[Owasp-natal] Hack on Linkedin confirmed

Noilson Caio caiogore at gmail.com
Thu Jun 7 01:43:41 UTC 2012


Man, the john the ripper list was really busy today.

2012/6/6 Eduardo Coelho <eduardocoelholima at gmail.com>

> It's serious.
>
> It deserves an alert, especially for those who use the same password for
> several different services.
>
> Linkedin lost some points. Using hashes without salt, dude? Seriously? =/
>
>
>
> Best regards,
>
> Eduardo Coelho Lima
> eduardocoelholima at gmail.com
> http://coelho.ithub.com.br
>
>
>
> 2012/6/6 Noilson Caio <caiogore at gmail.com>
>
>> That's right.
>>
>>
>>
>> LinkedIn has confirmed <http://blog.linkedin.com/2012/06/06/linkedin-member-passwords-compromised/>
>> that some of the password hashes that were posted online
>> <http://nakedsecurity.sophos.com/2012/06/06/millions-of-linkedin-passwords-reportedly-leaked-take-action-now/>
>> do match users of its service. They have also stated that passwords that
>> are reset will now be stored in salted hashed format.
>>
>> What is a salt? It is a string that is added to your password before it
>> is cryptographically hashed. What does this accomplish? It means that
>> password lists cannot be pre-computed based on dictionary attacks or
>> similar techniques.
>>
>> [image: Password hash with salt example]
>>
>> This is an important factor in slowing down people trying to brute force
>> passwords. It buys time and unfortunately the hashes published from
>> LinkedIn did not contain a salt.
>>
>> [image: 60% of LinkedIn passwords cracked]
>>
>> After removing duplicate hashes, SophosLabs has determined there are 5.8
>> million unique password hashes in the dump, of which 3.5 million have
>> already been brute forced.
>> That means over 60% of the stolen hashes are now publicly known.
>>
>> We also did some additional testing of commonly used passwords that
>> should never be used. We started with the list of passwords that the
>> Conficker worm used <http://nakedsecurity.sophos.com/2009/01/16/passwords-conficker-worm/>
>> to spread through Windows networks.
>>
>> All but two of the Conficker passwords were used by someone in the 6.5
>> million user password dump. The two passwords that weren't found were
>> 'mypc123' and 'ihavenopass'.
>>
>> Other passwords that we found in the dump include 'linkedin',
>> 'linkedinpassword', 'p455w0rd' and 'redsox'. We even found passwords that
>> suggest people should know better like 'sophos', 'mcafee', 'symantec',
>> 'kaspersky', 'microsoft' and 'f-secure'.
>>
>> We will continue to keep Naked Security readers up to date with what is
>> known as we learn more.
>>
>> It is critical that LinkedIn investigate this to determine if email
>> addresses and other information was also taken by the thieves which could
>> put the victims at additional risk from this attack.
>>
>> *Special thanks to Beth Jones and Richard Wang from SophosLabs for their
>> hard work and assistance with this post.*
>>
>> --
>> Noilson Caio Teixeira de Araújo
>> Linux Professional Institute Certification 2 - LPI000182893
>> Novell Certified Linux Administrator (CLA) - 10111916
>> Novell Data Center Technical Specialist
>>
>> http://ncaio.ithub.com.br
>> http://br.linkedin.com/in/ncaio
>> http://www.commandlinefu.com/commands/by/ncaio
>> http://www.dicas-l.com.br/autores/noilsoncaioteixeiradearaujo.php


-- 
Noilson Caio Teixeira de Araújo
Linux Professional Institute Certification 2 - LPI000182893
Novell Certified Linux Administrator (CLA) - 10111916
Novell Data Center Technical Specialist

http://ncaio.ithub.com.br
http://br.linkedin.com/in/ncaio
http://www.commandlinefu.com/commands/by/ncaio
http://www.dicas-l.com.br/autores/noilsoncaioteixeiradearaujo.php
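The salt explanation quoted above, as an added example that is not part of the thread or the Sophos post: it contrasts a precomputed dictionary table against unsalted hashes with per-user salted hashes, counting how many hash computations each case costs. SHA-1, the 16-byte salt, and the wordlist are assumptions made for illustration.

```python
import hashlib
import os

# Constructed wordlist, modelled on the weak passwords the quoted post lists.
WORDLIST = ["linkedin", "p455w0rd", "redsox", "mypc123", "ihavenopass"]

def unsalted_hash(password: str) -> str:
    # SHA-1 is assumed for illustration; the post only says the hashes had no salt.
    return hashlib.sha1(password.encode()).hexdigest()

def salted_hash(password: str, salt: bytes) -> str:
    # The salt is stored next to the hash; it need not be secret, only unique per user.
    return hashlib.sha1(salt + password.encode()).hexdigest()

def store_salted(passwords):
    records = []
    for p in passwords:
        salt = os.urandom(16)  # fresh random salt per user (16 bytes is an assumption)
        records.append((salt, salted_hash(p, salt)))
    return records

def precomputed_table(words):
    # Hashed once, reusable against any unsalted dump: the precomputation the post warns about.
    return {unsalted_hash(w): w for w in words}

def match_unsalted(hashes, table):
    # Pure lookup, no hashing per leaked entry; users sharing a password share a hash,
    # which is why the post could de-duplicate the dump before counting.
    return {h: table[h] for h in hashes if h in table}

def match_salted(records, words):
    # The table is useless here: every word must be re-hashed under each record's own
    # salt. Returns (matches, number of hash computations spent).
    matches, work = {}, 0
    for salt, h in records:
        for w in words:
            work += 1
            if salted_hash(w, salt) == h:
                matches[h] = w
                break
    return matches, work

def demo():
    users = ["linkedin", "redsox", "linkedin", "Tr0ub4dor&3"]  # two users share a password
    unsalted = [unsalted_hash(p) for p in users]
    found_u = match_unsalted(unsalted, precomputed_table(WORDLIST))
    found_s, work = match_salted(store_salted(users), WORDLIST)
    # -> (unique unsalted hashes, lookup matches, salted matches, hashes computed)
    return len(set(unsalted)), len(found_u), len(found_s), work
```

With salts, the table built once for the wordlist buys nothing and the work grows with the number of records, which is the time the post says a salt buys; a deliberately slow KDF on top of the salt (not discussed in the post) multiplies that cost further.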