Vulnerabilities / Threats
10/28/2013
11:38 AM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

LinkedIn Defends 'Intro' Email Security

LinkedIn responds to user and security expert concerns about new email feature, cites measures it took to make LinkedIn Intro safe.

LinkedIn: 10 Important Changesr
(click image for larger view and for slideshow)
LinkedIn: 10 Important Changes
LinkedIn's newest feature, called Intro, stirred up controversy last week when the professional social network introduced it -- and a few other features -- at an event about its mobile offerings. LinkedIn Intro is an opt-in service that lets you connect on a professional level with people you email every day.

"When people email you, we show you their LinkedIn profile: you can put faces to names, write more effective emails, and establish rapport," LinkedIn said in the announcement. "You can grow your professional network by connecting with them on LinkedIn."

But not everyone was as enthusiastic about it: Security experts were wary, especially in light of LinkedIn's breach last year, which compromised 6.5 million user passwords. To use Intro, users are required to route all emails through LinkedIn's "Intro" servers, which then scan them for certain types of content and temporarily store the passwords to users' external accounts. Security expert Graham Cluley said this sent a shiver down his spine.

[ Learn how to keep your job search private. Read 5 LinkedIn Privacy Settings For Job Hunters. ]

Over the weekend, LinkedIn responded to criticism in a blog post highlighting the measures it took to ensure Intro was safe and secure.

"When the LinkedIn Security team was presented with the core design of Intro, we made sure we built the most secure implementation we believed possible," said Cory Scott, senior manager of information security at LinkedIn. "We explored numerous threat models and constantly challenged each other to consider possible threat scenarios."

LinkedIn described the actions it took prior to Intro's launch. Among them:

-- Isolating Intro in a separate network segment and implementing a security perimeter across trust boundaries;

-- Performing hardening of the external- and internal-facing services and reducing exposure to third-party monitoring services and tracking;

-- Engaging iSEC Partners, a security consultancy, to perform a line-by-line code review of the credential handling and mail parsing/insertion code;

-- Penetration testing the final implementation by LinkedIn's internal team to ensure vulnerabilities were addressed; and

-- Ensuring it had the right monitoring in place to detect potential attacks, react quickly and minimize exposure.

LinkedIn clarified that all communications use SSL/TLS at each point of the email flow between a user's device, LinkedIn Intro and the third-party email system. "When mail flows through LinkedIn Intro, we make sure we never persist the mail contents to our systems in an unencrypted form," Scott said. "And once the user has retrieved the mail, the encrypted content is deleted from our systems."

Scott also addressed rampant concerns from iOS users. "It's important to note that we simply add an email account that communicates with Intro," he said. "The profile also sets up a certificate to communicate with the Intro web endpoint through a web shortcut on the device. We do not change the device's security profile in the manner described in a blog post that was authored by security firm Bishop Fox on Thursday."

LinkedIn's Scott said he and LinkedIn welcome "healthy skepticism and speculation," but LinkedIn felt it was necessary to clarify its practices and correct the misperceptions.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
David F. Carr
50%
50%
David F. Carr,
User Rank: Apprentice
10/29/2013 | 3:13:40 AM
re: LinkedIn Defends 'Intro' Email Security
By nature, social computing leans toward sharing and openness. People join LinkedIn to build their circle of connections not to live the most private life possible.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2188
Published: 2015-02-26
The Authentication Proxy feature in Cisco IOS does not properly handle invalid AAA return codes from RADIUS and TACACS+ servers, which allows remote attackers to bypass authentication in opportunistic circumstances via a connection attempt that triggers an invalid code, as demonstrated by a connecti...

CVE-2015-0594
Published: 2015-02-26
Multiple cross-site scripting (XSS) vulnerabilities in the help pages in Cisco Common Services, as used in Cisco Prime LAN Management Solution (LMS) and Cisco Security Manager, allow remote attackers to inject arbitrary web script or HTML via unspecified parameters, aka Bug IDs CSCuq54654 and CSCun1...

CVE-2015-0632
Published: 2015-02-26
Race condition in the Neighbor Discovery (ND) protocol implementation in Cisco IOS and IOS XE allows remote attackers to cause a denial of service via a flood of Router Solicitation messages on the local network, aka Bug ID CSCuo67770.

CVE-2015-0651
Published: 2015-02-26
Cross-site request forgery (CSRF) vulnerability in the web GUI in Cisco Application Networking Manager (ANM), and Device Manager (DM) on Cisco 4710 Application Control Engine (ACE) appliances, allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCuo99753.

CVE-2015-0882
Published: 2015-02-26
Multiple cross-site scripting (XSS) vulnerabilities in zencart-ja (aka Zen Cart Japanese edition) 1.3 jp through 1.3.0.2 jp8 and 1.5 ja through 1.5.1 ja allow remote attackers to inject arbitrary web script or HTML via a crafted parameter, related to admin/includes/init_includes/init_sanitize.php an...

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industrys professional organizations about how security pros can get more involved with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.