July 25, 2014

TechRadar’s user database stolen

(LiveHacking.Com) – Following the break-in at LinkedIn, popular British technology site TechRadar.com has sent an email to its users informing them of a security breach. According to the email, user details including username, email address, date-of-birth and encrypted passwords have been stolen. It looks as if the hackers managed to breach the site via the forums. The email goes on to explain, “the forums have been closed and will remain closed until we are satisfied that there are no further issues and the forum can be safely restored to service.”

The biggest danger is not that the hackers have your password to the TechRadar site, but rather that you may be using the same password on other websites. If so, you need to change those passwords immediately. The situation was the same when LinkedIn was breached, with the added twist that user data on LinkedIn was also potentially more valuable.

As always, the email contained the usual platitudes: “our IT team launched an investigation immediately and has identified the cause of the problem and taken action to rectify it.” and “we take the security of your data extremely seriously and we apologize for any inconvenience caused.”

It seems that the break-in was discovered by TechRadar itself, or that it was reported privately, as there does not yet seem to be any news of the database being posted publicly, as was the case with LinkedIn.

The TechRadar email mentions that the passwords were “encrypted”; however, there are no details on what kind of encryption was used or whether the passwords were salted. The problem with the LinkedIn breach was that the passwords were stored as hashes without salt. This meant that hackers were able to crack a large portion of the passwords very quickly.

TechRadar says it will contact its users again shortly with instructions on how to update passwords.

LinkedIn Confirms That Millions of User Passwords Have Been Posted Online

(LiveHacking.Com) – LinkedIn has confirmed that passwords posted onto a Russian hacking forum belong to LinkedIn accounts. The hacker uploaded 6,458,020 hashed passwords, but no usernames. There is no current confirmation that the hacker obtained the usernames as well, but it is very likely that the hacker does have them and has simply chosen not to post them online. The passwords are an unsalted list of SHA-1 hashes, which should be hard to crack; however, the SHA-1 algorithm isn’t foolproof and isn’t collision-free. Simple dictionary passwords will be easy enough to crack by computing the SHA-1 of each word and then looking in the password list for any occurrence of that hash. These 6.5 million password examples will now be used to populate rainbow tables and will be an obvious choice for seeding a dictionary attack against any future database leaks.
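As an added illustration (not from the original article, and not LinkedIn's or TechRadar's code) of why the unsalted hashes described in both stories above fall so quickly: a table of SHA-1 digests precomputed once for a constructed five-word dictionary recovers any matching leaked hash with a single lookup, whereas the salted PBKDF2 scheme below gives each user a different digest for the same password, so no shared table applies. The wordlist and the round count are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

# Constructed stand-in for a cracking dictionary of common passwords.
WORDLIST = ["password", "123456", "linkedin", "letmein", "qwerty"]
PBKDF2_ROUNDS = 100_000  # assumption: chosen for this example, tune to your hardware

def sha1_unsalted(password: str) -> str:
    """The weak scheme from the leak: bare SHA-1 of the password, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()

def build_lookup_table(words: Iterable[str]) -> Dict[str, str]:
    """Precompute digest -> word once; an unsalted store lets one table serve every user."""
    return {sha1_unsalted(w): w for w in words}

def recover_unsalted(leaked_hashes: Iterable[str], table: Dict[str, str]) -> Dict[str, str]:
    """Every leaked digest present in the table is recovered by a single dictionary lookup."""
    return {h: table[h] for h in leaked_hashes if h in table}

def pbkdf2_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hardened scheme: a fresh 16-byte random salt per user plus a slow, iterated KDF."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

def verify_salted(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = pbkdf2_salted(password, salt)
    return hmac.compare_digest(candidate, stored)

if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    # Constructed "leak": one dictionary word, one passphrase not in the dictionary.
    leaked = [sha1_unsalted("linkedin"), sha1_unsalted("correct horse battery staple")]
    print("recovered from unsalted list:", recover_unsalted(leaked, table))
    salt_a, digest_a = pbkdf2_salted("linkedin")
    salt_b, digest_b = pbkdf2_salted("linkedin")
    print("same password, two users, digests equal?", digest_a == digest_b)
```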

LinkedIn has disabled the compromised accounts and is sending users an email with instructions on how to reset their passwords. It is worth noting that there will not be any links in this email. This is because phishing attacks often rely on links in emails that lead to fake sites designed to trick people into typing in their password. Once the password has been reset, any affected members will receive a second email providing a bit more context on this situation and why they are being asked to change their passwords.

LinkedIn has recently added some more security to their system including better hashing and salting of the password databases.

LinkedIn SSL and Cookies Vulnerability

Rishi Narang, an independent security researcher, has revealed that LinkedIn contains security vulnerabilities that could allow hackers to access user accounts. According to Rishi, “there exist multiple vulnerabilities in LinkedIn in which it handles the cookies and transmits them over SSL. This vulnerability if exploited, can result in hijacking of user accounts, and/or modifying the user information without the consent of the profile owner.”

LinkedIn (like most sites) uses session and authentication cookies to determine if a request originated from an authenticated user.

The first vulnerability discovered by Rishi is that the secure flag isn’t set on these cookies which means that the cookie will be transmitted in clear-text if the user visits any HTTP URLs (rather than HTTPS) within the cookie’s scope.

The second problem is with the expiration date of these cookies. Authentication-related cookies normally expire in a few hours (or even minutes for financial websites), but LinkedIn’s cookies expire after one year.
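An added example (not part of the article or of LinkedIn's systems) of how the two cookie weaknesses just described can be caught in a response audit: the checker parses a Set-Cookie header and flags a missing Secure attribute and a lifetime longer than a chosen policy limit. The cookie name, the sample headers and the eight-hour policy limit are constructed for the example.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional, Tuple

# Assumption: policy ceiling for an authentication cookie's lifetime.
MAX_AUTH_COOKIE_LIFETIME = timedelta(hours=8)

def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split one Set-Cookie header value into (name, value, attributes); attribute names lower-cased."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def cookie_lifetime(attrs: Dict[str, str], now: datetime) -> Optional[timedelta]:
    """Max-Age takes precedence over Expires; None means a session cookie cleared on browser exit."""
    if "max-age" in attrs:
        return timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:
        return parsedate_to_datetime(attrs["expires"]) - now
    return None

def audit_set_cookie(header: str, now: Optional[datetime] = None,
                     max_lifetime: timedelta = MAX_AUTH_COOKIE_LIFETIME) -> Tuple[str, List[str]]:
    """Return the cookie name and a list of findings; an empty list means the header passed."""
    now = now or datetime.now(timezone.utc)
    name, _, attrs = parse_set_cookie(header)
    findings: List[str] = []
    if "secure" not in attrs:
        findings.append("missing Secure flag: browser will send the cookie over plain HTTP within its scope")
    lifetime = cookie_lifetime(attrs, now)
    if lifetime is not None and lifetime > max_lifetime:
        findings.append(f"lifetime of {lifetime.days} days exceeds policy of {max_lifetime} for an auth cookie")
    return name, findings

if __name__ == "__main__":
    # Constructed headers: the first reproduces both weaknesses, the second is the hardened form.
    samples = [
        "SESSIONID=abc123; Path=/; Expires=Sat, 19 May 2012 00:00:00 GMT",
        "SESSIONID=abc123; Path=/; Max-Age=3600; Secure; HttpOnly",
    ]
    for h in samples:
        print(audit_set_cookie(h, now=datetime(2011, 5, 20, tzinfo=timezone.utc)))
```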

Rishi says that as a result, in just 15 minutes, he was able to access multiple active accounts that belonged to individuals from all over the world.

Rishi goes on to explain that an attacker can sniff the cookies from a clear-text session and then use them to authenticate a new session. The attacker can then compromise and modify the information available on the user’s profile page.

The news of these vulnerabilities comes only days after LinkedIn went public. LinkedIn is a social-networking site for professionals with more than 100 million users and over 1,200 employees.