On 07/06/2012, Lynda <shrdlu@deaddrop.org> wrote:
Sorry to be the bearer of such bad tidings.
I'm a very amateur cryptologist so some of this is new to me:

"Any organization using SHA-1 without salting user passwords is running a great risk -- much higher than they should," said Per Thorsheim, chief information security advisor at Norwegian IT services company EVRY. "We've seen this time and time again. This is not good practice. Salt should be a minimum."
http://money.cnn.com/2012/06/06/technology/linkedin-password-hack/

This, however, is all too commonplace:

"We take the security of our members very seriously."
http://blog.linkedin.com/2012/06/06/linkedin-member-passwords-compromised/

This is the only security item they have and it's mission critical, right? The issues are well understood and highly publicized. The procedures are simple. Taking a casual interest in security pretty much precludes mistakes here. I'm not fooled at all.
http://press.linkedin.com/node/1192

The current system can work if applied correctly, but time and again we're seeing failure from service providers to follow the dots. As I mentioned, I'm no expert, but I don't think widening the circle of trust is the correct answer regardless of the technology. There's no technology shortfall here. Self-signed certificates do sound great and for most purposes, certainly in this case, fulfil all the requirements. There's no need to verify anything about me is correct other than to tie my authentication to my account. If I fail to meet the TOS then the plug is easily pulled and any further activity can be dealt with as it currently is by other means. I think there's enough risk in bringing in a CA and so little advantage that it's wrong.

As far as moving the cryptographic responsibility from the service provider to us - I'm all for it. They've been telling us for some time now they'd rather not do that stuff. I'd much rather have control and introduce something a little sleeker. As far as users go, if they have to learn it to get on FaceSpace then they'll learn it - that's a given.

There's no reason for it not to be optional anyway. To all the people who've figured this out, my hat's off. I'm very suspicious of any mention of a browser being involved in this process though. Shifting some software responsibility to the client probably brings new/different danger anyway, but probably the last piece of goop that should be involved is a browser. That's anecdotal aversion but I'll stand by it.
Please note that LinkedIn has weighed in with a carefully worded blog post:
http://blog.linkedin.com/2012/06/06/linkedin-member-passwords-compromised/
Further details:

1. The leak took place on June 4.
2. LinkedIn was using unsalted SHA-1 for their password store.
3. FYI, there are two lists. The second one appears to be from eHarmony. Unsalted MD5 used there.
4. The posted passwords are believed to be ones the cracker wanted help with, i.e., they have significantly more already cracked.
Apparently phishing emails are already active in the wild based on the crack:
http://bits.blogs.nytimes.com/2012/06/06/that-was-fast-criminals-exploit-lin...
In other words, if you have a LinkedIn account, expect that the password has been stolen. Go change your password now. If you used that password elsewhere, you know the routine. In addition, as has been pointed out elsewhere, there's no sign LI has fixed the problem. Expect that the password you change it to will also be compromised.
:-(
-- 
A picture is worth 10K words -- but only those to describe the picture. Hardly any sets of 10K words can be adequately described with pictures.
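The thread's central technical point is the one in the Thorsheim quote: an unsalted SHA-1 (or MD5) password store reveals which accounts share a password, and one computed digest of a common password matches every account that uses it, so a leaked table can be attacked wholesale. The following is an added illustration, not code from this thread or from LinkedIn or eHarmony; the user names and passwords are constructed sample data. It puts the weak scheme beside a salted, iterated alternative (PBKDF2-HMAC-SHA256 from the Python standard library, chosen here as an assumption about a reasonable replacement) and counts how many stored hashes repeat under each.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not real leaked data). Two users share a password,
# which is exactly the situation a salt is meant to hide.
SAMPLE_USERS = {
    "alice": "linkedin2012",
    "bob": "linkedin2012",
    "carol": "correct horse battery staple",
}


def unsalted_sha1(password: str) -> str:
    """The weak scheme described in the thread: a bare SHA-1 of the password.
    Deterministic, so equal passwords always give equal stored values."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_pbkdf2(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted, iterated hash. A per-user random salt makes equal passwords
    hash differently; the iteration count makes each guess cost more."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str, iterations: int = 100_000) -> dict:
    """Create the stored record for a new account: salt, parameters, hash."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "iterations": iterations,
        "hash": salted_pbkdf2(password, salt, iterations),
    }


def verify(record: dict, candidate: str) -> bool:
    """Check a login attempt against a stored record, in constant time."""
    expected = salted_pbkdf2(candidate, record["salt"], record["iterations"])
    return hmac.compare_digest(expected, record["hash"])


def count_duplicate_hashes(hashes) -> int:
    """Number of stored values that are repeats of an earlier one.
    Any non-zero count in a password table means shared passwords are visible."""
    seen = {}
    for h in hashes:
        seen[h] = seen.get(h, 0) + 1
    return sum(n - 1 for n in seen.values() if n > 1)


def duplicates_unsalted(users=SAMPLE_USERS) -> int:
    # alice and bob collide: 1 duplicate
    return count_duplicate_hashes(unsalted_sha1(p) for p in users.values())


def duplicates_salted(users=SAMPLE_USERS) -> int:
    # fresh 16-byte salts make a collision between alice and bob vanishingly unlikely
    return count_duplicate_hashes(make_record(p)["hash"] for p in users.values())


def accounts_matching_digest(digest: str, users=SAMPLE_USERS) -> list:
    """In the unsalted scheme, one digest of one guess identifies every
    account that uses that password; this is why the quote calls salt a minimum."""
    return sorted(u for u, p in users.items() if unsalted_sha1(p) == digest)


if __name__ == "__main__":
    print("duplicate hashes, unsalted SHA-1:", duplicates_unsalted())
    print("duplicate hashes, salted PBKDF2 :", duplicates_salted())
    print("accounts sharing one digest     :",
          accounts_matching_digest(unsalted_sha1("linkedin2012")))
    rec = make_record("linkedin2012")
    print("verify correct password         :", verify(rec, "linkedin2012"))
    print("verify wrong password           :", verify(rec, "linkedin2013"))
```

The duplicate count is a check a defender can run over an existing table without knowing any password: a store built like the one in point 2 of the list above shows repeats wherever users chose the same string, while a salted store shows none. The `verify` function is the shape the replacement needs to take, since the salt and iteration count must be stored alongside the hash to recompute it at login.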