Oct 27 2013
The security team at LinkedIn is stating they’ve done a spanking awesome job of securing Intro and that we should trust in them. This came out on Saturday in the form of a blog post from LinkedIn’s Cory Scott. Cory has an impressive background, with time spent at Matasano Security and Symantec. You can check out his LinkedIn profile for yourself if you want. And it sounds like they’ve got a pretty good setup. But he’s missing the main point: LinkedIn has painted a huge target on itself by asking for access to data it should never have been asking for in the first place.
I could pick apart every single claim he has made in the blog post; I have to explain and defend similar statements every day in my own role, and what he’s said is almost meaningless at the level of detail he’s giving us. What does it mean to have a ‘tight security perimeter’ or ‘the right monitoring in place’? A tight perimeter only lasts until the marketing team decides they need direct access to data or an admin makes a mistake in a network configuration. What is ‘the right monitoring’ in this case? How closely is LinkedIn looking at the data coming into, and more importantly, leaving their network? LinkedIn has had several high-profile compromises in the last few years, and I’m willing to bet they thought they had the proper level of monitoring in each of those cases too.
What’s really the problem is what LinkedIn had to do in order to create Intro. This isn’t actually much of a program; it’s really a configuration profile you install that gives LinkedIn permission to insert itself into the traffic between iOS Mail.app and the IMAP server you’re connecting to. They’re breaking the communication channel, and any security surrounding it, in order to be able to insert their own content. Even if they don’t monitor the email content itself, the metadata about the email you send and receive (who, to whom, when, in reply to what) is invaluable when it comes to understanding your network of contacts and friends. Just look at how closely this mirrors the current international debate about the NSA. I can’t see why anyone would be more willing to trust LinkedIn than they’d trust a shadowy government agency. At least the NSA supposedly has our best interests at heart and won’t sell our data in order to meet Wall Street earnings numbers.
Then there’s the issue of being able to inject HTML code and a user interface (UI) into your email, one that allows them to push HTML and CSS to your device. How much testing has that really undergone? How is the system protected from malicious code being injected into the stream? If these systems are somehow compromised, then the entire user base of Intro could easily be compromised. Or an attacker could wait until a specific target uses the service, vastly increasing the chances of remaining undetected.
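To make concrete what the two paragraphs above describe, here is an added example in Python. It is not LinkedIn’s code and was not part of the original post; it only models the position an interposing mail relay occupies once the configuration profile has pointed Mail.app at it. A constructed sample message is parsed the way a relay between Mail.app and the real IMAP server would receive it: one function pulls out the header metadata such a relay sees even if it never reads a body, and another appends an HTML fragment to the text/html part the way a content-inserting proxy would, with no sanitisation of the fragment at all. Every address, message ID, date and the fragment text are made up for the example.

```python
"""Added illustration (not LinkedIn's code): what an IMAP interposer such as
Intro is positioned to see and change in the mail it relays.

Everything below is constructed sample data; the addresses, message IDs and
the injected fragment are invented for the example."""

import email
from email import policy

# Constructed sample message, as the relay would receive it from the real
# IMAP server before handing it on to Mail.app.
SAMPLE_RAW = b"""\
From: Alice Example <alice@example.com>
To: Bob Example <bob@example.org>
Cc: carol@example.net
Date: Sun, 27 Oct 2013 09:15:00 +0000
Message-ID: <20131027091500.1234@example.com>
In-Reply-To: <20131026200000.9876@example.org>
Subject: Board meeting follow-up
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Bob, see the numbers attached.
--b1
Content-Type: text/html; charset="utf-8"

<html>
<body>
<p>Bob, see the numbers attached.</p>
</body>
</html>
--b1--
"""

# Headers a relay sees on every message without decoding a single body part.
METADATA_HEADERS = ("From", "To", "Cc", "Date", "Message-ID",
                    "In-Reply-To", "Subject")


def extract_metadata(raw: bytes) -> dict:
    """Return the header metadata visible to a relay that never reads bodies."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {h: str(msg[h]) for h in METADATA_HEADERS if msg[h] is not None}


def html_part(raw: bytes) -> str:
    """Return the decoded text/html body of a message ('' if it has none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            return part.get_content()
    return ""


def inject_html(raw: bytes, fragment: str) -> bytes:
    """Append an HTML fragment to the text/html part, as a content-inserting
    relay would, and re-serialise the whole message.

    `fragment` is inserted verbatim. Nothing here validates or sanitises it,
    which is the exposure the text raises: whoever controls the fragment
    source controls what every relayed mailbox renders."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html = part.get_content()
            # Insert just before </body>; fall back to appending if absent.
            if "</body>" in html:
                html = html.replace("</body>", fragment + "</body>", 1)
            else:
                html = html + fragment
            part.set_content(html, subtype="html")
            break
    return msg.as_bytes()


if __name__ == "__main__":
    # Hypothetical fragment standing in for the injected profile UI.
    injected = inject_html(SAMPLE_RAW, '<div id="intro">injected</div>')
    for key, value in extract_metadata(SAMPLE_RAW).items():
        print(f"{key}: {value}")
    print(html_part(injected))
```

The relay in this model never needs to look at the text/plain or text/html bodies to build a contact graph: `extract_metadata` alone yields sender, recipients, timestamp and the reply chain for every message that passes through. The injection path is the second half of the risk: `inject_html` trusts its fragment completely, so the integrity of whatever service produces that fragment becomes the integrity of every user’s inbox rendering.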
I maintain that LinkedIn has made a huge mistake with Intro. If I were a well-funded, adaptive attacker, I’d be quickly sniffing around the edges of Intro, looking at how I could compromise the profiles, whether I could intercept the communication between the devices and LinkedIn, and how I could compromise the servers and services LinkedIn is offering. They’ve made themselves the man in the middle of their users’ email, a role I have a hard time believing they’re ready for and that they have the ability to properly secure. This isn’t the type of activity and network that standard security practices, even done right 100% of the time, are ready and able to handle. LinkedIn’s history doesn’t leave me feeling they’ve done even standard security practices to industry-leading standards, so why should I feel they’ve done it right this time?
If Intro lasts a year without some sort of class break or system compromise, I’ll be surprised. I wish them luck, but I maintain this was a bad idea any security professional should have called a halt to early in the planning process. And I won’t be surprised if Apple calls a halt to this either.