(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src= 'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f); })(window,document,'script','dataLayer','GTM-P9PC2DD'); Skip to content

Trending tags

How to Setup LinkedIn for Better Privacy and OPSEC

Joel Latto

20.05.19 10 min. read

When it comes to privacy and social media platforms, LinkedIn is the necessary evil we have to put up with. While it’s a no-brainer to delete your Facebook account and the likes of Snapchat attention-span-of-a-goldfish platforms are easy to skip, but so much of job recruitment revolves around LinkedIn that it’s a lot harder to severe ties with it. Many companies don’t even post their offerings anywhere else than on LinkedIn, and prefer applications that come directly through the platform. It’s also a great tool for headhunters to find suitable candidates.

So let’s assume you have a LinkedIn profile, you want to build up your online resume and personal brand, and want to be able to jump on a once-in-a-lifetime opportunity if it presents itself. However, you can accomplish all that without revealing every aspect of your professional self for the whole world to see. Let’s start of with LinkedIn settings and then move on to platform behavior and other tips.


Settings

Account

Login and security

Email addresses: No need to have more than one. Delete old ones, at least.

Phone numbers: See two-step verification.

Change password: LinkedIn suffered a massive data breach in 2012. I’m assuming you’ve changed your password since, but with a password manager, it’s not a big deal to change it again.

Where you’re signed in: it’s basic security hygiene to every now and then log out of all your active sessions.

Two-step verification: unfortunately, LinkedIn supports only SMS-based 2FA. It’s still better than nothing, so enable it.

Partners and services

Microsoft: Do not connect accounts.

Permitted Services: Do not permit services.

Twitter settings: If you want to direct people from your profile page to your Twitter page, then this can be enabled. Remember if you do that, your Twitter feed is now an extension of your professional image – this might not suite everyone.

Privacy

How others see your profile and network information

Edit your public profile: This actually opens another page, full of settings to tinker with.

  • Custom URL: best to make one and thus “own” it
  • Your profile’s public visibility: this guide is written on the premise that your profile is public.
  • Profile photo: only your network.
  • Rest of the settings I’ve selected in a way that if a person (who I know or have met in person) searches for my profile, they will be able to identify the profile belonging to me. Meanwhile, for random people the profile is just, well, a random profile. You don’t need to boast with your job experience and education to every stranger.

Who can see your email address: There’s actually two settings in here. First, who can see your email address. I’d suggest keeping it visible only to you, or 1st degree connections. Important thing here to note is that if someone can see your email address, they will be able to contact you directly.  Second setting asks for your permission for the email address to be shared in data exports, and that’s a strong No.

Who can see your connections: Connections are never fully public, they are visible either to just you or your connections. Still, it’s better to err on the side of caution and make the connections visible only you to.

Viewers of this profile also viewed: No, for two reasons. First, you don’t want to redirect potential recruiters to other profiles. Second, there’s a lot of fake and other unwanted profiles (sex workers and such) that you don’t want to be displayed in your profile page.

Who can see your last name: It’s trivial to find your full name with all the other data you have on your profile, so I don’t see a reason to limit the visibility of your last name only to its first letter.

Representing your organization and interests: Up to you, but I see this as a useless profile leak.

Profile visibility off LinkedIn: “Should we show information from your profile to users of permitted services such as Outlook?” Hell no.

Microsoft Word: No

How others see your LinkedIn activity

Profile viewing options: Select either Private profile or Private mode.

Manage active status: No one

Share job changes, education changes, and work anniversaries from profile: Eh, the humble(?) brag setting. For me this is a No.

Notifying connections when you’re in the news: Ibid.

Mentions or tags by others: This might be useful. At least it helps to know what others write and expose about you.

How LinkedIn uses your data

Download your data: “Your LinkedIn data belongs to you”, but not only you. Download this to understand what you have shared to LinkedIn and third-parties so far. A good eye opener.

Manage who can discover your profile from your email address: Nobody

Manage who can discover your profile from your phone number: Nobody

Sync contacts: No

Sync calendar: No

Salary data on LinkedIn: No

Search history: Clear all

Personal demographic information: Up to you, but no need to fill these.

Social, economic and workplace research: No

Job seeking preferences

Job application settings: Opens up another page where you can manage these two settings.

  • Save onsite application answers: No
  • Save external application answer: No

Let recruiters know you’re open to opportunities: Obviously depends on your current situation. If you’re not looking to change position, I’d keep this turned off.

Signal your interest to recruiters at companies you have created job alerts for: Ibid.

Sharing your profile when you click apply: Yes. At least for me this is literally the reason why I have a profile in the first place.

Blocking and hiding

Followers: Your call. If you are one of those persons who publish a lot on LinkedIn to build your personal brand, then it might be useful to keep this as “Everyone on LinkedIn”. If not, then select “Your connections”.

Ads

General advertising preferences

Insights on websites you visited: No

Ads beyond LinkedIn: No

Profile data for ad personalization: No

Data collected on LinkedIn

Interest categories: All settings in this category are up to you. If you’re looking for a new job, but you’re not focused on getting some specific role and/or in a specific company, you can turn the relevant ones of these on. In all other cases, I’d keep these turned off.

Connections: No

Location: No

Demographics: No

Companies you follow: No

Groups: No

Education: No

Job information: No

Employer: No

Third party data

Interactions with businesses: No

Ad-related actions: No

Communications

Who can reach you

Connection requests: Unfortunately, as I’d advocate against importing your address books to LinkedIn, the only viable option for this is “Everyone on LinkedIn”.

Messages: Allow InMail, do not accept Sponsored InMail.

Research invites: No

Messaging experience

Read receipts and typing indicators: Off

Reply suggestions: No


Fake invites, LION, and managing your network

You are a target. Even if you’d not consider yourself to be especially interesting, your profile is still a way in for scammers and other adversaries to gain more credibility within your company and LinkedIn network. These accounts are used for phishing and especially spearphishing C-level targets, as well as for sending malicious URLs via InMail. LinkedIn is just as riddled with fake accounts as Twitter or Facebook, make no mistake about it.

These fake profiles might use e.g. your company’s public event as an excuse to send you a connection invite. If the contact request appears to come from within your company, ping the person and ask if they have sent it (also doubles as a check-up to see if that name can be found from your IM system). Another easy way to start assessing an account’s credibility is to do a simple reverse-image search of their profile picture. Unfortunately, there’s no one easy way to telling if an account is fake or not, but if you’re convinced about the fakeness, please report them to LinkedIn. Personally I only accept invites from people I have actually interacted with, preferably face to face.

 

Examples of fake LinkedIn profile invites received by my colleague Laura. Images published with her permission.

LION, or LinkedIn Open Networking, is a phenomenon where self-identified LIONs try to amass as big of a LinkedIn network as possible by both sending a lot of invitations and accepting also pretty much any invitation. Generally, these people have thousands or tens of thousands of connections. Do not accept any invites from LION profiles. If I’m doing OSINT on LinkedIn, I try to connect my sockpuppet with as many LIONs as possible, because that greatly expands the LinkedIn search capabilities (and usefulness), as others’ profile visibility increases. Getting connections this way is also a fast way to increase the credibility of a sockpuppet.

And once again, do not sync your address book with LinkedIn. LinkedIn has had several different ways to trick users to do so in the past, so think twice when LinkedIn asks for your email address and/or extra permissions.

To wrap things up, few words about OPSEC in LinkedIn publishing. Once again, common sense goes a long way: don’t post pictures of your new and shiny ID badge, don’t share confidential material (those labels are there for a reason), and generally you don’t need to share details of the tools you use or IT infrastructure you have. By the way, this same advice goes for recruiters: don’t post your full tech stack in job ads! (H/T @Notquiteyou for that one.) Let’s at least make our adversaries’ lives a bit harder when they are doing their recon, instead of giving everything on a silver platter. There’s not a single role in any company that couldn’t contribute to this.

You don’t need to share pictures of your workstation or your working area in general. If you want to publish photos of your company, the lobby or outside the premises is a lot better option.

Remember: you’re not just a target, you’re an attack vector towards people who trust you.


Other resources:

Cultivating Trust and Security on LinkedIn – LinkedIn Blog

LinkedIn Transparency report

If you want to go deeper, here’s a list of the best online privacy guides.


This guide was crossposted from my personal blog. For more social media hardening guides, please follow this link.

Joel Latto

20.05.19 10 min. read

Categories

Leave a comment

Oops! There was an error posting your comment. Please try again.

Thanks for participating! Your comment will appear once it's approved.

Posting comment...

Your email address will not be published. Required fields are marked *

Related posts

Newsletter modal

Thank you for your interest towards F-Secure newsletter. You will shortly get an email to confirm the subscription.

Gated Content modal

Congratulations – You can now access the content by clicking the button below.