bishopfox

  • OS X update fixed 'simple' bug that could leak your iMessages

    by Timothy J. Seppala
    04.09.2016

    Researchers explained one large security hole in Apple's iMessage app that received a patch last month, but until now we didn't have details on another vulnerability fixed at the same time. By tricking users into clicking a specially-crafted link, hackers could gain access to the usually encrypted communications in OS X El Capitan's Messages. "You don't need a graduate degree in mathematics to exploit it, nor does it require advanced knowledge of memory management, shellcode or ROP chains," according to security researchers at Bishop Fox -- just knowledge of basic JavaScript.

  • LinkedIn's 'Intro' offers major security risks for minor benefits

    by TJ Luoma
    10.25.2013

    LinkedIn's new "Intro" is not only the worst idea I've heard in quite a while; it's a bad idea with almost no upside. Here's what you should know about Intro before you even think about using it.

    Where did Intro come from?

    Quoting from LinkedIn's "Pledge of Privacy" page (say that ten times fast), here is how LinkedIn describes Intro:

    "LinkedIn Intro is an email service that helps you be brilliant with people."

    The phrase "brilliant with people" is a phrase that LinkedIn apparently acquired when it bought Rapportive. LinkedIn must really like it, because the service's "Pledge of Privacy" page uses it three times.

    Rapportive, for those who never used it, was a service which attempted to collect as much information about you as possible from social networks and create a profile for you based on the connections that it made. The company also made a browser plugin which populated a sidebar in Gmail with the Rapportive profile. Sounds great, right? Well, partly. Three years ago I mentioned showing Rapportive to people, and while they loved the idea of seeing that information from other people, when they saw their own information, they suddenly realized that a) some of these connections they would rather have kept private, and b) some of the information was incorrect or outdated.

    You see it now, right? Here's a company that had devoted itself to collecting as much information about people as possible. It wasn't a question of whether it would be bought by some larger company, it was just a question of who would buy Rapportive. I can easily imagine Facebook and Google both being interested in it, but LinkedIn either got there first, or made a better offer. And all the information Rapportive has about you went with it. Now we have 'Intro.'

    What does Intro do that's different than Rapportive?

    Rapportive was a simple browser plugin that you had complete control over and was locally installed. It didn't change anything in your incoming or outgoing email, it just looked at the header information of the email you were currently reading in your browser. If you sent email through your iOS device or another mail app besides webmail, Rapportive couldn't see that message.

    Intro isn't like that. Instead, Intro will serve as a "proxy" for your email, which means that every email message that you send through that account will go through LinkedIn's servers.

    Think about that. LinkedIn's entire business is about making connections between people. It bought Rapportive to get its hands on a large amount of data about people that had been collected on the Internet. Now LinkedIn wants you to send all of your email through its servers.

    And why are you supposed to do this? So you can be "brilliant with people"? What does that even mean and how does LinkedIn hope to accomplish this?

    "When people email you, we show you their LinkedIn profile."

    That's what you're getting out of this. You're trading unlimited access to your email in order to make it a bit easier for you to see someone's LinkedIn profile. What are some of the other features of this service?

    "You can put faces to names."

    Ok, maybe, but most of the time you can probably do this by connecting your Twitter or Facebook account to your iOS device, which will make a one-time connection to those services and try to match people from your contacts list to people on those services. From a privacy and security standpoint, even doing that is a dodgy proposition to a lot of people, but it's approximately a thousand times less dodgy than sending all of your email through LinkedIn's servers.

    "Write more effective emails and establish rapport."

    You'll also be taller, thinner, and better looking! Oh wait, it can't do that either. Hint: writing effectively might be better accomplished by actually knowing the people you are writing to, rather than pretending to know them based on the information LinkedIn shows you. Likewise, establishing "rapport" is probably not best served by potentially compromising their privacy and security by having their emails to you routed through the servers of a company devoted to collecting information about people.

    But the last "feature" is my favorite:

    "You can grow your professional network by connecting with them on LinkedIn."

    Translation: "You can help LinkedIn's business by using LinkedIn more."

    "Aren't you being a little overly dramatic about this?"

    I don't think so. What LinkedIn is proposing is exactly the sort of thing that anyone who was hoping to be able to do any of a dozen nefarious things would love to do. Here is LinkedIn's own description of the service:

    "What's happening under the hood: without Intro, your Mail app connects directly to the servers of your email provider (e.g. Gmail or Yahoo!) to download messages. With Intro, your Mail app connects instead to the Intro servers, which fetch messages from your email provider and then pass them back to your Mail app. As the messages pass through the Intro servers, we add the social context that helps you be brilliant with people."

    See, there's that phrase again. LinkedIn wants you to send your email through its servers so it can add its information to your incoming email. Which will benefit you, as long as the person uses LinkedIn and keeps their LinkedIn account current. Translation: the more people who use this app, the better it is for LinkedIn's business, which is to collect information about people. Every email you send is also a free ad for LinkedIn!

    LinkedIn doesn't just want to change your incoming email either. The company is also going to change your outgoing message. From the FAQ:

    "When you send an email with Intro, by default we add a small snippet of your LinkedIn public profile to the bottom of your message. This snippet functions as a great email signature, and it automatically updates itself within 24 hours after you edit your LinkedIn profile."

    Gosh, isn't that just the best? Send all of your email through the Intro servers and it will add -- at no extra charge! -- a "small snippet" (as opposed to a "large" snippet?) from your LinkedIn profile! I'm probably going out on a limb here, but do you suppose that "small snippet" might maybe possibly add some sort of link or other information about how the person receiving your email can -- at no extra charge! -- find out more about LinkedIn, so that they too can feel the warm glow of appreciation from helping support LinkedIn's business model?

    Let's imagine the best case scenario. LinkedIn's announcement page for Intro is just so modest about what has been accomplished, it's only promoted as "Doing the Impossible on iOS." Turns out it's not impossible, it's just a bad idea. You have to install a new device-side profile into iOS to allow it to insert information into your email. In the best possible case, this advanced and unintended use of technology built into iOS would be done with a company with a great track record of security. LinkedIn is not that company.

    That profile LinkedIn wants you to install is a security risk. Injecting HTML into your email via an iframe loaded from the Intro server is a security risk. Sending all of your email through LinkedIn's servers is a security risk.

    LinkedIn may have very good intentions behind the "privacy pledge." Personally it sounds like the technological equivalent of a virginity pledge: what is said today with a mixture of good intentions, a desire to say all the right things and look good in the eyes of others does not mean that pledge will be upheld in the future. As Facebook has shown countless times, corporate privacy policies have a way of changing over time, gradually becoming a little more relaxed here and there. Somehow those policies never seem to change in ways that protect users and their information.

    Even if you believe that LinkedIn's intentions are pure as the driven snow and that the company won't do anything nefarious with your data, you are piling risk on top of risk, and depending on LinkedIn's technical competency to protect your data, despite a dodgy track record. All of which makes me ask again: Why? So you can see a little bit of contact data from LinkedIn slightly more easily than you could before?

    My advice is this: if you want to "be brilliant with people," start by realizing when someone wants you to do something that benefits them much more than it benefits you.

    Still not convinced? If you won't listen to me, maybe you'll listen to Bishop Fox, a company which has, since 2005, "provided security consulting services to the Fortune 1000, high-tech startups, and financial institutions worldwide. Our mission is to secure our clients and their business." They have 10 reasons why LinkedIn Intro is a bad idea. If you can get through my article and theirs and still think it's a good idea, well, at least you can't say we didn't try to warn you.