How To Avoid Becoming The Next LinkedIn
LinkedIn really stuck its foot in its mouth recently when a group of supposedly Russian hackers worked their way into the company’s servers and made off with roughly 6.5 million user password hashes, which were then dumped on a hacker forum. The passwords were not encrypted at all; they were stored as plain, unsalted SHA-1 hashes, which, as explained below, is only marginally better than plaintext. If you yourself are a LinkedIn user, do yourself a favor and change your password now, just to be sure.
That aside, there is a much more important issue that you or anyone who has their own online data to protect on a website or server should be thinking about in light of what happened to the social networking giant: How to avoid the same sort of problem for your own passwords and other crucial information?
LinkedIn is a major player in the social networking scene, makes a profit, and has plenty of cash on hand to tackle security issues and maintain a solid infrastructure. Despite this, the company had taken an extremely cavalier attitude towards protecting the information of its millions of users. LinkedIn had no chief security officer to specifically deal with data protection and its information was protected in a laughably poor way. Since customers and users had no clue about the data security behind their accounts, nobody seems to have ever questioned LinkedIn’s policies.
Although the theft of 6.5 million user passwords only represents less than 5% of the people that do their social networking and contact management through the website, the fact that hackers were ever able to access so much data represents a serious failure on the part of the company. If any bank were to have 5% of its client accounts breached, the ramifications for its stock price would be disastrous.
A Basic Look at the Breach
The details on how exactly the hackers worked their way into LinkedIn’s servers and what else they accessed are still unclear.
However, it’s important to note that, according to what has been reported, the file containing the user password hashes sat on LinkedIn’s web-facing servers rather than on a separate, isolated data store. Furthermore, the passwords were hashed with plain SHA-1 and no salt. The weakness is not that SHA-1 is “well known” (hash algorithms are public by design); it is that SHA-1 is a fast function built for integrity checks, not for password storage, and that without a per-user salt every account that chose the same password ends up with the very same hash. An attacker holding the file needs only a list of common passwords and their precomputed SHA-1 values to recover a large share of the accounts almost instantly, and a single modern GPU can test billions of SHA-1 candidates per second against whatever is left.
Put differently, with the password file in hand the hackers can run enormous precomputed tables of hashes for common words, names and alphanumeric patterns straight against the dump, because they already know the hash function (SHA-1) and there is no salt to make each user’s hash unique. The hashed passwords were posted online in an effort to get help from other hackers in cracking them (hashes are not “decrypted”; they are cracked by guessing candidate passwords until one produces the same hash).
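The following example is added here to show concretely why an unsalted SHA-1 dump falls so quickly; it is not code from the original article and has nothing to do with LinkedIn’s real data. The “leaked” hashes are constructed in the script from known passwords, and the wordlist is a stand-in for the multi-million-entry lists attackers actually use. The point it demonstrates: a precomputed table is reusable against every unsalted dump, and identical passwords produce identical hashes, so one crack recovers every user who chose that password.

```python
import hashlib

# Constructed sample "dump": unsalted SHA-1 hashes built here from known
# passwords to stand in for a leaked file. This is not LinkedIn's data.
LEAKED_HASHES = [
    hashlib.sha1(p.encode()).hexdigest()
    for p in ["password", "123456", "linkedin", "letmein", "password", "xK9#vL2$pQ7!"]
]

# A tiny wordlist; real ones have hundreds of millions of entries.
WORDLIST = ["123456", "password", "qwerty", "letmein", "linkedin", "abc123", "monkey"]


def build_lookup_table(words):
    """Hash every candidate once. Because the hashes are unsalted, this table
    works against every unsalted SHA-1 dump ever leaked, not just this one."""
    return {hashlib.sha1(w.encode()).hexdigest(): w for w in words}


def crack_unsalted(hashes, table):
    """Dictionary lookup: one hash-table probe per leaked hash, no hashing at
    crack time. Returns (hash, plaintext-or-None) pairs in input order."""
    return [(h, table.get(h)) for h in hashes]


def duplicate_hashes(hashes):
    """Hashes that appear more than once. Without a salt, every user who chose
    the same password has the same hash, so cracking one cracks them all."""
    seen, dupes = set(), set()
    for h in hashes:
        if h in seen:
            dupes.add(h)
        seen.add(h)
    return dupes


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    for h, pw in crack_unsalted(LEAKED_HASHES, table):
        print(f"{h[:12]}...  ->  {pw if pw else '<not in wordlist>'}")
    print(f"{len(duplicate_hashes(LEAKED_HASHES))} hash(es) shared by several users")
```

Only the last, genuinely random password survives the lookup, and it survives only because it is not in the wordlist; a longer list or a GPU brute-force pass would be the next step. Note also that the two users who picked “password” share one hash, which is exactly what a per-user salt prevents.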
LinkedIn had failed to follow a few very basic security practices that could have contained this whole disaster: first, attackers were able to reach its web servers at all; second, its most sensitive data (the password hashes) lived on those same servers; and third, the hashes were fast, unsalted SHA-1, which is trivial to crack at scale. This is inexcusable considering that salted, deliberately slow password hashing schemes such as bcrypt, scrypt and PBKDF2 have been freely available for years, and that strong encryption for data that genuinely must be read back later (AES, PGP) costs nothing either.
How to Avoid a LinkedIn Mistake with Your Website
The specific mistakes that turned LinkedIn’s intrusion into a mass password leak are not difficult to avoid with your own website. No set of measures stops every attack, but a few basic steps will ensure that a break-in does not hand the attacker every one of your clients’ passwords. Let’s go over those steps.
Your servers are where your clients’ data lives. Protect them by using a hosting provider who offers a full range of security features such as malware scanning, intrusion detection, encrypted connections and encrypted storage. Keep the database that holds credentials and other sensitive records separate from the public-facing web servers, so that a compromised web server does not hand over the whole store, which is the mistake LinkedIn is reported to have made. Furthermore, you should specifically ask for dedicated servers that will be used for your website and your website alone. These will cost more per month, but the extra isolation they offer over shared servers makes the money worth it.
Server Intrusion Protection
Aside from the protections offered by your hosting provider, you should also run your own intrusion detection and endpoint protection software. Install it on your servers if possible, and also on every computer you use to administer them or upload files. Plain FTP (File Transfer Protocol) sends your username, password and files across the network in the clear, so use SFTP or SCP instead of FTP to upload to your website, and only from a machine that is well protected. Buy this software from reliable third-party providers like AVG, Kaspersky and other well-rated companies, learn to use it or hire someone who is an expert in doing so (more on this in a minute). Update it regularly, and keep every other application on your servers and workstations at its latest, patched version.
The most basic step in any web or computer security plan is strong passwords. Whatever LinkedIn’s weak link turned out to be, this is one you need to avoid. Any passwords you use to access your hosting servers, SFTP accounts and any computers that are used to administer your website should all be as strong as possible. This means that each password is unique to one system, at least 10 to 20 characters long, and made of randomly chosen numbers, letters in both upper and lower case and other characters; a long random passphrase of several unrelated words is a good alternative where you have to type it from memory. Random passwords are hard to remember, so store them in a password manager or another secure store, or memorize the few you need through a mnemonic of some kind. The extra effort in handling a difficult administrative password is much less of a problem than having your entire website breached and its data compromised.
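To put numbers on the “10 to 20 characters, fully random” advice, here is an added example (not from the original article) that generates passwords with the operating system’s cryptographic random source and works out how many bits of entropy a given length buys and how long an attacker would need to guess it. The attacker speed used in the demo, ten billion guesses per second, is an assumption chosen to reflect the order of magnitude of GPU cracking against a fast unsalted hash like SHA-1; substitute your own figure.

```python
import math
import secrets
import string

# 26 + 26 + 10 + 32 = 94 symbols
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=20, alphabet=ALPHABET):
    """Uniformly random password from the alphabet, using the OS CSPRNG.
    Never use the `random` module for this; its output is predictable."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits, guesses_per_second):
    """Expected time to hit the right guess: on average the attacker searches
    half the keyspace (2 ** (bits - 1) candidates) before succeeding."""
    return 2 ** (bits - 1) / guesses_per_second


if __name__ == "__main__":
    # Assumed attacker speed for illustration, not a measurement.
    RATE = 10 ** 10
    for length in (8, 10, 20):
        bits = entropy_bits(length, len(ALPHABET))
        years = expected_crack_seconds(bits, RATE) / (365 * 24 * 3600)
        print(f"{length:2d} chars: {bits:6.1f} bits, ~{years:.3g} years "
              f"at {RATE:.0e} guesses/s   e.g. {generate_password(length)}")
```

An 8-character random password from this alphabet is about 52 bits and falls in days at that rate; 10 characters is about 66 bits and takes decades; 20 characters is past 130 bits and is out of reach. The figures assume the password really is uniformly random, which is why it should be generated, not invented.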
Salted, Slow Password Hashes
Finally, the key problem behind LinkedIn’s breach: how stored passwords are protected. Do not use a fast, unsalted hash such as SHA-1 or MD5. Do not reach for encryption either: passwords should never be stored in a form that can be read back, and encrypting the password table with PGP or AES only moves the problem to the key, which a running server has to hold and an attacker on that server can take. Instead, use a scheme built for passwords: bcrypt, scrypt or PBKDF2. Each of these combines the password with a salt, a random value generated for every user and stored alongside the hash, so that identical passwords produce different hashes and precomputed tables become useless, and each runs its hash function many thousands of times so that every guess costs the attacker real time. If for some reason you must stay on a plain hash, salting it per user is the absolute minimum and is one of the most basic steps LinkedIn should have taken. Encrypt other sensitive files at rest with a modern cipher such as AES using keys of at least 128 bits, but understand that this does nothing for passwords. Never store passwords in plaintext, anywhere.
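Here is an added example, not part of the original article, of what the salted, slow scheme described above looks like in practice, using PBKDF2-HMAC-SHA256 from Python’s standard library (bcrypt or scrypt would serve equally well; PBKDF2 is used because it needs no extra packages). The iteration count is an assumption: tune it so one hash takes tens to hundreds of milliseconds on your own hardware, and raise it as machines get faster. The stored record is self-describing, so old accounts can be re-hashed at their next login when the work factor goes up.

```python
import hashlib
import hmac
import secrets

# Work factor chosen here as an assumption; tune so one hash costs tens to
# hundreds of milliseconds on your own hardware, and raise it over time.
ITERATIONS = 600_000


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm, work factor, per-user salt
    and derived key. The salt is random per call, so two users with the same
    password get different records and precomputed tables are useless."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and work factor; compare in constant time
    so a timing side channel cannot leak how many bytes matched."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def needs_rehash(stored: str, minimum: int = ITERATIONS) -> bool:
    """True if the record was made with a weaker work factor than now required;
    call hash_password again on the next successful login to migrate it."""
    return int(stored.split("$")[1]) < minimum


if __name__ == "__main__":
    # Constructed users: same password, yet two distinct records.
    alice = hash_password("correct horse battery staple")
    bob = hash_password("correct horse battery staple")
    print("records differ:", alice != bob)
    print("alice verifies:", verify_password("correct horse battery staple", alice))
    print("wrong password:", verify_password("wrong", bob))
```

Contrast this with the unsalted SHA-1 case: here an attacker who steals the table has to run 600,000 hash iterations per guess per user, and a lookup table built for one user is worthless against the next.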