ALTOM: LinkedIn hacking case holds a lesson about passwords

On June 6, the professional networking site LinkedIn, of which I’m a member, lost more than 6 million passwords to marauding hackers. This is a pretty small number of compromised accounts, actually. LinkedIn claims more than 160 million users, so by today’s standards, losing less than 4 percent of your passwords in one leak is no big deal.

LinkedIn, of course, is embarrassed and is taking steps to change those affected passwords and re-secure the accounts.

Why did the hackers do it? I know my fellow LinkedIn members are awesome and among mankind’s brightest, but their resumes have surprisingly little street value. What could the hackers have had in mind? The answer is that they didn’t care about the LinkedIn accounts at all. They cared about the members’ negligence and their passwords.

The hackers intend to exploit some common online tendencies. First, e-mail addresses are the tokens of choice to distinguish users from one another throughout the Internet. There can be only one combination of user name and domain everywhere in the world. That means everywhere you go in cyberspace, every website where you buy things or register, every inbox, has your unique fingerprint on it: your e-mail address.

You often hear that you’re anonymous online, and you can be if you want to be. But if you want to buy or sell, register for newsletters, or get return e-mails, you have to declare your identity. And that identity is your e-mail address.

Through your e-mail address, a hacker can identify you pretty easily, because e-mail addresses can be harvested in lots of ways. The hackers know where you go, where you bank online, where you buy your underwear and other embarrassing goods, and where you hang out. What they can’t get to is your actual accounts. If they had that, they could steal from you by simply pretending to be you. For that, they need your passwords.

If everybody scrupulously used different passwords for all their different touch-down points online, they’d be much safer. But they don’t, because it’s too much hassle. Most of us use one or two basic passwords over and over, everywhere we go. So any hacker who acquires, say, your LinkedIn password, could likely put that together with the corresponding e-mail identifier, and they could likely unlock half or more of your cyber-life, plundering you at will.

It gets worse. Those e-mails and passwords aren’t just sitting on a single computer somewhere. They’re being compiled into lists and being sold, as a kind of black-hat version of direct mailing lists. And in a way, the announcements of hacker penetration into various sites work to the hackers’ advantage, due to something known in the trade as “spear-phishing.”

“Phishing” is the practice of sending e-mails that have little bombs in them. They could have attachments that put viruses on the recipients’ machines, or phony but legitimate-looking links to similarly malicious but legitimate-looking websites that will also implant ugly bits of software on your computer and steal information you type in.

So when a LinkedIn client hears about a password problem, hackers can profit from the announcement by sending out faux e-mails asking him to log in to LinkedIn to change his password and providing a link to a fake LinkedIn site. The fake site, which is almost indistinguishable from the real LinkedIn, captures the new password, too, while the true LinkedIn still has the old one.

And finally, why would hackers be interested in putting viruses on computers? The days of hackers causing havoc merely for fun are pretty much over. Today’s hackers are in business and, like all businessfolk, they’re looking for profit. They find it in spam, those numerous, annoying e-mails we all get that clog up inboxes like today’s version of junk mail.

Amazingly enough, many spammers don’t actually send most of those messages themselves. Rather, they enlist the unwitting assistance of hundreds or even thousands of hijacked computers just like yours. Spammers implant viruses that scan your contact lists, then assemble their messages and use your computer to send them to your kith and kin, often with your return address. Some of the spam could even seem to have your imprimatur, carrying a message like, “Hey Bob, this is Frank, and you have to see this!” Bob clicks on it, and he’s simultaneously shown an ad and opened up to his own virus implantation.

Anti-virus software is, of course, a vital part of the arsenal for keeping these infections at bay. But in the bigger picture, using only a thimbleful of passwords for dozens of online accounts is an invitation to being hacked. Major sites like LinkedIn will forever be vulnerable to attack, and it’s well to remember that your password is like your car key, a simple device that has big implications when stolen.•

__________

Altom is an independent local technology consultant. His column appears every other week. He can be reached at taltom@ibj.com.