LinkedIn Failed to Meet Standards or Better Standards are Needed

Sunday, June 10, 2012

Jeffrey Carr


LinkedIn Either Failed To Meet Industry Standards Or Standards Need To Be Raised

In light of this breach of 6.5 million LinkedIn password hashes (mine was included in that group), I took a closer look at LinkedIn's "Security" section of its Privacy Policy:

"Personal information you provide will be secured in accordance with industry standards and technology (emphasis added). Since the internet is not a 100% secure environment, we cannot ensure or warrant the security of any information you transmit to LinkedIn. There is no guarantee that information may not be accessed, copied, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards."

The first question I had after reading this was: what is the "industry standard" that LinkedIn should be held to?

It didn't salt its password hashes, and it used a hashing algorithm (SHA1) that has been proven unreliable and which NIST discourages for certain applications.

In 2010, a German researcher demonstrated how he could crack a SHA1-hashed password of 6 characters in 49 minutes at a cost of $2.10 using Amazon's cloud service.
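The difference between the unsalted SHA-1 scheme described above and a salted, deliberately slow key-derivation function, as an added example that is not part of the original post. The account names, passwords and the PBKDF2 iteration count are constructed or assumed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample accounts; two of them share a password.
USERS = {"alice": "linkedin2012", "bob": "linkedin2012", "carol": "Tr0ub4dor&3"}

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune it to your hardware


def unsalted_sha1(password):
    """The weak scheme the post describes: one fast, unsalted SHA-1 pass."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None):
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_password(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def shared_hash_groups(stored):
    """Return groups of accounts whose stored values are identical."""
    groups = {}
    for user, value in stored.items():
        groups.setdefault(value, []).append(user)
    return [sorted(g) for g in groups.values() if len(g) > 1]


if __name__ == "__main__":
    weak = {u: unsalted_sha1(p) for u, p in USERS.items()}
    strong = {u: hash_password(p) for u, p in USERS.items()}
    # Without a salt, equal passwords collapse to one stored value.
    print("unsalted SHA-1, shared hashes:", shared_hash_groups(weak))
    # With a per-user salt, every stored value is unique.
    print("salted PBKDF2, shared hashes:", shared_hash_groups(strong))
```

Without a salt, every account using the same password exposes the same stored value, so one recovered hash applies to all of them; the salted, iterated form removes that sharing and raises the cost of each guess.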

LinkedIn apparently doesn't have a CSO or CISO, which, for a publicly traded company, communicates the message that security is not a priority.

Considering that they still don't know how this breach occurred and the minimal attention paid to password security, I can't help but wonder how secure the credit card information is which LinkedIn stores for its premium account holders.

I'm closing my LinkedIn account in protest of LinkedIn's poor handling of this breach.

I still haven't been notified by the company that my password was one of the 6.5 million stolen, and I hate the fact that security is so far down their priority list.

LinkedIn was a professional convenience but it's no longer worth the risk as far as I'm concerned. 
