General, Info Sec 4-August-2017 .NetRussell 2 comments

Alohomora! – Unlocking the Potential of Public Data

So about six months ago I started researching how to disappear from the internets. I opted out of all the things. I threw mud in the water on social media and I even deleted more than a few accounts. No luck, I still get junk email and, shockingly, somehow, even more real junk mail.

Then I got to thinking… If I can’t beat these companies, why not figure out how they’re getting my data, duplicate it if I can, and then abuse the heck out of it to raise awareness.

TLDR;

Download Alohomora

Alohomora is Born

So originally this application was nothing more than some C# printing out to a console window. As I continued down this path, though, I quickly realized that I had stumbled onto a method that could be abused to seriously harm others. You can read about the method I used in the 2017 Summer Edition of 2600.

I decided that I needed to take one of two paths. Either I was going to fully weaponize this tool and just present it but not release it, or I was going to release it and its source. I opted to release the tool because I believe wholeheartedly that if the public isn’t fully made aware of what’s out there and how it’s being used, then policy will never change.

I presented version one of Alohomora at Defcon 25 2017. During my presentation I showed how the tool can quickly build target profiles on employees of critical infrastructure, police officers, firefighters, soldiers and more. With these target profiles a person can see home address, phone number, full name, date of birth, relationships, sexual orientation and more.

The target profiles are just an example of how someone could use this tool. That information could be used for targeted phishing campaigns against nuclear power plants, police departments, schools, and more. It could also be used to locate specific people of interest and harm them physically. I know that when I was a soldier / police officer I wouldn’t have wanted people being able to easily find out where I live.

The Next Stage For Alohomora

Currently I’m prepping version two of the tool for DerbyCon 2017.

Some of my goals are:

  • Clean up the UI
  • Be able to locate targets within your immediate vicinity
  • Write a LinkedIn plugin
  • Write a Twitter plugin

You can find the source for the tool on my GitHub and you can download a build of the tool at the top of the page.

https://GitHub.com/DotNetRussell/Alohomora

2 thoughts on “Alohomora! – Unlocking the Potential of Public Data”

  1. First thing I saw that happened was Avast Free Version sees it as malware or a virus when I clicked on the .exe file and tried to fire it up, so I guess I need to ask how best to check out the software on my Windows 7 system with Avast?

    1. Oh that’s interesting. I haven’t had any issues with antivirus yet. I’ll see what I can figure out. All the source is available on GitHub, so if you’re worried it’s doing something malicious you can go validate it and make your own build. Otherwise I’d just tell Avast to whitelist it.
