What I find amazing is the number of people who are involved in various aspects of security and supposedly aware of basic security policy, continue to provide endless information about themselves and all the people they are connected with on LinkedIn. Every day, LinkedIn sends a daily bulletin to members with a list of new members who have joined the list of a members you are connected with including who they know and to which organizations they and their associates belong.
Members are more interested in having as many contacts as possible than they are about their own privacy or security. Between Google and LinkedIn, identity management becomes a farce.
One becomes a member simply by sending their true or alias name to LinkedIn. If I were to submit a well known and semi-famous alias that is known to several members of the group, I am sure that they would be flattered to have me on their list of LinkedIn associates and would be openly invited to join their list. I would slowly move up the ladder with their LinkedIn associates. Then by simple social engineering I would move about freely obtaining information and recommendation without any problem. I could then send to any of these trusting persons emails outside of LinkedIn with an innocent attachment containing a simple Trojan program that would allow me to obtain any data I needed from their computer.
Many years ago, I was invited by a friend to join LinkedIn. Flattered, I replied and filled out the application form. The very next day, I received an email bulletin containing the name of the member who invited me to join with his full biography. Soon, I began receiving requests from people I knew and had never heard. The potential dangers became all to apparent and I just stopped.
Identity management is not only academic, it is an everyday policy that people in the digital world need not only preach but practice.
Members are more interested in having as many contacts as possible than they are about their own privacy or security. Between Google and LinkedIn, identity management becomes a farce.
One becomes a member simply by sending their true or alias name to LinkedIn. If I were to submit a well known and semi-famous alias that is known to several members of the group, I am sure that they would be flattered to have me on their list of LinkedIn associates and would be openly invited to join their list. I would slowly move up the ladder with their LinkedIn associates. Then by simple social engineering I would move about freely obtaining information and recommendation without any problem. I could then send to any of these trusting persons emails outside of LinkedIn with an innocent attachment containing a simple Trojan program that would allow me to obtain any data I needed from their computer.
Many years ago, I was invited by a friend to join LinkedIn. Flattered, I replied and filled out the application form. The very next day, I received an email bulletin containing the name of the member who invited me to join with his full biography. Soon, I began receiving requests from people I knew and had never heard. The potential dangers became all to apparent and I just stopped.
Identity management is not only academic, it is an everyday policy that people in the digital world need not only preach but practice.
3 comments:
of course you could spin a story this way, but Linkedin is all about connections. You use it to find people. So, what is the risk in publishing your name,place of employment, and email address. Big deal. This information can be found in a thousand other places. Now if a person is ignorant enough to give up more important information through email to users in his/her network, then that is a problem; their problem. But I wouldnt play this off on Linkedin.
Its still a valuable tool.
Security is all about balancing risk. One can certainly be TOO paranoid.
The commenter above, identified as "Anonymous" made some interesting points, like there is a lot of information available "in a thousand other places", and asked what the risk is in giving out your name, place of birth, and email address. Well, by not giving out that information, you protect both your identity and your privacy - which is the point of the article. If you give "out" your identity, then you are potentially giving "up" your identity, and probably a lot more in terms of proprietary or confidential information (or info. that should be treated as confidential). If I don't tell you who I am, then you can't connect me with all the other personal information about me that is "out there" somewhere.
There is no privacy today. If you give out certain personal information, you're just making it easier for the bad guy. If the bad guy wants it bad enough, he'll get it.
Some easy areas are the phone book, public records (county, state, etc.) If you want to steal someone's identity, steal that of a deceased person from the cemetary and the obituaries. Birth dates, death dates and all family members are available.
Post a Comment