Secrets the Internet knows about you

Updated on 11th September 2018
By piyush

During our red teaming projects, we begin with recon on the target. The information we get from it almost always gives us a few attack vectors to test against the target. Over time, this made us familiar with:

  • What information about you does an attacker look for?
  • How can you find this information the way attackers do, and before they do?
  • What measures can you take to prevent and mitigate privacy leakage?

Ever wondered what information the internet has about you?

Try the following Google searches with your name:

  • Your name + your location, then visit all the resulting pages looking for anything unwanted about you.

  • Yourname filetype:pdf doc excel png jpg jpeg gif mp3 mp4 3gp svg
  • Yourname inurl:facebook.com linkedin.com orkut.com instagram.com tumblr.com reddit.com pastebin.com quora.com
  • Yourname insite:facebook.com linkedin.com orkut.com instagram.com tumblr.com reddit.com pastebin.com quora.com

Do you get spam calls? Is your contact information openly available?

Repeat the same searches for your phone number and email addresses.

Is your mail-id hacked? Search here

Are you suffering from identity theft? Is your identity for sale?

Repeat the same for your UIDs and banking cards.

Do you have webcams or security cameras? Or do you fall within sight of any cameras during your daily routine? Do they use default or guessable credentials? Do you think no one is watching you apart from the camera owners?

How to access them is controversial (hint: knowing the camera's IP address can help).

The same goes for Wi-Fi.

Mitigation:

  • During this activity, if you find any unwanted information and you can remove it yourself, go ahead. If removing it is not in your control, email the website owners asking them to remove it, and hope that they do.

Measures:

  • Do this exercise at least bi-annually as a general security check.
  • Don’t post anything you would not want publicly associated with you, and that includes social media.

Findings from relevant pentest cases in which the above was helpful:

  • Customer SSNs and card details
  • Leaked metadata revealing internal system configuration

Disclaimer:

  • Don’t do this exercise to get information about someone else, as you can always be tracked down.

That said:

The devices you use know and reveal a lot more than you can anticipate or allow, which we will cover later in this series.

Piyush Tekade
Security Researcher at QOS Technology