
What's the worst that can happen?

Here are some further thoughts on the LinkedIn compromise, following my previous blog post.

Over the years I did some unscientific research on LinkedIn. Here are some unofficial statistics I have on LinkedIn accounts: about 25% of LinkedIn users use their real corporate email address as their user name. That's not a good practice for many reasons, some of them related to security. Are you one of the 25%?

Interestingly enough, those who use their corporate email address as the user name tend to have more senior job titles. Executive types. People who don't expect to move between jobs, or who are in an outbound position such as director of business development, head of global alliances, etc. And last but not least, these individuals tend to use LinkedIn for a lot of corporate-related activity. It appears that people with a Yahoo! or Gmail address as their user name often use LinkedIn for other things, like looking for a job.

Passwords can be stolen locally, at the user level, by phishing or trojans; in such cases the length of the password isn't going to help anyone. But in many cases passwords are mass-compromised by breaking into the application servers that store them, and then how the server stored them (hashed or not, with a per-user salt or not, with a slow function or a fast one) decides how many of the stolen passwords the attackers can actually recover.
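To show what that server-side difference means for a mass compromise, here is an added example (my own, not from the original post, and not LinkedIn's code). It builds a constructed dump of six fictional accounts, cracks it with a tiny constructed wordlist when the server stored unsalted SHA-1, and then repeats the attack when the server stored a random per-user salt and PBKDF2. The account names, passwords, wordlist and iteration count are all assumptions made up for the demo.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Constructed sample accounts (not real people): six LinkedIn-style user names,
# three of them sharing one weak password and two sharing another.
USERS: Dict[str, str] = {
    "cfo@example-corp.com": "linkedin",
    "vp.bizdev@example-corp.com": "Summer2012",
    "it.admin@example-corp.com": "linkedin",
    "someone@gmail.com": "linkedin",
    "recruiter@yahoo.com": "Summer2012",
    "ceo@example-corp.com": "Xk#9v!qL2pTz",   # not in the attacker's wordlist
}

# Constructed attacker wordlist (a real one has millions of entries).
WORDLIST: List[str] = ["123456", "password", "linkedin", "Summer2012", "qwerty"]

PBKDF2_ITERATIONS = 10_000  # assumed value, kept small so the demo runs quickly


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def leak_unsalted(users: Dict[str, str]) -> Dict[str, str]:
    """What a server that stores bare SHA-1(password) leaks when it is breached."""
    return {user: sha1_hex(pw) for user, pw in users.items()}


def crack_unsalted(leak: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Attacker against unsalted hashes: hash each candidate once, then look every
    leaked hash up in that table. Cost is one SHA-1 per candidate no matter how
    many accounts were dumped, and identical passwords fall together."""
    table = {sha1_hex(w): w for w in wordlist}
    cracked = {user: table[h] for user, h in leak.items() if h in table}
    return cracked, len(wordlist)


def pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def leak_salted(users: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """What a server that stores (random per-user salt, PBKDF2(password, salt)) leaks."""
    leak: Dict[str, Tuple[bytes, bytes]] = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        leak[user] = (salt, pbkdf2(pw, salt))
    return leak


def crack_salted(leak: Dict[str, Tuple[bytes, bytes]], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Attacker against salted, iterated hashes: no shared lookup table is possible,
    so every candidate must be re-derived separately for every account, and each
    derivation costs PBKDF2_ITERATIONS times more than a bare SHA-1."""
    cracked: Dict[str, str] = {}
    derivations = 0
    for user, (salt, stored) in leak.items():
        for w in wordlist:
            derivations += 1
            if hmac.compare_digest(pbkdf2(w, salt), stored):
                cracked[user] = w
                break
    return cracked, derivations


def corporate_exposure(cracked: Dict[str, str], domain: str) -> List[str]:
    """Accounts whose user name is a corporate address and whose password was
    recovered: the credentials an attacker will try against the company's own systems."""
    return sorted(u for u in cracked if u.lower().endswith("@" + domain.lower()))


if __name__ == "__main__":
    cracked, work = crack_unsalted(leak_unsalted(USERS), WORDLIST)
    print(f"unsalted SHA-1: {len(cracked)} of {len(USERS)} accounts cracked "
          f"with {work} hash computations")
    cracked2, work2 = crack_salted(leak_salted(USERS), WORDLIST)
    print(f"salted PBKDF2: {len(cracked2)} of {len(USERS)} accounts cracked "
          f"with {work2} derivations of {PBKDF2_ITERATIONS} iterations each")
    print("corporate accounts exposed:", corporate_exposure(cracked, "example-corp.com"))
```

Both runs recover the same five weak passwords, because a short wordlist and a handful of accounts are a toy. The point is the cost curve: against unsalted hashes the attacker pays once per candidate for the whole dump and every account that chose "linkedin" falls at the same moment, while salting forces a separate derivation per account and per candidate, and the iteration count multiplies each of those. Across millions of accounts and a real wordlist, that is the difference between recovering most of the dump in hours and recovering only the weakest entries.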

What’s the worst that can happen if your LinkedIn account is exposed?

I think you can figure out what it can mean for you personally, but let me point out some less obvious potential for damage to the corporation you work for.

When a legitimate LinkedIn account is compromised by a cybercriminal, there's a trusted identity in the wrong hands. The hacker can send personal messages to those linked to the compromised account, and recipients will probably consider them 100% legitimate. This can be used to infect contacts with malware, for the purpose of gaining access to their personal devices and, worse, their corporate networks. Executives can become targets for extortion. And let's not forget password reuse: if you're an IT person who has access to corporate network resources or FTP sites, a hacker may try to see if your LinkedIn password also works there. In many cases it does.
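The defensive counterpart to that last point is to check, when someone sets a corporate password, whether it already appears in a known breach dump, without shipping the password or even its full hash to whoever holds the dump. The following is an added example (mine, not part of the original post or any vendor's code) of the k-anonymity range-query design popularised by the Have I Been Pwned "Pwned Passwords" service: the client hashes the password with SHA-1, sends only the first five hex digits, receives every suffix in that bucket, and finishes the match locally. The breach corpus here is a small constructed stand-in, and the prefix length follows that public design.

```python
import hashlib
from collections import defaultdict
from typing import Dict

# Constructed stand-in for a breach corpus: password -> number of times seen in dumps.
# The service side only ever needs the SHA-1 hashes and counts, never the plaintexts.
BREACHED_PASSWORDS: Dict[str, int] = {
    "linkedin": 5000,
    "Summer2012": 300,
    "password": 90000,
    "qwerty": 40000,
}

PREFIX_LEN = 5  # the client reveals only these hex digits of its hash
HEX_DIGITS = set("0123456789ABCDEF")


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: Dict[str, int]) -> Dict[str, Dict[str, int]]:
    """Service side: bucket every breached hash by its PREFIX_LEN-digit prefix.
    Each bucket maps hash suffix -> occurrence count."""
    index: Dict[str, Dict[str, int]] = defaultdict(dict)
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        index[h[:PREFIX_LEN]][h[PREFIX_LEN:]] = count
    return dict(index)


def range_query(index: Dict[str, Dict[str, int]], prefix: str) -> Dict[str, int]:
    """Service side: answer a prefix query with the whole bucket. The service learns
    the prefix, not which suffix (if any) the client cares about. With a corpus of
    hundreds of millions of hashes every bucket holds hundreds of entries; in this
    toy corpus most buckets hold one."""
    if len(prefix) != PREFIX_LEN or not set(prefix) <= HEX_DIGITS:
        raise ValueError("prefix must be exactly %d uppercase hex digits" % PREFIX_LEN)
    return dict(index.get(prefix, {}))


def breach_count(index: Dict[str, Dict[str, int]], password: str) -> int:
    """Client side: hash locally, send the prefix, match the suffix locally.
    Returns how many times the password was seen in the corpus (0 = not found)."""
    h = sha1_hex(password)
    prefix, suffix = h[:PREFIX_LEN], h[PREFIX_LEN:]
    return range_query(index, prefix).get(suffix, 0)


def reject_if_breached(index: Dict[str, Dict[str, int]], password: str) -> bool:
    """Policy hook for a password-change flow: True means refuse this password."""
    return breach_count(index, password) > 0


if __name__ == "__main__":
    idx = build_range_index(BREACHED_PASSWORDS)
    for candidate in ("linkedin", "Summer2012", "Xk#9v!qL2pTz"):
        seen = breach_count(idx, candidate)
        verdict = "REJECT" if reject_if_breached(idx, candidate) else "ok"
        print(f"{candidate!r}: seen {seen} times in breach data -> {verdict}")
```

The same check can be run retroactively over an organisation's existing password hashes only if the organisation still stores them in a form that can be compared, which is exactly why it is better wired into the set-password path: the password is in hand at that moment, the query leaks almost nothing about it, and a hit is the signal to refuse it rather than discover the reuse later from an attacker's login.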

We should, however, take into account that passwords are no longer alone. On their own, without additional lines of defense, static passwords are outdated protection, and the industry realized that long ago. Passwords are still effective against a variety of attacks, but once stolen they let the attacker straight through unless additional defenses are in place. Having those in place is now becoming the norm.

Today there are many ways to augment password protection with additional controls. The financial industry no longer uses password authentication as its sole protection, and it also moves beyond login-level controls: in-session activity and transaction monitoring are used, where what you do and how you do it is evaluated.

DARPA (the US Defense Advanced Research Projects Agency) has indicated it is considering a future in which passwords are not used and users are continuously authenticated based on their behavioral traits. Emerging eCommerce protection techniques likewise rely less on the passwords people selected and more on analyzing their actions.

The use of smartphones further accelerates this shift from traditional passwords to more comprehensive, advanced techniques. So don't be surprised if at some point in the future, perhaps very distant and perhaps less so, passwords are a thing of the past, just like punch cards and squealing modems.

But while we await this future reality, maybe we’d better change our LinkedIn passwords.

Uri Rivner

CEO and Co-Founder

Refine Intelligence

This post is from a series of posts in the group:

Information Security
