October 27, 2016

LinkedIn Confirms That Millions of User Passwords Have Been Posted Online

(LiveHacking.Com) – LinkedIn has confirmed that passwords posted onto a Russian hacking forum belong to LinkedIn accounts. The hacker uploaded 6,458,020 hashed passwords, but no usernames. There is currently no confirmation that the hacker obtained the usernames as well, but it is very likely that the hacker has them and has simply chosen not to post them online. The passwords are an unsalted list of SHA-1 hashes, which should be hard to crack; however, the SHA-1 algorithm isn’t foolproof and isn’t collision-free. Simple dictionary passwords will be easy enough to crack by computing the SHA-1 of the word and then looking in the password list for any occurrences of that hash. These 6.5 million password examples will now be used to populate rainbow tables and will be an obvious choice for seeding a dictionary attack for any future database leaks.

LinkedIn has disabled the compromised accounts and is sending users an email with instructions on how to reset their passwords. It is worth noting that there will not be any links in this email. This is because phishing attacks often rely on links in emails that lead to fake sites designed to trick people into typing in their password. Once the password has been reset, any affected members will receive a second email providing a bit more context on this situation and why they are being asked to change their passwords.

LinkedIn has recently added some more security to their system including better hashing and salting of the password databases.
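
The weakness of the unsalted list described above, next to the effect of the salting LinkedIn says it has added, as an added example (not LinkedIn's code and not part of the original article). The wordlist, the account names, the choice of PBKDF2 and its iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data (not taken from the leak).
WORDLIST = ["password", "linkedin", "123456", "letmein"]
ACCOUNTS = {"alice": "linkedin", "bob": "linkedin", "carol": "T7#qv!pZ-long-random"}
ITERATIONS = 100_000  # assumed work factor for the salted scheme


def unsalted_sha1(password):
    """The storage scheme the article describes: bare SHA-1, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_pbkdf2(password, salt):
    """Per-user random salt plus a deliberately slow key-derivation function."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()


def build_stores(accounts):
    """Return the same accounts stored both ways."""
    unsalted = {user: unsalted_sha1(pw) for user, pw in accounts.items()}
    salted = {}
    for user, pw in accounts.items():
        salt = os.urandom(16)
        salted[user] = (salt, salted_pbkdf2(pw, salt))
    return unsalted, salted


def audit_unsalted(stored, wordlist):
    """Hash each candidate word once; that single table matches every account."""
    lookup = {unsalted_sha1(word): word for word in wordlist}
    return {user: lookup[h] for user, h in stored.items() if h in lookup}


def verify(password, salt, expected):
    """Login check for the salted store, using a constant-time comparison."""
    return hmac.compare_digest(salted_pbkdf2(password, salt), expected)


if __name__ == "__main__":
    unsalted, salted = build_stores(ACCOUNTS)
    print("weak passwords found in unsalted store:", audit_unsalted(unsalted, WORDLIST))
    print("alice and bob share an unsalted hash:", unsalted["alice"] == unsalted["bob"])
    print("alice and bob share a salted hash:", salted["alice"][1] == salted["bob"][1])
```

With a per-user salt, a precomputed table no longer applies: each candidate word has to be re-derived for every account, at the cost of the full iteration count each time.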



NIST Propose Two New SHA2 Algorithms

NIST (National Institute of Standards and Technology), the US government department responsible for defining standard measures and, in the digital age, for defining certain technology standards, has proposed an alteration to the SHA-2 hash algorithm standard.

A hashing algorithm is a deterministic way to produce a fixed-size bit string from an arbitrary block of data in such a way that an accidental or intentional change to the data will change the hash value.

The perfect hashing algorithm has four properties:

  1. it is easy to compute the hash value for any given message,
  2. it is infeasible to find a message that has a given hash,
  3. it is infeasible to modify a message without changing the hash,
  4. it is infeasible to find two different arbitrary blocks of data with the same hash.

There are currently five SHA2 algorithms: SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512. Each algorithm produces a message digest of a specific length: SHA-1 produces a digest of 160 bits, SHA-224 produces one of 224 bits, and so on.

The proposed standard would add SHA-512/224 and SHA-512/256. They are based on the SHA-512 algorithm but produce a truncated output of 224 or 256 bits, respectively. They are being added because it is thought they might be a more efficient alternative to using SHA-224 or SHA-256 on 64-bit platforms.

The proposed standard would also remove the current restriction on the padding operation in the secure hash algorithms, which could potentially lead to more flexibility and efficiency.