Rapid response to LinkedIn breach key, security experts say

The professional social networking site LinkedIn officially acknowledged late Wednesday afternoon that hackers had breached its system and obtained user names and hashed passwords.

Its task now, say security experts, is to protect its reputation with the kind of rapid mitigation and transparent, professional response that will be credible to its 160 million members.

LinkedIn Director Vicente Silveira, who acknowledged the breach in a blog post, did not confirm how many of about 6.5 million passwords posted on a Russian hacker forum belonged to members.

But, he acknowledged that “some of the passwords that were compromised correspond to LinkedIn accounts,” adding that members with compromised passwords, “will notice that their LinkedIn account password is no longer valid.”

“These members will also receive an email from LinkedIn with instructions on how to reset their passwords,” he said. “There will not be any links in these emails. For security reasons, you should never change your password on any website by following a link in an email.”

Torsten George, vice president of worldwide marketing and products for Agiliance, said the response so far amounts to a decent start — much better than the breach of Global Payments was handled. The company was evasive with the press, claimed in April that it had discovered the breach in March and that it affected fewer than 1.5 million card accounts, but later reports put that number at 7 million or more, and Visa and MasterCard sent out later warnings that the breach dates back at least to June 2011.

“I think they will do everything they can to report to their stakeholders and their community. I think right now they are just struggling with an overwhelming amount of data,” George said.

The company clearly has some public relations damage control to do. As numerous reports have noted, LinkedIn has used the Secure Hashing Algorithm-1 (SHA-1) format to protect users’ passwords. But that offers less protection than a technique called salted hashing, which security experts have recommended for some time that organizations use. “Salting” the hashes involves merging the hashed password with another combination and then hashing for a second time.

Todd Thiemann, senior director, product marketing for Vormetric, said the failure to salt the password data, “is a best practice that was not done.” He said he doesn’t know of all the countermeasures LinkedIn may have in place, but this failure “makes me scratch my head. But, we’re all fallible.”

He said among the major questions the LinkedIn community will want answered are, “How did the bad guys get this information? And if they got that, what else did they get?”

Indeed, there is information on the site that could be much more damaging than an email address, such as job-search postings, resumes and other professional information.

And James Johnson, writing on The Inquisitor, said in recent days, “a report began circulating in which LinkedIn was violating its own user privacy policy by sending detailed calendar entries to its servers.”

There is also bad news for users of Apple devices. Skycure Security expert Yair Amit wrote in a blog post that he and colleague Adi Sharabani, found a feature of LinkedIn’s mobile application, “that allows users to view their iOS calendars within the app. However … LinkedIn has decided to send detailed calendar entries of users to their servers.”

[See Bill Brenner in his Salted Hash blog: LinkedIn confirms calendar flaw (includes raw findings) | Data breach or not, changing your LinkedIn password is a smart idea]

Those details include not only the names of participants but also “the subject, location, time of meeting and more importantly personal meeting notes, which tend to contain highly sensitive information such as conference call details and passcodes,” Amit wrote.

He included information in his post on how to disable the feature, but users may consider it a breach of trust, and wonder what else LinkedIn is collecting and storing without their knowledge.

Thiemann noted that there would also be credit card or perhaps PayPal information on members who pay to upgrade their profile. “But I have little doubt that they have more best practices to secure data at that level,” he said.

As usual, the experts again are saying this is another example of the danger of simple passwords, or using the same password for multiple sites such as Gmail, Amazon, PayPal and other accounts. Theimann said he heard one member had used LinkedIn as his password.

George said this should prompt LinkedIn to do what all entities with sensitive data should do. “The National Institute of Standards and Technology has issued guidance that you should no longer conduct your protection practices infrequently, just for compliance. You can’t schedule attacks, like you can an audit. So start implementing a strategy that makes it possible continuously to scan your environment,” he said.

That is difficult, he acknowledged, because of the vast amount of data involved. “You need to be able to aggregate it and prioritize it,” he said. “Most organizations take 30 to 60 days to remediate something like this.”

It is much easier for hackers, he noted, who have “motive, capability and all the time they need to try things out. There is much more pressure on the organization that gets attacked,” George said.