LinkedIn Fails Security Due Diligence

Thursday, June 07, 2012

Marc Quibell


Yet another mega money-making company has failed to protect its greatest resource: customer information.

Recent reports indicate that a database full of encrypted passwords of LinkedIn users was lifted from right under LinkedIn's noses.

LinkedIn verified and then apologized for the breach. Sorry, they said. Sorry for what? Was this an accident? Sorry for... having lax security? Sorry we failed you? No, they said they are sorry for the "inconvenience".

Yes, it is very inconvenient for the criminals in Russia to now have closer access to my work history, my friends' work history, contact information, private messages containing PII, and identity-theft information on thousands of connected users, myself included.

I DO feel a little better knowing that the usernames were not stored with the passwords; it is unknown, however, whether the two can be associated. So, really, we are all sitting around here hoping and guessing that they don't have enough information on us to log in... I can't help but feel even more vulnerable.

Aren't you a little tired of companies being sorry for the "inconveniences" they may have caused you? Especially if you've been a victim of identity theft: having to change cards, close accounts, deal with a bad credit score, etc. Getting your identity restored can take years! It takes a financial and mental toll.

One can assume that poor security practices led to the password database ending up in Russia. We can also say that best security practices were not applied to the protection of our passwords: LinkedIn did not "salt their hash", and therefore the passwords were much more vulnerable to simple brute-force attacks once the Russians got hold of them. Without a per-user salt, every user who chose the same password ends up with the same stored hash, so a single precomputed table of guesses can be checked against every account in the database at once.

Wouldn't salting the hash be considered reasonable security practice? I guess LinkedIn now thinks so, because as a result of this loss, they now salt their hashes.
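To make the salting point concrete, here is an added example that is not from the original post or from LinkedIn: it stores a handful of constructed accounts two ways and counts how many hash computations a short constructed wordlist costs against each table. It assumes plain SHA-1 as the unsalted "before" scheme and SHA-256 over a random 16-byte per-user salt as the "after" scheme.

```python
import hashlib
import os

# Constructed sample data for this demonstration (not data from the breach).
WORDLIST = ["123456", "password", "linkedin", "letmein", "qwerty"]
ACCOUNTS = {"alice": "password", "bob": "linkedin",
            "carol": "password", "dave": "Tr0ub4dor&3"}


def unsalted_hash(pw: str) -> str:
    # Assumed "before" scheme: plain SHA-1, so equal passwords give equal hashes.
    return hashlib.sha1(pw.encode()).hexdigest()


def salted_hash(pw: str, salt: bytes) -> str:
    # Assumed "after" scheme: a per-user random salt is mixed in; the salt is
    # stored beside the hash in the clear, so the database alone still verifies.
    return hashlib.sha256(salt + pw.encode()).hexdigest()


def build_leaks():
    """Return the same accounts stored both ways, as a leaked table would look."""
    unsalted = {u: unsalted_hash(pw) for u, pw in ACCOUNTS.items()}
    salted = {}
    for u, pw in ACCOUNTS.items():
        salt = os.urandom(16)
        salted[u] = (salt, salted_hash(pw, salt))
    return unsalted, salted


def guess_work_unsalted(leaked: dict) -> tuple:
    """Wordlist check against unsalted hashes: each word is hashed once and the
    resulting reverse lookup table covers every account in the leak."""
    table = {unsalted_hash(w): w for w in WORDLIST}      # len(WORDLIST) hash ops
    recovered = {u: table[h] for u, h in leaked.items() if h in table}
    return len(WORDLIST), recovered


def guess_work_salted(leaked: dict) -> tuple:
    """Same wordlist against salted hashes: no table can be shared between
    accounts, so each (account, word) pair costs its own hash computation."""
    ops, recovered = 0, {}
    for u, (salt, h) in leaked.items():
        for w in WORDLIST:
            ops += 1
            if salted_hash(w, salt) == h:
                recovered[u] = w
                break
    return ops, recovered
```

Running the two guess_work functions over build_leaks() shows 5 hash operations covering all three weak accounts in the unsalted table against 12 for the salted one, and the salted cost keeps growing with the number of accounts. A salt does not slow any single guess, which is why current practice pairs it with a deliberately slow password hashing function.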

Folks, that is called 'reactive security mitigation', and to me that means LinkedIn was negligent in its proactive diligence. You don't wait until you have an incident to review your information security and make changes. What this really says to me is that LinkedIn is not serious about securing our data.

The failure rate of these so-called 'stewards' of our information is very alarming, and IMHO it's time to hit them where it hurts - in their wallets. Time to punish companies that lose your data as a result of substantiated negligent security practices. Period.

Anyone who fails this duty and completely disregards the safety and security of our information needs to be held accountable. It's the only way to get these companies to take better care of our information.

I don't know if LinkedIn was truly negligent, but if I were LinkedIn, I'd offer more than an apology for an inconvenience; I'd start giving out some premium services or something worth... something!
