Tag Archives: Linkedin

Judge dismisses LinkedIn password breach lawsuit

A US District Court judge has dismissed a suit that claimed that the plaintiffs were damaged by LinkedIn’s lack of diligence in safeguarding LinkedIn subscribers’ usernames and passwords. The case was brought by Katie Szpyrka and Khalilah Wright, after about 6.5 million usernames and passwords were downloaded from LinkedIn by a Russian hacker last June. (I wrote about two LinkedIn problems in “LinkedIn users’ data LeakedOut” and again, when 88 percent of the passwords were cracked within five days, in “No password news is good password news.”)

Judge Edward Davila dismissed the lawsuit because

  • Plaintiffs hadn’t read LinkedIn’s Terms Of Service (TOS), so couldn’t claim that LinkedIn had breached their TOS, which includes

    …we cannot ensure or warrant the security of any information you transmit to LinkedIn. There is no guarantee that information may not be accessed, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards. It is your responsibility to protect the security of your login information.

  • Plaintiffs could not show consequent damage.

That clause within LinkedIn’s TOS sounds broad. “If you upload it to our site, don’t expect us to safeguard it.” Broad, I tells ya.


News article from Kaspersky’s ThreatPost: LinkedIn Data Breach Lawsuit Dismissed

Visit my website: http://russbellew.com
© Russ Bellew · Fort Lauderdale, Florida, USA · phone 954 873-4695


One reason to avoid walled gardens

A new client’s business has a few bad reviews on his Google Places page. Some are over a year old. Surprisingly, he was unaware of them. Why? He lives within AOL’s walled garden. All his searches are done within AOL, so he never saw the negative reviews outside AOL’s walls. (I guess that someone else created his Google Places page.)

AOL is an anachronism, but the caveat of avoiding walled gardens applies if you use any site that tries to confine its users. Facebook, Myspace, LinkedIn, and Google+ are like Las Vegas casinos: they want to keep their visitors confined within territory that they control. Do you want Search? We’ve got it. Want email? We’ve got it. Want to buy something? We’ve got that too. Want a haircut? A shoeshine? A snack? A dinner? The casino — and AOL, Facebook, LinkedIn, et al — wants every asset you’ve got.

On the Internet, the walled gardens want to extract everything they can from you, whether it’s your money or information about you, which they eventually sell to advertisers in exchange for targeted ads directed at you. That’s how they make money. A Facebook user exclaimed, “Facebook has never asked me for one dime!”. Of course not; he’s told Facebook all about himself. That information goes into Facebook’s finished goods inventory, which they sell to advertisers.

Think about it. When you’re on Facebook (or AOL et al), Facebook captures every keystroke and mouse click. Read their Terms Of Service (TOS); they can do whatever they wish with that data, including selling it to third parties.

If you’re a business owner, don’t be confined to any walled garden, and respond quickly to negative reviews, regardless of where they appear. A happy customer will tell a prospect; an unhappy customer will tell ten prospects. On the web, an unhappy customer can tell millions of prospects.

Has your business received negative reviews on Google Places?
Google Places is a work in progress whose features don’t always work as expected. (Google is moving Google Places pages to Google+ Local.) Here is the best advice that I’ve found. It’s from a Google employee: https://productforums.google.com/forum/m/#!category-topic/business/technical-issue/mPz5bqu7ViM.


No password news is good password news.

[Image: opened safe icon. Art: Michael N. Erickson]

Cracking of passwords has moved from an esoteric exercise for geeks to something that any kid can do.

Three developments in cracking passwords for fun and profit:

  1. Hash Cat, a new open-source GPU[1]-based cracking program, has become available for free download at HashCat.net. It’s available in both Windows and Linux versions and can run 16 graphics processing units in parallel.
  2. Do you recall last June’s theft of 6.5 million password / email pairs from LinkedIn? Those passwords weren’t in plaintext — they had been hashed by LinkedIn using the (now discredited) SHA-1 hashing algorithm, so were presumably still pretty secure. Hash Cat was let loose on the purloined LinkedIn hashed passwords by Jeremi Gosney. Using a homebrew PC with multiple GPUs[1], he was able to crack 20 percent of the 6.5 million hashed passwords within thirty seconds. He used a dictionary attack with a 500 million word dictionary. His machine makes 15.5 billion guesses per second. Two hours later, he had cracked an additional 33 percent of the passwords. After one day, he had cracked 64 percent of the passwords. After five days, he had cracked 88 percent of the passwords.
  3. Jeremi benchmarked Hash Cat on his $12,000 machine containing eight AMD Radeon HD7970 GPU cards. He ran a brute-force attack on an 8-character password, trying all 96 characters in each position, in twelve hours. Add one more character, and it will require 96 times as much time to crack, or 1,152 hours. Add another character (making a ten-character-long password) and it will require 110,592 hours to crack by brute force.

And the conclusion is?

  • Use completely random passwords whose characters are drawn from the a-z, A-Z, 0-9 and punctuation mark character set (which contains 96 characters).
  • Use passwords that are at least ten characters long.

The best way to create and manage strong passwords is with a password management program. I like Keepass.
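The arithmetic in item 3 and the two recommendations above, worked through as an added example (not code from the original post). The function names are hypothetical, the timing figures are the ones quoted in the post, and the alphabet is an assumption: Python's letters, digits and punctuation, which come to 94 symbols rather than the 96 the post counts.

```python
import math
import secrets
import string

# Figures quoted in the post (not measured here).
PAGE_CHARSET = 96                 # symbols per position, as the post counts them
BENCH_LEN, BENCH_HOURS = 8, 12    # full 8-character sweep: twelve hours
DICT_WORDS = 500_000_000          # dictionary size used against the LinkedIn hashes
GUESSES_PER_SEC = 15.5e9          # guess rate reported for that run

# Assumption: Python's letters + digits + punctuation, which is 94 symbols
# (95 with space), slightly fewer than the 96 the post counts.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def brute_force_hours(length, charset=PAGE_CHARSET):
    """Hours to try every password of `length`, scaled from the post's benchmark."""
    return BENCH_HOURS * charset ** (length - BENCH_LEN)


def dictionary_pass_seconds(words=DICT_WORDS, rate=GUESSES_PER_SEC):
    """Seconds to hash every dictionary word once at the quoted rate."""
    return words / rate


def entropy_bits(length, charset=len(ALPHABET)):
    """Bits of entropy in a uniformly random password of `length`."""
    return length * math.log2(charset)


def generate_password(length=10):
    """Uniformly random password from ALPHABET, drawn from the OS CSPRNG."""
    if length < 10:
        raise ValueError("the post recommends at least ten characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    print(f"one dictionary pass: {dictionary_pass_seconds():.3f} s")
    for n in (8, 9, 10, 12):
        h = brute_force_hours(n)
        print(f"{n:2d} chars: {h:>16,.0f} h  ({h / 8766:,.1f} years)")
    pw = generate_password(12)
    print(f"sample: {pw}  ({entropy_bits(len(pw)):.1f} bits)")
```

At the quoted rate one pass over the whole 500-million-word dictionary takes about a thirtieth of a second, so length only helps a password that is not on such a list.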


[1] Graphics Processing Unit: a restricted-instruction-set, single-chip processor that’s dedicated to graphics functions. GPUs may be used for other dedicated tasks, such as decryption.