/ 6 February 2014

How private are you really online?

The internet has made personal information much more readily available.
The internet has made personal information much more readily available.

I have been trawling through Google and Facebook for an hour, looking for an angle of attack. Finally I stumble on to a service where people share maps of their jogging routes. The online alias matches my target's, and I already know it's her home suburb. Bingo! I have her exact home address.

My assignment is simple: dig up as much information as I can about a group of five strangers in the shortest possible time. I don't have access to any nasty NSA-grade hacking tools – just my web browser, my time and my intuition.

No, that isn't an extract from the diary of an online stalker. It's a snippet from my journey into the world of open-source intelligence, or OSINT as security geeks prefer to call it.

That's a highfalutin name for a time-honoured practice: using publicly available sources of information to uncover private information. In other words, snooping.

So, how easy is it, really, for someone to find out private details of your life using nothing but the internet? Are the tales of horror only urban legends, magnified in the telling, or can anyone with a bit of patience find out where you live and what you bought at your local grocery store last Thursday?

Private eye
Private detectives have made a living from this kind of snooping for nearly 200 years. Public records on everything from property to marriage and death have long been ­available to anyone willing to dig for them.

But the internet has rendered this kind of information much more readily available.

Add that to the global explosion in social media – Facebook alone now has 1.2-billion active users – and we have an unprecedented level of access to information about ordinary people.

For hackers and stalkers, this must be like an all-you-can-eat buffet. The only difficult decision must be which unsuspecting dupe to attack.

To test this idea, I posted a call for volunteers on my blog. Who would be interested in having their privacy systematically invaded? Quite a few people, it seems. I was hoping for three or four – instead I got 20 in a matter of hours.

I decided to email them all, just to check they knew what they were getting themselves into.

The overwhelming response? "We're confident of our online privacy. Do your worst."

Gauntlet thrown
So all my targets were both forewarned and forearmed, and quite sure that I wouldn't find much.

I started the experiment with just two pieces of hard data for each target: a full name and an email address. None of my targets is directly related to me and I haven't met any of them in real life. So they are all essentially strangers.

Then, using nothing more than Google, Facebook and a few other online services, I started my digging. At its heart, OSINT is like one of those logic puzzles that keep you busy on the beach: you're told certain facts about a discrete situation – a group of friends eating at a restaurant, say – and you have to work out the rest of the details by process of elimination.

That's how I tracked down the tell-all teenage blog of a respected attorney. Although she abandoned her whimsical, hard-drinking alter ego nearly a decade ago, I was still able to connect the dots after less than two hours of digging. She had used an alternative name on her MySpace account but all it took was one good guess and, voila!, I had her favoured persona.

This process of informational bootstrapping relies on collecting disparate snippets of data and synthesising them into an accurate profile of the target – much in the way serial killers are now tracked. Except that ordinary people are a lot easier to figure out.

Creatures of habit
Part of what makes this possible is that most people are creatures of both habit and individuality. Even when they adopt anonymous online personas, they tend to make them unique and to use them consistently on several online services.

And, even when a target is extremely vigilant about privacy, their friends and family may not be. Your dear old aunty may not have the first clue about privacy settings but, when she tags you in all her ­photos, it's you that's public. This kind of privacy "leakage" is extremely useful to practitioners of OSINT.

On the whole, South Africans have a much easier time protecting their privacy than Americans.

An entire industry has grown around digitising, cataloguing and indexing public records of every kind.

As a result, one of my targets – an American based in South Africa – was a smorgasbord of private data.

Once I had dug up her marriage licence (in mere minutes), I quickly found her parents' current phone number and the address of the house in which she grew up. I even found a satellite photograph of the property courtesy of Google maps.

Using that data, I tracked down the record of when she was arrested on a trumped-up charge of defacing public property. Ouch!

Professional approach
Given what a rank amateur could uncover with a bit of elbow grease, I was interested in seeing what a professional could do.

Dominic White, the chief technology officer of Sensepost (an information security consultancy), kindly agreed to devote a few hours to some of the targets I wouldn't have time to surveil properly.

The most striking difference between Dominic's analysis and mine (apart from the terrifying speed with which he is able to build accurate profiles about people) is that he was able to figure out exactly what make and model of cellphone and laptop his targets were using.

This seems trivial but it significantly increases the chances of successfully hacking a target's devices. It allows you to send exactly the right virus or worm to them by the best possible channel.

And, although neither Dominic nor I were intent on hacking any of these targets, this kind of snooping is often a prelude to just that. By synthesising such comprehensive profiles of people, you create a strong platform for the most effective form of hacking, called "social engineering".

Impersonation tactics
This involves getting sensitive information or access out of unsuspecting people by impersonating either your target or someone they trust implicitly. So you phone a target's personal assistant pretending to be the new IT guy and, with a little smooth talking, you have his work password.

Think about your security passwords at the bank. Aren't they things like your cellphone number and your ID?

An obvious antidote to all this might be to withdraw from the internet completely, quitting Facebook and shutting down your email address. But that is, at best, a short-term solution and a lonely, self-defeating one at that.

Our local public records will eventually be digitised and made public – it's only a matter of time. Neither of my American target's parents had Facebook accounts but I still found their home address.

So rather than cutting yourself off from the greatest invention since moveable type, just practise a bit of common sense. We should not live in fear of snooping and hacking but we should not live in ignorance either. Like a bank that cannot be robbed, or a ship that cannot sink, no one is completely immune to hacking. But we don't have to make it easy.

The targets

The journalist
Age and gender: 27-year-old woman
Level of online privacy: Medium
Private details uncovered:

  • Her exact home address in Vorna Valley (with a satellite image courtesy of Google)
  • Her husband's private cellphone number (thank you, Gumtree)
  • Her work email address (she got a real fright when I emailed her there)
  • Her date of birth (she’s a Virgo)
  • Names and photos of her entire extended family, including pictures of her half-brother and half-sister at their first communion
  • Her sister's approximate address in a small rural town in the Eastern Cape

Tools used: Google search, Facebook, Google Maps and Streetview, jogging route-sharing service

The lawyer
Age and gender: 26-year-old woman
Level of online privacy: High
Private details uncovered:

  • Her private cellphone number
  • Her date of birth (she’s a fiery Aries)
  • Private anonymous blog from her party-mad university days, complete with a charming list of all the places she threw up in one evening
  • Anonymous profile on a dating site (only fans of Queens of the Stone Age need apply)
  • Names and photos of some of her family members, including her little sister

Tools used: Google search, Facebook, MySpace, blogs, forums

The IT worker
Age and gender: 36-year-old man
Level of online privacy: Medium
Private details uncovered:

  • His home address, and a photo of his house (thanks, Google Streetview)
  • His private cellphone number
  • His wife’s name, photo and occupation (she's in advertising)
  • The names and photos of his entire extended family, including the new baby who arrived in September
  • The make and model of his cellphone (as you would expect for a true geek, it's an Android)

Tools used: Google search, Facebook, domain registration data ("Whois"), Google Maps and Streetview, Twitter, Reddit, Photobucket, Image meta-data analyser

The American ex-pat
Age and gender: 34-year-old woman
Level of online privacy: High
Private details uncovered:

  • Record of her arrest on a minor vandalism charge (writing your name in wet cement is frowned upon by frustrated local lawmen hankering for a bank robbery to solve)
  • Names and photos of her entire extended family
  • Her parents' home address and phone number
  • Her marriage certificate (which took less than five minutes to find)
  • Her date of birth (she's focused and hardworking – a typical Virgo)

Tools used: Google search, Facebook, Linked-In, paid search tools for US public records, Google Maps and Streetview, local news sites

The advertising executive
Age and gender: 33-year-old woman
Level of online privacy: High

  • Her date of birth (she was born in the Year of the Monkey)
  • Her mother's private cellphone number
  • Names and photos of her extended family members ­(including her young nephews and nieces)
  • Her triplet sister's entire private wedding album (she looked beautiful enough to stalk and kidnap)
  • Her other triplet's occupation and work telephone number

Tools used: Google search, Facebook, Linked-In, Twitter, Instagram

How to make yourself a less obvious target

  • Check your privacy settings on all the social media platforms you use and make them as restrictive as possible. Facebook, for example, is very open by default. 
  • Click the cog in the top right-hand corner, choose "privacy settings" and make yourself safe.
  • If giving an address is absolutely necessary, make it a PO Box or an office address.
  • Never post your private phone number online – even if it's on a profile you think is anonymous. Beware of publicly tagging your location, particularly when you take pictures of your or other people's children.
  • Don't share the same email address, username or avatar on multiple anonymous profiles or they will quickly cease to be anonymous.
  • Always stop and think before you post anything anywhere. Posting something to the internet is like squeezing a tube of toothpaste – you're never going to get it back in that tube.