LinkedIn Breach Blamed on Rusty Security

LinkedIn has reported that some of its users’ passwords have been stolen and published on the Internet. The company is withholding details, including exactly how many passwords were compromised.

Members with accounts associated with the compromised passwords will find that their LinkedIn account password is no longer valid, and they will be receiving an email from LinkedIn with instructions on how to reset the password, the company said.

It is continuing to investigate the breach.

LinkedIn recently enhanced its security, it said, so the new passwords and the passwords of people’s accounts that were not compromised will be protected by the “hashing and salting of our current password databases.”

From this, one can conclude that LinkedIn previously was not hashing and salting its password database, which is a major black eye for the site as that has been a security best practice for the past decade, according to Dave Pack, director of LogRhythm Labs.

“It is a good indicator of LinkedIn’s Web application security” or lack thereof, he told the E-Commerce Times.

Not having that in place “has raised a lot of eyebrows,” added Pack. “People are concerned that if this is how they treated passwords, what other protections are they lacking?”

A Big Fail

LinkedIn gets a big fail for this, security consultantRobert Siciliano told the E-Commerce Times. “They are in the business of connecting people in business and know the implications of lax security.”

There isn’t a financial issue with the loss of these passwords, such as there would be if a bank or credit card or retailer had been hacked, he explained.

However, most people tend to use the same passwords for multiple accounts, which is likely why the hackers targeted LinkedIn. They are business users who probably have multiple financial accounts that they also access online.

What LinkedIn Should Have Done

LinkedIn’s master password file presumably stored the user name and password hash for each user, explained Paul Kocher, chief scientist at Cryptography Research.

“Storing hashed passwords is better than storing the password directly, since it means that someone who steals the password list has to go through a guessing process to figure out individuals’ passwords,” he told the E-Commerce Times.

LinkedIn’s failure was a serious one, though, he acknowledged, noting that the hacker with the master password file who wants to crack passwords can do the following:

1. Make a list of all users’ hashes, sort the list and remove the duplicates;
2. For each password guess, compute its hash;
3. Look to see if the hash appears on the sorted list from step 1. If so, then go back to the original file to see which user(s) have the candidate password. [=password now cracked]; and
4. Repeat steps 2-3 for additional password guesses.

Steps 2-4 can be done very quickly, in the millions per second range, using automated tools, Kocher said.

“What LinkedIn should have done in the hashing is to include an entry-specific or account-specific field,” he added.

In crypto-speak, this is called a “salt” or “nonce,” Kocher noted.

“Salting helps reduce the speed of the attack, since each candidate password needs to be tested separately by the attacker for each user,” he explained. “Even if LinkedIn had correctly salted their passwords, exposure of the hashed password list is a very serious breach. The additional overhead of having to check each candidate password against each user isn’t a huge impediment.”

It’s quite possible that the attacker has full LinkedIn profile info as well, making cross-referencing easy, Kocher concluded. “As a result, users need to change their LinkedIn passwords immediately, and — even more importantly — also change all passwords that are in any way related to the LinkedIn password.”