Linkedin.com: A great networking resource or security threat?
Published: Wednesday, November 5, 2014
Updated: Monday, January 13, 2014 13:01
How many of you out there have a LinkedIn account? Chances are, if you’re a serious student, aspiring professional or already employed, the answer is yes.
LinkedIn, after all, is now the nation’s largest professional social network. Millions of people use it to connect with colleagues, professional organizations, and prospective employers.
But with so many people trusting their personal information to such a large network, is LinkedIn really a safe resource?
Last year, the network was the target of a massive username and password theft, with nearly 6.4 million accounts reportedly compromised by Russian hackers. It was later revealed that the site had failed to follow best practices when it came to storing password hashes and username combinations.
Hash algorithms are a semi-secure way of hiding information. Basically, they take a string of characters of any length, do some math on it, and transform it into a fixed-length value that is usually written out as hexadecimal (base-16) digits. For example, one of the most common hash algorithms is MD5. It turns any string, even one as short as a single character, into a hash of 32 base-16 characters. Hashes can’t be reversed, at least in theory, but the hash for any given word or phrase is always the same.
Hashes can be made more secure by adding a “salt” value, a random value attached to the front of the string before hashing. Because each user gets a different salt, the same password no longer produces the same hash, and an attacker can no longer look every hash up in one precomputed table. This adds a level of randomness to the algorithm that makes it harder (but not impossible) to break the code.
That’s where LinkedIn went wrong. They were storing unsalted hashes, which made the passwords easier to attack.
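To make the difference concrete, here is an added example (not code from the column or from LinkedIn) that hashes a small constructed user table both ways: unsalted MD5, where two users with the same password share one hash and a single precomputed table recovers both, and a per-user random salt with a slow key-derivation function, where the same password yields different hashes and the table no longer applies. The user names, passwords and "common password" list are all constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed sample data: three users, two of whom chose the same password.
USERS = {"alice": "letmein", "bob": "letmein", "carol": "correct horse"}
# A tiny stand-in for the large precomputed tables used against unsalted hashes.
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty"]


def unsalted_md5(password):
    """The weak scheme described above: same input always gives the same 32-hex-char output."""
    return hashlib.md5(password.encode()).hexdigest()


def lookup_unsalted(stored):
    """Recover passwords from unsalted hashes with one table shared across all users."""
    table = {unsalted_md5(p): p for p in COMMON_PASSWORDS}
    return {user: table[h] for user, h in stored.items() if h in table}


def salted_hash(password, salt, iterations=100_000):
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def store_salted(password):
    """Return (salt, digest); the salt is stored alongside the digest, not kept secret."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def verify_salted(password, salt, digest):
    """Constant-time comparison of a login attempt against the stored digest."""
    return hmac.compare_digest(salted_hash(password, salt), digest)


def demo():
    """Returns (users cracked from unsalted hashes, whether alice and bob share a salted hash)."""
    unsalted = {u: unsalted_md5(p) for u, p in USERS.items()}
    cracked = lookup_unsalted(unsalted)  # alice and bob both match the same table entry
    salted = {u: store_salted(p) for u, p in USERS.items()}
    same_hash = salted["alice"][1] == salted["bob"][1]  # False: different salts
    return cracked, same_hash
```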
But that’s last year’s news. The latest big thing going on with LinkedIn is a new email scanning service called Intro, a plug-in that reportedly detects when an email user has a LinkedIn profile and adds their contact information to the email.
Sounds pretty nifty, right? Not so fast. The new feature has been described by security researchers as similar to a man-in-the-middle attack. I wrote about these in my last column about ARP attacks. Now imagine the same sort of thing happening every day, on a large scale, and worse, with the user’s permission.
By signing up for Intro, you’re giving LinkedIn permission to scan your email and modify it as it’s being sent.
I can’t imagine what a real attacker would possibly do with that. Considering the kind of problems LinkedIn (and other social networks) have had with user security recently, this move seems grossly irresponsible to me.
So, back to the original question. Is LinkedIn safe and secure? The truth is, it’s as secure as any other social media site. I think the best thing that can be said about Intro is that at the moment it’s only for iOS users.
So it’s only a worry if you have an iPhone, a LinkedIn account and a complete disregard for online security.