We have been told by a multitude of media that we live in a dangerous world. Throw that cliché into the technology cauldron and it gels rather nicely with the daunting ingredients already in the pot. Take monitoring software for computers, the keylogger for instance: that small program can capture everything typed on a device, passwords included, and with them most of the device's security. So yes, we live in a dangerous world, something LinkedIn recently found out the hard way.
A file containing around 6.5 million password hashes, together with about 1.5 million more from a different site, was posted on a Russian password-cracking forum hosted at InsidePro.com, a site that offers tips and tools for cracking passwords. The passwords were not in plain text; they were stored as hashes (unsalted SHA-1, as it turned out). Many of the cracked passwords contained the strings "linkedin" or "eharmony", from which it was inferred that those two sites were the victims, and it later emerged that Last.fm had been hit as well. Of the three, LinkedIn undoubtedly suffered the most, both in the number of accounts exposed and in reputation.
Not Enough Salt on the Table
This raises the question, or at least it should: if the passwords were hashed, why weren't they safe? The answer is salt, or rather the lack of it. Security experts who examined the dump found that LinkedIn's hashes were not salted, which makes them far cheaper for automated tools to crack. A salt is a random value, stored alongside each hash, that is mixed into the password before hashing. Without it, every member who chose "password" has exactly the same hash, so an attacker hashes each candidate word once and checks it against all 6.5 million entries at the same time, and can even use tables computed in advance. With a per-user salt, every candidate has to be hashed again for every account, and precomputed tables are useless. A salt does not turn a weak password into a strong one; a dictionary word still falls quickly on its own. What it removes is the bulk discount, and that layer, had it been present, would have saved millions of members from having their LinkedIn passwords cracked. Salting alone is not the whole story either: SHA-1 is fast by design, so a GPU rig can still try billions of candidates per second against each account, which is why password stores should use a salted, deliberately slow construction such as bcrypt or PBKDF2. In effect, if not in theory, an unsalted hash table leaves passwords about as exposed to a global cracking crew as a keylogger, or any other monitoring software for computers, leaves them on the device itself.
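To make the bulk-discount point concrete, here is an added example, not code from the original post: a constructed table of five accounts, an attacker wordlist of six words, and the same dictionary attack run against an unsalted SHA-1 table and a salted one. The account names, passwords and wordlist are made up for the demonstration; the hash operations counted are the only thing that matters.

```python
import hashlib
import os

# Constructed sample data for this example: a handful of accounts and a
# tiny attacker wordlist. None of this is real leaked data.
WORDLIST = ["password", "linkedin", "123456", "letmein", "qwerty", "dragon"]
USER_PASSWORDS = {
    "alice": "password",
    "bob": "123456",
    "carol": "linkedin",
    "dave": "correct horse battery staple",  # not in the wordlist, should survive
    "erin": "password",                       # same password as alice
}


def unsalted_sha1(password: str) -> str:
    """The scheme LinkedIn was using: one SHA-1 over the password alone."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_sha1(salt: bytes, password: str) -> str:
    """Same hash, but a per-user random salt is mixed in first."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def build_unsalted_store(users: dict) -> dict:
    """user -> hex digest, as an unsalted password table would hold it."""
    return {user: unsalted_sha1(pw) for user, pw in users.items()}


def build_salted_store(users: dict) -> dict:
    """user -> (salt, hex digest); the salt is stored in the clear."""
    store = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        store[user] = (salt, salted_sha1(salt, pw))
    return store


def crack_unsalted(store: dict, wordlist: list) -> tuple:
    """Dictionary attack on an unsalted table.

    Each candidate is hashed once and looked up against every account at
    the same time, so the cost is len(wordlist) hashes no matter how many
    accounts leaked. Returns (cracked, hash_operations).
    """
    by_hash = {}
    for user, digest in store.items():
        by_hash.setdefault(digest, []).append(user)
    cracked, ops = {}, 0
    for word in wordlist:
        ops += 1
        for user in by_hash.get(unsalted_sha1(word), []):
            cracked[user] = word
    return cracked, ops


def crack_salted(store: dict, wordlist: list) -> tuple:
    """Dictionary attack on a salted table.

    The salt differs per account, so each candidate has to be hashed again
    for every account and precomputed tables are useless. The attacker
    stops on an account once its password is found.
    Returns (cracked, hash_operations).
    """
    cracked, ops = {}, 0
    for user, (salt, digest) in store.items():
        for word in wordlist:
            ops += 1
            if salted_sha1(salt, word) == digest:
                cracked[user] = word
                break
    return cracked, ops


def shared_password_groups(store: dict) -> list:
    """Accounts whose stored digests are identical. Only an unsalted table
    leaks this: identical passwords produce identical hashes."""
    by_hash = {}
    for user, digest in store.items():
        key = digest if isinstance(digest, str) else digest[1]
        by_hash.setdefault(key, []).append(user)
    return sorted(users for users in by_hash.values() if len(users) > 1)


if __name__ == "__main__":
    unsalted = build_unsalted_store(USER_PASSWORDS)
    salted = build_salted_store(USER_PASSWORDS)
    print("unsalted:", crack_unsalted(unsalted, WORDLIST))
    print("salted:  ", crack_salted(salted, WORDLIST))
    print("shared passwords visible, unsalted:", shared_password_groups(unsalted))
    print("shared passwords visible, salted:  ", shared_password_groups(salted))
```

With five accounts the unsalted attack needs 6 hash computations and the salted one 13 (30 if no account fell); scale the table to 6.5 million accounts and the gap is what separates an afternoon from years. The unsalted table also reveals, without any cracking at all, which members share a password.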
LinkedIn's first step, once the shock had worn off, was to investigate whether the published hashes really belonged to its members. Once that was confirmed, it identified the accounts at risk and notified their owners by email; accounts whose hashes had appeared in the dump had their passwords invalidated immediately, and the members concerned were sent instructions for resetting them.
Protecting the Members
LinkedIn has assembled a well-regarded security team, and that team has been busy of late trying to ensure that the question marks over members' security are dimmed, if not erased altogether. It is now moving the site from a plain password-hash database to one with enough salt on the table, so to speak: from now on, passwords are not only hashed but hashed with a per-user salt, adding as much steel to their protection as possible. A salted store protects passwords going forward; it does nothing for hashes that have already leaked, which is why the reset of the affected accounts still matters. Sounds like a savory move on LinkedIn's part; let's hope it doesn't turn bitter in the end.
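The page does not say how LinkedIn converted its existing rows, so what follows is an added example of one standard way to do such a migration, not LinkedIn's code: the stored SHA-1 digest is itself salted and stretched (PBKDF2-HMAC-SHA256 is my choice here), so the whole table can be converted in one batch job without any plaintext, and each row is upgraded to a direct salted hash the next time its owner logs in. The record layout, the `scheme` labels, the user names and the passwords are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2; raise it as hardware gets faster.
ITERATIONS = 100_000


def legacy_hash(password: str) -> str:
    """The old scheme: unsalted SHA-1, hex encoded."""
    return hashlib.sha1(password.encode()).hexdigest()


def stretch(salt: bytes, material: bytes) -> bytes:
    """The new scheme: salted, iterated PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", material, salt, ITERATIONS)


def wrap_legacy(legacy_hex: str) -> dict:
    """Offline migration step: salt and stretch the existing SHA-1 digest.

    This needs no plaintext, so every row can be converted in one batch
    job and the bare SHA-1 column dropped immediately. The record remembers
    that the SHA-1 is still an inner layer (scheme label is an assumption).
    """
    salt = os.urandom(16)
    return {"scheme": "wrapped-sha1", "salt": salt,
            "hash": stretch(salt, legacy_hex.encode())}


def fresh_record(password: str) -> dict:
    """Record for a password held in plaintext (signup, reset, or login)."""
    salt = os.urandom(16)
    return {"scheme": "pbkdf2", "salt": salt,
            "hash": stretch(salt, password.encode())}


def verify(record: dict, password: str) -> bool:
    """Check a password against either record format."""
    if record["scheme"] == "wrapped-sha1":
        material = legacy_hash(password).encode()
    elif record["scheme"] == "pbkdf2":
        material = password.encode()
    else:
        raise ValueError("unknown scheme %r" % record["scheme"])
    # Constant-time compare so a timing side channel cannot leak the hash.
    return hmac.compare_digest(stretch(record["salt"], material), record["hash"])


def migrate_table(legacy_table: dict) -> dict:
    """user -> SHA-1 hex  ==>  user -> wrapped record, in one pass."""
    return {user: wrap_legacy(digest) for user, digest in legacy_table.items()}


def login(table: dict, user: str, password: str) -> bool:
    """Authenticate and opportunistically upgrade wrapped rows.

    A successful login is the only moment the plaintext is available, so
    that is when the inner SHA-1 layer is discarded for good. (Production
    code should also burn equal time on unknown users to avoid enumeration.)
    """
    record = table.get(user)
    if record is None or not verify(record, password):
        return False
    if record["scheme"] == "wrapped-sha1":
        table[user] = fresh_record(password)
    return True


if __name__ == "__main__":
    # Constructed sample: two rows from a pre-migration table.
    legacy = {"alice": legacy_hash("Tr0ub4dor&3"), "bob": legacy_hash("hunter2")}
    table = migrate_table(legacy)
    print("after batch migration:", {u: r["scheme"] for u, r in table.items()})
    print("wrong password:", login(table, "alice", "hunter2"))
    print("right password:", login(table, "alice", "Tr0ub4dor&3"))
    print("after alice logs in:", {u: r["scheme"] for u, r in table.items()})
```

Two caveats a practitioner would add: wrapping fixes the table going forward but cannot un-leak digests already in an attacker's hands, so the affected accounts still need a reset; and the iteration count is a tunable work factor that should be raised over time, which the `scheme` field makes possible without another migration.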
Jane Andrew is the author of mobistealth's free keylogger and monitoring software for computers. She loves to share tips about cell phone security. Follow her on Twitter @janeandrew01 for the latest cell phone security tips.