LinkedIn's password database was breached, and 6.5 million password hashes (not encrypted passwords: unsalted SHA-1 digests) were posted on the Internet. Tools for cracking such hashes are freely available, and the hashes are actively being cracked. As of 6/6/2012, almost 160K of them are available in cleartext on the Internet.
Are you Secure?
Dustin Hilgaertner (an architect at Cinchcast) and I developed a simple application that checks whether your password has been compromised. Basically, it does a simple lookup for your cleartext password in the cracked-password file that is circulating. The password you enter isn't logged at any point.
The URL to check if your password is compromised or not is:
If you would rather not enter your password, you can download the list (as of 6/6/2012) yourself and search for your cleartext password there.
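The lookup described above can also be done without the cleartext ever leaving your machine: hash the password locally with the same unsalted SHA-1 LinkedIn used, then search the leaked hash list for that digest. The example below is added here and is not the application's code. The dump it searches is constructed inline from made-up passwords; the only assumption taken from public reporting on the leaked file is that many entries had their first five hex characters overwritten with "00000", so the lookup also matches on that masked form.

```python
import hashlib


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of the UTF-8 password, lowercase hex (the format LinkedIn stored)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_sample_dump() -> str:
    """Constructed stand-in for the leaked file: one hex digest per line.

    The second entry has its first five characters masked with "00000",
    mirroring the masking widely reported in the real dump. None of these
    digests come from the actual leak; the passwords are invented here.
    """
    plain = sha1_hex("linkedin123")
    masked = "00000" + sha1_hex("letmein")[5:]
    other = sha1_hex("correct horse battery")
    return "\n".join([plain, masked, "not-a-hash-line", other]) + "\n"


def load_dump(text: str) -> set[str]:
    """Parse a dump into a set of normalized 40-hex-char digests, skipping junk lines."""
    digests = set()
    for line in text.splitlines():
        line = line.strip().lower()
        if len(line) == 40 and all(c in "0123456789abcdef" for c in line):
            digests.add(line)
    return digests


def is_compromised(password: str, digests: set[str]) -> bool:
    """Hash locally, then look up both the full digest and its "00000"-masked form."""
    h = sha1_hex(password)
    return h in digests or ("00000" + h[5:]) in digests


if __name__ == "__main__":
    dump = load_dump(build_sample_dump())
    for candidate in ("linkedin123", "letmein", "something-else"):
        print(candidate, "->", "COMPROMISED" if is_compromised(candidate, dump) else "not found")
```

Point `load_dump` at the downloaded file instead of `build_sample_dump()` to run the check against the real list; a 6.5 million line file fits comfortably in a Python set.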
I like to compare security to maintaining your bathroom. If you do a great job, nobody says thank you. But if you screw up and the bathroom starts leaking, all hell breaks loose. Unfortunately, the value of security isn't recognized by many companies, so securing the systems always takes a back seat to other business priorities. This seems to be the case here: passwords were stored as unsalted SHA-1 hashes. The missing salt is the worse failing, and salting is a basic tenet of password storage, because without it every user who picked the same password gets the same hash, so one precomputed table or one cracked hash covers all of them. Merely moving from SHA-1 to SHA-2 would not have fixed this, since both are fast general-purpose hashes; password storage needs a per-user salt plus a deliberately slow function such as bcrypt, scrypt or PBKDF2.
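The weak scheme beside a corrected one, as an added example that is not from the page or from LinkedIn: unsalted SHA-1 maps identical passwords to identical digests, while a salted, iterated PBKDF2-HMAC-SHA256 record differs per user and costs the attacker one slow computation per guess per account. The record format and the iteration count are assumptions made for this example.

```python
import hashlib
import hmac
import os


def unsalted_sha1(password: str) -> str:
    """The weak scheme: same password, same digest, for every user."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Assumed default for this example; tune so one hash takes roughly 100 ms on your hardware.
ITERATIONS = 200_000


def make_record(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, deliberately slow PBKDF2-HMAC-SHA256.

    Record format (an assumption of this example): "<iterations>$<salt hex>$<digest hex>".
    Storing the iteration count lets you raise it later without invalidating old records.
    """
    salt = os.urandom(16)  # fresh random salt per record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and count; compare in constant time."""
    iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def same_password_collides(password: str, iterations: int = ITERATIONS) -> tuple[bool, bool]:
    """For two users with the same password: (unsalted digests equal?, salted records equal?)."""
    unsalted_same = unsalted_sha1(password) == unsalted_sha1(password)
    salted_same = make_record(password, iterations) == make_record(password, iterations)
    return unsalted_same, salted_same


if __name__ == "__main__":
    rec = make_record("hunter2")
    print("record:", rec)
    print("verify correct:", verify("hunter2", rec))
    print("verify wrong:  ", verify("hunter3", rec))
    print("collisions (unsalted, salted):", same_password_collides("hunter2"))
```

With the unsalted scheme, cracking one user's hash of a popular password reveals every account using it; with the salted record, each account must be attacked separately, and each guess costs the full iteration count.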
Even though the breach details aren't available yet, my guess is that social engineering and custom trojans (APT) were used to get into the internal network. In these attacks, a hacker sends a seemingly innocuous file, such as an Excel spreadsheet or a Word document containing a custom virus, to an internal employee. Once the employee opens it, the virus is installed on the system, creating a backdoor for the attacker to poke around the network. Because the virus is custom-crafted, most anti-virus or intrusion detection systems don't notice it. Once the attacker is on the network, most of the time the game is lost.
If you want to learn five simple rules for keeping your organization secure, you can listen to my audio podcast, recorded using Cinchcast technology:
The slide deck is below: