This week, Check Point researchers discovered a vulnerability within LinkedIn’s messenger platform which, if exploited, would enable attackers to spread malicious files via the platform and infect the machines of targets on the business social network. This discovery has highlighted concerns about the security measures in place on the networking site, which is home to millions of professionals.
So, why are the flaws bad in this instance?
Check Point researchers found potential ‘flaws’ that would allow an attacker to deploy malicious content that masquerades as legitimate file sharing. This is a common use for LinkedIn – sharing a resume, a job posting, professional development material and so on. The reason this malicious content can pass as wholesome lies in LinkedIn’s model for security scanning.
But how can this masquerading be effective? LinkedIn’s security scanning logic does not account for these tactics at any point in its chain of checks. Because the scans do not look for embedded malicious scripts and macros, attackers can use common file types to infect unsuspecting LinkedIn users.
Though Check Point researchers published four technical flaws, I would suggest two conceptual flaws that allow this to happen:
The attacker controls the file name, type and extension. In a social media/sharing context, this is unavoidable. If LinkedIn enables people to share content, it cannot seize ownership of the file parameters (name, type, extension, etc.). So the logical arguments the scanners use cannot begin from LinkedIn-specified content parameters – the originating author keeps that control. This opens the door to the technical exploits.
The ‘originator-decides’ paradigm is LinkedIn’s attempt at benign neglect. Not only does LinkedIn avoid controlling the content users share, but the US Government will not allow LinkedIn (or any social media platform) to claim ownership of the content users share. Our starting point of ownership has LinkedIn on the horns of a dilemma, and the steps LinkedIn has taken have other troubles.
The second conceptual flaw is that LinkedIn’s security scanners use models that put a series of if/then questions to the content. LinkedIn’s security scanners only scan for two categories of threat:
1) first-degree malicious substance
2) damaging malicious substance for the LinkedIn platform.
On the first degree of malicious substance, the LinkedIn scanners do not take into account embedded macros or scripts nested in the file. The scan simply stops at the first degree, asking something like: “Does this contain any malicious links?” This is a superficial scan in the literal sense of the term – existing or occurring at or on the surface. The second point of LinkedIn’s security logic models the potential malicious content against the damage it could cause to a user in the context of the LinkedIn platform, and stops short of the context of the user’s own machine or network. Also superficial.
So, when the file does not contain any surface-level malicious content and the potential victim is not the LinkedIn platform itself, the file receives a clear bill of health. And passes through to the user.
Exploiting this conceptual landscape is child’s play. All that’s left for an attacker is to write the scripts…
How can organizations better protect users from flaws in otherwise safe social networks?
Firstly, organizations can better educate and train their personnel to treat social media platforms (including LinkedIn) just as they would other sources of malicious content (e.g. BitTorrent).
Secondly, organizations can protect themselves by performing better calibrated scans than the superficial pass social media provides. Simply stated, organizations can begin by treating LinkedIn as an untrusted distributor of content, then run security scans against downloaded material that go beyond the surface, surveying the content each file contains. Organizations can move beyond the first degree of malicious substance and account for the potential harm to the user and network.
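As an added illustration of that second point, here is a small second-degree check of the kind an organization could run on downloaded attachments before they reach a user. It is example code written for this post, not Check Point’s research tooling or LinkedIn’s scanner, and the extension map, PDF tokens and sample documents are a constructed subset: it ignores the sender-chosen extension, identifies the real container from its bytes, and looks inside for the embedded macros and script actions a surface scan skips.

```python
import io
import zipfile

# Sender-claimed extension -> container the bytes should really be.
# Constructed for this example; extend it to the file types a policy allows.
EXPECTED_CONTAINER = {"docx": "ooxml", "xlsx": "ooxml", "pptx": "ooxml",
                      "pdf": "pdf", "doc": "ole2", "xls": "ole2"}

# Tokens that mark embedded script or auto-run actions inside a PDF.
PDF_ACTION_TOKENS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/Launch")


def build_sample_docx(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML-style zip, optionally carrying
    a VBA project part the way a macro-enabled document does."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed")
    return buf.getvalue()


def inspect_download(filename: str, data: bytes) -> dict:
    """Second-degree scan: identify the real container by magic bytes,
    look inside it for macros/scripts, and compare the sender-chosen
    extension with what the bytes actually are."""
    claimed = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    result = {"claimed_ext": claimed, "container": "unknown", "indicators": []}
    if data.startswith(b"PK\x03\x04"):
        result["container"] = "ooxml"
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for member in z.namelist():
                if member.lower().endswith("vbaproject.bin"):
                    result["indicators"].append(f"embedded VBA macro part: {member}")
    elif data.startswith(b"%PDF"):
        result["container"] = "pdf"
        for token in PDF_ACTION_TOKENS:
            if token in data:
                result["indicators"].append(f"PDF action/script: {token.decode()}")
    elif data.startswith(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"):
        result["container"] = "ole2"
        result["indicators"].append("legacy OLE container: may hold VBA, parse fully")
    expected = EXPECTED_CONTAINER.get(claimed)
    if expected and expected != result["container"]:
        result["indicators"].append(f"extension .{claimed} does not match {result['container']} bytes")
    result["verdict"] = "quarantine" if result["indicators"] else "allow"
    return result
```

A real deployment would hand anything flagged to a full parser (or a sandbox) rather than rely on token matching alone, but even this check already moves the decision from the file name to the file contents.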
Lastly, organizations can adopt an assumption of compromise. When we assume that compromise is already happening and can frame our threat hunting in that paradigm, nothing is trusted. Furthermore, organizations help themselves with a mindset that says, “Anything could happen.” That open-mindedness allows security teams to think like an attacker and evaluate the tactics one could take to compromise the organization.