Cory Scott, LinkedIn's CIO, announced on Wednesday in a blog post titled “Protecting Our Members” that LinkedIn, “had [become] aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members.”
As he points out in the blog post title, and as originally announced when the breach actually happened back in 2012, the company was, and is, doing everything in its power to protect its users. The company invalidated all affected users' passwords, asked them to change them and encouraged the use of two-factor authentication.
Robert Simmons, director of research innovation at ThreatConnect, spoke with SCMagazineUK.com and agreed that, “LinkedIn has implemented two factor authentication and does a pretty good job of promoting it.”
Likewise Satnam Narang, senior security response manager for Norton by Symantec, agreed, “LinkedIn users should consider turning on two-step verification, a true 'security update' that provides an extra layer of security.”
The missing parts of the puzzle
However, this is only part of the picture. No explanation had been offered as to why LinkedIn had not invalidated the passwords in the newly discovered set: the original breach in 2012 affected approximately 6.5 million members, whereas much higher numbers are now circulating on the web, as many as 117 million, 165 million or more, depending on who you ask.
Ilia Kolochenko, CEO of High-Tech Bridge, told SC, “LinkedIn at this point are most likely analysing the data to try and figure out what had happened. As the data has been put up for sale a full four years after being stolen, it could indicate the dataset contains a lot of fake entries. Criminals do this to boost up the publicity behind the breach and earn more money from it. It goes without saying that 100-plus million carries a lot more prestige than 6.5 million.”
Nor had LinkedIn offered much by way of explanation as to why it had chosen a password-storage method that crypto-boffins agree is relatively easy to crack.
Simmons continued: “There are certainly better ways that companies everywhere can be storing and securing user passwords such as SHA256 or SHA512 with a salt, in addition to offering users two-factor authentication options.”
Kevin McKeough, product manager at Thales e-Security, added, “‘Salting' adds an additional layer of security by hashing the password with some additional random data to ensure the hash is unique and harder to crack. Unfortunately, LinkedIn didn't employ this technique.”
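The following is an added illustration of the point McKeough and Simmons make, not code from the article or from LinkedIn. It stores the same constructed set of user passwords twice: once as a bare SHA-256 hash (the unsalted pattern criticised above) and once with a per-user random salt, using PBKDF2-HMAC-SHA256 as the iterated form of "SHA256 with a salt". The `shared_hash_groups` check shows what a defender sees in each table: without salts, two members who chose the same password produce the same hash, so one recovered hash exposes every account sharing it; with salts, every entry is unique and must be attacked separately. The user names and passwords are constructed sample data.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample: two members who happen to have picked the same password.
USERS: Dict[str, str] = {"alice": "Summer2012!", "bob": "Summer2012!", "carol": "correct horse"}


def unsalted_hash(password: str) -> str:
    """The weak pattern under discussion: one bare hash per password, no salt."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256, an assumed choice for this example).

    Stored format: 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'. Keeping the
    salt and iteration count beside the digest is what lets verification recompute it.
    """
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    scheme, iters, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError(f"unsupported scheme: {scheme}")
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(recomputed.hex(), digest_hex)


def build_store(users: Dict[str, str], salted: bool) -> Dict[str, str]:
    """Build a username -> stored-hash table in either style."""
    return {u: (salted_hash(p) if salted else unsalted_hash(p)) for u, p in users.items()}


def shared_hash_groups(store: Dict[str, str]) -> List[List[str]]:
    """Groups of users whose stored hashes are identical.

    Any non-empty result means identical passwords are visible in the table itself,
    which is exactly the leak that per-user salts remove.
    """
    by_hash: Dict[str, List[str]] = {}
    for user, h in store.items():
        by_hash.setdefault(h, []).append(user)
    return sorted(sorted(g) for g in by_hash.values() if len(g) > 1)


if __name__ == "__main__":
    print("unsalted duplicates:", shared_hash_groups(build_store(USERS, salted=False)))
    print("salted duplicates:  ", shared_hash_groups(build_store(USERS, salted=True)))
    record = salted_hash("Summer2012!")
    print("verify correct:", verify_salted("Summer2012!", record))
    print("verify wrong:  ", verify_salted("Winter2012!", record))
```

Salting on its own only makes each hash unique; the iteration count is what makes each guess expensive, so a salted single-round SHA-256 is still far cheaper to attack than the iterated form shown here.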
Darren Thomson, CTO and VP of technology services at Symantec, spoke with SC: “Symantec's 2016 Internet Security Threat Report revealed that three in every four legitimate websites have unpatched vulnerabilities, which allows cyber-criminals to easily gain access to their subscribers' database to target users directly or sell their personal information on the black markets.”
Lee Munson, senior researcher at Comparitech.com, agreed with Thomson. “Whether we are talking about LinkedIn or any other company, tech or otherwise, consumers should never assume that their data is entirely safe," he said. "While some companies undoubtedly take security more seriously than others, the simple fact is that attackers are always one step ahead and so mitigation is the name of the game; not prevention.”
SC approached LinkedIn for comment on its choice of encryption. A spokesperson said, “LinkedIn will not [be] commenting further at this time.” The company referred us back to Cory Scott's blog post.
On the case of passwords
Geoff Webb, vice president of strategy at Micro Focus, said, “Examples like this LinkedIn breach show that we are probably reaching the end of the password as a useful single factor of authentication. We need a more effective way to securely prove who we are without relying solely on passwords.
"The answer could be tokens, smartphones, biometrics, behavioural indicators, or a blend of these measures – pinpointing the appropriate method always depends on the sensitivity of the information or service being secured. But what is clear is that relying on a user to devise (and remember) a sufficiently secure password is fundamentally flawed.”
The other end of it is better password management, of course. Paul Trulove, VP of product management at SailPoint, commented to SC, “Password management is still very much a critical element to an individual's online security and one that many are still struggling to get right. Many of the major security breaches that have occurred over the last couple of years – ones that have even impacted the most basic consumer – have all been related to passwords. The most obvious and simple measures are still being overlooked, or often, users are simply unaware of the potential dangers, which will only get worse as we continue to adopt applications – both cloud and web.”
SC asked Lance Spitzner, director of SANS, if major websites should adopt enterprise behaviour and force password changes every three months. Spitzner concluded that, “Changing passwords every three months is a waste of time and money; enterprises are moving away from that. The only time you should change your password is when you know it has been compromised, such as in this case. Two-step verification is the key.”
Richard Beck, head of cyber security at QA, agreed, saying, "When it comes to passwords, it's less a case of how often they should be changed – but more about how difficult they are to crack. There is no evidence that regular password changes improve an organisation's security posture. Guidance from CESG, the National Authority for Information Assurance, states that it is more effective to implement a policy that states employees should [use] longer and more complex passwords and then let users keep them for longer, rather than requiring them to change passwords every two to three months.”
However, with passwords the problems remain the same. As Paco Garcia, CTO of Yoti, points out: “They are always going to have the same problem: they can be alienated from the intended person that is granted access to a particular system or device. There is no silver bullet so we have to take an approach of strength in numbers and consider several factors of authentication. The combination of a cryptographic key, a biometric with a good anti-spoofing method and something that you know is a reasonably strong three-factor authentication vector and is ideal. For the most effective security measures, you must always consider how important the asset you're securing is to your business, and tailor your strategy accordingly.”
Would the GDPR have an impact on this?
Eduard Meelhuysen, VP of EMEA at Netskope, spoke with SC and said that, “While LinkedIn now aims to reset the details for potentially compromised accounts on a much larger scale, to some extent the damage is done. The EU General Data Protection Regulation (GDPR) – set to come into effect on 25th May this year – will hold businesses accountable for their data practices and force companies to take active measures to mitigate any threats to personal privacy.
“Although many businesses may struggle to initially comply with the strict measures required by the GDPR, we are already seeing the potential benefits of this regulation. By actively looking into the extent of the hack four years ago, LinkedIn would have been able to guarantee that any details offered for sale at a later date were invalid. Instead, LinkedIn must now work quickly to alert any compromised users and encourage them to change their details.”
Paul Trulove, vice president of product management at SailPoint, recently blogged about this issue and said that, “The new law dramatically changes the way in which organisations approach customer data protection, particularly in terms of access privileges. With financial penalties in place, which can be as much as 4 per cent of a corporation's annual turnover, enterprises simply cannot afford to let customer data slip into the wrong hands through mismanagement or a malicious breach.”