LinkedIn made 'basic mistakes', claim security companies

By Peter Gothard
09 Jun 2012

The apology was issued, but the blame game has just begun. "We want to reiterate that we sincerely apologize for the inconvenience [the theft of user passwords] has caused our members," read LinkedIn director Vicente Silveira's blog on Thursday night, referencing Wednesday's much-publicised hack.

The publication of millions of hacked passwords on a cracking forum last week was part of a spate of social media attacks, with Last.fm and eHarmony also being targeted for their users' password data.

"To the best of our knowledge, no email logins associated with the passwords have been published, nor have we received any verified reports of unauthorised access to any member's account as a result of this event," added Silveira.

However, the security community does not agree that the claimed lack of (verified) unauthorised access was a matter of good fortune. The important issue was poor judgement and lax security on the part of LinkedIn, and others, in allowing users' data to be lifted so easily.

LinkedIn has responded to the attack by 'salting' its passwords on top of the hashing it was already doing, to make the stored hashes harder to crack. But the security industry is homing in on some of the security procedures used by LinkedIn and other internet companies.

Kevin Donovan, vice president of corporate business development at security company VASCO, told Computing: "The big issue with this is, it's not going away. If you look at the history of banking or gaming, for a long time they used static usernames and passwords. At the moment in time when the application and the value reaches critical mass, fraud starts to creep in."

Donovan said that simply changing passwords and adding extra security features, such as salting, is not the long-term solution. "'Username and password' is really the weakest link in the chain," he said.

"[LinkedIn] chose a very unsafe way of doing it," Chris Eng, vice president of research at Veracode, told Computing. "It's a very, very basic mistake in terms of password storage – just using a straight hash – because it's so easy just to brute-force those. And it's something that is not new, and that people have been recommending that you don't do for years."

"Others could be doing just a plain hash, like LinkedIn and eHarmony did, which, honestly, I think is still going to be very common, because a lot of developers just don't understand the attack vector," he added.
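The contrast Eng draws, a 'straight hash' versus the salted hashing LinkedIn moved to after the breach, is easier to see in code than in prose. The example below is added here and is not LinkedIn's code or anything from the article; the page says only that a plain hash was used, so SHA-1 is assumed as the illustrative fast hash, PBKDF2-HMAC-SHA256 is the assumed hardened scheme, and the wordlist and passwords are constructed. It shows why an unsalted fast hash lets one precomputed table be matched against every leaked digest, and why a random per-user salt with a slow key-derivation function removes that shortcut.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed wordlist standing in for the dictionaries that get run against
# leaked digests. Assumption for illustration only.
COMMON_WORDS = ["password", "linkedin", "123456", "letmein", "qwerty"]


# --- Weak scheme: unsalted, fast hash (assumed SHA-1 for illustration) ---

def plain_sha1(password: str) -> str:
    """Same password always yields the same digest, for every user and every site."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def precomputed_table(words) -> Dict[str, str]:
    """Digest -> word table computed once. Because nothing per-user goes into the
    hash, this one table can be reused against an entire leaked password file."""
    return {plain_sha1(w): w for w in words}


def lookup_plain(stored_digest: str, table: Dict[str, str]) -> Optional[str]:
    """Match a stored unsalted digest against the precomputed table."""
    return table.get(stored_digest)


# --- Hardened scheme: random per-user salt + slow key derivation (assumed PBKDF2) ---

PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune to the deployment's CPU budget


def store_salted(password: str, iterations: int = PBKDF2_ITERATIONS) -> Tuple[bytes, bytes]:
    """Return (salt, digest). The salt is random per record and stored alongside
    the digest; it is not secret, it just makes every record a separate target."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_salted(password: str, salt: bytes, stored: bytes,
                  iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, stored)


def salted_records_differ(password: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Two users with the same password get different stored digests once salted,
    so a hit on one record says nothing about the other."""
    _, d1 = store_salted(password, iterations)
    _, d2 = store_salted(password, iterations)
    return d1 != d2


if __name__ == "__main__":
    table = precomputed_table(COMMON_WORDS)
    # Constructed "leaked" unsalted digests for two users who chose the same password.
    leaked = {"alice": plain_sha1("linkedin"), "bob": plain_sha1("linkedin")}
    for user, digest in leaked.items():
        print(f"unsalted  {user}: {digest} -> {lookup_plain(digest, table)}")

    salt, digest = store_salted("linkedin")
    print(f"salted    alice: salt={salt.hex()} digest={digest.hex()[:16]}...")
    print("table hit on salted digest:", lookup_plain(digest.hex(), table))  # None
    print("verify correct password:", verify_salted("linkedin", salt, digest))  # True
    print("verify wrong password:  ", verify_salted("LinkedIn", salt, digest))  # False
    print("same password, different records:", salted_records_differ("linkedin"))  # True
```

The point of the salt is not secrecy but uniqueness: with it, a precomputed table built for one site or one user cannot be replayed against any other record, and the iteration count makes each individual guess cost something. The verifier compares with `hmac.compare_digest` rather than `==` so that the comparison time does not leak how many leading bytes matched.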

"Good practice is finding a balancing point between security, user acceptance and cost," added Donovan. "So I don't think there's one specific solution; it's really a balance between those three."

Donovan and VASCO's focus in terms of this balance is in the hardware space, as the company explores personal hardware devices, including smartphones, that use PIN codes to generate one-time passwords, like a SecurID tag.

"Most users have a mobile phone with them already, so it's cost effective, as well as more secure than the 'static' options out there already."

Donovan believes that the future of online security lies in taking such 'banking-level security' into the consumer sector, citing Intel's Identity Capable Platform technology as another major feature that's leading the way.

"You're starting to see the infrastructure players getting involved with starting to solve this problem. I think IPC is a good example of this," said Donovan.

But Eng disagrees. "I think we've got a long way to go before we reach that point," he said. "Certainly, more sensitive sites use two-factor authentication – something like a password in combination with an RSA SecurID token."

"But that's really only being used for the most sensitive websites," Eng continued. "We're not going to see that – certainly not a hardware token – for sites like LinkedIn."

Eng described what's being protected on LinkedIn as being "not quite as important as some of the other things".

He asked: "Is it worth the cost and maintenance expense to protect the information behind there? I don't see us ever reaching a state where we're using multifactor authentication for every website."

Marc Lee, EMEA sales director at Courion, believes that LinkedIn's failings highlight the importance of leveraging identity and access intelligence to determine exactly who has access to what resources within a business, and how the access is being used.

"High-profile online brands need better and faster early-warning systems when access to sensitive data needs to be shared in open environments and could be at risk," said Lee.

"Whether the theft was committed by an external hacker or an internal person with legitimate access, having the real-time intelligence to know that the data may have been accessed inappropriately could have helped prevent or minimise the impact of this incident."

Whatever the style of solution, the industry is unanimous that widespread security conventions need to be improved to match increasingly sophisticated threats.

"Until you see a significant change, I think these things won't be too uncommon or shocking," said Donovan.
