Tough week to be LinkedIn

It’s a tough week to be LinkedIn. Today it was revealed that over 6 million passwords belonging to users of the social networking site have been leaked. From MSN:

While LinkedIn stated Wednesday morning via its Twitter account that it's been unable to confirm reports that 6.5 million user passwords have been exposed, Sophos security firm reports that the files posted on a Russian hacker site do contain LinkedIn passwords.

"Although the data which has been released so far does not include associated email addresses, it is reasonable to assume that such information may be in the hands of the criminals," writes Graham Cluley. "Investigations by Sophos researchers have confirmed that the file does contain, at least in part, LinkedIn passwords."

The good news here is that they didn’t leak clear-text passwords. The bad news is that they didn’t salt the passwords (or so I’ve read). In plain English, that means the hashes are easier to crack: without a salt, every user who picked the same password ends up with the same hash, so an attacker’s guesses can be checked against the whole leaked file at once. I don’t use LinkedIn, but if you do, you should go and change your password. And if you reuse that password anywhere else, you should change that, too.
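To make the salt point concrete, here is an added example (my own illustration, not code from the post or from LinkedIn) that contrasts a bare unsalted hash with a per-user salted, iterated hash. The three-user `USERS` table is constructed sample data, the choice of SHA-1 for the weak scheme and of PBKDF2-HMAC-SHA256 with 100,000 iterations for the strong one are assumptions for illustration (the post does not name LinkedIn’s algorithm), and `guesses_to_test_wordlist` only counts hash evaluations, it does not crack anything.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample user table (not real data): two users chose the same password.
USERS: Dict[str, str] = {
    "alice": "Summer2012",
    "bob": "Summer2012",
    "carol": "correct horse battery",
}

ITERATIONS = 100_000  # PBKDF2 work factor (assumed value); raise as hardware gets faster


def unsalted_hash(password: str) -> str:
    """The weak scheme: a bare SHA-1 of the password.

    Equal passwords always give equal hashes, so duplicates are visible in the
    leaked file and one precomputed guess matches every account that used it.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """The recommended scheme: random 16-byte salt per user plus PBKDF2-HMAC-SHA256.

    Returns (salt, digest); both are stored, the salt is not secret.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def distinct_unsalted(users: Dict[str, str]) -> int:
    """Number of distinct hashes in an unsalted table; fewer than users means shared passwords."""
    return len({unsalted_hash(pw) for pw in users.values()})


def distinct_salted(users: Dict[str, str]) -> int:
    """With a fresh salt per user, every row hashes differently even for equal passwords."""
    return len({salted_hash(pw)[1] for pw in users.values()})


def guesses_to_test_wordlist(n_users: int, n_words: int, salted: bool) -> int:
    """Hash evaluations needed to try every word in a list against every user.

    Unsalted: each word is hashed once and compared against all users (and the
    table can be precomputed before the leak).  Salted: every (word, user) pair
    needs its own evaluation, so the cost grows with the number of users.
    """
    return n_words * n_users if salted else n_words


if __name__ == "__main__":
    print("distinct unsalted hashes:", distinct_unsalted(USERS), "of", len(USERS), "users")
    print("distinct salted hashes:  ", distinct_salted(USERS), "of", len(USERS), "users")
    salt, digest = salted_hash("Summer2012")
    print("verify correct password: ", verify_salted("Summer2012", salt, digest))
    print("verify wrong password:   ", verify_salted("summer2012", salt, digest))
    for salted in (False, True):
        cost = guesses_to_test_wordlist(n_users=6_500_000, n_words=10_000, salted=salted)
        print(f"hash evaluations for a 10k wordlist vs 6.5M users, salted={salted}: {cost:,}")
```

Running it shows why the leak matters: the unsalted table collapses Alice and Bob onto one hash, while the salted table gives three different digests, and the cost of testing a wordlist against the salted table scales with the number of users instead of staying flat.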

And if that weren’t enough, the article continues:

News of the possible LinkedIn password leak comes less than 24 hours after mobile security researchers revealed that the LinkedIn mobile app is able to access subscriber meeting notes.

"The app doesn’t only send the participant lists of meetings; it also sends out the subject, location, time of meeting and more importantly personal meeting notes, which tend to contain highly sensitive information such as conference call details and passcodes," writes Skycure Security researcher Adi Sharabani on the company's blog.

On the other hand, LinkedIn’s app does at least transfer the data over SSL, and the company has agreed to change the app: it will no longer send data from the meeting-notes section of calendar events.

And if that weren’t enough, CNN Money published an article* called LinkedIn is a hacker’s dream tool. In it, they describe how hackers can harvest the information people post publicly on LinkedIn in order to build targeted attacks on their victims:

SAN FRANCISCO (CNNMoney) -- If you use LinkedIn, you've probably told the site where you work, what you do and who you work with. That's a gold mine for hackers, who are increasingly savvy in using that kind of public -- but personal -- information for pinpoint attacks.

It's called "spear phishing," and it paid off last year in two especially high-profile security breaches: a Gmail attack that ensnared several top U.S. government officials and a separate attack on RSA, whose SecurID authentication tokens are used by millions. In both cases, the attackers successfully tricked their targets into opening e-mail attachments that appeared to come from trusted sources or colleagues.

"Businesspeople are using LinkedIn for research purposes, and headhunters and marketers use it to recruit. Why wouldn't Chinese intelligence agents use it as well to spear phish?" said security analyst Ira Winkler, the author of "Spies Among Us."

Most of the discussion about LinkedIn's risks was theoretical -- investigators say it's almost impossible to trace back the original source of personal data used in successful "social engineering" attacks.

The article goes on to describe a white-hat exercise by a hacker for hire who used LinkedIn to pick a high-profile company with lots of employees, created a fake LinkedIn profile, and sent connection requests to the company’s employees. Many responded and added him to their network.

As usual, security experts warn users to accept connections only from people they know. But given how open LinkedIn is, and thinking back to Kevin Mitnick’s presentation last week, it wouldn’t be that hard to mine the web for targets. Then you send out emails (or whatever) and look for ways into the network. That’s how spear phishing works, and people do it because it works.

Security companies are going to have to find a different way to protect against spear phishing, because current techniques are designed to catch very wide campaigns, not narrow, targeted ones. Countering spear phishing is a golden business opportunity.

* This article was published in March 2012 but I discovered it this week; I thought it fit well with my theme of “It’s a tough week to be LinkedIn.”