[Fredslist] It may be time to give up on LinkedIn - LinkedIn’s New Mobile App Called ‘a Dream for Attackers’
Raj Goel, CISSP
raj at brainlink.com
Fri Oct 25 10:30:40 EDT 2013
Gothamites,
Today's NY Times has an article on a troublesome new app from LinkedIn that redirects (hijacks) your email traffic and routes it thru their servers.
Some social media champions may promote this as a good thing, but given LinkedIN's track record for insecurity, poor security practices and overall trend towards facebook-ization of their site, you may want to revisit your profile and LinkedIn usage practices.
OCTOBER 24, 2013, 8:03 PM 2 Comments
LinkedIn’s New Mobile App Called ‘a Dream for Attackers’
By NICOLE PERLROTH
LinkedIn Intro, a mobile feature, integrates with people’s iPhone Mail apps to display user profile information.
FACEBOOK
TWITTER
GOOGLE+
SAVE
E-MAIL
SHARE
PRINT
Security researchers are calling LinkedIn’s new mobile app, Intro, a dream come true for hackers or intelligence agencies.
“I’m flabbergasted by this,” Richard Bejtlich, the chief research officer at the computer security company Mandiant, said in an interview on Wednesday. “I can’t believe someone thought this was a good idea.”
Intro is an e-mail plug-in for iOS users that pulls LinkedIn profile information into e-mails so that the sender’s job title appears front-and-center in e-mails on a user’s iPhone or iPad.
Some bloggers have hailed it as a smart play by LinkedIn to get more mobile action and to get users to stop thinking of the service as a static Web site they go to every couple of years to update their employment status.
But security researchers have taken issue with the way the app works. Intro redirects e-mail traffic to and from users’ iPhones and iPads through LinkedIn’s servers, then analyzes and scrapes those e-mails for relevant data and adds pertinent LinkedIn details.
Researchers liken that redirection to a so-called man-in-the-middle attack in which hackers, or more recently, intelligence agencies, intercept Internet traffic en route to its destination and do what they will with it.
Iranian hackers used that tactic to intercept dissidents’ Gmail accounts in 2011, by hacking into DigiNotar, a Dutch certificate authority. The National Security Agency is accused of using man-in-the-middle attack tactics to snoop on Google traffic, according to recent revelations by Edward Snowden.
Security researchers say LinkedIn essentially does the same thing in the name of a new mobile feature.
” ‘But that sounds like a man-in-the-middle attack!” I hear you cry,’ ” Bishop Fox, a security consulting group wrote in a blog post. “Yes. Yes it does. Because it is. That’s exactly what it is. And this is a bad thing. If your employees are checking their company email, it’s an especially bad thing.”
LinkedIn has responded to some of those concerns in an amended blog post Thursday. The company notes that customers have to opt in to the app and that, once they do, their e-mail is encrypted to and from LinkedIn’s servers. The company also notes that LinkedIn does not store any e-mail on its servers.
But researchers note that in order for LinkedIn to stick changes into an e-mail, they have to decrypt it and then encrypt it again en route to its recipient, adding a new layer of insecurity to e-mail in transit.
“I worry LinkedIn is not going to treat this as the holy grail for people’s e-mail, even though it is,” said Mr. Bejtlich. “The risk is that you essentially trust a box, run by LinkedIn, with your e-mail. It’s a target for someone that wants to get to your e-mail. All the fears people now have about e-mail — that they will be intercepted by intelligence agencies for instance — are present.”
LinkedIn has not had the best security profile. After the service was hacked last year, six million user passwords popped up on a Russian message board, revealing that the company used only bare basic security protocols. And last month, the company became the target of a class-action suit by users who said it was improperly accessing their data.
Bishop Fox, the security consulting firm, called the app “a dream for attackers” and enumerated specific concerns in a blog post. Among them: By giving LinkedIn access to their e-mails, users may be waiving their rights to attorney-client privilege. The consultancy also warned users that by opting into Intro, they may be “in gross violation” of their employer’s security policies.
“I don’t think people who use this are seriously thinking about the implications of LinkedIn seeing and changing their e-mail,” notes Mr. Bejtlich. “These changes are done in the name of a feature, or speed, but it just completely breaks the idea that e-mail traffic is going where it should go and no place else.”
--Raj
Rajesh Goel, CISSP
cell (917) 685-7731
CTO: Brainlink International, Inc.
raj at brainlink.com
www.brainlink.com
www.linkedin.com/in/rajgoel
You run your business, and leave the IT to us.
Author of "The Most Important Secrets To Getting Great Results From IT"
http://www.amazon.com/Important-Secrets-Getting-Great-Results/dp/0984424814
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.gothamnetworking.com/pipermail/fredslist/attachments/20131025/e346ebc1/attachment.html
More information about the Fredslist
mailing list