General, Info Sec | 11-April-2017 | .NetRussell

Don’t be a Bargain Bin Product

Look, there’s no easy way to say this, so I’m not going to sugar coat it for you. You’re a product. I know people say that all the time, but I don’t think people really, truly comprehend it. Every year your data is bought and sold millions of times, and there’s next to nothing you can do about some of it.

That intro paragraph summarizes 99% of the articles out there these days, and it is partially the reason why we are so numb to this epidemic of our personal data being pillaged. Unfortunately, they never go far enough to show you what is actually happening and why this is a serious problem. A problem so big that the government and our laws are enabling it.

How this Article was Born

I’ve spent the last couple of years attempting to purge my personal information from the internet. At the same time, however, I want to keep a public profile for job opportunities. Herein lies the problem. How do you keep a public profile while also not overexposing yourself on the web? I decided that this would make an excellent conference session, so I set out to answer it using my personal experience scrubbing myself off the web as a starting point.

Down The Rabbit Hole

Initially, I just wanted to see if I could get myself off of the web. I started by googling myself and removing what I found. Then I purged my Facebook and Twitter of personal info and beefed up the security settings on them. I also checked my personal blog for anything I didn’t want on there.

After all of that was complete, though, there was still a ton of info on the web! Unfortunately there are these things called databases, and once you’re in them YOU’RE IN THEM…

Fortunately for me, many of them offered an opt-out method. I’m not going to go too deep into how I did my web purge in this article, because I’m going to do an entire article on it next. For this one, let’s just focus on the issue at hand: how and why you’re a product.

As I scrubbed these sites (LinkedIn, Whitepages, etc.), I noticed something odd. The people search database pages all seemed to be pulling not only from profiles like LinkedIn but from public databases as well.

Further digging confirmed this. The people search engines aren’t seeded by social media usually, they’re seeded by public data!

Just think about that. Companies are scraping public data, which you have zero control over, without your permission, and turning it into a revenue stream by selling it to other companies so they can market to you. All of this without ever notifying you!

There’s a New Currency in Town, YOU

If you think your identity information isn’t valuable then you’re a fool. Entire billion dollar companies have spawned out of marketing of you and to you. Facebook is just one of the offenders.

Remember that old saying?

“…If the service is free then you’re likely the product…” 

That’s pretty much true for the entire internet: all the apps and all the services that are “free to use” as long as you sign up. Your data has been mined, smelted, buried and mined again, time and time again. You might as well accept that you’re a cow roaming the Facebook pasture and they’re milking you every day.

The real question is this: if companies find this information so valuable, valuable enough to spend millions upon millions of dollars connecting your public data to all your private data, then why don’t we all consider it valuable too?

Have Value in Yourself

Barring that you’re a super spy, a notorious gangster turned state witness, or a guy in a tinfoil hat that “knows people”, you only get one identity. You get one social security number, and you get only a handful of phone numbers and living addresses in your life. This in and of itself should alert you to the fact that it’s valuable information.

Furthermore, most people keep the same Facebook, twitter and emails for years. These might as well be a giant neon sign that points to you, your interests and desires. Once all of this data can be correlated, you’re ready to be chopped up, packaged, stamped and shipped off to the local market.

Don’t believe me? Well, I had a feeling that everything I just wrote would fall on numb, deaf ears, so I decided to pull down the Ohio Registered Voter database and see how much info I could get myself. Let’s see what we get!

Practical Exercises with Real Data!

Defining My Data-set

I looked at a number of public data sources such as:

  • County Court (Cuyahoga County Ohio)
    • Allows you to query by name, case number or by date range. (I was able to query Cuyahoga County for every traffic ticket given in 2016.)
    • For traffic tickets it provides full name, date of birth, current address, vehicle year, plate state and plate number.
  • Voter registration database
  • Property tax information (Cuyahoga County Ohio)
    • Allows you to query by person’s name, address, or parcel number.
    • Provides owner information, sale price, property information, tax information such as how much is paid each year and if there’s any back taxes.

Now, though scripting these queries would be pretty trivial, especially in bash or python, I chose to see how big a data set I could build up with as little hacking of government sites as possible. So naturally I downloaded the voter database, which, to my surprise, contained records on 6.3 million people in Ohio. Just to keep it in perspective, Ohio only has 11.5 million people, so that database accounts for over half of the people in the state.

One short import into Azure later….

Analysing The Data

So before I start building giant databases on people’s social networks, phone numbers, and emails, let’s see what I can infer just from the data that the government gives us.

DISCLAIMER: Though the government doesn’t redact anything from their database, I feel it’s socially and morally irresponsible to post someone’s personal information on the web without them knowing, so I will be redacting it here.

I’ll start by finding all the people on my street that voted republican.

In such a politically charged time, I’m not sure that I feel comfortable with any psycho being able to figure out which candidate I supported.

Perhaps I don’t care about politics, though. Maybe instead I want to find elderly people that I can attempt to trick into buying something, or worse, steal their checks out of their mailbox. One quick query later and I have over 1.1 million possible targets.

Maybe harassing people of the opposite political party and robbing old people isn’t your thing though. Instead, perhaps you’d like to find all of the young girls that live near you. This next query will find all of the 18 year olds near me. I can pretty easily scan and find the girls.

(Remember this search, because we’re going to use it again in the next section.)

If you thought that last example wasn’t creepy, wait until I show you what comes next…

Building the Ultimate Stalker Database

So far we’ve shown that we can get some pretty sensitive information from just free government data. I sure as hell know I don’t want anyone knowing where my elderly relatives live. Unfortunately though, that wasn’t the end of the examples. The next thing we’re going to do is tie all of our personal data into social networks, emails, phone numbers and more.

All of the techniques I’m about to outline, AND MUCH MORE, are covered on IntelTechniques.com. If you’re truly interested in Open Source Intelligence techniques, I also recommend their book.

I could go on for days extracting information from the web with what we have so far on every person. However, I’m going to go right for the kill and use one of my favorite APIs, the Pipl API. Though I am providing their website link, you can easily script this URL.

To illustrate my point of the dangers of this data, I literally chose the very first girl from our list above. I put her First Name, Last Name, City she lives in and State she lives in, into the Pipl API. Here’s what I found…

  • Her full address (which confirmed what was in our database)
  • Her email
  • Her parents names and address
  • Her Facebook
  • Her cellphone number
  • Her gender (which wasn’t tracked in the voter database but is now confirmed)

Now that we have all of that, let’s go check out her Facebook page and see if we can find any useful information there.

Sure enough, we find an unrestricted Facebook page. From here I can see her friends, family, photos and interests. I can even see that she lists herself as single but is in a relationship with some guy that spells Thomas wrong…

Now let’s see if I can manually find some more profiles online. Most young, hip people these days have Instagram. So I head over to their site (without having to log in) and use their search functionality.

Simply by searching our target’s name, I have turned up another public profile and more personal information about the target. She plays the violin, recently went to New York, and I’ve identified what high school she attended.

Consolidating The Information

So what do we know about our person?

  • First and Last name
  • Date of Birth
  • Gender
  • Race
  • Address
  • Email
  • Phone number
  • The high school she attended
  • A recent trip to New York
  • Facebook page providing detailed info
  • Photos of the person
  • Relationship status
  • Significant other’s name, photo and Facebook Profile
  • Sexual Orientation
  • Parents (and all of their information)

Oh and also

  • She plays violin
  • What sports teams she follows
  • The music and movies she likes
  • Her favorite TV shows
  • What apps she has downloaded
  • All of the likes she’s given to local restaurants

It’s not hard to see that this is a WEALTH of information, all seeded from the voter database. Also, I did all of this research while I was writing this article. Realistically, you can do all of this in a matter of minutes.

What Potential Threats Does Our Targeted Person Face?

You’d think this would be where I’d say, well, that depends. However, it’s not… With the information I have, I could open online accounts in her name and with her photo to impersonate her. I could call and harass her on the phone, or worse, I could use the personal information I’ve collected on her to either blackmail her or trick her into giving me money. Not to mention I know where she lives which is probably the worst of all.

Identity theft and phishing attacks are extremely common, and I wouldn’t be shocked if attackers used the very methods that I outlined in this article.

So What Can She Do?

Well, if I were this girl’s father I would start by ripping the internet off of the face of the planet, because this would terrify me. Realistically, though, she should start by locking down her online presence. There’s absolutely no reason for people to be able to see your Facebook profile if you don’t know them. It provides intimate details about your life that strangers don’t need to know. Next, I’d contact my local government and insist they stop sharing the entire voter database in a downloadable format. It’s INSANE that people and companies can get this.

So in closing, just remember: you’re the product. Companies want to buy you and sell you. Your identity is worth a shit load to them, and if you don’t start respecting it then they never will. You’ll never get entirely out of their databases, but you have the power to decide if you want to be a top shelf product or a Dollar General bargain bin product.
