LinkedIn password database compromised

David Walker davidianwalker at gmail.com
Thu Jun 7 21:56:09 UTC 2012


On 07/06/2012, Lynda <shrdlu at deaddrop.org> wrote:
> Sorry to be the bearer of such bad tidings.

I'm a very amateur cryptologist so some of this is new to me:
"Any organization using SHA-1 without salting user passwords is
running a great risk -- much higher than they should," said Per
Thorsheim, chief information security advisor at Norwegian IT services
company EVRY. "We've seen this time and time again. This is not good
practice. Salt should be a minimum."
http://money.cnn.com/2012/06/06/technology/linkedin-password-hack/

This, however, is all too commonplace:
"We take the security of our members very seriously."
http://blog.linkedin.com/2012/06/06/linkedin-member-passwords-compromised/

This is the only security item they have and it's mission critical right?
The issues are well understood and highly publicized.
The procedures are simple.
Taking a casual interest in security pretty much precludes mistakes here.
I'm not fooled at all.

http://press.linkedin.com/node/1192

The current system can work if applied correctly but time and again
we're seeing failure from service providers to follow the dots.
As I mentioned I'm no expert but I don't think widening the circle of
trust is the correct answer regardless of the technology. There's no
technology shortfall here.
Self-signed certificates do sound great and for most purposes,
certainly in this case, fulfill all the requirements. There's no need
to verify anything about me is correct other than to tie my
authentication to my account. If I fail to meet the TOS then the plug
is easily pulled and any further activity can be dealt with as it
currently is by other means. I think there's enough risk in bringing
in a CA and so little advantage that it's wrong.

As far as moving the cryptographic responsibility from the service
provider to us - I'm all for it. They've been telling us for some time
now they'd rather not do that stuff.
I'd much rather have control and introduce something a little sleeker.
As far as users go, if they have to learn it to get on FaceSpace then
they'll learn it - that's a given.
There's no reason for it not to be optional anyway.

To all the people who've figured this out, my hat's off.

I'm very suspicious of any mention of a browser being involved in this
process though.
Shifting some software responsibility to the client probably brings
new/different danger anyway but probably the last piece of goop that
should be involved is a browser.
That's anecdotal aversion but I'll stand by it.

> Please note that LinkedIn has weighed in with a carefully worded blog post:
>
> http://blog.linkedin.com/2012/06/06/linkedin-member-passwords-compromised/
>
> Further details:
> 1. The leak took place on June 4
> 2. LinkedIn was using unsalted SHA-1 for their password store.
> 3. FYI, there are two lists. The second one appears to be from eHarmony.
> Unsalted MD5 used there.
> 4. The posted passwords are believed to be ones the cracker wanted help
> with, i.e., they have significantly more already cracked.
>
> Apparently phishing emails are already active in the wild based on the
> crack:
>
> http://bits.blogs.nytimes.com/2012/06/06/that-was-fast-criminals-exploit-linkedin-breach-for-phishing-attacks/
>
> In other words, if you have a LinkedIn account, expect that the password
> has been stolen. Go change your password now. If you used that password
> elsewhere, you know the routine. In addition, as has been pointed out
> elsewhere, there's no sign LI has fixed the problem. Expect that the
> password you change it to will also be compromised.
>
> :-(
>
> --
> A picture is worth 10K words -- but only those to describe
> the picture.  Hardly any sets of 10K words can be adequately
> described with pictures.
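The Thorsheim quote earlier in this message (unsalted SHA-1 is a great risk; salt should be a minimum) is easy to see concretely. What follows is an added example, not code from this thread, from LinkedIn or from any of the people quoted. It builds a constructed four-user credential store the way the breached system is described (one SHA-1 over the raw password) and, beside it, a salted and iterated store using PBKDF2-HMAC-SHA256 from the Python standard library. The usernames, passwords, record format and iteration count are all assumptions made up for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample credential store (not real breach data): usernames and the
# passwords they chose. Several users sharing one weak password is typical of leaks.
SAMPLE_USERS: Dict[str, str] = {
    "alice": "linkedin2012",
    "bob": "linkedin2012",
    "carol": "correct horse battery staple",
    "dave": "linkedin2012",
}

PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune to your own hardware budget


def unsalted_sha1(password: str) -> str:
    """Hash a password the way the breached store did: one SHA-1 over the raw password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_unsalted_store(users: Dict[str, str]) -> Dict[str, str]:
    """Build a username -> unsalted SHA-1 digest table."""
    return {user: unsalted_sha1(pw) for user, pw in users.items()}


def duplicate_groups(store: Dict[str, str]) -> Dict[str, List[str]]:
    """Group usernames whose stored digests are identical.

    Without a salt, equal passwords give equal digests, so the dump alone reveals
    which accounts share a password, and recognising one digest exposes all of them.
    """
    groups: Dict[str, List[str]] = {}
    for user, digest in store.items():
        groups.setdefault(digest, []).append(user)
    return {d: sorted(u) for d, u in groups.items() if len(u) > 1}


def hash_salted(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated hash: fresh 16-byte random salt per record, PBKDF2-HMAC-SHA256.

    Record format (assumed for this example): "pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>".
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def build_salted_store(users: Dict[str, str]) -> Dict[str, str]:
    """Build a username -> salted PBKDF2 record table."""
    return {user: hash_salted(pw) for user, pw in users.items()}


if __name__ == "__main__":
    unsalted = build_unsalted_store(SAMPLE_USERS)
    # Three accounts collapse onto one digest: one recognised digest exposes all three.
    print("unsalted SHA-1, accounts exposed together:", duplicate_groups(unsalted))
    salted = build_salted_store(SAMPLE_USERS)
    # Same passwords, but every record differs, so the dump reveals nothing about sharing.
    print("salted PBKDF2, shared digests:", duplicate_groups(salted))
    print("verify alice:", verify_salted("linkedin2012", salted["alice"]))
```

The per-record salt removes the one-digest-exposes-many property the quote warns about, and the iteration count makes each guess cost the same work for the verifier and for anyone holding the dump, which is the point of preferring a deliberately slow construction over a single fast SHA-1.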




More information about the NANOG mailing list