A confirmed fact in the LinkedIn breach is that LinkedIn used poor encryption to store its passwords, says CTO of we45
BANGALORE, INDIA: By now, many of you reading this article might have received an email from LinkedIn saying that their system was breached and passwords were stolen. They would probably have reset your password by now, so the next time you log in, you are forced to change it. Surprising as it may be, it's true. 6.5 million user credentials were stolen from LinkedIn’s databases and posted online for the world to see. If such an attack can be perpetrated against an Internet stalwart like LinkedIn, you should sit up and take notice of how to prevent such “happenings” at your company and its website.
Although it is unconfirmed, it is highly likely that LinkedIn’s hackers used SQL Injection to gain access to sensitive user information. SQL Injection is a devastating attack, where an attacker can use the website’s forms and fields to inject queries to the backend database and force it into providing sensitive data that the attacker can use to extract sensitive information from the organization’s website/web application. The Database is the organization’s storehouse, where everything from user credentials, to credit card information to financial information is stored. It is inherently meant to be safe against prying eyes, especially those of an attacker, and if that itself is compromised, then there is little hope for data security in the organization.
SQL Injection is a rare occurrence and it is only found on a few websites and apps. In our tests we find it in 9 out of 10 websites. Usually, in under 10-15 minutes we are able to dig out any detail we need from the database, by attacking a poorly coded website or web app.
A confirmed fact in the LinkedIn breach is that LinkedIn used poor encryption to store its passwords. The encryption was of lower grade and could be easily cracked by the attackers. Let me explain how this works. Once an attacker has access to the database and finds User Information in the Database, the attacker is interested in usernames and passwords that are used (by the users) to login to the application. The passwords should (ideally) be encrypted or hashed, to protect against the possibility that the attacker will be able to decrypt this information. However, the quality of the encryption or hashing is highly important. If the encryption is low grade or poor, then the attacker would be able to decrypt said information and render this protection measure completely useless.
LinkedIn used hashing to render its passwords unreadable. It used an industry standard algorithm called “SHA-1” to render passwords unreadable in its database. However, LinkedIn failed to use salts to strengthen its hashing process. Salting is a process by which additional random characters are added to each password before it is hashed, so that the resulting hash is much harder to crack. Salting of hashes is considered best practice today. In fact, recently, for a web application my company was testing, we were able to access the database with a SQL Injection attack and then to crack user passwords that were hashed with the same SHA-1 algorithm. For a relatively poor “all-letters” password of up to 5 characters, we were able to crack passwords at the rate of a single password every 3 seconds.
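The two storage schemes described above, as an added example that is not part of the original article: an unsalted SHA-1 store, in which identical passwords share one hash and a precomputed hash-to-password table cracks every dump it is applied to, beside a salted, iterated PBKDF2 store. The user records and the wordlist are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample users; two of them chose the same weak password.
USERS = {"alice": "apple", "bob": "zebra", "carol": "apple"}

# Constructed wordlist standing in for a dictionary of common passwords.
WORDLIST = ["hello", "apple", "zebra", "money", "qwert"]

PBKDF2_ROUNDS = 200_000  # iteration count chosen for this example


def sha1_unsalted(password: str) -> str:
    """The weak scheme: one fast SHA-1 over the bare password, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def lookup_table(wordlist):
    """Precompute hash -> password once; it works against any unsalted dump."""
    return {sha1_unsalted(w): w for w in wordlist}


def recover_unsalted(stored, table):
    """Map each stored hash straight back to a password via the table."""
    return {user: table.get(h) for user, h in stored.items()}


def store_salted(password: str):
    """Hardened form: a random per-user salt plus a slow, iterated hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def demo():
    """Return (what the table recovers, whether alice and carol share a salted hash)."""
    stored = {u: sha1_unsalted(p) for u, p in USERS.items()}
    cracked = recover_unsalted(stored, lookup_table(WORDLIST))
    salted = {u: store_salted(p) for u, p in USERS.items()}
    same_salted_hash = salted["alice"][1] == salted["carol"][1]
    return cracked, same_salted_hash
```

With the unsalted scheme alice and carol are visibly the same password before any cracking starts; with per-user salts each PBKDF2 digest is unique and the precomputed table cannot be reused.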
So if you are worried (and you should be) and want to take some action about the websites and web applications in your own organization, here are some tips to get you started:
Test your website / web app NOW!!!
There are several ways to compromise a website or web application, and testing for security is seldom performed by even the most diligent or high-tech organizations. So, without doubt, have third party security personnel test your site / app comprehensively for security flaws. Chances are 9 times out of 10, you will find something disturbing. When you do....
One of the most important protections for a website or web app is to develop it securely. Train your developers to build web applications securely, based on secure coding practices and conventions. Lack of this leads to devastating attacks like SQL Injection. Such attacks can be easily prevented with secure coding practices adopted by developers. For instance, SQL Injection can be thwarted by properly validating all input from users.
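The coding defect behind SQL Injection and its fix, as an added example that is not part of the original article: a lookup that concatenates a form field into the query text, beside the same lookup written as a parameterised query, plus the allow-list input validation the tip recommends as a second layer. The in-memory SQLite table and its rows are constructed for the example.

```python
import sqlite3


def build_db():
    """Constructed in-memory users table standing in for the application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-of-alice"), ("bob", "hash-of-bob")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """Defect: the form field is pasted into the SQL text, so quotes in the
    input change the query's meaning instead of being treated as data."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return sorted(row[0] for row in conn.execute(sql))


def find_user_safe(conn, username):
    """Fix: a parameterised query. The driver binds the value as data, so the
    input can never be parsed as SQL, whatever characters it contains."""
    sql = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(sql, (username,)))


def looks_like_valid_username(username):
    """Allow-list validation: defence in depth, not a substitute for binding."""
    return username.isascii() and username.isalnum() and 1 <= len(username) <= 32
```

The tests below use the textbook input that turns the WHERE clause into an always-true condition; the parameterised version simply finds no user with that literal name, and the validator rejects it before it reaches the database.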
Encryption provides a dangerous sense of security. More often than not, encryption is poorly implemented, without much regard to architecture. This lulls organizations into a false sense of security where they believe that critical information is encrypted and is completely secure. Encryption must be strong and implemented carefully in an application.
Users tend to use poor passwords on most systems they use. What’s worse? They keep the same password across multiple sites they use, like Email, Facebook, etc. Enforcing strong passwords is a critical requirement, simply because in the event of a security breach, strong passwords are infeasible to crack.
Hesitance to implement Information Security measures for your website and web application is not valid anymore, especially if having a web presence matters to your company. LinkedIn has suffered credibility damage across the board, being widely ridiculed for its security stance. So the question really is: Would you like to learn at the cost of other sites? Or become a data breach statistic yourself?
(The author is CTO, we45 Solutions India Pvt. Ltd, an Information Security Company)