09:45 AM

LinkedIn Password Breach: 9 Facts Key To Lawsuit

LinkedIn's privacy policy promised users "industry standard protocols and technology," but a class action lawsuit claims LinkedIn failed to deliver. Take a closer look at the security issues.

Did LinkedIn fail to follow "industry standard" information security practices? That's the charge leveled against the business-oriented social networking site in a class action lawsuit filed last week in U.S. District Court.

Interestingly, the lawsuit doesn't reference any existing U.S. regulation or law that would have required LinkedIn to meet industry standards for security. Instead, the lawsuit points to LinkedIn's privacy policy, which promises users that "personal information you provide will be secured in accordance with industry standards and technology." Another part of that policy likewise promises to use "industry standard protocols and technology."

With that in mind, here are nine facts related to LinkedIn and the question of "industry standard" security practices:

1. Breach Facts Remain Scarce
Here's what's known about the breach: hashes for 6.5 million LinkedIn users' passwords were uploaded to a hacking forum earlier this month by a hacker who requested help with cracking the passwords. Interestingly, no easy passwords appeared to be part of the upload, and there were no duplicates, suggesting that the attacker had already cracked those and edited down the list of uploaded passwords.

In light of those facts, Tal Be'ery, the Web security research team leader at Imperva's Application Defense Center, thinks that the number of breached accounts is at least 10 million.

[ Are legislators' efforts to craft breach notification standards a waste of time? Read Senators Float National Data Breach Law, Take Four. ]

2. Don't Expect Class Action Lawsuit To Succeed
But did LinkedIn's customers suffer damages due to the data breach? Furthermore, can consumers sue a private business based on its privacy policy--which is policed by the Federal Trade Commission--and questions of whether "industry standard" protocols were used? "I think it might be a difficult legal case," said Sean Sullivan, security advisor at F-Secure Labs. "In the court of public opinion? It's a different story."

3. Data Breaches Can Be Difficult To Detect
At this point, LinkedIn has yet to provide any details about how many accounts were affected, or how the attacker managed to grab a password database--or databases--containing information on millions of accounts. It appears that LinkedIn didn't know that it had been hacked until the passwords showed up on the password-cracking forum. That's led to charges that LinkedIn's security practices weren't sufficiently robust. For comparison's sake, however, FBI officials have said that in the course of cybercrime investigations, they often turn up evidence that businesses have been breached, but remained unaware of that breach until the bureau informed them.

4. "Standard" Security Approaches Are Often Weak
Of course, what that suggests is that many businesses' standard approaches to information security involve poor standards. Oftentimes lacking are specific processes for avoiding and dealing with data breaches, although a recent study did find that businesses in the United States are getting better at handling breaches.

5. No Business Is 100% Breach-Proof
Even with the most advanced security program, however, experts say that data breaches should always be treated as a "when, not if" proposition. "If an adversary wants to get into your network, they're going to do it--it doesn't matter how much technology you use. Eventually you're going to lose," said Jerry Johnson, CIO at Pacific Northwest National Laboratory, speaking via phone. Of course, the LinkedIn breach could also have been caused by a trusted insider, against which many security defenses simply wouldn't work.

1 of 2
Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
User Rank: Moderator
6/28/2012 | 8:33:32 PM
re: LinkedIn Password Breach: 9 Facts Key To Lawsuit
It is still early in the process and I don't think LinkedIn has revealed many details yet but my guess is that they followed the classic management fallacy of too much "world class security" worries and too little worries about the mundane practical details that are the root cause of most breakins...Default passwords, unpatched servers, unwatched security consoles, unknown services running, elevated rights, unwatched file changes, etc. Its not sexy and the "World class experts" don't spend much time down there but that's where most of these problems are allowed to happen.
Number 6
Number 6,
User Rank: Apprentice
7/24/2012 | 4:08:57 PM
re: LinkedIn Password Breach: 9 Facts Key To Lawsuit
RE #8 and 9- Another question is what the bad guys can do once they have the passwords.

This is like the identify theft problem where a bad guy with a name, birthdate, and social security number can get a credit card. The focus has been on protecting those 3 pieces of data but NOT on how easily they can use the data to get a credit card.

Really secure sites check IP addresses and ask for additional verification if the logon is from a new location.
Register for Dark Reading Newsletters
White Papers
Current Issue
E-Commerce Security: What Every Enterprise Needs to Know
The mainstream use of EMV smartcards in the US has experts predicting an increase in online fraud. Organizations will need to look at new tools and processes for building better breach detection and response capabilities.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio