Oct 27 2013

Making the right mouth noises, but…

Published by at 4:46 am under General

The security team at LinkedIn is stating they’ve done a spanking awesome job of securing Intro and that we should trust in them.  This came out on Saturday in the form of a blog post from LinkedIn’s Cory Scott.  Cory has an impressive background, with time spent at Matasano Security and Symantec.  You can check out his LinkedIn profile for yourself if you want.  And it sounds like they’ve got a pretty good setup.  But he’s missing the main point: LinkedIn has painted a huge target on themselves by asking for access to data they should never be asking for in the first place.

I could pick apart every single claim he has made in the blog post; I have to explain and defend similar statements every day in my own role, and what he’s said is almost meaningless at the level of detail he’s giving us.  What does it mean to have a ‘tight security perimeter’ or ‘the right monitoring in place’?  A tight perimeter only lasts until the marketing team decides they need direct access to data or an admin makes a mistake on a network configuration.  What is ‘the right monitoring’ in this case?  How closely is LinkedIn looking at the data coming into, and more importantly, leaving their network?  LinkedIn has had several high profile compromises in the last few years and I’m willing to bet that they thought they had the proper level of monitoring in each of those cases too.

The real problem is what LinkedIn had to do in order to create Intro.  This isn’t actually much of a program; it’s really a configuration profile that you install to give LinkedIn permission to insert itself into the traffic between iOS Mail.app and the IMAP server you’re connecting to.  They’re breaking the communication channel, and any security surrounding it, in order to be able to insert their own content.  Even if they don’t monitor the emails’ content itself, the metadata about the emails you send is invaluable when it comes to understanding your network of contacts and friends.  Just look at how closely this mirrors the current international debate about the NSA.  I can’t see why anyone would be more willing to trust LinkedIn than they’d trust a shadowy government agency.  At least the NSA supposedly has our best interest at heart and won’t sell our data in order to meet Wall Street earnings numbers.

Then there’s the issue of being able to inject HTML code and a user interface (UI) into your email, one that allows them to push HTML and CSS to your desktop.  How much testing has that really undergone?  How is the system protected from malicious code being injected into the stream?  If these systems are somehow compromised, then the entire user base of LinkedIn could easily be compromised.  Or an attacker could wait until a specific target uses the service, vastly increasing the chances to remain undetected.

I maintain that LinkedIn has made a huge mistake with Intro.  If I were a well-funded, adaptive attacker, I’d be quickly sniffing around the edges of Intro, looking at how I can compromise the profiles, whether I can intercept the communication between the devices and LinkedIn, and how I can compromise the servers and services LinkedIn is offering.  They’ve made themselves the man in the middle of a circle of communication, a role I have a hard time believing they’re ready for and that they have the ability to properly secure.  This isn’t the type of activity and network that standard security practices, even done right 100% of the time, are ready and able to handle.  LinkedIn’s history doesn’t leave me feeling they’ve done even standard security practices to industry-leading standards, so why should I feel they’ve done it right this time?

If Intro lasts a year without some sort of class break or system compromise, I’ll be surprised.  I wish them luck, but I maintain this was a bad idea any security professional should have called a halt to early in the planning process.  And I won’t be surprised if Apple calls a halt to this either.

One Response to “Making the right mouth noises, but…”

  1. Roland Dobbinson 27 Oct 2013 at 8:04 pm

    If I were an attacker, I’d simply concentrate on using LinkedIn’s own Social Engineering Networking (heh) data to either phish, blackmail, or recruit a LinkedIn employee in order to gain the access I wanted.

    This kind of thing is crazy-stupid, and I would submit that any self-described ‘security professional’ from whom one receives Intro-ized email will have revealed himself as unworthy of his Confused Information Systems Security Professional self-study comic books.

    What’s really surprising is that LinkedIn’s legal team didn’t put the kibosh on Intro, given the huge liability exposure resulting from the fact that they’ll potentially be MITMing the email of some pretty major corporations – apparently, either they’re clueless, or were overridden, or weren’t even consulted in the first place.
