But it also runs the risk of making LinkedIn more attractive to hackers. At least that's the early reaction from two prominent security analysts.
James Lyne, Global Head of Security Research for anti-malware company Sophos, says in a blog posting that LinkedIn has "put up a big sign advertising to cyber criminals, nation states and others 'hack here, we've got loads of juicy data'. "
Intro ties into Apple's iOS native e-mail application. It is designed to re-configure your e-mail to proxy through LinkedIn servers. This redirection enables LinkedIn to insert a banner that appears to be integrated with the application natively. LinkedIn, in effect, has become a man-in-the-middle of your e-mail flow; its servers sit between you and your actual e-mail provider.
From a security and privacy standpoint, this introduces fresh opportunities for bad guys, says Carl Livitt, Senior Security Researcher at security consultancy Bishop Fox. Livitt and Lyne are among the first security experts to react strongly to Intro.
Julie Inouye, LinkedIn's corporate communications director, says the company has taken extensive security and privacy precautions.
"We take the privacy and security of our members' data very seriously and have taken a thoughtful approach to ensure we've put the right security precautions in place for the LinkedIn Intro product," Inouye told CyberTruth.
Inouye points out that security precautions include: isolating the Intro environment as a separate high security segment from the rest of LinkedIn systems; hardening parts of its infrastructure related to delivering the service; retaining an outside vendor to review the code dealing with transmission of credentials and handling email content; ensuring that credentials and e-mail content are never stored unencrypted; and continuously monitoring the Intro platform for security and availability issues.
Even so, in a CyberTruth interview, Bishop Fox's Livitt drilled down on his concerns:
CT: So what do you believe to be the core security issue introduced by Intro?
Livitt: You can bet your last dollar that enterprising hackers and spammers will view Intro as a potential goldmine. Intro supports some of the biggest names in email: Yahoo!, Gmail, AOL. And it's all centralized. Further, in most cases LinkedIn is not actually issuing new passwords for their email servers – they simply 'pass through' your real credentials to your real email provider.
Imagine if someone were to compromise the Intro platform. They would gain access to the usernames and passwords of at least every Yahoo! and AOL user; Gmail users would not be affected in the same way because of OAuth. There is also a rather pervasive concern that LinkedIn has a poor security track record and there is corresponding concern about the design, implementation, and due diligence that has gone into creating the Intro service.
Then there's the human side. Is it okay to hand over all of your emails to someone in exchange for convenience? Is it acceptable for a third-party to have the stated aim of modifying your emails? Is it okay to accept third-party iPhone configuration profiles as part of a free service?
CT: What market forces do you think drove LinkedIn to try this?
Livitt: I can only speculate. The ability to mine e-mails for information about users so that advertising can be targeted more effectively. The persistent branding of all e-mails with LinkedIn's service to embed themselves into the psyche of users. The ability to intercept and act upon the corporate communications of a large user base would be a business intelligence coup . . . Maybe we should have seen this coming after LinkedIn bought Rapportive.
CT: Anybody else doing anything similar to this?
Livitt: Some of the big MDM (mobile device management) providers employ techniques similar to what Intro is doing, but they have mature solutions. MDMs like AirWatch, Good and Fiberlink provide enterprise solutions for companies to manage the security of mobile devices by pushing security configuration profiles to iPhones and Androids. This gives them capabilities to manage apps and remotely wipe the phone. This is exactly the means by which LinkedIn is now pushing a new e-mail profile to iPhones. I know of no other social networking providers who do this. Facebook does ask for your e-mail credentials in order to collect your contacts, but none of your e-mail passes through their systems.
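The redirection described at the top of the article (a configuration profile that points the native mail app at a proxy) and the MDM comparison Livitt draws above are both visible in the profile itself. As an added example, not code from the article, from LinkedIn, or from any MDM vendor, the following Python script parses an iOS configuration profile and flags every mail payload whose IMAP/SMTP servers are not the provider's own, and notes when the payload ships a reusable password, which is the "pass through your real credentials" case Livitt describes. The sample profile, the example.com relay hostnames, and the reference table of provider hosts are constructed for this example; nothing here is LinkedIn's actual profile.

```python
import plistlib

# Constructed sample .mobileconfig (not LinkedIn's real profile). The mail payload
# keeps the user's real Yahoo! address and password but points the IMAP/SMTP
# servers at a third-party relay, which is the redirection the article describes.
# Hostnames under example.com are placeholders.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.mailprofile</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mail.managed</string>
      <key>PayloadIdentifier</key><string>com.example.mailprofile.imap</string>
      <key>EmailAccountType</key><string>EmailTypeIMAP</string>
      <key>EmailAddress</key><string>alice@yahoo.com</string>
      <key>IncomingMailServerHostName</key><string>imap-relay.example.com</string>
      <key>IncomingMailServerPortNumber</key><integer>993</integer>
      <key>IncomingMailServerUsername</key><string>alice@yahoo.com</string>
      <key>IncomingMailServerAuthentication</key><string>EmailAuthPassword</string>
      <key>OutgoingMailServerHostName</key><string>smtp-relay.example.com</string>
      <key>OutgoingMailServerPortNumber</key><integer>587</integer>
    </dict>
  </array>
</dict>
</plist>
"""

# Same constructed profile with the servers pointed back at the provider's own hosts.
CLEAN_PROFILE = (SAMPLE_PROFILE
                 .replace(b"imap-relay.example.com", b"imap.mail.yahoo.com")
                 .replace(b"smtp-relay.example.com", b"smtp.mail.yahoo.com"))

# Assumed reference table: the hosts a provider's own mail setup would use.
# Extend it for the domains your fleet actually uses.
EXPECTED_HOSTS = {
    "yahoo.com": {"imap.mail.yahoo.com", "smtp.mail.yahoo.com"},
    "aol.com": {"imap.aol.com", "smtp.aol.com"},
    "gmail.com": {"imap.gmail.com", "smtp.gmail.com"},
}


def mail_payloads(profile_bytes):
    """Yield every com.apple.mail.managed payload, however deeply it is nested."""
    stack = [plistlib.loads(profile_bytes)]
    while stack:
        node = stack.pop()
        if isinstance(node, dict):
            if node.get("PayloadType") == "com.apple.mail.managed":
                yield node
            stack.extend(node.values())
        elif isinstance(node, list):
            stack.extend(node)


def audit_profile(profile_bytes, expected=EXPECTED_HOSTS):
    """Return one finding per mail server that is not the provider's own host.

    Each finding also records whether the payload authenticates with a reusable
    password (EmailAuthPassword) rather than a delegated token, i.e. whether the
    relay sees the user's real provider credentials and not just the mail.
    """
    findings = []
    for payload in mail_payloads(profile_bytes):
        address = payload.get("EmailAddress", "")
        domain = address.rsplit("@", 1)[-1].lower()
        known = expected.get(domain)
        password_auth = payload.get("IncomingMailServerAuthentication") == "EmailAuthPassword"
        for key in ("IncomingMailServerHostName", "OutgoingMailServerHostName"):
            host = payload.get(key, "").lower()
            if known is None:
                reason = "no reference hosts for domain %s" % domain
            elif host in known:
                continue
            else:
                reason = "server is not a %s host" % domain
            findings.append({
                "account": address,
                "setting": key,
                "host": host,
                "credentials_exposed": password_auth,
                "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for f in audit_profile(SAMPLE_PROFILE):
        print("%(account)s %(setting)s -> %(host)s (%(reason)s; "
              "password pass-through=%(credentials_exposed)s)" % f)
```

Run against a profile exported from a device (or one an MDM is about to push), the script gives a quick answer to the question the article raises: does this profile route mail through someone other than the provider, and if so, does that someone also receive the real password. A domain missing from the reference table is reported rather than silently passed, so the table's gaps show up as findings instead of false negatives.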
CT: Have you contacted them about this?
Livitt: We haven't heard anything from LinkedIn, nor have we actively pursued dialogue with them. That said, the risks introduced by their applications are by design. This isn't a security vulnerability that can be patched.
CT: Anything else?
Livitt: This will be an interesting social experiment – how many people do you think will actually hand over their e-mails to LinkedIn in exchange for the convenience of having LinkedIn embedded into their e-mail client? I have no idea, but it will be fascinating to find out.