  |
 |
|
Research and retrieval of news articles by: SPECIAL NOTE TO ALL VISITORS: | ||
 |
|
LINKEDIN PASSWORD BREACH: 9 FACTS KEY TO LAWSUITSource: Information WeekPosted on July 26, 2012 Did LinkedIn fail to follow "industry standard" information security practices? That's the charge leveled against the business-oriented social networking site in a class action lawsuit filed last month in U.S. District Court. Interestingly, the lawsuit doesn't reference any existing U.S. regulation or law that would have required LinkedIn to meet industry standards for security. Instead, the lawsuit points to LinkedIn's privacy policy, which promises users that "personal information you provide will be secured in accordance with industry standards and technology." Another part of that policy likewise promises to use "industry standard protocols and technology." With that in mind, here are nine facts related to LinkedIn and the question of "industry standard" security practices: 1. Breach Facts Remain ScarceHere's what's known about the breach: hashes for 6.5 million LinkedIn users' passwords were uploaded to a hacking forumearlier this month by a hacker who requested help with cracking the passwords. Interestingly, no easy passwords appeared to be part of the upload, and there were no duplicates, suggesting that the attacker had already cracked those and edited down the list of uploaded passwords. In light of those facts, Tal Be'ery, the Web security research team leader at Imperva's Application Defense Center, thinks that the number of breached accounts is at least 10 million. 2. Don't Expect Class Action Lawsuit To SucceedBut did LinkedIn's customers suffer damages due to the data breach? Furthermore, can consumers sue a private business based on its privacy policy--which is policed by the Federal Trade Commission--and questions of whether "industry standard" protocols were used? "I think it might be a difficult legal case," said Sean Sullivan, security advisor at F-Secure Labs. "In the court of public opinion? It's a different story." 3. Data Breaches Can Be Difficult To DetectAt this point, LinkedIn has yet to provide any details about how many accounts were affected, or how the attacker managed to grab a password database--or databases--containing information on millions of accounts. It appears that LinkedIn didn't know that it had been hacked until the passwords showed up on the password-cracking forum. That's led to charges that LinkedIn's security practices weren't sufficiently robust. For comparison's sake, however, FBI officials have said that in the course of cybercrime investigations, they often turn up evidence that businesses have been breached, but remained unaware of that breach until the bureau informed them. 4. "Standard" Security Approaches Are Often WeakOf course, what that suggests is that many businesses' standard approaches to information security involve poor standards. Oftentimes lacking are specific processes for avoiding and dealing with data breaches, although a recent study did find that businesses in the United States are getting better at handling breaches. 5. No Business Is 100% Breach-ProofEven with the most advanced security program, however, experts say that data breaches should always be treated as a "when, not if" proposition. "If an adversary wants to get into your network, they're going to do it--it doesn't matter how much technology you use. Eventually you're going to lose," said Jerry Johnson, CIO at Pacific Northwest National Laboratory, speaking via phone. Of course, the LinkedIn breach could also have been caused by a trusted insider, against which many security defenses simply wouldn't work. 6. Password Best Practice: SaltOf the information currently available about the LinkedIn security breach, one notable fact is that the business didn't salt its passwords. "Salting password hashes has been good practice for 20 years or more. LinkedIn wasn't salting its password hashes. As a result, in my opinion, LinkedIn failed to meet minimal standards that users would expect them to follow to secure their information," said Graham Cluley, senior technology consultant at Sophos, via email. "Of course, that doesn't mean that LinkedIn are the only ones who are failing to reach such a minimal standard. My expectation is that there are many other websites are out there making similar mistakes--but we just don't know about them," said Cluley. Notably, two password breaches that came to light the same week as the LinkedIn breach, involving eHarmony and Last.fm, likewise revealed that neither site had salted its passwords. 7. Security: Where To Find StandardsFailing to salt passwords suggests a more widespread lack of effective security practices, and there are a number of not just standard practices, but actual standards that all businesses should be pursuing. "In particular, the OWASP top 10 are commonly seen as industry standard, and referred to in other standards like PCI," said Johannes Ullrich, chief research officer at SANS Institute, via email. For example, here's what theOWASP top 10 section on "insecure cryptographic storage" has to say about passwords: "Ensure passwords are hashed with a strong standard algorithm and an appropriate salt is used." Ullrich also pointed to the common weakness enumeration (CWE) system, which is billed as a "community-developed dictionary of software weakness types," and which specifically calls out the use of a one-way hash without a salt as one of the top 25 most dangerous software errors. 8. Security Involves More Than HashingWhen it comes to LinkedIn, however, take the related password discussion with, yes, a grain of salt. "No salting is indeed a bad practice, but I think the whole hashing and salting discussion is missing the main point," said Imperva's Be'ery. "It's very natural to focus on it, as the only thing we know for a fact is that 6.5 million of LinkedIn's hashed passwords were leaked. It's like having a bank robbery that was discovered by finding the bills in circulation, and [having] the press discussing whether and how the bills should be marked, while the real question is: How was the bank robbed in the first place?" Or as F-Secure's Sullivan said, when it comes to LinkedIn, "I'd be curious to know how the internal production systems were secured." 9. LinkedIn: Security Facts Still OutstandingIn other words, a few password facts aside, very big questions about LinkedIn's security practices have yet to be publicly detailed. "Hashing and salting, much like bill marking, is a secondary measure of protection," Be'ery said. "The main protection is supposed to keep the bad guys away from the data or the money." "So the real question here is, how the data was breached," he said. "Did LinkedIn use 'industry standard protocols and technology' with respect to breach protection? Did they pen test their app? Did they use a Web application firewall? Did the hackers use some super new 'zero-day' attack, or did they use some very common Web application attacks such as SQL injection or remote file inclusion?" Until those questions get answered, expect discussions of LinkedIn's security to remain largely academic.
E-Commerce Alerts are issued by Bennett Gold LLP, Chartered Professional Accountants as situations develop. Bookmark this site and check back often. Our e-mail address is: info@BennettGold.ca In accordance with United States Code, Title 17, Section 107 and Article 10 of The Berne Convention on Literary and Artistic Works, the news clippings on this web site are made available without profit for research and educational purposes. |
|
ALERT  WebTrust Is Your Best Defense Against Privacy Breaches. Get WebTrust Working For Your Site. |