LinkedIn snarfing contacts from Exchange LinkedIn offers lots of chances for its users to hand over credentials so the social business network can suggest new connections. But a new offer to do so for Microsoft Outlook means contacts can be sucked out of Microsoft Exchange and exposed to the world. Australian sysadmin Adam Fowler noticed the feature and detailed its …
This is a simple example of the kind of data sucking that happens practically everywhere anyway.
To show you how widespread this is, try running WhatsApp without giving it access to your full address book. I think it's even in the T&Cs somewhere that you give them the right to purloin your entire list of contacts.
From an intelligence perspective this stuff is absolutely wonderful because you can quickly grab the entire relationship map of any {suspects/people you don't like/political activist/this year's evil entities} without pesky stuff like probably cause, due process and oversight.
Anyone with ANY concerns about privacy or with a duty to protect clients should really start to rethink using any US based entity. By now I'd rather trust China with my data - at least they're not pretending.
It's misleading to offer this as an Exchange problem. This is generally a problem with allowing a 3rd party access to personal or corporate resources - this is a general risk with 3rd party apps.
Part of the problem is that especially on mobile devices it's not possible to be selective what you allow. If you could identify a subset of data that you were willing to hand over to the planet the risk would be at least controllable, but apps want all or nothing. Well, all, because having the temerity to insist there are things you don't want to share like location either leads to an app that doesn't work on iOS, or one that doesn't even wants to install on Android, the latter also not allowing you to change your mind later.
Mobile apps are still in their infancy when it comes to protection of information, and I personally don't consider this infantile state a coincidence. The Internet has two currencies, one is bitcoin, the other on is personal information. Only one of them is sort of legal..
Maybe I'm missing something here - this is a USER problem.
I've read quite a few company Computer Use Policies in my time, and every single one has something about "you should NEVER GIVE YOUR PASSWORD TO ANYONE".
Exchange (like most corporate email offerings) is secure (assuming it hasn't been badly set up) - you need to authenticate before you gain access to the data. You have a username and password that is unique to you, and you are probably at risk of gross misconduct if you give them to someone else. Linkedin are someone else.
No, it's a vendor problem, for defaulting the platform to divulge information in an unwanted way.
But now, for those paid to say so, the problem is for the administrator to gyrate into untold dimensions to accomplish basic frigging corporate security.
What next? A quadruple helix, with quintuple flips to even have a firewall?
Not to self, look up this prostitute and see to it our company never hires it.
Even to rinse out toilets.
@ItsNotMe
I responding to "Outlook hasn't had any issues with viruses" - as far as I'm concerned, there are hundreds of nasties out there that will happily spawn themselves to anybody in your Outlook address book. Outlook seems happy to do this, it's also how stuff like LinkedIn can also query your address book without much effort. Try doing that with a secure email program.
As far as I'm concerned, 90% of reasons for having AV installed in the workplace are either IE or Outlook. The other 10% is Windows.
I am getting more and more put off by LinkedIns persistent attempts to scour my contacts. Was genuinely shocked when I saw them asking for my work Outlook account details. I work for a MegaCorp and I just know that loads of MarketingDroids will be merrily plugging in their details.....It is a major security FAIL in the making.
While I certainly agree that there is a problem with an employee that gives 3rd party apps access to corporate data against company rules, any decent sysadmin is going to want to know how to prevent this in the first place. It's very similar to the concept of employees who try to hook up a personal device to the corporate network at the office or over VPN against the company rules. People do these things anyway out of ignorance or arrogance. The competent sysadmin tries to make their network as secure as possible against unauthorized access, even from their own employees.
As an example, my company has a policy that unauthorized mobile devices can use our company wifi but not access certain internal resources. Rather than just have a company rule saying "don't do this" and leave network security to chance, there are network policies in place to ensure unauthorized devices can't access what they shouldn't. If our sysadmins told our management they simply don't need to secure the network against things users were told not to do, they'd be sitting in HR right after the person who violated policy.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
