By now everyone has heard about the breach at LinkedIn, in which 6.5 million password hashes were leaked (over half of which have since been cracked, that is, converted back into plain text). Those who read this blog regularly know how I feel about social media in general:
“So managing social media risk boils down to this: You must be able to justify your decision (both to engage and to not engage) strategically, but to do so requires an accurate cost/benefit analysis. Both costs (reputation, and other residual risks) and benefits (strategic and financial) are extremely difficult to quantify, which means that in the end you are accepting an unknown level of risk, to achieve an uncertain amount of benefit.”
This is not to say that social media can never be properly risk managed, only that the decision to engage (or not) must be analyzed the same way you analyze any other business decision. And this is a challenge because social media does not easily lend itself to traditional risk management techniques, and this incident is a good case in point.
So once again, let’s use this latest breach as another incident training exercise. In your initial risk assessment, chances are you classified the site as low risk. It holds no financial NPI, the PII it does hold is largely what members publish about themselves, and it offers no transactional services beyond account upgrades. Additionally, regarding the breach itself, only about 5% of all user password hashes were disclosed, and as I said previously, about half of those were converted into the underlying plain text password. And what exactly is your risk exposure if your password was one that was stolen and cracked? First of all, an attacker would also need your login name to go with the password, since the dump contained hashes only. But if they were able to put the two together, they might change your employment or background information, or post something that portrays you or your company in a negative light. So there are certainly some risks, but they come with lots of “ifs”. Low probability + low impact = low risk…change your password and move on, right?
Well, maybe, depending on how you answer this question: is your LinkedIn password being used anywhere else? If you have a “go-to” password that you use frequently (and most people do), you should assume that it is now out in the wild, that it has been added to attackers’ wordlists, and that it is being tried against other sites along with any email address or login name that can be tied to you. So yes, if you are an individual user, change your LinkedIn password, but also change every other account where that password is used.
But back to our training exercise…if you are an institution with an official (or unofficial) LinkedIn presence through one or more employees, you may still be at risk even after they have changed their LinkedIn password(s). If an employee used the same password for your Facebook or Google+ page, for remote authentication to your email system, or for anything else connected to you, your response procedures should require (and validate) that every affected password has been changed. In fact, since you have no way of knowing which employees have a personal LinkedIn (or Facebook, etc.) presence, it may be good practice to have your network administrator force a password reset for all users, just to be safe. You may also want to change your policy to state that internal (or corporate) passwords must never be duplicated or reused on external or personal sites (although enforcing that is a challenge).
Consider also what LinkedIn’s own policies tell their users:

- Personal information you provide will be secured in accordance with industry standards and technology. Since the internet is not a 100% secure environment, we cannot ensure or warrant the security of any information you transmit to LinkedIn. There is no guarantee that information may not be accessed, copied, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards. (Bold is mine)
- You are responsible for maintaining the secrecy of your unique password and account information, and for controlling access to your email communications at all times.
Even though LinkedIn has made public statements that it has taken steps to address the root cause of the breach, given the above policy there is no indication that LinkedIn feels it necessary to obtain a third-party review to validate its enhanced privacy and security measures. Granted, given the nature of the information they collect and store, they may not feel compelled to do so, and you may not require it, but at the very least you should expect the passwords to be stored securely.
Indeed, there are several questions raised by this breach that have yet to be answered: How did it occur? Could the breach be worse than disclosed? Why were the passwords hashed with plain SHA-1, a fast general-purpose hash that was never designed for password storage (and note that hashing is not encryption)? Why were the hashes not salted? Why didn’t they have a CIO? Did they truly use industry standards to secure your information? If they did, those standards are clearly inadequate, so will they now exceed industry standards?
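As an added worked example (not from the original post, and not LinkedIn’s code), the following Python shows why the two questions above about SHA-1 and salting matter, and how an organization could act on the earlier advice about validating that reused passwords have actually been changed. It builds a constructed “leaked dump” from made-up passwords, runs the same small dictionary attack against unsalted SHA-1 and against per-user salted PBKDF2 hashes while counting the work each takes, and includes a check that rejects a new corporate password whose unsalted SHA-1 appears in the dump. The passwords, the wordlist and the PBKDF2 iteration count are all constructed for illustration; the iteration count is deliberately low so the example runs quickly.

```python
import hashlib
import hmac
import secrets

# Constructed sample data, not the real LinkedIn dump: a tiny "leaked dump"
# of unsalted SHA-1 hashes, derived here from made-up passwords so that the
# example runs offline.
CONSTRUCTED_LEAKED_PASSWORDS = ["linkedin", "password1", "Summer2012", "qwerty"]

# Constructed attacker wordlist; a real one has hundreds of millions of entries
# and, after a breach like this one, every plaintext recovered from the dump.
WORDLIST = ["123456", "password1", "linkedin", "letmein", "Summer2012", "dragon"]

# Deliberately low so the example is fast; production systems use far more
# iterations (or a memory-hard function such as scrypt or Argon2).
PBKDF2_ITERATIONS = 10_000


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1, the way the leaked LinkedIn hashes were stored."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


LEAKED_HASHES = {sha1_hex(p) for p in CONSTRUCTED_LEAKED_PASSWORDS}


def crack_unsalted(leaked_hashes: set, wordlist: list) -> tuple:
    """Dictionary attack against unsalted hashes.

    Because identical passwords produce identical hashes, one SHA-1 per
    candidate word tests it against every account in the dump at once.
    Returns (hash -> recovered plaintext, number of hash computations).
    """
    recovered = {}
    work = 0
    for word in wordlist:
        work += 1
        h = sha1_hex(word)
        if h in leaked_hashes:
            recovered[h] = word
    return recovered, work


def make_salted_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Store a random per-user salt plus a slow PBKDF2-HMAC-SHA256 digest."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "hash": digest, "iterations": iterations}


def verify_salted(password: str, record: dict) -> bool:
    """Recompute the digest with the stored salt; constant-time comparison."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["hash"])


def crack_salted(records: list, wordlist: list) -> tuple:
    """The same dictionary attack against salted, iterated hashes.

    The per-user salt defeats any shared lookup table, so every candidate
    must be rehashed separately for every account, and each rehash is slow
    by design. No early exit here, so the count shows the full cost.
    Returns (record index -> recovered plaintext, number of PBKDF2 runs).
    """
    recovered = {}
    work = 0
    for i, rec in enumerate(records):
        for word in wordlist:
            work += 1
            if verify_salted(word, rec):
                recovered[i] = word
    return recovered, work


def password_in_leak(candidate: str, leaked_hashes: set) -> bool:
    """Reject a new corporate password whose unsalted SHA-1 is in the dump.

    This check is possible only because the dump is unsalted: one lookup
    answers the question for any user. Run it at password-change time,
    when the plaintext is available, rather than storing SHA-1 yourself.
    """
    return sha1_hex(candidate) in leaked_hashes


if __name__ == "__main__":
    found, work = crack_unsalted(LEAKED_HASHES, WORDLIST)
    print(f"unsalted: recovered {len(found)} of {len(LEAKED_HASHES)} in {work} hashes")

    records = [make_salted_record(p) for p in ["linkedin", "password1", "Summer2012"]]
    found_s, work_s = crack_salted(records, WORDLIST)
    print(f"salted:   recovered {len(found_s)} of {len(records)} in {work_s} PBKDF2 runs")

    for pw in ["linkedin", "correct horse battery staple"]:
        print(f"{pw!r} in leak: {password_in_leak(pw, LEAKED_HASHES)}")
```

The weak passwords still fall to the salted scheme, which is the honest lesson: salting and iteration do not rescue a bad password, they only make the attacker pay full price per account instead of cracking 6.5 million hashes with a single pass over a wordlist. The reuse check is the incident-response half of the story: because the leaked hashes were unsalted, an organization can screen new passwords against the dump at reset time and refuse any that an attacker already holds.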