Data security controversies swirling around LinkedIn
LinkedIn's security troubles provide perspective on evolving cybercriminal motives and the complexities of mobile data privacy.
LinkedIn is having a week to forget as data protection concerns continue to mount. Just hours after it was learned that the social media network could be leaking sensitive information through its iOS app, reports emerged to suggest that 6.5 million user passwords may have been released into the wild as well.
Opting into data privacy concerns
At an industry workshop held earlier this week at Tel Aviv University, Skycure Security analysts Adi Sharabani and Yair Amit identified a concerning anomaly in the way LinkedIn displayed user calendars within the company's iOS application. During the integration process, calendaring info is sent from the mobile device on which it was originally entered over to LinkedIn corporate servers.
If a user had registered a meeting in his or her calendar, LinkedIn servers would potentially receive everything from the guest list and meeting location to personal notes jotted down during the conversation. As the researchers noted, these meeting minutes often contain highly sensitive data including conference call details and passcodes.
But while users do have to manually enable this convenient feature, many may be surprised by exactly how much personal data LinkedIn is handling and where it is traveling. What's more, the contact data is being delivered in raw, plain-text format rather than as hashed values.
In an attempt to eliminate confusion, LinkedIn mobile product director Jeff Redfern responded with a reminder of exactly what the social networking site does and does not do with customer data.
"In order to provide our calendar service to those who choose to use it, we need to send information about your calendar events to our servers so we can match people with LinkedIn profiles," Redfern wrote. "That information is sent securely over SSL and we never share or store your calendar information."
As a concession, LinkedIn has decided to discontinue its practice of including meeting notes in the data packet. Also, a new informative link will be embedded to more explicitly educate users on what they can expect from the app and what they can do to protect their information.
But just as it appeared that the professional networking site had deftly extinguished a mobile data privacy controversy, another fire emerged.
Hackers walk away with 6.5 million passwords
First confirmed by Norwegian security experts from Dagens IT, approximately 6.5 million hashed LinkedIn passwords have been posted to the forums of a notorious Russian hacking site. According to Computerworld, the cybercriminals then began to crowdsource help from like-minded programmers and went to work cracking the "unsalted hashes" produced with SHA-1, a hash function whose unsalted output has proven vulnerable to simple password dictionaries in the past.
Before the website went down, a web cache suggested that more than 236,000 passwords had already been compromised.
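The article's point about unsalted SHA-1 is easiest to see in code. The following added example (not from the article or from LinkedIn) uses constructed, invented user records and a tiny constructed wordlist: it shows why unsalted hashes can be matched in bulk from a single precomputed table, and contrasts that with a per-user salted, iterated PBKDF2 scheme (a hardening choice made here, not one the article describes).

```python
import hashlib
import hmac
import os

# Constructed sample data: three invented users, two of whom chose the same weak password.
USERS = {"alice": "linkedin", "bob": "Summer2012", "carol": "linkedin"}

# Constructed stand-in for a common-password wordlist (deliberately tiny).
WORDLIST = ["password", "123456", "linkedin", "qwerty"]


def sha1_unsalted(password):
    """The weak scheme the article describes: one SHA-1 over the password, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def match_unsalted(stored, wordlist):
    """Why unsalted hashes fall in bulk: every word is hashed ONCE, and that single table
    is then checked against all users. Returns {user: matched_word} for each hit."""
    table = {sha1_unsalted(w): w for w in wordlist}
    return {user: table[h] for user, h in stored.items() if h in table}


def pbkdf2_salted(password, salt=b"", iterations=200_000):
    """Hardened alternative: random per-user salt plus a slow, iterated KDF (PBKDF2-HMAC-SHA256).
    A precomputed table is useless here because each user's salt changes the input."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_salted(password, stored):
    """Recompute the record from its stored salt and iteration count; compare in constant time."""
    _, iters, salt_hex, _ = stored.split("$")
    recomputed = pbkdf2_salted(password, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(recomputed, stored)


def records_collide(stored):
    """True if two users share an identical stored record (always true for shared unsalted
    passwords, never true with random salts)."""
    return len(set(stored.values())) != len(stored)


if __name__ == "__main__":
    unsalted_db = {u: sha1_unsalted(p) for u, p in USERS.items()}
    print("unsalted matches:", match_unsalted(unsalted_db, WORDLIST))  # alice and carol
    salted_db = {u: pbkdf2_salted(p) for u, p in USERS.items()}
    print("salted records collide:", records_collide(salted_db))  # False
    print("carol verifies:", verify_salted("linkedin", salted_db["carol"]))  # True
```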
With so much personally identifiable and career-focused information tied to these accounts, a wave of data security anxiety has washed over the business community. However, LinkedIn has been slow to confirm or deny whether a breach has taken place.
As the investigation continues, it appears that the networking site has already begun disabling passwords that it believes may have been compromised. Members are also being prompted with emails informing them of the reset and advising a further review of password security and general data protection best practices. If and when accounts are confirmed to be compromised, the company's customer support staff has indicated that affected individuals will be emailed once again with more detail on the related issues.
Data Security News from SimplySecurity.com by Trend Micro
Comments
I kind of wish a social network that is geared for the professional would not be more security conscious. I am a member and would like to see them take some steps to provide me with additional layers of protection for access to my account verification without unreasonable complexity. It would be great to see them, just as many other leading companies in their different respective verticals have done, give us the perfect balance between security and user experience by moving to the use of 2FA (two-factor authentication), mobile or other, as a form of a token where the user is asked to telesign into their account by entering a one-time PIN code which is delivered to your phone via SMS or voice. I really wish more organizations would start implementing 2FA.
Comment by royeb on July 10, 2012 at 11:58 am