The anatomy of a breach – LinkedIn

Another day, another data breach.

It is an all too familiar scenario but have you ever stopped to think about how it happened and what could have been done to prevent it?

In 2012, a spokesperson for the professional social networking website LinkedIn, wrote in a blog post “We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts.” As it turns out, through further media releases that in fact, hackers downloaded files containing 6.5 million LinkedIn users passwords. What’s worse, it is reported that LinkedIn’s initial investigation did not uncover any information security breach in its information system that corresponds to or explain the reported theft of these LinkedIn user credentials. This was contrary to various individuals who reported they found their own LinkedIn passwords published and freely available online. This position of not knowing whether LinkedIn had been breached was confirmed by an official tweet which stated ”our team continues to investigate, but at this time, we’re still unable to confirm that any security breach has occurred”.

You may be wondering, “so what?”, well there is both financial and non financial costs to an organisation when such a breach occurs. The most obvious financial loss was seen on the day the news broke of the breach with LinkedIn seeing a fall in trading with a drop in their share volumes despite the tech markets rallying. Next, the LinkedIn CFO, Steve Sordello, stated to the market that the forensic work completed on the breach cost the organisation roughly $1 million. In addition, security upgrades needed to patch up the vulnerabilities which led to this breach was quoted at costing between $2 million and $3 million (considerably more than if security was designed into the system when it was originally built). The non monetary costs are harder to ascertain but nevertheless are just as costly. Most organisations today understand the value of their reputation with their various stakeholders – customers, investors, suppliers and employees. There are untold studies out there linking trust and customer loyalty so I don’t need to rehash this here but an organisation operating a social network site such as LinkedIn has a business model which relies on its users trusting it with information – after all – they are all about sharing information!

So what actually happened? LinkedIn has not been particularly forthcoming about when and how the compromise of its users’ passwords occurred. It may be that LinkedIn does not know all the details itself. It transpired that LinkedIn had indeed been subject to an information security breach and almost 6.5 million hashed passwords were found to be stored in text files, hosted on a server in Russia. It was discovered that the file hosted on the Russian server was made up of 6,458,021 40 hexadecimal character strings consistent with passwords that had been put through the SHA1 hashing algorithm. In other words, 6.46 million hashed passwords found. So LinkedIn were only hashing their users’ passwords and not salting them. For those of you not familiar with the term “hashing” or “salts” – it refers to a cryptographic technique (code making and code breaking) where a password chosen by the user is then manipulated with the addition of random characters so that it does not in any way resemble the actual password chosen therefore cannot be traced back to any particular user if the database was breached. The hash then becomes a digital fingerprint for an individual user.

We now know that there are some issues with SHA1, meaning that the intention of its purpose can be undermined. SHA-1 has documented vulnerabilities and while these vulnerabilities are quite academic in argument, most of LinkedIn’s users’ SHA-1 hashed passwords were leaked and made available on the public Internet. Technically, someone can use what is called a ‘massive pre-computed lookup table’ or “rainbow table” to crack password hashes. These tables store a map and legend between the hash of a password, and the correct password for that hash. In doing this, it becomes possible to read the hashed password values in plain, usable text. Having said that, It is an incredibly involved process involving a lot of mathematical functions, some ingenuity and computer science and this simplified version does not in any way truly reflect the true effort required to crack and view hashed content in any form but you get the drift. This type of captured, personally identifiable data and real-time information is bound for an underground market where data and information is sold to the highest bidder to use for further illicit gain.

In the case of this LinkedIn breach, of the 6.46 million stolen passwords posted on the Russian Hacker Forum, 3.7 million were already cracked through brute force hacking techniques – the cracked passwords were more than likely the simpler and predictable passwords which are generally included in password cracking software used by hackers.

What could have been done differently?

What LinkedIn did not do was take it one step further and salt its users’ passwords. Simply put, as already stated, SHA1 hashing is a cryptography technique which turns a phrase (such as a password) into a random collection of characters using a set formula and it is a good starting point. The other cryptography technique is the use of salts which is where the hashed output is then treated with the addition of random data. So you first randomise the password using the hashing technique which you then salt by randomising the output again so it is even further “scrambled so as to be completely unrecognisable. If a hashed password is salted with a cryptographically sound algorithm, then it becomes much harder to crack. Also the use of SHA256, a more cryptographically sound algorithm, which can be implemented into code, and onto operating systems could have mitigated the risk of password compromise. A combination of a cryptographically sound hashing algorithm, together with a salted value would have made users’ passwords much more difficult for unauthorised users (the bad guys) to decode. This is considered good security practice because it means that unauthorised users cannot use the common password-cracking techniques – such as Rainbow Tables – to discover the original password value.

We also know that poor choice of passwords chosen by users which are weak to start with are also asking for trouble. Password hygiene is critical in protecting from these brute force attacks. Examples of weak passwords include the following -

Foul language – passphrases that contain foul language are weak and are near the top of any brute force dictionary used in these attacks
Bad relationship – users who make up passwords related to a website. So in the case of LinkedIn, the use of “link”, “work”, “job”, “connect” are up there in obvious choices
Religious terms – terms such as “jesus”, “god”, “angel” are also considered obvious and very weak on their own or in a phrase

The word “Password” is an incredibly common password and is considered an obvious and weak password
Number trails – the use of “12345″, “654321″ and any version of these are all in the top 30 phrases
Knowing this information, companies like LinkedIn need to be more proactive in how they manage and secure user passwords by considering instituting a password policy which mandates what can and cannot be used as a password on their site. If you are curious about what you should consider when selecting a password, make sure your passwords are a minimum of 11 characters, contain upper- and lower-case letters, numbers, and letters, control characters and aren’t part of a pattern.

How about on the database side of security? The first thing to do is configure the database in view of your security requirements. Once the database has been configured according to security requirements, system administrators should ensure auditing tools are installed to compare configuration snapshots that immediately alert whenever unauthorised changes are made. Presuming System Administrators review their logs regularly, this could have assisted LinkedIn in knowing a breach had occurred instead of not knowing what had actually happened until much later. A change management process is a very useful business process that can be used to determine whether the security of infrastructure, such as a database has been subject to a security breach or compromise. Controlling access to data and information on a “least privilege” basis is essential to ensuring full accountability, integrity and confidentiality. Further, system administrators should periodically review user entitlement reports as part of a formal audit process. Encryption of the database, or the operating system at a disc level renders data and information unreadable to those that do not have the key to unencrypt. This means that unauthorised users are not able to access data and information that they do not have legitimate access to. Encrypting the operating system at disc level also helps businesses satisfy PCI-DSS section 3.3.

Finally, my favourite security topic – securing web applications. Identifying and remediating web application vulnerabilities helps to enhance online security and this must be one of the top priorities for any security savvy online business. Today, most organisations, LinkedIn included, depend on web-based software and systems to run their business processes, conduct transactions with suppliers and deliver sophisticated services to customers. Web-based systems can compromise the overall security of an organisation by introducing vulnerabilities that unauthorised users can use to gain access to business, or a users’ personal data and information. The idea that a business can address their web application vulnerabilities by using a “secure by design” approach, testing security defects and vulnerabilities is not new, but having the ability to keep up to date with the most recent trends and hacker techniques is something that security professionals are all too aware of. Testing the security of a login page, or the ‘back-end’ process that serves business logic is crucial to realising a good security posture.

Take home message

Companies like LinkedIn need to be more proactive in how they manage and secure their systems. It is alway worthwhile keeping in mind that it is not enough to use whatever is the latest security solution available on the market and tack it onto systems without looking at the whole technology ecology with security in mind. As we have seen time and time again, internet security is something that companies and users need to be proactive about.

Whilst it is easy to blame companies for not securing user information, particularly if the company was negligent in how it took care of the information, remember security is also a collaborative effort. As a user, assume a defensive stance and presume that your information valuable, potentially vulnerable and do everything in your power to protect it.

Thanks for stopping by.