Later On

A blog written for those whose interests more or less match mine.

Why companies do not protect your data


It costs money to protect the data, and there’s no penalty if the data are stolen. For corporations, whose outlooks tend to be sociopathic and focused purely on profit, the direction to go is obvious: don’t spend money on data security. LinkedIn is the latest, as reported by Nicole Perlroth in the NY Times:

LinkedIn is a data company that did not protect its data.

Last week, hackers breached the site and stole more than six million of its customers’ passwords, which had been only lightly encrypted. They were posted to a Russian hacker forum for all to see.

That LinkedIn was attacked did not surprise anyone. Companies’ computer systems are attacked every day. Indeed, the CBS music site Lastfm.com and the dating site eHarmony confirmed last week that millions of user passwords were stolen.

What has surprised customers and security experts alike is that a company that collects and profits from vast amounts of data had taken a bare-bones approach to protecting it. The breach highlights a disturbing truth about LinkedIn’s computer security: there isn’t much. Companies with customer data continue to gamble on their own computer security, even as the break-ins increase.

“If they had consulted with anyone that knows anything about password security, this would not have happened,” said Paul Kocher, president of Cryptography Research, a San Francisco computer security firm.

Part of the problem may be that there are few consequences for companies with a devil-may-care attitude toward data. There are no legal penalties. Customers rarely defect. And in LinkedIn’s case, its stock price actually rose in the days after the breach.

What especially concerns many people on this particular breach was that LinkedIn was not some green start-up or a company unfamiliar with data. After a highly successful initial public offering in May last year, it has piles of cash. It recruits top talent. And it makes money. It also has 160 million members who share their business connections in the hopes of making a broader and more efficient network. And they want their data to be protected.

“I expected better from LinkedIn,” said Craig Robert Smith, a professional musician and product manager at Buzzmedia. “But I can’t delete my account because it’s the place to be in terms of getting recruited and networking.”

It was not immediately clear how hackers were able to breach the system, how long they had been there, or if they are still poking around inside. LinkedIn does not have a chief security officer whose sole job it is to monitor for breaches. The company says David Henke, its senior vice president for operations, oversees security in addition to other roles, but Mr. Henke declined to speak for this article.

On a grading scale of A through F, experts say, LinkedIn, eHarmony and Lastfm.com would get, at best, a “D” for password security. The most negligent thing a company can do with users’ passwords is store them in plain text. That was the case with RockYou, a gaming site that lost 30 million user passwords in a 2009 breach. The most basic step they can take to protect passwords is camouflage them with basic encryption — what is known as “hashing” — in which they mash-up a password with a mathematical algorithm and store only the encoded, or “hashed,” version.

But hackers are a determined bunch. They use . . .

Continue reading.
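The quoted article contrasts three levels of password storage: plain text (the RockYou case), “light” hashing, and proper protection. The following is an added illustration, not code from the post or from the article, and it does not claim to show what LinkedIn actually did: it stores the same sample password for two constructed users under each scheme and checks the one property a defender cares about most, whether the stored record leaks anything on its own. A fast unsalted hash stands in for the “lightly encrypted” case (an assumption for illustration), and a per-user salt plus a slow key-derivation function (PBKDF2 from Python’s standard library) stands in for the recommended case. Names such as `USERS`, `store_unsalted_fast_hash` and `compare_schemes` are invented here.

```python
import hashlib
import hmac
import os

# Constructed sample data: two users who happen to pick the same password.
USERS = {
    "alice": "correct horse battery staple",
    "bob": "correct horse battery staple",
}


def store_plaintext(password: str) -> str:
    """Worst case: the password itself is the stored record (the RockYou approach)."""
    return password


def store_unsalted_fast_hash(password: str) -> str:
    """Illustrates a 'light' scheme: one pass of a fast hash, no salt.

    Assumed for illustration only; the article does not specify LinkedIn's scheme.
    Equal passwords produce equal hashes, and the digest can be precomputed
    once for a whole dictionary, so the stored record still leaks information.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def store_salted_slow_hash(password: str, iterations: int = 200_000) -> str:
    """Recommended shape: random per-user salt + deliberately slow PBKDF2.

    The salt makes identical passwords produce different records and defeats
    precomputed tables; the iteration count makes each guess expensive.
    Record format (invented here): algo$iterations$salt_hex$digest_hex
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute the derivation from the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def reveals_shared_password(records: dict) -> bool:
    """True if the stored records alone show that two users share a password."""
    return len(set(records.values())) < len(records)


def compare_schemes(users: dict = USERS) -> dict:
    """Store every user's password under each scheme and report the leak check."""
    schemes = {
        "plaintext": store_plaintext,
        "unsalted_fast_hash": store_unsalted_fast_hash,
        "salted_slow_hash": store_salted_slow_hash,
    }
    return {
        name: reveals_shared_password({u: fn(p) for u, p in users.items()})
        for name, fn in schemes.items()
    }


if __name__ == "__main__":
    for scheme, leaks in compare_schemes().items():
        print(f"{scheme:20s} reveals shared password: {leaks}")
    rec = store_salted_slow_hash(USERS["alice"])
    print("verify correct:", verify_salted(USERS["alice"], rec))
    print("verify wrong:  ", verify_salted("not the password", rec))
```

The point of the check is that the first two schemes expose the fact that alice and bob share a password before any guessing begins, while the salted, iterated scheme does not; the verify function shows that the salt costs the legitimate site nothing, since it is stored alongside the digest and simply reused at login.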

Obviously a Federal law that requires strong security and includes harsh penalties for companies that fail to meet specified standards would help. (In my opinion, “harsh penalties” would include prison terms, not just fines.) But this is impossible in a Congress that has no interest at all in protecting consumers and an overwhelming interest in protecting corporations—in the Senate a minority can block any action (as it routinely does), and in the House, the GOP is in charge, and the GOP is definitely in the corporation-protection racket: that’s where the GOP gets its money (though of course that flow of money does not influence legislation ha ha ha ha (bitter laughter)). I suppose our country is getting the government it deserves.

I will say that I closed my LinkedIn account, and gave as a reason “You lost my password,” but I’m retired. Others may not be able to do that.

Let me point to the conclusion of the story for those who dislike the government and think the government should pretty much let companies do what they want, because that would probably work out for the better somehow:

Mr. Kocher thinks he sees one reason in two charts he consults. One shows the number of airplane fatalities per miles flown, which decreased to one-thousandth of what it was in 1945, with the advent of the Federal Aviation Administration in 1958 and stricter security and maintenance protocols. The other, which charts the number of new computer security threats, shows the opposite. There has been a 10,000-fold increase in the number of new threats since 2002, according to data from Symantec, the antivirus firm.

The problem, Mr. Kocher and others security experts say, is a lack of liability. Computer security is not regulated and even as loads of sensitive personal, corporate and financial data gets uploaded daily, companies continue to skimp on basic protections. If 5 percent of airplanes in the United States crashed tomorrow, there would be investigations, lawsuits, a cutback in air travel and airlines’ stock prices would most likely suffer. With social networks, Mr. Kocher says, “People don’t vote with their feet.”

LinkedIn would not say whether any members had dropped the service since the breach became public on Wednesday, but even as hackers worked diligently to crack its passwords, the company’s stock rose 4 percent by the end of the week.

“Every time a plane crashes, the F.A.A. investigates and publishes the data in aggregate,” Mr. Grossman said. “With breaches, there’s no such thing. There’s no government agency. We don’t know where the bodies are buried, or how they got there.”

But government is bad, in the view of some, and requiring companies to do things for the common welfare is bad.

Written by LeisureGuy

10 June 2012 at 1:38 pm
