On June 6th 2012, a Russian hacker called on the virtual community to assist in de-hashing a database of some 6.3million user passwords from a dump of the LinkedIn user accounts. Initially, LinkedIn did not confirm (http://blog.linkedin.com/2012/06/06/updating-your-password-on-linkedin-and-other-account-security-best-practices/) the issue while they investigated and would only later admit to the failure (http://blog.linkedin.com/2012/06/06/linkedin-member-passwords-compromised/) asking users to reset their passwords.
Some key points are worthy of note:
- The dump contained 6.3million password entries, but this may not reveal the true extent of the compromise. A hacker will typically only release passwords for processing keeping the most valuable information, like usernames, to themselves.
- The dump file was decoded easily because passwords were stored with a simple cryptographic hashing algorithm with no salting.
- LinkedIn has not yet explained the root cause of the security breach but has changed the password storage protocol.
- Some reports by the press and social network discussion have included links to web sites that claim to look for your password in the dump. These links could be nefarious and try to collect more information that is valuable.
LinkedIn’s wide adoption in the business world for marketing, recruitment and other activities makes it certain that staff in your company is using it. Moreover, despite IT security policies, training, and awareness campaigns, many will continue to choose the same password and usernames for many different services. This is always concerning but even more so when a security breach like that suffered by LinkedIn occurs because information available in a typical LinkedIn user profile could provide enough details to:
- Identify the user’s company and thus the primary points of entry;
- Identify the user’s username (e.g. the company e-mail address) and with the password recovered from the dump, obtain a serious vector of attack. An even more severe risk given the potential password re-use.
From this, a “hacktivist” using the right account information could post information about your company which appears authoritative but which is detrimental to your business or stock price.
IT security professional are responsible for helping mitigate risks associated with a breach like the one suffered by LinkedIn. There are some obvious lessons to be learnt:
- User awareness and training is the most important mitigation. Take the opportunity to re-launch a password campaign reminding users not to choose the same password for public, private and corporate purposes and encourages them to choose complex pass-phrases instead of simple passwords for each service they access.
- Ensure your password policies are up-to-date and promote for regular and forced change at the application level or in the credentials repository.
- Revisit Data Loss Prevention (DLP) techniques and increase monitoring of how your company’s profile and information appears on the Internet.
- Investigate the benefits of deploying Simplified Sign-On or Password Management Solutions to help users generate individual passwords for their different services.
There are also lessons to be learnt with respects to corporate applications:
- Review existing user account management solution. For internal use only applications, is it using the corporate identity store and, if not, why not? If an application is external (customer facing) examine how the account database stores and manages usernames and passwords
- If an application stores passwords, review the application code to check how. Make sure cryptographic protocols being used are implemented correctly, have optimal settings and adhere to best practices (e.g. using SHA-2 with a salt instead of SHA-1). Finally, consider using multiple cryptographic solutions to protect the stored password.
- Perform penetration testing on valuable or high-risk applications (e.g. Internet facing applications) to identify and manage any potential vulnerability that could put account information at risk.
- Review the applications and apply recommendations from industry recognized frameworks like OWASP.
Against this backdrop, one of the most important points is to deal with these and other lessons are proactively rather than reactively. A Secure Development Lifecycle (SDLC) process that engages security and development teams as well as business practitioners is essential.
Today, you can no longer think in terms of if your company is hacked but when. Consequently, your company must protect the valuable information it stores, especially account data, with adequate practices and embed sensible ways of working that minimise the impact of any security breach.