LinkedIn-style Hacks Create Hidden Danger For Businesses
When LinkedIn first started up, I didn't join because I was concerned that I could not tell how securely the service held personal information. It wasn't that I knew anything specific, it was what I didn't know and couldn't find out — like how it stored passwords. As the service matured I never got around to joining until I finally relented earlier this year — and as Lloyd Bridges said in the movie Airplane!: "looks like it was a bad week to stop smoking!"
It has been reported that hackers have stolen a file containing 6 million users' hashed passwords from LinkedIn and have been able to recover the plaintext passwords because LinkedIn has been using "old" hashing/encryption technology. This is extremely concerning — not just for individuals but for businesses. As bad as this seems on the face of it, the nature of this hack creates serious danger in ways that are not easily seen, and that businesses need to address immediately.
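The post doesn't say what the "old" scheme was, so the following added example (mine, not LinkedIn's code or anything from the report) assumes, for illustration, a single unsalted hash round. It shows why that is dangerous once the file leaks — every user with the same password gets the same digest, and one precomputed table of common passwords applies to every record — and contrasts it with a per-user salted, iterated KDF (PBKDF2 from the standard library), where the same password yields a different record each time and the attacker has to start over for each user. The wordlist is constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed stand-in for an attacker's dictionary of common passwords (demo data only).
COMMON_PASSWORDS = ["linkedin", "password1", "Summer2012", "letmein", "qwerty"]


def legacy_hash(password):
    """Assumed 'old' scheme for illustration: one unsalted SHA-1 round, no per-user salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup_table(wordlist):
    """Precompute digest -> password once. Because nothing per-user goes into the
    legacy hash, this one table can be checked against every stored record."""
    return {legacy_hash(pw): pw for pw in wordlist}


def recover_from_legacy(stored_digest, table):
    """Return the password if the leaked digest is in the precomputed table, else None."""
    return table.get(stored_digest)


def salted_hash(password, salt=None, iterations=600_000):
    """Per-user random salt plus an iterated KDF. Record format is an assumption for
    this example: algorithm$iterations$salt_hex$derived_key_hex."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_salted(password, record):
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    _alg, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def demo(iterations=600_000):
    """Compare the two schemes on two users who chose the same weak password."""
    table = build_lookup_table(COMMON_PASSWORDS)
    legacy_a = legacy_hash("linkedin")
    legacy_b = legacy_hash("linkedin")
    salted_a = salted_hash("linkedin", iterations=iterations)
    salted_b = salted_hash("linkedin", iterations=iterations)
    return {
        # Same password -> same legacy digest, so one hit exposes every user sharing it.
        "legacy_identical": legacy_a == legacy_b,
        "legacy_recovered": recover_from_legacy(legacy_a, table),
        # Same password -> different salted records; the table is useless against them.
        "salted_identical": salted_a == salted_b,
        "salted_in_table": salted_a in table,
        "salted_verifies": verify_salted("linkedin", salted_a),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The iteration count is a tunable cost; the point is that recovering one salted record costs the attacker that full work, while the legacy table is built once and reused across all 6 million records.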
This is not just a case of consumers possibly having their credit card numbers and some personal information compromised. It is a potential business risk issue. To illustrate, let me ask a simple question:
Do you think your users may synchronize their LinkedIn password with passwords that they use to access your business systems?
If so, you are compromised — it is not as if it will be difficult for hackers to figure out what companies the individuals work at! We may be horribly mistaken if we think that the ultimate target of this hack is only LinkedIn (just as RSA was not the ultimate target of the RSA hack). Doesn't just about every business have users on LinkedIn?
Hackers will have all the information needed to break into your business systems: a user's password, company name…and their name. Because we have made account IDs derivable from the users' names to make it easier for users to access systems, we have made the environment easier for hackers too.
When a password is compromised, we need to ask ourselves what else may be compromised. Even if the users do not synchronize their passwords, many advanced users create a naming convention to keep track of the various passwords that they have for home, finances, entertainment, business, etc. (like asterisk, followed by a word, followed by a number). The LinkedIn hack may not only have compromised the LinkedIn password and any password it is synchronized with, but it may also have compromised the users' password conventions.
While LinkedIn enables password reset by sending a one-time link to the user's email address of record, many web sites enable password reset by answering some personal questions to authenticate the user. If the password to any of these sites is compromised, so is the authentication Q&A information. Are those questions re-used by other sites? Are they used by your company to authenticate the user?
Chief Information Security Officers should move immediately to educate business users on the potential implications of this LinkedIn hack — and the implications of their own behavior (synchronizing passwords, using similar Q&A information for authentication to password reset for external services). And they should either urge users to assess whether they need to change their passwords and Q&A authentication information internally to the business, or force that change. (And by the way, if you don't have an automated way to accomplish this for your users, I can point you in the right direction!).
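As an added example of the triage step the last two paragraphs call for (this is my illustration, not a tool the post describes), the script below takes a leaked `email:hash` dump, pulls out the records on the company's own mail domains, derives the internal account ID each one would map to, and flags records whose digest appears more than once in the dump. That last flag only means something because of the "old" unsalted hashing: identical digests mean identical passwords, so those are common passwords and likely among the first recovered. The account-ID convention (first initial plus last name) is an assumption standing in for whatever your directory uses, and the dump lines and digests are constructed, not real leaked data.

```python
import re
from collections import Counter

# Constructed stand-in for a leaked dump; emails and digests are made up for this demo.
SAMPLE_DUMP = """\
alice.smith@example.com:1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b
bob.jones@EXAMPLE.COM:ffeeddccbbaa99887766554433221100ffeeddcc
carol@other-site.org:1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b
this line is not a record
dave@example.com:short
"""

EMAIL_RE = re.compile(r"^[^@\s:]+@[^@\s:]+$")
SHA1_HEX_RE = re.compile(r"^[0-9a-fA-F]{40}$")


def parse_dump(text):
    """Return ([(email, digest), ...], skipped_count). Malformed lines are counted, not trusted."""
    records, skipped = [], 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        email, sep, digest = line.rpartition(":")
        if not sep or not EMAIL_RE.match(email) or not SHA1_HEX_RE.match(digest):
            skipped += 1
            continue
        records.append((email.lower(), digest.lower()))
    return records, skipped


def corporate_accounts(records, domains):
    """Keep only records whose mail domain is one of ours (case-insensitive)."""
    ours = {d.lower() for d in domains}
    return [(e, h) for e, h in records if e.rsplit("@", 1)[1] in ours]


def derive_account_id(email):
    """Assumed directory convention: first initial + last name (alice.smith -> asmith).
    Single-token local parts are used as-is."""
    local = email.split("@", 1)[0]
    parts = [p for p in re.split(r"[._-]+", local) if p]
    if len(parts) >= 2:
        return (parts[0][0] + parts[-1]).lower()
    return local.lower()


def reset_list(dump_text, domains):
    """Build the list of internal accounts to force through a password/Q&A reset."""
    records, skipped = parse_dump(dump_text)
    hits = corporate_accounts(records, domains)
    digest_counts = Counter(h for _, h in records)
    affected = []
    for email, digest in hits:
        affected.append({
            "email": email,
            "account_id": derive_account_id(email),
            # Unsalted scheme: a digest seen on several users means a shared, common password.
            "common_password_suspected": digest_counts[digest] > 1,
        })
    return {"affected": affected, "total_records": len(records), "skipped_lines": skipped}


if __name__ == "__main__":
    result = reset_list(SAMPLE_DUMP, ["example.com"])
    print(f"{result['total_records']} records parsed, {result['skipped_lines']} lines skipped")
    for entry in result["affected"]:
        print(entry)
```

Feed the `account_id` column into whatever your directory uses to expire passwords and invalidate reset questions, and treat the `common_password_suspected` rows as the first to force.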
As the line between business and personal computing continues to blur, this LinkedIn hack is a great warning shot across the bow. It should remind us to prepare for the fact that personal and business security are becoming inextricably linked. And that a compromise of personal security can enable a hacker to get "Linked In" to your business!