
As a pentester, part of my job is running social engineering exercises. To be successful, I look for information I can use that will make my communication appear more authentic, and can be used to create attack vectors. These are the same tactics a bad actor will use to gain personal information on targets, and it’s important to be aware of these tactics to protect ourselves and our loved ones. I believe it’s important to be aware so we can all make calculated choices about what we want to allow to be disclosed that ultimately can affect our lives. Think of it as creating our own personal risk model, if you will. This article will focus on four key things:
- OSINT
- What personal information can be uncovered on the Internet
- How this information is found
- How to take back control of this information
First up – OSINT. OSINT is an abbreviation for Open Source INTelligence. It involves looking up information that is publicly available – no hacking or special skills are required to see it. This information is collected piece by piece. Think of it like a jigsaw puzzle. When putting a puzzle together, each piece on its own means little. But when pieces are put together, the picture starts to become clear. Plus, each piece that is put into place gives a clue to where other pieces fit in. Eventually, you have a complete picture. Similarly, each piece of information uncovered can generate ideas to make even more specifically crafted searches.
This information is uncovered in several different ways. Typically, this will start with an Internet search for the individual. Generally, that leads to social media profiles. Everyone likes talking about their interests – but do your conversations give hints to things like passwords, for example? Do you have a cute and unique username that you think is clever and that you’re proud of? That’s great – just understand that can also be used to narrow down search results and uncover even more of your personal information. Your information can be pinpointed very easily.
Some types of information that can be uncovered include current and previous addresses, phone numbers, email accounts, date of birth, maiden names, relatives, neighbors, online reviews, personal interests, even political affiliations.
We’re all cyber enthusiasts here so you probably know 90% of the Internet is on the ‘deep web’. The deep web of course is different from the dark web. Deep web simply refers to information that is not directly indexed by search engines. But that doesn’t mean the information isn’t accessible when you know where to look. Places like the Wayback Machine or public databases contain all sorts of information if you know how to look for it. One of my favorite examples of this is county and state tax records. If you know approximately where someone lives you can search for their property tax records – this could be a vehicle or real estate depending on the locale – which can uncover all sorts of information. This can include recorded documents like deeds of trust, license plates, type of car you drive, and who your mortgage is with. Again, this will vary depending on the locale, but it can be alarming to see what all is actually in there and visible to anyone who goes looking for it.
Then there are online reviews. People love giving their opinions about places and things. If you do as well, that’s awesome, just understand that also gives insight into places you frequent and other interests that you have. It can also let people know what kind of items you own. Say, for example, you like rare or valuable wristwatches, and you frequently engage in talk on forums about these items. Here’s the thing – once this is combined with the other information we just discussed, you can start to see how all of this can quickly become a concern if someone decides that they want to target you.
This applies to business information, too. On a pentest, we had a repeat client who wanted something ‘different’ this time on their test. I was able to figure out what human resource software this company was using. How, you might ask? I was looking for our client’s logos on the web and one led right to the HR software company website. The reason it did was because our client had a testimonial right on that website, prominently proclaiming how happy they were with the software. I created a fake portal mimicking that login page and sent phishing emails stating that information needed to be validated due to upgrades that were taking place. Spoiler alert – it worked, and it worked really well. It worked because the employees saw something they were already familiar with and happily logged in to make sure their information would transfer successfully to the ‘upgraded’ system.


Here are some examples of information I uncovered on someone who shares the same name as myself. I was able to find basically all of their contact information and even personally identifiable information. It literally took less than 10 minutes to uncover this person’s information. In fact, it took longer to redact the information and create the graphics here than it did to find the information in the first place.
Here’s why this is a big deal: Think about the information that we just looked at and then think about the things you’re asked for during password resets. Or things you verify to prove who you are to a credit bureau. Many of those questions can often be answered with this kind of information or things posted on social media. If someone decides they want to stalk you, how easy would it be for them to find this information? Again, going back to awareness, it’s up to you to decide how comfortable you are knowing that this information is out there. It doesn’t mean living like a prepper or recluse (unless that’s what you want to do). It’s being aware of what is out there and how much of that information you want to be known.
Before we talk about what to do about it, it’s important to understand how we got here in the first place. There’s an old saying – if you’re not paying for the product then you are the product. This information was gleaned from rewards programs we signed up for, social media posts, mailing lists we’re part of, our web browsing history, public records, services we use, even data leaked by our mobile apps and shopping history. This information is sliced and diced 87,000 ways and sold over and over and over and over again to the highest bidder. So, we kind of did this to ourselves. We did it by NOT reading the terms of service agreements of things we signed up for – apps, programs, etc. – just because it sounded good to save $1 on a loaf of bread on a given day.
How this data is collected and used is a discussion all to itself. But if knowing more about that is of interest to you, John Oliver had a fantastic piece about it where he does a deep dive into how all of this works. In true John Oliver fashion, he does something very funny with it at the end that I won’t spoil here. You can find the piece on YouTube at the link above and I recommend taking a look at it.
Ok, so now that we’ve identified the problem, the next logical question is what can we do about it? Literally, it starts with running a Google search on yourself and seeing what comes up. See which data sharing sites have your information. And if it’s not one that you want to have your information, there is generally an opt-out page where you can request that the information be removed. Now, this page is not always easy to find. Remember – by opting out, you’re messing with their profit model, and they don’t want that. If the opt-out page is hard to find, Google the service name and ‘opt-out’. That can be a quicker path to discovering it. Usually, they’ll ask for a reason for the request. Some of the more commonly accepted reasons are you work in law enforcement and are afraid of retaliation, or you’ve been the victim of stalking or identity theft. Personally, I’ve used stalking and identity theft as reasons, and I’ve never been asked for proof of those events.
Secondly, look at the permissions that you’re enabling on mobile apps. Does that game REALLY need to know everyone in your contact list or know your location at all times? Take a minute to think through ‘convenience’ services – what is really being traded for this convenience? Use privacy-focused browsers, such as Firefox or Brave, and add extensions to those that can help maintain your privacy while browsing.
This also requires a lot of vigilance. Doing it once isn’t enough. Once you do the initial sweep, run the same checks a couple times per year. Sometimes a service gets reactivated or a new one pops up that didn’t exist on the last check. Believe me when I say no one will look out for or care more about your privacy than you will. Act accordingly.
There are also resources that will take you deeper down this rabbit hole if you’re inclined to learn more about this topic:
- Heath Adams has an entire free 5-hour course on YouTube that teaches OSINT. He also has numerous other free videos with some challenges where you can test your OSINT skills.
- Michael Bazzell is an author and consultant who treats this topic like blood sport. He has a book entitled Extreme Privacy where he shows exactly how he helps his clients stay invisible. That said, on his website he has free resources for people to find and delete their information from data broker organizations.
- com is also a paid service; however, they also have a DIY section on their website that is free to use for those who are interested in keeping their data private. Because of the free resources that they offer, I’ve chosen to include them here.
Here's the fun part – now that you know how this information is collected, why not have some fun with it? Does that rewards program really need your actual date of birth or real phone number? So why not mess with the algorithm? Put misinformation out there and keep it out there. Personally, I like using April Fool’s Day or August 29, 1997 for my date of birth. If you know why the August date is funny, congrats you’re as nerdy as me. If you really get into this topic, and especially OSINT, you can practice using these skills with tracelabs.org. Their goal is to crowdsource OSINT to reunite missing people with their loved ones.
If you’re reading this magazine, chances are you’re already interested in maintaining a certain level of security and privacy. Remember too, though, many in our circle look to us as cybersecurity experts. I always say it takes a village, and it’s important that we constantly look out for ourselves, our families, and our loved ones to help all of us stay safe online.