Is LinkedIn a Bad Idea for Employers?
posted by Danielle Citron
On LinkedIn, users connect with colleagues, clients, and friends, providing information about their professional specialties in the hopes of generating business opportunities. Although that social networking site and others like it may help organizations and their employees build client rosters, they also provide crucial information to hackers who use it to prey upon an organization’s employees and fool them into downloading malware into their system. With the Google search of “at site: linkedin.com” and a company’s name, an attacker can view a list of public LinkedIn profiles of individuals working at the company, their positions, and potentially a list of their closest colleagues. An attacker who knows the email address formatting conventions within a company would in turn know the email address of many potential victims.
Consider this example. An attacker learns that two employees with an organization, Jonathan and Nate, are friends. The attacker might send Jonathan an email purporting to be from Nate. The text of the message might say, “Jonathan, I would love your thoughts on this power point I put together for my upcoming conference. Best, Nate.” If the attacker can persuade Jonathan to open the email, the attacker can gain power over that user to spread malware that could raid the employer’s digital treasure chests of valuable information.
Markus Jakobsson offers advice on how to combat this problem. Employers could insist that employees do not maintain public profiles of their social networking sites. They could educate employees about the tactics used by attackers. Better spam filtering would make it harder to reach the potential victims, and good antivirus protection from an established vendor that provides regular, reliable updates may effectively block many dangerous attachments.
September 11, 2008 at 2:53 pm
Posted in: Privacy
Print This Post
Responses (4)
Jack S. - September 11, 2008 at 6:15 pm
Employer controls? as if that ever works. By your reasoning, e-mail is bad for companies. Several viruses have transited via e-mail in just the way you describe and have been extremely successfully in shutting down a company’s mail system and other things. Block all non-registered e-mail addresses? Probably not going to work in a large operation. Risk filtering out an important client mail (it happens, I speak from personal experience). Also not a good idea.
Your scenario also decribes the same thing as breaking into someone’s e-mail. I would hope that LinkedIn is at least close to the security of e-mail if not the same (which isn’t much, all things said).
The social networking sites, personal e-mail at work and receiving personal mail on work e-mail all bring up interesting risk issues. But prohibition techniques is probably not the best way to address the problem.
Jack S. - September 11, 2008 at 6:19 pm
the other things though, education and better virus filtering is a good technique. This of course requires properly trained technical staff as well who keep an eye on the virus news sites via alerts or whatever, etc. many times these nasty’s come out and do damage before corrective action can be taken. some can be spared if there’s effective communication.
Bruce Boyden - September 11, 2008 at 7:48 pm
Another way to combat the problem would simply be to not have any friends.
Logical Extremes - September 11, 2008 at 11:06 pm
Jack S., this problem is more insidious than typical spam. It’s now possible to do some pretty convincing social engineering, rather than just a “Dear Sir” in some strange email with a link or attachment.
The remedies listed are quite appropriate. Tools are readily available to block malware attachments, filter email from spammy addresses, and even flag emails containing links to known malware domains and IP addresses. But education is key to get employees to recognize the risks of putting too much information in the public domain that can easily play into social engineering attacks.
Leave a Reply