Sunday, June 10, 2012

Jinxed It

...So I write a blog post about security awareness and the following week LinkedIn publish details of a hack.

I've not found official confirmation yet but it sounds like they were hashing data items such as passwords with SHA-1. Which could be classified as a weakened encryption algorithm on its own, but LinkedIn may not have been salting passwords.
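To make the salting point concrete, here is an added example (my own code, not LinkedIn's) contrasting a bare SHA-1 digest with a per-user salted, iterated hash using Python's hashlib; the sample passwords and the stored-record format are constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Iterable, Optional


def unsalted_sha1(password: str) -> str:
    """Bare SHA-1 of the password: the same password always yields the same
    digest, so a leaked dump reveals which accounts share a password and a
    single precomputed table applies to every record at once."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 100_000) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256). Each record carries its own
    random salt, so equal passwords give different stored values and any
    precomputation has to be repeated per user. Record format is constructed:
    algo$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant
    time so the check itself does not leak timing information."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), dk_hex)


def duplicate_hash_count(stored_values: Iterable[str]) -> int:
    """Number of distinct stored values that occur more than once. Any value
    above zero in a password table means identical passwords are visible."""
    return sum(1 for n in Counter(stored_values).values() if n > 1)


if __name__ == "__main__":
    # Constructed sample: two users who chose the same weak password.
    unsalted = [unsalted_sha1(p) for p in ("password", "password", "123456")]
    salted = [hash_password(p) for p in ("password", "password", "123456")]
    print("unsalted duplicates:", duplicate_hash_count(unsalted))  # 1
    print("salted duplicates:  ", duplicate_hash_count(salted))    # 0
    print("verify ok:", verify_password("password", salted[0]))    # True
```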

I've also found another potential vulnerability across devices / platforms after changing my own password on LinkedIn. Will let them know and hope they add that to the list. Doesn't look like a big problem but could create an attack vector in < 1% of scenarios.

If you're affected by this situation I'd recommend the following for browser-based applications:

  1. Don't use "password", "123abc", "123456" or your own name as your password. Don't use the same password across different applications / accounts
  2. Change your LinkedIn password (if you haven't already done so)
  3. Change it again in a week and then the following week. If the people at LinkedIn haven't shored up the breach in defences there could be following penetrations
  4. Change your account password on any related email address accounts that are held on your LinkedIn account. Double defensibility probably isn't necessary but is a good idea
  5. Always hit the "Log Out" or "Sign Out" button / link when you're done instead of just closing the browser window
  6. Don't have Facebook, Gmail / G+ / etc, Hotmail or Twitter open at the same time as LinkedIn in the same browser, just in case there's a potential XSS or XSRF vulnerability across any of the applications

"He's just paranoid!", I hear you say. Guess what - Sony got hacked again this week so what's to say we won't see repeats here either?

Update - 5th July

It took LinkedIn four days to get back to my initial report / request for contact; I guess they must have been pretty busy at the time *cough*. Essentially the response was "There's nothing to see here, move along", and when I retested about a week later I couldn't reproduce the problem.

Bottom line, problem fixed. From everything I've been reading in the press about the company it's been a policy of denial in an attempt to save face.