Threat Level: green Handler on Duty: Manuel Pelaez

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Potential leak of 6.5+ million LinkedIn password hashes

Published: 2012-06-06
Last Updated: 2012-06-06 20:12:49 UTC
by Jim Clausing (Version: 3)
11 comment(s)

Reports originally surfaced in Norway overnight that about 6.5 million unsalted SHA-1 password hashes had been posted to a Russian site with a request for assistance in cracking them.  Several highly trusted security researchers have confirmed that the hashes posted include those of passwords they use exclusively on LinkedIn.  There are no usernames associated with the hashes and a number of us have confirmed that our passwords are NOT included, but this seems serious enough to merit a recommendation that LinkedIn users change their passwords.  The folks from LinkedIn have posted to twitter that they are investigating and further information will be forthcoming.

Update: (2012-06-06 20:00 UTC--JC) Okay, some have asked if we have recommendations.  Other than change your password now and don't use the same password on multiple accounts, all we can really recommend at the moment is wait and see.  LinkedIn is reporting they see no evidence of a breach at the moment, but the investigation is still pretty early (in my opinion).  Once you've changed this password (and the passwords on any other accounts where you used this one), wait for a while.  Once we figure out what happened here, you'll probably need to change it again.  We'll save a rehash of password policies and the secure handling of passwords within databases and applications for a future diary.  In the meantime, I'm adding a few links to some other password-related diaries we've done that seem appropriate to review today

Update 2: (2012-06-06 20:10 UTC--JC) No sooner do I do the previous update then I discover an official response from LinkedIn.

References:

http://blog.linkedin.com/2012/06/06/linkedin-member-passwords-compromised/

http://thenextweb.com/socialmedia/2012/06/06/bad-day-for-linkedin-6-5-million-hashed-passwords-reportedly-leaked-change-yours-now/

Also see @thorsheim on twitter.

Some previous password diaries that might be of interest:

Critical Control 11: Account Monitoring and Control

Theoretical and Practical Password Entropy

An Impromptu Lesson on Passwords

Password Rules: Change them every 25 years (or when you know the target has been compromised)

I'm sure I've missed a couple of good ones, but these are a decent place to start --JC

---------------
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu

11 comment(s)

BIND 9 Update - DoS or information disclosure vulnerability

Published: 2012-06-06
Last Updated: 2012-06-06 14:50:50 UTC
by Jim Clausing (Version: 1)
1 comment(s)

The Internet Systems Consortium released a security advisory on Monday about a possible denial of service attack against BIND named DNS servers (which constitute the majority of name servers on the internet).  The advisory states that the primary threat is against recursive name servers (the ones clients workstations/laptops/mobile devices point to to translate DNS names into IP addresses), though authoritative primary and secondary name servers could also be at risk if configured with experimental record types.  While they were not aware, at the time, of any active exploitation of the vulnerability, the details had been discussed in public mailing lists.  The vulnerability involves improper handling of certain requests with zero-length RDATA fields.  From the description, it doesn't appear that the crafting of a packet that would trigger the vulnerability would be too difficult.  The result would be either crashing the named daemon or disclosure of some unrelated contents of memory.  Updates should be applied, especially to your recursive name servers, as soon as practical.

References:

http://www.isc.org/software/bind/advisories/cve-2012-1667

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1667

---------------
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu

Keywords: bind 9
1 comment(s)

Firefox, Thunderbird, and Seamonkey Security Updates

Published: 2012-06-06
Last Updated: 2012-06-06 14:05:17 UTC
by Jim Clausing (Version: 1)
0 comment(s)

The Mozilla folks have released new versions of Firefox, Thunderbird, and Seamonkey and if you haven't already seen or been offered the update via the automatic updating mechanisms, you should soon.  However, this time, push the issue and manually update, if it doesn't come automatically.  The Mozilla Foundation released a security advisory yesterday regarding a privilege escalation vulnerability introduced by the new updater service (yes, I'm sure they realize the irony there) introduced in the last release.  Bottom line, make sure you update from Firefox/Thunderbird 12 to 13 (and Seamonkey 2.9 to 2.10) ASAP

References:

http://www.mozilla.org/security/announce/2012/mfsa2012-35.html

---------------
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu

0 comment(s)
ISC StormCast for Wednesday, June 6th 2012 http://isc.sans.edu/podcastdetail.html?id=2581
Diary Archives