
Thread: 'An Attacker's Dream' LinkedIn's new app

  1. #1

    'An Attacker's Dream' LinkedIn's new app

    “I’m flabbergasted by this,” “I can’t believe someone thought this was a good idea.” - Richard Bejtlich


    LinkedIn’s New Mobile App Called ‘a Dream for Attackers’
    Excerpt
    "But security researchers have taken issue with the way the app works. Intro redirects e-mail ...

    Researchers liken that redirection to a so-called man-in-the-middle attack in...

    “ ‘But that sounds like a man-in-the-middle attack!’ I hear you cry,” Bishop Fox, a security consulting group, wrote in a blog post. “Yes. Yes it does. Because it is. That’s exactly what it is. And this is a bad thing. If your employees are checking their company email, it’s an especially bad thing.”

    http://finance.yahoo.com/news/linked...000326401.html
    Last edited by KC; 25-10-2013 at 10:04 AM.

  2. #2

    Neglecting, of course, the inherent insecurity of email on open networks in general. I think there are legal concerns with regards to business emails but the technical/hacker concerns seem very exaggerated. Your email already resides on various companies' computers all over the Internet.

    "For every complex problem there is an answer that is clear, simple, and wrong"

  3. #3


    I guess it's something I'll have to read more about. Both of these guys seem concerned. Hype? Gets them press, so who knows.

    http://www.usatoday.com/story/cybert...ckers/3191583/

    Excerpts:
    "James Lyne, Global Head of Security Research for anti-malware company Sophos, says in a blog posting that LinkedIn has "put up a big sign advertising to cyber criminals, nation states and others 'hack here, we've got loads of juicy data'. "...

    "From a security and privacy standpoint, this introduces fresh opportunities for bad guys, says Carl Livitt, Senior Security Researcher at security consultancy Bishop Fox. Livitt and Lyne are among the first security experts to react strongly to Intro."

  4. #4

    Agreed, it could be more than it appears; however, I'm innately distrustful of security consultants. It's in their interest to overstate threats.

    "For every complex problem there is an answer that is clear, simple, and wrong"

  5. #5


    Speaking of which...

    Updated:

    LinkedIn accesses Gmail contacts via ‘auto-authorization’ [amended]
    Martin Anderson Thu 6 Oct 2016

    Scientist Forrest Abouelnasr published a digest of his conversation with LinkedIn support after he began to notice impossible associations cropping up on his LinkedIn page:

    ‘I’ve never knowingly given linkedin permission to access my gmail contacts, but it keeps suggesting I connect on linkedin with people whose only connection to me is messages through gmail – and it usually happens suspiciously right after I send and receive a few emails from that person. This behavior has in the past included people whom I know do not have a linkedin account, since it suggests that I “invite them to linkedin” – which means the other person cannot be allowing linkedin access to their emails, it must be through my linkedin account.’
    ...

    UPDATE: LinkedIn deny that the behaviour described in this article can occur without the user’s authorisation, but only if the user goes into the address book import page and grants permission for LinkedIn to access Gmail contacts. Details about this are here. Though Forrest Abouelnasr has apparently retracted his initial complaint, it is currently only available via a Quora page which requires the reader to log in, which we are not willing to link to in its current state. We will add that link if it becomes freely viewable.

    Hopefully we’ll eventually get the same level of clarification one day regarding the mysterious cross-pollination between Facebook and other Gmail.

    https://thestack.com/security/2016/1...authorization/

  6. #6


    Just reading this thread and by no means a techy of any kind but just about an hour ago I got an email from someone in Houston asking me to add them to my LinkedIn account. Now, I was on LinkedIn years ago and have not had any activity on that account from years ago so the email came from out of the blue. Not sure if this is a coinkydink but maybe they are moving in on PC/Laptop emails.
    "The man who does not read has no advantage over the man who cannot read." - Mark Twain

  7. #7


    Originally posted by Gemini:
    "Just reading this thread and by no means a techy of any kind but just about an hour ago I got an email from someone in Houston asking me to add them to my LinkedIn account. Now, I was on LinkedIn years ago and have not had any activity on that account from years ago so the email came from out of the blue. Not sure if this is a coinkydink but maybe they are moving in on PC/Laptop emails."

    I've never even had an account on LinkedIn and I get these occasional emails. Albeit a few of them have been legit, from people I've later contacted and said no thank you. I don't like the platform, see a number of problems with it and would rather utilize other means of contacts.
    "if god exists and he allowed that to happen, then it's better that he doesn't exist"

  8. #8


    I'm a heavy user of LinkedIn, I prefer it to business cards (I would have to store over 500 of them). It's a great way to keep in contact with people you used to work with / see when they change jobs and similar. Not overly worried about security, there is nothing on my LinkedIn page that is particularly secretive.

  9. #9


    Being a domestic engineer now it's not much use to me. Personally I would rather have the business card than wade through resumes on the internet. We all know how inflated some of them can be.
    "The man who does not read has no advantage over the man who cannot read." - Mark Twain
