Hacker shows Reg how one leaked home address can lead to ruin
Just don't go on Facebook, people. You're giving yourself up to crims
Unrestcon It takes nothing more than a home address for hacker "Nixxer" to find enough information to ruin your life.
Nixxer is one of Australia’s most skilled good-guy social engineers and at a recent event, and in subsequent chats with The Reg, demonstrated the potential damage rather than actually ruining a life. But the arsenal he showed - a mix of open source intelligence, custom tools, a knack for correlation and experience in how to siphon personal information - show how identity theft and worse are not hard to accomplish. And also how the most locked-down Facebook accounts leak like sieves.
Nixxer himself is a ghost. He doesn't use his real name and his real-self can't be found online.
His hacker identity is, however, used in public at events like the Unrestcon security confab in Melbourne, where he demonstrated how he can find enough information to access bank accounts.
To the gallows
On this occasion, Nixxer targeted an address that will lead to a family man in Kansas, US. Nixxer selected the address through a random search of online clipboard Pastebin for the keyword "dox" - the name given to private personal information made public.
Those records did not yield a name and Nixxer did not know if the street address was even real.
But it didn't take long to verify the address, through Google's and Microsoft's online mapping services, and in geospatial databases. Along the way he found not only details of the the man he sought but also the previous owners of the property. Checks against other public databases revealed how much the house cost, allowing the social engineer to make estimates on the household income necessary to purchase the home. He reckoned the combined income was about US$120,000.
Photos of the house on mapping services revealed a car parked in the driveway. Although the license plates were blurred, it was enough for the hacker to learn of the make, model, and US state in which the car was registered. “You can see they are Kansas plates because of the colour, the way they are shaped, and how many letters and numbers it has,” Nixxer says.
A well-loved playground in the house's back yard points to at least some young children in the home. A football field visible behind the house is also useful information.
“There is a local school in town, and a local gridiron team, and that's information you could use to help craft phishing attacks,” Nixxer says.
Online identification services are the scourge of privacy advocates. One service widely-regarded as a notorious treasure trove by social engineers is Salesforce web property data.com which allows tit-for-tat trading of personal information and encourages professionals to upload their contacts in order to access the same number of identities stored within its servers.
The site's impact on privacy can be severe: one of your correspondent's previous home addresses was captured by the site and offered to anyone willing to share their own contacts or open their wallets, despite my efforts to keep it concealed.
And data.com is just one such service among many: the likes of Wayin boast that they hold data on one in 14 humans.
Nixxer used such sites to look up the address from the original Pastebin document and retrieved names for current and former residents of the Kansas property. Armed with this target’s name he then established the man’s previous addresses, personal and work email addresses, and date of birth from the service.
“These sites are everywhere,” Nixxer says with disdain. “You just pay a dollar or something and you get access to whatever you want, it’s all there. It’s scary.”
Facebook is poison to those who take privacy seriously, and it is unsurprising that Nixxer has resisted the temptations to join the online watercooler. Not even with an alias.
He has better reason than most. The hacker has cooked up some nightmarish tools that lay waste to Facebook’s non-default privacy controls that Zuckerland offers as an token effort to entice and retain the tin-foil hat community.
The tools, custom-built during Nixxer’s government agency engagements, can spin up fake profiles to help capture associations and familiar links to a target who has ratcheted up Facebook privacy settings to its fullest effect.
None of the seven fake profiles he loads into the tools need to be accepted as a friend by the target in order for Facebook's privacy controls to be neutered.
At this point in Nixxer's demo, he had learned the identities of his target’s brothers and sisters, parents, and cousins thanks to Facebook and LinkedIn. He also had a pile of personal photographs and information that confirmed all previous findings.
Each of the target's siblings and children worked at what Nixxer now learned was a family-run company.
“Facebook is a spider web of people who can be leveraged,” Nixxer says. “You can use fake profiles to triangulate a target’s movements using nothing more than Facebook.”
Nixxer switches targets to the man’s business and learns that his victim is the director.
“I have enough information at this point to open and close his bank accounts, or do whatever I want,” he says.
With his noose of personal information tied, Nixxer's next step is infiltrate the website of his victim's business. That site is powered by an un-patched instance of Linux. Nixxer quickly gains access to the web server with root privileges. “It worked just like that,” Nixxer says, clicking his fingers. With a malicious site in place, all sorts of other attacks become possible.
Cutting the rope
Can you avoid attacks like that Nixxer outlined above? The hacker thinks you can, with the first step being to avoid Facebook.
"There is no reason to write down where you actually grew up, who your real brothers and sisters are, or where you went to buy clothes yesterday," he advises.
Yet locking down accounts still will not stop Nixxer and the growing army of skilled social engineers across the world from gaining sufficient information on users to bring them ruin.
He recommends users use fake online personas and deploying a handful of tools including web browser tools such as uBlock Origin, AdBlock Plus, and script blockers. ®