I’m guessing most of you happy campers have a LinkedIn profile, including a shiny photo in your best bib and tucker.
LinkedIn is a great tool to market yourself and it claims 150 million members in 200 countries and territories; but who vouches for the integrity of LinkedIn? "Why, no one", I hear you cry (bit of a security panto going on here) – and you'd be right. LinkedIn is just a platform which enables all of us to be within six degrees of Kevin Bacon (you get the gist).
This article focuses on LinkedIn because the site evokes a self-assured sense of professionalism, and with it a feeling of security and safety, which I wish to explore further.
The site enables a contact network to be created via direct, second-degree and third-degree connections, facilitating an introduction to someone via a mutual contact, thus evoking a form of provenance or vetting. This creates a vast interconnected network – almost an internet of identities.
The site can be used for recruitment, with employers listing jobs and searching for potential candidates. A recent pilot feature is an automated contacts tracking widget, whereby you are e-mailed with the statement, “Your connections could be great colleagues…” – you get the gist.
Interestingly, there are many famous people on LinkedIn – Barack Obama, David Cameron (go on, have a search). Obama’s profile is a bit old now – it was set up pre-election – and Hillary Clinton’s profile still states “Candidate for President”. Guess what, Kevin Bacon also has a profile.
LinkedIn from a security angle
However, let’s look at the security perspective.
LinkedIn has had issues with spam; primarily organised spamming services exploiting "interest group" mail lists, and also plenty of spam "connection" requests.
There were also historical issues with cookies that could be hijacked and then reused to authenticate bogus users.
Your data is also stored in the US, although the company does state its participation in the EU's International Safe Harbour Privacy Principles.
Lately, I have had a raft of old school mates wanting connections. The thing is, they may have been a giggle in Mrs Armstrong’s Geography lessons, but are they good at their job? You link, and it looks like endorsement.
Also, I have experienced outwardly respectable figures demanding recommendations to enhance their profiles. The addition of an anonymous rating system would add greater integrity to LinkedIn.
Be careful what you reveal in your profile. Recruiters (and others) are harvesting your data – why else do folks subscribe to the group "SC/DV cleared"?
Check how your profile appears on the web before logging in – some folks reveal a lot about themselves to strangers.
When you have logged on to LinkedIn, go to the top right where your name is displayed, click the drop-down to reveal "settings", and check out the "profile", "privacy controls" and other tabs.
As a security practitioner, LinkedIn appeals as it would to any professional, so it’s sensible to be "linked in". We should use social networking to some degree, or we are going to get "left out". However, be wary, and don’t be passive regarding your profile.
LinkedIn is an outstanding address book, and additional features are a bonus, but above all it is important to stay secure.
Kevin Eagles, CISSP, is IA director at Akoben
This was first published in April 2012