SCAM ALERT: LinkedIn breach and eHarmony phishing, and what you should do about it

Sorry this is late in coming; I was tied up all day yesterday at an offsite. By now most people will probably have heard that about 6.5 million LinkedIn password hashes were stolen and posted on a hacker Web site the day before yesterday. (eHarmony was hit too, in case you didn’t know that.) There’s good news and there’s bad news here:

The good news

1.  The only things stolen, supposedly, were passwords. Why is that good news? Without the matching user account names, they’re not very useful on their own.

2.  The passwords were hashed, so MOST (but not all) of them remain unreadable. Some were posted in clear text, but most were not.

3.  The actual password hack is an easy problem to resolve.  Just log in and change your password.

The Bad News

1.  We’ll probably see many more of the passwords compromised (cracked) soon. Why? Well, hashing is done by feeding your password through a one-way algorithm that produces a meaningless-looking string of characters, and there are many standard hashing algorithms of varying sophistication and obsolescence in use (MD5, SHA-1, etc.).

Unfortunately, this means that unless the passwords were also “salted” (they weren’t), anyone who knows the algorithm can hash a list of common passwords in advance and compare the results against the leaked hashes. I would be willing to bet a dollar that the passwords that were published in cleartext were common ones for which freely available libraries had already precomputed the hash (e.g. password, 12345, mylogin, etc.), or they were simple ones that were easy to brute force. (There is, by the way, a wee bit of interesting stuff about how they did it, but we’ll get to that a bit further down.)

2.  The really bad news is that the compromised passwords aren’t the real danger; the danger is the social engineering attacks that have already begun and that play off users’ fears about the breach. Even IF your password was published in the clear, without your account name it’s useless. However, most users who see only the headlines don’t know that, or don’t understand the details well enough to discern a scam like this one (thanks here to CBS/CNET for the example):

CBS/CNET provided example of LinkedIn Phish
http://asset3.cbsistatic.com/cnwk.1d/i/tim/2012/06/07/Screen_shot_2012-06-07_at_12.21.42_PM_610x168.jpg
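To make the hashing and salting explanation in the first bad-news item concrete, here is an added example (not code from the original post): a constructed five-word “common password” list stands in for the real wordlists, a lookup table of their unsalted SHA-1 hashes is built once, and each leaked hash is then checked with a single dictionary lookup. The same weak password stored with a per-user random salt does not appear in that table, because the table would have to be rebuilt for every salt. The `store_salted` function is an illustration of what salting changes, not a recommended storage scheme; a real system should use a slow, purpose-built password hash such as bcrypt, scrypt or Argon2.

```python
import hashlib
import os
from typing import Dict, Optional, Tuple

# Constructed sample list standing in for the "common password" lists
# mentioned in the post; real cracking wordlists are far larger.
COMMON_PASSWORDS = ["password", "12345", "mylogin", "letmein", "qwerty"]


def sha1_hex(data: bytes) -> str:
    """Hex digest of SHA-1, the unsalted algorithm the post discusses."""
    return hashlib.sha1(data).hexdigest()


def build_lookup_table(words) -> Dict[str, str]:
    """Precompute unsalted SHA-1 for every word: hash -> plaintext.

    This is the 'pre-determined hash' library from the post: computed once,
    then reused against every leaked hash at the cost of one lookup each.
    """
    return {sha1_hex(w.encode()): w for w in words}


def store_unsalted(password: str) -> str:
    """Bare SHA-1 of the password, the way the post says LinkedIn stored them."""
    return sha1_hex(password.encode())


def store_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Per-user random salt mixed into the hash (illustration only, see lead-in).

    Because the salt is random per user, the precomputed table built above
    never matches: an attacker would have to rebuild it for each salt value.
    """
    if salt is None:
        salt = os.urandom(16)
    return salt, sha1_hex(salt + password.encode())


def recover_from_table(leaked_hash: str, table: Dict[str, str]) -> Optional[str]:
    """Single lookup: all the work happened when the table was built."""
    return table.get(leaked_hash)


def demo() -> Dict[str, Optional[str]]:
    """Compare three stored hashes against the precomputed table."""
    table = build_lookup_table(COMMON_PASSWORDS)
    weak_unsalted = store_unsalted("password")
    # A long passphrase is not on any short common-password list.
    strong_unsalted = store_unsalted("four unrelated words make a long passphrase")
    _salt, weak_salted = store_salted("password")
    return {
        "weak_unsalted": recover_from_table(weak_unsalted, table),   # -> "password"
        "strong_unsalted": recover_from_table(strong_unsalted, table),  # -> None
        "weak_salted": recover_from_table(weak_salted, table),          # -> None
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16s} recovered from table: {result!r}")
```

The point the three results make is the post's: an unsalted hash of a common password falls to a table that already exists, a long passphrase is not in that table, and salting forces the attacker to redo the hashing per user instead of once for everyone.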

So, what should you actually DO about it?

1.  Type the address for LinkedIn into your browser yourself, and change your password from the account-management screen.

2.  Use a strong password, so that its hash is neither in a pre-published table nor easy to brute force, and having done that, you can then ignore / distrust any email, legitimate or not, that purports to come from LinkedIn regarding the breach and asks you to do anything about it. (As usual, whenever possible, don’t click links in emails; type the address in yourself and find what you need on the site you know is the real one.)

3.  Since many of us use the same password for lots of Web sites, you might want to update the password on any site that shared the password you used for LinkedIn, and

4.  Finally and most importantly (for many reasons), read this strip from XKCD for some ideas on how to create very strong, easy to remember passwords, and for those who don’t already read it, it has the added benefit of introducing you to what is undoubtedly the greatest, nerdiest, smart-humor-est awesomest stick figure blog ever.

A final note: for the nerd-herd, by the way, the brute-force password cracking was reportedly crowd-sourced, which I find both neat and slightly scary. Like the old SETI search that broke radio noise from outer space into chunks for processing on “volunteer” PCs all over the world, password cracking is a wonderful activity for divvying up among thousands of machines and harnessing supercomputer power without having to, you know, spring for a Cray. Wonder if the machines were voluntary, or done by renting a botnet.
