The seemingly never-ending stream of data breaches could make it easy to become rather numb to news of another. But the massive LinkedIn
You’d expect a publicly traded company with more than 160 million members, including executive managers at Fortune 500 businesses, to be diligent about security. But after the millions of LinkedIn passwords were posted to a Russian hacker forum, security experts were shaking their heads at the company’s lax efforts. The company quickly became the butt of jokes in the security community, and its reputation took a beating.
“It tends to be viewed as an organization that would give more resources, care and attention to security than others. That’s where they let the ball drop,” says Jennifer Jabbusch Minella, CISO and infrastructure security specialist at Cary, N.C.-based Carolina Advanced Digital. “Everyone held them to a little higher standard because of what they are, who their users are and how many users they have.”
LinkedIn had hashed the passwords, but failed to implement an additional layer of security by salting them – a common and widely accepted practice for storing passwords, Jabbusch Minella says. (After getting a lot of questions about hashes and salting, she posted a handy tutorial on her blog). In the wake of the password leak, LinkedIn said it had transitioned to a system of both hashing and salting passwords before news of the breach broke June 6; it’s unclear if the transition was prompted by the company seeing evidence of a breach or if it was coincidence. Apparently, though, the company still doesn’t have a CISO or a CIO; its security team is led by the head of LinkedIn’s technology center in India, who reports to the senior vice president of operations.
LinkedIn also didn’t score many points for its handling of the password theft. Vague wording in blog posts led to some head scratching – for example, as Jabbusch Minella points out, the company talked about reaching out to members it deemed to be at risk without defining what “at risk” meant. But she doesn’t necessarily fault the company for not providing a detailed explanation of the incident. Admittedly, it can be a fine line to walk – providing transparency while not jeopardizing the criminal investigation, as LinkedIn’s Vicente Silveira noted. (Still, CloudFlare, a supplier of website security and performance services, managed to provide refreshing candor when it was breached at about the same time; CEO Matthew Prince wrote detailed accounts of how a hacker broke into his company’s network and attacked one of its customers).
The LinkedIn password leak prompted a barrage of tips from security vendors on creating strong passwords, which is all well and good. Incredibly, some people use ridiculous passwords like “123456.” Plus, some people reuse passwords across multiple sites, another poor practice. But this reliance on passwords for online security has gotten old. Isn’t there something else that can be done?
Jabbusch Minella says password managers can help ease the process of creating and remembering complex passwords, but that increased use of two-factor authentication would improve security. Some banks are requiring it for certain transactions, she says.
Businesses also can do more to protect the user accounts they store. In fact, Josh Shaul, chief technology officer at Burlington, Mass.-based Application Security, told SearchSecurity.com’s Robert Westervelt that salting won’t prevent determined cybercriminals from cracking passwords protected by MD5 and SHA. Instead, companies need to add strong database protections such as proper security configurations, updated patches and database activity monitoring, to keep intruders out, he said.
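The point Jabbusch Minella and Shaul are making, shown in Python as an added illustration that is not part of the column: a dump of unsalted SHA-1 hashes falls to one precomputed table, per-user salts make that table useless, and a slow key-derivation function such as PBKDF2 makes every remaining guess expensive. The password list and "leaked" hashes below are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed list of weak passwords of the kind the column mentions ("123456").
COMMON_PASSWORDS = ["123456", "password", "linkedin", "qwerty", "letmein"]


def sha1_unsalted(password: str) -> str:
    """Storage scheme at issue in the breach: a single SHA-1 of the password, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup_table(candidates):
    """Precomputed table hash -> password. With no salt, one table built once
    applies to every account in a leaked dump, so cracking cost is a dict lookup."""
    return {sha1_unsalted(p): p for p in candidates}


def hash_with_salt(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256) stored with its own parameters."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def new_password_record(password: str) -> str:
    """Fresh random 16-byte salt per user, so equal passwords give unequal records."""
    return hash_with_salt(password, os.urandom(16))


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt/iterations; constant-time compare."""
    _algo, iters, salt_hex, _digest = record.split("$")
    candidate = hash_with_salt(password, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, record)


def demo():
    # Constructed "leak": two users who both chose 123456, one with a strong password.
    leaked = [sha1_unsalted("123456"), sha1_unsalted("123456"), sha1_unsalted("S3cure!Pw-2012")]
    duplicates_visible = leaked[0] == leaked[1]          # unsalted: equal hashes expose reuse
    recovered = [build_lookup_table(COMMON_PASSWORDS).get(h) for h in leaked]
    # Salted records for the same weak password differ, so no shared table applies.
    r1, r2 = new_password_record("123456"), new_password_record("123456")
    return duplicates_visible, recovered, r1 != r2, verify_password("123456", r1)


if __name__ == "__main__":
    print(demo())
```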
It’s anyone’s guess if the LinkedIn password leak will provide long-term lessons in security. As Jabbusch Minella says, security folks are really the ones up in arms about the breach; for most, it’s just another data leak. But we can always hope these kinds of incidents lead to data security improvements and fewer botch jobs – especially by those who make money by collecting our personal information.
About the author:
Marcia Savage is editor of Information Security magazine. Send comments on this column to firstname.lastname@example.org.
This was first published in June 2012