Wednesday, June 6, 2012

Dumb, Dumb, and Dumber


LinkedIn recently had a bit of a security problem that allowed people to access about 6 million user passwords. Actually they were unsalted hashes of passwords, and that is technically different, but effectively about the same in this case: an unsalted hash of a common password can be cracked with a precomputed lookup table in seconds. That was dumb. The password hashes should have been salted.

For the non-technical user, a password “hash” is a one-way scrambling of the password: the site stores the hash, not the password, and there is no direct way to turn the hash back into the password. The weakness is that the same password always produces the same hash. If I know which hash function was used, I can hash a list of likely passwords once and compare the results against every leaked hash at the same time, so one precomputed table cracks every account that used a common password. A process called “salting” mixes a random value, different for each user, into the hash. Knowing the hash function then no longer lets me crack all of the passwords at once; every hash has to be attacked separately with its own salt. (Salting alone does not save a weak password from a determined attacker; a hash function designed to be slow, such as bcrypt, is the other half of doing this right.)

On to the next “Dumb”. As an attempted “Public Service”, Mr. Chris Shiflett (http://shiflett.org/) put up the website LeakedIn.org so that users can check to see whether their password was one of the ones that was compromised. In order to do this you have to type in your LinkedIn password. Sorry, but despite good intentions on Mr. Shiflett's part, this is a dumb idea. You should never type your LinkedIn password anywhere other than at LinkedIn. If you are concerned that your password may have been one that was compromised, it is time to change it.

Now for the dumber. LeakedIn.org is not using SSL, or in other words its address does not start with https. When you go to a website that starts with http nothing is encrypted between your browser and the site. If you use public Wi-Fi then anyone nearby can capture your traffic (WPA2 encryption helps only against someone who does not have the network's password, and on a coffee-shop network everyone has it), and the same goes for any network between you and the site. For this reason any reasonable web site that asks for a password uses https (encrypted) for at least the part where you send your password. LeakedIn uses http, and that is really bad.

So, LinkedIn failing to use best practices when hashing passwords was dumb. Asking users to type in their LinkedIn password anywhere other than at LinkedIn is dumb. Asking a user to type in their password on a non-SSL site is even dumber!

For the more technical users who have looked at the code on the web site: yes, it is the hash and not the password that is returned to LeakedIn.org. But the problem LinkedIn has is that the unsalted hashes were leaked, and LeakedIn is having users send their unsalted password hash in plaintext across the web. An unsalted hash of a weak password is as good as the password itself to anyone who captures it.
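An added example (my own, not code from the original post, from LeakedIn.org or from LinkedIn) of what “unsalted” costs an attacker, and of why an unsalted hash captured in transit is no better than the password. The user records and the word list are constructed sample data, not entries from the actual leak; SHA-1 is used because that is what the leaked hashes were, and the salted variant uses plain salted SHA-1 only to isolate the effect of the salt (a real system would use a slow, salted hash such as bcrypt).

```python
import hashlib
import os

# Constructed sample "user database" stored the way LinkedIn stored it:
# unsalted SHA-1 of the password. None of these are real accounts or leaked values.
UNSALTED_DB = {
    "alice": hashlib.sha1(b"password1").hexdigest(),
    "bob": hashlib.sha1(b"linkedin").hexdigest(),
    "carol": hashlib.sha1(b"Tr0ub4dor&3").hexdigest(),  # not in the word list
}

# Constructed word list standing in for a real cracking dictionary.
WORDLIST = ["123456", "password", "password1", "linkedin", "qwerty", "letmein"]


def build_table(wordlist):
    """Hash every candidate once: a lookup table from hash to password."""
    return {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}


def crack_unsalted(db, wordlist):
    """One pass over the word list cracks every user at once.

    Returns (cracked, hashes_computed). The work is len(wordlist) no matter
    how many leaked hashes there are, because every hash is looked up in the
    same precomputed table.
    """
    table = build_table(wordlist)
    cracked = {user: table[h] for user, h in db.items() if h in table}
    return cracked, len(wordlist)


def salted_hash(password, salt):
    """Salted SHA-1: the per-user salt is mixed in before hashing.

    SHA-1 is kept here only to show the salt's effect in isolation; it is
    far too fast for real password storage. Use bcrypt/scrypt/Argon2.
    """
    return hashlib.sha1(salt + password.encode()).hexdigest()


def make_salted_db(passwords):
    """Store (salt, hash) per user with a fresh random 16-byte salt each."""
    db = {}
    for user, pw in passwords.items():
        salt = os.urandom(16)
        db[user] = (salt, salted_hash(pw, salt))
    return db


def crack_salted(db, wordlist):
    """With salts no table can be shared: each user costs a separate pass.

    Returns (cracked, hashes_computed). Worst case is
    len(db) * len(wordlist) hash computations instead of len(wordlist).
    """
    cracked = {}
    hashes_computed = 0
    for user, (salt, h) in db.items():
        for w in wordlist:
            hashes_computed += 1
            if salted_hash(w, salt) == h:
                cracked[user] = w
                break
    return cracked, hashes_computed


def crack_captured_hash(wire_hash_hex, wordlist):
    """What a passive observer does with an unsalted SHA-1 seen on an http://
    page: the same table lookup as against the leaked database. Returns the
    password, or None if it is not in the word list."""
    return build_table(wordlist).get(wire_hash_hex)


if __name__ == "__main__":
    found, work = crack_unsalted(UNSALTED_DB, WORDLIST)
    print(f"unsalted: cracked {found} with {work} hash computations")

    salted = make_salted_db({"alice": "password1", "bob": "linkedin",
                             "carol": "Tr0ub4dor&3"})
    found, work = crack_salted(salted, WORDLIST)
    print(f"salted:   cracked {found} with {work} hash computations")

    # Constructed capture: the hash a LeakedIn-style page sends over http.
    on_the_wire = hashlib.sha1(b"linkedin").hexdigest()
    print("captured hash cracks to:", crack_captured_hash(on_the_wire, WORDLIST))
```

Against the unsalted database a six-word list costs six hash computations and cracks both weak passwords; against the salted database the same two passwords still fall (salting does not rescue a weak password), but the attacker pays a full pass per user and can reuse nothing between accounts or across leaks. The last function is the LeakedIn case: a SHA-1 of a weak password sniffed off an http page cracks with the same lookup.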

©2012 Randy Abrams - Independent Security Analyst

7 comments:

  1. Right... except the site computes the SHA1 hash (in Javascript, on the page, read the effin SOURCE) and only tests that against the list of leaked hashes.

    Replies
    1. Encouraging users to enter their password where they should not, is always a dumb idea. Doing so on an unencrypted page is even dumber.

  2. Excellent article - in the last few hours I heard about leakedin.org, and when I checked the site I thought "now that's a clever trick for anyone wanting to harvest some passwords!".
    The moral of the story is to be very wary of entering any passwords somewhere "new". If in doubt, check with someone you trust, or do some internet research... plenty of knowledgeable people like Randy sharing their information online.

  3. Steve Gibson of GRC.com says it's safe. That's good enough for me.

  4. There is a difference between safe and smart. Typing your password into that site might be safe, but it is a dumb idea.

    Steve Gibson knows a bit about data recovery, but he isn't the go-to guy for security professionals.

    No responsible, rational, security professional will tell you that using leakedin.org is consistent with smart security practices.

  5. To Master Zap's point - not only were the hashes sent and not the actual passwords, the passwords in question are NOT associated with a user ID. Your point about being on a public wifi is boring at most - there are about 30 easier ways to pwn someone on a public wifi than 1) figuring out their linkedin user id 2) hoping the user uses leakedin and 3) capturing the hash on the wifi and then 4) brute forcing the hash to find the password and logging in to a user's linkedin profile.

    The reason shiflett and others put up these sites is to provide validation to what linkedin refused to admit for WAY too long - that they were hacked and that they are a publicly traded and audited company which used unsalted hashes for storing user passwords. Did linkedin bother to immediately reset people's passwords and send out an email address? No they did not. Does the hacker community react to irresponsible corporations - yes they do. Does SSL help in this situation - no.

  6. Anonymous? People are supposed to listen to anonymous security advice? You clearly miss the points here. Go back to http://randy-abrams.blogspot.com/2011/12/two-rules-you-damned-well-better-know.html and learn the concept of good security habits.

    If Shiflett or LastPass had put up a conspicuous notice that the proper way to use the tool is to first change your password, and then check your old password, I would not have a problem with that, but they didn't; they actively taught bad security practices.

    The hashes were what was leaked in the first place. It is insecure speculation that there were no usernames associated with it, however we do know for certain that when you send your password hash over the Internet it travels with your IP address and that can make the task of correlation magnitudes easier.

    You may think the public wifi angle is boring, but then you probably never saw Firesheep in action either.

    SSL ensures that the unsalted hash you send over the internet is encrypted. Yes, that helps.
