If you use LinkedIn, you've probably told the site where you work, what you do and who you work with. That's a gold mine for hackers, who are increasingly savvy in using that kind of public -- but personal -- information for pinpoint attacks. It's called "spear phishing," and it paid off last year in two especially high-profile security breaches: a Gmail attack that ensnared several top U.S. government officials and a separate attack on RSA, whose SecurID authentication tokens are used by millions. In both cases, the attackers successfully tricked their targets into opening e-mail attachments that appeared to come from trusted sources or colleagues. Investigators haven't disclosed how the attackers gathered information on their victims, but at RSA's security conference last month, the risks of social networking sites -- and LinkedIn (LNKD) in particular -- were a hot topic. Dozens of presenters said the business networking site could be a potent weapon in the hacker toolkit. "Businesspeople are using LinkedIn for research purposes, and headhunters and marketers use it to recruit. Why wouldn't Chinese intelligence agents use it as well to spear phish?" said security analyst Ira Winkler, the author of "Spies Among Us." Most of the discussion about LinkedIn's risks was theoretical -- investigators say it's almost impossible to trace back the original source of personal data used in successful "social engineering" attacks. But in one arresting case study, self-described "hacker for hire" Ryan O'Horo demonstrated how he used LinkedIn to get inside a client's corporate network. O'Horo is a managing security consultant for IOActive, a services firm that offers vulnerability testing. His customer, a "high-profile company with tens of thousands of employees," had top-notch technical protections. "We needed to go to the next level," O'Horo said of his efforts to crack its network. O'Horo created a fake account on LinkedIn, posing as a company employee. He stocked the profile with realistic details -- a plausible job history and skill set -- plus a few credibility-establishing flourishes like a membership in a local hockey league. From his dummy account, O'Horo sent out 300 connection requests to current company employees. Sixty-six were accepted. Next, O'Horo requested access to a private LinkedIn discussion forum the company's employees had created. The group's moderators granted his request without ever checking a company directory to confirm his identity. "Now I had an audience of 1,000 company employees," O'Horo said. "I posted a link to the group wall that purported to be a beta test sign-up page for a new project. In two days, I got 87 hits -- 40% from inside the corporate network."
O'Horo got caught just three days into his LinkedIn attack: An astute employee figured out he didn't belong and blew the whistle. But he'd already made his point. "They were definitely surprised that the group existed," O'Horo said of his client's response to his report. "It wasn't a formal company group; there was no oversight or policy covering that aspect of their social presence. The people in charge of their information security didn't know it was there." Hackers don't need anything so fancy as private discussion forums to take advantage of LinkedIn, though. The site's users openly display plenty of valuable data. At last summer's DefCon security conference, a group of "social engineering" hackers staged a game in which contestants attempted to trick employees at more than a dozen major companies -- including Apple (AAPL, Fortune 500), AT&T (T, Fortune 500), Calmar (WMT,Fortune 500) and United Airlines (UAL, Fortune 500) -- into disclosing sensitive corporate information. Next to Google (GOOG, Fortune 500), LinkedIn was the competitors' most widely used resource. Some people divulged specific technical information about their employer's infrastructure in their profiles, while others offered up details that could be used for stealth attacks. For example: If you can learn the name of a target's colleagues, it's fairly easy to fake an email that appears to come from one of them.
No comments:
Post a Comment