LinkedIn passwords compromised. Social network poisoning & other risks

It has happened: today the news spread that the passwords of users of LinkedIn, the best-known business social network, have been stolen and leaked on the Internet. The company, through its blog, has confirmed the event, declaring that more than six million passwords were compromised. The published message follows:

We want to provide you with an update on this morning’s reports of stolen passwords. We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts. We are continuing to investigate this situation and here is what we are pursuing as far as next steps for the compromised accounts:

  1. Members that have accounts associated with the compromised passwords will notice that their LinkedIn account password is no longer valid.
  2. These members will also receive an email from LinkedIn with instructions on how to reset their passwords. There will not be any links in these emails. For security reasons, you should never change your password on any website by following a link in an email.
  3. These affected members will receive a second email from our Customer Support team providing a bit more context on this situation and why they are being asked to change their passwords.

The company also informed its members that it is currently investigating the data breach, without giving more information on the exact number of exposed accounts. LinkedIn is considered a mine of information on business and government personnel, holding a huge quantity of confidential data on more than 160 million members.

The data breach was made public when a user posted, on a Russian forum specializing in hash cracking, a message claiming to have hacked and uploaded almost 6.5 million LinkedIn passwords, according to The Verge.

 

On the Imperva Data Security Blog some interesting hypotheses have been published that lead to the conclusion that the real dimension of the data breach is bigger. Imperva's experts noted that the leaked file does not contain what they define as "easy" passwords, such as "123456", which are traditionally the most used; maybe the hacker published only the more complicated passwords. Another factor suggesting that the number of stolen passwords is bigger is that each password is listed only once: the list does not reveal how many times a password was used by members, so a single entry in the list can correspond to more than one account.

On Twitter many users are reporting in these hours that they have found the hash of their LinkedIn password in the list published on the Internet, while the company is informing users that it is analyzing the published data in order to advise its customers. The digest of the LinkedIn passwords is computed with the SHA-1 algorithm; although the algorithm itself is considered secure, it is relatively simple to discover weak passwords from the hashes.
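The two points above (why a weak password can be recovered from a leaked SHA-1 digest, and why a deduplicated list of digests undercounts the affected accounts) are easiest to see side by side with the storage scheme that avoids both problems. The following Python is an added example, not code from the original post or from LinkedIn; it assumes the leaked digests are unsalted SHA-1 of the password alone, and every hash and wordlist entry in it is constructed from made-up passwords so that it runs offline.

```python
import hashlib
import hmac
import os


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of the password, as assumed for the leaked list."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed stand-in for a leaked list: digests computed here from made-up
# passwords, NOT entries from any real dump.
LEAKED_UNSALTED = {sha1_hex(p) for p in ["linkedin", "Summer2012",
                                          "correct horse battery staple"]}

# Constructed wordlist of common choices; a real one has millions of entries.
WORDLIST = ["123456", "password", "linkedin", "Summer2012", "qwerty"]


def recovered_from_wordlist(leaked_hashes, wordlist):
    """Wordlist entries whose unsalted SHA-1 appears in the leak.

    Because there is no salt, one SHA-1 per candidate word is compared
    against every account at once, which is why weak passwords in such a
    list fall in seconds even though SHA-1 itself is not broken here.
    """
    return sorted(w for w in wordlist if sha1_hex(w) in leaked_hashes)


def is_my_password_exposed(password, leaked_hashes):
    """How an individual user can check a leaked unsalted list for a password."""
    return sha1_hex(password) in leaked_hashes


# Hardened storage: a random per-account salt and a deliberately slow KDF.
# 100000 PBKDF2 iterations is an illustrative value, not a recommendation
# from the post; pick it for your own hardware and threat model.
ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh salt is drawn when none is supplied."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of a recomputed digest against the stored one."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def unsalted_entries(account_passwords):
    """Distinct list entries if accounts are stored as unsalted SHA-1.

    Two accounts with the same password collapse into one entry, which is
    the deduplication effect that makes a leaked list undercount accounts.
    """
    return len({sha1_hex(p) for p in account_passwords})


def salted_entries(account_passwords):
    """Distinct entries under salted PBKDF2: one per account, even for
    identical passwords, so a leak of this store could not be deduplicated."""
    return len({hash_password(p)[1] for p in account_passwords})


if __name__ == "__main__":
    print("recovered:", recovered_from_wordlist(LEAKED_UNSALTED, WORDLIST))
    accounts = ["linkedin", "linkedin", "Summer2012"]
    print("unsalted entries:", unsalted_entries(accounts),
          "salted entries:", salted_entries(accounts))
```

The salted store is what a user's password-change advice is really about: once a digest is public, the only protection left for that account is that the password is changed and not reused elsewhere, because a salt only slows the attacker down, it does not revoke the leak.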

To avoid any kind of problem, it is suggested to change passwords immediately as a precaution, especially if they are shared among different Internet services and reused for accounts on other platforms.

The LinkedIn hack is considered really serious because of the nature of the popular social network, which is mainly business oriented. LinkedIn members share information about their professions and assignments in private business and also in government. This characteristic makes the social network different from others such as Facebook, since it exposes sensitive information on the business or career relationships of the members.

By accessing a LinkedIn account it is possible to acquire a lot of information on the victim, their relations and their participation in events and discussions related to specific professional areas. It is clear that this information could form the basis for other types of attack and for cyber espionage. Just last month a serious vulnerability was found in the authentication process of LinkedIn; the news was published on the Spanish blog of the security expert Fernando A. Lagos Berardi. The article reported a vulnerability in LinkedIn that allowed a user's password to be obtained.

By analyzing the relationships of a victim it is possible to discover their current engagement, trace their past experiences and specialization, and possibly use their profile to reinforce the reputation of fake accounts and members, poisoning the professional network.

Starting from the assumption that the Internet, and social networks in particular, lack a coherent and safe management of digital identity, last year I introduced the concept of social network poisoning as the effect produced by the application of methods designed to make the knowledge related to a profile and its relationships unreliable. The application of this kind of attack on a large scale could lead to the collapse of social networking and could expose members to the risks of cyber espionage and other cyber crime such as identity theft.

In the same way as "route poisoning" (which affects telecommunications networks), "poisoning actions" are conducted with the aim of polluting the contents of social network profiles, typically by introducing artifacts and relationships alongside the real ones, thus making the information unreliable. The result is the failure of the chain of trust on which all social networks are based, and the aim is to prevent search engines specifically developed to retrieve information of any kind about a particular profile from doing so.

The main poisoning tools currently hypothesized, and viable in a future scenario, are:

  • Identity replacement: the ability to impersonate another user for a wide variety of intelligence and social engineering purposes.
  • Identity simulation: creating a false profile, which does not correspond to any existing person, for malicious purposes or simply to remain anonymous.
  • Profile fuzzing: the deliberate introduction of false and/or non-matching elements into one's own profile to deceive intelligence systems, to hinder OSINT activities or for other forms of personal gain.
  • Social graph fuzzing: the deliberate association with groups and individuals that have nothing to do with one's interests and relations, with the intention of introducing "noise" into one's social graph.
  • Building of personal/social bots: creating a large number of fake profiles (e.g. millions of fake profiles) managed by machines, able to interact with real users in a plausible way, thus changing the "sentiment" and the "conversation" on a large scale, altering the whole social graph and precluding meaningful correlations on the data.
  • Black curation: the use of real users' "holes" or fictitious ones to speak on topics whose meaning one wants to change, or to create new ones ad hoc, by analogy with the black SEO (search engine optimization) already used on search engines.

During this transition it is suggested to consider carefully which profiles to add to our network, given the possibility that some of them have already been compromised, giving cyber criminals or spies access to the information shared in the profile.

Social networks such as LinkedIn are also used by many government officials all over the world; don't forget, for example, the attacks made months ago against NATO's most senior commander using the Facebook platform. Intelligence agencies and Western industry are still too vulnerable to all kinds of attacks, so it is absolutely necessary to define cyber strategies to deal with incidents like those described.

In the last year an impressive growth of state-sponsored attacks has been observed, aimed at stealing information that gives the sponsors an economic, political and military advantage.

Many times we have spoken of Advanced Persistent Threats (APT); the term usually refers to a group, such as a foreign government, with both the capability and the intent to persistently and effectively target a specific entity. It is commonly used to refer to cyber threats such as cyber espionage, but applies equally to other threats such as traditional espionage or social engineering attacks.

Another real risk is that in these hours a massive phishing campaign could be launched inviting LinkedIn users to change their passwords, which might provide additional information to criminals. Typically such campaigns are accompanied by the strategic dissemination of malware for many different purposes: the user receives an email with a link (although LinkedIn has excluded this possibility for its own emails) which redirects him to an infected web site.
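LinkedIn's own statement gives defenders a usable rule: a genuine password notice from the company contains no links. The following Python is an added example, not code from the original post, LinkedIn or any mail product, showing how a mail filter or a user-awareness tool could apply that rule to incoming messages. The trusted domain list, the trigger phrases and the three sample messages are all constructed for the example; in particular the From: header is deliberately not trusted, since it is trivially forged, and the verdict rests on the links in the body.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Assumption for this example: the only domain a real LinkedIn link
# could point to. A deployment would maintain this list itself.
TRUSTED_DOMAINS = ("linkedin.com",)

# Wording that marks a message as a password-reset notice for our purposes.
RESET_PHRASES = ("reset your password", "change your password",
                 "password is no longer valid")

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def host_is_trusted(host: str) -> bool:
    """True only for a trusted domain or one of its subdomains.

    The suffix test is anchored on a dot, so a lookalike such as
    'linkedin.com.example.net' is rejected: its suffix is 'example.net'.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def message_body(msg) -> str:
    """Concatenate the text/plain parts (the constructed samples are single-part)."""
    if msg.is_multipart():
        return "\n".join(part.get_payload() for part in msg.walk()
                         if part.get_content_type() == "text/plain")
    return msg.get_payload()


def classify_reset_mail(raw: str) -> str:
    """Verdict for one raw RFC 822 message."""
    msg = message_from_string(raw)
    body = message_body(msg)
    if not any(p in body.lower() for p in RESET_PHRASES):
        return "not-a-reset-notice"
    links = URL_RE.findall(body)
    if not links:
        # Consistent with the vendor's stated practice: no links at all.
        return "reset-notice-without-links"
    off_domain = [u for u in links
                  if not host_is_trusted(urlsplit(u).hostname or "")]
    if off_domain:
        return "phishing-suspect: off-domain link"
    # Even a link to the real domain contradicts the "no links" statement.
    return "phishing-suspect: reset notice carries a link"


# Constructed sample messages (not real mail). The phishing sample spoofs
# the From: header, which is why the verdict ignores it.
GENUINE_NOTICE = """From: LinkedIn <no-reply@linkedin.com>
Subject: Your LinkedIn password

Your LinkedIn account password is no longer valid. Please reset your password
from the Settings page after signing in. This email contains no links.
"""

LOOKALIKE_LINK = """From: LinkedIn Security <security@linkedin.com>
Subject: Urgent: change your password

Due to the breach you must change your password now:
http://www.linkedin.com.account-check.example/reset?id=1234
"""

REAL_DOMAIN_LINK = """From: LinkedIn <no-reply@linkedin.com>
Subject: Reset your password

Please reset your password here: https://www.linkedin.com/settings
"""

if __name__ == "__main__":
    for name, raw in [("genuine", GENUINE_NOTICE),
                      ("lookalike", LOOKALIKE_LINK),
                      ("real-domain link", REAL_DOMAIN_LINK)]:
        print(f"{name}: {classify_reset_mail(raw)}")
```

The third sample matters: a notice that links to the real domain is still flagged, because the rule being enforced is the vendor's statement that its notices carry no links, not merely that links must look legitimate.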

I conclude by reiterating that similar events may have serious impacts if not properly managed; at this stage, awareness of the threat and timeliness of information are crucial.

The detailed instructions for changing the password follow:

Changing Your Password:

  • Never change your password by following a link in an email, since those links might be compromised and redirect you to the wrong place.
  • You can change your password from the LinkedIn Settings page.
  • If you don’t remember your password, you can get password help by clicking on the Forgot password? link on the Sign in page.
  • In order for passwords to be effective, you should aim to update your online account passwords every few months or at least once a quarter.

 

Pierluigi Paganini

References

http://it.wikipedia.org/wiki/Social_Network_Poisoning
