The case involving the leaking of 6.5 million passwords raises issues of security at dominant Websites like LinkedIn and Facebook.
LinkedIn is the target of a $5 million class-action suit that claims the social networking sites data security measures were ineffective, resulting in about 6.5 million user passwords being stolen by a hacker.
The lawsuit, filed in U.S. District Court in Northern California on behalf of Illinois resident Katie Szpyrka, claims that while LinkedIn says it protects personally identifiable information (PII) with industry-standard practices and protocol, it failed to follow through with basic steps. Specifically, the company, which has about 120 million users, used a technique called hashing to encrypt information, but failed to add a second layer called salting.
LinkedIn not only used an outdated hashing technique, but also, storing users passwords in hashed format without first salting the passwords runs afoul of conventional data protection methods, and poses significant risks to the users ¦ data, according to claims in the 23-page lawsuit, which was filed June 18.
LinkedIn used a hash-based encryption technique called SHA-1, which is considered by some experts as being safer than MD5, but still flawed, especially if not accompanied by salting.
Industry standards require at least the additional process of adding salt to a password before running it through a hashing functiona process whereby random values are combined with a password before the text is input into a hashing function, the lawsuit claims. This procedure drastically increases the difficulty of deciphering the resulting encrypted password.
More common practice is to salt the passwords before inputting them into a hash function, then to salt the resulting hash value, and again run the hash value through a hashing function. Finally, that fully encrypted password is stored on a separate and secure server apart from all other user information.
LinkedIns data security procedures fall well short of this level of security, the lawsuit claims.
The stolen information came to light June 6, when a hacker posted the hashed passwords to an online password cracking forum. According to security consulting firm KoreLogic, almost 80 percent the passwords have been encrypted, and users should expect that their passwords will be leaked. In statements and blog postings over the past two weeks, LinkedIn officials have said that they have not seen evidence that any users have been harmed by the breach, and assured users that they were improving the security of the information they hold, including using the salting technique to strengthen the hashed data.
Again, we are not aware of any member information being published at any time in connection with the list of stolen passwords, Vicente Silveira, a director at LinkedIn, said in a June 9 blog post. The only information published was the passwords themselves.
In response to the lawsuit, LinkedIn spokesperson Erin O'Harra told Reuters that there was no merit to the lawsuit, which was filed "by lawyers looking to take advantage of the situation. No member account has been breached as a result of the incident, and we have no reason to believe that any LinkedIn member has been injured."
Right after the news of the data breach was made public, LinkedIn officials urged users to change their passwords, advice that was repeated by most security experts, including those from KoreLogic. Experts and journalists also reiterated the various steps to take to strengthen passwords, from using a combination of letters, numbers and punctuation to changing the passwords often to ensuring that they dont use the same password for multiple sites.
Such steps are good ones to follow, but user efforts are only half the data security issue, according to Richard Moulds, vice president of product management and strategy at Thales e-Security, a security consulting and solutions provider.
The other half is determining how Websites protect those passwords, Moulds told eWEEK. Youve got no way of determining what procedures theyve put in place.
For Websites that are built on transactions and deal with such data as credit card numbersthink financial services institutions or retail sitesthere are regulations in place that set high security requirements. However, for other sites, such as Facebook and LinkedIn, there are no such regulations, even though companies like these hold massive amounts of personal information from hundreds of millions of people.
At the same time, some of these Web-based companies are beginning to make transactions, Moulds said. For example, LinkedIn charges anywhere from $19.95 to $99.95 a month for upgrading to a premium account, according to the lawsuit. The named plaintiff, Szpyrka, reportedly paid LinkedIn $26.95 a month for a premium account.
Still, LinkedIn and similar sites are under no requirements regarding security, and users have few ways to determine the level of security on them, Moulds said. For example, users couldnt know that LinkedIn, at the time of the data breach, was using a weak hashing technology and did not have a second level of security in place, such as salting. Now, after news of the data breach surfaced, LinkedIn officials are out front with the security measures in place.
[O]ne of our major initiatives was the transition from a password database system that hashed passwords, i.e., provided one layer of encoding, to a system that both hashed and salted the passwords, i.e., provided an extra layer of protection that is a widely recognized best practice within the industry, LinkedIns Silveira said in his blog post. That transition was completed prior to news of the password theft breaking [June 6]. We continue to execute on our security road map, and well be releasing additional enhancements to better protect our members.
The LinkedIn data breach also raises another issue, Thales Moulds said. For many organizations that do business online, such as banks and retail companies, security is a differentiator from competitors. If a user is unhappy with Bank of America and its security practices, for example, they can always move to another bank. The same goes for retail sites.
However, sites like Facebook and LinkedIn dont have such competition. They are the only significant players in their areas, so unless there is a breach like the one at LinkedIn, there is little competitive reason for them to spend the time or money to bulk up their security rather than expand their services.
Its a quirk of the Internet, where areas are dominated by one company, Moulds said.