Posts Tagged ‘linkedin’

Site Review – LinkedIn – Part 2

September 18th, 2009, by Josh

As a follow-up to my previous post on LinkedIn, I would like to recount a story that a friend told me the other day. I was visiting with Adam Steen of 25 Connections. Adam's business is knowing people, and he knows pretty much everyone in the Des Moines business world. If you need a connection in this area, Adam is the guy to go to.

As with many of us in the small business world, he uses LinkedIn to help manage his contacts. Since his business is all about personal connections, his network is large and the people in it trust his judgment. That is great for his business, but it enables a type of attack that I had not previously considered.

Several months ago, Adam met someone who works in the financial industry. After a pleasant first meeting, he received a LinkedIn connection request. As we all do, he accepted the connection and thought no more of it. Then, last week, Adam got a call from a friend of his who informed him that this connection was using LinkedIn to call Adam's contacts and set up appointments. Of course, the friend accepted the appointment, because the caller appeared to have Adam's trust, and if Adam says someone is good to work with, they usually are. However, Adam had never actually vetted the connection; the caller was using social engineering to make it appear as though he had. Once the appointment was made, Adam's friend found himself sitting through one of the most uncomfortable high-pressure sales situations he had ever experienced.

So, how did this attack work?

First of all, it depends entirely on the site exposing your connection list. If the site (or your privacy settings) lets your contacts see one another, every connection you accept walks away with a ready-made list of people who trust you, so you have to consider whether each individual you connect to is worth that level of trust.

Secondly, the attack only works if your name carries weight with your connections. If Adam's name hadn't meant anything to the person being called, the appointment wouldn't have been set up and the attack would have been foiled.

Third, if you have a number of close personal contacts who know you but not each other, and you use a social network that lets them see one another, you are exposed: none of them can independently check a claim that you vouched for someone, so they take the claim on faith.

Now, in Adam's case, he was able to identify the untrustworthy individual and remove him from his network. Since this particular variant was based on personal contact, removing the connection foils it. However, it would be trivial to make such an attack far more malicious. An attacker could forge an email that appears to come from the trusted connection and carries a malicious attachment or link. The target, believing the message came from someone very trustworthy, would open it and run the code, giving the attacker whatever access or information they wanted.
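The forged-email variant above is the one a mail filter can actually help with. The following is an added example, not code from the original post: it checks whether a message that claims to come from a known contact really did, using the kind of evidence a receiving mail server leaves behind. The address book, the receiving server's name (mx.example.test) and both sample messages are constructed for the example; the real verification step is still the out-of-band phone call described in the post.

```python
"""Flag e-mail that claims to come from a trusted contact but does not check out.

Added example with constructed sample data. It looks at four things an
attacker name-dropping a trusted connection tends to get wrong:
  * the display name matches a known contact but the address does not,
  * Reply-To points somewhere other than the From address,
  * the receiving server's SPF/DKIM verdict is not 'pass',
  * the message carries an attachment.
"""
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Hypothetical address book: the one address you have verified out of band
# for each contact (constructed data, not from the post).
KNOWN_CONTACTS = {
    "adam steen": "adam@example-25connections.test",
}

# Hypothetical authserv-id of your own receiving MX. Anyone can add an
# Authentication-Results header to a message they send, so only the verdict
# written by your own server is worth reading.
TRUSTED_AUTHSERV = "mx.example.test"


def auth_results(msg):
    """Return e.g. {'spf': 'fail', 'dkim': 'none'} from the trusted
    Authentication-Results header(s); empty dict if none were found."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, rest = str(value).partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue  # header added by someone other than our MX: ignore it
        for clause in rest.split(";"):
            clause = clause.strip()
            for method in ("spf", "dkim", "dmarc"):
                if clause.startswith(method + "="):
                    # "spf=fail smtp.mailfrom=..." -> "fail"
                    results[method] = clause[len(method) + 1:].split()[0].lower()
    return results


def check_message(raw):
    """Return a list of human-readable findings; an empty list means the
    message is consistent with coming from the contact it names."""
    msg = message_from_string(raw, policy=default)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    known = KNOWN_CONTACTS.get(name.strip().lower())
    if known and addr != known.lower():
        findings.append(f"display name '{name}' is a known contact but "
                        f"{addr} is not their verified address {known}")

    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        findings.append(f"Reply-To {reply_to} differs from From {addr}")

    auth = auth_results(msg)
    for method in ("spf", "dkim"):
        if auth.get(method) != "pass":
            findings.append(f"{method} result is {auth.get(method, 'missing')}")

    for part in msg.iter_attachments():
        findings.append(f"carries attachment {part.get_filename()}")

    return findings


# Constructed sample: the attacker borrows Adam's name, not his mailbox.
FORGED = """\
From: Adam Steen <adam.steen@mail-relay.test>
Reply-To: sales@prospector.test
To: friend@example.test
Subject: Quick intro
Authentication-Results: mx.example.test; spf=fail smtp.mailfrom=mail-relay.test; dkim=none
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi, Adam here. Please review the attached proposal before we meet.
--b1
Content-Type: application/octet-stream; name="proposal.exe"
Content-Disposition: attachment; filename="proposal.exe"
Content-Transfer-Encoding: base64

aGVsbG8=
--b1--
"""

# Constructed sample: a genuine introduction from the verified address.
LEGIT = """\
From: Adam Steen <adam@example-25connections.test>
To: friend@example.test
Subject: Introducing you two
Authentication-Results: mx.example.test; spf=pass smtp.mailfrom=example-25connections.test; dkim=pass header.d=example-25connections.test
Content-Type: text/plain

Meet my friend; I have worked with both of you and you should talk.
"""

if __name__ == "__main__":
    for label, raw in (("forged", FORGED), ("legit", LEGIT)):
        print(label, check_message(raw) or "no findings")
```

The forged sample trips all four checks; the genuine one trips none. Note what the check cannot do: if the attacker compromises the contact's real mailbox, every header here looks fine, which is why the post's advice to pick up the phone still stands.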

So, how do you protect yourself... and more importantly, your contacts?

Think about who you're connecting to, and if you get a request from a friend of a friend, make sure that it's legitimate. This can be as simple as picking up the phone and calling the shared contact. (Odds are that you don't talk often enough anyway.) Also, if you are in the habit of connecting people to one another, try to connect them at the same time. I find that it's easiest to send an email to myself and copy them both on it. That way, they get one another's address, they see that you are vouching for both of them, and you have a copy of the introduction should you need it later. It also makes someone who bypasses the process more likely to be caught, since an approach that arrives without your introduction would stand out as unusual from the start.

This may be a good time to review your contacts and make sure that they're really what they should be.

Categories: Business Security

Site Review – LinkedIn

August 21st, 2009, by Josh

Who doesn't know about LinkedIn by now? This business-focused social networking site has been around seemingly forever (2003 is forever ago, right?). There are even blogs dedicated to helping you maximize your use of LinkedIn. Really, what more can I add?

You probably already know the basics. If you have an account on LinkedIn, you can add all the business associates you know to your account. This gives you a sort of online Rolodex that you can access from anywhere. Digging deeper, you can use groups to find contact information for people you know, but perhaps not well. You can ask and answer questions and try to use the network to find contacts deeper within an organization.

It's very useful for sales people and job hunters... and since everyone will likely be one or the other at some point in their career, most people are on it.

However, like all systems, there is a dark side. Security practitioners constantly caution against putting personal information online, because it can be used in social engineering attacks against a business or for identity theft. If someone obtains your LinkedIn credentials, they also get access to all of your contacts. For a sales person, that can mean loss of competitive advantage. Moreover, if someone untrustworthy manages to link into your network, they can see everyone you know. That information can be used to target your existing clients or to map the structure of your company and related companies. On the other hand, this same design allows legitimate people in your network to leverage your extremely valuable connections, which can strengthen your relationships with all parties involved.

This is a fairly typical risk management problem. If you put data into the system, you run the risk of its being misused. But if you do not, your competitors can leverage their networks better than you. What can you do?

The solution that most people take is to simply ignore the risk. They assume that everyone is who they claim to be and will link willy-nilly to all and sundry. Some of them even claim to be LIONs (LinkedIn Open Networkers) and will link to anyone who expresses an interest, often attempting to link to complete strangers. (In the physical world, we use a different word to describe this behavior, but that veers from the topic at hand.)

Another solution is to ignore the site altogether. If your data isn't online, it can't be compromised through the site. Many in the security community approach it this way. It is the most secure option, but you also lose all the benefits.

Of course, there is a middle ground. By using out-of-band techniques, you can have reasonable assurance of a person's identity. For example, if you receive a LinkedIn invitation, first check the sender's profile and make sure that it matches what you expect. Then send them an email or give them a call outside the LinkedIn system, using contact details you already have rather than anything supplied in the invitation, and confirm that they intended to send you the request. If they say "yes", you know the request is legitimate, and you can add them to your network if you know them to be trustworthy. This doesn't address all of the risks, but it does hit the major ones while still allowing you to use the system to your advantage.
