Wednesday 12 June 2013

Does Your LinkedIn Profile Hold The Key To Your Password?

Say what you want about social media. The bare fact is that folks use it – more of them every day. In fact, social media sites like Facebook, Twitter and YouTube are growing – quickly – and have come to define our modern online experience.

That said: the sites represent a huge security risk. Sites like Facebook, Twitter and Instagram are increasingly used as platforms to circulate scams and malicious links. A larger and more nebulous threat is posed by all the information that organizations and their workers are spilling online.

It’s already common knowledge that hackers and other “bad guys” comb through worker profiles on LinkedIn, Facebook and other sites to help craft targeted attacks. But could your social networking profile provide more useful information – like your password? Independent security researcher Itzik Kotler thinks so.

Kotler is the creator of Pythonect, a new, experimental dataflow programming language based on Python. Using it, he said he’s been able to derive passwords from the public content of individuals’ LinkedIn profiles – combining information like the company an individual works for, their name and birthdate to derive actual passwords for their accounts.

Kotler’s method was straightforward: he used Google’s Custom Search Engine to find all the employees for a given company. For the profiles that were returned, Kotler then scraped their personal information for analysis – a job made easier by LinkedIn’s adoption of the Google hCard microformat, which is used to display the contact details of people, companies, organizations, and places in easy-to-read form on search results pages.

The strategy – really a proof of concept test for Pythonect – isn’t the most efficient means of breaking into an account, Kotler admits, but it does suggest that the treasure troves of personal data we make available online could be useful as more than just fodder for social engineering attacks.

Kotler responded to some e-mail questions from Security Ledger about Pythonect and distilling passwords from LinkedIn data. (Note: I’ve edited this to correct typos and spelling errors and for coherence.)


Source: https://securityledger.com/2013/01/does-your-linkedin-profile-hold-the-key-to-your-password/
