According to security and censorship watchdog Great Fire, the latest iPhone just made its debut in China, and already new owners are being hacked by what appears to be a state-sponsored “man in the middle” attack. Though there have been many other allegedly government-backed attacks on US-based companies, presumably for commercial or political gain, this appears to be aimed at gaining iCloud identities of its own citizens, and its hard to not draw a dotted line to the recent Hong Kong protests, images and news of which were widely disseminated by mobile devices like the iPhone.
What this means for you:
Unless you are a Chinese citizen that has somehow managed to find your way to this modest blog, this particular event won’t have much impact on you. The hack is actually being perpetrated by China’s “Great Firewall” and only affects a specific, Chinese-only browser called 360 Secure Browser made by a company called Qihoo. Use of this browser is apparently mandatory for all education institutions in China. Seeing as other browsers not under the control of the Chinese government like Firefox and Chrome appear to be unaffected by the hack, it’s hard not to jump to some obvious conclusions. While the more conspiratorial among you may whisper that the American government is only a few steps behind the Chinese in this egregious breach of privacy, it’s important to note that unlike China, US-provided internet is not gated by a single, government-controlled firewall like China’s Great Firewall, nor our are students and teachers mandated to run a (allegedly) state-backed browser. However, this does not mean you should be less vigilant in protecting your security and privacy, as its quite apparent that US agencies like the NSA have no problems snooping on its citizens anyways.
For many professionals, LinkedIn plays an important role in their ability to network and market themselves to others, but the primary business tool of choice for just about everyone is still email. Realizing this, LinkedIn has created an app (currently only for iOS) that puts a lot more LinkedIn into your email. The app, dubbed “Intro”, is designed to provide you LinkedIn profile information (if it exists) of your recipients while you are writing your email, as well as automatically inserting an “Intro” banner that includes your profile information into every email you send. It’s this latter function that has security analysts up in arms, because in order for Intro to do its thing, it requires the user to switch their email server from the provider to LinkedIn’s own mail servers, which in turn authenticate on the user’s behalf while inserting the Intro snippet into each email as it makes its way through LinkedIn’s service. You read that right: every email you send using Intro goes through LinkedIn’s servers as well.
What this means for you:
For decades now, hackers have used a similar technology process to compromise security systems: the “Man in the Middle” attack basically tricks a computer into sending information to an alternate destination, which then forwards on the information to the intended destination, all the while pretending to be the original sender, with neither endpoint being the wiser. In this manner, the “man” in question is able to collect any information passing between the two points, including passwords and other sensitive information. Obviously, LinkedIn’s Intro app is purposefully inserted into the middle of a user’s email by the user himself, but the principle remains the same, and, at minimum, complicates security. Think of it as an email “love triangle.”
On top of this concern, security analysts have already figured out a way to spoof the information Intro inserts into your emails, essentially “weaponizing” Intro’s banner to carry any sort of payload the hacker would like, including links to hijacked websites. Imagine if you sent your client an email with a compromised LinkedIn Intro banner that led to them getting infected and their information destroyed by a virus. For now, I’d recommend sticking to inserting your own signatures into your email (which can include a link to your LinkedIn profile) and waiting a few months to see if LinkedIn has worked out all the security concerns in their new app.