I find 'implicit trust' fascinating to observe, equally within business information security and within society. 'Implicit trust' can be defined as having no doubts or reservations, being unquestioning. For example, most people implicitly trust their doctor just because the doctor wears a white coat, exudes authority and has 'Dr' in front of their name. No one ever asks the doctor to validate their medical credentials. Perhaps we should.
Implicit trust can be lost and gained. A decade ago most people would implicitly trust bankers; having someone from the banking profession witness legal documents and sign passport applications was seen as having a highly thought of and credible witness within society. Not so these days, and we all know why.
The police are another profession with very interesting polarisations to observe: implicitly trusted by some and implicitly distrusted by others.
Then there is the paradox of politicians: nearly everyone distrusts politicians while at the same time trusting them to run the country.
In the world of information security, a business which implicitly trusts third parties with its information displays a hallmark of either complacency or a lack of the ability or expertise to properly vet and question. Trust must not be granted implicitly but must be earned, based on prior vetting and on building a trusted relationship through experience. Just because your cloud service provider wears the doctor's white coat of Amazon, Google or Microsoft does not mean they should be implicitly trusted with your business's information and critical IT services.
05 August 2012
04 August 2012
UK InfoSec Overview for July 2012
Microsoft patched two critical remote code execution vulnerabilities in Internet Explorer: http://technet.microsoft.com/en-us/security/bulletin/ms12-044
Yahoo investigating exposure of 400,000 passwords
Tesco has come under fire for emailing users passwords in plain text
Yahoo investigating exposure of 400,000 passwords
- Hacking group D33DS is said to be behind the attack.
- Hacking groups continue to target big business websites; this attack demonstrates that even hi-tech companies with a high focus on IT security can be vulnerable to major data thefts.
- Serious lapses in data protection and confidentiality procedures saw highly sensitive information lost, disclosed to the wrong people and even published on the internet.
- In one alarming case a client’s referral details were revealed on Facebook after a staff member dialled the wrong number and left a message on an answering machine. It was among almost 100 serious data breaches reported by the region’s five health trusts in recent years.
- 56,859 unique phishing sites were detected in February, while between 25,000 and 30,000 unique phishing email campaigns are detected each month.
- There have been a number of major data compromises due to phishing attacks, the most notable being the RSA data breach of last year.
- Despite a number of arrests, Anonymous remains very active
Tesco has come under fire for emailing users passwords in plain text
- Tesco received considerable negative publicity for not protecting its users’ passwords adequately and in line with best practice. Passwords must never be emailed in plain text!
03 August 2012
UK Data Protection Overview for July 2012
The ICO imposed a civil monetary penalty (CMP) of £150,000 on the consumer lender, Welcome Financial Services Limited (WFSL), after the loss of more than half a million customers’ details.
- WFSL’s Shopacheck business lost two backup tapes.
- The backup tapes contained the names, addresses, dates of birth, loan accounts and telephone numbers of approximately 510,000 of their customers in November 2011. The backup tapes also held personal information of 20,000 current and former employees of WFSL, and 8,000 agents. The backup tapes have not been recovered to date.
- The lost backup tapes were not encrypted.
- The ICO deemed WFSL to have broken the 7th principle of the Data Protection Act.
- Principle 7: Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss, destruction or damage to personal data.
- The ICO stated the data controller did not follow its own information security policies.
- Significant impact on reputation of the data controller (WFSL) as a result of this security breach which was publicised in national press.
- Two letters were sent to the recipient’s old address in May 2011; the address was incorrect and was a property where the recipient hadn’t lived for over 5 years.
- The ICO’s investigation found that the individual’s current address had been provided to the trust’s staff before the medical examination took place. Additionally the correct address had been logged on the national care records service, known as NHS SPINE, in June 2006. The mistake was made after the Trust’s staff failed to use the address supplied before the examination, or to check that the individual’s recorded address on their local patient database matched the data on the SPINE. The Trust had set up a prompt to remind staff about the need to check and update patient information against SPINE; however the Trust knew the prompt could be bypassed and failed to take action to address the problem until it was too late.
- The ICO deemed the NHS Trust to have broken the 7th principle of the Data Protection Act.
- Principle 7: Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss, destruction or damage to personal data. There can be significant reputational impact for a data controller as a result of these security breaches.
- Since August 2009, the council has required all taxis and private hire vehicles to install CCTV equipment to constantly record images and the conversations of both drivers and passengers.
- The ICO has ruled the council’s policy breaches the Data Protection Act, concluding that the recording of all conversations is disproportionate given the very low number of incidents occurring compared to the number of trouble free taxi journeys. An enforcement notice has been issued to the council who now have until 1 November to comply
“The ICO is clear that this information should never have been collected in the first place and the company’s failure to secure its deletion as promised is cause for concern”
02 August 2012
Burgas Airport Bombing, CCTV does not React
I passed through Burgas airport a couple of days before a suicide bomber killed 5 Israelis & 2 Bulgarians on 18th July 2012, and I then passed through the airport again a couple of weeks later. Burgas Airport is the smallest of passenger airports and is located on the Bulgarian Black Sea coast, and is used mainly in the summer by holiday makers, myself included.
On the entrance to terminal and within the airport, a Security Notice sign caught my eye and bothered me as I waited to check in.
It said "This Area is Protected by Video Surveillance". Now CCTV can act as a deterrent and is particularly useful for the purpose of recording events and working out the causes of incidents. But even with a team of operators vigilantly watching the CCTV screens in real time, I just don't see how this CCTV would "protect the area" I was entering, as within this crowded space everyone had large bags and many had hats and sunglasses concealing their identity as well. To assure myself I concluded the words on the sign had got lost in translation, as it is EU law to inform the public of the presence of CCTV cameras.
This is the reason the words on the sign were bothering me; below is a picture of the Burgas bombing suspect caught on the very same CCTV system, entering the very same area just a few days earlier. Clearly the CCTV neither protected the area nor acted as a deterrent.
01 August 2012
Burgas Airport Bombing Data Breach Parallel
I passed through Burgas airport a couple of days before a suicide bomber killed 5 Israelis & 2 Bulgarians on 18th July 2012, and I then passed through the airport again a couple of weeks later; in between, some friends of mine went through the airport just a few days after the incident. Burgas Airport is the smallest of passenger airports and is located on the Bulgarian Black Sea coast, and is used mainly in the summer by holiday makers, myself included.
A Side Point
Interestingly, on the way out from Manchester airport to Burgas, the Thomas Cook check-in crew were only focused on making money from excess baggage amounts and things like extra leg room seats; it was the first time I have not been asked at a check-in desk whether I packed my bags myself and whether my bags had been out of my sight. A sign of the tough financial times, as Thomas Cook had just posted a £26.5 Million quarterly loss, or security complacency, I thought.
Airport Security Theatre
It would be extremely irresponsible to point out airport security flaws, but needless to say the amount of additional 'Security Theatre' at Burgas airport post bombing was, as expected, considerable, but only for about 10 days. I didn't coin the phrase 'Security Theatre', but it's a very apt phrase for what several friends were subjected to at the airport, because the additional security hoops passengers were put through did nothing to lessen the threats to the aircraft. Further, these measures didn't do anything to make passengers feel safer; if anything they raised anxiety considerably. However, a few days later the additional security measures were all dropped and the airport returned to as it was prior to the bombing.
Data Breach Parallel
My main point here is that this is very much the same as when a business suffers a major data breach and receives public and media criticism. Often a knee-jerk response of security theatre is introduced which does nothing to combat the actual causes of the data breach, but makes good sound bites within media interviews. Then once the media focus dissipates, the business returns to as it was prior to the breach, including keeping the security complacency and not correcting the existing flaws which led to the breach in the first place.
27 July 2012
Olympic Games Breach Disclosure Window Opens
The London Olympic 2012 Games has finally arrived, and will dominate media headlines around the world for the next couple of weeks. This is a great time for sports fans, but also a great time for firms to disclose data breaches. Yes, I know I'm being really cynical but let's see what breach notifications occur during this festival of sport.
As I write this post Google have just announced they are in breach of a UK privacy agreement - http://www.bbc.co.uk/news/technology-19014206, admitting to having not deleted personal data gathered as part of their Street View surveys. This personal data should have been wiped over 18 months ago! But back to my main point with this post today: as with this awkward privacy announcement, the media coverage of it will be swiftly buried within the media's frenzy of Olympic headlines, which is why companies' PR teams choose specific dates to publicly announce their data breaches.
07 July 2012
How to Protect Your Gmail Account from Hackers
Hackers target online Email accounts for a reason: they know if they can 'own' a webmail account, they can access it from anywhere and at any time, to use it as a tool and to harvest information of value. Fraudsters will often rifle through compromised Email accounts looking for information which will grant them access to more lucrative web accounts. A quick search of pretty much any Email inbox reveals information about various online accounts used by the user, many of which are potential sources of fraudulent revenue for a hacker. Typically Emails containing information about e-commerce websites and online banking accounts will light up a hacker's eyes. In this post I'm going to explain typical techniques employed by online fraudsters, to highlight the vital importance of protecting your main Email account.
No Account Username, No Problem
As a security feature some website accounts don't use an Email address as a username, but invite account holders to create one instead. However, if the hacker has access to the Email account, more often than not there will be Emails containing the website account username. Furthermore, with most websites a username can be requested over Email, which goes straight into the compromised Email account.
Passwords Finding
With an active lucrative website account identified together with a username, which may well be the Email address of the victim, obtaining the password which goes with it is child's play when the hacker is in control of the victim's Email account. Some websites will Email existing account passwords in plain text to the user, therefore the password can be found within account's Emails, or it can be just a question of requesting the password to be re-sent from the website. It can even be much easier for the hacker if the victim has used the same password with all their different accounts, as knowing their email address and online username together with a commonly used password is enough to steal their entire online life.
Password Resetting
Websites which don't Email passwords are still easy to beat if you control the victim's Email account. Nearly all websites provide a facility to reset a password; most ask for basic personal knowledge questions and then send a confirmation link Email to the compromised Email account, which then allows a new password to be created by the hacker. Those security questions aren't much of a problem, as the answers can be found within the reams of Emails and by accessing the victim's social networking accounts. Personal details can also be obtained from other weakly protected online accounts. Upon accessing an account the hacker just reviews the account profile for the necessary personal information; sometimes website account profiles have the hacker bonus of listing security questions with the victim's answers, and the same typical security questions are asked for and used on most websites time and again.
Your Online Email Account is essential to Protect, as it is the keys to your online identity
Gmail's Added Security Protection
If you are a Gmail (GoogleMail) user, good news, there is something you can do to increase the security of your Gmail account. It is not common knowledge but Google offers a free two factor authentication service called 2-step verification for all Gmail users. 2-Step verification significantly improves the security and massively increases the protection of your Gmail account from being accessed by hackers.
How to Set up Gmail 2-Step Verification with your Gmail Account
Visit https://support.google.com/accounts/bin/answer.py?answer=185839&topic=1056283
How Does 2-Step Work? Why is it more Secure?
2-Step security works by requiring you to have your mobile phone (registered with Google) in your possession each time you type in a password. When Gmail webmail is accessed for the first time on a PC, and every 30 days thereafter, Google 2-step forces password entry and also requests a unique one-time verification code; at this point you will instantly receive a text message on your registered mobile phone with a one-time code to type in.
This means you cannot log into your Gmail account without having possession of your mobile phone, hence two-factor authentication. So even if a hacker obtains your Gmail account password, the hacker cannot log into your Gmail account unless he or she has your phone as well, or is attempting access from your local PC, where only the password is required for 30 days. These are not typical scenarios for the online criminal, who accesses webmail accounts from their own devices.
Great for Webmail, but what about Gmail through Outlook, or on my iPad and iPhone?
Devices such as PCs (Outlook), iPads, and smartphones which need to continuously access Gmail could be a problem with this system, but fear not, Google have thought of that. The 2-step system is able to create a unique and strong dedicated password for each device you have. Once each device's password has been initially entered, the system doesn't request a mobile phone authentication every 30 days like the webmail access. However, you can fully manage these devices and their passwords online, changing them as often as you would like, and you can even revoke the passwords instantly should your device be stolen. The main security advantage is that even if these unique device passwords become compromised, they can't be used to access your online Gmail account, they can't be used to change your Google settings, nor can they be used to change any passwords.
So if you are a Gmail user and care about your online Email account security, consider their 2-step verification.
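The login rules described above, and the compromised-mailbox scenario the earlier sections describe, modelled as an added example (hypothetical, not Google's code and not from the original post): a password alone is accepted only on a device remembered within the 30-day window, otherwise a single-use texted code is required, and application-specific passwords reach mail only and can be revoked. The class and method names, the five-minute code lifetime and the permitted action set are assumptions.

```python
import secrets
from typing import Optional

# The post's figure: a remembered PC is re-prompted for the phone code every 30 days.
TRUST_WINDOW_SECONDS = 30 * 24 * 3600
# Assumption (not stated in the post): a texted one-time code is only valid for a few minutes.
OTP_LIFETIME_SECONDS = 5 * 60
# Assumption: what an application-specific password is allowed to do (mail only).
APP_PASSWORD_ACTIONS = {"read_mail", "send_mail"}


def _same(a: str, b: str) -> bool:
    """Constant-time comparison so a guess cannot be timed against the stored value."""
    return secrets.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


class TwoStepAccount:
    """Model of the 2-step rules described in the post; hypothetical, not Google's code."""

    def __init__(self, password: str):
        self._password = password
        self._pending_otp = None        # (code, expiry time) while a text message is outstanding
        self._trusted_devices = {}      # device_id -> time until the phone step can be skipped
        self._app_passwords = {}        # label -> application-specific password

    # --- webmail path: password plus phone, remembered per device for 30 days ---
    def send_sms_code(self, now: float) -> str:
        """Issue the single-use code the post says arrives by text message."""
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._pending_otp = (code, now + OTP_LIFETIME_SECONDS)
        return code   # in reality delivered to the registered phone, not to the caller

    def webmail_login(self, password: str, device_id: str, now: float,
                      otp: Optional[str] = None) -> bool:
        if not _same(password, self._password):
            return False
        if self._trusted_devices.get(device_id, 0.0) > now:
            return True                 # remembered PC, still inside the 30-day window
        if self._pending_otp is None or otp is None:
            return False                # on an unknown device the password alone is not enough
        code, expiry = self._pending_otp
        self._pending_otp = None        # single use, whether or not the attempt succeeds
        if now > expiry or not _same(code, otp):
            return False
        self._trusted_devices[device_id] = now + TRUST_WINDOW_SECONDS
        return True

    # --- application-specific passwords for Outlook, iPad and iPhone ---
    def create_app_password(self, label: str) -> str:
        """A strong random password dedicated to one device; managed and revocable online."""
        app_pw = secrets.token_urlsafe(12)
        self._app_passwords[label] = app_pw
        return app_pw

    def revoke_app_password(self, label: str) -> None:
        """Instantly cut off a stolen device without touching the account password."""
        self._app_passwords.pop(label, None)

    def app_access(self, app_password: str, action: str) -> bool:
        """Device passwords fetch and send mail only; settings and password changes are refused."""
        known = any(_same(app_password, pw) for pw in self._app_passwords.values())
        return known and action in APP_PASSWORD_ACTIONS
```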
12 June 2012
Flame Culprit Fingered
Flame, also known as Flamer and Skywiper, is a highly sophisticated espionage-focused malware which targets and infects Microsoft Windows systems. Flame is known to spread over the network and by USB thumb drives, and this malware is centrally controlled by 'those' who created and released it onto the world, more on 'those' later. To say Flame is an extremely sophisticated piece of malware is no exaggeration: it can covertly grab screenshots, log all keyboard entry (think usernames, passwords), record Skype voice calls and even monitor network traffic, and all this information is sent covertly to "those" who created it. Those controlling Flame infections can even send specialised control commands, which include a "kill command" that makes the Flame malware stop running and delete itself, so covering up any evidence of it ever being present on the PC.
Flame is not the product of cyber criminals, it is way too sophisticated, and you only have to look at which area of the world is mostly infected with Flame, which just happens to be Middle Eastern countries. Cyber criminals tend to target online affluent first world countries like the USA and countries within Europe. You only need to look at the Zeus worm in comparison, which is a worm which targets online banking. There is a clear difference between cyber criminal created malware and state sponsored malware: both have different targets, and have different goals following the infection of their targets.
The Flame / Stuxnet Connection
I have to be a little careful how I word this as I don't want a holiday in Guantanamo, so according to this must read New York Times article (http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html?) and industry experts I have spoken with off the record, the United States' National Security Agency (NSA) and Israel's Unit 8200 are said to be responsible for creating and launching the Stuxnet worm against Iran's nuclear enrichment facilities. The US government are said to have dubbed their cyber warfare activity as Operation Olympic Games. Now given the great success of Stuxnet in impacting the Iranian Natanz nuclear plant, it was always going to be a matter of time before Stuxnet was followed up.
Kaspersky Labs who have recently analysed Flame, concluded there is a solid link with the development of Flame with Stuxnet (http://www.bbc.co.uk/news/technology-18393985):
"What we have found is very strong evidence that Stuxnet/Duqu and Flame cyber-weapons are connected"
"The new findings that reveal how the teams shared source code of at least one module in the early stages of development prove that the groups co-operated at least once."
"There is a link proven - it's not just copycats."
"We think that these teams are different, two different teams working with each other, helping each other at different stages."
The findings relate to the discovery of "Resource 207", a module found in early versions of the Stuxnet malware. It bears a "striking resemblance" to code used in Flame.
"The list includes the names of mutually exclusive objects, the algorithm used to decrypt strings, and the similar approaches to file naming"
So joining up all the dots, it is an obvious conclusion that the United States and/or Israel are responsible for creating, deploying and controlling Flame, and therefore are using Flame to harvest private information en masse.
I am not clear about the United Nations treaties and rules in relation to cyber warfare/espionage engagements against other nation states; I don't think anyone is, which could be the problem. But I'll leave you with some food for thought: the US government said it would respond to any state sponsored cyber attack made on it with military force.
“Congress affirms that the Department of Defense has the capability, and upon direction by the President may conduct offensive operations in cyberspace to defend our Nation, allies and interests." - http://www.fas.org/irp/congress/2011_cr/cyberwar.html
07 June 2012
LinkedIn Password Breach: Change Your Password Now
Yesterday we learnt that a hacker posted 6.5 Million LinkedIn passwords onto a Russian forum. These passwords were weakly protected (an unsalted SHA-1 hash, for the techies), which means the actual passwords can be recovered by the bad guys with very little technical ability.
Advice to LinkedIn Members
1. Change your LinkedIn Password Right Now
6.5 Million accounts may only be a portion of the total LinkedIn membership, and you may not consider your account as being affected because you have yet to receive a warning message from LinkedIn. However in my view it is highly likely the bad guys will have ALL the LinkedIn account details and passwords for all LinkedIn users. So assume your account login (Email) and password is known by the bad guys, given this it is essential to change your LinkedIn password as soon as possible.
2. If your LinkedIn password is the same password you use on any other websites, Change Those Passwords
Most people use the same password on different websites simply because it is difficult to remember lots of different passwords for each website. The hackers know this and so target more weakly protected websites like LinkedIn to obtain your username, email address and particularly your password. Then they try the same combinations to access better protected and more valuable websites (money making opportunities for them) such as online banking, Email, Facebook, PayPal, Ebay etc.
The Problem with Website Passwords
3. Assume all your LinkedIn Personal Details as Compromised
If the hackers can obtain the password field within the database, it is safe to assume they will have harvested all the other unprotected fields in the database as well, which unfortunately will include a full profile of your personal information. LinkedIn aren't the first website to neglect security and lose your personal information to hackers, and they won't be the last. So always be cautious of criminals trying to use your personal information against you; typically they try to make money from it. This can manifest as identity theft or as an elaborately personalised phishing Email, so always be suspicious and cautious of non-face-to-face (Email/Phone) communications, and check your financial transaction statements for signs of foul play on a regular basis.
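An added example, not from the original post, showing from the auditing side why the unsalted SHA-1 storage described above is so cheap to recover from, and what a per-user salt plus a slow hash changes: with no salt a wordlist is hashed once and every account is a single lookup, and users who share a password are visible at a glance; with salted PBKDF2 every (user, candidate) pair costs a full derivation and equal passwords are not linkable. The accounts, the wordlist and the iteration count are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample accounts (not real LinkedIn records); two users share a password.
ACCOUNTS = {
    "alice@example.com": "password123",
    "bob@example.com": "linkedin2012",
    "carol@example.com": "password123",
    "dave@example.com": "Tq9#vL2!mXz8wQpR",
}
# Constructed stand-in for the common-password lists attackers keep precomputed hashes for.
COMMON_PASSWORDS = ["123456", "password", "password123", "linkedin", "linkedin2012"]

# Assumption: an iteration count that is slow per guess but acceptable per login.
PBKDF2_ITERATIONS = 100_000


def sha1_unsalted(password: str) -> str:
    """The LinkedIn scheme from the post: one bare SHA-1 over the password, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def audit_unsalted(stored: dict, wordlist: list) -> dict:
    """Audit an unsalted SHA-1 dump against a wordlist.

    With no salt, each candidate password has exactly one hash, so the wordlist is hashed
    once and every stored hash is a single dictionary lookup, however many users there are.
    Returns {user: recovered_password}.
    """
    table = {sha1_unsalted(pw): pw for pw in wordlist}
    return {user: table[h] for user, h in stored.items() if h in table}


def shared_password_groups(stored: dict) -> list:
    """Unsalted storage also leaks who shares a password: equal passwords give equal hashes."""
    by_hash = {}
    for user, h in stored.items():
        by_hash.setdefault(h, []).append(user)
    return [sorted(users) for users in by_hash.values() if len(users) > 1]


def pbkdf2_store(password: str) -> str:
    """What should have been stored: a random per-user salt and a slow, iterated hash."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    """Re-derive with the stored salt and iteration count, then compare in constant time."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def audit_pbkdf2(stored: dict, wordlist: list):
    """The same audit against salted records: no shared table is possible, so every
    (user, candidate) pair costs a full PBKDF2 derivation. Returns (matches, kdf_calls)."""
    matches, kdf_calls = {}, 0
    for user, record in stored.items():
        for pw in wordlist:
            kdf_calls += 1
            if pbkdf2_verify(pw, record):
                matches[user] = pw
    return matches, kdf_calls
```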