Thursday 7 June 2012

Password Reuse

The reports in the last 24 hours of stolen password hashes from LinkedIn, eHarmony and Last.fm show that criminals are targeting users' credentials. A point made by Imperva was that the LinkedIn list published on a bulletin board appeared to contain no repeated hash values, which suggests that duplicates were stripped before it was posted and that the number of compromised accounts is likely to be higher than the original figure.

The reason for this is that passwords are not unique: the user ID is unique, but nothing stops different users choosing the same password, and hashing the same password with the same algorithm produces the same hash value, so one entry in a de-duplicated list of hashes can stand for many accounts. Had the hashing process included a salt (a random value stored with each account) the same password would produce a different hash for each user. An article on the Register website http://www.theregister.co.uk/2012/06/07/linkedin_admits_data_breach/ indicates that LinkedIn did not use a salt in the original hashing procedure.
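The effect of a salt described above, as an added example that is not part of the original post: a constructed set of six accounts (not real data) is hashed once without a salt and once with a per-account salt, and the two tables are compared. Unsalted SHA-1 is used for the weak scheme because that is what LinkedIn was reported to be using; PBKDF2-HMAC-SHA256 is the example's choice for the salted scheme, and the wordlist and account names are made up for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not real data): two pairs share a password.
ACCOUNTS = [
    ("alice", "linkedin123"),
    ("bob", "Password1"),
    ("carol", "linkedin123"),   # same password as alice
    ("dave", "correcthorse"),
    ("erin", "Password1"),      # same password as bob
    ("frank", "s3cr3t!"),
]

# Constructed attacker wordlist for the dictionary-attack demonstration.
WORDLIST = ["123456", "linkedin123", "Password1", "letmein"]


def unsalted_sha1(password: str) -> str:
    """Unsalted SHA-1 of the password: identical passwords give identical hashes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256; the salt is stored alongside the hash."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Re-derive the hash from the stored salt and compare in constant time."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def hash_table(accounts, salted: bool) -> dict:
    """Build a user -> stored-hash table with either scheme."""
    rows = {}
    for user, pw in accounts:
        rows[user] = salted_hash(pw, os.urandom(16)) if salted else unsalted_sha1(pw)
    return rows


def distinct_hash_count(rows: dict) -> int:
    """Number of distinct hash values: what a de-duplicated leak would contain."""
    return len(set(rows.values()))


def accounts_sharing_hash(rows: dict) -> dict:
    """Group users whose stored hash is identical (only possible without a salt)."""
    groups = {}
    for user, h in rows.items():
        groups.setdefault(h, []).append(user)
    return {h: sorted(users) for h, users in groups.items() if len(users) > 1}


def dictionary_attack_unsalted(rows: dict, wordlist) -> dict:
    """One precomputed table of hash(word) recovers every matching account at once."""
    lookup = {unsalted_sha1(w): w for w in wordlist}
    return {user: lookup[h] for user, h in rows.items() if h in lookup}


def dictionary_attack_salted(rows: dict, wordlist) -> dict:
    """With salts the same attack must run the slow hash once per account per word."""
    cracked = {}
    for user, stored in rows.items():
        for w in wordlist:
            if verify_salted(w, stored):
                cracked[user] = w
                break
    return cracked


if __name__ == "__main__":
    weak = hash_table(ACCOUNTS, salted=False)
    strong = hash_table(ACCOUNTS, salted=True)
    print("accounts:", len(ACCOUNTS))
    print("distinct unsalted hashes:", distinct_hash_count(weak))
    print("distinct salted hashes:  ", distinct_hash_count(strong))
    print("users sharing a hash:", accounts_sharing_hash(weak))
    print("cracked via one lookup table:", dictionary_attack_unsalted(weak, WORDLIST))
```

Six accounts produce only four distinct unsalted hashes, so a de-duplicated dump of four lines actually covers six accounts, which is the point Imperva made. With per-account salts every row is distinct, and the attacker gets no shared lookup table: each guess has to be re-hashed against each account's own salt.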

If the attackers can crack the hashes and recover the passwords, the affected accounts are vulnerable. Once notified of the breach, users will be changing their passwords, and this will lead to a rise in phishing scams that invite users to click a link to change their password but redirect them to malicious websites or harvest additional credentials and personal information from them.

Even though the hack has been well publicised and users will be changing their passwords, the list of passwords will still be of value, as users often use the same password on a number of accounts. Anyone who has done this should change that password immediately on every account where it was used, not just the breached one.

Recommended actions

Change the password on the hacked account
Be wary of emails about LinkedIn, eHarmony and Last.fm, especially any asking you to follow a link to reset a password
Use different passwords on different accounts
