A tweet conversation yesterday finally snapped my brain into focus on the whole LinkedIn hack password debacle.
Someone had tweeted about the non-complex nature of the majority of the passwords from the hash dump and my snarky response was basically, “Who cares? After all, LinkedIn certainly didn’t, why bother when places don’t carry out due diligence?”
After all, it was only LinkedIn right? I mean, who’s not already “in the know” that this is the Mos Eisley of business networking right? Between all the cutout accounts and stupid headhunters, one really has to know that it’s just a business version of Faceyspace right?
Well, I guess there are some out there who are using it like it’s a super secure and wonderful tool to make “spook” contacts for intelligence gathering huh?
If anything we have seen that it has just turned into a festival of stupid commentary, casual hooking up, and one of the BEST tools for someone like Tommy Ryan to nab all kinds of .MIL and .GOV folks with their digital pants down more than anything else.
So they were hacked. Any of us in the business with half a brain “should” have been using throwaway passwords or phrases with the appropriate complexity anyway, and this includes the government and certainly the military people….
Well, it seems that this is not really the case….
ZOMG LinkedIn WASN’T PROTECTING MY PASSWORD!
So, once again we find that a company that people do in fact pay for was NOT performing the due diligence that they should be on behalf of their clients and protecting their passwords with salted hashes at the very least. Nope, no crypto of worth was at work within the rarefied digital confines of LinkedIn and WHO’DA THUNK IT?
Even after they found out they were hacked they did not really have a grasp on whether they “really” had been, and failed to issue an alert until later the same day (much later, like late afternoon) when word of the hack and proof of the dump had been out on the Russian hacker board since 6am EST.
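To show what “salted hashes at the very least” buys a defender, here is an added example (not code from the original post or from LinkedIn) that stores the same constructed sample passwords two ways: a bare unsalted SHA-1 per password, where everyone who picked “1234” gets the identical hash and one cracked value unlocks all of them, and a per-user random salt fed through a slow key derivation function (PBKDF2-HMAC-SHA256 here, an assumption chosen for the demonstration), where identical passwords produce unrelated digests and each guess costs a full derivation.

```python
import hashlib
import hmac
import os

# Constructed sample credentials for the demonstration only (not from any real dump).
USERS = {"alice": "1234", "bob": "1234", "carol": "correct horse battery"}
ITERATIONS = 200_000  # PBKDF2 work factor; tune upward as hardware gets faster


def unsalted_sha1(password: str) -> str:
    """The 'no crypto of worth' approach: one bare hash per password, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def duplicate_groups(table: dict) -> dict:
    """Group users whose stored hashes are identical.

    With an unsalted table, shared passwords are visible for free and a single
    cracked hash covers every account in the group.
    """
    groups = {}
    for user, digest in table.items():
        groups.setdefault(digest, []).append(user)
    return {d: users for d, users in groups.items() if len(users) > 1}


def salted_hash(password: str, salt: bytes = None) -> tuple:
    """Per-user random salt plus a slow KDF; returns (salt, digest) for storage."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt; compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    weak = {u: unsalted_sha1(p) for u, p in USERS.items()}
    print("users sharing an unsalted hash:", list(duplicate_groups(weak).values()))
    strong = {u: salted_hash(p) for u, p in USERS.items()}
    print("salted digests for alice and bob differ:",
          strong["alice"][1] != strong["bob"][1])
    print("alice login with correct password:", verify("1234", *strong["alice"]))
```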
Now, given the past history of security gaffes and certain unsavory people/accounts on LinkedIn over the recent few years, and LinkedIn's lackadaisical attitude towards security, is it any surprise that this all happened? That LI was not protecting the password database to BASIC security standards? After all, they just take your money so you can hit up the pretty recruiters right? No security needed there…
Nah. Hell, they don’t even have a CIO/CSO/CISO do they? Who needs them huh? C’mon “We no need your stinkin CISO”... Oopsies.
So what does the “INFOSEC Community” have to gripe about here? I mean, gee, we already kinda knew their posture right? You should have collectively had your throwaway password anyway, so no biggie. Yet, look at all the hue and cry here!
ZOMG The 6 MILLION Passwords Were On The Whole SIMPLE AND INSECURE!!!
Yup, that headline says it all really. You see, people on average don’t really care about their passwords nor do they really have the security awareness to even attempt to create complex ones. I mean, hey, it’s as simple as downloading a password manager/vault that creates them for you with good complexity as well as saves them for you to look upon when you forget right?
*Evidently, THAT is too hard for the majority of end users… Hangs head…*
Nope, all too many people had simple passwords like 1234 for their access to a site where they lay bare much of their business and social data it seems. Oh, and did I also mention that in the same day there was a vuln released on their iOS app that was thieving YOUR calendar data?
Oh yeah, nice! I guess it’s all just human nature to be lazy and create passwords that are easy to remember but this is just getting silly people. One wonders just how many of those people replicate those silly passwords on to other sites like their email or maybe their bank huh?
Oh my…. That many? We’re DOOMED.
Look, I have said it before and I will say it again, our own natures provide the largest attack surface. In the case of LinkedIn and the six million passwords there are two:
- Laziness on the part of the company not salting and hashing the passwords to basic standards, and laziness on the part of the end users not creating stronger passwords
- A STUNNING lack of situational and security awareness on the part of both parties
It’s simple really, if you are a pentester or a criminal, all you need do is remember the axiom that human nature will always be the undoing of many security systems. Trust in stupidity son…
ZOMG The Security Industry FAILED To Teach Us All About Strong Passwords!!!
Meanwhile, there was a great hue and cry by the twits on my feed and in articles on Island and other places on how the industry (as well as LI) failed once again in the security space. We evidently do not have enough “evangelistas” out there teaching the wretched masses about the wonders of proper password choice. We are just not reaching them and when we see things like this we then go on ad nauseam chiding them or in most cases just pointing our collective fingers and laughing.
Yeah, that’ll teach ’em. I can feel their collective IQs rising now.
I guess my question is can we even really inculcate these things when the basic human nature is to not use our frontal lobes too much? We have too many passwords now and it’s hard! C’mon, just lemme do 1234 it’s gonna be fine because the company is protecting my data! How do I know? Oh, cuz they have this pretty graphic here with a lock on it!!
If you believe that, I have this bridge I’d like to sell you.
Look, all you INFOSEC people out there lamenting, stop. Breathe. The simple truth is that you cannot win this battle unless YOU are in direct control of the systems that would FORCE password complexity on the end users. The sad fact is too many of us aren’t actually in control; it’s the C-levels who are in the end, we just tell them what would be best for the security of the business.
It just so happens that much of the time these measures cost money, or, more likely, inconvenience the workers, and the perception is that work and PROFIT would suffer from your newfangled security measures.
No, you cannot do that. The workers will revolt and we will lose productivity Sonny Jim! That would affect the bottom line.
ZOMG You INFOSEC Weenies Are MISSING THE POINT!
Ok, so, it happened. LinkedIn handled it exceedingly poorly, and there is a great cry upon the internets over it all. People were tweeting and blogging, exhorting users to CHANGE THEIR PASSWORDS on LinkedIn but were failing to give a more nuanced warning.
“Uhhh, but, LI wasn’t sure they were hacked, how they were hacked, or IF they were still hacked!”
GO NOW! CHANGE YOUR PASSWORDS!
But, what about the whole password re-use thing? Any mention of that? Or that if you change your password, it may yet again be leaked because they may still be hacked?
Yup, bang up job people.
The real point for me is this salient fact: LinkedIn and other companies like Sony have shown time and again that they DON’T CARE about YOUR data. Always remember this people. So, you want an account on these places, then you best make a throwaway password and limit the data you put on the sites that host it. Otherwise, there will be a compromise like this one and not only your data there, but elsewhere (if you re-use or iterate passwords) will be up for the taking.
What this also means is that business in general doesn’t get it nor care to and this is the most important point.
Either we demand they all do better or we just let them carry on leaking our data.
Cross-posted from Krypt3ia