LinkedIn Password Leak – Whose Interests Are Being Served?
- At June 07, 2012
- By Josh More
- In Business Security
As I’m sure most of you have heard, there is a LinkedIn password breach going on. As breaches continue to happen, they seem to move faster and faster. Within 24 hours of the breach occurring, 60% of over six million passwords were cracked. Since people are also reading blogs more quickly these days, I’ll leap straight into what you need to do. Then, if you’re still interested, keep reading for a bit of analysis.
- Change your LinkedIn password to something random, long and complex… at least 20 characters.
- Do not use this password anywhere else.
- If you don’t remember these sorts of passwords easily, use a tool like KeePass, LastPass or 1Password.
- If you are responsible for the security of others, get them to change their passwords too.
That’s it.
Now, let’s look at what happened. First of all, a set of six million hashed passwords appeared within the attacker community, along with a request for help in cracking them. The passwords are referred to as unsalted SHA1. This means that, while the passwords were hashed with a reasonable algorithm, they were not salted, which makes them much easier to crack and explains the speed with which they were found out.
The passwords were posted without email addresses. However, it is not reasonable to assume that malicious attackers would ask for help cracking passwords that they couldn’t use, so it is very likely that they have this information. They may well also have a pile of passwords that were NOT posted because they had already cracked those passwords. So, understanding these facets of the attacker community, let’s look at LinkedIn’s response.
- Members that have accounts associated with the compromised passwords will notice that their LinkedIn account password is no longer valid.
- These members will also receive an email from LinkedIn with instructions on how to reset their passwords. There will not be any links in this email. Once you follow this step and request password assistance, then you will receive an email from LinkedIn with a password reset link.
- These affected members will receive a second email from our Customer Support team providing a bit more context on this situation and why they are being asked to change their passwords.
On the face of it, this is reasonable. After all, if LinkedIn sent you an email with a password reset link, it’d look a whole lot like a fraudulent email with a password-stealing link. So, props to LinkedIn for thinking this through.
However, there is still the matter of trust.
See, the key to this whole response is “Members that have accounts associated with the compromised passwords”. This concerns me as it implies that LinkedIn pulled hashed passwords from their database and compared them to the PUBLIC breach data. This will necessarily miss any accounts that the attackers have not released. These could be accounts with simple passwords or particularly sensitive accounts. Suppose they filtered out all accounts that started as “ceo@” or “president@”. Intelligent criminals would want to keep those sorts of accounts to themselves, even if they took a while longer to crack.
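To make the two points above concrete, here is an added example (not code from the original post or from LinkedIn) using a constructed three-user table. It shows why unsalted SHA1 lets one published hash expose every account sharing that password, how a per-user salt plus a slow KDF removes that property, and why a “compare our database to the public dump” check flags only the accounts whose hashes were actually released.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Set, Tuple

# Constructed sample data, not real LinkedIn accounts: username -> password.
USERS = {
    "alice": "password123",
    "bob": "password123",  # same password as alice
    "carol": "correct horse battery staple",
}

def unsalted_sha1(password: str) -> str:
    """Bare SHA-1 of the password: the storage scheme the post describes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def salted_record(password: str, salt: Optional[bytes] = None,
                  rounds: int = 100_000) -> Tuple[bytes, bytes]:
    """Per-user random salt plus PBKDF2-HMAC-SHA256; the salt is stored beside the digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return salt, digest

def verify_salted(password: str, salt: bytes, digest: bytes,
                  rounds: int = 100_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, digest)

def affected_accounts(stored: Dict[str, str], leaked: Set[str]) -> Set[str]:
    """The check the post infers LinkedIn ran: flag users whose stored hash is in the dump."""
    return {user for user, h in stored.items() if h in leaked}

def demo() -> Tuple[bool, bool, Set[str]]:
    stored = {user: unsalted_sha1(pw) for user, pw in USERS.items()}
    # Unsalted: identical passwords give identical hashes, so cracking one cracks both.
    same_unsalted = stored["alice"] == stored["bob"]
    # Salted: the same password yields different records for alice and bob.
    salt_a, digest_a = salted_record(USERS["alice"])
    salt_b, digest_b = salted_record(USERS["bob"])
    salted_differ = digest_a != digest_b and verify_salted(USERS["bob"], salt_b, digest_b)
    # Constructed leak: only alice's hash was published; carol's was withheld by the attackers.
    leaked = {stored["alice"]}
    # bob is flagged because he shares alice's hash; carol is missed despite being at risk.
    flagged = affected_accounts(stored, leaked)
    return same_unsalted, salted_differ, flagged
```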
One of the core rules of dealing with a data breach is that if you don’t know how it happened and cannot prove that it only affected a limited number of accounts, you must assume that all of them are compromised. In this case, a better security response would be to put information about the breach on the front page. At this time, there’s nothing there. Once I log in, though, there is a tiny link under “LinkedIn Today” that references an article on CNN about the breach. Basically, there is nothing prominent or official other than their blog… which you must be following to notice.
The response that I would like to see would involve the following pieces:
- Information as to what happened and what LinkedIn is doing to prevent a recurrence.
- Information about how to select a good password and change it on the system.
- This information sent out via email, posted on the blog and highlighted after logging in to the system.
Instead, the best we get is this advice, which is inadequate. Let’s pick this apart. The original is in italics. My commentary will be in bold.
Changing Your Password:
- Never change your password by following a link in an email that you did not request, since those links might be compromised and redirect you to the wrong place.
- I agree with this.
- You can change your password from the LinkedIn Settings page.
- If your account has been compromised, you should be locked out and unable to access the Settings page. They should direct people to the next bullet instead.
- If you don’t remember your password, you can get password help by clicking on the Forgot password? link on the Sign in page.
- This is good, as it requires any password to involve an out-of-band mechanism like access to your email account.
- In order for passwords to be effective, you should aim to update your online account passwords every few months or at least once a quarter.
- Bad bad bad! Needing to change passwords frequently implies poor security on the part of the administrators. If they are monitoring their systems and capable of knowing when an event occurs, they will tell you when to change your password. People that are forced to frequently change passwords tend to select weaker passwords and use them on more sites. This means that if ANY site is breached, ALL accounts are placed at risk. This is probably the worst advice they give.
Creating a Strong Password:
- Variety – Don’t use the same password on all the sites you visit.
- Good. Also, don’t use the same base. For example, if you pick “password123” as a base, and your LinkedIn password was “password123LI”, it’s not a big stretch to “password123FB” for Facebook or “password123WF” for Wells Fargo.
- Don’t use a word from the dictionary.
- I think we put too much emphasis on this. The fact is that the dictionaries we use in the security world are very different from your average Merriam-Webster’s or OED.
- Length – Select strong passwords that can’t easily be guessed with 10 or more characters.
- I think that 10 is too short. I say 20 above. Most of mine are over 30. The longer the password, the more time you have to deal with resets in the event of a breach.
- Think of a meaningful phrase, song or quote and turn it into a complex password using the first letter of each word.
- Passphrases are good… completely random strings are better. I like to use passphrases to access my password wallets, and the wallets to store the real passwords.
- Complexity – Randomly add capital letters, punctuation or symbols.
- I agree with the general intent here, but humans are bad at randomness. Let a computer generate your passwords and you’ll be a lot better off.
- Substitute numbers for letters that look similar (for example, substitute “0” for “o” or “3” for “E”).
- Bad advice. Most attacker dictionaries include these substitutions so it only makes things more difficult for you.
- Never give your password to others or write it down.
- Well, never give your password to others anyway. If you can’t remember a good password, write it down. Just store the paper in a secure place… like a safe. Better yet, store it in a password wallet system that keeps the datafile in a digital “safe”, properly encrypted and away from prying eyes.
A few other account security and privacy best practices to keep in mind are:
- Sign out of your account after you use a publicly shared computer.
- You know what would be better? “Don’t sign into your account from a public computer.”
- Manage your account information and privacy settings from the Profile and Account sections of your Settings page.
- If you understand the privacy settings in each social media system you use, give yourself a gold star. Might be better if sites like LinkedIn had secure defaults and users could choose to weaken them.
- Keep your antivirus software up to date.
- Yes, because of all the LinkedIn viruses we see running amok. This is like a car company issuing a brake recall with the advice “remember to only drive on roads”. The truth is that anti-malware systems are needed because our operating system and application vendors have failed in their jobs. It’s not LinkedIn’s fault, but the advice doesn’t really belong here either.
- Don’t put your email address, address or phone number in your profile’s Summary.
- Really? I mean, REALLY? Isn’t the whole point of LinkedIn to share your contact information with others? Hmm… perhaps LinkedIn’s stock does better if people only contact one another through LinkedIn’s “mail” system. Then again, perhaps more people would use that system if it worked more reliably. Perhaps I’m editorializing a bit more than I should be. ;)
- Only connect to people you know and trust.
- This is interesting advice, given that many people use LinkedIn to meet new people and get new opportunities. LinkedIn offers very little to people that would actually follow this rule, as if you already know and trust someone, you already have their contact information. LinkedIn never really took off as a content platform like MySpace, Facebook or even Google+. Everyone knows that no one is going to follow this advice. Besides, the greater risk here is leaking your personal information to someone you “know and trust” whose account has been compromised. This is a case for a security tradeoff and careful consideration of what you share. A blind prohibition is not useful.
- Report any privacy issues to Customer Service.
- Here’s a bit of advice. Only refer people to your customer service when you know it’s good. Just sayin’.
Basically, what we have here is a situation where LinkedIn has strong incentives to downplay the issue. They look bad already, so the smaller and less significant the breach, the less immediate damage they face. They also very much do not want the world to seriously weigh the risks of sharing personal information via the Internet. After all, the entire business model of social media is riskier than we’d like to think. The sooner everyone figures this out, the less money the owners make and the more people in the industry lose their jobs.
This is in direct conflict with what the users (or product) of LinkedIn need. We need to be able to trust the people we give our information to. We need to know that they are doing what they should, investing in good technology, people and processes and being forthright with us as to what is going on. We need a partner that communicates with us with our own needs in mind, not just their own.
When one person is best served with honesty and the person they are talking to is best served by lying, there are going to be problems. Consider this in the wake of any breach, whatever side you land on. The long term future of any relationship in conflict is less than rosy.
Site Review – LinkedIn – Part 2
- At September 18, 2009
- By Josh More
- In Business Security
As a followup to my previous post on LinkedIn, I would like to recount a story that a friend told me the other day. I was visiting with Adam Steen of 25 Connections. Adam’s business is knowing people, and he knows pretty much everyone in the Des Moines business world. If you need a connection in this area, Adam is the guy to go to.
As with many of us in the small business world, he uses LinkedIn to help manage his contacts. However, his business is all about personal connections. This is great for his business, but does introduce a new type of attack that I had not previously considered.
Several months ago, Adam met someone who works in the financial industry. After a pleasant first meeting, he received a LinkedIn connection request. As we all do, he accepted the connection and thought no more of it. Then, last week, Adam got a call from a friend of his who informed him that this connection was using LinkedIn to call Adam’s friends and set up appointments. Of course, the friend accepted these appointments because the person appeared to be someone Adam trusted. After all, if Adam says someone’s good to work with, they usually are. However, Adam hadn’t actually vetted the connection. Instead, the attacker was using social engineering to make it appear as though he had. Once the appointment was made, Adam’s friend found himself sitting through one of the most uncomfortable high-pressure sales situations he had ever experienced.
So, how did this attack work?
First of all, it is entirely dependent on the nature of the social networking site. If the site is configured to allow your contacts to see one another, you have to consider whether the individuals to whom you are connecting are worth this level of trust.
Secondly, the attack is only useful if the connections are generally trustworthy. If Adam’s name hadn’t meant anything to the person being called, the appointment wouldn’t have been set up and the attack would have been foiled.
Third, if you have a number of close personal contacts who know you but not each other, and you use a social network that allows your friends to see one another, you may be vulnerable.
Now, in Adam’s case, he was able to identify the untrustworthy individual and remove him from his network. Since this particular variant was based on personal contact, the removal of the personal connection foils it. However, it would be trivial to make such an attack far more malicious. An attacker could forge an email from the trusted link that carries a malicious attachment or link. The target then, thinking that the message came from someone very trustworthy, would be fooled into running the code, allowing the attacker to get whatever information they wanted.
So, how do you protect yourself… and more importantly, your contacts?
Think about who you’re connecting to, and if you get a request from a friend of a friend, make sure that it’s legitimate. This could be as simple as picking up the phone and calling the purported shared link. (Odds are that you don’t talk often enough anyway.) Also, if you are in the habit of connecting people to one another, try to connect them at the same time. I find that it’s easiest to send an email to yourself and copy them both on it. That way, they get one another’s address, see that you are vetting them both, and you have a copy of the connecting email should you need it later. This also makes it more likely that someone who bypasses the process will be caught, as the approach would seem unusual from the start.
This may be a good time to review your contacts and make sure that they’re really what they should be.
Site Review – LinkedIn
- At August 21, 2009
- By Josh More
- In Business Security
Who doesn’t know about LinkedIn by now? This business-focused social networking site has been around seemingly forever (2003 is forever ago, right?). There are even blogs dedicated to helping you maximize your use of LinkedIn. Really, what more can I add?
You probably already know the basics. If you have an account on LinkedIn, you can add all the business associates you know to your account. This gives you a sort of online Rolodex that you can access from anywhere. Digging deeper, you can use groups to find the contact info for people you know, but perhaps not well. You can ask and answer questions and try to use the network to find contacts deeper within an organization.
It’s very useful for sales people and job hunters… and since everyone will likely be one or the other at some point in their career, most people are on it.
However, like all systems, there is a dark side. Many security practitioners constantly caution about putting personal information online. This information can be used in social engineering attacks against a business or to engage in identity theft. If someone manages to get your LinkedIn credentials, they also get access to all of your contacts. For a sales person, this can result in loss of competitive advantage. Moreover, if someone untrustworthy manages to link into your network, they can see everyone you know. This information can be used to target existing clients or uncover information about the structure of your company and related ones. On the other hand, this same design allows legitimate people in your network to leverage your extremely valuable connections, which can strengthen your relationships with all parties involved.
This is a fairly typical risk management problem. If you put data into the system, you run the risk of its being misused. But if you do not, your competitors can leverage their networks better than you. What can you do?
The solution that most people take is to simply ignore the risk. They assume that everyone is who they claim to be and will link willy-nilly to all and sundry. Some of them even claim to be LIONs (LinkedIn Open Networkers) and will link to anyone who expresses an interest, often attempting to link to complete strangers. (In the physical world, we use a different word to describe this behavior, but that veers from the topic at hand.)
Another solution is to ignore the site altogether. If your data isn’t online it can’t be compromised. Many in the security community approach it this way. It is the most secure solution, but you also lose all the benefits.
Of course, there is a middle ground. By using out of band techniques, you can have a reasonable assurance of a person’s identity. For example, if you receive a LinkedIn invitation, you should first check out their profile and make sure that it matches what you expect. Then, you should send them an email or give them a call outside of the LinkedIn system and make sure that they intended to send you the request. If they say “yes”, then you know that they are legitimate and you can add them to your network if you know them to be trustworthy. This doesn’t address all of the risks, but it does hit the major ones while still allowing you to use the system to your advantage.
