Tag Archive for LinkedIn

| September 6, 2012
2 comments

5 Tips To Make Meetings Less Painful

MeetingSalesCrunch has created a guide to “meetings that don’t suck.” The firm collected data from its management software, which tracks things like if people are really paying attention (looking at the screen or not), and if follow-up materials are opened. The BusinessInsider says the Web conferencing company crunched the numbers and came up with 5 good tips for the next time you call a meeting.

1. The 15 minute meeting. No meeting should last more than 30 minutes. After 30 minutes, they are giving one-quarter of their attention to something else.

2.  Everyone needs to talk.  If all participants talk, people will give the meeting 92% of their attention. If someone is yammering on, it gets only 78% of their attention.

3. Send follow-up materials within 5 minutes. Nearly two-thirds of attendees will read them within one day. A few more will read the next day, but not many.

4. Shorter follow-up materials are better read. People will spend 52 seconds with a short follow-up. But they will spend only 10 seconds on a mega 100-slide deck.

5. Reach out via LinkedIn immediately. Nearly three-quarters of meeting attendees will accept a new LinkedIn connection after an online meeting.

rb-

Some of these I do better than others. I like to keep my meeting succinct while trying to engage everybody in the conversation. My follow-ups tend to be more formal meeting notes so they take longer to get them out. So my meetings are less painful than others.

Salescrunch Dont suck at meetings

 

Related articles
Category: Business | Tags: , , , , ,
| August 16, 2012
One comment

25 Most-Used Passwords Revealed

PasswqordsRachel King at ZDNet’s Zero Day writes that the recent data breaches at LinkedIn, Last.fm and eHarmony has put passwords back in the spotlight. Unfortunately many people still rely on “password” to secure their digital identity. Antivirus software provider ESET noted some recent work by IT security consultant Mark Burnett who has compiled a list of the “top 500 worst (aka most common) passwords” based on a variety of methods he has detailed on his blog. The entire list is available here (ZIP).

25 Worst passwords

20122011
password
password
123456
123456
12345678
12345678
1234
qwerty
qwerty
abc123
12345
monkey
dragon
1234567
pussy
letmein
baseball
trustno1
football
dragon
letmein
baseball
monkey
111111
696969
iloveyou
abc123
master
mustang
sunshine
michael
ashley
shadow
bailey
master
passw0rd
jennifer
shadow
111111
123123
2000
654321
jordansuperman
supermanqazwsx
harleymichael
1234567football
The 25 worst passwords of 2012 compared to 2011.
2012 data from xato.net and 2011 data from SplashData.com

rb-
Approximately 2/3′s of the worst passwords stayed the saPulling hair outme between 2011 and 2012. Are your users passwords on this list? If so, it’s safe to say you should consider a password change policy to force them into using a stronger password.

I have written about passwords since at least 2010 – here, here and here. When will they listen?

Related articles
Category: Security | Tags: , , , , , , ,
| July 25, 2012
Comments Off

Social Networks Are Malware Launch Pads

Social networkingSocial networks’ role in the growth of the global virtual society has been well documented. What is not so well documented according to Help Net Security is the role social networks have in spreading malware. The security and privacy mechanisms of social networking firms such as LinkedIn (LNKD), Twitter and Facebook (FB) have proven insufficient to prevent exploitation.

The article notes that “To Err is Human,” and human errors lead to exploitSocial mediaation and manipulation whether the social network is online or offline. Social networks hold a plethora of personal information on the users that form the network. Individual connections between users collectively form a web of connections. To build each link between users an implicit trust is required between the two users and implicitly across the entire network. Any information provided by an individual user through chained connections becomes a part of the full network. When an attacker is able to exploit one user in the social network, they have the potential to be able to push malicious content into the network. The network’s connectivity enables the spread of the exploitation. The blog explains that attackers exploit the weakest link in the chain.

The inability of users to determine the legitimacy of content flowing through the social network aids this exploitation process. Help Net Security says the biggest problem with the online social networks is that they do not have built-in protection against malware. For example, current social networks do not scan the URL’s and embedded content coming from third-party servers such as Content Delivery Networks. Therefore, there is no way to authenticate the URL’s passed among the user objects in the social networks.

The infection process begins with the exploitation of humanWeakest link ignorance and followed by spreading of the malware through the trust upon which the network is based.

The article further explains that to start the exploitation process, an attacker will pick an issue that affects human emotions to evoke a response so the social network user will do something the attacker wishes. Phishing and spam messages about weather calamities, politics and financial transactions are used for starting infections. The author states that since social network exploitation begins by exploiting an individual’s ignorance common attack strategies have emerged.

One of the simplest infection techniques is to put malicious URLs on a Facebookuser’s Facebook message wall. When a user clicks on an illegitimate hyperlink it can result in automatic download of malware through the browser. Some of exploits used are:

  • Browser Exploit Packs (BEP) which fingerprint the browser version and other software on the user machine. Based on this information, a suitable malware is served to the user which uses exploits for that particular browser.
  • Drive-by-Download attacks begin by visiting a malicious Botnets and Browsers – Brothers in a Ghost Shellpage. They exploit vulnerabilities in browsers and plugins. Successful exploitation of the vulnerability causes a shell code to run that in turn downloads the malware into the system.
  • Malicious advertisements (malvertisements) happen when an attacker injects a malicious link in a users Facebook wall to spread malware. The fake post is linked to a third-party website which has malicious advertisements embedded in it. These advertisements are linked to malicious JavaScripts which executes the malicious content in the browser.

Trojan horseHelp Net Security states that online social networks are not harnessing the power of Safe Browsing API’s from Google (GOOG) or similar services to instantiate a verification procedure before posting a URL back to a user profile. Lack of such basic protections is a key factor in making the social networks vulnerable to exploitation.

Microsoft (MSFT) recently spotted a Facebook attack in the wild that exploited Facebook users trust in a social engineering campaign. The attack tries to trick Facebook users into installing a backdoor Trojan with keylogging capabilities according to the Help Net Security report.

MSFT says the Facebook Wall messages varied but they all lead to Computer trojan horsefake YouTube pages. Once there, the user is urged to download a new version of “Video Embed ActiveX Object” to play the video file. Unfortunately, the offered setup.exe file is the Caphaw Trojan.

The trojan bypasses firewalls, installs a FTP and a proxy server and a keylogger on the affected machine. Microsoft’s Mihai Calota says ” … has built-in remote desktop functionality based on the open source VNC project.” MSFT says the Facebook attack can be used to steal money, “We received a report .. that money had been transferred from his bank account … The keylogging component, coupled with the remote desktop functionality, makes it entirely possible for this to have happened.”

rb-

The articles correctly state that security and Boy with knife and electricityprivacy mechanisms are indispensable for safe online social networking. Built-in security is necessary because attackers exploit the trust, curiosity and ignorance of the social network customers to their own profit. User should demand safe and secure transmission of the information and user’s privacy. These should also be a focus of the social networking companies.

To protect themselves, users should:

  • Have up to date AV software running on their computers
  • Keep their browsers and operating systems fully patched
  • Change the passwords on all their sensitive accounts regularly
  • Warn friends and Facebook if an account seems to be hacked by using the Facebook “report/mark message as spam” option.
Related articles
Category: Security, Social Networking | Tags: , , , , , , , , , ,
| June 26, 2012
Comments Off

Credit Agency to Trawl Facebook

FlounderGigaOm has an article that documents the efforts by Schufa, the largest credit ratings firm in Germany to mine data from the Facebook (FB), LinkedIn (LNKD) and Twitter accounts of its customers. cites documents leaked to German media, that the firm whose slogan is “We Build Confidence” would use the information “to identify and evaluate opportunities for and threats to the company.”

Facebook (FB)“It cannot be that social networks are systematically scoured for sensitive data, resulting in credit ratings of customers,” said consumer protection minister Ilse Aigner.

rb-

Get over it.

I wrote about firms like RapLeaf mining social networks for employers and banks back in 2010. What is surprising to me and Mr. Meyer is that this latest social network mining operation comes out of Europe and especially Germany, a country where most people are very conscious of data protection concerns.

This goes back to the internet-age old issue of privacy. Where is the line between public and private is it different for some groups than others? Do the NSA, CIA, MI5 and who ever else is listening get different access to data than Rapleaf, ApGet over itple (AAPL), Facebook, Twitter?

Just because the info is out there, public by default do they have the right to use it?

On the other hand users of Facebook and Foursquare happily tie their credit cards to these accounts, post status updates and check-in to places for the world to see.  

Maybe we are just getting what we deserve.

Category: Security, Social Networking | Tags: , , , , , , , , , ,
| June 6, 2012
Comments Off

Bad Day at LinkedIn

Data theftIts been a bad days for LinkedIn (LNKD). LinkedIn users have been the victim of two security and privacy blunders in the same day. First, the LinkedIn mobile app for iOS devices has been discovered sending potentially confidential private and business information to the company servers without the users’ knowledge. Help Net Security reports that security researchers Yair Amit and Adi Sharabani at Skycure Security, identified the security hole. According to the researchers, the security flaw involves calendar syncing which collects data from all the calendars (private and corporate) on the iOS device.

LinkedIn“The app doesn’t only send the participant lists of meetings; it also sends out the subject, location, time of meeting and more importantly personal meeting notes, which tend to contain highly sensitive information such as conference call details and passcodes,” the researchers point out in the article. “…this information is collected and transmitted to LinkedIn’s servers; moreover, this action is currently performed without a clear indication from the app to the user, thus possibly violating Apple’s privacy guidelines.”

The initial response LinkedIn’s spokeswoman Nicole Perlroth, appears to minimize the issue and blame the users for the privacy breach when she told Help Net Security that the feature is opt-in, and said nothing about whether the company will update the app that would stop this privacy snafu from happening in the future. (Looks like LinkedIn updated the App and broke it according to reviews in the Apple AppStore) This was re-enforced by Joff Redfern, Mobile Product Head at LinkedIn on the LinkedIn blog where he also pointed out the information harvesting app is an opt-in feature. He claims that the information collected is not stored or shared. LinkedIn did change the LinkedIn app for Google (GOOG) Android so it no longer sends data from Droids to LinkedIn. There was no information in the article if LinkedIn plans to change the Apple iOS app.

Head in the sandBut wait it gets worse …. LinkedIn also lost 6.5 million accounts today. They were however found on a Russian forum.  LinkedIn has confirmed on their blog that there are “compromised accounts.” Cameron Camp, Security Researcher at ESET, commented on the leak for Help Net Security:

“The difference with this hack … is that people put their REAL information about themselves professionally on the site not just what party they plan on attending, ala Facebook and others …  mess with somebody’s professional profile, and you’re messing with their life, and their contacts know about it.”

Mitt Romeny

What happened here?

rb-
I wrote about the value of different credentials here and here.
I am wondering about the timing of the two security problems for LinkedIn. Could they be related? Were attackers using the Apple iOS app as an attack vector? After all, we know that Apple loves to collect personal info on its customers.

Action Items:

  • Toggle off the “Add Your Calendar” option in the Sync Calendar feature of the LinkedIn app on your Apple iOS devices
  • Immediately change your LinkedIn password and any accounts that share the same password.
  • Be on the lookout for phishing campaigns that might leverage the incident.

 

Related articles
Category: Security | Tags: , , , , , , ,
« Older Entries  

Switch to our mobile site