Cyber-attackers recently breached LivingSocial's systems and illegally
accessed customer information for more than 50 million users, LivingSocial said.
Users need to change their passwords immediately.
As PCMag.com reported yesterday, LivingSocial sent data breach notification
emails to all affected customers informing them of a cyber-attack which resulted
in unauthorized access of customer data. More than 50 million accounts were
potentially affected, according to LivingSocial, making this one of the largest
password breaches this year.
It's not clear at this time how the breach occurred and what other pieces
of information were stolen. In these kinds of incidents, attackers typically
break in by secretly installing malware on employee devices and then work their
way around the network until they find sensitive systems, George Tubin, senior
security strategist at Trusteer, told SecurityWatch.
Providers "should expect hackers to target their systems to obtain customer
data or sensitive corporate information," Tubin said. At this point, "it’s
obvious that these providers are simply not doing enough to protect their
customers' information," Tubin said.
Salted, Hashed Passwords Not Crack-Proof
It's a good sign that LivingSocial had hashed and salted its passwords, as
that will slow down attackers somewhat, but "it won't stop" the attackers from
trying, and succeeding, in figuring out the original passwords, Ross Barrett,
senior manager of security engineering at Rapid7, told SecurityWatch. While
salting slows down the cracking process, "eventually the attackers or their
network will get the information they're after," Barrett said.
Hashing is a one-way function (not encryption, since there is no key and
nothing to decrypt): the same input always produces the same output, but it is
not feasible to start from a hash and work back to the original string. What
attackers can do is guess. They frequently rely on rainbow tables, precomputed
lookup structures built from immense lists of candidate strings (dictionary
words, common surnames, even song lyrics) together with each string's hash.
Attackers match a hash from the stolen password table against the rainbow
table to find the string that produced it, one lookup per hash, with the
expensive hashing work done once in advance.
Salting refers to adding extra, per-user random data to the password before
hashing it. The salt is normally stored in the clear next to the hash, so the
point is not that the attacker doesn't know it. The point is that the same
password now hashes to a different value for every user, so a table precomputed
for unsalted hashes is useless, and the attacker has to redo the guessing work
separately for each of the 50 million accounts instead of once for all of them.
The problem, however, is that LivingSocial used SHA1 to generate the hash,
and SHA1 is a poor choice for storing passwords. Like MD5, another popular
algorithm, SHA1 was designed as a general-purpose hash that operates quickly
with a minimal amount of computing resources, which is exactly the wrong
property for a password hash: a fast function lets an attacker with a
commodity GPU test billions of guesses per second against each salted hash.
Considering recent advances in hardware and cracking tools, SHA1 hashes, even
salted, aren't crack-proof. LivingSocial would have been better off with a
deliberately slow, tunable password hash such as bcrypt, scrypt, or PBKDF2.
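To make the two points above concrete (salting defeats a precomputed table but not a per-user dictionary attack, and a fast hash like SHA1 is the real weakness), here is an added example written for this article. It is not LivingSocial's code and the article does not say how LivingSocial combined salt and password; the salt-prepended SHA1 layout, the 200,000-iteration PBKDF2 setting, and the six-word list are assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, Iterable, Optional

# Constructed wordlist standing in for an attacker's dictionary (not real leaked data).
WORDLIST = ["123456", "password", "letmein", "qwerty", "dealhunter", "summer2013"]


def sha1_salted(password: str, salt: bytes) -> bytes:
    """Fast salted SHA1. Salt-prepended layout is an assumption for the demo."""
    return hashlib.sha1(salt + password.encode()).digest()


def build_rainbow_lookup(wordlist: Iterable[str]) -> Dict[bytes, str]:
    """Precomputed hash -> plaintext table for UNSALTED SHA1.

    A real rainbow table stores hash chains instead of every pair to save
    space, but the attack it enables is the same: one lookup per stolen hash,
    with all hashing work done once, before the breach.
    """
    return {hashlib.sha1(w.encode()).digest(): w for w in wordlist}


def rainbow_lookup(table: Dict[bytes, str], target: bytes) -> Optional[str]:
    return table.get(target)


def crack_salted(target: bytes, salt: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """Per-user dictionary attack against a salted hash.

    The salt sits next to the hash in the stolen table, so the attacker simply
    prepends it to every guess. Salting only stops reuse of one precomputed
    table across all users; it does not stop guessing, and with SHA1 each
    guess costs about a microsecond.
    """
    for guess in wordlist:
        if hmac.compare_digest(sha1_salted(guess, salt), target):
            return guess
    return None


def pbkdf2_hash(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Deliberately slow password hash: PBKDF2-HMAC-SHA256 with a tunable cost."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def pbkdf2_verify(password: str, salt: bytes, iterations: int, expected: bytes) -> bool:
    return hmac.compare_digest(pbkdf2_hash(password, salt, iterations), expected)


def cost_ratio(salt: bytes, iterations: int = 200_000, sha1_trials: int = 20_000) -> float:
    """How many salted-SHA1 guesses fit in the time of one PBKDF2 guess."""
    t0 = time.perf_counter()
    for i in range(sha1_trials):
        sha1_salted(str(i), salt)
    sha1_per_guess = (time.perf_counter() - t0) / sha1_trials
    t0 = time.perf_counter()
    pbkdf2_hash("benchmark", salt, iterations)
    pbkdf2_per_guess = time.perf_counter() - t0
    return pbkdf2_per_guess / sha1_per_guess


if __name__ == "__main__":
    salt = os.urandom(16)
    stored = sha1_salted("dealhunter", salt)          # what the breached table holds
    table = build_rainbow_lookup(WORDLIST)
    print("rainbow table vs salted hash:", rainbow_lookup(table, stored))
    print("dictionary attack vs salted hash:", crack_salted(stored, salt, WORDLIST))
    print("one PBKDF2 guess costs about %.0f salted-SHA1 guesses" % cost_ratio(salt))
```

The rainbow lookup misses because the salt changed the hash, but the per-user dictionary attack recovers the password anyway; the only defence left is making each guess expensive, which is what the PBKDF2 iteration count buys and what a plain SHA1 call cannot.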
Change Those Passwords Now
LivingSocial has preemptively reset passwords for all users and users
should make sure to pick new passwords that aren't being used anywhere else.
Many people tend to reuse the same password across sites; if users used the
LivingSocial password on other sites, they should change those passwords
immediately as well. Once the passwords are cracked, attackers can try the
passwords against popular services such as email, Facebook, and LinkedIn.
"These breaches are another reminder why it’s so important to maintain good
password hygiene and use different passwords for all accounts and sites,"
Barrett said.
Attackers can also use dates of birth and names to craft phishing and
other social engineering campaigns. They can reference these details to trick
users into thinking the messages are legitimate. The stolen data will be
"powering attacks for a very long time," Barrett said.
The LivingSocial breach is "another reminder that organizations will
continue to be targeted for their valuable customer data," Barrett said.