LinkedIn was recently reported to be exposed to man-in-the-middle (MITM) attacks. Michael Sutton of Zscaler and Richard Cassidy of Alert Logic share their views on the issue.
Michael Sutton, VP Security Research at Zscaler:
“I wouldn’t consider this a vulnerability, but rather a transition to enhanced security that is not yet complete. Zimperium is pointing out the fact that LinkedIn does not yet default to and enforce SSL only for all users worldwide. Many web applications are implementing SSL only connectivity due to increasing privacy concerns. LinkedIn is moving in this direction and started transitioning all users to SSL only pages in December 2013 but the transition is ongoing. While we might wish that the transition would move faster, LinkedIn should be applauded for moving in this direction. All web properties should take note and follow the example set by the likes of LinkedIn, Google, Facebook, etc. all of which have moved to SSL only by default.”
Richard Cassidy, Senior Solutions Architect for Alert Logic:
“The concept of MITM attacks has been around a long while now, and with the inception of SSL over HTTP (HTTPS) we heralded a new era in online communications that would allow us to share sensitive data over public networks without fear of personal details being caught by those men who live in the middle and who love to steal data from any unsuspecting user. That said, things came crashing down when SSL sniffing was announced to the world, and then again when SSL stripping was released at a Black Hat conference some years ago; should we even mention the more recent “Heartbleed”? Perhaps not!
Organisations have long since been working on new and clever(er) ways to thwart the latest spate of MITM attacks against their HTTP and HTTPS sites. The release of the HSTS standard saw a promising response to MITM-type threats. Organisations have been considering (and implementing) more advanced countermeasures through NAC solutions or more proactive network infrastructure equipment to detect ARP poisoning at a port (rather than gateway-only) level, and so on and so forth, all to help reduce the risk of their networks being the source of MITM threats.
The specific threat mentioned against LinkedIn quite simply utilised a well-known MITM attack tool to redirect the user to a non-secure version of the site. An unsuspecting (typical) user may simply ignore the warnings that the browser provides when being redirected to an unsecure version of the site they are accessing, or when a certificate cannot be verified. We know that LinkedIn were contacted by a “security group” back in 2013 advising them of the exploit against their services, and we can read that they acknowledged this by stating they were transitioning their sites to HTTPS (SSL) only. What we didn’t see was any announcement back then to their customers about the threat of a MITM attack and how users who might still be accessing old clear-text services, or connecting to LinkedIn on open APs at coffee shops, hotels, restaurants, etc., could better protect themselves. We have to appreciate that as users we have to assume a level of responsibility for our own security when accessing publicly available e-services, but there is a level of responsibility on the part of the service provider to ensure we are as educated as possible on “best practices” when accessing their services, in addition to regular updates on what they are doing for users to further enhance the security of their services.
Unfortunately, there is only so much organisations – such as LinkedIn – can do proactively to prevent MITM attacks from being successful. In my opinion we still live in a very reactive world from a security perspective, where – for many organisations – security processes are the necessity of exploit attempts (whether successful or not) and (in the context of MITM attacks) the battle is almost always with end users and how they interact with the websites they’re accessing. That said, however, organisations would clearly benefit from enhancing their web services’ security for end users by implementing HSTS, or providing SSL access as standard. Users would benefit greatly from regular notifications via their portals on “best practices” for maintaining their security status when accessing the services from public locations. The better you communicate with your users on the subject of security, the greater the degree of education and the lower the risk on all fronts to both parties. Transparency therefore has to be the first point of order when events such as these are brought to the attention of our providers, followed very closely by users doing their part to ensure a safer browsing experience by paying closer attention to how and what they are accessing on the internet when connecting to trusted providers.”