...So I write a blog post about security awareness and the following week LinkedIn publish details of a hack.
I've not found official confirmation yet but it sounds like they were hashing data items such as passwords with SHA-1, which could be classified as a weakened encryption algorithm on its own, but LinkedIn may also not have been salting passwords.
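As an added illustration of the point above (example code written for this post, not LinkedIn's code), the following Python puts the weak scheme the post describes, a bare SHA-1 of the password, beside a per-user salted, deliberately slow PBKDF2 store; the usernames and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional

# Constructed sample data: two users who happen to choose the same weak password.
SAMPLE_USERS = {"alice": "123456", "bob": "123456"}


def unsalted_sha1(password: str) -> str:
    """The weak scheme: a bare SHA-1 of the password and nothing else.
    Equal passwords give equal digests, and because nothing per-user goes
    in, a leaked digest can be matched against a precomputed table."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None, iterations: int = 100_000) -> str:
    """Hardened form: random per-user salt plus a slow key derivation.
    Returns 'iterations$salt_hex$digest_hex' so the parameters are stored
    with the digest and can be raised later without a schema change."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    iterations, salt_hex, _ = stored.split("$")
    candidate = salted_hash(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, stored)


def build_store(users: Dict[str, str], hasher: Callable[[str], str]) -> Dict[str, str]:
    return {name: hasher(pw) for name, pw in users.items()}


def count_duplicate_digests(store: Dict[str, str]) -> int:
    """Number of users whose digest is shared with another user. In an
    unsalted store this reveals password reuse before any guessing starts."""
    seen: Dict[str, int] = {}
    for digest in store.values():
        seen[digest] = seen.get(digest, 0) + 1
    return sum(n for n in seen.values() if n > 1)


if __name__ == "__main__":
    weak = build_store(SAMPLE_USERS, unsalted_sha1)
    strong = build_store(SAMPLE_USERS, salted_hash)
    print("unsalted duplicates:", count_duplicate_digests(weak))   # 2
    print("salted duplicates:", count_duplicate_digests(strong))   # 0
    print("verify bob:", verify_salted("123456", strong["bob"]))    # True
```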
I've also found another potential vulnerability across devices / platforms after changing my own password on LinkedIn. Will let them know and hope they add that to the list. Doesn't look like a big problem but could create an attack vector in < 1% of scenarios.
If you're affected by this situation I'd recommend the following for browser-based applications:
- Don't use "password", "123abc", "123456" or your own name as your password. Don't use the same password across different applications / accounts
- Change your LinkedIn password (if you haven't already done so)
- Change it again in a week and then the following week. If the people at LinkedIn haven't shored up the gap in their defences there could be further intrusions
- Change your account password on any related email accounts that are linked to your LinkedIn account. This second layer of defence probably isn't necessary but is a good idea
- Always hit the "Log Out" or "Sign Out" button / link when you're done instead of just closing the browser window
- Don't have Facebook, Gmail / G+ / etc, Hotmail or Twitter open at the same time as LinkedIn in the same browser, just in case there's a potential XSS or XSRF vulnerability across any of the applications
"He's just paranoid!", I hear you say. Guess what - Sony got hacked again this week so what's to say we won't see repeats here either?
Update - 5th July
It took LinkedIn four days to get back to my initial report / request for contact, guess they must have been pretty busy at the time *cough*. Essentially the response was "There's nothing to see here, move along" and when I retested about a week later I couldn't reproduce the problem.

Bottom line, problem fixed. From everything I've been reading in the press about the company it's been a policy of denial in an attempt to save face.