After the leak of 6 millions of non salted passwords of LinkedIn, a new episode in the story.  Katie SZPYRKA, residing in Illinois, premium member of LinkedIn, sues LinkedIn for

… failing to properly safeguard its users’ digitally stored personally identifiable information (“PII”), including e-mail addresses, passwords, and login credential;

She claims that LinkedIn fails to properly encrypt its users’ PII

… LinkedIn failed to adequately protect user data because it stored passwords in unsalted SHA1 hashed format.  The problem with this practice is two-fold.  First, SHA1 is an outdated hashing function, first published by the National Security Agency in 1995.  Secondly, storing users’ passwords in hashed format without first “salting” the passwords runs afoul of conventional data protection methods, and poses significant risks to the integrity users’ sensitive data.

The second statement is true.  I would be more cautious with the first one.  There are known attacks on SHA1.  it is why there is a new challenge to find a new replacement to SHA1.  Nevertheless, they are not easy and simple.  Using SHA1 was not the problem.  Using salted SHA1 for storing passwords is still a good practice for several years.

She also complains that the attack was using an SQL injection and that the site was not properly protected against this type of attacks, despite the existence of a NIST checklist to prevent them  :Weary:

An interesting statement

… free account users buy products  and services by paying LinkedIn in the form of contact information (first name, last name, and an email address)

That’s true.  I would even add by her/his network information that allows to better profile the user.

The outcome of this action will be interesting.   How many web sites would be under the same threat?  The main problem is to decide whether it is pure negligence or a vulnerability as there will always be in web sites (or nay products).  Zero vulnerability will never exist.  If each breach would end up in a class action, this would most probably the end of Internet.

The filing is available here.

reCaptcha is the captcha by Google.  The hacking team DefCon 949 (DC949) disclosed at the conference LayerOne their method to break captcha.  The astonishing, announced accuracy is 99%.  Some interesting lessons from this hack

• The method to break reCaptcha attacked the audio part. Normally, reCaptcha proposes challenges coming from altered scanned words from books, and you have to write them.  Thus, it should have  a large samples of challenges.  The trick: reCaptcha has a mode for visually impaired people.  The challenge is now audio with words on noisy background.  The vocabulary is limited to 58 words, and the background is a mix of a limited number of audio sequences.  Thus, there were far less audio challenges than visual challenges.  Thus, the attackers went against the easiest challenge.  As a cryptography metaphor, they had the choice between a large key or a small key for the same final result.
  A nice illustration of law 6: “Security is not stronger than its weakest link”.   Audio challenge was the weakest link.
• Before the conference, Google updated its algorithms, thus defeating he hack.  This spoiled a little bit the presentation. Nevertheless, it removed nothing to the quality of the attack.  When reading blogs coverage, I had sometimes the feeling that some people thought that it was unfair behavior.  No!  It is the right thing to do.  It is always a cat and mouse game.  The mouse has to run fast.

The presentation is available on youTube
httv://www.youtube.com/watch?v=rfgGNsPPAfU