So, no one has said boo about the LinkedIn breach?
The bell curve predicts that our community will have people with breached
passwords on that site, and some percentage of those people reuse those same
passwords elsewhere. If not true for you, it is likely true for the user
community you serve.
What I have passed on to our communications folks about getting a message out:
------------------------
Please note that LinkedIn has weighed in with a carefully worded blog post:
http://blog.linkedin.com/2012/06/06/linkedin-member-passwords-compromised/
Time is of the essence if a comm to employees is to have a positive impact.
Further details:
1. The leak took place on June 4.
2. LinkedIn was using unsalted SHA-1 for their password store.
3. FYI, there are *two* lists. The second one appears to be from eHarmony. Unsalted MD5 was used there.
4. The posted passwords are believed to be ones the cracker wanted help with, i.e., they have significantly more already cracked.
Stressing "time is of the essence": phishing emails are already active in the wild based on the crack:
http://bits.blogs.nytimes.com/2012/06/06/that-was-fast-criminals-exploit-linkedin-breach-for-phishing-attacks/
This isn't your average breach. People put their *real* identifying data on the LinkedIn site, by design.
I suggest the comm also should tell people not to click on any links in email to reset LinkedIn accounts. LinkedIn has specifically said they will not do that; it's a scam if you receive such a solicitation.
Let me gently suggest some elements of that communication.
1. If you have a LinkedIn password, it has been stolen. Go change it - now.
I purposely chose a throwaway unique password for that LinkedIn site. It's not that I'm a genius - it's that my work exposes me weekly to depressing information security developments. So first thing, prevent your LinkedIn account from being used by someone else.
2. Go change every other website login that uses that same password. Now. Even if you use a different username with that password.
If you can't remember all of those, at least do all the ones you do remember. If you sometimes tell your browser to remember your credentials for login, look at the browser's stored values now (insert appropriate example for IE, Firefox, Chrome). Go change all of them, and make them unique.
3. Discuss with your spouse/significant other/partner/family if the password was used on a shared account site (e.g., a common bank account). Repeat step #2 for every instance where the password is common to another website.
Concluding thought:
This incident is one that has happened before and will happen again. Reused passwords are a powerful tool used by criminals to leverage access to a multitude of sites with relative ease. Don't help them. Ask any victim of identity theft about the ongoing angst they experience. There is no quick fix.
One possible other element of that comm:
This has nothing to do with how strong your password is. It is strictly based on how strong the security defense is at the site under attack, and how strong and persistent the attack is.
_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/
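The post's detail that LinkedIn stored unsalted SHA-1 (and eHarmony unsalted MD5) is what makes a dumped hash list so cheap to crack and why password reuse across sites is the real damage. The following is an added example, written by the editor and not part of the original list message or of anything LinkedIn published. All user names, passwords, the word list and the hashes are constructed here; the "leaks" are simulated in memory. It contrasts a lookup attack on an unsalted SHA-1 store with the same attack against per-user salted hashes, and shows an iterated, salted store (PBKDF2-HMAC-SHA256 from Python's standard library) as the alternative a site should have used.

```python
import hashlib
import hmac
import os

# Constructed sample data for this example only; not LinkedIn or eHarmony data.
WORDLIST = ["123456", "password", "linkedin", "Summer2012", "letmein"]

USER_PASSWORDS = {
    "alice": "password",
    "bob": "Summer2012",
    "carol": "password",      # same password as alice
    "dave": "tr0ub4dor&3",    # not in WORDLIST, so no method below recovers it
}


def sha1_unsalted(password: str) -> str:
    """The scheme the post attributes to LinkedIn: sha1(password), no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def crack_unsalted(leaked: dict, wordlist: list) -> tuple:
    """Build one hash->word table and look every leaked hash up in it.

    Cost is len(wordlist) hash operations no matter how many users leaked, and
    two users with the same password fall to the same table entry."""
    table = {sha1_unsalted(w): w for w in wordlist}
    found = {user: table[h] for user, h in leaked.items() if h in table}
    return found, len(wordlist)


def sha1_salted(password: str, salt: bytes) -> str:
    """Same hash, but with a per-user random salt prepended."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def crack_salted(leaked: dict, wordlist: list) -> tuple:
    """No shared table is possible: each user's salt forces a fresh pass over
    the word list, so cost grows with users x words, and identical passwords
    no longer share a hash."""
    found, ops = {}, 0
    for user, (salt, h) in leaked.items():
        for w in wordlist:
            ops += 1
            if hmac.compare_digest(sha1_salted(w, salt), h):
                found[user] = w
                break
    return found, ops


def store_pbkdf2(password: str, iterations: int = 200_000) -> tuple:
    """What a site should store instead: random salt plus a slow, iterated hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, digest


def verify_pbkdf2(password: str, record: tuple) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def build_leaks() -> tuple:
    """Simulate the two kinds of password store leaking."""
    unsalted = {u: sha1_unsalted(p) for u, p in USER_PASSWORDS.items()}
    salted = {}
    for u, p in USER_PASSWORDS.items():
        salt = os.urandom(16)
        salted[u] = (salt, sha1_salted(p, salt))
    return unsalted, salted


if __name__ == "__main__":
    unsalted, salted = build_leaks()
    print("unsalted SHA-1:", crack_unsalted(unsalted, WORDLIST))
    print("salted SHA-1:  ", crack_salted(salted, WORDLIST))
    rec = store_pbkdf2("password")
    print("pbkdf2 verify:", verify_pbkdf2("password", rec), verify_pbkdf2("Password", rec))
```

Run it and note two things: alice and carol have identical unsalted hashes, so one table lookup exposes both, and the whole unsalted list costs five hash operations to attack regardless of how many million users were in it. Salting does not stop a dictionary attack against a fast hash like SHA-1; it only removes the shared table. The PBKDF2 record adds the per-guess cost that actually slows an attacker down, which is why the post's point stands: the user's password strength mattered far less than the site's choice of storage scheme.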