Attacks/Breaches

6/26/2012
09:45 AM
50%
50%

LinkedIn Password Breach: 9 Facts Key To Lawsuit

LinkedIn's privacy policy promised users "industry standard protocols and technology," but a class action lawsuit claims LinkedIn failed to deliver. Take a closer look at the security issues.

Did LinkedIn fail to follow "industry standard" information security practices? That's the charge leveled against the business-oriented social networking site in a class action lawsuit filed last week in U.S. District Court.

Interestingly, the lawsuit doesn't reference any existing U.S. regulation or law that would have required LinkedIn to meet industry standards for security. Instead, the lawsuit points to LinkedIn's privacy policy, which promises users that "personal information you provide will be secured in accordance with industry standards and technology." Another part of that policy likewise promises to use "industry standard protocols and technology."

With that in mind, here are nine facts related to LinkedIn and the question of "industry standard" security practices:

1. Breach Facts Remain Scarce
Here's what's known about the breach: hashes for 6.5 million LinkedIn users' passwords were uploaded to a hacking forum earlier this month by a hacker who requested help with cracking the passwords. Interestingly, no easy passwords appeared to be part of the upload, and there were no duplicates, suggesting that the attacker had already cracked those and edited down the list of uploaded passwords.

In light of those facts, Tal Be'ery, the Web security research team leader at Imperva's Application Defense Center, thinks that the number of breached accounts is at least 10 million.

[ Are legislators' efforts to craft breach notification standards a waste of time? Read Senators Float National Data Breach Law, Take Four. ]

2. Don't Expect Class Action Lawsuit To Succeed
But did LinkedIn's customers suffer damages due to the data breach? Furthermore, can consumers sue a private business based on its privacy policy--which is policed by the Federal Trade Commission--and questions of whether "industry standard" protocols were used? "I think it might be a difficult legal case," said Sean Sullivan, security advisor at F-Secure Labs. "In the court of public opinion? It's a different story."

3. Data Breaches Can Be Difficult To Detect
At this point, LinkedIn has yet to provide any details about how many accounts were affected, or how the attacker managed to grab a password database--or databases--containing information on millions of accounts. It appears that LinkedIn didn't know that it had been hacked until the passwords showed up on the password-cracking forum. That's led to charges that LinkedIn's security practices weren't sufficiently robust. For comparison's sake, however, FBI officials have said that in the course of cybercrime investigations, they often turn up evidence that businesses have been breached, but remained unaware of that breach until the bureau informed them.

4. "Standard" Security Approaches Are Often Weak
Of course, what that suggests is that many businesses' standard approaches to information security involve poor standards. Oftentimes lacking are specific processes for avoiding and dealing with data breaches, although a recent study did find that businesses in the United States are getting better at handling breaches.

5. No Business Is 100% Breach-Proof
Even with the most advanced security program, however, experts say that data breaches should always be treated as a "when, not if" proposition. "If an adversary wants to get into your network, they're going to do it--it doesn't matter how much technology you use. Eventually you're going to lose," said Jerry Johnson, CIO at Pacific Northwest National Laboratory, speaking via phone. Of course, the LinkedIn breach could also have been caused by a trusted insider, against which many security defenses simply wouldn't work.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Number 6
50%
50%
Number 6,
User Rank: Apprentice
7/24/2012 | 4:08:57 PM
re: LinkedIn Password Breach: 9 Facts Key To Lawsuit
RE #8 and 9- Another question is what the bad guys can do once they have the passwords.

This is like the identify theft problem where a bad guy with a name, birthdate, and social security number can get a credit card. The focus has been on protecting those 3 pieces of data but NOT on how easily they can use the data to get a credit card.

Really secure sites check IP addresses and ask for additional verification if the logon is from a new location.
Mark532010
50%
50%
Mark532010,
User Rank: Moderator
6/28/2012 | 8:33:32 PM
re: LinkedIn Password Breach: 9 Facts Key To Lawsuit
It is still early in the process and I don't think LinkedIn has revealed many details yet but my guess is that they followed the classic management fallacy of too much "world class security" worries and too little worries about the mundane practical details that are the root cause of most breakins...Default passwords, unpatched servers, unwatched security consoles, unknown services running, elevated rights, unwatched file changes, etc. Its not sexy and the "World class experts" don't spend much time down there but that's where most of these problems are allowed to happen.
Want Your Daughter to Succeed in Cyber? Call Her John
John De Santis, CEO, HyTrust,  5/16/2018
Don't Roll the Dice When Prioritizing Vulnerability Fixes
Ericka Chickowski, Contributing Writer, Dark Reading,  5/15/2018
New Mexico Man Sentenced on DDoS, Gun Charges
Dark Reading Staff 5/18/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Security through obscurity"
Current Issue
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-2607
PUBLISHED: 2018-05-21
jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting vulnerability in console notes (SECURITY-382). Jenkins allows plugins to annotate build logs, adding new content or changing the presentation of existing content while the build is running. Malicious Jenkins users...
CVE-2018-1108
PUBLISHED: 2018-05-21
kernel drivers before version 4.17-rc1 are vulnerable to a weakness in the Linux kernel's implementation of random seed data. Programs, early in the boot sequence, could use the data allocated for the seed before it was sufficiently generated.
CVE-2018-11330
PUBLISHED: 2018-05-21
An issue was discovered in Pluck before 4.7.6. There is authenticated stored XSS because the character set for filenames is not properly restricted.
CVE-2018-11331
PUBLISHED: 2018-05-21
An issue was discovered in Pluck before 4.7.6. Remote PHP code execution is possible because the set of disallowed filetypes for uploads in missing some applicable ones such as .phtml and .htaccess.
CVE-2018-7687
PUBLISHED: 2018-05-21
The Micro Focus Client for OES before version 2 SP4 IR8a has a vulnerability that could allow a local attacker to elevate privileges via a buffer overflow in ncfsd.sys.