nanog mailing list archives

Re: LinkedIn password database compromised


From: AP NANOG <nanog () armoredpackets com>
Date: Wed, 20 Jun 2012 15:30:58 -0400

I normally don't respond and just sit back leeching knowledge, however this incident with LinkedIn & eHarmony strikes close to home. Not just because my password was in this list of dumped LinkedIn accounts, but the fact that this incident struck virtually every business professional and corporation across the world. Please bear with me while I ramble a few thoughts...

The real problem with authentication falls on "trust". You either have to trust the website is storing the data securely or some other party will verify you are who you really are. Just as in the example of the DMV. If you think about your daily life you have put your entire life on display for the world. You trust the DMV with your driver's license information, address, social security number, heck they are even asking for email now. If you're active or prior military you have given that same information, plus DNA and fingerprints. Think about how much information about you and your habits occur from simply using "rewards" cards, or "gas points". You, meaning users, give up your identity every day and with little regard, but when it comes to a website or tracking you across websites we throw our hands up and scream "stop".

Please don't get me wrong, I am a HUGE fan boy of privacy and protection of data, but responsibility ultimately falls back on the user. Those users who do not know any better are still at fault, but it is our job to educate them in better methods of protection.

So the question falls back on how can we make things better?

The fact that we must trust people outside ourselves is key. We need to explain the importance of things such as KeePass (http://keepass.info/), and pass-phrases, rather than words. Below is an example, my password which was leaked during the LinkedIn dump, but till I started using this as an example the likelihood of the hash being cracked was VERY slim. Use this as an example of how to select a password for websites and how even if the hashes are dumped the likelihood of cracking it is slim.

Password:  !p3ngu1n_Pow3r!
SHA1 Hash: b34e3de2528855f02cf9ed04c217a15c61b35657
LinkedIn Hash: 00000de2528855f02cf9ed04c217a15c61b35657

To crack this pass-phrase using the following systems it would take the associated amount of time:

$180,000 cracker it would take roughly 2 decades, 7 years to complete the crack
$900 cracker it would take 3 centuries, 3 decades to complete the crack
Average graphics card it would take 15 centuries to complete the crack
Average desktop computer would take 795 centuries to complete the crack

Now what does this mean in the scheme of things? You cannot trust any website, third party identity verification, one time password, etc. You can only trust yourself in creating a password that even if dumped will make it nearly impossible to crack. Use some form of nomenclature to identify a website separate from the base pass-phrase, thus giving you individual "passwords" and in turn if one site gets dumped the others remain safe.

Practicality is more along the lines of what the solution is. It is not practical to develop a pub/priv solution because of the user themselves, it is however practical to educate everyone we meet, preaching to them how to make simple changes can increase their protection tenfold.

A similar question though comes from "Website xyz.com was just dumped, how do I know if my password was in this group?". Just from previous experience, organizations release the warning stating they had a breach, but it normally takes a good bit of time, as seen with LinkedIn, for them to release who was part of this dump. If they ever really do, sometimes it becomes a blanket "We were breached please change your password." story. If a website you have been using is breached then I revert back to the original statement saying that the issue becomes trust. In the early days of LinkedIn websites claiming to check your password against the database dump were popping up left and right. Is it truly wise to jump to these sites and put your password, which potentially will take decades to crack, into a website that claims to check it without storing that password anywhere? I know there are sites which were created by companies and individuals with outstanding reputations, however it was outside my control and thus not trusted. I decided to write a small, very simple, Python script that will run on your local machine and allow you to check your password against the dump of hashes. Right now it only does the LinkedIn dumps, but my goal is to do any dump; all you have to do is point it to the file. I also then decided to take a little longer on the next release and learn to code in a GUI for users who may not be a techie. I will continue to work on the GUI release, but if you want to get that release email me and I'll make sure you are aware of its release.

Until then I hope this helps those who may not feel comfortable about checking a password against a website and trusting that website doesn't store your password.

http://www.armoredpackets.com/hashcheck_a_small_piece_of_mind

I also hope that my explanation about how trust is the real issue, and that ultimately you can't trust any site nor any method. That by making simple, yet effective, changes in how you create and use passwords will protect you long enough to safely change the passwords/pass-phrases for all your sites.

Back to leeching knowledge :-)

Keep up the great conversations!

- Robert Miller
(arch3angel)

On 6/13/12 3:54 PM, Grant Ridder wrote:
Hi Everyone,

I thought that I would share an IEEE article about LinkedIn and eHarmony.

http://spectrum.ieee.org/riskfactor/telecom/security/linkedin-and-eharmony-hacked-8-million-passwords-taken/?utm_source=computerwise&utm_medium=email&utm_campaign=061312


-Grant

On Wed, Jun 13, 2012 at 1:05 PM, Phil Pishioneri <pgp+nanog () psu edu> wrote:

On 6/8/12 7:22 PM, Luke S. Crawford wrote:

I haven't found any way that is as simple and as portable as using
ssh that works in a web browser.

The Enigform Firefox Add-on (plus mod_openpgp on Apache httpd) seems
similar:

http://wordpress.org/extend/plugins/wp-enigform-authentication/

  Enigform is a Firefox Add-On which uses OpenPGP to digitally sign
outgoing HTTP requests and Securely login to remote web sites, as long
as the remote web server is Enigform-compliant.

-Phil
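
Added example, not part of the original thread and not the HashCheck script linked in Robert Miller's message: a minimal local check of a password against a file of unsalted SHA-1 hashes, matching both the full digest and the form with the first five hex digits zeroed, as in the "LinkedIn Hash" line of the message. The function names, the one-hash-per-line file layout and the sample dump are assumptions made for illustration.

```python
import hashlib
import sys
from getpass import getpass

MASK_LEN = 5  # the LinkedIn entry quoted in the message has 5 leading hex digits zeroed
HEX = set("0123456789abcdef")

def sha1_hex(password):
    """Unsalted SHA-1 of the UTF-8 password, as 40 lowercase hex digits."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def masked(digest):
    """Return the digest with its first MASK_LEN hex digits replaced by zeros."""
    return "0" * MASK_LEN + digest[MASK_LEN:]

def load_dump(lines):
    """Collect well-formed 40-hex-digit entries; skip blanks and junk lines."""
    entries = set()
    for line in lines:
        entry = line.strip().lower()
        if len(entry) == 40 and set(entry) <= HEX:
            entries.add(entry)
    return entries

def check_password(password, entries):
    """Return 'exact', 'masked', or None. Nothing leaves the local machine."""
    digest = sha1_hex(password)
    if digest in entries:
        return "exact"
    if masked(digest) in entries:
        return "masked"
    return None

# Constructed sample dump (not real leaked data): one full hash, one masked
# hash, and two lines a real dump file might contain that must be ignored.
SAMPLE_DUMP = [
    sha1_hex("constructed-example-1") + "\n",
    masked(sha1_hex("constructed-example-2")).upper() + "\r\n",
    "# not a hash\n",
    "\n",
]

if __name__ == "__main__":
    if len(sys.argv) > 1:  # optional: path to a local dump file, one hash per line
        with open(sys.argv[1], encoding="ascii", errors="replace") as fh:
            dump = load_dump(fh)
    else:
        dump = load_dump(SAMPLE_DUMP)
    # getpass keeps the password out of shell history and off the screen
    print(check_password(getpass("Password to check: "), dump) or "not found")
```
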





