Spies & Social Media

Bryan Hill, Information Security Office

Story Time

Robin Sage

Claimed:

  • Age 25
  • MIT grad
  • 10 years security experience
  • N8 in the Navy (AVP-level)

Robin Sage

  • Connected w/ key public figures
  • This built Social Proof
  • Leveraged for more connections
  • Contacted 300+ security experts

Robin Sage

Obtained:

  • Speaker invitations
  • Job offers
  • Dinner invitations

Robin Sage

Obtained:

  • Email addresses
  • Bank accounts
  • Private documents
  • Location of secret military units

The Real Robin Sage

Current Threats

“The past year’s IRS breaches are especially troubling. Taxpayer data was fraudulently accessed, not through a forcible compromise of the computer systems, but by hackers who correctly answered security questions that should have only been answerable by the actual individual.”

How to Protect Myself?

  • Do a self-background check
  • Have an alias name, phone, address, and email
  • Online Info: If you don’t need it, get rid of it

Self-Background Check

Preparation:

  • Log out of all email accounts
  • Log out of all social network accounts
  • Use a browser you’ve never used before
    • Or remove all cookies

Self-Background Check

Placeholder Info:

John Williams

1212 Main Street

Houston, TX 77089

713-555-1234

Self-Background Check

Search yourself on Google:

Self-Background Check

Echosec: https://app.echosec.net/

  • Search your address
  • Select Area
  • Try workplace, address of friends, family, etc.

Anonymous Communication

Mailing Address

Providing Disinformation:

  • Use when you don’t want to be mailed anything
  • Verify your fake address is not someone else’s!

Mailing Address

USPS PO Box

https://www.usps.com/manage/po-boxes.htm

  • Costs money
  • Use for utilities, medical, bills, invoices, etc.
  • Online shopping?

Email

  • When you request to remove info, you’ll need an email

  • Use an anonymous email!

Email

Gmail (gmail.com)

  • Create an account, populate with false info
  • For the email address, include your real name
    • John Doe: john.doe9000@gmail.com
    • Only use for info removal requests!
  • True-anonymous emails OK for other uses

Email

Gmail (gmail.com)

  • Demo - www.gmail.com

Email

33mail (33mail.com)

  • Anonymous email forwarding service
  • Gets content & metadata of forwarded emails!
  • Forward to a true-anonymous email

Email

33mail (33mail.com)

  • Demo - http://www.33mail.com/

Phone

Providing Disinformation:

  • Always busy:
    • 909-661-0001 through 909-661-0090
    • 619-364-0003 through 619-364-0090
  • Disconnected:
    • 717-980-0000 through 717-980-9999

Phone

Google Voice (google.com/voice/)

  • Use for phone verification
  • Signup requires phone verification...
  • When it asks for a phone number, use:
    • Hotel
    • Work general line
    • Library

Phone

Google Voice (google.com/voice/)

  • Call forwarding will be enabled by default...
  • After signup, go to Settings -> Phones tab
    • Uncheck all forwarding options
  • In Voicemail & Text, forward to true-anon email

Blur

(abine.com)

  • Masks email, phone numbers, and credit cards!
  • Not free...

Social Networks

  • Delete everything you don’t need
    • Account Killer (accountkiller.com)
    • Delete Your Account (deleteyouraccount.com)
  • Anything you keep is a worldwide billboard
    • Use that to your advantage!

Databases and People Search

https://inteltechniques.com/hfti.links.html

Chapter Eight: Personal Data Removal

  • See misinformation?
    • Delete if ever correct

Want More?

https://security.utexas.edu/Protect-Your-Privates

Takeaway

  • Do a self-background check
  • Have an alias name, phone, and email
  • When you provide info online, think:
    • What’s in it for me?
    • What is the privacy risk?

Email: security@utexas.edu
