By now, most of you would have read about the LinkedIn password leakage incident. I was interacting with a number of information security researchers when the news broke on Twitter, and after a few hours we had understood it and issued certain advisories to the community at large.
I was interviewed by Dark Reading. This is my detailed writeup to the journalist, and will hopefully be an interesting read for you.
++++++++++ START OF TRANSCRIPT +++++++++++++
My thought flow in the last 3 hours.
When news of the password hash leak came out, the first question to ask is how the information was released. What we know is:
1. It was hosted inside a forum. The poster just posted a link to a cyberlocker service, with a very terse description.
2. Folks progressively started to crack the passwords and post the results in the forum.
3. All this happened at least a day ago, as shown by the forum date/time stamps.
Note that hosting the file on a Russian cyberlocker site does not mean the attacker is Russian. It could be anybody, and thus this is the first fallacy in the general guessing so far.
The next question is to ascertain whether the hash file is really from LinkedIn or just some other hash dump from another website. For all infosec pros who are good at managing passwords, we use a different password for every website. The password has a certain signature that is very hard for the other 7 billion users out there to duplicate, as it is long and has special significance to the user and the website. I converted my password to SHA1 and searched for the hash in the dump file. The hash was found. Progressively, in the Twitterverse, various infosec professionals revealed that their passwords were also in the list. This means that the likelihood that this hash file was stolen from LinkedIn is very high.
To those who are sceptical: there are >150 million users on LinkedIn (refer to Wikipedia), and there are 6 million hashes in the dump file, 4% of the entire user space. The likelihood that their password is not there is higher than for those whose passwords are there (unlucky me and the rest). As such, the people who are sceptical have to trust those who are really affected and have shared the information with the community.
As for what happened, none of us will have an absolute clue except the guy who performed the attack. We can speculate all we want: APT, business espionage, poor website security, etc. ... at this stage the intent is irrelevant to the community at large. Also, I don't think this attack has anything to do with the recent vulnerability where LinkedIn uploads calendar information to their server. That is an application design issue, not a security issue. The application design issue leads to a privacy issue, so we have to be clear on that.
The most important question is: what are the repercussions of the LinkedIn attack?
First of all, let us guesstimate how LinkedIn is used. I reckon that 60-70% of the users use it *casually* for networking, probably 20% are just lurkers, people who create an account but never use it. The other 30% could be active users who have lots of network contacts, mainly headhunters and power connectors (people who have >300 connections). There may be about 20% premium paying customers.
As such, what are the risks here?
1. For the premium customers, their credit card information may be divulged if the attacker logs in to their account.
2. For the free but power connectors, the contact list could be valuable information. The more well-known the power connector, the more valuable their connections list is. For example, if you hacked into Warren Buffett's account and looked at his connections, those people would probably be powerful and influential, but stay below the radar about their relationships with Warren.
3. For certain users who use the same password for LinkedIn and for their email address (which is the LinkedIn user login ID), their email accounts can be compromised.
4. For the rest, there is no immediate impact, as most people don't really store extremely sensitive information in LinkedIn. However, there is a catch, and I will come to this later.
As such, there is a certain group of users that may be adversely affected. So how can they (and the rest of the users) go about protecting themselves? Until LinkedIn figures out how the password dump was conducted, there are only two immediate ways to protect yourself:
1. Close your LinkedIn account. Probably not feasible, but some people may use this opportunity to leave this social network since they don't find it useful.
2. Change your password. This is the interesting part. There are two arguments here: changing the password will help, and changing the password will not help.
a. If the vulnerability remains unpatched, one camp argues that changing to any password is useless, since it will be easily compromised again.
b. The other argument is to change the password, and the Twitterverse has tons of tweets urging everyone to change their password. The PROBLEM is that if you change from an 8-character password to another 8-character password, you fall into the trap described in 2a. Most people in the Twitterverse don't realise this important caveat, and thus the attacker may lay hands on a fresh batch of usable passwords.
c. For me, a password change is necessary, but the question is to what requirement? From my analysis of the passwords that have been recovered so far (300K+), I did some simple data processing and found that passwords of 3 to 23 characters have been cracked. For passwords >16 characters, I noticed an interesting observation: the main bulk are alphanumeric (uppercase, lowercase, digits), with <1% of these in uppercase, lowercase, symbol format. If you wonder how a 23-character password can be cracked so easily, the reason is that the passwords consist of a few dictionary words. Using a hybrid of dictionary and format attacks, these passwords can be cracked in less than 8 hours even if they are 23 characters long.
d. So the thing to tell everyone is that a password change is necessary, but it has to be long, and it has to consist of uppercase, lowercase, digits and symbols. Yes, all passwords can be cracked, but the important thing is to use a password strong enough to resist brute-force and dictionary attacks for at least 1 month, until LinkedIn quickly figures out the issue and resolves it ASAP.
As I mentioned on my Twitter, I think most people will not care if their LinkedIn account is compromised. But the greatest fear I have is this ...
Since all login IDs are email addresses, and the attacker has 6.5 million email addresses, what can he do with them?
Yes, you guessed correctly: it is a goldmine for spamming services.
And this is what greatly annoys me. LinkedIn, through their failure to protect users' data, have now made our email addresses available to spammers.
If you refer to @peterkruse's tweet at https://twitter.com/peterkruse/status/210345654004887553, he mentioned that he recovered his old LinkedIn password that was changed 7-8 months ago, meaning that the hash file was stolen quite some time back.
What does this mean?
1. LinkedIn is going to have a HARD time going through their logs. They will have to unarchive all their web server logs going back at least 7 to 8 months, no easy feat considering it is the 12th most popular global website (based on Alexa), which means there will be millions of web server log entries they will have to scan through.
2. If they already have an IPS or WAF in place, and the attacker actually made use of SQL injection attacks to perform the hash dump, it means that the detection infrastructure is dysfunctional.
3. If they don't have those, then how the hell are they protecting a portal that has >150 million user records?
So, can we say that whoever did this knew how to lie low and wait for a suitable time to release this information?
The answer is no. To find the truth, we have to find the guy who posted the cyberlocker download link in the forum and find out what his role is with respect to the file.
The reason is this: this guy may just be someone who was tasked to crack the passwords, and nothing more.
Think about it: he has 6 million passwords at his disposal, 4% of the 150 million users. What if the mastermind has the entire dump, broke it up into 25 parts, and this guy happens to be responsible for cracking these 4% of the users' passwords? Moreover, if he is paid, he may have a deadline to quickly crack them all, and thus he went to the forum to ask for help from others. Others may have assisted him and realised the passwords recovered are all related to LinkedIn, and this is how the news was uncovered.
So the last question is, does it seem that LinkedIn has issues with their infrastructure security? You can determine how knowledgeable the organisation is in their security design from one important clue: the use of unsalted SHA1 password hashes. This is a classic textbook failure in how to store hashed passwords insecurely, and this is a serious mistake. From this alone, I guess that they do not have world-class security designs, and thus I give a very high likelihood that the passwords were obtained via SQL injection or other code injection attacks whereby the attacker managed to skim the passwords remotely across the network.
I think this is not a straightforward matter, and I will say LinkedIn will have to dig hard to find out the real answers.
I hope the above gives you an idea of my thought flow in the last 3 hours. Please feel free to contact me if you need further clarification.
++++++++++ END OF TRANSCRIPT +++++++++++++
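Added worked example, not part of the writeup above and not LinkedIn's code: it puts three of the transcript's points into runnable form. First, the "hash your own password and look it up" check that only works because the dump is unsalted SHA-1. Second, the hybrid dictionary attack from point 2c, showing that a 25-character password built from a few dictionary words plus a year falls to a tiny candidate space. Third, the difference a per-user salt makes to the cost of the same attack, which is the textbook point behind the unsalted-SHA1 remark. The plaintexts, the eight-word wordlist, the suffix list and the 16-byte salt scheme are all constructed for the demo and are assumptions, not data from the real dump.

```python
"""Added example: why an unsalted SHA-1 dump is cheap to check and cheap to
crack, and what salting changes. Constructed data only; not the LinkedIn dump."""
import hashlib
import itertools
import os

# Constructed sample plaintexts standing in for leaked accounts (assumption:
# these are made up for the demo and bear no relation to real users).
CONSTRUCTED_PLAINTEXTS = [
    "linkedin",                    # one dictionary word
    "Password1",                   # capitalised word + digit
    "summerholidaypassword2012",   # 25 chars, three dictionary words + year
    "Tr0ub4dor&3",                 # not buildable from the toy wordlist
]


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1, the storage scheme the writeup criticises."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# The "dump": one unsalted digest per account, kept as a set for O(1) lookup.
DUMP = {sha1_hex(p) for p in CONSTRUCTED_PLAINTEXTS}


def in_dump(password: str, dump: set) -> bool:
    """The check from the writeup: hash your own password and look it up.
    Only possible because every account's hash is unsalted."""
    return sha1_hex(password) in dump


# Toy wordlist and suffix list (assumption: tiny, for illustration only).
WORDLIST = ["linkedin", "password", "summer", "holiday",
            "winter", "welcome", "monkey", "dragon"]
SUFFIXES = ["", "1", "123", "2011", "2012"]


def candidates(wordlist, max_words=3, suffixes=SUFFIXES):
    """Hybrid dictionary attack: concatenate 1..max_words words, try a
    capitalised variant, then append common suffixes. Long passphrases made
    of dictionary words fall inside this space regardless of their length."""
    for n in range(1, max_words + 1):
        for words in itertools.product(wordlist, repeat=n):
            base = "".join(words)
            for variant in (base, base.capitalize()):
                for suffix in suffixes:
                    yield variant + suffix


def crack_unsalted(dump, wordlist, max_words=3):
    """Unsalted: one hash per candidate covers every account at once."""
    cracked = {}
    computed = 0
    for cand in candidates(wordlist, max_words):
        computed += 1
        digest = sha1_hex(cand)
        if digest in dump:
            cracked[digest] = cand
    return cracked, computed


def salted_sha1_hex(password: str, salt: bytes) -> str:
    """Per-user random salt prepended before hashing."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def make_salted_records(plaintexts):
    """The same accounts stored with a fresh 16-byte random salt each."""
    records = []
    for p in plaintexts:
        salt = os.urandom(16)
        records.append((salt, salted_sha1_hex(p, salt)))
    return records


def crack_salted(records, wordlist, max_words=3):
    """Salted: every candidate must be hashed once per account, so neither a
    precomputed table nor a single lookup of your own hash works any more."""
    cracked = {}
    computed = 0
    for cand in candidates(wordlist, max_words):
        for salt, digest in records:
            computed += 1
            if salted_sha1_hex(cand, salt) == digest:
                cracked[digest] = cand
    return cracked, computed


if __name__ == "__main__":
    print("my password in dump:", in_dump("summerholidaypassword2012", DUMP))
    cracked, n = crack_unsalted(DUMP, WORDLIST)
    print(f"unsalted: {len(cracked)}/{len(DUMP)} cracked with {n} hashes")
    records = make_salted_records(CONSTRUCTED_PLAINTEXTS)
    cracked_s, n_s = crack_salted(records, WORDLIST)
    print(f"salted:   {len(cracked_s)}/{len(records)} cracked with {n_s} hashes")
```

Running it, the unsalted pass recovers three of the four constructed passwords (including the 25-character one) with 5,840 SHA-1 computations; the salted pass recovers the same three but needs 5,840 hashes per account, and anyone wanting to check their own password would first need their salt. Note that salting alone only multiplies attacker cost by the number of accounts: with a fast hash like SHA-1 the weak passwords still fall. The practitioner's fix is a salt plus a deliberately slow, per-user key derivation (PBKDF2 via `hashlib.pbkdf2_hmac`, bcrypt or scrypt), which is what "storing hashed passwords correctly" means in practice.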