During our red teaming projects, we happen to begin with recon about the target. The information we get out of it almost always ends up giving us few attack vectors to test over the target. Over the time, it made us familiar with:
- What is information about you attacker looks for?
- How can you find this information in the way attackers do & before they do it?
- What measures to take in order to prevent & mitigate privacy leakage?
Ever wondered what information internet has about you???
Try the following Google searches with your name:
- Your name + Your Location & Visit all the pages looking for anything about you unwanted.
- Yourname filetype:pdf doc excel png jpg jpeg gif mp3 mp4 3gp svg
- Yourname inurl:facebook.com linkedin.com orkut.com instagram.com tumblr.com reddit.com pastebin.com quora.com
- Yourname insite:facebook.com linkedin.com orkut.com instagram.com tumblr.com reddit.com pastebin.com quora.com
Do you get spam calls?? Is your contact information available openly??
Repeat the same as above for your phone number & email addresses.
Is your mail-id hacked? Search here
Are you suffering from Identity theft? Is your identity for sale??
Repeat the same for your UID’s & Banking Cards.
Do you have webcams/security cams? OR Do you happen to fall under any cameras sight under your daily routine?? Are they with default/guessable credentials?? Do you think you are not being watched by anyone else apart from camera owners??
How to access it would be something controversial (Hint: If you know the IP of the camera, it can help.)
Same goes with wifi
- During this activity, if you found any unwanted information & you can remove it; go ahead. If removing it in your control request the website owners to do so through email & hope that they do it.
- Do this exercise at least bi-annually as a general security check.
- Don’t put anything you don’t like to get publicly associated with; including social media.
Findings in Relevant Pentest cases in which above was helpful:
- Customer SSN’s & card details
- Metadata leaked revealing internal System configuration
- Don’t do this exercise for getting info. of someone else as you can always be tracked down.
The devices you use knows/reveals out a lot more than you can anticipate/allow which we will cover in later series.