Sunday, August 14, 2011

Social Engineering Attacks and LinkedIn


I’ve mentioned social engineering attacks as a method that attackers may use to get access to relatively well-secured networks. While many social engineering attacks are bulk attacks, aimed at anyone in an organization, we have been hearing more and more about targeted attacks. These are aimed at specific people in an organization, control systems engineers or technicians for instance.

The question often arises: how do attackers select the targets of these spear phishing attacks? One way is by perusing social networking sites, particularly professional sites like LinkedIn.com. In the modern networked society in which we operate, it would be a waste of time to recommend that personnel in security-sensitive positions forgo the use of these sites; too much valuable information is exchanged through this medium.

No, what every security expert I have heard over the last couple of years says is that everyone should be careful about the information they share on these sites and who they share it with. Frequently this is easier said than done, as the managers of these sites are not really concerned about secondary security issues, such as exposing information that could be used to develop a targeted social engineering attack against an industrial control system.

I had an interesting bit of information shared with me by a long-time reader. It seems that LinkedIn has learned a new marketing trick from Facebook. LinkedIn describes it this way:

LinkedIn may sometimes pair an advertiser's message with social content from LinkedIn's network in order to make the ad more relevant. When LinkedIn members recommend people and services, follow companies, or take other actions, their name/photo may show up in related ads shown to you. Conversely, when you take these actions on LinkedIn, your name/photo may show up in related ads shown to LinkedIn members. By providing social context, we make it easy for our members to learn about products and services that the LinkedIn network is interacting with.

So if you follow an automation company like Siemens, or any of a hundred other vendors, your name and picture could show up in one of their LinkedIn ads. Someone interested in attacking one of that vendor's installations could follow the ad back to your profile and learn who you work for. From there most people can guess your corporate email address, and you are now a target.

LinkedIn has provided a way for people to opt out of this program, so they are not totally clueless; though it does seem odd that they haven’t publicized the option. Anyway, thanks to one of my cybersecurity readers, here is the simple technique for protecting yourself against this source of social engineering target selection:

• Log into your LinkedIn account;

• In the upper right corner of the screen, select 'Settings' under your name;

• Go to 'Account' on the bottom left side of the screen and select 'Manage Social Advertising' under ‘Privacy Controls’;

• Uncheck the box which states 'LinkedIn may use my name & photo in social advertising'; and

• Click on ‘Save’.

This is a simple enough process. It took me literally seconds to complete. I recommend that anyone who occupies any type of security-sensitive position do the same.
