Individuals are more insulated from spam or worms on LinkedIn than you would be on MySpace -- but your organization may be more susceptible to a targeted attack via the business-oriented social networking site.
This is just one example of the differences in vulnerabilities found in the three most popular social networking sites: MySpace, Facebook, and LinkedIn. Although the three sites have previously been painted with a broad security brush, each carries its own unique risks, experts say. (See Social Networking Gone Bad.)
LinkedIn, which is based on a friend-to-friend-to-friend connection model, could provide a social engineer with a treasure trove of information, including corporate organization charts or email addresses that can lead to spear-phishing attacks.
"You can log onto LinkedIn without authentication and claim to be part of a group, and suddenly you have an organizational chart that is typically confidential information," says Tod Beardsley, lead counter-fraud engineer for TippingPoint. "So it lets you do a Kevin Mitnick-style attack, where you're inserting yourself into a position of trust... This makes the job of social engineering much easier."
LinkedIn's problem isn't as much technology as the common practice of sharing of names, titles, and organizations. "It used to take someone a couple of weeks or a month to get an organizational chart for his attack. Now it's all online," he says.
Once an attacker finds out the names of who works with whom, for instance, he could send a carefully crafted email via LinkedIn to the victim's HR department head, posing as a headhunter recommending a candidate for an open position. But his email could carry a malicious Word file, rather than a resume. When opened, the file could gain ownership of the HR rep's PC and steal other company information, says Graham Cluley, senior technology consultant for Sophos.
"Information about how people are connected, the work they do, and their positions, is all gold dust to the committed identity thief or targeted attacker," Cluley says. "It gives them the stepping stones to commit identity theft" or other breaches, he says.
And because LinkedIn and other social networking sites let users authenticate to the site using an email address, they open up another potential hole for an attacker. "LinkedIn suffers from the same problem as a lot of other social networking sites -- they do a lot of authentication based on unauthenticated email," TippingPoint's Beardsley says. A user can click onto the "forgot my password" button to reset a password, for instance.
"The problem here is you're relying on email security as well as your social networking site security," he says. "Both have to work well."
But LinkedIn is generally safer than MySpace and Facebook, mainly because it's less feature-rich and thus opens fewer potential attack vectors, experts say.
No comments:
Post a Comment