What We Can Learn from the LinkedIn Password Hack: Steps Employees and Employers Should Be Taking Now

 
by John Marsh 9. June 2012 17:35

On Thursday, LinkedIn announced that over 6.5 million of its members' passwords were taken and posted on a Russian hacker's site. If you were one of the 6.5 million (I was apparently one, according to the sites LeakedIn and Lastpass), you should know that ComputerWorld is reporting that more than 60% of the unique hashed passwords that were accessed and posted online this week have already been cracked, according to security firm Sophos. They have also been posted online for other hackers to exploit. 

What happened? LinkedIn’s user credentials were apparently compromised because it stored log-in information on its main Web servers instead of isolating those files on separate, secure machines whose only function would have been to verify log-in details. As ComputerWorld's report on the LinkedIn attack explains, there are multiple steps for hackers seeking to snatch and reveal users’ passwords. First, they must gain access to the passwords on a company’s computers. Once a hacker has gained access, he or she must overcome the next obstacle -- encryption, as most companies encrypt their passwords using protocols designed to protect users’ passwords from hackers’ incursions. 

That said, programs designed to defeat these protocols are ubiquitous. Once a hacker has his or her hands on the encrypted password bank, he or she merely uses the encryption breaking program to reveal the plain text of the passwords.

In order to defend against hackers and the encryption-defeating programs, organizations have developed a process known as “salting,” which strengthens the passwords before they are encrypted (by adding characters, for example), thus effectively creating a second layer of protection. It is at this stage that LinkedIn’s security methods are being criticized for being lax; rather than “salt” their passwords, LinkedIn apparently relied on a well-known encryption protocol that offered little resistance once the hackers had gained access to the passwords. 
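To make the salting point concrete, here is an added Python example; it is not code from the post or from LinkedIn, and what the post calls "encryption" is, strictly, one-way hashing. It assumes the weak scheme is a single unsalted SHA-256 and the stronger scheme is PBKDF2-HMAC-SHA256 with a random per-user salt; the usernames, passwords and word list are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample data (not LinkedIn data): two users who chose the same weak password.
USERS = {"alice": "password123", "bob": "password123"}

# Stand-in for a precomputed table of common passwords, keyed by their unsalted hash.
# Assumption: the weak scheme is one unsalted SHA-256 pass, as in the post's description.
COMMON_WORDS = ["letmein", "password123", "qwerty"]
PRECOMPUTED = {hashlib.sha256(w.encode()).hexdigest(): w for w in COMMON_WORDS}


def hash_unsalted(password: str) -> str:
    """Weak scheme: one SHA-256 over the password, no per-user salt."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Stronger scheme: random per-user salt plus a slow, iterated hash (PBKDF2-HMAC-SHA256)."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def lookup_in_table(stored: str) -> Optional[str]:
    """What a leaked unsalted hash gives away: a direct table lookup, no cracking work needed."""
    return PRECOMPUTED.get(stored)


def demo() -> dict:
    """Contrast the two schemes on the same leaked credential store."""
    unsalted = {u: hash_unsalted(p) for u, p in USERS.items()}
    salted = {u: hash_salted(p, os.urandom(16)) for u, p in USERS.items()}
    return {
        "unsalted_identical": unsalted["alice"] == unsalted["bob"],  # same password, same hash
        "unsalted_recovered": lookup_in_table(unsalted["alice"]),     # found in the table
        "salted_identical": salted["alice"] == salted["bob"],        # salts differ, hashes differ
        "salted_recovered": lookup_in_table(salted["alice"]),         # table is useless
        "salted_verifies": verify_salted("password123", salted["alice"]),
        "salted_rejects_wrong": verify_salted("password124", salted["alice"]),
    }
```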

This leak is not the first time that LinkedIn has been criticized for this kind of laxity. According to The Daily Mail, the LinkedIn mobile application was sending calendar entries, including phone numbers and passwords (when contained in the entry), to the LinkedIn servers without encrypting the data. 

Not surprisingly, criticism of LinkedIn continues to come from all quarters. For example, critics have pointed to the fact that LinkedIn has no C-level executive in charge of information or information security (it does have a Senior Vice-President, Operations) as a sign that it does not take these security issues seriously enough.

Unfortunately, the perceived problem of weak corporate protection of users’ passwords is not unique to LinkedIn. According to the UK's International Business Times, the problem is endemic, particularly in softer targets like social networks. Throw in the rise of spearphishing and whaling (i.e., targeted cyberattacks that use social media and other publicly available information to deceive unwary users) and you have the proverbial witch's brew over the Internet.

What Should You Do?  If you are one of the 6.5 million:
 
1.  Change your LinkedIn password immediately.

2.  Change all of your other passwords. Yes, I know it is a hassle, but I began doing it after learning that my password was leaked. In fact, if you have used your LinkedIn password or a simple variation of that password for other accounts or sites, you can bet that someone has or will try to access that account using that password.
 
What Can You Do to Protect Yourself and Your Company? Even if your password was not breached, the LinkedIn incident serves as an important reminder of password protection. Here are some basic steps that we all should be taking:

1.  Change your passwords every three months. Make it part of your quarterly routine.

2.  Don't use the same password for sensitive accounts, for the reasons noted above.

3.  Don't use the dictionary for passwords and avoid simplicity. Avoid favorite sports teams, pet names and other information that might be easily gleaned from social media. Slate has a nice article detailing techniques for coming up with hard-to-crack phrases and ideas for passwords.

4.  Choose your security questions wisely. As I noted last fall, cyberthieves are willing to spend the time trolling through your social media pages and if you have revealed information (anniversary dates, high school mascot, etc.), the answers to typical security questions can be provided through this publicly-available information.

5.  Store your passwords safely, preferably through a password manager. With all this password activity, it will be tough to keep track of all of your ever-changing passwords, so you should consider using a password manager, which is password-protected software that enables you to store all your usernames and passwords in a single place. The New York Times Bits Blog article on the LinkedIn attack identifies a number of password managers that work across platforms, including Splash Data, which offers password-management software for Windows, Macs and mobile devices, and Agile Bits with its 1Password software. Also, see Top Ten Reviews which has reviews of password managers for PCs.

6.  For employers, encourage your employees to follow these guidelines and have your IT staff force employees to change their passwords quarterly or face getting locked out.

A special thanks to my colleague Michael Shoenfelt, who helped me assemble this information quickly for this post. 

Cybersecurity | Social Media

Is Your Lawyer the Weakest Link? Hackers Are Now Targeting Law Firms to Get Secret Deal Data

 
by John Marsh 3. February 2012 10:30

A profoundly troubling article by Bloomberg details expanding efforts by hackers to attack system networks of law firms to cull confidential data on sensitive deals and transactions. According to the January 31, 2012 article entitled "China-Based Hackers Target Law Firms to Get Secret Deal Data," the attacks have been sufficiently serious that the FBI's cyber division convened a meeting with the top 200 law firms in New York City last November to address the rising number of law firm intrusions.

One attack in particular involved China-based hackers looking to derail a $40 billion acquisition of the world's largest potash producer by an Australian mining conglomerate. The hackers "zeroed in on offices on Toronto's Bay Street, home of the Canadian law firms handling the deal." According to the article:

"Over a few months beginning in September 2010, the hackers rifled one secure computer network after the next, eventually hitting seven different law firms as well as Canada’s Finance Ministry and the Treasury Board, according to Daniel Tobok, president of Toronto-based Digital Wyzdom. His cyber security company was hired by the law firms to assist in the probe. The investigation linked the intrusions to a Chinese effort to scuttle the takeover of Potash Corp. of Saskatchewan Inc. by BHP Billiton Ltd. as part of the global competition for natural resources, Tobok said. Such stolen data can be worth tens of millions of dollars and give the party who possesses it an unfair advantage in deal negotiations, he said."

Why law firms? The article quotes Mary Galligan, the head of the FBI's cyber division in New York, as observing that “as financial institutions in New York City and the world become stronger, a hacker can hit a law firm and it’s a much, much easier quarry.” Galligan's unit held the meeting with the 200 law firms as a result. “We told them they need a diagram of their network; they need to know how computer logs are kept,” the article quotes Galligan as saying of the meeting. “Some were really well prepared; others didn’t know what we were talking about.”

Mandiant, a cybersecurity firm based out of Alexandria, Virginia, estimates that 80 law firms were hacked last year. "Spear phishing" attacks (i.e., targeted attacks at particular individuals) or gaps when transitioning information to cloud storage sites are the preferred means of attack right now. At the November meeting, the FBI also recommended that the law firms review their mobility policies, including the security of e-mail linkups and mobile phones.

The takeaway? As trade secret lawyers, we frequently advise our clients on the importance of managing sensitive information -- i.e., limiting access, use of encryption, having sound security policies that are implemented, and creating a culture of security. To the extent that law firms are managing highly sensitive technical data or are involved in highly sensitive transactions, they need to apply their own advice to their employees and IT networks.

About John Marsh

I’m a Columbus, Ohio-based attorney with a national legal practice in trade secret, non-compete, and emergency litigation. Thanks for visiting my blog. I invite you to join in the conversations here by leaving a comment or sending me an email at jmarsh@hahnlaw.com.
