A security analyst claims IT departments hit the snooze button following the Sony hack last year and are not doing enough to protect users online.
LinkedIn, eHarmony and Last.fm have all seen users' passwords stolen in the last 72 hours, with the same hacker suspected of stealing them all. But whoever took them, questions are now being asked about whether online services like social networks are doing enough to protect your identity and your personal information.
How the hacker managed to breach LinkedIn, eHarmony and Last.fm is still unknown, but what is known, at least in the case of the stolen LinkedIn passwords, is that the encryption used was non-existent, meaning that even a 13-year-old could crack them with little effort.
Security and forensic analyst with Lumension, Paul Henry, told IBTimes UK: "Any 13-year-old kid can do it. I think we'll see more people getting hit with similar breaches. We've known about this problem since the Sony incident last year and I have to wonder why more people haven't done something about it already."
The problem is that LinkedIn did not encrypt its users' passwords. Since the breach, LinkedIn has confirmed that it obscured its passwords using the SHA-1 hashing algorithm. While hashing a password is a form of encryption, it is not a very effective one.
Cracking a hashed password requires nothing more than an automated program like those offered on the Russian hacker forum InsidePro.com, where the leaked passwords were posted.
Salting the hash
Many security experts believe that LinkedIn should have 'salted' its passwords as well as hashing them, and Henry agrees: "LinkedIn should have salted the hashes, which would have made the possession of the hashes worthless to the hackers. Normally, you take a random set of characters or numbers, known as the salt, and apply it to the hash, making it impossible to reverse engineer the passwords because you would need the 'salt' to 'unhash' it."
Henry added: "It's important for companies to know that hashing is not encryption. Unless you're salting, it's trivial to reverse the hash." LinkedIn has now said it will add 'salts' to its passwords, but it seems to be a case of closing the stable door after the horse has bolted, particularly for the compromised users.
However, it is not like the LinkedIn, eHarmony and Last.fm breaches were the first of their kind to hit the headlines. Last year Sony suffered a major breach of its PlayStation Network, among other services, which saw millions of users' passwords and more personal information compromised.
Henry believes IT departments at all online services and social networks should have been woken up by this breach, but it seems as if a lot of them failed to take notice:
"Since the Sony hack, why haven't they looked at the way their own passwords are being stored and encrypted? There was a lot of visibility into this issue last year and something should have been done by now. If the Sony incident was a wake-up call, apparently IT hit the snooze button. This LinkedIn breach is another chance for everyone else to get it right. Hashing isn't enough and it never has been."
While 6.5 million accounts being compromised is not insignificant, there are much bigger targets out there for hackers, none more so than Facebook. So could the same thing happen to the $100bn social network?
"I don't know if Facebook is salting their users' passwords or not. If they are not, however, then yes, Facebook users should be worried because, as I said earlier, any 13-year-old script kiddie can reverse engineer the passwords if they're not salted."
It seems as if the focus for cybercriminals has switched from email to social networks as more and more people use these to communicate with friends and family as well as share personal information such as photos.
Graham Cluley, senior technology consultant with Sophos, a security research company, told the Financial Times: "Now they've [cybercriminals] switched over to social networks like Pinterest, Twitter and Facebook. The anti-spam features on these sites are nowhere near as mature as places like Hotmail and Gmail."
According to analysis by Kaspersky Lab, in April social networks replaced financial institutions as the top target for phishing attacks.
Users whose accounts have been breached will be worried about the consequences, and one of the main problems is that many people use the same password and user name for a variety of online accounts.
"If you're using that password anywhere else, as a lot of people do, you've got a serious issue and the information protected by that password can now be accessed by people you'd rather not have poking around in your personal business," Henry said.
In order to protect against such attacks in the future, Lumension has posted a number of helpful hints online, including changing your password on any site that uses that password, using a different password for each site and, where possible, selecting different secret security questions.