The reactions to the recent LinkedIn hacking “scandal” were interesting.
On one side, and rightly so, there were serious questions asked of LinkedIn and their security practices. Certainly the consensus was that their practices in regards to passwords left a lot to be desired. Furthermore, a large company of this size, in terms of the number of users it has should be taking the security of those users’ data more seriously – this type of breach just should not be happening.
Taking aside the technical security issues now, I put to you the question; Does a hacked LinkedIn present much more risk to an individual and the company they work in than a non-hacked LinkedIn?
Looking at the consequences of the current security breach as reported, what has been the impact to an individual LinkedIn user? LinkedIn by nature of its business model is the sharing of “personal” information. That information is there already to one degree or another and what isn’t directly accessible, can be, with a few clicks to “connect”.
While we question the security practices of LinkedIn and why such a breach could happen, few companies realise the security risks presented by the normal use of LinkedIn.
For a long time now we’ve tagged LinkedIn as the “Social Engineer’s best friend”. A Social Engineer in this context doesn’t necessarily mean a hacker. It may well be, and more on that shortly, but it also defines anyone who could use that information the individual/company has on the site for the purposes of their own benefit. (Not the purposes the individual or company had intended that information they presented on the web to be used for).
It’s an open information source on your company that can be tapped by almost anyone out there; competitors, clients, recruiters, vendors – anyone looking for an entry point to information that they can use to help them conduct their business – for any purpose. There’s so many potential ways this information can be used and I won’t go into more details here, but as a company, if you’re not aware of, understanding, and managing the risks of the use of LinkedIn, you are potentially putting your organisation at risk.
LinkedIn is database of corporate information that does not fall under the management control of the companies and the company’s staff using it. It’s usage policies don’t align to your company’s usage policies. It’s security policies don’t align to your company’s security policies. How are you controlling what information is being posted about your company?
From our perspective, LinkedIn provides almost all the information a targeted social engineering attacker, (from a hacking definition) could need to launch attacks on your business.
With just a relatively short reconnaissance time, the attacker can build a detailed and very definitive corporate profile. We proved this at the Defcon Social Engineering Tournament in Las Vegas in 2010:
How this translates into an attack, we covered in more detail here:
If you’re sitting back reading this and thinking; “It can’t be that easy”. Trust me. In all the testing we’ve done for large companies, it has been. We have a 100% success rate at the moment – and we’re the good guys whose testing is usually time-boxed and working under tight scope constraints.
A malicious attacker doesn’t work under these constraints. They can take their time and work under whatever scope they choose. It’s not within the company’s control.
As we always say, if someone wants to get your information, with enough time and effort they will. That is a scary truth, All you can do is to try to make it harder for them – harder so that they hopefully will either give up, move onto an easier target or at least if they’re determined to get you, have to resort to approaches that may see them make mistakes and somehow get detected.
Don’t make life easier for a targeted or opportunistic attack on your business. Assess your use of Social Media such as LinkedIn, identify your risks, understand them and set policies accordingly – and importantly, continually monitor. Failure to do so could be potentially business threatening. If you are an officer of the company and/or Director on the Board, you have an obligation under the corporations act to be doing this anyway.
When you look at it this way, I ask the question again; does a hacked LinkedIn really present anymore risk to you than a non-hacked LinkedIn? It depends upon how you use it.