undefined | Better HN

0 pointsfreehunter12y ago0 comments

I work in enterprise information security, and my team agreed upon hearing this news that if this was used on our email system, we would consider it a MITM attack. Whether or not the end user opted in, the corporation did not.

So, in the context of use in environments where your email address is not fully owned by you, attack would be a valid word. Otherwise, I agree that it's a MITM but not an attack.

0 comments

7 comments · 2 top-level

tedunangst12y ago· 3 in thread

Is your corporation going to fire the users who use this? If not, why not? They are aiding and abetting an outside attacker.

freehunterOP12y ago

No, in the same way we don't fire people for getting viruses on their computer. Without a reason to believe the action was intentionally designed to cause harm to the business, like cstrat said, education is the best way to handle it. It would be hard to prove malicious intent in a case like this. LinkedIn would be attacking us, the user would just be an attack vector. It's akin to getting phished.

benatkin12y ago

I agree, and I think the major email providers should block it. Maybe Google can just cut off their API access and stop using LinkedIn for recruiting. That ought to get their attention.

cstrat12y ago

Given that a lot of users are technically unaware of what they are doing, it would be akin to firing someone for falling for one of those pop ups that offers to do a free virus scan. If you are a pharmaceutical sales rep and you read that LI blog post, you probably think it is perfectly safe...

I would think the responsibility falls back onto IT to educate users - and to block connections from LI to the mail server.

baddox12y ago· 2 in thread

I appreciate the data point, but I must admit that sounds very unreasonable, unless you're considering the employer as the attacker. Would the same apply if an employee were using a VPN at work?

freehunterOP12y ago

We do block VPN on our corporate network, yes. A VPN is a tunnel that hides user activity from our monitoring and DLP tools and use of VPN from our network to the outside is against policy. Likewise, sharing your credentials with a third party is against policy.

The attacker is LinkedIn. The employee is the attack vector. LinkedIn is engaging in a phishing attack.

baddox12y ago

You didn't explicitly answer whether you consider VPN usage to be a man in the middle attack. I understand banning it (as well as this LinkedIn feature) on a corporate network, but not considering either a man in the middle attack.

1 more reply

j / k navigate · click thread line to collapse

0 comments

7 comments · 2 top-level

tedunangst12y ago· 3 in thread

Is your corporation going to fire the users who use this? If not, why not? They are aiding and abetting an outside attacker.

freehunterOP12y ago

benatkin12y ago

I agree, and I think the major email providers should block it. Maybe Google can just cut off their API access and stop using LinkedIn for recruiting. That ought to get their attention.

cstrat12y ago

I would think the responsibility falls back onto IT to educate users - and to block connections from LI to the mail server.

baddox12y ago· 2 in thread

I appreciate the data point, but I must admit that sounds very unreasonable, unless you're considering the employer as the attacker. Would the same apply if an employee were using a VPN at work?

freehunterOP12y ago

The attacker is LinkedIn. The employee is the attack vector. LinkedIn is engaging in a phishing attack.

baddox12y ago

1 more reply

j / k navigate · click thread line to collapse