LinkedIn May be "Hacker's Dream Tool" But Attacks Easy to Foil

It's not very often that Anonymous and CNN agree on anything, but it did happen when CNN Money reported that the professional networking site LinkedIn was a "hacker's dream tool", the latest social media scare story. Sharing the link, the account @YourAnonNews tweeted "CNN is spot on with this article (a rarity we've found). LinkedIn is a hacker's dream tool".

When you read the article, you discover that, as so often happens, they are not talking about any technical vulnerability. All they mean is that LinkedIn is a rich source of professional biographical information, and that this information is useful for the type of social engineering attack known as "spear phishing". Social engineering refers to all the techniques that get people to do things they should not be doing by tricking them in some way. This is, in fact, how many famous hacks have been done. When Paris Hilton's smartphone was "hacked", for example, someone simply fooled a T-Mobile store employee into revealing the password used to reset the user password, then created a new one.

Spear phishing is a social engineering attack where someone uses detailed personal information to fool the victim into believing a message comes from a trusted source, tricking them into clicking on a link they would never touch in a mail from a stranger. It is called spear phishing because it is just like a normal phishing attack but much more precisely targeted, aiming at a single user rather than millions.

In reality LinkedIn is simply a useful source of professional information about people, second only to Google. This information can be used to identify the names of colleagues, which then appear as the "sender" of spoofed mails, or it can be used in more complex ways. One way is to create a completely fake profile of a person who supposedly works at a company. This account then sends connection requests to all the other employees on LinkedIn, and many of them will accept without ever asking themselves whether the person exists. Once connected to real employees, the fake persona has access to employee-only groups and other internal information.

This does not mean that you should be alarmed, wonder if LinkedIn is safe or close your account. Quite the contrary. I have a profile on LinkedIn and I recommend all the people who attend my networking workshops to have one, too. All you need to do is be a little more careful. This means being suspicious when someone unexpectedly invites you to try some new software. Most important of all, you should not accept invitation requests from people that you do not know or cannot verify. There is a philosophy called "open networking" which means accepting connections from anyone, but it is appropriate only for independent professionals who are free to take whatever risks they feel are appropriate. If you are working for a large organization you should be more careful, because your carelessness causes harm not only to you but also to your colleagues and your employer.


Lectures, Workshops, Coaching, Writing
For lectures, workshops, coaching and writing on networking and other topics visit http://andrewhennigan.com, email speaker@andrewhennigan.com or call 0046 73 089 44 75
