LinkedIn Reinforces Encryption After Last Week's Password Leak
The professional social networking site has still not given any details as to how the hack occurred.
Linkedin is like the little boy who cried, 'wolf.' By sending too much mail that people are not really interested in, they are getting ignored when they have something important to sayAndrew ConwayCloudmark
This will count as a small consolation for anyone affected by the loss of 6.5 million passwords secured in an 'unsalted' state using the less secure 160 bit SHA-1 encryption algorithm.
The company said that after discovering the hack on the morning of 6 June, it had disabled published passwords it believed were at risk of exposure by the end of play on 7 June. None of the emails involved included email logins, the company claimed.
"After we disabled the passwords, we contacted members with instructions on how to reset their passwords," LinkedIn said. "At this time, there have been no reports of compromised LinkedIn accounts as a result of this password theft."
Importantly, the company said it had now completed an upgrade of the security applied to all accounts whether part of the hack or not which added the use of salted hashes.
Precisely what new security was now being employed - specifically whether 256-bit SHA-2 was part of the upgrade - the company's announcement is oddly evasive.
LinkedIn did say it had disabled all passwords believed to be at risk although again how many of the 6.5 million leaked were deemed worthy of this attention is not clear
"For security reasons, we cannot discuss certain details of our ongoing security upgrades," it said.
The firm's small army of security critics might point out that detailing the security standards employed should not render a company vulnerable and indeed most vendors with public membership usually state the encryption standards used as a deterrent.
As to who hacked LinkedIn, how the hack was carried out, and with what real-world effects on member security, the LinkedIn note does not elaborate.
"At this time, LinkedIn cannot release any further information in order to protect our members and due to the ongoing investigation," the company said.
According to message filtering vendor Cloudmark, an ironic effect of the hack appears to have been that some LinkedIn users discarded legitimate warnings sent by the firm after the attack because they thought they might be criminal spam.
"Over four percent of the people receiving this [warning] email, thought it was spam and sent it straight to the bit bucket. If Linkedin sends out 6.5 million emails, then a quarter of a million people are congratulating themselves on avoiding spam, and still have a compromised Linkedin password," said Cloudmark's Andrew Conway.
LinkedIn did say it had disabled all passwords believed to be at risk although again how many of the 6.5 million leaked were deemed worthy of this attention is not clear.
In Conway's view, part of the problem was that LinkedIn automatically opted users into receive email related to their activity and interests, resulting in some users marking the company's emails as spam simply to stem the tide of unwanted communication.
"Linkedin is like the little boy who cried, 'wolf.' By sending too much mail that people are not really interested in, they are getting ignored when they have something important to say," said Conway.
McAfee is officially Intel Security - a business unit of Intel from 01 July 2015 onwards, says Gavin Struthers, president, Asia Pacific, Intel Security.
The bank has launched this app before the release of the wearable device in the country, making it the first bank to do so for Indian customers.
Mobile users in India can now retain their numbers while relocating to any part of the country even if they change service providers.
The container-based technology will add portability as its new dimension in software release cycles, says CEO Vinothini Raju.