIn confirms hack, over 60% of stolen passwords already cracked\" href=\"http:\/\/nakedsecurity.sophos.com\/2012\/06\/06\/linkedin-confirms-hack-over-60-of-stolen-passwords-already-cracked\/\" target=\"_blank\">more than 60%<\/a> of the hashes have been cracked). There has also been a great deal of discussion around the security of <a title=\"PHKs Bikeshed - Md5crypt Password scrambler is no longer considered safe by author\" href=\"http:\/\/phk.freebsd.dk\/sagas\/md5crypt_eol.html\" target=\"_blank\">MD5<\/a>\/<a title=\"Schneier on Security - Cryptanalysis of SHA-1\" href=\"https:\/\/www.schneier.com\/blog\/archives\/2005\/02\/cryptanalysis_o.html\" target=\"_blank\">SHA-1<\/a> hashing, and how the passwords weren&#8217;t <a title=\"Wikipedia - Salt (cryptography)\" href=\"https:\/\/en.wikipedia.org\/wiki\/Salt_%28cryptography%29\" target=\"_blank\">Salted<\/a>. It is great to see active discussion, and hopefully it improves security at large.<\/p>\n<p>But, I can&#8217;t help but think everyone is missing the point &#8211; how on earth were these passwords stolen? 
Once an attacker is inside the network and has access, they can get account information in many ways. A lot of these don&#8217;t even require access to user databases.<\/p>\n<p>Securing one part of a system really well doesn&#8217;t stop an attacker using other methods; we as IT professionals really need to practice <a title=\"Wikipedia - Defense in depth\" href=\"https:\/\/en.wikipedia.org\/wiki\/Defense_in_depth_%28computing%29\" target=\"_blank\">Defense in depth<\/a>. Now is a really good time to start.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>There has been a lot of press recently about 6.45 million password hashes from LinkedIn appearing online. A 120MB Zip file showed up last week on a Russian hacking site without any related account information (although the hackers likely have these details). Large volumes of account information being stolen is a common occurrence. eHarmony and [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[15],"tags":[27],"class_list":["post-172","post","type-post","status-publish","format-standard","hentry","category-security","tag-security"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p2duNU-2M","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/burn.co.nz\/blog\/index.php?rest_route=\/wp\/v2\/posts\/172","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/burn.co.nz\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/burn.co.nz\/blog\/index.php?rest_route=\/wp\/v2\
/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/burn.co.nz\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/burn.co.nz\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=172"}],"version-history":[{"count":7,"href":"https:\/\/burn.co.nz\/blog\/index.php?rest_route=\/wp\/v2\/posts\/172\/revisions"}],"predecessor-version":[{"id":228,"href":"https:\/\/burn.co.nz\/blog\/index.php?rest_route=\/wp\/v2\/posts\/172\/revisions\/228"}],"wp:attachment":[{"href":"https:\/\/burn.co.nz\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=172"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/burn.co.nz\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=172"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/burn.co.nz\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=172"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}