Story image

LinkedIn’s outage blunder left users exposed and was ‘easily preventable’

01 Dec 2017

​If you were out to do a bit of business and employment-oriented networking yesterday, you may have come across an error message.

LinkedIn went down yesterday in countries across the world due to an SSL certificate expiry, which resulted in us.linkedin.com, uk.linkedin.com, ca.linkedin.com and many others becoming inaccessible to many.

What’s more concerning is those that were able to bypass the error message and login were in fact browsing with all of their data at risk as there was no encryption.

LinkedIn updated users on its ‘LinkedIn Help’ Twitter site:

And undoubtedly with no shortage of urgency, the social media giant assured its users shortly afterwards that the issue had been resolved.

Cybersecurity expert Alan Woodward says the outage will have far-reaching implications.

“Simply put, it will erode trust with visitors to your site,” says Woodward.

“For a site like LinkedIn that could matter a great deal when people come to trust them with more data, something LinkedIn is always encouraging you to do to – 'complete your profile'.”

Vice president for security strategy and threat intelligence at Venafi, Kevin Bocek says simply this shouldn’t have happened.

"You may have fired up LinkedIn yesterday afternoon, only to be greeted with a "CERT_DATE_INVALID" warning. You won't have been alone. LinkedIn's website was down across most of its main regions, including, the UK,  Australia and the US,” says Bocek.

“High-profile websites crash almost every week, but what's really jarring about LinkedIn's stumble is that it was entirely preventable".

Bocek says this all comes down to a certificate related issue.

“Certificates provide every machine - whether it's a website, application or device, with an online identity. Without them, machines can't trust each other when they communicate,” says Bocek.

“So when LinkedIn's certificate expired yesterday, every major browser simply stopped trusting it. For a global social network with millions of members, it won't be catastrophic. But what if the same thing happened to, say, a large retailer over Christmas?"

If there’s one thing to come out of this, Bocek says LinkedIn’s blunder demonstrates why keeping in control of certificates is so important.

“While LinkedIn will have thousands of certificates to keep track of, outages like yesterday's show that it only takes one expiry to cause problems,” Bocek says.

“To stay in control, organisations should look to automate the discovery, management and replacement of every single certificate on its network - or LinkedIn won't be the last high-profile snafu."

Enterprise cloud deployments being exploited by cybercriminals
A new report has revealed a concerning number of enterprises still believe security is the responsibility of the cloud service provider.
Ping Identity Platform updated with new CX and IT automation
The new versions improve the user and administrative experience, while also aiming to meet enterprise needs to operate quickly and purposefully.
Venafi and nCipher Security partner on machine identity protection
Cryptographic keys serve as machine identities and are the foundation of enterprise information technology systems.
Machine learning is a tool and the bad guys are using it
KPMG NZ’s CIO and ESET’s CTO spoke at a recent cybersecurity conference about how machine learning and data analytics are not to be feared, but used.
Popular Android apps track users and violate Google's policies
Google has reportedly taken action against some of the violators.
How blockchain could help stop video piracy in its tracks
An Australian video tech firm has successfully tested a blockchain trial that could end up being a welcome relief for video creators and the fight against video piracy.
IBM X-Force Red & Qualys introduce automated patching
IBM X-Force Red and Qualys are declaring a war on unpatched systems, and they believe automation is the answer.
Micro Focus acquires Interset to improve predictive analytics
Interset utilises user and entity behavioural analytics (UEBA) and machine learning to give security professionals what they need to execute threat detection analysis.