May 21 2016

Did LinkedIn Play “Crack Me If You Can”?

Back in June 2012, passwords for 6.5 million LinkedIn user accounts were compromised as the result of an attack by self-identified Russian cyber-crooks. Four years later, it turns out that the security breach was in fact much more severe than everybody thought or was prepared to admit.

Earlier this week, a spook from the past came back to haunt what is now the world's largest career networking service. On Tuesday, a Russian black hat (criminal hacker) who goes by the name of "Peace" appeared on two underground web shops attempting to sell off a treasure chest of no less than 117 million email/password combinations for a price of 5 BTC (bitcoin), or roughly $2,200 in cash. A couple of hours later, renowned Australian security expert Troy Hunt reported on his Twitter feed that the dump contained 167 million user records. By Thursday, experts at KoreLogic Security in Annapolis, Maryland, had obtained their copy and finally revealed the devastating details. According to their company blog, the full dump included

  • 164,590,819 unique email addresses, and
  • A total of 177,500,189 unsalted SHA1 password hashes, some 62 million of which were unique.

As if that wasn't already bad enough, the KoreLogic team – who specialize in password research – also announced that they had already cracked roughly 41.5 million, or two thirds, of those unique hashes within just two hours. The hashes in turn translated into old acquaintances like 123456, princess, and the ever-popular password. At the end of the working week on Friday evening, the numbers had gone up once again: by then, 49.3 million or nearly 80% of the unique hashes had been cracked, and some 12.5 million were left to be processed through KoreLogic's "private distributed cracking grid." (Strictly speaking, hashes are not decrypted; a cracker simply hashes candidate passwords until one produces the same digest.) Meanwhile, LinkedIn had decided to invalidate the passwords of all impacted accounts while trying to assure its user base that the compromised data had indeed been picked up during the 2012 attack – and not in a new, disastrous data breach.

So what exactly do these reports and new figures reveal about the state of password protection and password security? Probably a little less than one would expect. That's because LinkedIn quickly remedied at least a few of the ills that could have turned this week's leak into a catastrophic event. In particular, the career network now stores only salted password hashes. A salt does not make a single hash any harder to compute, but it defeats precomputed rainbow tables and forces an attacker to run every dictionary or brute force guess separately against each record instead of once against the entire dump, which makes such attacks both slower and less rewarding; only a deliberately slow hash such as bcrypt, scrypt or PBKDF2 on top of the salt makes each individual guess expensive as well. Likewise, LinkedIn has expanded its set of opt-in protection mechanisms, e.g. by offering two-factor authentication or email challenges in addition to standard username/password combinations.
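To make the difference between the 2012 storage scheme and a salted (and ideally slow) one concrete, here is an added Python example; it is not code from the article, from LinkedIn or from KoreLogic. The wordlist, the user records and the PBKDF2 work factor are constructed for illustration. The example builds a tiny dump three ways (unsalted SHA1, salted SHA1, salted PBKDF2), runs the same dictionary attack against each, and counts the hash computations the attacker had to spend.

```python
import hashlib
import hmac
import os

# Constructed sample data (not from the real dump): a tiny wordlist of the
# kind of passwords KoreLogic reported, and four users, two of whom share one.
WORDLIST = ["123456", "princess", "password", "linkedin", "qwerty"]
USERS = {
    "alice": "123456",
    "bob": "princess",
    "carol": "123456",
    "dave": "correct horse battery staple",  # not in the wordlist
}
ITERATIONS = 100_000  # assumed PBKDF2 work factor for the slow-hash variant


def sha1_unsalted(password: str) -> str:
    """Storage scheme of the 2012 dump: plain SHA1 of the password."""
    return hashlib.sha1(password.encode()).hexdigest()


def sha1_salted(password: str, salt: bytes) -> str:
    """Salted SHA1: a per-user random salt is prepended, but SHA1 stays fast."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def pbkdf2_salted(password: str, salt: bytes) -> str:
    """Salted and deliberately slow: PBKDF2-HMAC-SHA256 with many rounds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()


def build_unsalted_dump(users):
    """Identical passwords yield identical digests, visible to anyone holding the dump."""
    return {user: sha1_unsalted(pw) for user, pw in users.items()}


def build_salted_dump(users, hash_fn):
    """Each record carries its own random 16-byte salt next to the digest."""
    dump = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        dump[user] = (salt, hash_fn(pw, salt))
    return dump


def crack_unsalted(dump, wordlist):
    """Hash the wordlist once, then look every dump entry up in that table.
    Cost: len(wordlist) hash computations, however large the dump is."""
    table = {sha1_unsalted(word): word for word in wordlist}
    cracked = {user: table[digest] for user, digest in dump.items() if digest in table}
    return cracked, len(wordlist)


def crack_salted(dump, wordlist, hash_fn):
    """With per-user salts no table can be shared: every guess has to be
    recomputed for every record. Returns the cracked users and the guess count."""
    cracked, guesses = {}, 0
    for user, (salt, digest) in dump.items():
        for word in wordlist:
            guesses += 1
            if hmac.compare_digest(hash_fn(word, salt), digest):
                cracked[user] = word
                break
    return cracked, guesses


if __name__ == "__main__":
    unsalted = build_unsalted_dump(USERS)
    hits, work = crack_unsalted(unsalted, WORDLIST)
    print("unsalted SHA1: ", hits, "after", work, "hashes;",
          "alice and carol collide:", unsalted["alice"] == unsalted["carol"])

    salted = build_salted_dump(USERS, sha1_salted)
    hits, work = crack_salted(salted, WORDLIST, sha1_salted)
    print("salted SHA1:   ", hits, "after", work, "hashes")

    slow = build_salted_dump(USERS, pbkdf2_salted)
    hits, work = crack_salted(slow, WORDLIST, pbkdf2_salted)
    print("salted PBKDF2: ", hits, "after", work * ITERATIONS, "HMAC rounds")
```

Two things are worth noticing in the output. First, the unsalted dump leaks that alice and carol share a password before any cracking starts, and five SHA1 computations are enough to crack the whole dump no matter how many records it holds; with salts the attacker pays per record (nine guesses here), and with PBKDF2 each of those guesses costs 100,000 HMAC rounds. Second, the three weak passwords fall in all three schemes, which is exactly the article's closing point: hashing slows the attacker down, it does not make 123456 a good password.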

But even though these methods do increase safety, the company's reluctance to enforce them has also drawn heavy criticism from security experts who believe users are given too much leeway to stick with old habits and weak password/account protection. In a statement to British IT news service The Register, Fujitsu's Director Enterprise & Cyber Security EMEIA Rob Norris said this week's special offer "highlights the value of personal data, even years after a data breach" and that today's "entrepreneurial, well-sourced and motivated" black hats will not hesitate to grab whatever information they deem useful. Needless to say, this includes lists of valid usernames and email addresses that usually remain active for long periods of time and are considered worthwhile targets for spammers worldwide. Others expressed their deep concern about LinkedIn's inability to correctly estimate the scope of the 2012 breach. Still others continue to blast the company for its past failures, suggesting it did in fact play "Crack Me If You Can" with user credentials.

All things considered, however, none of these arguments can explain away our habit of opting for easy-to-remember and therefore easy-to-guess username/password combos. No salted hash will cure that.

