Social Engineering - Christopher Hadnagy [25]
Displaying location-based information is a scary aspect of social media websites. Not only do they allow you to post pictures of yourself, they also implicitly reveal your location—possibly without your knowledge.
Sites like ICanStalkU underscore the danger of this information. Check out a story (one of many) that shows how this data is used for home break-ins, robberies, and sometimes more at www.social-engineer.org/wiki/archives/BlogPosts/TwitterHomeRobbery.html.
This type of information can give you a very detailed profile of your target. People love to tweet about where they are, what they are doing, and who they are with. Blippy allows a person to connect their bank accounts and in essence it will “tweet” with each purchase, where it was from, and how much it costs. With pictures including embedded location data and then sites like Facebook, which many use to put personal pictures, stories, and other related info, it is a social engineer’s dream. In a short while a whole profile can be developed with a person’s address, job, pictures, hobbies, and more.
Another aspect of social media sites that makes them excellent sources of information gathering is the ability to be anonymous. If the target is a recently divorced middle-aged man who loves his Facebook page, you can be a young woman who is looking for a new friend. Many times, while flirting, people divulge valuable pieces of information. Combine the ability to be anyone or anything you want on the web with the fact that most people believe everything they read as gospel fact and what you have is one of the greatest risks to security.
Figure 2-4: A typical scene on the homepage of ICanStalkU.com.
Public Reports
Public data may be generated by entities inside and outside the target company. This data can consist of quarterly reports, government reports, analyst reports, earnings posted for publicly traded companies, and so on. An example of these are Dunn and Bradstreet reports or other sales reports that are sold for very little money and contain a lot of details on the target company.
Another avenue discussed in more detail later is using background checkers such as those found at www.USSearch.com and www.intelius.com. These sites, along with many others, can offer background check services for as little as $1 for one limited report to a $49 per month fee that lets you run as many checks as you want. You can get much of this information for free using search engines, but some of the detailed financial data and personal information can only be obtained easily and legally through a paid-for service. Perhaps most shocking is that many of these companies may even provide data like a person’s Social Security Number to some customers.
Using the Power of Observation
Though not used enough as a social engineering tool, , simple observation can tell you much about your target. Does the target’s employees use keys, RFID cards, or other methods to enter the building? Is there a designated area for smoking? Are dumpsters locked, and does the building have external cameras? External devices such as power supplies or air conditioning units usually reveal who the service company is, and that can allow the social engineer another vector to gain access.
These are just a few of the questions that you can get answers for through observation. Taking some time to watch the target, film using a covert camera, and then studying and analyzing the information later can teach you a lot and give your information file a major boost.
Going through the Garbage
Yes, as hard as it is to imagine enjoying jumping through the trash, it can yield one of the most lucrative payoffs for information gathering. People often throw away invoices, notices, letters, CDs, computers, USB keys, and a plethora of other devices and reports that can truly give amazing amounts of information. As mentioned previously, if people