Monday, October 1, 2007

Reconnaissance: LinkedIn and social engineering

I attended Ed Skoudis's SANS 504 track in Las Vegas last week, and picked up a lot of useful tidbits. One of the more interesting offhand comments Ed made was about using LinkedIn to assess what vendors a given organization is buying from based on their recent link adds.

It makes for a fun exercise, and could potentially be useful when doing recon of an organization for penetration testing. A quick look at my own contacts lends some credence to the idea, and given a bit of other research, a LinkedIn survey seems like a clever method to get a few extra bits of information.

Does this mean that using professional social networking should be banned? Probably not, but it is a great reminder of the level of detail an intelligent aggressor can gather given a bit of cleverness and time.

