f********t | Posts: 6999 | 1
http://www.informationweek.com/news/security/attacks/240001623?

All users of the LinkedIn social network should immediately change their password.

Security experts began broadcasting that warning Wednesday after reports emerged that nearly 6.5 million LinkedIn password hashes--encrypted using SHA1, but not salted--had been posted to a Russian hacking forum on Monday, together with a request to help decrypt them.

Hackers have already reported breaking 163,267 of the passwords, reported Norwegian news outlet Dagen IT, which Wednesday broke the news of the LinkedIn password breach.

LinkedIn confirmed that it's investigating the potential password breach. "Our team is currently looking into reports of stolen passwords. Stay tuned for more," read a Wednesday tweet from LinkedIn News.

What should LinkedIn users do? "First change your LinkedIn password. Then prepare for scam emails about Linkedin password changes, linking to phishing sites. Will happen," said Mikko Hypponen, chief research officer at F-Secure, via Twitter.

Security expert Per Thorsheim tweeted that he'd reviewed the uploaded password hashes and recovered at least 300,000 of them. "The number of [occurrences] of 'linkedin' in those passwords leave little doubt about the origin. Change password NOW!" Meanwhile, a post from the Security Ninja website's Twitter feed noted that "after getting the list of @linkedin hashes and hashing my old pwd with no salt there is a match for the hash in the list." Accordingly, it said that it was "best to assume the worst and change your password."

Evidently, LinkedIn didn't salt its passwords--a practice recommended by security experts that involves adding a unique string to each password before encrypting it. Had the passwords been salted, it would have been more difficult for attackers to reverse the SHA1 password hashes. In fact, attackers may have already decrypted the passwords, and they may also have users' passwords and email addresses. "Although the data which has been released so far does not include associated email addresses, it is reasonable to assume that such information may be in the hands of the criminals," said Graham Cluley, senior technology consultant at Sophos, in a blog post.

The Computer Emergency Response Team of Finland (CERT-FI) Wednesday warned that many more than the 6,458,020 uploaded password hashes are likely to have been obtained by attackers. "Not all LinkedIn passwords have been published, but it is likely that an attacker is in possession of the rest of the passwords," it said.

According to LinkedIn, as of March 31, 2012, it had 161 million members.

CERT-FI also advised anyone who had reused their LinkedIn password on another site to immediately change it there as well, since it will be at risk of being hacked by anyone who downloads and reverses the uploaded LinkedIn password hashes.
f********t | Posts: 6999 | 2
http://leakedin.org/ You can check here whether your password has been leaked.

b***z | Posts: 2723 | 3
Is this a phishing site?
[Quoting f********t]
: http://leakedin.org/ You can check here whether your password has been leaked.
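The article's point about unsalted SHA1, and the check the Security Ninja tweet describes (hash your own password with no salt and look the digest up in the list), as an added Python example; this is not code from the article or from any poster, and the "leaked list" here is a small constructed stand-in built from known strings, with the salt construction (random bytes prepended before hashing) being an assumption since the article does not specify one.

```python
import hashlib
import os

def sha1_unsalted(password):
    """Hash exactly as the article says LinkedIn did: plain SHA1, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# Constructed stand-in for the leaked list: a handful of unsalted SHA1 digests
# built here from known strings so the demo runs offline. Not real leaked data.
CONSTRUCTED_LEAK = {sha1_unsalted(p) for p in ("linkedin", "qwertyu", "1234567", "Tr0ub4dor&3")}

def is_in_leak(password, leaked_hashes):
    """The Security Ninja check: hash your own password with no salt and look
    the digest up in the list. It only works because there is no salt, which is
    the same property that lets anyone with the list crack it by lookup."""
    return sha1_unsalted(password) in leaked_hashes

def new_salt():
    """16 random bytes per user; stored next to the hash, not secret."""
    return os.urandom(16)

def sha1_salted(password, salt):
    """Salted variant as the article recommends: a unique per-user string is
    combined with the password before hashing (assumption: salt is prepended)."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()

def same_hash_for_two_users(password, salted):
    """Two accounts that chose the same password. Unsalted: identical digests,
    so one lookup exposes both. Salted: different digests for each account."""
    if not salted:
        return sha1_unsalted(password) == sha1_unsalted(password)
    return sha1_salted(password, new_salt()) == sha1_salted(password, new_salt())

def salted_hash_hits_leak(password, leaked_hashes):
    """A precomputed table of unsalted digests (like the leaked list) no longer
    matches a password once it is hashed with a per-user salt."""
    return sha1_salted(password, new_salt()) in leaked_hashes
```

Running the lookup locally against a downloaded copy of the list means the password never leaves your machine, unlike pasting it into a third-party lookup page.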
m******y | Posts: 511 | 4
Heh, quite possibly. But I'm surprised that LinkedIn actually has over 100 million users.
[Quoting b***z]
: Is this a phishing site?
q*i | Posts: 78 | 5
The stock actually didn't drop?!

l**t | Posts: 10440 | 6
Their backer is GS!
[Quoting q*i]
: The stock actually didn't drop?!
n******6 | Posts: 1829 | 7
The Indians at LinkedIn are good at spin; Wall Street trusts Indians and not Chinese.
[Quoting l**t]
: Their backer is GS!
l**t | Posts: 10440 | 8
Wall Street trusts Jews even more, yet FB is doing just as badly.
What matters is still who backs you; that is far too important.
[Quoting n******6]
: The Indians at LinkedIn are good at spin; Wall Street trusts Indians and not Chinese.
l****4 | Posts: 486 | 9
Breaking news....
I've been in the war room for two days...
BTW, LI's business is thriving. Believe it or not.. :)

l**********r | Posts: 4612 | 10
A LinkedIn employee?
[Quoting l****4]
: Breaking news....
: I've been in the war room for two days...
: BTW, LI's business is thriving. Believe it or not.. :)
M****e | Posts: 1132 | 11
People are lazy. If you hit some keys continuously, such as 1234567, 2345678 or qwertyu, it is very likely that the password is leaked.