Reports are now popping up in my technology news feed that a database containing information from over 700 million LinkedIn members is available for purchase on the dark web. Unlike some of the other information dumps that have made headlines recently, this one doesn’t contain passwords or other sensitive account data, but it does contain the information LinkedIn members typically put in their profiles, including phone numbers, postal and email addresses, job and education history, and whether or not a particular member might be looking for a job. According to LinkedIn, and other sources seem to corroborate this, this isn’t actually a data breach but what is known as an “information scrape,” shorthand for a database built by reading and indexing information that is readily available on the web. Keep in mind that “readily available” does not mean authorized use, especially when the data is gathered and put up for sale by someone other than LinkedIn.
What does this mean for you?
Even if you aren’t on LinkedIn, if you do any sort of business that requires you to interact with others via the internet, you should be aware of why these types of databases are still considered a significant security risk, and I can sum it up in one word: phishing. One of the most common tactics phishers use now is leveraging the data gathered in these databases to build and send fake emails that contain enough real information (your employer, your title, the names of people you actually know) to trick even the most savvy email veteran. Especially vulnerable are the millions of job seekers who use LinkedIn every day to contact plenty of people they don’t know directly, and who have to rely on the information found on the website. Cybercriminals are using this particular weakness to infect job seekers with trojans delivered as part of a fake employment application, which can then lead to identity theft, extortion and a definite disruption of the job search. In the end, there isn’t much you can do about the scrape itself except the following:
Set up 2-factor authentication on all your important accounts, especially email.
Back up your important data. Cloud-based backups that keep previous versions of your files are best.
Make sure you are running malware protection on your computer.
Make sure your network (home and work) is protected by a proper firewall.
For many professionals, LinkedIn plays an important role in their ability to network and market themselves to others, but the primary business tool of choice for just about everyone is still email. Realizing this, LinkedIn has created an app (currently only for iOS) that puts a lot more LinkedIn into your email. The app, dubbed “Intro,” is designed to show you the LinkedIn profile information (if it exists) of your recipients while you are writing your email, as well as to automatically insert an “Intro” banner containing your own profile information into every email you send. It’s this latter function that has security analysts up in arms, because in order for Intro to do its thing, it requires the user to change their mail account’s server settings from their provider to LinkedIn’s own mail servers, which then authenticate to the provider on the user’s behalf and insert the Intro snippet into each email as it makes its way through LinkedIn’s service. You read that right: every email you send using Intro passes through LinkedIn’s servers as well.
What this means for you:
For decades now, hackers have used a similar technique to compromise security systems: the “Man in the Middle” attack places an attacker-controlled relay between two parties. Traffic from one side is diverted to the relay, which forwards it on to the intended destination while impersonating the original sender, so neither endpoint is the wiser. Sitting in the path, the “man” in question can read (and alter) any information passing between the two points, including passwords and other sensitive information. Obviously, LinkedIn’s Intro app is purposefully inserted into the middle of a user’s email by the user themselves, but the principle remains the same: a third party now holds your mail credentials and sees, and modifies, every message you send, which at minimum complicates security. Think of it as an email “love triangle.”
On top of this concern, security analysts have already figured out a way to spoof the information Intro inserts into your emails, essentially “weaponizing” Intro’s banner to carry any sort of payload the attacker would like, including links to hijacked websites. Imagine sending your client an email with a compromised LinkedIn Intro banner that led to them getting infected and their data destroyed by malware. For now, I’d recommend sticking to inserting your own signature into your email (which can include a link to your LinkedIn profile) and waiting a few months to see whether LinkedIn has worked out the security concerns in its new app.
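To make the two points above concrete, here is an added example in Python. It is not LinkedIn’s code and not from the original article: it models an in-path relay of the kind described, one the client has been pointed at, which receives the user’s provider password and the plaintext message, appends a banner and forwards the result. Next to it is a sender-side body digest that shows the mutation is detectable. The assumptions are mine: that the relay sees the provider password in the clear (the article says Intro authenticates on the user’s behalf; how the real app handled credentials is not on the page), that an HMAC with a key held only by the sender stands in for a DKIM-style body hash, and that every name, address, URL and banner in the sample is constructed for the demonstration.

```python
"""
Added example: an in-path mail relay as a man in the middle, plus a
sender-side body digest that detects any rewrite. Not LinkedIn's code.
"""
import hashlib
import hmac
import re
from email import policy
from email.parser import BytesParser

# Constructed sample message, as a mail client would hand it to its outgoing
# server. All names, addresses and URLs in this file are made up.
CLIENT_MESSAGE = b"""\
From: Alice Example <alice@example.com>
To: Bob Client <bob@example.net>
Subject: Proposal draft
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Hi Bob,

Here is the draft we discussed. Let me know what you think.

Alice
"""

# Hypothetical secret held only by the sender's own client. It stands in for
# a DKIM-style body signature without the key management.
SENDER_KEY = b"example-sender-key"

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _parse(raw: bytes):
    return BytesParser(policy=policy.default).parsebytes(raw)


def canonical_body(raw: bytes) -> bytes:
    """Body text with trailing whitespace stripped (a 'simple' canonicalisation)."""
    msg = _parse(raw)
    part = msg.get_body(preferencelist=("plain", "html")) or msg
    return part.get_content().rstrip().encode("utf-8")


def body_digest(raw: bytes, key: bytes = SENDER_KEY) -> str:
    """HMAC-SHA256 over the canonical body, computed before the message leaves the client."""
    return hmac.new(key, canonical_body(raw), hashlib.sha256).hexdigest()


def verify_body(raw: bytes, expected_digest: str, key: bytes = SENDER_KEY) -> bool:
    """True only if the body is still what the sender digested."""
    return hmac.compare_digest(body_digest(raw, key), expected_digest)


def relay(raw: bytes, password: str, banner: str) -> tuple[bytes, dict]:
    """Model of the 'man in the middle': a relay the client has been pointed at.

    The client authenticates to the relay with its provider password (assumed
    to be sent in the clear) and hands over the plaintext message. The relay
    would log on to the real provider with that password (not modelled here),
    rewrites the body and forwards the result. Returns the forwarded bytes and
    everything the relay was in a position to observe.
    """
    msg = _parse(raw)
    observed = {
        "password": password,  # the relay now holds the user's real credential
        "from": msg["From"],
        "to": msg["To"],
        "subject": msg["Subject"],
        "body": msg.get_content(),
    }
    # Whatever banner the relay (or whoever controls it) chooses lands in the
    # recipient's copy; the recipient has no way to tell it from the sender's text.
    msg.set_content(msg.get_content().rstrip() + "\n\n-- \n" + banner)
    return msg.as_bytes(), observed


def extract_links(raw: bytes) -> list[str]:
    """URLs the recipient's client would render as clickable."""
    return URL_RE.findall(_parse(raw).get_content())


def demo() -> dict:
    """Run one intended and one hostile banner through the relay and check both."""
    sent_digest = body_digest(CLIENT_MESSAGE)
    # Constructed banners: the one the service intends, and one substituted by
    # an attacker able to influence what the relay inserts.
    intended = "Alice Example, Product Manager - profile: https://profiles.example/alice"
    hostile = "Alice Example - open the proposal here: https://attacker.example/login"
    results = {}
    for label, banner in (("intended", intended), ("hostile", hostile)):
        forwarded, observed = relay(CLIENT_MESSAGE, "correct horse battery staple", banner)
        results[label] = {
            "relay_saw_password": observed["password"],
            "links_in_recipient_copy": extract_links(forwarded),
            "body_digest_valid": verify_body(forwarded, sent_digest),
        }
    results["original_digest_valid"] = verify_body(CLIENT_MESSAGE, sent_digest)
    return results


if __name__ == "__main__":
    import pprint
    pprint.pprint(demo())
```

Two things fall out of running it: the relay ends up holding the provider password and the full plaintext of every message, and the digest fails for the intended banner exactly as it does for the hostile one, because from the recipient’s side an intermediary’s rewrite and an attacker’s rewrite are the same event. That is the reason to put your signature in client-side rather than have a third party add it in transit.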
Microsoft is (re)launching Outlook.com and consolidating its various “free” email service domains under the Outlook.com brand in an effort to regain the former glory it once held with Hotmail.com, which has since fallen to a distant third behind Google’s Gmail and Yahoo Mail. Microsoft estimates it will spend anywhere from $30 to $90 million on marketing across all the major media over the next three months, on a combination of attack ads aimed at Gmail users and informational campaigns it hopes will persuade users to switch (back, in many cases) to Microsoft.
What this means for you:
If you already have a Hotmail.com or MSN.com email address and haven’t already converted, you’ll be migrated to Outlook.com gradually as Microsoft consolidates its services under the new brand. If you are considering switching (or opening another webmail account), the only feature Outlook.com offers that differs from the competition is that contacts stored in your online address book automatically update their details from social media platforms like Facebook, Twitter and LinkedIn. Gmail does this with Google+, but you have to resort to third-party extensions and services to mine the other social media sites for that information. Beyond this feature, Outlook.com is mostly playing catch-up to Gmail, though Microsoft’s marketing dollars may steal some of Yahoo’s market share despite Yahoo’s revamp of its webmail service a little over a year ago.