10 reasons to fear LinkedIn’s new service

The business social media network wants to route your email. The benefits to you are unclear

This article originally appeared on bishopfox.com and was reposted with permission on The Daily Dot.

Don’t make the mistake of thinking you’re [the] customer, you’re not – you’re the product.

– BRUCE SCHNEIER

LinkedIn released a new product today called Intro.  They call it “doing the impossible”, but some might call it “hijacking email”.  Why do we say this?  Consider the following:

Intro reconfigures your iOS device (e.g. iPhone, iPad) so that all of your emails go through LinkedIn’s servers. You read that right. Once you install the Intro app, all of your emails, both sent and received, are transmitted via LinkedIn’s servers. LinkedIn is forcing all your IMAP and SMTP data through their own servers and then analyzing and scraping your emails for data pertaining to…whatever they feel like.

“But that sounds like a man-in-the-middle attack!” I hear you cry. Yes. Yes it does. Because it is. That’s exactly what it is. And this is a bad thing. If your employees are checking their company email, it’s an especially bad thing.

Why is this so bad?  Here’s a list of 10 reasons to start:

1. Attorney-client privilege.

You use your email to stay in touch with everyone in your life from your family to your friends to your business associates. And you may exchange particularly sensitive messages with certain people like your lawyer, doctor, psychotherapist, or spiritual advisor. These communications are generally legally privileged and can’t be used as evidence in court – but only if you keep the messages confidential.

“If you let a third party have access to your privileged email, you could be waiving important legal protections.”

– MARCIA HOFMANN, ATTORNEY AND FORMER SENIOR STAFF ATTORNEY AT THE EFF

To be sure, if you’re concerned about the legal effect of letting LinkedIn have unfettered access to your email, you should check with your counsel…on a system that doesn’t have Intro installed.

2. By default, LinkedIn changes the content of your emails.

Be aware that outgoing emails receive an additional signature. Incoming emails receive additional LinkedIn profile data. Introducing new data sources into a medium as rife with security issues as email is a dream for attackers. We’re curious how long it will be until someone finds an innovative way to phish through Intro.

3. Intro breaks secure email.

Cryptographic signatures will break because LinkedIn is rewriting your outgoing emails by appending a signature on the end. This means email signatures can no longer be verified.

Encrypted emails are likely to break because of the same reason – extra data being appended to your messages.

If you forward an email to someone else, the LinkedIn profile data stays in the email. What if you don’t want it to?  What if they don’t want you to and it pisses them off?

4. LinkedIn got owned.

This happened last year, when an estimated 6.5 million usernames and hashed passwords were leaked to a Russian message board. They were storing passwords as unsalted hashes, which is a terrible design decision. LinkedIn has a documented history of insecure design practice. So, as anybody who has ever assessed a vendor would want to know:

a. Who did the security review of the Intro app?

b. Are there outstanding security vulnerabilities?

c. Can we see a copy of a Letter of Assessment?

5. LinkedIn is storing your email communications.

It’s metadata, or so they claim. In particular, the list of people with whom you communicated is saved because “If you are not connected with the person on LinkedIn, we may later suggest them as a connection on the LinkedIn website and in our other mobile apps.”

Think about it this way. A vendor tells you they will install a device on your network that monitors all your email so they can insert their data into your emails. They’ll do this for free – except they want unfettered access to all your emails so they can mine them for information about your users. They don’t say exactly what they would store from each email; you’re just supposed to trust them to do the right thing.

6. LinkedIn is changing your device’s security profile.

Intro works by pushing a security profile to your device; they’re not just installing the Intro app. They have to do this in order to re-route your emails. But these security profiles can do much, much more than just redirect your emails to different servers. A profile can be used to wipe your phone, install applications, delete applications, restrict functionality, and a whole heap of other things.

Most of your end users aren’t going to understand the impact of these changes, nor will they know how to reverse them if they wanted to do so. You are effectively putting your trust in LinkedIn to manage your users’ device security.
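As an added defensive check (not code from the original article, and not LinkedIn’s or Apple’s), the following Python audits an iOS configuration profile before it is allowed onto a device: it flags managed Mail payloads that point IMAP/SMTP at hosts outside your own allowlist, connections without SSL/TLS, profiles the user cannot remove, and any MDM payload. This also answers, for a given profile, the SSL/TLS and which-accounts questions raised under reason 10. The profile, hostnames and allowlist are constructed samples; the payload keys are Apple’s documented Mail payload keys.

```python
import plistlib

# Constructed sample .mobileconfig (not LinkedIn's actual Intro profile): one
# managed Mail payload that re-routes IMAP/SMTP to a third-party relay and
# a profile that the user is not allowed to remove.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.constructed.mail-relay</string>
  <key>PayloadRemovalDisallowed</key><true/>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.mail.managed</string>
      <key>EmailAddress</key><string>alice@example.com</string>
      <key>IncomingMailServerHostName</key><string>imap-relay.example.net</string>
      <key>IncomingMailServerUseSSL</key><true/>
      <key>OutgoingMailServerHostName</key><string>smtp-relay.example.net</string>
      <key>OutgoingMailServerUseSSL</key><false/>
    </dict>
  </array>
</dict></plist>"""

# Mail servers your organisation actually operates (constructed allowlist).
APPROVED_MAIL_HOSTS = {"mail.example.com"}

# (direction label, host key, use-SSL key) for each side of a managed Mail payload
MAIL_SERVER_KEYS = (
    ("IMAP", "IncomingMailServerHostName", "IncomingMailServerUseSSL"),
    ("SMTP", "OutgoingMailServerHostName", "OutgoingMailServerUseSSL"),
)

def audit_profile(profile_bytes, approved_hosts=APPROVED_MAIL_HOSTS):
    """Return a list of human-readable findings for a configuration profile."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    if profile.get("PayloadRemovalDisallowed"):
        findings.append("profile cannot be removed by the user")
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype == "com.apple.mdm":
            findings.append("MDM payload present: grants remote management rights")
        if ptype != "com.apple.mail.managed":
            continue
        account = payload.get("EmailAddress", "<unknown account>")
        for direction, host_key, ssl_key in MAIL_SERVER_KEYS:
            host = payload.get(host_key, "")
            if host not in approved_hosts:
                findings.append(f"{direction} for {account} routed via third party: {host}")
            if not payload.get(ssl_key, False):
                findings.append(f"{direction} to {host} without SSL/TLS")
    return findings
```

Run `audit_profile(SAMPLE_PROFILE)` to see the four findings the constructed profile produces; an empty list means the profile only touches your own mail servers over TLS and can be removed.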

7. It’s probably a gross violation of your company’s security policy.

If your company’s policy (e.g. security, confidentiality, data classification, email) has anything about not disclosing sensitive data, it most likely says something like “Do not share sensitive data with third parties.”

You’re probably violating that by installing Intro.

8. If I were the NSA…

…and I hear everyone’s mobile phones were routing their emails through LinkedIn…well I know where I’m having my next birthday party.

9. It’s not what they say, but what they don’t say

The privacy policy is ambiguous and vague.

To the question “Does LinkedIn Intro disclose information to anyone else?” the answer is not “No.” It is “We will never sell, rent, or give away private data about you or your contacts.”

The astute reader must ask themselves:

  • How do you determine what is “private”?
  • What is considered “not private”?
  • Who makes the judgment call?

Even further:

  • Are you agreeing not to misuse “private data about [me]” as in the content of my emails or my LinkedIn profile information?
  • Are you agreeing not to misuse “[my] contacts” as in my contact list or “private data about…[my] contacts” such as the content of our communications?

The better question perhaps is, “How does LinkedIn know what you consider private?”  I suspect the answer is that they don’t.

10. Too many secrets

There are unanswered technical questions, too. Do the LinkedIn Intro servers mandate the use of SSL/TLS for all traffic? Does the Intro app redirect all of the accounts on your phone, or just one that you nominate? Can you opt out of the man-in-the-middle attack feature?

There’s a lot to consider and I’m sure others will think of more implications.  For the time being, Intro is banned from Bishop Fox devices until we know more about it.  And at the time of this writing, our recommendation is:

Don’t introduce Intro into your environment. 
