[Event recap]
Last Wednesday (June 6), LinkedIn, the well-known professional social networking site, reported that some user accounts and passwords had been stolen. Vicente Silveira, a LinkedIn director, confirmed this on his personal blog. According to VentureBeat, the list of LinkedIn account passwords stolen by W has been uploaded to a Russian hacker server, but it cannot be confirmed whether W's user account was stolen.
Note:
Introduction from Baidu Encyclopedia:
LinkedIn is a social networking (SNS) service site for business users. The site aims to let registered users maintain the contacts they know and trust in their business dealings, commonly known as "Connections". LinkedIn currently has over million users, with a new member joining every second on average. About half of its members are in the United States and 11 million are from Europe.
[How did the hackers do it?]
In the past two years, data theft has been frequent both in China and abroad. The details of these attacks have not been disclosed, so let us make a bold guess: how do hackers get their hands on user databases?
According to the "short plank" (weakest-link) theory of security, the breach usually comes at the smallest and most error-prone point. Perhaps one patch was not installed, or one character was missing in the code. Of course, there is also the possibility that hackers take a sledgehammer to the server in the IDC. :) The bad guys keep staring at us, and a single mistake is fatal.
[What should we do?]
How can we prevent such incidents?
Can't get in, can't take it away, can't use it: this is how the thinking of defense in depth can be expressed.
Can't get in
To keep hackers out, you need to know where they come in:
1. Attacks on the web servers. Information is gathered with tools such as nmap and Nessus and with Google hacking; the purpose of gathering it is to obtain more material for attacking the web tier.
2. Hackers attack our intranet or VPN and try to reach the servers through the office network.
How do we control the entry points?
1. System
   I. Development follows the SDL process, and security testing is carried out before a system goes live to ensure that no security issues exist at launch.
   II. Employees may not register accounts on Internet websites with their office mailboxes.
   III. Security rules for VPN and other third-party media.
   IV. A vulnerability repair process.
2. Process
   I. Use an IDS to alert on hackers' intrusion attempts.
   II. Conduct regular security tests of online business and produce summary reports.
   III. Isolate the intranet (VPN) from the server zone, or require strong authentication between them.
Can't take it away
After hackers intrude into a system, in order to obtain more privileges and make subsequent operations easier (such as carrying off a large amount of data), they usually escalate privileges or plant a backdoor.
Once a backdoor is installed on the server, the server's data can be stolen on any dark night. So what behaviour does a hacker show when stealing data?
I. First, a web Trojan (webshell) is uploaded. Web Trojans come in different versions depending on the scripting language, but every malicious script contains some characteristic keyword.
II. After the web Trojan gives control of the server, hackers probe the system: the Linux version, privileges, and network configuration.
III. Once familiar with the server, the next step depends on the hacker's goal, such as pivoting to other servers through the controlled one, or breaking into databases and stealing data.
IV. Finally, clearing logs and installing system backdoors.
Each of the above actions has its own characteristic behaviour, and a behaviour-based host monitoring system can catch it.
Probes and monitoring points are placed at the typical steps of an intrusion. For example, when an intruder uploads a webshell or uses a Trojan, the system raises an alert promptly; and when an intruder gets into the operating system shell through a vulnerability, the monitoring platform records every operation so that it can be traced later.
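As an added example (not from the original post) of the behaviour-based host monitoring described above, the following Python scores a constructed process-execution log: any command spawned by the web server account counts on its own, and the stages the post lists (probing, data export, log clearing, persistence) add weight within a ten-minute window. The log format, account names, rules and weights are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample process audit log (not a real capture): time, user, parent, command.
SAMPLE_LOG = """\
2012-06-06T22:01:03 www-data php-fpm uname -a
2012-06-06T22:01:05 www-data php-fpm id
2012-06-06T22:01:09 www-data php-fpm cat /etc/passwd
2012-06-06T22:01:12 www-data php-fpm ifconfig
2012-06-06T22:03:40 www-data php-fpm mysqldump userdb
2012-06-06T22:05:02 www-data php-fpm history -c
2012-06-06T22:05:10 www-data php-fpm echo > /var/log/apache2/access.log
2012-06-06T09:12:00 deploy sshd git pull
"""

WEB_ACCOUNTS = {"www-data", "apache", "nginx"}   # assumed service accounts
# (category, pattern, weight): the intrusion stages the post describes, cheapest first.
RULES = [
    ("recon", re.compile(r"^(uname|id|whoami|ifconfig|ip|netstat)\b|^cat /etc/passwd"), 1),
    ("data-export", re.compile(r"^(mysqldump|tar|scp|rsync)\b"), 3),
    ("log-clearing", re.compile(r"(history -c|>\s*/var/log/|rm .*/var/log)"), 4),
    ("persistence", re.compile(r"(crontab|/etc/rc\.local|authorized_keys)"), 4),
]

def parse(log_text):
    """Yield (timestamp, user, parent, command) for each log line."""
    for line in log_text.splitlines():
        ts, user, parent, cmd = line.split(" ", 3)
        yield datetime.fromisoformat(ts), user, parent, cmd

def score_window(log_text, window=timedelta(minutes=10), threshold=6):
    """Return {user: (score, categories)} for web accounts whose commands within
    `window` of each other reach `threshold`. Every command from a web account
    counts 1 by itself: php-fpm has no business spawning shells."""
    events = sorted(parse(log_text))
    alerts = {}
    for i, (t0, user, _, _) in enumerate(events):
        if user not in WEB_ACCOUNTS:
            continue
        score, cats = 0, set()
        for t, u, _, cmd in events[i:]:
            if t - t0 > window:
                break                      # events are sorted, window is over
            if u != user:
                continue
            score += 1
            for cat, rx, weight in RULES:
                if rx.search(cmd):
                    score += weight
                    cats.add(cat)
        if score >= threshold and score > alerts.get(user, (0, ()))[0]:
            alerts[user] = (score, tuple(sorted(cats)))
    return alerts
```

Run on the sample, the www-data account trips the recon, data-export and log-clearing rules in one window while the deploy account's git pull raises nothing.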
Can't use it
I. Passwords cannot be used
LinkedIn password sample: the hashing method is SHA1, which is far better than crude plaintext. But is SHA1 really safe? Many people hold the misconception that a standard hash algorithm (MD5, SHA1, SHA256, etc.) is adequate for password storage. I captured from the Internet a benchmark comparison table for well-known GPU cracking tools.
5000 M c/s converts to roughly 2 billion guesses per second. When a brute-force attack hits the database at that rate, is the password really safe?
I consulted the webmaster of the largest password-cracking website in China. His suggestion is a non-standard hash plus salt.
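To illustrate the point about SHA1 versus salted hashing, here is an added Python example that is not from the original post: it stores two users' identical passwords first as unsalted SHA1 (the scheme in the leak) and then with a per-user random salt and an iterated KDF (PBKDF2-HMAC-SHA256, a standard slow KDF, used here in place of the "non-standard hash" the post suggests). The sample users and passwords are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample: two users who happen to have chosen the same password.
USERS = {"alice": "link1234", "bob": "link1234"}

def sha1_unsalted(password: str) -> str:
    """One fast, unsalted SHA1: the scheme the leaked LinkedIn list used."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> str:
    """Per-user random salt plus an iterated KDF (PBKDF2-HMAC-SHA256).
    The record stores everything needed to verify: scheme, cost, salt, digest."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations), salt.hex(), dk.hex()])

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

def shared_hash_users(hashes: dict) -> int:
    """Number of users whose stored value is identical to another user's.
    With unsalted hashes one correct guess exposes the whole group."""
    counts = {}
    for h in hashes.values():
        counts[h] = counts.get(h, 0) + 1
    return sum(c for c in counts.values() if c > 1)

def compare_schemes(users: dict) -> dict:
    """Same passwords stored both ways: unsalted collide, salted do not."""
    unsalted = {u: sha1_unsalted(p) for u, p in users.items()}
    salted = {u: hash_password(p) for u, p in users.items()}
    return {"unsalted_shared": shared_hash_users(unsalted),
            "salted_shared": shared_hash_users(salted)}

if __name__ == "__main__":
    print(compare_schemes(USERS))   # {'unsalted_shared': 2, 'salted_shared': 0}
```

The iteration count is the knob against the 5000 M c/s figure above: each guess costs the attacker the same 200,000 iterations, and the salt means the work cannot be shared across users or precomputed.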
II. Files cannot be used
People on the Internet often leak a company's top-secret documents and financial reports. The value of such data is beyond measure. How can we ensure that even stolen data causes no loss? We recommend an internal file encryption system.
Emergency response
What if the database leaks?
On Thursday, LinkedIn issued a statement.
Here LinkedIn is continuously repairing the damage from the password leak: publish an announcement -> block logins on the stolen accounts (stop the loss) -> guide users to change their passwords -> commit to remediation. The table below lists LinkedIn's emergency responses.
         | Response time                                                 | Solution                                                                        | Attitude
LinkedIn | No more than 12 hours between the event and the announcement  | Guide users to change their password on the website, not through third-party media | Commitment to security protection and enhanced verification of encrypted passwords
Emergency response is a big subject. Handled well, it can make up for the damage; handled badly, it leads to further crises.
[Others]
Account strength identification
After the CSDN database leaked, some enthusiast matched the database's popular passwords and published rankings of common, literary, and "2B" (silly) passwords. This case is no exception: someone analyzed the LinkedIn passwords, as shown in the chart:
We can see that "link" is the most common password, followed by "work" and "job"; religious themes such as "god", "angel", and "jesus" are also popular; and the numbers "1234" and "12345" also make the list.
In an account system: 1. A single-point strong-password policy at password-setting time leads many people to habitually type 1qazxsw2, which fully complies with the policy but is "strong" only on paper. 2. We must guard against passwords that comply with the policy yet are insecure; we have an effective method in the account system for preventing automated password verification.
However, I worry that as more password databases leak, the weak-password problem cannot be solved completely at password-setting time; blocking automated password-verification behaviour is unavoidable.
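An added Python example, not from the original post, showing how a password-setting check can catch a password like 1qazxsw2 that satisfies the complexity policy: a small blocklist built from the password themes named above plus a keyboard-walk test based on physical key adjacency. The blocklist contents, thresholds and the policy rule itself are constructed assumptions.

```python
import re

# Constructed blocklist from the themes the post lists in the leaked-password ranking.
COMMON_PASSWORDS = {"link", "linkedin", "work", "job", "god", "angel", "jesus",
                    "1234", "12345", "123456", "password"}

# Physical adjacency on a US keyboard: rows left-to-right, columns top-to-bottom.
_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
_COLS = ["1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm", "8ik", "9ol", "0p"]
_SEQUENCES = _ROWS + _COLS + [s[::-1] for s in _ROWS + _COLS]   # both directions

def meets_complexity_policy(pw: str) -> bool:
    """The kind of 'strong password' rule the post describes (assumed here as
    length 8+, at least one letter and one digit). 1qazxsw2 passes it."""
    return len(pw) >= 8 and bool(re.search(r"[A-Za-z]", pw)) and bool(re.search(r"\d", pw))

def keyboard_walk_fraction(pw: str) -> float:
    """Share of characters covered by runs of 3+ physically adjacent keys.
    1qaz then xsw2 is a down-then-up walk over two adjacent columns."""
    pw = pw.lower()
    covered = [False] * len(pw)
    for start in range(len(pw)):
        for end in range(len(pw), start + 2, -1):      # longest run first
            frag = pw[start:end]
            if any(frag in seq for seq in _SEQUENCES):
                covered[start:end] = [True] * (end - start)
                break
    return sum(covered) / len(pw) if pw else 0.0

def password_problems(pw: str) -> list:
    """All reasons to reject pw; an empty list means accept."""
    problems = []
    if not meets_complexity_policy(pw):
        problems.append("fails complexity policy")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("on common-password blocklist")
    if keyboard_walk_fraction(pw) >= 0.7:
        problems.append("keyboard walk")
    return problems
```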
Privacy protection
This LinkedIn password leak also raised a privacy issue. Technology sites reported that LinkedIn's iOS client secretly uploaded users' calendar and to-do entries, address book, and even password information; LinkedIn uploads data it does not need for data analysis and to serve users better. Privacy protection, however, is highly sensitive outside China: Path and others have run into the same problem with their iOS clients, but all of them fixed it quickly after being exposed.
We must not only keep our own clients from violating users' privacy and from storing plaintext passwords, but also protect our users against malicious programs. On the Android platform especially, programs that read text messages and photos, or even send premium-rate SMS, without the user's permission are endless.
[Conclusion]
Security is no small matter. Relying solely on the efforts of network security staff is far from enough. On one side we keep pushing forward; on the other, security requires everyone's participation and cooperation, so that hackers have nowhere to hide.
While writing this article, I learned on Weibo that the Last.fm database has also leaked. In an increasingly severe network security environment, security work has a long way to go.