Spies and Social Media

Spies

Social Media

Bryan Hill, Information Security Office

Robin Sage

Claimed:

Age 25
MIT grad
10 years security experience
N8 in the Navy (AVP-level)

Robin Sage

Connected w/ key public figures
This built Social Proof
Leveraged for more connections
Contacted 300+ security experts

Robin Sage

Obtained:

Speaker invitations
Job offers
Dinner invitations

Robin Sage

Obtained:

Email addresses
Bank accounts
Private documents
Location of secret military units

“The past year’s IRS breaches are especially troubling. Taxpayer data was fraudulently accessed, not through a forcible compromise of the computer systems, but by hackers who correctly answered security questions that should have only been answerable by the actual individual.”

How to Protect Myself?

Do a self-background check
Have an alias name, phone, address, and email
Online Info: If you don’t need it, get rid of it

Self-Background Check

Preparation:

Log out of all email accounts
Log out of all social network accounts
Use a browser you’ve never used before

Or remove all cookies

Self-Background Check

Placeholder Info:

John Williams

1212 Main Street

Houston, TX 77089

713-555-1234

Self-Background Check

Search yourself on Google:

Self-Background Check

Search yourself on Google:

Self-Background Check

Search yourself on Google:

Self-Background Check

Search yourself on Google:

Self-Background Check

Search yourself on Google:

Self-Background Check

Search yourself on Google:

Self-Background Check

Search yourself on Google:

Self-Background Check

All-in-One Search Tool:

https://inteltechniques.com/osint/user.html

Self-Background Check

Echosec: https://app.echosec.net/

Search your address
Select Area
Try workplace, address of friends, family, etc.

Anonymous Communication

Mailing Address

Providing Disinformation:

Use when you don’t want to be mailed anything
Verify your fake address is not someone else’s!

Mailing Address

USPS PO Box

https://www.usps.com/manage/po-boxes.htm

Costs money
Use for utilities, medical, bills, invoices, etc.
Online shopping?

When you request to remove info,

you’ll need an email

Use an anonymous email!

(gmail.com)

Create an account, populate with false info
For the email address, include your real name

John Doe: john.doe9000@gmail.com
Only use for info removal requests!

True-anonymous emails OK for other uses

Gmail (gmail.com)

Demo - www.gmail.com

(33mail.com)

Anonymous email forwarding service
Gets content & metadata of forwarded emails!
Forward to a true-anonymous email

(33mail.com)

Demo - http://www.33mail.com/

Phone

Providing Disinformation:

Always busy:

909-661-0001 through 909-661-0090
619-364-0003 through 619-364-0090

Disconnected:

717-980-0000 through 717-980-9999

Phone

(google.com/voice/)

Use for phone verification
Signup requires phone verification...
When it asks for a phone number, use:

Hotel
Work general line
Library

Phone

(google.com/voice/)

Call forwarding will be enabled by default...
After signup, go to Settings -> Phones tab

Uncheck all forwarding options

In Voicemail & Text, forward to true-anon email

Blur

(abine.com)

Masks email, phone numbers, and credit cards!
Not free...

Social Networks

Delete everything you don’t need

Account Killer (accountkiller.com)
Delete Your Account (deleteyouraccount.com)

Anything you keep is a worldwide billboard

Use that to your advantage!

Databases and

People Search

Databases and People Search

https://inteltechniques.com/hfti.links.html

Chapter Eight: Personal Data Removal

See misinformation?

Delete if ever correct

Want More?

https://security.utexas.edu/Protect-Your-Privates

Want More?

https://computercrimeinfo.com/links.html

Want More?

https://inteltechniques.com/menu.html

Want More?

https://inteltechniques.com/hfti.links.html

Takeaway

Do a self-background check
Have an alias name, phone, and email
When you provide info online, think:

What’s in it for me?
What is the privacy risk?

Email: security@utexas.edu