Security & Mobility Now
Security is top-of-mind everywhere, especially right here where Juniper experts share their thoughts on the latest security breakthroughs and product advancements

If you’re an IT professional like me who likes to stay in touch with and expand your network, you’re probably familiar with LinkedIn (LNKD), operator of the world’s largest Internet-based professional network with 161 million members spanning over 200 countries and territories. In early June, the company learned that the encrypted passwords of over 6.4 million subscribers had been compromised and posted online.

 

In response to this incident, LinkedIn Director, Vicente Silveira, in a blog, said, “To the best of our knowledge, no email logins associated with the passwords have been published, nor have we received any verified reports of unauthorized access to any member’s account as a result of this event.” The company disabled passwords of those members believed to be at risk and sent them a message explaining how to reset their passwords. LinkedIn also stated that since the incident, it had enhanced its security measures (beyond SHA-1) by applying an additional layer of data protection know as “salting” to better secure members’ information.

 

Here’s how salting works. Before generating the hash (note: hash function is the transformation of a string of characters into a usually shorter fixed-length value or key that represents the original string) for each user password, you would create a random string of characters of a predetermined length and prepend this string to each plain text password. As long as the string (aka. a "salt") is of sufficient length and sufficiently random, the resulting hash will almost certainly be different each time the hash function is executed. By randomizing the hashes, lookup tables, reverse lookup tables, and rainbow tables become ineffective. Because an attacker won't know in advance what the salt will be, he or she can’t pre-compute a lookup table or rainbow table to crack passwords. If each user's password is hashed with a different salt, the reverse lookup table attack won't work either. Furthermore, in case an attacker tries to use brute force cracking in order to obtain passwords, Mykonos Web Security may be used to help prevent that.

 

On the other hand, if a legitimate user is logging into the Web site, because the user’s password associated salt is stored in the user database along with the hashed password, the authentication server will take the user supplied password and apply the user’s salt to obtain the hashed password. If there is a match, the user will successfully be authenticated.

 

Certain LinkedIn users were so dismayed by the data breach incident that they filed a class action lawsuit against LinkedIn seeking over $5 million in damages because the company allegedly didn’t follow its privacy policy and lacked sufficient security controls, in this case, salting, to protect its user database. Let’s hope this incident will be instructive for LinkedIn and other online businesses regarding the importance of implementing advanced Web application and data security controls to prevent a data breach, and avoid potential financial losses and the loss of customers resulting from such breaches.

Read more...

While hacking websites for financial gain continues to be a growing trend, hacking for notoriety has not ceased. A recent case in point is a story released on ZDNET about a 15-year old boy in Austria who hacked into 259 companies over a 90-day period. Upon being caught by the police, he reportedly admitted fault, citing a combination of boredom and desire to prove his skills as motivation for his activity.

 

Authorities stated that the suspect scanned the Internet for vulnerabilities and bugs in websites and databases that he could then exploit. He used various hacking tools widely available on the Internet, including software that helped him remain anonymous. However, it was this very software that ultimately stopped working and revealed the perpetrator’s IP address to Austria’s Federal Criminal Police Office’s C4 (Cyber Crime Competence Centre) unit, which arrested the teenager.

 

Unfortunately, the damage had already been done. All that the affected companies can do in retrospect is review the software code for their website, search for the vulnerabilities and remediate them. However, all of this requires time and money. To make matters worse, in certain cases, it may not be possible to remediate the code, such as if it was developed by a third party and the original developers aren’t accessible to make changes.

 

The victim companies could have benefitted from a security solution that detected the would-be hacker while he was interfacing with the Web site and stopped him cold in his tracks. Such a solution is available from Mykonos Software, a Juniper Networks company. Mykonos Web Security uses an industry unique approach that thwarts an attack literally as it begins. Mykonos detects, tracks, profiles and prevents hackers in real-time. Once deployed alongside the company’s web server(s), Mykonos Web Security works around the clock detecting and preventing attackers. It’s not creating log-files for the security administrator to review to find an attacker. It simply tells how many attackers it detected and what countermeasure response was applied. It’s a security device that works continuously as part of the security team even while the latter is not actively engaged with (e.g., monitoring) the website, which may provide greater peace of mind.

 

For further information, contact the Mykonos Sales team.

Read more...

About Security & Mobility Now

Discussing a wide range of topics impacting enterprises and
data center security.

Subscribe RSS Icon

Our Bloggers

Kyle Adams
Senior Software Engineer

Profile | Subscribe

Ritesh Agrawal
Director
Software Engineering

Profile | Subscribe

Erin K. Banks
Senior Technical Marketing Manager

Profile | Subscribe

Ajay Bharadwaj
Product Manager

Profile | Subscribe

Michael Callahan
Vice President
Product Marketing

Profile | Subscribe

Scott Emo
Director
Product Marketing

Profile | Subscribe

Mora Gozani
Senior Manager
Product Marketing

Profile | Subscribe

Ashur Kanoon
Sr. Manager
Technical Marketing

Profile | Subscribe

Seema Kathuria
Manager
Product Marketing

Profile | Subscribe

Kevin Kennedy
Senior Director
Product Management

Profile | Subscribe

Dave Killion
Software Engineer

Profile | Subscribe

Rebecca Lawson
Senior Director
Product Marketing

Profile | Subscribe

Rajoo Nagar
Senior Manager
Product Marketing

Profile | Subscribe

Erin O'Malley
Manager
Product Marketing

Profile | Subscribe

Galina Pildush
Strategy & Planning
Architect

Profile | Subscribe

Edward Roberts
Director
Product Marketing

Profile | Subscribe

Bill Shelton
Director Field Sales

Profile | Subscribe

Ashutosh Thakur
Product Line Manager

Profile | Subscribe

Troy Vennon
Software Engineer

Profile | Subscribe

Brad Woodberg
Product Manager

Profile | Subscribe

Labels
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.