Rapid response to LinkedIn breach key, security experts say

The professional social networking site LinkedIn officially acknowledged late Wednesday afternoon that hackers had breached its system and obtained user names and hashed passwords.

Its task now, say security experts, is to protect its reputation with the kind of rapid mitigation and transparent, professional response that will be credible to its 160 million members.

LinkedIn Director Vicente Silveira, who acknowledged the breach in a blog post, did not confirm how many of about 6.5 million passwords posted on a Russian hacker forum belonged to members.

But he acknowledged that "some of the passwords that were compromised correspond to LinkedIn accounts," adding that members with compromised passwords "will notice that their LinkedIn account password is no longer valid."

"These members will also receive an email from LinkedIn with instructions on how to reset their passwords," he said. "There will not be any links in these emails. For security reasons, you should never change your password on any website by following a link in an email."

Torsten George, vice president of worldwide marketing and products for Agiliance, said the response so far amounts to a decent start -- much better than the Global Payments breach was handled. That company was evasive with the press: it claimed in April that it had discovered the breach in March and that fewer than 1.5 million card accounts were affected, but later reports put that number at 7 million or more, and Visa and MasterCard subsequently warned that the breach dated back at least to June 2011.

"I think they will do everything they can to report to their stakeholders and their community. I think right now they are just struggling with an overwhelming amount of data," George said.

The company clearly has some public relations damage control to do. As numerous reports have noted, LinkedIn used the Secure Hash Algorithm 1 (SHA-1) to protect users' passwords, without salting. That offers less protection than salted hashing, which security experts have recommended for some time that organizations use. "Salting" means combining each password with an additional random value, the salt, before hashing it, so that two users with the same password do not end up with the same stored hash and a precomputed table of hashes cannot be reused across accounts.
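The following is an added example, not code from the article or from LinkedIn, showing why the unsalted scheme described above is weak: every user with the same password gets the same SHA-1 hash, so a leaked table immediately reveals shared passwords. The salted variant and the `salt$hash` record format are constructed for illustration; SHA-1 is kept only to mirror the article, since a slow password hash such as PBKDF2 is what a practitioner would deploy today.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Iterable, Optional


def unsalted_sha1(password: str) -> str:
    """Plain SHA-1 of the password, the scheme the article says LinkedIn used."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def make_salted_record(password: str, salt: Optional[bytes] = None) -> str:
    """Hash the password together with a random per-user salt.

    Record format (constructed for this example): "<salt_hex>$<hash_hex>".
    The salt is stored in the clear; its job is uniqueness, not secrecy.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return f"{salt.hex()}${digest}"


def verify_salted(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, expected = record.split("$", 1)
    candidate = hashlib.sha1(bytes.fromhex(salt_hex) + password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate, expected)


def duplicate_hash_groups(stored_hashes: Iterable[str]) -> int:
    """Count groups of accounts whose stored hash is identical.

    In an unsalted dump every such group shares one password, so one lookup
    exposes them all. With per-user salts the count is effectively always 0,
    which is what a defender auditing a password store wants to see.
    """
    return sum(1 for n in Counter(stored_hashes).values() if n > 1)


if __name__ == "__main__":
    # Constructed sample: three accounts, two of them reusing the same password.
    passwords = ["linkedin", "linkedin", "correct horse"]
    print("unsalted duplicate groups:", duplicate_hash_groups(map(unsalted_sha1, passwords)))
    print("salted duplicate groups:  ", duplicate_hash_groups(map(make_salted_record, passwords)))
```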

Todd Thiemann, senior director, product marketing for Vormetric, said the failure to salt the password data, "is a best practice that was not done." He said he doesn't know of all the countermeasures LinkedIn may have in place, but this failure "makes me scratch my head. But, we're all fallible."

He said among the major questions the LinkedIn community will want answered are, "How did the bad guys get this information? And if they got that, what else did they get?"

Indeed, there is information on the site that could be much more damaging than an email address, such as job-search postings, resumes and other professional information.

And James Johnson, writing on The Inquisitor, said in recent days, "a report began circulating in which LinkedIn was violating its own user privacy policy by sending detailed calendar entries to its servers."

There is also bad news for users of Apple devices. Skycure Security expert Yair Amit wrote in a blog post that he and colleague Adi Sharabani found a feature of LinkedIn's mobile application "that allows users to view their iOS calendars within the app. However ... LinkedIn has decided to send detailed calendar entries of users to their servers."

[See Bill Brenner in his Salted Hash blog: LinkedIn confirms calendar flaw (includes raw findings) | Data breach or not, changing your LinkedIn password is a smart idea]

Those details include not only the names of participants but also "the subject, location, time of meeting and more importantly personal meeting notes, which tend to contain highly sensitive information such as conference call details and passcodes," Amit wrote.

He included information in his post on how to disable the feature, but users may consider it a breach of trust, and wonder what else LinkedIn is collecting and storing without their knowledge.

Thiemann noted that there would also be credit card or perhaps PayPal information on members who pay to upgrade their profile. "But I have little doubt that they have more best practices to secure data at that level," he said.

As usual, the experts are again saying this is another example of the danger of simple passwords, or of using the same password for multiple sites such as Gmail, Amazon, PayPal and other accounts. Thiemann said he heard one member had used "LinkedIn" as his password.

George said this should prompt LinkedIn to do what all entities with sensitive data should do. "The National Institute of Standards and Technology has issued guidance that you should no longer conduct your protection practices infrequently, just for compliance. You can't schedule attacks, like you can an audit. So start implementing a strategy that makes it possible continuously to scan your environment," Thiemann said.

That is difficult, he acknowledged, because of the vast amount of data involved. "You need to be able to aggregate it and prioritize it," he said. "Most organizations take 30 to 60 days to remediate something like this."

It is much easier for hackers, he noted, who have "motive, capability and all the time they need to try things out. There is much more pressure on the organization that gets attacked," Thiemann said.
