
🔑 Key Takeaways

  1. Protect your personal information online and implement effective security measures to prevent breaches and protect sensitive data.
  2. Personal computers must have high security measures in place to avoid brute force attacks and prevent employees from using unsecured devices for official work purposes.
  3. LinkedIn responded to a hack by implementing a four-step process: confirm, contain, remediate, and post-mortem. They also tracked down the hacker by examining VPN logs and an engineer's iMac, and realized they needed to salt their password hashes.
  4. Quick identification of unique user agents and prompt communication with authorities is crucial in effectively responding and containing security breaches, as demonstrated by LinkedIn's response to the password-cracking incident.
  5. Avoid using the same password across multiple accounts to prevent hackers from gaining access to all your accounts. Use unique and strong passwords, and consider using password managers for added protection.
  6. Regular monitoring, stringent security measures, and prompt response are necessary to minimize the damage caused by data breaches and prevent loss of user trust.
  7. Cross-referencing data and using MLAT can help law enforcement agencies investigate cybercrime by finding matching indicators of compromise (IOCs) across breaches and tracing them back to the attacker's email address.
  8. Through online tracking and connections, the FBI was able to find evidence of cybercrime activities, including a purchase of Formspring data, leading to the indictment of a Russian broker, but not his capture.
  9. Weak passwords leave users vulnerable to data breaches, resulting in potentially harmful consequences. Strong and unique passwords are a necessary step in protecting personal information from hackers, who can compromise sensitive data for profit.
  10. Yevgeniy Nikulin's lengthy legal battle and eventual conviction shed light on the transparency of the justice system and the mental toll of extended confinement.
  11. Implement user behavior anomaly detection, use unique, complex passwords and password managers, prioritize logging and archival of data, avoid hosting websites on personal computers, change passwords regularly and don't reuse them across multiple accounts.

📝 Podcast Summary

The Complexities of the Cyber-Crime Supply Chain and the Importance of Cybersecurity Measures

The cyber-crime supply chain involves many layers from hackers to buyers and brokers, and even third-party agents. The data breach is just the beginning, as buyers may use the stolen information to send spam or promote other businesses. When LinkedIn was hacked in 2012, the hacker found a backdoor entrance by targeting an engineer with remote VPN access through their LinkedIn profile. This highlights the importance of being careful with personal information posted online, as it can make individuals vulnerable to cyber attacks. Companies must also implement effective security measures, such as firewalls and security audits, to prevent breaches and protect sensitive data.

The Cost of Security Breaches through Personal Computers

A hacker gained access to LinkedIn's VPN server by exploiting the personal computer of a LinkedIn site reliability engineer. The engineer was unknowingly hosting a website from a virtual machine on that machine, which gave the hacker a way in. The hacker brute-forced the login on the engineer's personal iMac and found LinkedIn's private key and its VPN profile. Once he had the VPN profile and the private key, he connected directly to LinkedIn's VPN server. The incident highlights the importance of securing personal computers, and also the need to prevent the use of personal computers for official work purposes.

LinkedIn's response to a major security breach

The hacker breached LinkedIn's network by connecting to it from his home in Moscow, Russia, and logged into the user database, stealing usernames, password hashes, and email addresses. LinkedIn discovered the breach three months later, after someone offered to sell the stolen data on an underground forum. LinkedIn's response to this incident was a four-step process: confirm, contain, remediate, and post-mortem. The security team tracked down the hacker by examining VPN logs and an engineer's home iMac before discovering that the hacker was actively trying to crack users' password hashes. LinkedIn wasn't salting its password hashes at the time, which made them easier to crack. This incident was classified as a Code Red because it was business-impacting and user data had already been leaked to the internet.
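To make the salting point concrete, here is an added example (not code from the podcast or from LinkedIn) contrasting an unsalted SHA-1 store, as described above, with a per-user salted, iterated hash. The sample passwords are constructed; "123456" is repeated deliberately to show why unsalted storage lets one cracked hash unlock every account that shares the password.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional, Tuple

# Constructed sample passwords; the duplicate "123456" models password reuse.
SAMPLE_PASSWORDS = ["123456", "123456", "correct horse battery staple"]

PBKDF2_ITERATIONS = 200_000  # assumption: a reasonable 2020s work factor for SHA-256


def unsalted_sha1(password: str) -> str:
    """Unsalted SHA-1: identical passwords always produce identical hashes,
    so one precomputed table or one cracked hash covers every user sharing it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None) -> Tuple[str, str]:
    """Per-user random salt plus PBKDF2-HMAC-SHA256.
    Returns (salt_hex, hash_hex); both are stored alongside the account."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt.hex(), digest.hex()


def verify_salted(password: str, salt_hex: str, hash_hex: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def count_distinct_hashes(passwords: Iterable[str], hasher: Callable[[str], str]) -> int:
    """How many distinct stored values a hashing scheme yields for a password list."""
    return len({hasher(p) for p in passwords})


def compare_schemes() -> Tuple[int, int]:
    """Distinct hash count under the unsalted scheme vs the salted scheme.
    Unsalted collapses the two "123456" users into one value; salted does not."""
    unsalted = count_distinct_hashes(SAMPLE_PASSWORDS, unsalted_sha1)
    salted = count_distinct_hashes(SAMPLE_PASSWORDS, lambda p: salted_hash(p)[1])
    return unsalted, salted


if __name__ == "__main__":
    print("distinct values (unsalted, salted):", compare_schemes())
    salt, stored = salted_hash("123456")
    print("verify correct password:", verify_salted("123456", salt, stored))
    print("verify wrong password:  ", verify_salted("12345", salt, stored))
```

The defensive takeaway is the second number: with a per-user salt every stored value is unique even when the underlying passwords are not, so a cracker has to attack each account separately instead of matching a leaked dump against one table.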

Importance of Logging and Identification in Incident Response

Logging is key in incident response, but with millions of daily users, it can be difficult to find critical information. Identifying unique user agents can help link suspicious activity to the same individual, even if they use different IPs. A password-cracking GPU farm was used to obtain passwords from the database dump. The investigation took LinkedIn six weeks with multiple teams analyzing thousands of servers and millions of logs before forcing password changes for employees and informing the public. Prompt communication with the authorities is essential to ensure effective response and containment of a security breach, demonstrated by LinkedIn alerting the FBI of the breach.
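The user-agent pivot described above, as an added example that is not part of the podcast or of LinkedIn's tooling. The log format and every line in it are constructed for the example (RFC 5737 documentation addresses, an invented internal path); the point is that grouping on user agent surfaces one client string reaching the same sensitive endpoint from several source IPs, which an IP-centric view would miss.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed access log (not real data). Three lines share one user agent
# but arrive from three different source IPs, all hitting the same export path.
SAMPLE_LOG = """\
2012-06-04T02:11:09Z src=203.0.113.17 user=sre-jane ua="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/534.57.2 Safari/5.1.7" path=/internal/db-export status=200
2012-06-04T02:13:41Z src=198.51.100.8 user=bob ua="Mozilla/5.0 (Windows NT 6.1) Chrome/19.0.1084.56" path=/feed status=200
2012-06-04T03:02:15Z src=192.0.2.44 user=sre-jane ua="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/534.57.2 Safari/5.1.7" path=/internal/db-export status=200
2012-06-04T03:25:58Z src=198.51.100.8 user=bob ua="Mozilla/5.0 (Windows NT 6.1) Chrome/19.0.1084.56" path=/messages status=200
2012-06-04T04:40:02Z src=192.0.2.91 user=sre-jane ua="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/534.57.2 Safari/5.1.7" path=/internal/db-export status=200
2012-06-04T05:01:30Z src=203.0.113.5 user=carol ua="Mozilla/5.0 (X11; Linux x86_64) Firefox/13.0" path=/feed status=200
"""

# Assumed key=value line layout; adjust the pattern for a real log source.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) ua="(?P<ua>[^"]*)" '
    r'path=(?P<path>\S+) status=(?P<status>\d+)$'
)


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse each well-formed line into a dict; silently skip lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def pivot_on_user_agent(events: List[Dict[str, str]], min_ips: int = 3) -> List[Dict]:
    """Group events by user agent and flag any UA seen from at least `min_ips`
    distinct source addresses. Returns one summary record per flagged UA."""
    by_ua = defaultdict(lambda: {"ips": set(), "users": set(), "paths": set()})
    for e in events:
        bucket = by_ua[e["ua"]]
        bucket["ips"].add(e["src"])
        bucket["users"].add(e["user"])
        bucket["paths"].add(e["path"])

    flagged = []
    for ua, bucket in by_ua.items():
        if len(bucket["ips"]) >= min_ips:
            flagged.append({
                "ua": ua,
                "ips": sorted(bucket["ips"]),
                "users": sorted(bucket["users"]),
                "paths": sorted(bucket["paths"]),
            })
    return flagged


if __name__ == "__main__":
    for hit in pivot_on_user_agent(parse_log(SAMPLE_LOG)):
        print(f"UA seen from {len(hit['ips'])} IPs: {hit['ua']}")
        print("  ips:  ", ", ".join(hit["ips"]))
        print("  users:", ", ".join(hit["users"]))
        print("  paths:", ", ".join(hit["paths"]))
```

A user agent is a pivot, not proof: clients can set it to anything, so treat a hit as a lead to confirm against VPN session records and endpoint evidence, as the story describes LinkedIn doing, rather than as attribution on its own.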

How Reusing Passwords can Lead to Data Breaches and Cybersecurity Incidents

Reusing passwords across multiple accounts can lead to severe consequences, because a hacker who obtains one set of credentials can log into every account that shares them. The 2012 LinkedIn data breach, in which a hacker gained access to 6.5 million passwords, led to the compromise of the account of a Dropbox engineer who had been using the same password for all his social media accounts. This allowed the hacker to access Dropbox's network and steal user data, ultimately leading Dropbox to set up a War Room to handle the cybersecurity incident. To avoid such breaches, users must create strong, unique passwords for every account and use password managers to avoid the hassle of remembering them.

Importance of Stringent Security Measures and Prompt Response in Corporate Network Security

The security of corporate networks and user data is crucial. Dropbox and Formspring experienced massive breaches resulting in the theft of millions of user details. Though the Dropbox team detected suspicious activity, they couldn't pinpoint the exact cause until they examined the logs. Similarly, Formspring found out about the breach only after a dump of 420,000 user accounts was posted on an underground forum. Companies must adopt stringent security measures, including monitoring rules and frequent password changes, to thwart such attacks. Prompt detection, quick response, containment, and informing users are necessary steps companies should take to minimize the damage and restore trust.

FBI's Investigation of Cyber Attack on LinkedIn, Dropbox, and Formspring

The FBI investigated the cyber attacks on LinkedIn, Dropbox, and Formspring and found a trail connecting them, including similar IPs, user agents, and an email address, chinabig01@gmail.com. MLAT was used to request subscriber records from Russia, and it took 8 months to 5 years to get the information needed. The FBI cross-referenced the LinkedIn data with the Dropbox and Formspring data and found similar indicators of compromise (IOCs) linking them to the same email address. The FBI then served Google with a search warrant for any information on the user and found search terms related to vulnerabilities and hacks. This shows the importance of cross-referencing data and using MLAT to investigate cybercrime.

FBI Tracks Down Russian Hacker Involved in Cybercrimes

The FBI was able to track down a Russian hacker named Yevgeniy Nikulin, who went by the name Zhenya and was registered on different online sites using various names and email addresses. The hacker was involved in various cybercrimes, including hacking into LinkedIn and Automattic. The FBI was able to find evidence of his activities through different online sites and email accounts he was using. They were also able to connect him to a Russian man named Kislitsin, who brokered deals between hackers and buyers. Kislitsin's email revealed that a buyer purchased the Formspring data for $7,100, and was involved in other cybercrimes as well. Although the FBI indicted Kislitsin, they were unable to capture him.

Cybersecurity Breaches and the Importance of Strong Passwords

Yevgeniy Nikulin, a Russian hacker, was responsible for the Dropbox data breach and had access to Formspring data, which he intended to sell on the black market. The FBI issued an indictment against him, but he could not be arrested because he was in Russia and could not be extradited to the US. Later, it was found that the LinkedIn data breach was much bigger than initially thought, with 117 million user passwords stolen, and most users had weak passwords like '123456'. This news affected a lot of people, including top executives, government officials, lawmakers, and even the president of the United States. Users must change their passwords and use strong, unique passwords to avoid such breaches.

Yevgeniy Nikulin's Arrest and Extradition for Hacking Charges

Yevgeniy Nikulin was arrested in Prague in 2016 for allegedly hacking into LinkedIn, Dropbox, and Formspring. He fought extradition to the US for two years and was finally extradited in 2018. In the US trial he pleaded innocent to all charges, but witnesses, evidence, and FBI testimony connected him to the incidents. The trial started in 2020 but was delayed by the pandemic. In the meantime, the Secret Service arrested Oleksandr Yaremenko, a hacker who had evidence linking Yevgeniy Nikulin to the crimes. Yevgeniy spent four years in jail, and the mental toll showed in his behavior. The transparency of the trial put unprecedented details into the public domain.

Best Practices for Account Security

The main takeaways from this story are: companies should implement user behavior anomaly detection that alerts them when unusual login activity occurs; individuals should use unique, complex passwords for every account and rely on password managers to manage them; companies should prioritize proper logging and archival of data for forensic purposes; and hosting websites on personal computers exposes the network to attack. The story also highlights the importance of changing passwords regularly and not reusing them across multiple accounts. Finally, the next episode will uncover a story involving passwords found in the LinkedIn database and their potential impact on account security.
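For the first takeaway, user behavior anomaly detection, here is an added example that is not part of the podcast or of any company's product. It builds a per-user baseline from constructed login history (network prefix, user agent, hour of day) and scores a new login by how many of those dimensions are unfamiliar; the threshold and the /24 prefix granularity are assumptions chosen for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed login history (not real data). Alice habitually logs in during
# office hours from one /24 with one client; Bob has two known clients.
HISTORY = [
    {"user": "alice", "ts": "2012-05-01T09:12:00", "src": "203.0.113.17", "ua": "Safari/5.1 Mac"},
    {"user": "alice", "ts": "2012-05-02T10:03:00", "src": "203.0.113.21", "ua": "Safari/5.1 Mac"},
    {"user": "alice", "ts": "2012-05-03T17:45:00", "src": "203.0.113.17", "ua": "Safari/5.1 Mac"},
    {"user": "bob",   "ts": "2012-05-01T08:30:00", "src": "198.51.100.8", "ua": "Chrome/19 Win"},
    {"user": "bob",   "ts": "2012-05-02T22:10:00", "src": "198.51.100.9", "ua": "Mobile Safari iOS"},
]

ALERT_THRESHOLD = 2  # assumption: two or more unfamiliar dimensions raises an alert


def prefix24(ip: str) -> str:
    """Collapse an IPv4 address to its /24 so DHCP churn inside one network is not 'new'."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def build_baseline(events: List[Dict[str, str]]) -> Dict[str, Dict[str, set]]:
    """Per-user sets of seen network prefixes, user agents, and login hours."""
    baseline = defaultdict(lambda: {"prefixes": set(), "uas": set(), "hours": set()})
    for e in events:
        b = baseline[e["user"]]
        b["prefixes"].add(prefix24(e["src"]))
        b["uas"].add(e["ua"])
        b["hours"].add(datetime.fromisoformat(e["ts"]).hour)
    return baseline


def score_login(baseline: Dict[str, Dict[str, set]], event: Dict[str, str]) -> Tuple[int, List[str]]:
    """Count how many dimensions of this login are unfamiliar for the user.
    A user with no history at all scores as maximally unfamiliar."""
    b = baseline.get(event["user"])
    if b is None:
        return 3, ["no baseline for user"]
    reasons = []
    if prefix24(event["src"]) not in b["prefixes"]:
        reasons.append("new network prefix")
    if event["ua"] not in b["uas"]:
        reasons.append("new user agent")
    if datetime.fromisoformat(event["ts"]).hour not in b["hours"]:
        reasons.append("unusual hour")
    return len(reasons), reasons


def should_alert(baseline: Dict[str, Dict[str, set]], event: Dict[str, str]) -> bool:
    score, _ = score_login(baseline, event)
    return score >= ALERT_THRESHOLD


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    # Constructed new login: known user, but unfamiliar network, client, and hour.
    suspicious = {"user": "alice", "ts": "2012-06-04T03:02:00", "src": "192.0.2.44", "ua": "curl/7.21"}
    print(score_login(base, suspicious), "alert:", should_alert(base, suspicious))
```

Scoring on several independent signals, rather than alerting on any single new IP, keeps the false-positive rate tolerable for ordinary travel or device changes while still catching a login that looks nothing like the user's history. In production the baseline would be rebuilt continuously from archived logs, which is why the logging and archival takeaway above matters for detection as much as for forensics.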