LinkedIn

Don’t make yourself a target through your LinkedIn profile. If you work in a high-risk field, such as cryptocurrency, we strongly recommend against broadcasting that fact to the Internet (e.g., don’t say where you work, don’t call yourself a crypto evangelist, and don’t mention that you attend monthly crypto meetups).

Locking Down Your Account

Navigate to your account settings to reach LinkedIn’s Security & Privacy settings:

  1. Click the Me icon at the top of your LinkedIn homepage.
  2. Select Settings & Privacy from the dropdown.
  3. Click the Account tab at the top of the page. 

     Login and Security

    • Email Addresses - Every email address listed here is a password-reset path into this account, so each one must itself be locked down: a strong unique password, 2FA using an authenticator app (e.g., Google Authenticator) or a hardware key (e.g., YubiKey) rather than SMS, and SMS-based account recovery disabled.
    • Phone numbers - SMS was unfortunately the only 2FA method LinkedIn offered when this guide was written (if your Two-Step Verification settings now offer an authenticator app, prefer it over SMS). Either way, make sure the phone number has “Use for password reset” unchecked. Use a number that is NOT your mobile number, such as a Google Voice number, so a SIM swap against your carrier does not hand over your LinkedIn codes. We will limit who can see this phone number or find you via it in a later section.
    • Change Password - Make sure this password is long, unique to LinkedIn, and kept in a password manager. If you haven’t changed it in a while, change it now.
    • Where you’re signed in - Review this and remove every session other than the one you are using. You will be asked to log in again on your other devices. This clears any rogue session that may exist.
    • Two-Step Verification - With “Use for password reset” turned off on the phone number, this is the best 2FA you are going to get with LinkedIn right now. Enable it and point it at your Google Voice number.

     Site Preferences

    • Language - Choose your favorite language.
    • Autoplay Videos - Turn this off so that media does not render without your choosing it, which limits your exposure if a video-based exploit appears in the future.
    • Showing Profile Photos - You can leave this on for “Everyone”.
    • Feed preferences - You can leave this alone unless you want to customize who you follow and see updates from.
    • Name, Location, Industry - Pay attention here. Much of what LinkedIn exposes about you comes from these fields.

      • Your headline leaks where you currently work. Consider changing this to “YOUR_ROLE at Undisclosed” if you work somewhere that might put you at a higher risk.
      • Current position mirrors the current position on your profile. Leave this as-is for now; we will customize it later.
      • Uncheck “Show education in my intro”.
      • Country/Region - You can leave this as-is or change it to something fake.
      • Zip Code - Remove anything that is there.
      • Industry - Select something generic rather than Financial Services, Banking, or anything else that signals you handle money or assets.
      • Contact Info - Click the “pencil” icon and clear out anything sensitive. The email address shown here is the one you log in with (secured under Email Addresses above). Click Apply when done, then scroll back down to “Summary”.
      • Summary - This is your bio. Keep out anything that might make you a target.
      • Media - Click the “pencil” and remove anything that might make you a target (e.g., your workplace or other sensitive details).
      • Click “Save”.

     Subscriptions and Payments

    • Upgrade for Free - Never do this; a trial upgrade ties payment details to the account.
    • View Purchase History - Don’t need to modify.

     Partners and Services

    • Microsoft - If you have anything connected here, delete it.
    • Permitted Services - If you have any connected here, delete them.
    • Twitter Settings - Remove your Twitter account from here.

     Account Management

  4. Click the Privacy tab at the top of the page.

     How others see your profile and network information

    • Review the settings under Edit Your Profile. The most important piece here is to restrict the visibility of your profile: the less that is publicly visible, the better. Configure the following fields:
      • Your Profile’s Public Visibility - Recommended to be turned “Off”.
      • If you don’t want to go that far, or can’t for business reasons, make the following changes to the radio buttons below:
        • Profile Photos - Set to your connections only.
        • Headline - Show (but keep sensitive info out of it)
        • Websites - Hide
        • Summary - Show (but keep sensitive info out of it)
        • Posts & Activities - Hide
        • Current Experience - Hide (and keep sensitive info out of it)
        • Past Experience - Hide
        • Education - Hide
        • Volunteer Experiences - Hide
        • Projects - Hide
        • Publications - Hide
        • Courses - Hide
        • Honor and Awards - Hide
        • Languages - Hide
        • Organizations - Hide
        • Groups - Hide
        • Recommendations - Hide
    • Click Back to LinkedIn at the top right.

    • Who Can See Your Email Address - Make your email address visible only to you, and set the option allowing your connections to download your email in their data export to “No”.
    • Who Can See Your Connections - Set this to “Only You”. An attacker targeting you will come at you either directly or through one of your connections; an attacker targeting someone else or a company may come through a connection, which could be you. Hiding your connections makes that reconnaissance step harder.
    • Viewers of this profile also viewed - Change this to “No”; otherwise it can reveal co-workers at your employer even when their own profiles are sanitized.
    • Who Can See Your Last Name - Set this to show only the first letter of your last name.
    • Representing your organization and interests - Set this to “No”
    • Disable Profile visibility off LinkedIn.
    • Microsoft Word - Change this to “No”. 
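The visibility rules above can be checked offline before you save them. The script below is an added example and is not LinkedIn’s code or a LinkedIn API: the field names, the three audience levels, the SENSITIVE_TERMS list and the two sample profiles are assumptions constructed for illustration. It models which fields an anonymous visitor, a connection, or you can read under a given set of radio-button choices, flags the fields the checklist says to hide, and scans the fields that stay visible for wording that marks you as a target.

```python
"""Offline audit of a LinkedIn-style profile against the visibility checklist.

Added example, not LinkedIn code. Field names, audience levels, SENSITIVE_TERMS
and the sample profiles are assumptions; copy what the Edit Your Profile radio
buttons show into `visibility` and run the audit before saving.
"""
from dataclasses import dataclass

# Audience levels, least to most exposed. A viewer sees a field when the
# field's audience is at least as open as what that viewer is entitled to.
ONLY_ME, CONNECTIONS, PUBLIC = "only_me", "connections", "public"
RANK = {ONLY_ME: 0, CONNECTIONS: 1, PUBLIC: 2}
REQUIRED = {"anonymous": PUBLIC, "connection": CONNECTIONS, "self": ONLY_ME}

# Fields the checklist says to hide from the public profile (assumed names).
HIDE_FROM_PUBLIC = frozenset({
    "websites", "posts", "current_experience", "past_experience", "education",
    "volunteer", "projects", "publications", "courses", "honors", "languages",
    "organizations", "groups", "recommendations",
})
# Free-text fields that may stay visible but must not mention sensitive details.
FREE_TEXT = ("headline", "summary", "current_experience")
# Assumption: terms that mark the owner as a high-value target; add your employer.
SENSITIVE_TERMS = ("crypto", "bitcoin", "blockchain", "exchange", "wallet", "bank")


@dataclass
class Profile:
    public_visibility: bool   # the "Your Profile's Public Visibility" switch
    fields: dict              # field name -> content
    visibility: dict          # field name -> audience (PUBLIC when unset)


def visible_to(profile, viewer):
    """Return {field: content} that `viewer` (anonymous/connection/self) can read."""
    if viewer == "anonymous" and not profile.public_visibility:
        return {}  # public profile off: nothing is served to the logged-out web
    need = RANK[REQUIRED[viewer]]
    return {
        name: text
        for name, text in profile.fields.items()
        if RANK[profile.visibility.get(name, PUBLIC)] >= need
    }


def audit(profile):
    """Return a list of (severity, message) findings; an empty list means clean."""
    findings = []
    if profile.public_visibility:
        findings.append(("medium", "public profile is on; the checklist recommends off"))
    public = visible_to(profile, "anonymous")
    for name in sorted(HIDE_FROM_PUBLIC.intersection(public)):
        findings.append(("high", f"{name} is visible to anonymous viewers"))
    # Sensitive wording matters even for connections: an attacker may already
    # be one of them, or have compromised one.
    for_connections = visible_to(profile, "connection")
    for name in FREE_TEXT:
        text = for_connections.get(name, "").lower()
        hits = [t for t in SENSITIVE_TERMS if t in text]
        if hits:
            findings.append(("high", f"{name} mentions {', '.join(hits)}"))
    return findings


# Constructed sample: a default-ish profile for an engineer at a fictional exchange.
SAMPLE = Profile(
    public_visibility=True,
    fields={
        "headline": "Backend Engineer at ExampleCoin Exchange",
        "summary": "Crypto evangelist, building wallet infrastructure.",
        "current_experience": "ExampleCoin Exchange, 2021-present",
        "education": "Example University",
        "websites": "https://example.com",
        "posts": "Shared an article",
    },
    visibility={"education": PUBLIC, "websites": CONNECTIONS},
)

# The same profile after applying the checklist.
SANITIZED = Profile(
    public_visibility=False,
    fields={**SAMPLE.fields,
            "headline": "Backend Engineer at Undisclosed",
            "summary": "Distributed systems engineer.",
            "current_experience": "Undisclosed"},
    visibility={**{name: ONLY_ME for name in HIDE_FROM_PUBLIC},
                "headline": CONNECTIONS, "summary": CONNECTIONS},
)

if __name__ == "__main__":
    for label, profile in (("before", SAMPLE), ("after", SANITIZED)):
        print(label, audit(profile) or "clean")
```

The `before` profile yields seven findings (public profile on, three fields exposed to anonymous viewers, and sensitive wording in all three free-text fields); the `after` profile is clean. Note that keeping the headline visible to connections is a deliberate trade-off that only works because the headline itself no longer names the employer.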

     How others see your LinkedIn activity

    • Profile viewing options - turn on private mode
    • Manage active status - set to “No One”
    • Share job changes - No
    • Notify connections when you’re in the news - No
    • Mentions or tags by others - Set to “No”; otherwise someone else can leak where you work by tagging you in an article or related post.

     How LinkedIn uses your data

    • Review Manage your data and activity to see the settings you have changed over the life of your account and confirm that the hardening changes above have actually taken effect.
    • Disable both the settings allowing people to discover you through phone and email.
    • Disable syncing with your calendars and contact lists.

     Blocking and Hiding

    • Under Followers, review who is allowed to follow you. As an added layer of security, allow only your connections to be followers. If you open following to everyone, people outside your network can follow your public updates.
  5. Click the Ads tab at the top of the page. 

     Ads

    • Ads - Set everything to “No” or uncheck all items on this tab.
  6. Click the Communications tab at the top of the page. 

     Notifications by channel

    • On LinkedIn - turn off items you don’t want to be bothered about
    • Email - recommended you turn all of these off; the fewer legitimate LinkedIn emails you receive, the easier it is to spot phishing emails impersonating LinkedIn
    • Push - recommended you turn all of these off

     Who can reach you

    • Connection Request - This really needs more granular settings, but you have to leave it open if you ever want to receive connection requests. If not, change it to “Only people who appear in your Imported Contacts list” and never import any contacts.
    • Messages - Turn both of these settings off.
    • Research Invites - Change to “No”.

     Messaging experience

    • Read receipts and typing indicator - Change to “off”.
    • Reply suggestions - Change to “off”.