LinkedIn – (In)Security by Design

Drazen Drazic

Drazen Drazic is the managing director of Securus Global, a leading Information Security consulting organisation specialising in application and network security, penetration testing and product testing for international security vendors. He is engaged as a consultant across most industry sectors on Information Security policy and strategy. In earlier times, he has headed up Information Security for a global investment bank and Big-Four professional services firm, been a regional IT director and has spent years promoting and talking about information security. Twitter: @ddrazic

On one side, and rightly so, there were serious questions asked of LinkedIn and its security practices. Certainly the consensus was that its practices in regards to passwords left a lot to be desired. Furthermore, a large company of this size (in terms of the number of users it has) should be taking the security of those users’ data more seriously—this type of breach just should not be happening.

Taking aside the technical security issues now, I put forward the question; does a hacked LinkedIn present much more risk to an individual and the company they work in than a non-hacked LinkedIn?

Looking at the consequences of the current security breach as reported, what has been the impact to an individual LinkedIn user? LinkedIn, by nature of its business model, is the sharing of ‘personal’ information. That information is there already to one degree or another and what isn’t directly accessible can be, with a few clicks to ‘connect’.

While we question the security practices of LinkedIn and why such a breach could happen, few companies realise the security risks presented by the normal use of LinkedIn.

For a long time now we’ve tagged LinkedIn as the ‘social engineer’s best friend’. A social engineer in this context doesn’t necessarily mean a hacker, although it may well be (and more on that shortly) but it also defines anyone who could use the information the individual or company has on the site for the purposes of their own benefit. (Not the purposes the individual or company had intended that information be used for).

It’s an open information source on your company that can be tapped by almost anyone out there; competitors, clients, recruiters, vendors, anyone looking for an entry point to information that they can use to help them conduct their business—for any purpose. There’s so many potential ways this information can be used and I won’t go into more details here, but as a company, if you’re not aware of, understanding, and managing the risks of the use of LinkedIn, you are potentially putting your organisation at risk.

LinkedIn is database of corporate information that does not fall under the management control of the companies and companies’ staff using it. Its usage policies don’t align to your company’s usage policies. Its security policies don’t align to your company’s security policies. How are you controlling what information is being posted about your company?

From our perspective, LinkedIn provides almost all the information a targeted social engineering attacker (according to a hacking definition) could need to launch attacks on your business.

With only a short reconnaissance time, an attacker can build a detailed and very definitive corporate profile. We proved this at the Defcon Social Engineering Tournament in Las Vegas in 2010.

How this translates into an attack, we covered in more detail here:

If you’re sitting back reading this and thinking; “It can’t be that easy”. Believe me, in all the testing we’ve done for large companies, it has been. We have a 100% success rate at the moment—and we’re the good guys whose testing is usually time-boxed and working under tight scope constraints.

A malicious attacker doesn’t work under these constraints. They can take their time and work under whatever scope they choose. It’s not within the company’s control.

As we always say, if someone wants to get your information, with enough time and effort they will. That is a scary truth, All you can do is to try to make it harder for them—harder so that they hopefully will either give up, move onto an easier target or at least if they’re determined to get you, have to resort to approaches that may see them make mistakes and be detected.

Don’t make life easier for a targeted or opportunistic attack on your business. Assess your use of social media such as LinkedIn, identify your risks, understand them and set policies accordingly and importantly, continually monitor. Failure to do so could be business threatening. If you are an officer of the company and/or Director on the Board, you have an obligation under the corporations act to be doing this anyway.

When you look at it this way, I ask the question again; does a hacked LinkedIn really present anymore risk to you than a non-hacked LinkedIn? It depends upon how you use it.

Follow Drazen Drazic on Twitter:!/ddrazic

Show Comments