Wednesday, April 23, 2008

Freelance Security probes on LinkedIn - Rickrolled?

I got this email today . . . from CSIS Security Group [kas@csis.dk]





Dear LinkedIn user: Meet Mr. John Smith!

You have a profile on LinkedIn.com and you have chosen to connect with "John Smith". This itself is not a problem, if it wasn't for the fact, that John Smith doesn't really exist (in real life). The profile was invented as part of a security experiment in pitfalls of Social Networks to determine and illustrate potential risks using Social networks, such as LinkedIn. The presentation was just released on the Fraud Europe conference in Bruxelles today.


We decided not to release any detailed information about who and how John Smith got connected with in his network. However, we felt obligated to inform all Linkin accounts hooked up with John Smith about this piece of research and the release of the final edition of "Social Networking Risk - Who Do You Want to be Today?".

With the paper being released we will delete the "John Smith" profile!

If you've not already guessed it, you're receiving this e-mail because you are linked with john Smith. We hope this will be a leason learned and nothing else ...

All data harvested during the past year, will be deleted. We will also inform LinkedIn and asking them to remove the profile.

You can download the presentation given at Fraud Europe conference at the following URL:
http://www.csis.dk/dk/media/LinkedIn-Threats.pdf

The technical paper, used as background for this presentation and released in January 2008, can be downloaded here:
http://www.csis.dk/dk/media/LinkedIn-V2.pdf

Best regards,

Dennis Rand, Security- and Malware researcher CSIS Security Group http://www.csis.dk

---
CSIS Security Group
www.csis.dk


A Google search for "LinkedIn CSIS Security Group" found Martin Lynge Hansen at http://www.linkedin.com/in/lynge . . . maybe I should Rickroll him? I flagged him and linked to this post.

linkedin.john@gmail.com LinkedIn Profile: http://www.linkedin.com/in/linkjohnsmith

what do you think?

UPDATE: I posted it on my blog, and flagged the profile to linkedin as misrepresentation -- it's gone now, go figure.

Thanks LinkedIn, but with over 3,000 connections how many got the email and how many flagged the profile?

I found one other who posted this, see Uncommon Sense Security.

More on a search for linkedin.john@gmail.com:

http://www.linkedseo.com/list.php
http://www.meta-guide.com/malta/cse12.asp

1 comment:

Marilyn M. said...

WOW Carter, thats scary...

Especially for those of us who have been an open book in our online world as well as our communities for some time now.

Which brings me to share this; I have recently closed the browsing of my contacts:

a.) because some of my contacts did not like others knowing their entire professional histories without due cause.

b.)I relented just after something similar occurred with me.

Unfortunately, this was a REAL Person passing their selves off to me as a contact by a different name altogether. I discovered them on my own as I usually check peps out pretty well. Although sometimes latter than sooner, from here on out it will be much sooner. ;-)

I do not believe that this person meant any harm but it really jolted me into a process of a reality check-up, being the social butterfly (on & off line) that I am.

Another thing people should also realize is that just because I am an Open Networker, that does NOT automatically make my friends and associates one as well.

Still standing firm on the No IDK use, but that does not stop me from Archiving an invite anytime the need is (even slightly) felt to.

Thanks for the heads-up Carter, it really is something that should put a bit more thought into.