Skip to main content

LinkedIn breach .. the multiplier effect


Last week's high profile theft of password for the business networking site LinkedIn has been a topic of many news articles and blogs in the computing and security area.  There was a particularly interesting discussion of the issue of developers not understanding the security implications of using fast hashing algorithms which are intended for high-speed, on the wire, integrity checking such as SHA, for secure storage of passwords.  The argument here is that password hashes should actually use more computationally demanding (i.e. slower) algorithms.  This would increase the cost to the attacker in conducting a brute force attack to identify the correct plain text to match the encrypted passwords in the stolen file(s).

The immediate countermeasure that was publicised through media and through social network 'word of mouth' was that people should change their LinkedIn password.  Of course this created the opportunity for phishing attackers (unrelated to those who stole the passwords in the first place) to try and lure users to their own facade sites to try and get the passwords from users.  In the midst of all this, LinkedIn also sent out an e-mail to users instructing them to change their password.  According to Cloudmark, over 4% of the users who received this legitimate e-mail thought that it was a potential phishing attack and ignored the advice to change their password (thus thinking they had avoided the phishing attack but remaining vulnerable to the attackers who stole the passwords in the first place).  Cloudmark make the point that this is partly due to the fact the LinkedIn have a track record of generating lots of e-mail notifications and therefore users get into the habit of ignoring these e-mails.  However, it is not necessarily true that just because the user ignored the e-mail (i.e. marked it as spam/phishing), that they also didn't go ahead and visit the LinkedIn site directly and change their password anyway.

The one piece of advice I haven't seen in all this coverage is a reminder to people to think about their other service subscriptions where they might have used the same credentials as those used for LinkedIn.  Given the plethora of online services that people use nowadays, and the difficulty of remembering different passwords for each of them, I wouldn't be surprised if many people use the same username/password combinations across many of them.  In these cases, users need to change their login password on those services too.  Otherwise they might experience a multiplier effect of attacks on their other online accounts as a result of the LinkedIn breach.
Post a Comment

Popular posts from this blog

Visual programming for 'wiring' the Internet of Things

There is a proliferation of devices being developed to form the building blocks of the Internet of Things (IoT), from Internet-connected power sockets and light bulbs to kettles, toasters and washing machines. However, to realise the full potential of the IoT, it will be necessary to allow these devices to interconnect and share data with each other to deliver the functionalities required by end-users. In recent research on end-user programming for the IoT, my colleagues Pierre Akiki, Yijun Yu and myself have proposed the notion of Visual Simple Transformations (ViSiT), that provides a visual programming paradigm for users to wire together IoT devices. The video above shows a demonstration of the ViSiT solution and full details of the approach will appear in an upcoming special issue of the ACM Transactions on Computer-Human Interaction (ToCHI).

This work is highlighted in a recent IEEE Software Blog: Empowering Users to Build IoT Software with a Puzzle-like Environment and full deta…

Privacy-by-Design Framework for Internet of Things Systems

IOT-2016 7-9 September, 2016, Stuttgart, Germany from Charith Perera
Recent DDoS attacks on key internet services, like the attack that affected the Dyn domain name service, highlighted the security challenges associated with the proliferation of insecure Internet of Things (IoT) systems.  This attack exploited common vulnerabilities like the use of default administration passwords on IoT devices such as internet-enabled CCTV cameras, internet-enabled appliances and smart home devices, to recruit over hundreds of thousands of nodes into a botnet.   This capability highlights the cyber security threats associated with the IoT and brings into sharp relief the importance of considering both security and privacy when designing these systems.

In recent work, presented at the Internet of Things Conference, we describe a privacy-by-design framework for assessing the privacy capabilities of IoT applications and platforms.  Building on more general design strategies for privacy in informaiton …

Privacy Itch and Scratch

Ubiquitous computing technologies are being used to collect, process and share increasing amounts of personal information, from our location and physical activity levels to the things we buy and the web pages we read.  Although these developments have created a wealth of new applications that engage and entertain us, they also pose significant challenges for our privacy - particularly the challenge of maintaining awareness and control over our personal information flows as we go about our daily lives.

My colleagues, Vikram Mehta, Blaine Price and Bashar Nuseibeh, and I have been exploring new interaction metaphors for enhancing our privacy awareness and control.  Our earlier work in this area used haptic interactions through the users' smartphone to enable privacy controls to be configured by physically shaking and moving the device (PrivacyShake).   More recently we have been exploring the role of on-body interfaces to achieve more subtle and non-intrusive mechanisms for privacy …