LinkedIn on Wednesday morning was still unable to confirm reports that 6.5 million user passwords had been exposed. But Sophos has discovered LinkedIn password information posted on a Russian hacker site.
"Although the data which has been released so far does not include associated e-mail addresses, it is reasonable to assume that such information may be in the hands of the criminals," Graham Cluley, senior security analyst at Sophos, wrote in his blog.
"Investigations by Sophos researchers have confirmed that the file does contain, at least in part, LinkedIn passwords."
How Did It Happen?
We caught up with Neil Roiter, research director at Corero Network Security, to get his reaction to the news. He told us the reported LinkedIn password breach is a good reminder to use a different password for each of the Web sites you access.
"The larger question to be answered is how the hackers were able to break in and steal the passwords, and what personally identifiable information, if any, also may have been stolen," Roiter said. "People will want assurances that LinkedIn will discover how they were breached, take appropriate steps to prevent a recurrence and review their overall security practices."
SQL Injection Likely
We turned to Dave Pack, director of LogRhythm Labs, to get additional insights about the reported breach. Without specific details of the attack, he told us it's difficult to determine exactly what could have been done to help protect the sensitive data. However, he added, most database breaches are the result of a vulnerable Web application front-end being exploited using SQL injection.
"According to our research, it is extremely common for successful attackers to utilize automated SQL injection tools such as sqlmap or Havij," Pack said. "Such tools leave behind a log trail on the Web server which at first glance makes the attack appear complex, but also makes it easy to detect."
Pack offered an example: By default these tools put their own names into the User Agent string of the http requests they make. He said user agent whitelisting and blacklisting can be used to make sure automated SQL injection tools are immediately identified if they try to do Web application reconnaissance or launch an attack.
"These tools put quite a bit of SQL syntax into URL parameters. Most Web applications have no legitimate need for SQL in the actual URLs. Alarming on this syntax along with encoded variations will detect both automated tool usage as well as manual Web application attacks," Pack said. (continued...)