Lax security caused LinkedIn hack, say reports

The professional social site, LinkedIn announced last week that it was hacked and more than 6 million passwords were stolen. LinkedIn is seeking help from the FBI to investigate the theft of passwords. Now, Sydney Morning Herald claims that hackers try breaking into companies almost everyday, but lax security on the part of LinkedIn, reportedly caused this attack. It is surprising that a data company, which collects data and makes profit hasn’t been able to combat such an attack. Security experts have pointed out that LinkedIn neither has a Chief Information Officer (CIO) nor a Chief Information Security Officer (CSIO) whose job is to monitor breaches. This makes the vice president of operations responsible for security.

Another one bites the dust

Earlier, the music website Lastfm.com and the dating website eHarmony were also attacked.  In February, Jody Westby, CEO of Global Cyber Risk had told IT Pro that the only way to protect data was for data-driven companies to have a CSIO and a chief privacy officer on staff, as privacy, security and cyber crime are interlinked. The LinkedIn security breach shows that there wasn’t much thought given to the security by LinkedIn. "If they had consulted with anyone that knows anything about password security, this would not have happened," said Paul Kocher, President of Cryptography Research, a San Francisco computer security firm.

Furthermore, there are no penalties for such companies who are responsible for breach of customers' data. In fact, after the LinkedIn password breach, the company’s stock rose. Moreover, LinkedIn wasn’t a new start-up, it entered initial public opening last year, and rakes in the moolah by helping to hire top talent for companies. "I expected better from LinkedIn," Craig Robert Smith, a professional musician and product manager at Buzzmedia told SMH. "But I can't delete my account because it's the place to be in terms of getting recruited and networking."

Reportedly, companies make it difficult for hackers to sneak in with a series of random digits at the end of each hashed value. The process is called salting and requires just a few more lines of code, which can be added at no extra cost. Salting passwords is a basic step that LinkedIn failed to take. Even more superior security involves hashing passwords with complex cryptographic functions, salting them, and then hashing the result again. Later, storing the credentials on separate and secure Web servers.