-
Latest from the Blog
- Cyber Group Offers Special Update on Chinese Threats on May 29
- Assume the Enemy is Already on Your Network and Look for Them
- Caswell to Speak at Healthcare Security Summit in Los Angeles on May 21
- When Your High Walls and Wide Moats Fail
- Discovery of Confidential Records are Potential Identity Theft Danger
- So Your Twitter Account was Hacked…
- AP Hack Proves that Social Engineering Awareness is Necessary for Businesses
- Compliance and Forensics Experts Talk to Two Nashville Groups Thursday
- BYOD Is Great for Business, But Is It Secure?
- The New HIPAA Omnibus Rule and Your Business
-
Archives by Date
Archives by Category
Blogroll
- Anton Chuvakin
- AverageSecurityGuy
- CloudAve
- DarkReading – All Stories
- Electronic Discovery Law
- Emergent Chaos
- ExploitSearch *
- Forensic Focus Blog
- HolisticInfoSec
- InfoSec Daily Podcast
- Jeremiah Grossman
- SANS Application Security Street Fighter
- SANS Computer Forensic Investigations and Incident Response
- SANS Internet Storm Center
- SANS Mastering Windows (In)Security
- SANS Security Leadership Blog
- Schneier on Security
- SecuriTeam Blog
- Security Bloggers Network
- Security Catalyst
- Security Padawan *
- Security Sociability
- Securosis
- Staff Twitter Bill Dean *
- Staff Twitter John McNeely *
- Storefront Backtalk
- TaoSecurity
- The Ashimmy Blog
- Twitter – Adam Compton
- Twitter – Adrian Sanabria
- Twitter – Stephen Haywood
- Vicious Circle of Security *
- Vitalsecurity.org
- Windows Incident Response
800-810-1885
Your Partner for a Secure Future
© 1997-2013 Sword & Shield Enterprise Security, Inc.
LinkedIn, Are You Kidding Me?
Stephen Haywood
This LinkedIn security breach has put me in a foul mood. I can’t decide if these developers were lazy or stupid. Right now, I’m inclined to believe they are both. The dangers of unsalted password hashes have been known for many years.
A quick Google search will show you this article from 2004 that explains why salting is important and even gives you code to do the salting. There is absolutely no excuse for any web developer anywhere in the world to store plaintext, or unsalted password hashes, period.
The best part of this breach is LinkedIn’s own blog. My favorite quote:
It’s not enhanced security. It is the most basic thing you can do to protect your customer’s data. It costs next to nothing to add salted password hashes to a database. If LinkedIn can’t be trusted to protect your data at such a low cost, what can they be trusted with?
I also love this line:
Don’t get too excited about the email addresses not being published and lose sight of the fact that they were stolen in the first place.
Here is another gem:
Just thinking out loud here, but if someone broke into LinkedIn’s database months ago and stole the passwords and LinkedIn didn’t know about it until the passwords were published, do you think LinkedIn is qualified to determine if any unauthorized access has taken place? Let that sink in for a minute.
I don’t usually rant like this but I’m so tired of seeing stupid security mistakes. Everyone worries about advanced persistent threats (APT), which account for maybe 1 in 100 data breaches. The other 99 data breaches occur because people aren’t doing Information Security 101.
Stephen Haywood is a security analyst at Sword & Shield Enterprise Security. He has more than ten years experience in the information technology field working as a programmer, technical trainer, network operations manager, and information security consultant. He holds a Bachelor of Science in Math and a number of industry certifications, including the Certified Information Systems Security Professional (CISSP), Offensive Security Certified Professional (OSCP), and GIAC Penetration Tester (GPEN). His blog is www.averagesecurityguy.info. Follow him on Twitter @averagesecguy.