Posted by: Matt Heusser
Tags: linkedin, passwords
Unless you’ve been hiding under a rock, you probably know that someone broke into the Linkedin Database and exported a list of accounts and encrypted passwords.
What you may not know is what, besides a sudden desire to change your linkedin password, all this actually means for you.
On its surface, the leak is relatively innocuous. Most users don’t store anything beyond their name, email address, and password. If the cracker managed to break the encryption and log in, the best they could do is deface your account. Even if the bad guys crack into a ‘pro’ account, all they can snag is the last four digits of the credit card; you typically need the other twelve numbers, expiration date and security code to actually charge anything.
So what can we learn from this mess?
You might be surprised.
A Password Funnel
A few years ago, the webcomic XKCD demonstrated the idea of a password collector application — that if someone knows your linkedin password, they may well also know your bank account password, your amazon password, or gmail login.
And many people store other passwords in email. Maybe not you, but in a large enough company, invariably, some of the employees will.
What We Can Do About It
First, while you might not have separate logins for every site, it makes sense to at least rationalize your passwords: banking and credit-card accounts should be more specialized and better protected than those for social media. (Expect companies like Twitter and Facebook to be lax with security outside of code that touches money; it just isn’t as integral to their business model.)
Speaking of banking accounts, make sure they have a second level of security, like authentication questions that are asked every time you log in from a different IP address.
Companies that drop-ship products and store your credit card numbers should ask you for the full number if you want to ship to a different address. (If you use a niche product site, try sending family presents from the site. If they don’t ask for the full number, send ‘em a note, they will thank you for it.)
Back in the IT Shop
Just like the Yahoo CEO with a lie on his resume, the linkedin example is entertaining because, after all, it’s not our company.
What we can do is use this as an example, as an opportunity to examine our own security, to make sure it stays that way.
You might start by checking your own password policy (are the passwords stored encrypted? Are they salted?) to find any business-process flaws. Or get permission to do a little ethical penetration testing, to test the security of your applications.
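To make the "are they salted?" question concrete, here is an added example (not from the original post) that contrasts an unsalted, fast hash with a per-user-salted, slow one, plus a small audit that counts how many users share a stored value. The user records and the iteration count are constructed for illustration.

```python
# Added example: weak vs. salted password storage, with an audit helper.
import hashlib
import hmac
import os
from typing import Callable, List, Optional, Tuple

PBKDF2_ITERATIONS = 100_000  # assumption: tune upward for your hardware

def weak_store(password: str) -> str:
    """Unsalted SHA-1: every user with the same password gets the same digest,
    so one precomputed lookup table cracks all of them at once."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def strong_store(password: str, salt: Optional[bytes] = None) -> str:
    """Random 16-byte salt + PBKDF2-HMAC-SHA256, packed into one string."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def strong_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations; constant-time compare."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

# Constructed sample users; two of them picked the same password.
USERS: List[Tuple[str, str]] = [
    ("alice", "password123"),
    ("bob", "password123"),
    ("carol", "correct horse battery staple"),
]

def shared_hash_users(store: Callable[[str], str], users=USERS) -> int:
    """Audit: number of users whose stored value matches another user's.
    Any non-zero result means the store is unsalted (or salts are reused)."""
    table = [store(pw) for _, pw in users]
    return sum(1 for h in table if table.count(h) > 1)
```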
Beyond the potential danger of the leaked passwords, there is another, more subtle danger: the reputation of the company. While the linkedin stock hasn’t had a major dip yet, the story also hasn’t had a major media event – like in October, 2011, when the Wall Street Journal reported that a computer glitch in the American Visa Lottery incorrectly notified twenty-two thousand people that they had earned a visa.
That error appeared on page A2 of the Wall Street Journal, during the middle of a contract renewal with one customer. I brought the article in and showed it to my sponsor, explaining that this was part of what I do around here — I help keep your company off the ‘A’ section of the Wall Street Journal.
The contract negotiation went pretty smoothly from there.
This linkedin thing may be an embarrassment …
… but, dare I say it, it is also an opportunity to get people thinking about security, and to demonstrate the value we add, before it happens to us.
Let’s make the most of it.