Attacks/Breaches
6/26/2012
09:45 AM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

LinkedIn Password Breach: 9 Facts Key To Lawsuit

LinkedIn's privacy policy promised users "industry standard protocols and technology," but a class action lawsuit claims LinkedIn failed to deliver. Take a closer look at the security issues.

Did LinkedIn fail to follow "industry standard" information security practices? That's the charge leveled against the business-oriented social networking site in a class action lawsuit filed last week in U.S. District Court.

Interestingly, the lawsuit doesn't reference any existing U.S. regulation or law that would have required LinkedIn to meet industry standards for security. Instead, the lawsuit points to LinkedIn's privacy policy, which promises users that "personal information you provide will be secured in accordance with industry standards and technology." Another part of that policy likewise promises to use "industry standard protocols and technology."

With that in mind, here are nine facts related to LinkedIn and the question of "industry standard" security practices:

1. Breach Facts Remain Scarce
Here's what's known about the breach: hashes for 6.5 million LinkedIn users' passwords were uploaded to a hacking forum earlier this month by a hacker who requested help with cracking the passwords. Interestingly, no easy passwords appeared to be part of the upload, and there were no duplicates, suggesting that the attacker had already cracked those and edited down the list of uploaded passwords.

In light of those facts, Tal Be'ery, the Web security research team leader at Imperva's Application Defense Center, thinks that the number of breached accounts is at least 10 million.

[ Are legislators' efforts to craft breach notification standards a waste of time? Read Senators Float National Data Breach Law, Take Four. ]

2. Don't Expect Class Action Lawsuit To Succeed
But did LinkedIn's customers suffer damages due to the data breach? Furthermore, can consumers sue a private business based on its privacy policy--which is policed by the Federal Trade Commission--and questions of whether "industry standard" protocols were used? "I think it might be a difficult legal case," said Sean Sullivan, security advisor at F-Secure Labs. "In the court of public opinion? It's a different story."

3. Data Breaches Can Be Difficult To Detect
At this point, LinkedIn has yet to provide any details about how many accounts were affected, or how the attacker managed to grab a password database--or databases--containing information on millions of accounts. It appears that LinkedIn didn't know that it had been hacked until the passwords showed up on the password-cracking forum. That's led to charges that LinkedIn's security practices weren't sufficiently robust. For comparison's sake, however, FBI officials have said that in the course of cybercrime investigations, they often turn up evidence that businesses have been breached, but remained unaware of that breach until the bureau informed them.

4. "Standard" Security Approaches Are Often Weak
Of course, what that suggests is that many businesses' standard approaches to information security involve poor standards. Oftentimes lacking are specific processes for avoiding and dealing with data breaches, although a recent study did find that businesses in the United States are getting better at handling breaches.

5. No Business Is 100% Breach-Proof
Even with the most advanced security program, however, experts say that data breaches should always be treated as a "when, not if" proposition. "If an adversary wants to get into your network, they're going to do it--it doesn't matter how much technology you use. Eventually you're going to lose," said Jerry Johnson, CIO at Pacific Northwest National Laboratory, speaking via phone. Of course, the LinkedIn breach could also have been caused by a trusted insider, against which many security defenses simply wouldn't work.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Number 6
50%
50%
Number 6,
User Rank: Apprentice
7/24/2012 | 4:08:57 PM
re: LinkedIn Password Breach: 9 Facts Key To Lawsuit
RE #8 and 9- Another question is what the bad guys can do once they have the passwords.

This is like the identify theft problem where a bad guy with a name, birthdate, and social security number can get a credit card. The focus has been on protecting those 3 pieces of data but NOT on how easily they can use the data to get a credit card.

Really secure sites check IP addresses and ask for additional verification if the logon is from a new location.
Mark532010
50%
50%
Mark532010,
User Rank: Apprentice
6/28/2012 | 8:33:32 PM
re: LinkedIn Password Breach: 9 Facts Key To Lawsuit
It is still early in the process and I don't think LinkedIn has revealed many details yet but my guess is that they followed the classic management fallacy of too much "world class security" worries and too little worries about the mundane practical details that are the root cause of most breakins...Default passwords, unpatched servers, unwatched security consoles, unknown services running, elevated rights, unwatched file changes, etc. Its not sexy and the "World class experts" don't spend much time down there but that's where most of these problems are allowed to happen.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-5704
Published: 2014-04-15
The mod_headers module in the Apache HTTP Server 2.2.22 allows remote attackers to bypass "RequestHeader unset" directives by placing a header in the trailer portion of data sent with chunked transfer coding. NOTE: the vendor states "this is not a security issue in httpd as such."

CVE-2013-5705
Published: 2014-04-15
apache2/modsecurity.c in ModSecurity before 2.7.6 allows remote attackers to bypass rules by using chunked transfer coding with a capitalized Chunked value in the Transfer-Encoding HTTP header.

CVE-2014-0341
Published: 2014-04-15
Multiple cross-site scripting (XSS) vulnerabilities in PivotX before 2.3.9 allow remote authenticated users to inject arbitrary web script or HTML via the title field to (1) templates_internal/pages.tpl, (2) templates_internal/home.tpl, or (3) templates_internal/entries.tpl; (4) an event field to ob...

CVE-2014-0342
Published: 2014-04-15
Multiple unrestricted file upload vulnerabilities in fileupload.php in PivotX before 2.3.9 allow remote authenticated users to execute arbitrary PHP code by uploading a file with a (1) .php or (2) .php# extension, and then accessing it via unspecified vectors.

CVE-2014-0348
Published: 2014-04-15
The Artiva Agency Single Sign-On (SSO) implementation in Artiva Workstation 1.3.x before 1.3.9, Artiva Rm 3.1 MR7, Artiva Healthcare 5.2 MR5, and Artiva Architect 3.2 MR5, when the domain-name option is enabled, allows remote attackers to login to arbitrary domain accounts by using the corresponding...

Best of the Web