« Loan Repayment Plans for Judges? | Main | Responsibility for Srebrenica »
September 11, 2008
Is LinkedIn a Bad Idea for Employers?
On LinkedIn, users connect with colleagues, clients, and friends, providing information about their professional specialties in the hopes of generating business opportunities. Although that social networking site and others like it may help organizations and their employees build client rosters, they also provide crucial information to hackers who use it to prey upon an organization’s employees and fool them into downloading malware into their system. With the Google search of “at site: linkedin.com” and a company’s name, an attacker can view a list of public LinkedIn profiles of individuals working at the company, their positions, and potentially a list of their closest colleagues. An attacker who knows the email address formatting conventions within a company would in turn know the email address of many potential victims.
Consider this example. An attacker learns that two employees with an organization, Jonathan and Nate, are friends. The attacker might send Jonathan an email purporting to be from Nate. The text of the message might say, "Jonathan, I would love your thoughts on this power point I put together for my upcoming conference. Best, Nate." If the attacker can persuade Jonathan to open the email, the attacker can gain power over that user to spread malware that could raid the employer’s digital treasure chests of valuable information.
Markus Jakobsson offers advice on how to combat this problem. Employers could insist that employees do not maintain public profiles of their social networking sites. They could educate employees about the tactics used by attackers. Better spam filtering would make it harder to reach the potential victims, and good antivirus protection from an established vendor that provides regular, reliable updates may effectively block many dangerous attachments.
Posted by Danielle Citron at September 11, 2008 02:53 PM
Trackback Pings
TrackBack URL for this entry:
http://www.concurringopinions.com/movabletype/mt-tb.cgi/4184.
Comments
Employer controls? as if that ever works. By your reasoning, e-mail is bad for companies. Several viruses have transited via e-mail in just the way you describe and have been extremely successfully in shutting down a company's mail system and other things. Block all non-registered e-mail addresses? Probably not going to work in a large operation. Risk filtering out an important client mail (it happens, I speak from personal experience). Also not a good idea.
Your scenario also decribes the same thing as breaking into someone's e-mail. I would hope that LinkedIn is at least close to the security of e-mail if not the same (which isn't much, all things said).
The social networking sites, personal e-mail at work and receiving personal mail on work e-mail all bring up interesting risk issues. But prohibition techniques is probably not the best way to address the problem.
Posted by: Jack S. at September 11, 2008 06:15 PM
the other things though, education and better virus filtering is a good technique. This of course requires properly trained technical staff as well who keep an eye on the virus news sites via alerts or whatever, etc. many times these nasty's come out and do damage before corrective action can be taken. some can be spared if there's effective communication.
Posted by: Jack S. at September 11, 2008 06:19 PM
Another way to combat the problem would simply be to not have any friends. :-)
Posted by: Bruce Boyden at September 11, 2008 07:48 PM
Jack S., this problem is more insidious than typical spam. It's now possible to do some pretty convincing social engineering, rather than just a "Dear Sir" in some strange email with a link or attachment.
The remedies listed are quite appropriate. Tools are readily available to block malware attachments, filter email from spammy addresses, and even flag emails containing links to known malware domains and IP addresses. But education is key to get employees to recognize the risks of putting too much information in the public domain that can easily play into social engineering attacks.
Posted by: Logical Extremes at September 11, 2008 11:06 PM
