8/9/2019 LinkedIn Threats http://slidepdf.com/reader/full/linkedin-threats 1/33 CSIS Security Group Research & Intelligence Social Networking Risk – Who Do You Want to be Today? Dennis Rand – Senior malware/Security researcher [email protected]


Page 1: LinkedIn Threats


CSIS Security Group Research & Intelligence

Social Networking Risk – Who Do You Want to be Today?

Dennis Rand – Senior malware/security researcher

[email protected]

Page 2: LinkedIn Threats


Agenda

Short introduction to CSIS

Social networking (based on LinkedIn case)

Risks of Social Networking

Best Practices

Revelation of the ”fake” LinkedIn profile that became ”friends” with 1000’s of people

Page 3: LinkedIn Threats


CSIS – introduction

CSIS is a Danish-owned IT security company.

It specialises in the following areas:

- Anti-phishing and cybercrime services

- ”Command and Control” stolen data recovery (M.A.S.H)

- Vulnerability and application tests (PCI approved vendor)

- Log monitoring and consolidation, and IDS

- Brand monitoring

- Mail firewall services

- SecDNS services

- CSIS Platinum alert service

Page 4: LinkedIn Threats


Social networking

Social networks are getting more popular globally.

– LinkedIn

– Plaxo

– Xing

– CollectiveX

– Viadeo

– Facebook

– MySpace

– SkyRock

Page 5: LinkedIn Threats


Risks of Social networks

Page 6: LinkedIn Threats


Risks of Social networks

The threats against the users of social networks:

– Employees can take client information with them if they leave

– Competitors’ use of your social network

– Hackers’ use of your online social networks

Page 7: LinkedIn Threats


LinkedIn

LinkedIn is an online network of more than 20 million experienced professionals from around the world, representing 150 industries.

With a LinkedIn account/profile you can:

Find and meet potential clients, service providers, subject experts, and partners who come recommended

Be found for business opportunities

Search for great jobs

Discover inside connections that can help you land jobs and close deals

Post and distribute job listings

Find high-quality passive candidates

Get introduced to other professionals through the people you know

Source: http://www.linkedin.com/static?key=company_info

Page 8: LinkedIn Threats


Employees can bring client information if they leave

Employee contracts often state ”you are not allowed to use customer information if you leave”, but!

Page 9: LinkedIn Threats


Competitors’ use of your social network

The use of social networks is getting more and more common around the world; they are used for keeping a list of clients, friends, co-workers and business partners.

The problem with LinkedIn is that showing this list of connections to others is a default setting.

Page 10: LinkedIn Threats


Hackers’ use of your online social networks

A hacker’s approach to abusing LinkedIn would be information gathering, since on LinkedIn, as on any other social networking service, you can be whoever you want to be, or take on the identity of whoever you want:

– Building up a large network

– Email harvesting

– Personalized malware and attacks (social engineering)

– Information disclosure of products and vendor usage

Page 11: LinkedIn Threats


Building up a large network

The social network service performs no check of the data entered.

– We created an interesting profile:

– The profile had worked at 3 large organisations

– A college degree

– Long work experience

– Sent an invite to random people who had made their email public

– Within 3 hours we received the first invites back

– Sent out a lot of invites

– Accepted everything

– Joined groups

– Added the profile to ”Toplinked.com”, ”opennetworkers.pbwiki.com” and other LinkedIn-related websites

Page 12: LinkedIn Threats


Date of statistics: 21 April 2008 – Profile has been active for almost a year

Building up a large network

As of today my profile has 3601 direct connections, 1115 of which invited me. 10,449,800+ connections at the 3rd level.

Invitation statistics (bar chart in the original slide):

– Accepted invitation: 2486

– Invited me: 1115

– Rejected invitation: 132

Page 13: LinkedIn Threats


Date of statistics: 21 April 2008 – Profile has been active for almost a year

Building up a large network

Top 30 industries among the profile’s connections (bar chart in the original slide, y-axis 0–700; the individual bar values are not recoverable from the transcript):

– Staffing & Recruiting
– Computer software
– Computer and Network security
– Management consulting
– Human Resources
– Internet
– Financial Services
– Telecommunications
– Banking
– Marketing and advertising
– Outsourcing & Offshoring
– Professional training and coaching
– Computer networking
– Security & Investigations
– Information Technology and Services
– Computer hardware
– Accounting
– Venture capital & Private equity
– Real estate
– Investment banking
– Pharmaceuticals
– Research
– Logistics and supply chain
– Investment management
– Information Services
– Retail
– Semiconductors
– Defense & Space
– Wireless
– Oil & Energy

Page 14: LinkedIn Threats


Date of statistics: 21 April 2008 – Profile has been active for almost a year

Building up a large network

Interesting industries where my profile has connections:

– Computer and Network security: 192
– Financial Services: 110
– Banking: 94
– Security & Investigations: 34
– Investment banking: 25
– Defense & Space: 18
– Law enforcement: 5
– Military: 4
– Government Administration: 4
– Government Relations: 4

People in my network with security-related certifications:

– CISSP: 173
– CISA: 95
– CISM: 50
– CEH: 18
– ISSMP: 12

Page 15: LinkedIn Threats


Building up a large network

Date of statistics: 12 March 2008 – Profile has been active for almost a year

Some interesting groups I have joined

– By joining groups, I also strengthen the trust in the profile; it is currently a member of 790 groups

Page 16: LinkedIn Threats


Email harvesting

If you create an interesting profile and through it appear to be a previous employee of a company, you can get a list of that company’s employees whom you can send an invite to without having to know their email addresses.

All contacts can be exported from LinkedIn and (ab)used.

Page 17: LinkedIn Threats


Personalized malware and attacks

Scenario 1

A malicious person would use the contacts connected through the network and send mails that include information available about the people in the network, for example:

Hey Jack, we are connected through LinkedIn and I wanted to send you this information.

Please view the attached file or download it from http://www.xxxxxx.dk/MyPersonalCV

Best regards

Frederick Hanson

Page 18: LinkedIn Threats


Personalized malware and attacks

Scenario 2

Publishing a question to specific groups within the trusted LinkedIn network and adding a URL to a malicious website that infects users when they visit it, either by drive-by download or by social engineering (tricking the user into opening a malicious file).

Page 19: LinkedIn Threats


Personalized malware and attacks

Scenario 3

Add a link to my public profile which points to a website that collects information about the people visiting it, or perhaps offers a malicious file for download, e.g. resume.exe, described as a self-extracting file containing a PDF with my resume. You can even abuse vulnerabilities in, say, Adobe software or Microsoft Word/Excel to make this attack more effective.
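Added example (not from the original slides): a small Python check that looks for the lure features of scenarios 1 and 3 in an incoming mail, namely an attachment with an executable extension posing as a résumé (resume.exe, or the double-extension resume.pdf.exe), a download link whose host is not the sender's domain, and the "we are connected through LinkedIn / my personal CV / self-extracting" pretext in the body. The message it analyses is constructed for the example with reserved example/.test domain names; the extension list and the pretext phrases are assumptions that a mail-gateway team would tune for its own environment.

```python
"""Lure checks for the scenario 1 / scenario 3 e-mails (added example).

Assumptions: the executable-extension list, the pretext phrases and the
constructed sample message are illustrative, not taken from the slides.
"""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Extensions that run code when double-clicked on Windows (assumed list).
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta"}
# Pretext phrases taken from the two scenarios on the slides.
PRETEXT_RE = re.compile(
    r"connect(ed)?\s+(through|on|via)\s+LinkedIn|my\s*personal\s*CV|self[- ]extracting",
    re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def build_sample():
    """Constructed lure combining scenario 1 (text) and scenario 3 (attachment)."""
    msg = EmailMessage()
    msg["From"] = "Frederick Hanson <frederick@example.com>"
    msg["To"] = "jack@example.org"
    msg["Subject"] = "We connected on LinkedIn"
    msg.set_content(
        "Hey Jack, we are connected through LinkedIn and I wanted to\n"
        "send you this information. Please view the attached file or\n"
        "download it from http://www.lure.test/MyPersonalCV\n"
        "\nBest regards\nFrederick Hanson\n")
    # Fake PE header as the attachment body; the double extension hides the .exe.
    msg.add_attachment(b"MZ\x90\x00\x03", maintype="application",
                       subtype="octet-stream", filename="resume.pdf.exe")
    return msg.as_string()


def parse(raw):
    """Parse with the modern policy so parts expose get_content()."""
    return message_from_string(raw, policy=policy.default)


def sender_domain(msg):
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""


def suspicious_attachment(filename):
    """True when the *last* extension is executable, which catches both
    resume.exe and the double-extension trick resume.pdf.exe."""
    name = filename.lower()
    dot = name.rfind(".")
    return dot != -1 and name[dot:] in EXEC_EXT


def link_mismatch(url, sdom):
    """True when the link host is neither the sender domain nor a subdomain of it."""
    host = (urlparse(url).hostname or "").lower()
    return not (host == sdom or host.endswith("." + sdom))


def analyse(raw):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    msg = parse(raw)
    sdom = sender_domain(msg)
    findings = []
    body = ""
    for part in msg.walk():
        fn = part.get_filename()
        if fn:
            if suspicious_attachment(fn):
                findings.append(f"executable attachment: {fn}")
            continue
        if part.get_content_type() == "text/plain":
            body += part.get_content()
    for url in URL_RE.findall(body):
        if link_mismatch(url, sdom):
            findings.append(f"link to {urlparse(url).hostname} from sender at {sdom}")
    if PRETEXT_RE.search(body):
        findings.append("LinkedIn-connection / CV pretext in body")
    return findings


if __name__ == "__main__":
    for finding in analyse(build_sample()):
        print("FLAG:", finding)
```

Each check on its own is weak (legitimate mail links to third-party hosts all the time); the value is in the combination, which is why analyse() returns all findings rather than a single verdict.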

Page 20: LinkedIn Threats


Personalized malware and attacks

Scenario 4

Targeted attacks against a country, industry or business; again it is possible to use LinkedIn to filter and export the data.

Over the last few years we have seen more and more targeted attacks (spear phishing) on businesses such as research and financial corporations.
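Added example (not from the original slides): a Python script showing what the export-and-filter step of scenario 4 (and the contact export mentioned under email harvesting) gives an attacker, or a red team in an authorised assessment. It reads a connections export, counts connections per industry and per security certification in the style of the statistics slides, builds a per-industry mailing list, and pulls vendor/product names out of the free-text fields, which is the information-disclosure problem the next slide raises. The CSV column names, the rows and the vendor keyword list are all constructed assumptions, not real LinkedIn data and not the speaker's own tooling.

```python
"""Triage of an exported connections list (added example).

Assumptions: the column names, the sample rows and the vendor keyword list
are constructed for this example; nothing here refers to real people.
"""
import csv
import io
import re
from collections import Counter, defaultdict

# Constructed sample export (assumed column layout).
SAMPLE_EXPORT = """\
First Name,Last Name,Email Address,Company,Position,Industry,Summary
Anna,Example,anna@example-bank.test,Example Bank,Network Security Engineer (CISSP),Banking,"Runs the Cisco ASA firewalls and Check Point clusters for the trading floor"
Bo,Sample,bo@example-bank.test,Example Bank,SOC Analyst,Banking,"Tier 2 analyst on ArcSight, CEH certified"
Cara,Demo,cara@pharma.test,Pharma Co,IT Auditor CISA,Pharmaceuticals,"SAP and Oracle audits, CISM in progress"
Dan,Test,dan@defense.test,Defense Co,Program Manager,Defense & Space,"Leads the migration to Windows Server 2008"
"""

# The certifications counted on the statistics slide.
CERT_RE = re.compile(r"\b(CISSP|CISA|CISM|CEH|ISSMP)\b")
# Vendor/product keywords to look for in free text (assumed starter list).
VENDOR_KEYWORDS = ("Cisco", "Check Point", "ArcSight", "SAP", "Oracle", "Windows Server")


def load_export(text):
    """Parse the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def by_industry(rows):
    """Connections per industry (the 'Top 30 industry' view)."""
    return Counter(r["Industry"] for r in rows)


def certifications(rows):
    """Count each security certification once per person who mentions it."""
    counts = Counter()
    for r in rows:
        counts.update(set(CERT_RE.findall(r["Position"] + " " + r["Summary"])))
    return counts


def vendor_disclosure(rows):
    """Map company -> sorted vendor/product names its staff mention in profiles."""
    out = defaultdict(set)
    for r in rows:
        text = (r["Position"] + " " + r["Summary"]).lower()
        for kw in VENDOR_KEYWORDS:
            if kw.lower() in text:
                out[r["Company"]].add(kw)
    return {company: sorted(v) for company, v in out.items()}


def targets(rows, industry):
    """Scenario 4: filter the export to one industry and return (name, email)
    pairs, i.e. a ready-made spear-phishing list."""
    return [(f"{r['First Name']} {r['Last Name']}", r["Email Address"])
            for r in rows if r["Industry"] == industry]


if __name__ == "__main__":
    rows = load_export(SAMPLE_EXPORT)
    print(by_industry(rows))
    print(certifications(rows))
    print(vendor_disclosure(rows))
    print(targets(rows, "Banking"))
```

Run against a real export of your own organisation's staff (with permission) the same four functions double as a quick audit of what a stranger who connected with one employee can already see.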

Page 21: LinkedIn Threats


Information disclosure of products and vendor usage

Another security threat concerning social networks is that people put in far too much information, which could be abused by hackers to gain insight into the network and infrastructure prior to a targeted attack.

The resume reveals a lot of information, as shown below:

Page 22: LinkedIn Threats


Best Practices

Page 23: LinkedIn Threats


Best Practices

Companies should address the use of social networks in their security policy.

– If using social networks is allowed, a guideline or procedure describing how they are to be used, to protect your company from information disclosure, would be advisable.

Page 24: LinkedIn Threats


Best Practices

The following issues should be taken into consideration:

– People will write too detailed and possibly confidential information in their profile.

– People will allow everyone to see all connections made, again allowing possibly confidential information to leave the company.

– Employees can bring client contacts with them if they decide to leave the company, “without stealing any information” in the way we usually see; they have just connected to the clients.

– People will trust their connections and click on everything that they receive from these people.

Page 25: LinkedIn Threats


Best Practices

Are social networks like LinkedIn good or bad? It all depends on the usage!

I find social networks to be a good thing as long as you remember that your information is to some extent public to the world, so beware of what you write about yourself and your company, since this information could potentially be abused by hackers.

Also, when you accept connections, ensure that people are who they say they are, and consider whether or not you really want them as a connection.

Page 26: LinkedIn Threats


Revelation of the LinkedIn profile

Page 27: LinkedIn Threats


I would like to present to you

John Smith

Page 28: LinkedIn Threats


Page 29: LinkedIn Threats


Page 30: LinkedIn Threats


Page 31: LinkedIn Threats


Invitation sent out:

I found you while I was searching my network on LinkedIn.

In the future I might be interested in contacting you regarding possible job/business connections, so this is my way of keeping a list of interesting people and possible future business partners/connections.

A little about myself: I'm currently doing projects all around the world, with IT-security related work, primarily around ITIL, auditing, forensics and malware.

I'm an “open networker”, since I find it fascinating to get to know people from all around the world.

Currently I work as a freelance consultant for a large company not mentioned in my profile, due to my contract :)

I’m currently looking for a full-time job, when I’m finished with the contract that I’m under; the project ends around April 2008.

In my spare time I enjoy reading fiction and running. I’m also an astronomer, with too little time to spare for that area.

I’ve been married to my beautiful wife Lynn since 2006 and we have a small girl named Kathryn, who is now 1½ years of age.

Hope you will take the time to read my profile and accept my invite :)

Best regards

John Smith

Page 32: LinkedIn Threats


So close, yet so far away

Page 33: LinkedIn Threats


Questions ?