LinkedIn Password Breach

Six and a half million users of the ubiquitous business networking site LinkedIn have apparently had their passwords stolen.

Online security experts say site members should change their passwords right away.

As of this morning, PC World reported, only a minority of the passwords appeared to have actually been exposed. A file containing the 6.5 million security codes showed up on a Russian online forum, but the codes were “hashed”—meaning they had been run through a one-way hash function rather than stored as plaintext. However, according to PC World, the hashing scheme used allows attackers to recover simple passwords fairly easily because it does not include “salting,” the addition of random data to each password before it is hashed.

The uploaded file did not include usernames, but experts say that doesn’t mean that whoever stole the passwords does not have those as well.

LinkedIn has said it’s looking into the reports. At 11:18 this morning, the company tweeted “Our team continues to investigate, but at this time, we’re still unable to confirm that any security breach has occurred. Stay tuned here.” However, many users are reporting that they’ve been able to find their own hashed passwords in the leaked file.

LinkedIn has a total of 150 million users worldwide, so ZDNet writer Zack Whittaker points out the breach appears so far to affect a small portion of the user base. However, Whittaker also notes that the breach could be a major blow to the site’s reputation.

The incident comes on the heels of a report that a LinkedIn calendar app on iOS sends information back to the company without explicit permission. LinkedIn responded that this is done only if users opt in and that the information sent is kept secure.

IT Security and Training reduce Cyber Attacks

Increase in cyber attacks cost firms nearly $50K per year

Cyber attacks, whether for political reasons, for financial gain or just for fun, have grown sharply over the last year. Increased spending on security and training is doing much to stem the flow of information into the wrong hands. A Symantec survey of 1,425 IT managers across 32 countries revealed that the $35 billion currently spent on IT support services and security is expected to rise to over $49 billion in the next three years, with many companies opting for security through cloud computing packages. With data breaches affecting even the biggest corporations (the recent hacking of Zappos comes to mind), everyone is taking security more seriously. The survey found that cyber attacks in 2011 cost companies an average of $470,000 in lost revenue, downtime and loss of brand confidence.

Cyber attacks include spam, viruses, fraud, data theft, vandalism and denial of service. A poll by Juniper Network had 77% of respondents saying cyber attacks are more frequent and severe than they have been in the past, while 90% of respondents claimed to have suffered a data breach in the last year.

The rapid increase in attacks comes as employees bring their own devices into the workplace. 29% of security breaches occurred on tablets and smartphones and 34% on employee laptops. As employees increasingly introduce personal devices into the workplace, security controls have to be deployed and protocols established to secure sensitive data on those devices.

Companies that turn to IT consulting specialists and invest in security and training for employees suffer a far lower rate of security breaches. The survey revealed that top-tier companies that used IT consulting firms to bolster security and staff training benefitted from two and a half times fewer attacks than companies that did not invest in security.

Downtime is by far the most frustrating consequence of compromised security, and here the advantage of investing in an IT consulting firm to provide security is self-evident. Companies that had not made adequate investments in security suffered 2,765 hours of downtime a year, compared with 588 hours for companies that had.

Not utilizing IT consulting specialists or investing in security and training means damage and downtime that is sure to cost more than the initial security investment would have. It makes financial sense to invest in protecting customers and data from cyber attacks. As more employees bring their own devices to the workplace, it is imperative to establish security across the board and protocols aimed at securing data on all devices.

Weak passwords and their drawbacks

The topic of password strength is an important one, especially since passwords are used everywhere these days. When creating a password, it is generally a good idea to make it at least 8 characters and use numbers throughout it. Using symbols will make it even stronger. Let’s go over some reasons why weak passwords are bad and talk about common methods that are used to crack them.

The first and most obvious reason that weak passwords are bad is that they are easy to crack. One of the most commonly used methods for cracking weak passwords is called a dictionary attack. This is when someone takes a huge list of words and tries each word against your password to see whether it matches. There are many “custom” dictionaries floating around the internet specifically for this purpose. To the attacker, the benefit of a dictionary attack is that it’s incredibly fast and will usually reveal most weak passwords with no numbers or symbols. A major drawback of dictionary attacks is that they rely on the password being weak and using a word that’s in the list (usually an English word). Therefore, it is important not to use an English word that may be in a dictionary as your password. Many of the custom dictionaries have been modified so they will catch words like “passwd” and other words with numbers attached to the end. Sometimes, patterns of numbers like “123456” are included.
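Why the dictionary attack described above is so cheap against the unsalted hashes in the LinkedIn post, as an added example that is not from the original post or from LinkedIn: a constructed wordlist and a constructed leak of unsalted hashes, where one lookup table cracks every weak entry, beside per-user salted PBKDF2 storage, where no shared table exists. SHA-1 for the unsalted scheme, the wordlist, the leaked passwords and the PBKDF2 work factor are all assumptions for illustration.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the "custom dictionaries" described above.
WORDLIST = ["password", "letmein", "linkedin", "passwd", "123456", "qwerty"]

def unsalted_hash(password: str) -> str:
    # Assumed unsalted scheme: one SHA-1 over the password and nothing else.
    return hashlib.sha1(password.encode()).hexdigest()

# Constructed "leak": two weak passwords and one long one, hashed without salt.
LEAKED = [unsalted_hash(p) for p in ("password", "letmein", "Tr0ub4dor&3-xylophone")]

def dictionary_lookup(leaked_hashes, wordlist):
    """Hash each word once, then look every leaked hash up in that table.
    Without salt one table serves the whole leak; the cost is len(wordlist) hashes."""
    table = {unsalted_hash(w): w for w in wordlist}
    return {h: table[h] for h in leaked_hashes if h in table}

PBKDF2_ROUNDS = 100_000  # assumed work factor; tune to the server's budget

def salted_hash(password: str, salt: bytes = None) -> tuple:
    """Store (salt, digest): a fresh random salt per user, stretched with PBKDF2."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison

def same_password_differs_when_salted() -> bool:
    """Two users who both choose "password" get different digests, so a precomputed
    table cannot serve both: each guess must be recomputed per salt, per user."""
    salt_a, digest_a = salted_hash("password")
    salt_b, digest_b = salted_hash("password")
    return (digest_a != digest_b
            and verify_salted("password", salt_a, digest_a)
            and verify_salted("password", salt_b, digest_b)
            and not verify_salted("letmein", salt_a, digest_a))

if __name__ == "__main__":
    cracked = dictionary_lookup(LEAKED, WORDLIST)
    print(f"recovered {len(cracked)} of {len(LEAKED)} unsalted hashes: {sorted(cracked.values())}")
    print("salted digests differ for identical passwords:", same_password_differs_when_salted())
```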

If you use the same password for almost everything, you’ll want to pay attention to this point. If you’re using a weak password and someone attempts to crack it using a dictionary attack, there’s a relatively good chance that they will succeed. If that’s the case, attackers will try the credentials they just stole from you on other sites as well. It’s fairly common for people to use the same password for multiple services. Now, not only has someone gained your information for one site, but for many sites. By using a weak password and reusing it in other places, you’re effectively compromising many of your accounts at once.

Let’s take an example of someone using a stronger password with numbers and symbols, but only 4 characters in length. There is another method of cracking passwords called a brute-force attack. This method tries to guess the password in question using every combination of letters, numbers, and symbols possible. The major drawback to brute-force attacks is that they can take an incredibly long time, and are sometimes impractical for this reason. Brute-force attacks take considerably more time for each additional character a password has. So you can imagine that a password that’s 4 characters in length wouldn’t take nearly as long to crack as a password that’s 10 characters or more.

As you can see, it’s not just using numbers, symbols, and a mix of capital and lowercase letters that makes a password strong. The password’s length contributes an enormous amount to its strength. Also, keep in mind that sometimes brute-force attacks are combined with dictionary attacks to improve speed and efficiency. Sometimes this is effective, sometimes it’s not. It really all comes down to the password in question.
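The length-versus-variety argument above, worked through as an added example that is not part of the original post: the alphabet a brute-force search must cover is inferred from the character classes a password uses, the number of candidates up to its length is summed, and a short full-charset password is compared with a long lowercase one. The two sample passwords and the guess rate are assumptions chosen for illustration.

```python
import math
import string

# The character classes the post lists: lowercase, uppercase, digits, symbols.
CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "symbol": string.punctuation,      # 32
}

def charset_size(password: str) -> int:
    """Alphabet an exhaustive search must cover: the union of every class the
    password actually uses (an attacker who knows which classes are in play)."""
    size = sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))
    if size == 0:
        raise ValueError("password contains no recognised character class")
    return size

def keyspace(password: str) -> int:
    """Candidates of length 1..len(password) over that alphabet: every
    combination the post says a brute-force attack has to try."""
    n, length = charset_size(password), len(password)
    return sum(n ** k for k in range(1, length + 1))

def seconds_to_exhaust(password: str, guesses_per_second: float) -> float:
    return keyspace(password) / guesses_per_second

def entropy_bits(password: str) -> float:
    return math.log2(keyspace(password))

def compare(short_complex: str, long_simple: str, guesses_per_second: float) -> dict:
    """Worst-case search time for a short full-charset password versus a long
    lowercase-only one, showing that length outweighs character variety."""
    return {p: seconds_to_exhaust(p, guesses_per_second)
            for p in (short_complex, long_simple)}

if __name__ == "__main__":
    RATE = 1e9  # assumed guess rate for an offline attack against a fast hash
    for pw, secs in compare("A1$b", "mydogisnamedrex", RATE).items():
        print(f"{pw!r}: charset {charset_size(pw)}, {entropy_bits(pw):.1f} bits, "
              f"{secs / 86400 / 365:.2e} years at {RATE:.0e} guesses/s")
```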

Think twice when using public or unsecured Wi-Fi

Public Wi-Fi has always been an insecure environment, but it’s gotten much worse lately. Not too long ago, a Firefox add-on called Firesheep was released. It works by capturing or “sniffing” packets on the network you’re connected to and looking for connections to the sites it recognizes. If a user logs in to one of those sites, it captures the cookie that the site sends to the user’s computer after the login has been authenticated. Note that once the user has been authenticated, many of these sites no longer use an HTTPS connection, and instead rely on the cookie sent after login to allow that specific user access to other parts of the site. Once Firesheep has that cookie, an icon shows up in the add-on’s window indicating which site and user it has hijacked. All the attacker needs to do after that is double-click the icon, and he will then be logged in as you on the corresponding site.

The creator said its purpose is to make sites like Flickr, Twitter, Facebook, and Google aware of their security flaws so they will fix them. The best thing sites like these can do to mitigate Firesheep is utilize SSL (HTTPS) everywhere, not just when you login. It is uncertain whether these companies are going to implement that or not. One of the worst things about this add-on is that it makes session hijacking or “hacking” easy enough for anyone to do. Before Firesheep, the same kind of session hijacking attacks were possible and were frequently exploited, but it required a good amount of knowledge and an understanding of networking, sessions, and various protocols.

There are workarounds currently out there. There’s a Firefox add-on called HTTPS Everywhere and another called Force-TLS that will help, but I would personally recommend not using any social networking, banking, or other sensitive websites over public hotspots. If you really know what you’re doing, one of the better alternatives is to set up a proxy server and configure your laptop to reach it through an SSH tunnel for internet access.
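The exposure Firesheep relies on is a session cookie that the browser will send over plain HTTP after login. As an added example that is not part of the original post, this audit checks a site’s login response for cookies that lack the Secure attribute and for a missing HSTS header, the server-side counterpart of the “HTTPS everywhere” fix the post recommends. The response headers, cookie names and values are constructed for illustration.

```python
# Constructed login responses. Header names are lower-cased, as most HTTP
# client libraries present them; cookie names and values are made up.
INSECURE_LOGIN_RESPONSE = [
    ("set-cookie", "sessionid=c0ffee1234; Path=/; HttpOnly"),
    ("set-cookie", "prefs=dark; Path=/"),
]
HARDENED_LOGIN_RESPONSE = [
    ("set-cookie", "sessionid=c0ffee1234; Path=/; HttpOnly; Secure; SameSite=Lax"),
    ("strict-transport-security", "max-age=31536000; includeSubDomains"),
]

def parse_set_cookie(value: str):
    """Split a Set-Cookie value into (name, attributes). Flag attributes such as
    Secure and HttpOnly map to True; valued ones such as Path keep their value."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val if val else True
    return name, attrs

def audit_login_response(headers, session_names=("sessionid",)):
    """Return findings a site owner would act on. A cookie without Secure is sent
    on every http:// request to the site, which is exactly what a sniffer on an
    open Wi-Fi network sees; without HSTS the browser may still make such
    requests even when the site offers HTTPS."""
    findings = []
    for key, value in headers:
        if key != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if "secure" not in attrs:
            findings.append(f"cookie {name!r} lacks Secure: transmitted over plain HTTP")
        if name in session_names and "httponly" not in attrs:
            findings.append(f"cookie {name!r} lacks HttpOnly: readable by injected scripts")
    if not any(key == "strict-transport-security" for key, _ in headers):
        findings.append("no Strict-Transport-Security header: HTTPS is not enforced")
    return findings

if __name__ == "__main__":
    for label, response in (("insecure", INSECURE_LOGIN_RESPONSE),
                            ("hardened", HARDENED_LOGIN_RESPONSE)):
        print(label, audit_login_response(response) or ["no findings"])
```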