Wednesday, June 6, 2012

More than 6 million LinkedIn passwords stolen

Change your passwords! :)

(CNNMoney) -- Russian hackers released a giant list of passwords this week, and on Wednesday security researchers identified their likely source: business social networking site LinkedIn.
LinkedIn (LNKD) confirmed in a blog post late Wednesday afternoon that some of the stolen passwords correspond to LinkedIn accounts.

The company did not offer any information about how the passwords were stolen or the extent of the damage, but it said it is "continuing to investigate" the matter.
The 6.5 million leaked passwords were posted Monday on a Russian online forum, obscured with a common cryptographic hash function called SHA-1. It's a scheme that's considered weak for storing passwords if added precautions aren't taken. Roughly half of the "hashed" passwords have already been cracked and posted online in human-readable text.
Several security researchers tweeted Wednesday that they have found their passwords among those that were revealed. Web security firm Sophos said it matched many of its researchers' own passwords that are used exclusively on LinkedIn.

Countless passwords on the list contain the word "linkedin." On a popular hacker forum, many reported finding passwords such as "linkedout," "recruiter," "googlerecruiter," "toprecruiter," "superrecruiter," "humanresources" and "hiring."

There's good news and bad news about this break-in.
The good news is that so far, no user names have been discovered in the list. It's highly recommended that you change your password, but after that you should be okay.
The bad news is that LinkedIn was using an outdated form of cryptography to secure its users' private information. The company should have known better than to guard its lists with just SHA-1, experts say.

The problem with using SHA-1 on its own is that it turns the same text into the same hash every time. So if your password is "password" and your friend's password is also "password," they will be hashed exactly the same way. That makes recovering the original password from the hash significantly easier, because a hash computed once for a common password matches every account that uses it.
That's why security experts recommend that companies with giant lists of private data like LinkedIn add another security layer called "salt."
Salt adds another piece of information to the password before it is hashed. It could be a user name, first name, or even a random number -- the point is that it changes the hashed input enough that identical passwords no longer produce identical hashes, making them almost impossible to recover in bulk.

"Any organization using SHA-1 without salting user passwords is running a great risk -- much higher than they should," said Per Thorsheim, chief information security advisor at Norwegian IT services company EVRY. "We've seen this time and time again. This is not good practice. Salt should be a minimum."
In its blog post, LinkedIn said that it "recently" put in place enhanced security, "which includes hashing and salting of our current password databases."
A spokeswoman declined to comment on how "recently" that security was added.

The potentially worse news is that far more than 6.5 million users' passwords were likely stolen. Each hashed password on the hacked list is unique, according to those who have looked at the data. Since unsalted SHA-1 hashes all identical passwords the same way, it's very likely that multiple people among LinkedIn's 150 million users had the same password.
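As an added illustration (not part of the CNNMoney article), here is how the two points above play out in code: unsalted SHA-1 gives every user with the same password the same hash, so a dump of unique hashes undercounts affected users and one precomputed hash matches all of them, while a per-user random salt breaks that link. The account table is constructed sample data, not anything from the leak.

```python
import hashlib
import os

# Constructed sample account table (not real leaked data). "linkedin1" and
# "password" are each shared by two users, as common passwords were in the dump.
USERS = {
    "alice": "linkedin1",
    "bob": "password",
    "carol": "linkedin1",
    "dave": "recruiter",
    "erin": "password",
}

def sha1_unsalted(password: str) -> str:
    """Plain SHA-1 of the password: the scheme the article says LinkedIn used."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def sha1_salted(password: str, salt: bytes) -> str:
    """SHA-1 over a random per-user salt followed by the password."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()

def unsalted_table(users: dict) -> dict:
    """user -> hash with no salt, so equal passwords give equal hashes."""
    return {user: sha1_unsalted(pw) for user, pw in users.items()}

def salted_table(users: dict) -> dict:
    """user -> (salt, hash) with a fresh 16-byte random salt per user."""
    table = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        table[user] = (salt, sha1_salted(pw, salt))
    return table

def _hash_of(entry) -> str:
    return entry[1] if isinstance(entry, tuple) else entry

def distinct_hashes(table: dict) -> int:
    """Number of different hash values. Unsalted, repeated passwords collapse
    into one hash, which is why a dump of unique hashes undercounts users."""
    return len({_hash_of(v) for v in table.values()})

def users_with_precomputed_hash(table: dict, guess: str) -> list:
    """Hash one guess once and list accounts whose stored hash equals it.
    Unsalted: every user who chose it. Salted: nobody, the salt is missing."""
    h = sha1_unsalted(guess)
    return sorted(u for u, v in table.items() if _hash_of(v) == h)

def verify_salted(entry: tuple, candidate: str) -> bool:
    """Login check for a salted entry: recompute with the stored salt."""
    salt, stored = entry
    return sha1_salted(candidate, salt) == stored
```

Salting removes the identical-hash problem but leaves SHA-1 fast to compute; current guidance is a deliberately slow salted function such as PBKDF2, bcrypt, scrypt or Argon2 (hashlib.pbkdf2_hmac is the standard-library option).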
What's really bad is that we don't know the identity of the hackers or what they're capable of.

If they simply stole a bunch of passwords without any way to match them with user names, it's a wake-up call for LinkedIn but not much more. But the attack came from Russia, a country known for its expert and mischievous hackers. There could be more fallout. "If it's random idiots that have done this, the chances are slim that they could actually exploit this to the amount where it would actually hurt LinkedIn or you and me," Thorsheim said. "But if this is organized crime and these guys are serious, then the damage potential is very high."
The password hack is the second piece of bad security news to hit LinkedIn this week.

The company's mobile application was caught collecting data from users' calendars and sending it back to the company for analysis. The tool matches up information about the people users have scheduled with information from their LinkedIn profiles. LinkedIn responded in a blog post that it seeks permission first, but it pledged to be more transparent about the way it collects and analyzes its users' personal information.

Tuesday, June 5, 2012

Updated Resumes and Contact information Please!

Just a reminder: if you have updated your resume or contact information, please email me a copy of your current info so I have it on file. As always, I will never send or release your info to anyone without your prior consent! My best email is caburns@comporium.net, as I am phasing out the prolyn.net address. Both my office and cell telephone numbers remain the same. Thanks!! :)

9 Snap Judgments Managers Make in Job Interviews

Great article by Jeff Haden...enjoy! Hope everyone's having a great start to Summer! :)

One of my favorite Gladwellian Theories (Malcolm Gladwell is the king of cool theories) is thin-slicing: the ability to find patterns and make decisions based on the combination of a limited set of data and a wealth of experience. Call them hunches, call them snap decisions, but more often than not thin-slice judgments turn out to be accurate.

Like where hiring employees is concerned.

I've interviewed thousands of potential employees and hired hundreds of them. Over time I developed the ability to quickly size up a candidate, sometimes even within a minute or two, based on one or two actions or comments. My snap judgments were rarely wrong. (Although I didn't always avoid making one of the biggest hiring mistakes.)

I know what you're probably thinking: "But that is so unfair. You owed it to every candidate to wait until the interview was over to draw an overall conclusion. You can't make a hiring decision based on one or two minutes out of an hour-long interview."

Fair enough. But keep in mind most interviewers do the same thing. In fact, the more experienced the interviewer the more likely they are to make snap judgments. Fair or unfair, we're heavily influenced by first impressions or by what experience indicates are pivotal moments. If you're the job candidate you can either complain about the unfairness of it all and blow the interview, or accept that fact and use it to your advantage.

Here are some positive thin-slices:

The candidate immediately thanks me for the interview and says they're excited about the opportunity. I want you to be glad you're here. I want you to be excited about the job. If you're not thankful and excited now you definitely won't be thrilled after six months on the job. Plus an overt "let me see if this job is a good fit for me" interview can often be painful for the interviewer; even if over the course of the interview you realize you really want the job, you probably already lost us. Emotion -- positive emotion -- is good.

The candidate needs to make "truck payments." Years ago I was in charge of part-time employees at a manufacturing plant. Full-time employees were required to work heavy overtime but part-time employees were not, making coverage (and my job) difficult. When I asked a part-time candidate about their willingness to work overtime I loved the guys who said, "I'll work all the overtime I can get. I bought a new truck and the payments are killing me." Every job has a hot button requirement: Maybe it's frequent travel, maybe it's last-minute overtime, maybe it's a particular skill... a candidate who finds out the position's hot button and meets it is 90% home.

The candidate is late -- but doesn't tell me why. Say you're late for an interview. Don't tell me about traffic or bad directions or parking problems. Just say, "I'm sorry I'm late. If I've thrown off your day I will be glad to reschedule whenever it's convenient for you." Take ownership, don't make excuses, and offer ways to make things better. Nothing ever goes perfectly, and knowing you will take responsibility and work to fix problems is impressive.

The candidate asks for the job. Salespeople ask for the sale, and candidates should ask for the job. Just say, "Thanks for the interview. I really enjoyed speaking with you. And I would really love to work here." Why should I offer you something you're not willing to ask for?

And some negative thin-slices:

The candidate complains. Most people know not to complain about their present employer, but any complaint is a downer. Say you notice a photo of my family standing in front of the Colosseum. You say, "Wow, I've always wanted to go to Italy... I've just never been able to afford it." Even gentle whining is a bummer. Don't complain about anything, no matter how justified. Negatives always stand out.

The candidate isn't ready. Don't you hate when you're standing in line at the grocery store and the person in front of you waits until all their items have been scanned and bagged before they reach into their wallet for their checkbook? The same is true in an interview: Have your resume and everything else you need all set to go. Hit the ground running and immediately focus on the interviewer. "Work" is a verb. Make "interview" a verb too.

The candidate tries to take charge. Everyone likes a leader... just not in an interview. Feel free to subtly shape the interview and lead the conversation into areas that showcase your strengths, but don't try to take over. Employers need people who can lead and follow. Plus, be honest, you trying to take over is really irritating.

The candidate gets "comfortable." I want you to be relaxed and at ease during the interview, but I also want you to sit up, sit forward, and show the interview matters to you. Kicking back says you don't really care.

The candidate asks throw-away questions. Here's the golden rule: When asked if you have any questions, don't make a few up to try to impress me. If you have no questions, say so. Don't ask about something you could have easily learned on your own. Don't ask questions designed to make you look good. In short, don't ask what you think I want to hear. Interviewers can tell, and it ends the interview on a down note.