LinkedIn lawsuit, stealing your password via LinkedIn phishing, password reuse

The fallout over the password breach continues for LinkedIn, which is facing a $5 million class-action lawsuit [PDF] after 6.5 million users had their passwords stolen. The company is accused of not following industry standards for security, but the really interesting part of the lawsuit is that it points directly at LinkedIn’s privacy policy. Number six, “Security” states, “Personal information you provide will be secured in accordance with industry standards and technology.” That comes down to how exactly industry standards are defined.

Although LinkedIn claims to have enhanced its security now and will protect accounts by “hashing and salting of our current password databases,” other security and privacy experts believe the company was negligent. Sophos senior technology consultant Graham Cluley told InformationWeek “Salting password hashes has been good practice for 20 years or more. LinkedIn wasn’t salting its password hashes. As a result, in my opinion, LinkedIn failed to meet minimal standards that users would expect them to follow to secure their information.”

This leads us to your daily dose of healthy paranoia, which comes from Reuters TV and Anthony De Rosa in “How a hacker can use LinkedIn to swipe your password.” The video shows how an attacker can target a company and use the social network of professionals, LinkedIn, to target individuals who work there as well as find their email addresses. While LinkedIn does not show users’ email addresses, it does allow for good old-fashioned social engineering pretexting to plan the attack; anyone can search for everyone who claims to work at a specific company. If the attacker knows the company’s standards for email addresses, such as first initial, last name @acmefakecompany.net, then voila. With that list of email addresses the attack can begin.

In this case an email template was created to look exactly like it came from LinkedIn to alert you of a friend request. If a person were to click on it, in this case you would actually login to LinkedIn to keep suspicion as bay, but it also sends your session password back to the attacker’s server. Core Security’s Alex Horan said an attacker can do two things with that password. The first is to login to LinkedIn and “harvest all the information of people connected to them.” The second is to find out if that password has been reused on another site. Of course, LinkedIn is only an example as a cybercrook could use any site for phishing or spear phishing attacks.

Most of how to protect yourself is common sense, like don’t click on a link in email, but go directly to the site. If someone has invited you to join their network, you will be alerted of that on the actual site. There are script-kiddie kits to help in creating such phishing emails. When asked to comment, LinkedIn recommended for members to “connect only with people that they know and trust” and “use common sense and tools available to them to ensure that they don’t fall prey.”

The video’s security advice said to close the browser, then open it again before typing in your bank’s URL and logging into the financial site. Then close the browser when you’ve concluded your business. Open the browser again and continue to surf.

Furthermore, you might consider seeing just how much you reuse your LinkedIn password. Inspired by Mozilla’s Collusion, Paul Sawaya came up with the Firefox add-on Password Reuse Visualizer that is precisely what it says and can help us to truly visualize password reuse.

It’s a pretty cool eye-opener if you’ve reused your passwords. Even if you used similar passwords, your own lax security might make you a bit ill. Sawaya wrote:

What you’re seeing here is a rendering of my password reuse. The green dots (nodes) represent the passwords I’m using, and each small blue dot represents a site I’m using it on.

Hover over a password and see its visual hash.

Some users like to make many slight variations on the same password. That’s fine, but still an example of password reuse. When the visualization detects two similar passwords, it connects them with a square orange node. You can look at this and pretty quickly figure out where you should start changing your passwords first, and which passwords you should stop reusing.

Like this? Here’s more posts:

• The more you encrypt, the more the government breaks into your cloud
• Study Finds 1 in 2 Americans are ‘Clueless’ about Webcam Hacking
• Track the trackers with Collusion: Interview with Mozilla’s Ryan Merkley
• Microsoft ‘sorry’ for raunchy Windows Azure video with dancing girls, bad sexual lyrics
• Sanitize Microsoft Office: How to remove personal metadata
• The Future of Drone Surveillance: Swarms of Cyborg Insect Drones
• Male or female, who’s the better social engineer? Battle of the SExes!
• Apple and Google Maps: Will eye-in-the-sky ‘spy planes’ place our privacy at risk?
• Is Microsoft right and W3C wrong about Do Not Track being turned on by default?
• NSA claims it would violate Americans’ privacy to say how many of us it spied on
• Bill proposes to protect Americans’ privacy from warrantless drone surveillance
• Feds investigate who leaked classified Stuxnet cyberattack details to NYT
• This is why people pirate Windows
• Going Dark in the Golden Age of Cyber-Surveillance?
• FBI Creates Surveillance Unit to Build Backdoors into the Web

Follow me on Twitter @PrivacyFanatic