LinkedIn password file disclosure: the biggest social engineering attack ever?
What is the real security value of having end-users authenticate with a static password and accounts on multiple sites and services in a public environment? The disclosure of a password file belonging to LinkedIn by Russian hackers proved again that end-users do not realize the risk of using a single password for multiple sites, but it also showed another risk caused by a lack of awareness around password use.
In summary, what happened on the 6th of June: Russian hackers obtained and disclosed a password file that the LinkedIn social media site used to store password hashes. A “hash” is a one-way value computed from the original password; the system that processes authentication requests stores the hash instead of the password itself. Unfortunately LinkedIn did not follow the best-practice security rule of adding a “salt” to the hash function, an extra random value hashed together with the password so that the result depends on more than the password alone. Due to this weakness, the password file was vulnerable to simple attacks.
Depending on the hash algorithm and digest length used, it is quite difficult and CPU-intensive to recover the passwords from the hash values alone. However, with the help of pre-computed tables, also called “rainbow tables”, there is no need to break the hash algorithm at all: simply comparing the leaked hash values with the entries in the rainbow table does the job. Rainbow tables are built from many sources, such as dictionaries, books, commonly used passwords and other word lists, whose entries are hashed in advance and stored together with their hashes.
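As an added illustration (this is not code from the article or from LinkedIn), the following Python shows why the missing salt mattered: a lookup table precomputed from a constructed wordlist recovers an unsalted hash by comparison alone, while a per-user random salt makes the same table useless, and a slow salted KDF raises the cost of each guess on top. SHA-1 is assumed here as the fast hash; the wordlist and the "leak" are constructed.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the dictionaries, books and
# common-password lists that feed a rainbow table.
WORDLIST = ["password", "123456", "linkedin", "letmein", "oliver twist", "qwerty"]

def fast_hash(password: str, salt: bytes = b"") -> str:
    """Unsalted (salt=b"") or salted SHA-1. SHA-1 is an assumption here,
    standing in for whatever fast, unsalted hash the leaked file used."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()

def build_lookup_table(words):
    """Precompute hash -> password once; the table is reusable against
    every future leak that hashes the same way without a salt."""
    return {fast_hash(w): w for w in words}

def recover(table, leaked_hashes):
    """Recover passwords by comparison only: nothing is 'cracked'."""
    return {h: table[h] for h in leaked_hashes if h in table}

def store_salted(password: str):
    """Defender side: a fresh random salt per user, stored beside the hash.
    The same password now yields a different hash for every user."""
    salt = os.urandom(16)
    return salt, fast_hash(password, salt)

def verify_salted(password: str, salt: bytes, stored: str) -> bool:
    """Constant-time comparison of the recomputed salted hash."""
    return hmac.compare_digest(fast_hash(password, salt), stored)

def store_slow(password: str, salt: bytes, iterations: int = 200_000) -> str:
    """Better still: a deliberately slow, salted KDF (PBKDF2-HMAC-SHA256),
    so each guess costs the attacker real CPU time as well."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()

if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    # Constructed "leak": two unsalted hashes, one from the wordlist, one not.
    leak = [fast_hash("linkedin"), fast_hash("correct horse battery staple")]
    print("unsalted leak, found by lookup:", recover(table, leak))
    salt, stored = store_salted("linkedin")
    print("salted hash of the same password in the table?", stored in table)
    print("salted verify:", verify_salted("linkedin", salt, stored))
```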
Even Charles Dickens helped to deliver common words in order to generate password dictionaries.
What's interesting is what happened after this attack became public: many news sites reported on it, and their readers wanted to know whether their password was inside the disclosed list of 6.5 million hashes. This list seemed to contain only hashes and no account information such as username or email address, so on its own it was quite worthless to start with. “Smart” commenters on those news sites, however, suggested using online tools where you enter your password to calculate its hash. With that hash, they suggested, you could use another online tool to search the disclosed password file and see whether your password was in it.
Obviously, if strong passwords (more than 8 characters, not found in a dictionary) are used, the chance that a password already exists in today's rainbow tables is much smaller. However, it is only a matter of time before strong passwords appear in those tables as well.
Getting your hash online is simple; Google will help you find the tools. And you can find examples of huge rainbow tables on the Internet that use the input of their many visitors to expand their tables.
Would you share your password or hash on those sites and have them figure out your password and provide your IP address as a bonus, too? No, that is not very smart...
It is hard to say how many people followed that “advice,” but those who did have been very helpful in further completing the existing rainbow tables on the internet. A more important implication is that those users, unaware of what they were doing, have now revealed their password, its hash AND their IP address to the owners of those sites. You can imagine that many black hat hackers are very interested in tables that link passwords and hashes to IP addresses, which can be sold for a lot of money. Although not organized, this could be the biggest social engineering attack ever.
In the meantime LinkedIn have done the best they can for their users: they secured and locked the affected accounts and added a "salt" when computing the hashes, but the damage has already been done. Users are advised to change their passwords on all systems on the internet where they used the same password as for their LinkedIn account. Needless to say, an incident like this can happen to any internet site that needs a username/password for login and does not properly manage its security controls.
What have we learned here? Well, actually we have known this for many years already: the end-users, and especially those who are not aware of security risks, are the weakest link.
Specifically in this case, using the same weak passwords on multiple systems on the Internet is not a good idea. The implication is that users cannot remember many different passwords, so they will be forced to store them in special password safes, in their browsers, or even in clear-text documents on their devices.
Password safes are quite secure, but they are also protected by a single password that may be used everywhere else. The risk is even greater considering that many people, unaware of the risk of their actions, started to use tools on vague websites into which they entered their credentials, including passwords that may be used in both their private and their business environment and on many different devices such as smartphones.
Organisations, but also individuals working with sensitive data, can only mitigate this risk by implementing an authentication methodology that does not allow the use of static passwords made up by the user. In addition to a thorough security awareness program for their users, companies should take a close look at the risk of their systems and consider two-factor and single sign-on systems everywhere. A variety of authentication methods is available, including several types of hardware and software tokens, USB and grid tokens, depending on the sensitivity of the data accessed and the type of device used.
Now, take a look at the way you manage your own passwords: do you use the same passwords in multiple places in a mixed private, public and organisational environment?
Did you consider the risk that your end-users use the same static passwords used in your organisation and your (public) cloud applications to create accounts on multiple Internet sites?
image © pn_photo - Fotolia.com
July 4, 2012
Hi Marcel,
Great article nailing all key points. Dual-factor and SSO are critical both at work and for all our personal websites indeed, and organisations should be helping their employees learn about those security practices as well as point them towards possible tools. This is necessary given that, as you pointed out, employees - who are also consumers - use the same passwords for both work and personal web services, so exposing the organisation's corporate assets indirectly. I referred to your article and shared one of the ways to better secure passwords (disclosure: I'm just a fan!)
June 26, 2012
This turn of events has reminded me of a couple of things regarding social networks, security & passwords. First, no social media network is immune to being hacked and having its "dirty laundry" aired to the world. Any time one chooses to share or publicize information via social networks, whether it be geo-localized information (e.g., via 4Square, Yelp check-ins, Facebook check-ins, etc.), travel plans (e.g., TripIt), or relationships (e.g., via Twitter, Facebook), there's a risk that that information is going to make its way to public view, or that someone will be able to leverage it for unintended purposes. What was surprising about this leak is that it wasn't an early start-up or some novice company; it was a leading professional social network that was exposed.
Second, protecting the hashes inside the password file with a salt should be standard any time a company is entrusted with data from clients; there should be a minimum level of security that users can expect a website to use when they collect user data.
And, lastly, people/users need to start taking the passwords they use much more seriously than they do today, and more companies need to start using two-factor authentication for access to their critical systems.