Tag Archives: LinkedIn

Security News Bites for the Week Ending Sep 7, 2018

China Using Fake Linkedin Profiles to Recruit Americans as Spies

US intelligence officials are warning LinkedIn users that China is being “super aggressive” at recruiting Americans with access to government and commercial secrets.

The Chinese are creating fake LinkedIn profiles, friending people and trolling to see if they would be valuable if flipped or conned out of information.  The Brits and Germans are seeing similar activity.

Intelligence officials are asking LinkedIn to be more aggressive at terminating offending accounts.  Twitter has recently cancelled 70 million accounts.

LinkedIn users should be on alert, particularly about connection requests from people they have never met.  Source: The Hill.

Firefox Ups the Advertising War in Version 63

Many web sites that we visit have dozens of trackers on them.  For example, the Wall Street Journal has 46 of them on its homepage alone.

All of these trackers increase page load time and data use: each tracker is a separate host that the browser has to contact and feed information so that it can track us.  Individually the numbers may be small, but if you look at, say, 100 pages in a day and every one of them calls 46 trackers (many don’t), that is the equivalent of visiting 4,700 web pages a day just to read 100.

Firefox, which is made by Mozilla (ultimately owned by the non-profit Mozilla Foundation), unlike Chrome (Google) and Internet Explorer/Edge (Microsoft), doesn’t care much about offending advertisers.

For years now browsers have supported a user specified DO NOT TRACK flag and web sites have, pretty much uniformly, ignored the flag and tracked us any way.

Starting with version 63 of Firefox the new feature is being tested, and in version 65 it is slated to become the default.

The feature will block trackers by default.  Users will be able to turn the feature off and also unblock one site at a time.

uBlock and uBlock Origin are among the products out there that do similar things, although advertisers can, I think, pay them to get on their “not blocked” list.  The difference here is that it is built in, TURNED ON BY DEFAULT – you do not need to buy or install anything.

The ad war just ratcheted up a bit.  Source:  The Register.

Google Buys Offline Transaction Data from Mastercard

Bloomberg says that Google signed an agreement with Mastercard (and likely other credit card companies) that gives it some access to offline purchases.  Both Google and Mastercard say that they don’t know what items you bought, only where, when and how much you spent.  They are using this data to give advertisers confidence that their online ads are working, based on showing you an ad and then seeing you go spend money in the advertiser’s store.  Google is also buying loyalty card data under a different program, and that could provide much more detailed data, including exactly what you bought.  Both companies are being tight-lipped about exactly how the program works, so we don’t know precisely what data Mastercard is sharing or how many millions Google paid to get that data.  Source: Tech Crunch.

Ten Fold Increase in Security Breach (Reporting) Since GDPR

British law firm Fieldfisher is reporting that prior to GDPR it was dealing with around 3 breach cases a month and post GDPR it is dealing with one case every day.

This is likely not due to hackers upping their game, but rather to companies that would previously have swept a breach under the rug now reporting it, fearing the 20 million Euro (or 4% of worldwide turnover) sword aimed at their head if they don’t report and get outed.  That outing could come from an employee who disagrees with the idea of keeping a breach secret.

The breaches that Fieldfisher is seeing are both small, technical breaches and larger breaches similar to the British Airways breach this week that compromised 300,000+ credit cards. Source: Computing.

Data on 130 Million Chinese Hotel Guests for Sale on Dark Web

Data on guests of the Chinese hotel chain Huazhu (3,800 hotels) is available on the dark web for around $50k (8 bitcoin).  The data – 240 million records – includes everything from name, address, phone and email to passport numbers, identity cards and bank account information.  Make sure you have a good Internet connection if you buy it – the data is about 140 gigabytes in size.  While the Chinese are trying to shut down all forms of cryptocurrency since they can’t control it, that doesn’t stop foreigners from buying the data.  Source: Next Web.


LinkedIn is Becoming LinkedOut

LinkedIn is becoming LinkedOut, at least in Russia.

Our friend Vladimir Putin passed a law in 2014 that said that any company that operates in Russia needs to store its users’ data in country.  Most U.S. companies protested against it, although it is believed that a few have an architecture that allows them to do that.

LinkedOut is not one of those companies, apparently.

Yesterday a Russian court ruled that LinkedIn violated this law and today Russian Internet providers have begun blocking LinkedIn.

Putin claims the reason for doing this is to protect his citizens’ privacy.  After all, Russia and Putin are known to have a keen concern for their citizens and, especially, for their citizens’ privacy.

An alternative reason might be to make it easier for the FSB (the KGB’s successor) to spy on and hack into dissidents’ conversations.  However, that would be at odds with Putin’s desire to protect his citizens’ privacy, so that can’t be the real reason.

In any case, LinkedIn is quickly becoming LinkedOut.

From a revenue standpoint, these social networks do not want to lose any users, so I am sure that they are trying to figure out a way to deal with it.  Surely, the Kremlin hopes these companies come crawling on their hands and knees, begging for another chance.

Some companies thought that Putin was just kidding, but maybe not.

The other thing that Putin is requiring is that anyone using encryption turn over his or her encryption keys to the government.  I am sure that is not sitting well with LinkedIn either.

On the other hand, LinkedIn only has around 6 million users in Russia, so it might decide to tell Putin to stick it.  It’s not clear.

This small size may actually be what made LinkedIn a target.  Blocking a social media site with tens or hundreds of millions of Russian users would create a tense situation; by taking down LinkedIn, they can pretend that they are actually implementing the law at very little cost.

We have not heard anything from President Elect Trump.  Since he and Putin are best buds, I assume that he will fix this problem for LinkedIn as soon as he moves in to the White House.  Or maybe sooner.

Information for this post came from The Washington Post.


Hacks, Hacks, Everywhere A Hack

Back in 2012, LinkedIn told its users that it had been hacked – to the tune of 6.5 million users.  Well, it turns out that was a tad bit shy of the truth.  The real number was 117 million email and password combinations – roughly 18 times the number that they had admitted to.  LinkedIn told the 6.5 million users to change their passwords, but not the other 110+ million users.  Those passwords were stored as unsalted SHA-1 hashes, so the bulk of them were cracked quickly.  The Fortune article has links to other sources if you want more information, but my recommendation is that you change your LinkedIn password.

Tumblr says that it just discovered that hackers stole 65 million user email/password combinations in 2013.  That is a long time to figure that out.  I assume that is because hackers are now trying to sell those passwords.  Since people reuse passwords on other sites and don’t change their passwords, it is likely that many of those passwords still work.  The good news is that the passwords were hashed and salted, making it a LOT of work to crack them – hashes cannot be reversed, so the attacker has to hash guesses and compare, and the salt means the guesses have to be rehashed separately for every user – but not impossible.  This is a perfect example of companies being hacked and not even knowing about it.  The only reason they found out is that someone is trying to sell the data.
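The difference between the LinkedIn and Tumblr cases above comes down to how the stolen hashes were computed. The following is an added example, not code from either company or from the original post: it stores a constructed set of user passwords three ways (unsalted SHA-1 as LinkedIn did, salted SHA-1 as an assumed stand-in for Tumblr’s “hashed and salted”, and a slow salted KDF as the recommended option), then runs the same toy wordlist attack against the first two and counts the work. The wordlist and the user base are constructed for illustration.

```python
"""Added example (not from the original post): why a salt raises the cost of
cracking stolen password hashes, and why it still does not save weak passwords.
The wordlist and the user passwords below are constructed for illustration."""
import hashlib
import secrets
from typing import Optional

# Constructed toy wordlist.  Real cracking runs use hundreds of millions of
# entries plus mangling rules, which is why common passwords fall in seconds.
WORDLIST = ["password", "123456", "linkedin", "letmein", "qwerty", "monkey", "summer2016"]


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


# --- Unsalted SHA-1 (how LinkedIn stored passwords in 2012) -------------------
def store_unsalted(password: str) -> str:
    return sha1_hex(password.encode())


def crack_unsalted(stolen_hashes, wordlist):
    """One lookup table built from the wordlist cracks every user at once.
    Returns (list of cracked password or None per user, hashes computed)."""
    table = {sha1_hex(w.encode()): w for w in wordlist}
    return [table.get(h) for h in stolen_hashes], len(wordlist)


# --- Salted SHA-1 (assumed stand-in for "hashed and salted") ------------------
def store_salted(password: str, salt: Optional[bytes] = None):
    """Per-user random salt, stored next to the hash; the salt is not secret."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt.hex(), sha1_hex(salt + password.encode())


def crack_salted(stolen_records, wordlist):
    """Each user's salt forces a fresh pass over the wordlist for that user:
    no shared table, so cost scales with users x wordlist size."""
    cracked, computed = [], 0
    for salt_hex, h in stolen_records:
        salt = bytes.fromhex(salt_hex)
        hit = None
        for w in wordlist:
            computed += 1
            if sha1_hex(salt + w.encode()) == h:
                hit = w
                break
        cracked.append(hit)
    return cracked, computed


# --- Slow salted KDF (what a site should use instead of a bare hash) ----------
def store_pbkdf2(password: str, salt: Optional[bytes] = None, iterations: int = 200_000):
    """Each guess now costs `iterations` HMAC computations instead of one hash."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex(), iterations, digest.hex()


def verify_pbkdf2(password: str, salt_hex: str, iterations: int, digest_hex: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), iterations)
    return secrets.compare_digest(digest.hex(), digest_hex)


def demo():
    """Constructed user base: four users, two of whom share a weak password."""
    passwords = ["password", "linkedin", "password", "Tr0ub4dor&3-unique"]
    unsalted = [store_unsalted(p) for p in passwords]
    salted = [store_salted(p) for p in passwords]

    u_cracked, u_work = crack_unsalted(unsalted, WORDLIST)
    s_cracked, s_work = crack_salted(salted, WORDLIST)
    return {
        "unsalted_cracked": sum(p is not None for p in u_cracked),  # weak ones fall
        "unsalted_work": u_work,                                    # one pass for everyone
        "salted_cracked": sum(p is not None for p in s_cracked),    # weak ones still fall
        "salted_work": s_work,                                      # a pass per user
        # Unsalted: identical passwords give identical hashes, so reuse is visible.
        "unsalted_reuse_visible": unsalted[0] == unsalted[2],
        # Salted: the same password hashes differently for each user.
        "salted_reuse_visible": salted[0][1] == salted[2][1],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the seven-word list, the unsalted attack costs seven hash computations for the whole user base, while the salted one costs a separate pass per user (twelve here, and it grows linearly with the number of victims). Note that the salt does nothing for the three users with wordlist passwords; only a strong password, or a slow KDF that makes each guess expensive, changes that outcome.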

On the lighter side, Katy Perry’s Twitter account was apparently hacked – or else she was having a REALLY bad day.  Her 89 million followers were treated to a series of inappropriate tweets.  This reminds me of the recent (a couple of years ago) hack of the DoD Twitter account.  It just means that protecting your (Twitter or any other) account with nothing but a password is likely not at all secure.

On the “Gees, that is a big hack” side, Myspace (remember them?) data is now coming up for sale.  The dataset includes 360 million records, but only 111 million had usernames in them.  However, many of them had email addresses (which could also be a username for another site if the user reused their password) and passwords.  The total number of passwords in the dataset was 427 million.  While I doubt anyone still uses Myspace, if that email/password combination is used elsewhere …..

What is the take away from this?

  • Even though it is tempting, do not reuse passwords on any account that you care about, even in the least (From Amazon to Twitter, banking to Email)
  • Use two factor authentication on important accounts (such as banking or any account that stores your credit cards and allows the user to use them)
  • Change your passwords periodically.  Notice that most of the news above is about old hacks where the data is being resold now.  If people changed passwords regularly (at least annually), then that data would be useless.

There is a web site called HaveIBeenPwned.com that allows you to enter JUST an email address to see if in their database of over a half billion breach records, that email address comes up.  It is safe because all you enter is your email address.

Information for the LinkedIn hack came from Fortune.

Information for the Tumblr hack came from Motherboard.

Information for the Katy Perry Twitter hack came from Techcrunch.

Information for the Myspace hack came from Fortune.


LinkedIn “Reference Search” Is Legal

LinkedIn has a service called LinkedIn Reference Search that allows someone to search for people who worked at the same companies that you did at the same time you did.  While LinkedIn does not give employers direct access to those people who worked with you, it does “recommend” that prospective employers use the LinkedIn tools to connect with those people to get information from them.

Some people weren’t too happy with LinkedIn about this and sued them, suggesting that what they were doing was providing a consumer report as defined in the Fair Credit Reporting Act or FCRA  (see LinkedIn is not a reporting agency says court).

The court took apart the claims about what LinkedIn does and said, basically, that it is not illegal.

One thing that LinkedIn does NOT do is tell you when someone runs a reference search on you, which would be nice.

So, the moral of the story is that networking has its positives and negatives and this might be a negative if you are looking for a job.
