Since 2002, LinkedIn has been the social networking platform of choice for professionals and is ranked the number 12 site in the world. In early 2012, an estimated 150 million users were registered to the site, and it continues to grow rapidly. All this attention also made it a coveted target for attackers.
In early June 2012, a user on an online Russian user forum claimed to have downloaded about 6.5 million hashed passwords from LinkedIn. It was soon circulated around the internet in an apparent bid to have the user community help crack the passwords.
More alarming, 76% of the hashes, the ones belonging to weaker passwords (such as "secret"), had been marked within the file as already cracked; it was the more complex ones the attacker wanted help with. It was assumed that the attacker also had a corresponding file of user names.
Since the attack, a $5 million class action lawsuit has been filed against LinkedIn for failing to implement tighter security controls. It has also resulted in loss of goodwill by its user community for having failed to protect them better.
What Went Wrong
LinkedIn has not disclosed what led to the attack, but security professionals have already chimed in on what LinkedIn did wrong. It centers on how credentials were protected, both in transit and in storage.
First, LinkedIn failed to enforce using the HTTPS protocol for encrypting data when users log into the site. Even now, it's possible to log on via an unencrypted channel, meaning that your user ID and password are sent in plaintext. It's a major oversight considering other social networks like Facebook have been more proactive at pushing HTTPS.
The second issue is the scheme used to store user passwords: a plain SHA-1 hash. SHA-1 is a hash function rather than an encryption scheme, and while collision weaknesses have been published since 2005 and it is now considered broken for digital signatures, what matters for stored passwords is that it is fast. A commodity GPU computes on the order of billions of SHA-1 hashes per second, so an attacker can try every word in a large word list against every stolen hash cheaply, and each year's hardware makes that cheaper.
It also does nothing to stop weaker passwords from being discovered quickly. Attackers typically use precomputed tables: a word list hashed in advance, or a "rainbow table", which is a space-efficient form of the same idea. Each stolen hash is simply looked up in the table. Only passwords that appear in the word list are found this way; anything else must be brute-forced, which becomes impractical as password length and character set grow. Because the hashes were unsalted, every user who chose the same password has the same hash, so cracking one entry cracks all of them at once.
To defeat such lookups, websites add an extra layer of protection known as "salting". A salt is a random value, generated per user, that is mixed into the input of the hash along with the password. Two users with identical passwords then have different stored hashes, and a table precomputed without the salt matches nothing; the attacker must redo the work for every user. LinkedIn stored unsalted SHA-1 hashes, and this is what made bulk table lookups possible. One caveat: salting alone does not make a single guess any slower, so a weak password is still found quickly once an attacker targets that account, which is why current practice pairs a salt with a deliberately slow password hash such as bcrypt, scrypt, or PBKDF2.
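The following Python script is an added illustration of the three points above and is not code from the original article or from LinkedIn. It builds a small lookup table from a constructed word list, cracks a constructed set of unsalted SHA-1 hashes with it, shows that the same table matches nothing once per-user salts are added (the salt-prepended construction is an assumed one), and, going one step past the text, includes a PBKDF2 function to show what a deliberately slow hash looks like.

```python
import hashlib
import hmac
import os

# Constructed word list standing in for the attacker's dictionary of common passwords.
WORDLIST = ["123456", "password", "linkedin", "secret", "qwerty", "letmein"]


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1, the scheme LinkedIn used: same input, same hash, every time."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_lookup_table(wordlist):
    """Precompute hash -> password once. A rainbow table is a compressed form of this idea."""
    return {sha1_hex(p): p for p in wordlist}


def crack_unsalted(stolen_hashes, table):
    """One dictionary lookup per stolen hash; the same table serves every user."""
    return {h: table[h] for h in stolen_hashes if h in table}


def salted_sha1_hex(password: str, salt: bytes) -> str:
    """Salted SHA-1 (assumed layout: salt prepended), so identical passwords hash differently."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def new_salted_record(password: str):
    """Store (salt, hash); the salt is random per user and kept alongside the hash."""
    salt = os.urandom(16)
    return salt, salted_sha1_hex(password, salt)


def crack_salted(records, wordlist):
    """The precomputed table is useless here: every guess must be re-hashed with each user's
    salt, so the cost grows with users x guesses instead of one lookup per hash."""
    found = {}
    for user, (salt, stored) in records.items():
        for guess in wordlist:
            if hmac.compare_digest(salted_sha1_hex(guess, salt), stored):
                found[user] = guess
                break
    return found


def pbkdf2_hex(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Salt plus a deliberately slow hash: each guess now costs `iterations` HMAC calls."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def demo():
    # Constructed "stolen file": four users, two of them sharing a weak password.
    users = {"alice": "secret", "bob": "secret", "carol": "qwerty", "dave": "Xq7!vL2#pR9z"}

    # 1. Unsalted: identical passwords give identical hashes, and one table cracks the lot.
    unsalted = {u: sha1_hex(p) for u, p in users.items()}
    table = build_lookup_table(WORDLIST)
    cracked = crack_unsalted(unsalted.values(), table)
    unsalted_cracked = {u: cracked[h] for u, h in unsalted.items() if h in cracked}

    # 2. Salted: alice and bob no longer share a hash, and the table matches nothing,
    #    but a per-user dictionary attack still finds the weak passwords.
    salted = {u: new_salted_record(p) for u, p in users.items()}
    table_hits = sum(1 for _, h in salted.values() if h in table)
    salted_cracked = crack_salted(salted, WORDLIST)

    return {
        "same_hash_unsalted": unsalted["alice"] == unsalted["bob"],
        "same_hash_salted": salted["alice"][1] == salted["bob"][1],
        "unsalted_cracked": unsalted_cracked,
        "table_hits_against_salted": table_hits,
        "salted_cracked": salted_cracked,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the three weak accounts falling to a single table lookup in the unsalted case, zero table hits once salts are in place, and the same three accounts still falling to a per-user dictionary attack, which is the gap a slow hash like `pbkdf2_hex` closes by making each of those guesses cost a hundred thousand HMAC computations instead of one SHA-1.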
How LinkedIn Will Improve Password Protection
LinkedIn has acknowledged the weakness and has said it has begun salting its password hashes. This at least provides some additional protection for users who choose poor passwords, since each hash must now be attacked individually rather than looked up in bulk. Due to the ongoing investigation, however, LinkedIn has chosen to remain quiet on other security measures it will take.
As of this writing, LinkedIn will now also reject poor passwords. Typing in "secret" as a password choice will result in an error message, "Please choose a more secure password".
It's fair to say that LinkedIn will likely enforce the HTTPS protocol across the site in the future. Passwords would then be encrypted in transit from the user's machine to LinkedIn's servers, rather than travelling in plaintext.
It's unfortunate that LinkedIn failed to take these precautions in advance of its data breach, but it is on the right track. Let's hope that other websites have learned from this incident and review how they store and transmit their users' passwords. If you have any questions about your own IT security, contact an iCorps representative.