
Living too Social- Passwords for everyone!

Level 11

Everyone is talking about the breach that hit LivingSocial®, the daily deals site, last week. And why wouldn’t they? The attackers gained access to customer data on the company’s servers, including email addresses and password hashes. Although the company has said the passwords were hashed and salted and would be difficult to recover, more than 50 million of its users have been asked to reset their passwords.

Now, does encryption save you?

Encryption transforms information with an algorithm and a key so that it is unreadable to anyone who does not hold that key. So if a third party gets hold of the key, your information is safe no more. Stored passwords are a different case: they should not be encrypted at all but hashed with a one-way function, so there is no key to steal in the first place. An attacker who takes a hash database cannot “decrypt” it; instead they guess candidate passwords, hash each guess the same way the site did, and compare the results. How expensive each guess is, and whether one guess can be checked against every account at once, is what separates a good password store from a bad one.

Here’s a very informative video by one of our good friends, Javvad Malik, who explains password encryption on a humorous note.

Credit is due to the engineers at LivingSocial for adding a cryptographic salt: a unique salt per password forces cracking programs to attack each hash individually, rather than checking each guess once against all tens of millions of hashes (and it defeats precomputed lookup tables). But if they really wanted the information secure, choosing the SHA1 algorithm ahead of bcrypt, scrypt, or PBKDF2 wasn’t a great move. SHA1 is designed to be fast, so commodity GPUs can test billions of guesses per second against a single salted hash, whereas the purpose-built password hashes are deliberately slow and have a tunable work factor that can be raised as hardware gets faster.
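To make the salt and hash-choice points concrete, here is an added example (written for this page, not part of the original post and not LivingSocial’s code) using only Python’s standard library. It stores a constructed set of accounts three ways: unsalted SHA-1, per-account salted SHA-1 (what the post credits LivingSocial with), and PBKDF2-HMAC-SHA1 as one of the purpose-built alternatives the post names. It then runs the same small dictionary attack against each store and counts the guesses needed. The account list, the wordlist and the iteration count are all assumptions for the demo.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, Tuple

# Constructed sample data (not from the breach): a few accounts, two of which
# share a weak password, plus a tiny attacker wordlist.
USERS = {
    "alice": "letmein",
    "bob": "correct horse battery staple",
    "carol": "123456",
    "dave": "letmein",
}
WORDLIST = ["password", "123456", "qwerty", "letmein", "iloveyou"]

# Assumed work factor for the demo. Production PBKDF2-HMAC-SHA1 needs on the
# order of a million iterations; tune it so one verify costs tens of milliseconds.
ITERATIONS = 100_000

HashFn = Callable[[str, bytes], str]
SaltedDB = Dict[str, Tuple[bytes, str]]


def sha1_unsalted(pw: str) -> str:
    return hashlib.sha1(pw.encode()).hexdigest()


def sha1_salted(pw: str, salt: bytes) -> str:
    """What the post credits LivingSocial with: a per-account salt in front of SHA-1."""
    return hashlib.sha1(salt + pw.encode()).hexdigest()


def pbkdf2_sha1(pw: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    """Same primitive, iterated: every guess now costs the attacker `iterations` HMACs."""
    return hashlib.pbkdf2_hmac("sha1", pw.encode(), salt, iterations).hex()


def build_salted_db(users: Dict[str, str], hash_fn: HashFn) -> SaltedDB:
    db = {}
    for user, pw in users.items():
        salt = os.urandom(16)  # fresh random salt per account, stored beside the digest
        db[user] = (salt, hash_fn(pw, salt))
    return db


def verify(stored: Tuple[bytes, str], attempt: str, hash_fn: HashFn) -> bool:
    salt, digest = stored
    return hmac.compare_digest(hash_fn(attempt, salt), digest)  # constant-time compare


def crack_unsalted(db: Dict[str, str], wordlist) -> Tuple[Dict[str, str], int]:
    """Unsalted: hash the wordlist once, then look every leaked digest up in that
    table. Cost is len(wordlist) hashes no matter how many accounts leaked."""
    table = {sha1_unsalted(w): w for w in wordlist}
    found = {user: table[d] for user, d in db.items() if d in table}
    return found, len(wordlist)


def crack_salted(db: SaltedDB, wordlist, hash_fn: HashFn) -> Tuple[Dict[str, str], int]:
    """Salted: each (salt, digest) needs its own pass over the wordlist, so cost
    scales with accounts x guesses; a slow KDF then multiplies every one of those
    operations by its work factor. Stops at the first hit per account."""
    found, ops = {}, 0
    for user, (salt, digest) in db.items():
        for guess in wordlist:
            ops += 1
            if hash_fn(guess, salt) == digest:
                found[user] = guess
                break
    return found, ops


if __name__ == "__main__":
    unsalted = {u: sha1_unsalted(pw) for u, pw in USERS.items()}
    print("unsalted SHA-1:", crack_unsalted(unsalted, WORDLIST))
    for name, fn in (("salted SHA-1", sha1_salted), ("PBKDF2-HMAC-SHA1", pbkdf2_sha1)):
        db = build_salted_db(USERS, fn)
        t0 = time.perf_counter()
        found, ops = crack_salted(db, WORDLIST, fn)
        print(f"{name}: recovered {found} with {ops} guesses in {time.perf_counter() - t0:.3f}s")
```

Salting changes the shape of the attack (the unsalted table cracks every account for the price of one pass over the wordlist; salted hashes cost a pass per account) but not what is crackable: the weak passwords fall either way, which is why users still have to change them. The KDF’s work factor then multiplies each of those guesses by its iteration count, and the time printed for the PBKDF2 run shows that multiplier in action; bcrypt or scrypt plug into the same slot as `pbkdf2_sha1` here.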

The entire response has been reactive, when the company could have been proactive and watching with eyes wide open as the attack unfolded. This is where your security monitoring, on endpoints as well as servers, needs to lead from the front.
It is not just about protecting the servers and devices within your network; it is also about your end users and their credentials.

This is where Security Information and Event Management (SIEM) comes in. SIEM combines two earlier product categories: SIM (Security Information Management), which collects security logs and produces reports from them, and SEM (Security Event Management), which uses real-time event correlation and alerting to support the analysis of security events.

To stay ahead of the curve, you can use SIEM software as the central collection point for device and application logs, automatically aggregating them and normalizing them into a consistent format (a common set of fields such as timestamp, host, account, source address and outcome, regardless of which product wrote the line). On that normalized data, anomalies and security threats can be identified quickly and suspicious events responded to. One caveat: a SIEM only sees what is forwarded to it, so the application’s own authentication and administrative events must be in the feed, not just the perimeter devices.

In most cases, enterprises correlate events from security-specific devices such as IDS/IPS sensors, firewalls and domain controllers to take a proactive approach to network security. Going a step further, an event log analyzer that relates different activities to each other through multi-event correlation in real time (for example, a burst of failed logons followed by a success from the same source) turns isolated log lines into an incident that can be acted on and troubleshot.
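As an added illustration of the normalization and multi-event correlation described above (example code written for this page, not any SIEM product’s own logic), the Python below takes constructed log lines in two native formats, a Windows domain-controller logon event rendered as key=value text (event 4624 is a successful logon, 4625 a failed one) and Linux sshd syslog lines, normalizes both into one event schema, and runs two correlation rules over the result: repeated failures followed by a success for one source/account pair, and one source failing against many distinct accounts. The log lines, the key=value layout of the Windows rendering, the syslog year and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed sample events (not real captures) in two native formats:
# a domain-controller logon event rendered as key=value text and sshd syslog lines.
SAMPLE_LOGS = [
    "2013-04-26T10:00:01Z DC01 EventID=4625 Account=jsmith Source=203.0.113.7 Status=0xC000006A",
    "2013-04-26T10:00:03Z DC01 EventID=4625 Account=jsmith Source=203.0.113.7 Status=0xC000006A",
    "2013-04-26T10:00:05Z DC01 EventID=4625 Account=jsmith Source=203.0.113.7 Status=0xC000006A",
    "2013-04-26T10:00:09Z DC01 EventID=4624 Account=jsmith Source=203.0.113.7 LogonType=10",
    "2013-04-26T10:02:00Z DC01 EventID=4624 Account=mjones Source=10.0.0.12 LogonType=2",
    "Apr 26 10:05:00 web01 sshd[2211]: Failed password for deploy from 198.51.100.9 port 50122 ssh2",
    "Apr 26 10:05:01 web01 sshd[2212]: Failed password for root from 198.51.100.9 port 50123 ssh2",
    "Apr 26 10:05:02 web01 sshd[2213]: Failed password for invalid user admin from 198.51.100.9 port 50124 ssh2",
    "Apr 26 10:05:03 web01 sshd[2214]: Failed password for backup from 198.51.100.9 port 50125 ssh2",
    "Apr 26 10:30:00 web01 sshd[2300]: Accepted publickey for deploy from 10.0.0.5 port 40000 ssh2",
]
SYSLOG_YEAR = 2013  # assumption: classic syslog timestamps carry no year


@dataclass(frozen=True)
class AuthEvent:
    """Normalized schema shared by every log source."""
    ts: datetime
    host: str
    user: str
    src: str
    outcome: str  # "success" or "fail"


WIN_RE = re.compile(r"^(\S+) (\S+) EventID=(\d+) Account=(\S+) Source=(\S+)")
SSHD_RE = re.compile(
    r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: (Failed|Accepted) \S+ for "
    r"(?:invalid user )?(\S+) from (\S+)"
)


def normalize(line: str) -> Optional[AuthEvent]:
    """Map one raw line onto AuthEvent; None for lines this parser does not understand."""
    m = WIN_RE.match(line)
    if m:
        ts, host, event_id, user, src = m.groups()
        outcome = {"4624": "success", "4625": "fail"}.get(event_id)
        if outcome is None:
            return None
        return AuthEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, user, src, outcome)
    m = SSHD_RE.match(line)
    if m:
        ts, host, verb, user, src = m.groups()
        when = datetime.strptime(f"{SYSLOG_YEAR} {ts}", "%Y %b %d %H:%M:%S")
        return AuthEvent(when, host, user, src, "success" if verb == "Accepted" else "fail")
    return None


def normalize_all(lines: List[str]) -> List[AuthEvent]:
    events = [e for e in (normalize(l) for l in lines) if e is not None]
    return sorted(events, key=lambda e: e.ts)  # correlation needs time order


def brute_force_then_success(events, threshold=3, window=timedelta(seconds=60)) -> List[str]:
    """Rule 1: at least `threshold` failures for one (source, account) pair, then a
    success for the same pair within `window`: the classic sign of a guessed password."""
    alerts, by_pair = [], defaultdict(list)
    for e in events:
        by_pair[(e.src, e.user)].append(e)
    for (src, user), evs in by_pair.items():
        for i, e in enumerate(evs):
            if e.outcome != "success":
                continue
            fails = [f for f in evs[:i] if f.outcome == "fail" and e.ts - f.ts <= window]
            if len(fails) >= threshold:
                alerts.append(f"{e.host}: {len(fails)} failed logons then success for {user} from {src}")
    return alerts


def password_spray(events, min_accounts=3, window=timedelta(seconds=60)) -> List[str]:
    """Rule 2: one source failing against many distinct accounts inside `window`,
    which is what leaked or reused passwords being tried elsewhere looks like."""
    alerts, by_src = [], defaultdict(list)
    for e in events:
        if e.outcome == "fail":
            by_src[e.src].append(e)
    for src, fails in by_src.items():
        for i, first in enumerate(fails):
            accounts = {f.user for f in fails[i:] if f.ts - first.ts <= window}
            if len(accounts) >= min_accounts:
                alerts.append(f"{src}: failed logons against {len(accounts)} accounts within {window.seconds}s")
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    evs = normalize_all(SAMPLE_LOGS)
    for alert in brute_force_then_success(evs) + password_spray(evs):
        print("ALERT", alert)
```

Neither rule could fire on the raw lines alone: the domain controller and the SSH daemon describe the same kind of event in unrelated vocabularies, and only after both are reduced to the same `AuthEvent` fields can a single rule look across them. The `deploy` account appears in both a spray and a later legitimate key-based login from an internal address, which is exactly the kind of pairing an analyst wants surfaced rather than buried in two separate log files.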

The take-away from the LivingSocial incident, and the immediate fix, is that users should not only change the password on their LivingSocial account but also make sure they are not using the same password on other sites, because a password recovered from one breached database will be tried against email, banking and social accounts next. They should also understand that this is not optional.

Stay secure!!!


Very nice article!  Let me expand on the encryption comment a little.

>> choosing the SHA1 algorithm ahead of bcrypt, scrypt, or PBKDF2 wasn’t a great move

  • After the incident, LivingSocial did switch to bcrypt instead of SHA1 (see their updated FAQ). 
  • PBKDF2 can and often does use SHA1 (e.g., SP 800-132 Section 5.3), but is stronger than SHA1 alone because it uses derived keys to facilitate a technique known as "key stretching".
  • bcrypt has been around since 1999 (see USENIX paper for the gory details) and may be the most popular strong password storage alternative today.
  • scrypt has been the sexy new alternative since about 2009 (see its paper for even more details) that promises to take the effort of hash and key cracking beyond what even specialized hardware can reasonably be expected to do.*

Long story short, if you have to work through federal certification, you might choose PBKDF2.  If you want something with 14 years of production history behind it, you might choose bcrypt. And if you want state-of-the-art security (and don't mind being a little ahead of the curve), you might choose scrypt. 

* = In fairness, "making cracking take longer" is the goal of just about any encryption scheme; we just continue to learn more about how to crack encryption than we knew before. 

Level 15

Thanks for the posting.