Lawsuit argues LinkedIn failed to meet vulnerability management obligations

Security breaches like the one that affected professional social networking site LinkedIn on June 6 can be costly, both financially and in terms of lost consumer confidence.

Penetration testing can surface weaknesses such as this one before an attacker does, and helps confirm that your company is storing user credentials securely.

LinkedIn is now facing a class action lawsuit over the aforementioned incident, in which attackers obtained part of its password database and posted 6.5 million hashed user passwords on a Russian internet forum.

The lawsuit, filed in Canada, asserts that LinkedIn did not meet its vulnerability management obligations because it did not salt its password hashes, a practice commonly considered standard industry practice.

"Despite its contractual obligation to use best practices in storing user data, LinkedIn failed to utilise basic industry standard encryption methods. In particular, LinkedIn failed to adequately protect user data because it stored passwords in unsalted SHA1 hashed format," reads the lawsuit.

LinkedIn responded by arguing that no member accounts were breached and that no user has suffered any undue injury relating to the incident.

"Therefore, it appears that these threats are driven by lawyers looking to take advantage of the situation," said LinkedIn.

LinkedIn could potentially find itself liable for $5 million in damages if the lawsuit is successful.

LinkedIn – (In)Security by Design – Drazen Drazic

The reactions to the recent LinkedIn hacking “scandal” were interesting.

On one side, and rightly so, there were serious questions asked of LinkedIn and their security practices. Certainly the consensus was that their practices in regards to passwords left a lot to be desired. Furthermore, a company of this size, in terms of the number of users it has, should be taking the security of those users’ data more seriously; this type of breach just should not be happening.

Setting the technical security issues aside for now, I put to you the question: does a hacked LinkedIn present much more risk to an individual, and the company they work for, than a non-hacked LinkedIn?

Looking at the consequences of the current security breach as reported, what has been the impact to an individual LinkedIn user? LinkedIn, by the nature of its business model, is about the sharing of “personal” information. That information is already there to one degree or another, and what isn’t directly accessible can be reached with a few clicks to “connect”.

LinkedIn reassures users that their information is secure

Professional social networking site LinkedIn has moved to assure users that their information is secure, following a highly-publicised security breach earlier this month.

“By now, many of you have read recent headlines reporting that 6.5 million LinkedIn hashed passwords were stolen and published on an unauthorised website,” wrote LinkedIn director Vicente Silveira, in a blog post dated June 9.

“We take this criminal activity very seriously so we are working closely with the FBI as they aggressively pursue the perpetrators of this crime.”

Silveira pointed out that no usernames were published alongside the leaked hashes, and said that LinkedIn had so far received no reports of accounts being breached.

He also said that LinkedIn had recently upgraded its password storage. Stored password hashes are now salted, a commonly recognised best practice in the security industry: a per-user random salt means that two users with the same password get different hashes, and an attacker cannot reuse a single precomputed table of hashes against the whole database.
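The following is an added example, not code from LinkedIn or from the original article, that shows in working Python why the unsalted SHA-1 scheme described in the lawsuit is weak and what salting changes. The user names, passwords and word list are constructed for the demonstration; the salted scheme uses PBKDF2-HMAC-SHA256 from the standard library as one reasonable replacement, which the page does not say LinkedIn adopted.

```python
"""Added example: unsalted SHA-1 password storage beside a salted, iterated scheme.

All users, passwords and word-list entries below are constructed for this
demonstration; none of them come from the LinkedIn leak.
"""
import hashlib
import hmac
import os

# Constructed sample user table: two users happen to share a password.
SAMPLE_USERS = {
    "alice": "linkedin",
    "bob": "linkedin",
    "carol": "correct horse battery",
}
# Constructed attacker word list: the shared password is in it, carol's is not.
SAMPLE_WORDLIST = ["123456", "password", "linkedin", "letmein", "qwerty"]


def sha1_unsalted(password):
    """The storage scheme the lawsuit describes: plain SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def pbkdf2_salted(password, salt=None, iterations=100_000):
    """Per-user random salt plus an iterated hash (PBKDF2-HMAC-SHA256).
    The salt and iteration count are stored next to the hash, not kept secret."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_salted(password, record):
    """Re-derive with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(candidate.hex(), record["hash"])


def unsalted_table(users):
    """What a leaked unsalted database looks like: user -> SHA-1 hex digest."""
    return {user: sha1_unsalted(pw) for user, pw in users.items()}


def salted_table(users):
    """What a leaked salted database looks like: user -> {salt, iterations, hash}."""
    return {user: pbkdf2_salted(pw) for user, pw in users.items()}


def crack_unsalted(leaked, wordlist):
    """Attacker side against unsalted hashes: hash each word once, then look up
    every leaked hash in that table. Returns (recovered passwords, hash operations).
    The cost is len(wordlist) regardless of how many users leaked, and identical
    hashes immediately reveal which users share a password."""
    table = {sha1_unsalted(word): word for word in wordlist}
    recovered = {user: table[h] for user, h in leaked.items() if h in table}
    return recovered, len(wordlist)


def crack_salted(leaked, wordlist):
    """Attacker side against salted hashes: no table can be shared between users,
    so every guess is re-derived per user (each derivation costing `iterations`
    rounds). Returns (recovered passwords, number of derivations performed)."""
    recovered = {}
    work = 0
    for user, record in leaked.items():
        for word in wordlist:
            work += 1
            if verify_salted(word, record):
                recovered[user] = word
                break
    return recovered, work


if __name__ == "__main__":
    unsalted = unsalted_table(SAMPLE_USERS)
    print("alice and bob share a hash:", unsalted["alice"] == unsalted["bob"])
    print("unsalted cracked:", crack_unsalted(unsalted, SAMPLE_WORDLIST))

    salted = salted_table(SAMPLE_USERS)
    print("alice and bob share a hash:", salted["alice"]["hash"] == salted["bob"]["hash"])
    print("salted cracked:", crack_salted(salted, SAMPLE_WORDLIST))
```

The point the numbers make is that a word list of five entries costs the attacker five hash computations against the whole unsalted database, but one full PBKDF2 derivation per user per guess against the salted one, and the salted table no longer exposes which users chose the same password.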

Following the breach, many experts criticised the LinkedIn team for not taking more care in guarding user information.

LinkedIn has responded by pointing out that all compromised passwords were deactivated immediately and that all users whose information was put at risk have been contacted.

However, Andrew Conway of the email security company CloudMark reported that four per cent of affected LinkedIn users marked that notification email as spam, and so did not follow the password reset instructions it contained.

Even minor security breaches can have a major impact on a business’s reputation. Customers expect their data to be protected when they operate online, and it is the responsibility of the company to ensure its users’ private information is safe.

Penetration testing is a good way to evaluate the security controls your business has in place, by finding exploitable weaknesses and access paths before cyber criminals do.

Blogger Vincenzo Cosenza recently released his world map of social network popularity, and found LinkedIn to be the second most popular online networking option in Australia, behind only Facebook.

Hackers leak confidential Linkedin passwords

Professional social networking website Linkedin.com is investigating a security breach that may have seen upwards of six million passwords compromised.

LinkedIn director Vicente Silveira confirmed the incident in a blog post dated June 6, and informed affected users that they would receive an email with instructions on how to reset their passwords, followed by a further email explaining the situation.

Compromised passwords will no longer work, while non-affected users will be able to continue using the site with their current login details.

Over 160 million people use Linkedin to create business contacts, find jobs and upload resumes. Users must be accepted as contacts before they can view another person's private details.

Linkedin is yet to release official numbers, but UK Web security company Sophos is reporting 6,458,020 hashed passwords were uploaded to a Russian online forum.

While the usernames matching those hashes were not posted, it is likely that the attacker holds those as well, and the leaked hashes can be cracked offline at leisure.

Security breaches like this can be a major blow to business, compromising secure information and damaging client confidence.

Red cell assessments are one way to review security measures, by simulating an external attack on secure company information.

A red cell team consists of highly trained professionals, adept at both standard and novel intrusion techniques.

They can attempt to access secure information already stored on a business database, or they can seek out a faux-document that has been planted beforehand. Either way, information remains secure and confidential and there is minimal risk of downtime or productivity loss.

After the assessment is complete, a full debriefing provides clients with an evaluation of their security processes and allows them to take the necessary steps to prevent a legitimate attack.

Linkedin has apologised to users for any inconvenience caused and emphasised that it takes client security seriously.