Tag Archive for LNKD

| November 26, 2016
Comments Off on Reducing Your LinkedIn Risks

Reducing Your LinkedIn Risks

Reducing Your LinkedIn RisksMicrosoft’s recent purchase of LinkedIn has pushed the struggling ersatz professional networking site back into the limelight. There is plenty of speculation why Microsoft (MSFT) purchased the site for over $2.6 billion. Undoubtedly it has to do with LinkedIn’s (LNKD) cache of over 430 million online users. Whatever Redmond’s designs are, now is probably a good time to check LinkedIn security to reduce your LinkedIn risks.

LinkedIn logoAttackers have long used social networking as part of their reconnaissance activities. They cull personal information posted on the site to craft targeted attacks that have a higher chance of succeeding. The cyber-criminals rely on the fact that people tend to trust people within their personal network.Their targets are more likely to fall for a spear phishing email if it appeared to come from a fellow member. The victims would also be more likely to visit a website if a member of their network suggested it.

LinkedIn risks

The fake LinkedIn profiles “significantly increase” the likelihood that these social engineering attacks will work according to research by Dell SecureWorks. The SecureWorks article describes how attackers use fake LinkedIn profiles. Most of these fake accounts follow a specific pattern:

  1. LinkedIn RisksThey bill themselves as recruiters for fake firms or are supposedly self-employed. Under the guise of a recruiter, the attackers have an easy entry point into the networks of real business professionals. Real recruiters already use the service as a way to find potential candidates. LinkedIn users expect to be contacted by recruiters, so this ruse works out in the scammers’ favor.
  2. They primarily use photos of women pulled from stock image sites or of real professionals. Many of the fake LinkedIn accounts use unoriginal photographs. Their profile photos were found on stock image sites, other LinkedIn profiles, or other social networking sites.
  3. Attackers copy text from profiles of real professionals. They then paste it into their own. The text used in the Summary and Experience sections were usually lifted verbatim, from real professionals on LinkedIn.
  4. They keyword-stuff their profile for visibility in search results. Fake LinkedIn accounts stuff their profiles with keywords to gain visibility in to specific industries or firms.  Northrup Grumman and Airbus Group are popular.

The primary goal of these fake LinkedIn accounts is to map out the networks of business professionals. Using these fake LinkedIn accounts, scammers can establish a sense of credibility among professionals to start further connections. The fake network was created to help attackers target victims via social engineering.

disguise it as a résumé applicationIn addition to mapping connections, scammers can also scrape contact information from their connections. The attackers collect personal and professional email addresses as well as phone numbers. This information could be used to send spear-phishing emails.

LinkedIn cyber-thieves use TinyZbotmalware (a password stealer, keystroke logger, multifunctional Trojan) and disguise it as a résumé application. The Dell researchers advise organizations to educate their users of the specific and general LinkedIn risks in their report:

  • Avoid contact with known fake personas.
  • Only connect with people you know and trust.
  • Use caution when engaging with members of colleagues’ or friends’ networks that they have not verified outside of LinkedIn.
  • When evaluating employment offers, confirm the person is legitimate by directly contacting the purported employer.

Reduce your risks

There are a few ways users can identify fake LinkedIn accounts:

  • search engineDo a reverse-image search. Tineye.com offers a browser plugin or use Google’s Search by Image to confirm the in picture is legit.
  • Copy and paste profile information into a search engine to find real profiles.
  • If someone you know is already connected with one of these fake accounts, reach out to them and find out how they know them.
  • If you suspect that you’ve identified a fake LinkedIn account, you should report it.

LinkedIn told Panda Security:

We investigate suspected violations of our Terms of Service, including the creation of false profiles, and take immediate action when violations are uncovered. We have a number of measures in place to confirm authenticity of profiles and remove those that are fake. We urge members to use our Help Center to report inaccurate profiles and specific profile content to LinkedIn.

As always, it pays to be careful with information that you share online as it can save you many potential problems in the future.

Here are some tips to keep your LinkedIn experience as secure as possible. Update Privacy Settings to understand how you’re sharing information. Smart options include:

  • ApathyTurn your activity broadcasts on or off. If you don’t want your connections to see when you change your profile, follow companies or recommend connections, uncheck this option.
  • Select what others can see when you’ve viewed their profile. When you visit other profiles on LinkedIn, those people can then see your name, photo, and headline. If you want more privacy, display anonymous profile information or show up as an anonymous member.
  • Select who can see your connections. You can share your connections’ names with your other first-degree connections, or you can make your connections list visible only to you.
  • Change your profile photo and visibility. You can choose to have your photo displayed only to your first-degree connections, only to your network, or to everyone who views your profile.

Opt into Two-Step Verification to prevent other people from accessing your account. LinkedIn lets members turn on two-step verification for their accounts. This will require an account password and a numeric code sent to your phone when you attempt to sign in from a device your account doesn’t recognize.

Opt into Secure Browsing for extra protection against unauthorized access to your Internet activity and to make sure you’re connected to the real LinkedIn website. While LinkedIn automatically secures a connection when you’re on certain pages that require sensitive information, you also have the option to turn on this protected connection when viewing any page.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers and anything else that catches his attention since 2005. You can follow him at LinkedInFacebook and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , ,
| May 26, 2016
Comments Off on Lessons From the LinkedIn Data Breach

Lessons From the LinkedIn Data Breach

Lessons From the LinkedIn Data BreachReaders of the Bach Seat know that passwords suck and that people are awful at picking passwords. The Business Insider offers more proof. According to a recent article, the 2012 LinkedIn data breach exposed a whopping 167 million accounts that were compromised, including 117 million passwords.

The article says the passwords were hashed or encrypted so they can’t be read, but researchers at LeakedSource have been able to decrypt them. Their findings should be no surprise to Bach Seat followers. The results show just how much the same passwords get used over and over (and over and over and over and over) again.

Most often used passwords

92% of the top leaked LinkedIn passwords were identified as the top 25 most often used passwords in 2011 or 2012. Nearly half of the passwords listed were the most commonly used password in 2011, 2012, or 2013. The top 5 bad passwords were used to “secure” over 1.2 million accounts.

PasswordsThe LeakedSource data says the most popular password for LinkedIn in 2012 was 123456. That password was used by more than 750,000 accounts. Data the Bach Seat has collected says that 123456 has been the top 1 or 2 passwords every year used since 2011.

The remarkably unstealthy password ’linkedin’ is the second most used password on these breached LinkedIn accounts with 172,523 users. That is just so wrong on so many levels.

The password ‘password’ is number three with 144,458 hacked LinkedIn users relying on it to secure their professional profile. Our historical data says that ‘password’ has swapped the top ranking with ‘123456’ since 2011.

password is ‘password’12345678’ is the fourth most popular bad LinkedIn password with 94,214 users according to LeakedSource. This password has been a consistent #3 in my data.

The data for the top 49 passwords is below. You can search for your user name here  Fix your passwords.

RankPasswordFrequencyNotes
1123456753,305#2 in 2012
2linkedin172,523
3password144,458#1 In 2012
412345678994,314#6 in 2012
51234567863,769#3 in 2012
611111157,210#12 in 2011
7123456749,652#7 in 2011
8sunshine39,118#15 in 2011
9qwerty37,538#4 in 2011
1065432133,854#21 in 2011
1100000032,490#25 in 2013
12password130,981#21 in 2013
13abc12330,398#5 in 2011
14charlie28,049
15linked25,334
16maggie23,892
17michael23,075#16 in 2012
1866666622,888
19princess22,122#22 in 2013
2012312321,826#11 in 2013
21iloveyou20,251#9 in 2013
22123456789019,575#13 in 2013
23Linkedin119,441
24daniel19,184
25bailey18,805#17 in 2011
26welcome18,504
27buster18,395
28Passw0rd18,208#18 in 2011
29baseball17,858#9 in 2012
30shadow17,781#17 in 2011
3112121217,134
32hannah17,040
33monkey16,958#6 in 2011
34thomas16,789
35summer16,652
36george16,620
37harley16,275
3822222216,165
39jessica16,088
40GINGER16,040
41michelle16,024
42abcdef15,938
43sophie15,884
44jordan15,839#22 in 2012
45freedom15,793
4655555515,664
47tigger15,658
48joshua15,628
49pepper15,610

rb-

The advice remains the same as I wrote about in 2010.

Strong passwords characteristics:
• At least eight (8) alpha-numeric characters
• At least one numeric character (0-9)
• At least one lower case character (a-z)
• At least one upper case character (A-Z)
• At least one non-alphanumeric character* (~, !, @, #, $, %, ^, &, *, (, ), -, =, +, ?, [, ], {, })
• Are not a word in any language, slang, dialect, jargon, etc.
• Are not based on personal information, names of family, etc.
• Are never written down or stored online.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , ,
| August 12, 2014
Comments Off on Who Needs Two-Factor Authentication

Who Needs Two-Factor Authentication

Who Needs Two-Factor AuthenticationThe recent epidemic of online security breaches has shown the folly of passwords as the sole protector of your online data. As I have covered several times, most users depend on the same passwords. So what are we to do? One solution is Two-Factor Authentication.

John Shier at SophosNaked Security blog provided a primer on multi-factor authentication. Two-Factor Authentication is a subset of Multi-factor authentication (MFA).  MFA is an authentication process where two of three recognized factors are used to identify a user:

  • Sommulti-factor authenticationething you know – usually a password, passphrase, or PIN.
  • Something you have – a cryptographic smartcard or token, a chip-enabled bank card, or an RSA SecurID-style token with rotating digits
  • Something you are – fingerprints, iris patterns, voiceprints, or similar

How two-factor authentication works

Two-factor authentication works by demanding that two of these three factors be correctly entered before granting access to a system or website. So if someone manages to get hold of your password (something you know), the article says they still will not be able to get access to your account unless they can provide one of the other two factors (something you have or something you are).

Data breachThe author explains that secure tokens with rotating six-digit codes can be used to remotely access internal systems via a VPN session. Users need to give a username, a password, and the six-digit code from the secure token appended to a PIN. Home users can use a sort of two-factor authentication using SMS code verification. This is where, in addition to correctly entering your password (something you know), you must also correctly enter a numeric passcode sent to your mobile phone via SMS (something you have).

The availability of mobile network service and the unreliable nature of SMS can make SMS 2FA difficult. However, some services allow you to use an authenticator app in addition to your password which presents you with a different numeric one-time password (OTP) for each service that you register with the app. Both Google and Windows make these apps freely available in their respective stores.

Authenticator apps can be great for signing into sites like Google, Facebook, and Twitter even when your phone does not have service (mobile or otherwise).

Two-factor authentication makes it harder

SPAM emailParker Higgins at the EFF, says normal password logins, which use single-factor authentication, just check whether you know a password. This means anybody who learns your password can log in and impersonate you. Adding a second factor, like a PIN, something you know, with your ATM card, something you have, makes it harder to impersonate you. You need to both have a card and know its PIN to make a withdrawal.

Online two-factor authentication brings the same concept to your services and devices by using your phone—which means that even if your password is compromised by a keylogger in an Internet café, or through a company’s security breach, your account is safer according to the EFF.

That’s important because phishing, which is one of the most common ways in which accounts are compromised, only gets information about passwords. By adding a different factor, phishing attacks become much more complicated and much less effective according to Mr. Higgins.

APhishings two-factor authentication systems become more popular, they have gotten increasingly user-friendly; the EFF believes it doesn’t have to be a difficult trade-off of convenience for security. Major services like Twitter, Google (GOOG), LinkedIn (LNKD), Facebook (FB), Dropbox, Apple (AAPL), Microsoft (MSFT). GitHub, Evernote, WordPressYahoo (YHOO) Mail and Amazon (AMZN) Web Services have enabled two-factor authentication.

rb-

Users should get used to two-factor authentication. 2FA is not available everywhere but many of the most popular sites and services on the internet use the technology.  Hopefully, this will compel the rest to follow suit. There is Android malware in the wild that is specifically designed to steal SMS verification codes trying to thwart 2FA so you still need anti-malware on your mobile devices.

In the wake of recent POS attacks (which I covered here), DHS has recommended 2FA for POS systems. While it is not bulletproof, it does increase your security by making it harder for your accounts to be compromised. All users will need Two-Factor-Authentication Authentication.

Related articles
  • Fending off automated attacks with two-factor authentication (cloudentr.com)

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , , , , , , ,
| May 21, 2013
Comments Off on Hotmail is Dead

Hotmail is Dead

Hotmail is DeadHotmail is deadMicrosoft (MSFT) has completed the transition from Hotmail to the new Outlook.com. The Hotmail replacement has more than 400 million accounts. According to a blog entry at Office.com most Hotmail users will not notice much difference. They can continue to use those accounts as long as they choose and can claim an Outlook email address whenever they like.

HotmailWriting in the company blog, Dick Craddock, Outlook.com’s group program manager said that Hotmail had more than 300 million active accounts that had to be moved. MSFT completed the epic live upgrade in only six weeks. The upgrade from Hotmail to Outlook.com required communicating with hundreds of millions of people, upgrading all their mailboxes, and making sure they preserved every email, calendar, contacts, folders, and personal preference.

The new Outlook email client has several different features from Hotmail, such as two-factor authentication, an updated calendar, and app as well as integration with cloud service Skydrive and Skype. it allowed users to connect easily with Facebook (FB), Twitter, and LinkedIn (LNKD).

GigaOm reports that MSFT will even allow collaboration with Google users. They report that:

.Outlook.com logo.. if you’re reading an email from a Gmail user, you can reply with a chat icon from your Outlook.com inbox. Or, if you and your Google-oriented buddy are collaborating on a document in Microsoft Skydrive (as opposed to, say, Google Drive), you can send an instant message to your Google contact with the click of a button. Microsoft is also rolling out Google Chat integration.

All of these new features haven’t thrilled everyone, Mr. Craddock is quoted in the IBT, “Of course, whenever a widely used consumer service makes any substantial change, there will always be some folks that don’t like it, and that shows up in the feedback…”

Microsoft logoHotmail was one of the first web-based email services. Founded by Sabeer Bhatia and Jack Smith it was launched on July 4 1996 as “HoTMaiL”. Microsoft bought the web email service in 1997 for an estimated $400 million, and it was rebranded as “MSN Hotmail”.

Outlook.com was launched in February 2013.  It’s based around Microsoft’s Metro design language, and closely mimics the user interface of Microsoft Outlook.

rb-

AmazedFor anyone who has ever had to be involved in a hot email upgrade, you should recognize the technical feat moving Hotmail to Outlook.com really was despite occasional problems. During most email system upgrades, anything that can go wrong will go wrong. There will be power or network issues that will interrupt the mailbox transfer across the wire, there will be users with 32 Gb of email messages, there will be people who file their active messages in the trash can (yes, I’ve seen it) there will be strange shared calendars and accounts that just won’t transfer unless you move them item by item to find the corruption.

Kudos to MSFT for migrating Hotmail to Outlook.com, lets see if it matters in the face of Google’s (GOOG) Gmail and Doc’s.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , , , ,
| September 6, 2012
2 comments

5 Tips To Make Meetings Less Painful

5 Tips To Make Meetings Less PainfulSalesCrunch has created a guide to “meetings that don’t suck.” The firm collected data from its management software, which tracks things like if people are really paying attention (looking at the screen or not), and if follow-up materials are opened. The BusinessInsider says the Web conferencing company crunched the numbers and came up with 5 good tips for the next time you call a meeting.

1. The 15-minute meeting. No meeting should last more than 30 minutes. After 30 minutes, they are giving one-quarter of their attention to something else.

2.  Everyone needs to talk.  If all participants talk, people will give the meeting 92% of their attention. If someone is yammering on, it gets only 78% of their attention.

3. Send follow-up materials within 5 minutes. Nearly two-thirds of attendees will read them within one day. A few more will be read the next day, but not many.

4. Shorter follow-up materials are better read. People will spend 52 seconds with a short follow-up. But they will spend only 10 seconds on a mega 100-slide deck.

5. Reach out via LinkedIn immediately. Nearly three-quarters of meeting attendees will accept a new LinkedIn connection after an online meeting.

rb-

Some of these I do better than others. I like to keep my meeting simple while trying to engage everybody in the conversation. My follow-ups tend to be more formal meeting notes so they take longer to get them out. So my meetings are less painful than others.

Don't Such at Meetings

© 2012 SalesCrunch

 

Related articles
  • Study finds web conferencing popular but underutilized (shoretel.com)

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Project Management | Tags: , , , , , , , ,
« Older Entries