Posts Tagged ‘linkedin’

A quick “heads up” that I will be presenting on the topic of Social Media Threats on Friday, March 7, at the Delaware Valley Chapter of the Information Systems Security Association. Here’s a link for more info:

www.issa-dv.org/meetings

Also, I’ll be presenting on Access Management and Federated Identity Management on Thursday, March 20, at the Harrisburg (PA) Chapter of ISACA (previously known as Information Systems Audit and Control Association). Link below:

www.isaca-harrisburg.org

So if you’re looking for some CPE’s and will be in the area, please drop by and say “hi.”

I’ve posted a video of the full presentation I gave in Munich earlier this year on social media threats but now if you want the abbreviated format, please join me at Hacker Hotshots on Thursday, July 18, at noon (EDT) for a short web cast.

Here’s a link to the web site where you can register:

http://www.concise-courses.com/infosec/20130718/#

Here’s an article from the Greater Wilmington Business Journal covering the keynote I gave on social media threats yesterday at the Wilmington IT eXchange.

http://www.wilmingtonbiz.com/industry_news_details.php?id=5198

Thanks to the 130 or so people that came out and packed the house and a special thanks to Dr. Tom Janicki and Dr. Bryan Reinicke, for the invitation to speak and hospitality while I was there.

As I’m sure many of you have heard, the popular, business-oriented social networking site, LinkedIn.com, had a security breach recently that resulted in exposing about 6 million of its users’ passwords. You might be thinking, what’s the big deal?

  1. I don’t store anything all that sensitive on my LinkedIn account and
  2. even if I did, why would anyone want to target me?

The first issue that many fail to appreciate is that most people use the same password for more than one site. In fact, many use the same password for every site. This is a problem since it means that if I know your LinkedIn password, I probably also have a pretty good idea what your email password is. And if I can get into your Gmail account, for instance, then I can also go to your banking site and request a new password be emailed to your account, which I now control.

Furthermore, I can change all these passwords to one of my choosing and then you can’t get in to fix the problem either. Then it’s game over and you are forced to deal with a sea of faceless support centers for each site trying to gain back control of your digital persona. Since many of these services are free, the support your get is worth about as much as you paid for it, if you know what I mean.

As to why you would be targeted for such an attack? Because you exist. Hackers don’t only go after famous people just as identity thieves don’t restrict themselves to only millionaires.

So, what can you do?

  • First of all, you should probably change your LinkedIn password today. Even if you weren’t one of the 6 million compromised accounts, why wait for the next breach?
  • Second, change other passwords to key accounts like your email, bank, credit card and merchant sites that might have payment details stored for you.
  • Third, choose good passwords that can’t be easily guessed or cracked through dictionary or brute force attacks, which leads to …
  • Fourth, use a password storage vault or single sign-on software to keep track of all your passwords. These tools allow you to generate strong, hard to guess passwords that are unique for every site and only require you to remember one strong master password to unlock the vault.

If you are trying to do this for an entire organization, consider a centrally managed, enterprise class tool like IBM Security Access Manager for Enterprise Single Sign-On, which automatically enters userids and passwords when logon fields pop up, allows you to set policies for all your users and supports resetting lost passwords and shared workstation support with fast user switching.

If you want a simple, free tool to keep track of passwords on a single system that requires you to copy and paste stored passwords manually from the vault, Password Safe, from the open source SourceForge project is one of many options.

Also, there are other options that range somewhere in between for a range of prices supporting a variety of platforms. Whatever you choose, just try to make sure it comes from a legitimate source. The worst case scenario would be to store all your passwords in one tool that sends all your info to an attacker.

OK, so now you just think I’m being paranoid, right?

LinkedInMy previous posting dealt with a technical attack involving malware being distributed through social media. Here’s a story on how social media sites can be used for social engineering to entice users into being attacked.

http://money.cnn.com/2012/03/12/technology/linkedin-hackers/index.htm

The article points to how information gleaned from LinkedIn profiles can be used to target users with more plausible attack scenarios — a.k.a. spear phishing. It describes how one person was able to get added as a connection to more than 60 people at a company where he posed online as a worker and then proceeded to get himself added to a private LinkedIn discussion forum.

  • “Now I had an audience of 1,000 company employees,” O’Horo said. “I posted a link to the group wall that purported to be a beta test sign-up page for a new project. In two days, I got 87 hits — 40% from inside the corporate network.”

Of course, the risk here is that the fake page could have been infected and used to distribute malware as previously described. But is this really a problem with LinkedIn? Should we avoid social networking sites as a result?

I would say “no” and “no.” The real issue here was that people were trusting things they shouldn’t trust. If someone had bothered to find out who this guy was before adding him to the private discussion forum, it wouldn’t have been an issue. Also, if users had been more discerning as to which links they clicked on, it wouldn’t have been an issue.

The point really is what and whom should you trust? LinkedIn, like any social networking site, is only as good as the information in it and only as trustworthy as the people posting to it. It seems that every time we develop a new communications forum, whether it be snail mail, telephone, email, SMS, or social networking sites, we have to re-educate ourselves as users as to what is and is not reasonable and responsible behavior within this new context.

Hackers know this and it’s how they are able to exploit these windows of opportunity with each new turn of the technological crank. The onus is on the good guys to maintain a healthy skepticism when moving into new forums or risk being the next victim.

Welcome to Inside Internet Security — the blog. I qualify it that way since it is named after a book I wrote about a dozen years ago which, in a sense, served as the launch pad for what has been an amazing personal journey through the intricacies of IT security in the age of the Internet.

It seems somehow appropriate to commence this new (for me) means of outreach through social media with an exploration of some of the security risks inherent in this format. So in that spirit, I offer up a link to a keynote talk I did in September of 2011 at the New York Institute of Technology’s Cyber Security Conference for your consideration in hopes that it will provoke some thinking on the topic.

In this talk I discuss some of the vulnerabilities in the social networking format as well as cite examples of real world attacks and compromises that have occurred on Facebook and LinkedIn along with some discussion of the weaknesses that exist in current authentication technologies such as passwords and biometrics. (There were some technical difficulties with the audio at the start but it smooths out soon.)

Enjoy …

https://i0.wp.com/www.nyit.edu/images/uploads/calendar/cybersecurity-200_1.gif

NYIT Cyber Security Conference: How Secure Are We? Identify Management and Social Networking Threats