back to article Hacker shows Reg how one leaked home address can lead to ruin

It takes nothing more than a home address for hacker "Nixxer" to find enough information to ruin your life. Nixxer is one of Australia’s most skilled good-guy social engineers and at a recent event, and in subsequent chats with The Reg, demonstrated the potential damage rather than actually ruining a life. But the arsenal he …

  1. Oengus Silver badge

    People don't listen

    I still don't have a Facebook account and with revelations like this I never will.

    I tell people all of the time that "Social Media" is a treasure trove for nefarious individuals. The usual reply is "It won't happen to me" or "I am too smart for my information to get out". When will they learn. If businesses can make money out of their information the business will sell it to the highest bidder (or anyone that is prepared to pay what is being asked).

    1. Pascal Monett Silver badge

      Re: I am too smart for my information to get out

      That attitude is a one-way ticket to a very nasty surprise down the line.

      I hate "social" sites and I always have. Starting with the pseudo-relationship enablers (Meetic & Co), and right up to, of course, Facebook. The need that most people apparently have to self-divulge their every living moment to everyone is, in my view, a sickness that needs to be cured.

      I have real friends, with whom I have face-to-face or phone/Internet conversations. That is social enough for me. I am smart enough to know that, if you don't want your information to get out, don't post it online. Especially not on a site that is specifically tailored to correlate and sell it.

      1. DropBear Silver badge
        Mushroom

        Re: I am too smart for my information to get out

        "a sickness that needs to be cured"

        While I insist to have nothing to do with Facebook, ever, I also have deep, deep allergies to any "sickness" that "needs to be cured". Like being gay. Or a jew. Do I really need to Godwin this thread explicitly or is the point clear enough?!?

    2. Cuddles Silver badge

      Re: People don't listen

      It's not that people don't listen, it's that they don't care. Humans are social animals, and tools like Facebook allow them to socialise with people they might otherwise be cut off from - if a family member moves to a different country, or even just within the same country, you can continue to interact with them where previously you might share a letter once a year at best. That's the trouble with all the whining about how stupid people are to use such tools; they amount to telling people they should become hermits and never interact with anyone if they can't do it face to face. It's certainly possible to share too much, and there are types of information that can make it very easy for others to commit fraud, but that means you should teach people about the actual risks, not tell them to just stop being sociable.

      As for the risk, as others have noted this very article clearly demonstrates just how tiny they really are. For all the supposed cleverness, this guy managed to find a bunch of publicly available information. Births, marriages and deaths are publicly registered. Land ownership is publicly registered. Businesses are publicly registered. Finding out a person's family and company details is not some horrific invasion of privacy only made possible by the internet, it's something everyone is able to access with a couple of calls to the local council. All the internet does is potentially make it a bit quicker and cheaper. If someone has a reason to target you, that's not going to change anything, and if they don't then as others have pointed out, there are over 7 billion other people in the world and many of them are much more tempting targets.

      1. Sir Runcible Spoon Silver badge

        Re: People don't listen

        Don't bother telling people you don't care about, the more low hanging fruit there is on Facebook et.al. the more effort it would be to target someone with a low profile (like me!).

        Most crims. fish with large nets in common fishing grounds. They would have to have a very good reason to go hiking into the Scottish Highlands with a fly fishing rod and hand made flies - much more effort.

        As a result my main concern is to ensure I don't piss anyone off who has the requisite skills and mindset :)

        Also, people die in car crashes - no-one tells people not to drive. Same psychology at work here I reckon.

        1. Anonymous Coward
          Anonymous Coward

          Re: People don't listen

          It's trivially easy to piss off someone with the requisite skills (find your home address and bother you) and mindset (unemployed and batshit crazy). There's no need to piss them off intentionally, to do it yourself, or to actually be the person they believe did it.

          It's happened to me twice. Once by a notorious troll who stopped after a few weeks of mere online name-calling. Again by a probably-schizophrenic person who only stopped when served by the police with a protection order. Luckily both revealed their identities.

          When faced with multiple anonymous attackers, there's no recourse. Best not to expose yourself (real name, face, address, email, phone, contacts) in the first place.

          1. Pascal Monett Silver badge

            Re: It's happened to me twice

            Given the outcome, I think you can count yourself lucky.

            There are a growing number of perfectly innocent people who's lives have been thoroughly trashed by Internet vigilantism.

            1. Unbelievable!

              Re: It's happened to me twice

              how do we know this is you?

        2. asdf Silver badge

          Re: People don't listen

          >Don't bother telling people you don't care about, the more low hanging fruit there is on Facebook

          ie you don't have to outrun the lion only your buddy.

      2. Andrew Moore

        Re: People don't listen

        "they amount to telling people they should become hermits and never interact with anyone if they can't do it face to face."

        There's the problem though- Social media does tend to make people hermits in real life. If a family member of mine moved to a new place, I'd like to think that they are interacting with their new community, face-to-face, rather than secluding themselves away and only relying on the internet to connect them to the people they know, long distance. Meanwhile, that person is getting a reputation in their new community...

      3. Milton Silver badge

        Re: People don't listen

        Hm. I did something I very rarely do and clicked thumbs-down on this comment because I was annoyed, but now I'm annoyed with myself: I should have had the good manners to explain why I disagree.

        1. You're overstating the difficulty of pre-social-media comms. Sharing a "letter once a year at best" implies people who couldn't care less about each other in the first place. Even before the typewriter (heck, before there was reliable postal service) some folks used to write each other daily. I'm ancient enough to remember when we used letters, postcards and long-distance telephone to maintain excellent relationships with distant friends and family. I might even argue that relationships are cultivated better when you have to work at them a little, instead of just squitting out yet another tedious phone photo saying "Hey look, I went in this bar: aren't you fascinated?".

        2. Stats revealed just today in the UK show that one in ten people were cybercrime victims in the past year. That is not evidence for a "tiny" risk. It suggests the risk is sizeable and, if anything, growing.

        3. The fact that some data is publicly available is at least partly missing the point, which is that once a blackhat has some critical information about you, it provides the thin end of the wedge that will be used to expose a great deal more, both public and (supposedly) private.

        I agree there's little point telling people they are stupid to use Facebook, but it is probably true that if you are privacy conscious or have more significant (say, work-related) reasons for privacy, you simply shouldn't be using most social media platforms.

        Facebook could be almost infinitely better at protecting users' privacy, but it doesn't and won't because its whole reason for existing is to exploit its users, principally as consumers of advertising.

        In another world, internet users would never have fallen for the "free" model, and we'd pay a subscription for a service which, because it didn't make money selling its users, would actually work in their interests.

    3. Eddy Ito Silver badge

      Re: People don't listen

      Let's not forget that even if you're not on Facebook it doesn't mean you're information is not on Facebook. You don't have to post information about yourself since many of your chums will.

      Oh look, there's a photo of you in high school, a pic of you graduating university, and another at a wedding. Oh there's some pics from last weekends BBQ at your house by the pool and look there, it's helpfully been geotagged.

      Sure, it's slightly harder but not impossible for a motivated crim to track you down. I wouldn't be surprised if someone like Nixxer couldn't just pick a random address or name from a phone book and be able to run it to ground regardless of the countermeasures taken. It might be a worthy study to know just how much Nixxer could dig up on himself or another like him just to see how well the defensive measures work.

      1. DougS Silver badge

        Re: People don't listen

        Assuming Nixxer owns a home, then he'll be vulnerable to all the same stuff. That's probably why he doesn't reveal his real name. Presumably those who hire him in his "day job" have no idea he's "Nixxer" and he never tells them.

        Obviously he knows all the information that can be run down about him, given his real name, and that's why he keeps it secret.

      2. razorfishsl

        Re: People don't listen

        They profile you all the time.

        One of the biggest issues is shite websites using an offsite "facebook in logo".

        Many of those "images" are actually unequally tagged.

        When you go to another site they track via that "cookie", thereby bypassing your security settings.

        Tie that into IP address and it even spans "private browsing" sessions.

    4. Aodhhan

      Re: People don't listen

      Yet you have an account on this website and likely others. Meaning you're IP address is recordable each time you log in, and all your posts and any information in them likely tells a story or two when laid out and studied.

      You think this website or it's host is trustworthy?

      Ohhh.. you only think you need to worry about facebook? There isn't much difference.

      1. Sir Runcible Spoon Silver badge
        WTF?

        Re: People don't listen

        "You think this website or it's host is trustworthy?

        Ohhh.. you only think you need to worry about facebook? There isn't much difference."

        Really? You don't see the difference between someone having to dig into someone else's systems to obtain additional details and having it all splurged out in plain sight for anyone to see?

        Ok, it's your mind, I'm just glad I'm still capable of making distinctions and haven't completely left the reservation yet :)

      2. Anonymous Coward
        Anonymous Coward

        Re: People don't listen

        you think my details are real on this or any other web site, LOL big time

        1. Sir Runcible Spoon Silver badge
          Paris Hilton

          Re: People don't listen

          "you think my details are real on this or any other web site, LOL big time"

          That raises a good question, there are some names that you aren't legally allowed to change your name to; is Anonymous one of them?

    5. inmypjs Silver badge

      Re: People don't listen

      Yes, because on balance most people are stupid.

      I have a personal privacy policy that requires me to not provide any valid information to anyone on the internet if I can avoid it.

      I tried creating a Facebook account I guess about 8 years ago although it seems like longer. It was the first web service I came across that rejected all of the throwaway email address services I had access to. That was enough to convince me Facebook was for the stupid and not for me.

      1. Anonymous Coward
        Anonymous Coward

        Re: People don't listen

        That's weird. It accepts hotmail and similar web email accounts. Not sure why you were unable to register a FB account. Perhaps you imagined it.

    6. Anonymous Coward
      Anonymous Coward

      Re: People don't listen

      I deal with this on a much more serious level. Kids of High Net Worths live in this bubble that nothing can happen to them, until I start showing them kidnapping statistics. You don't hear much of this, but even in countries you would consider "safe" like Switzerland, kidnapping happens and especially a child will bear the scars for life.

      The key to such a crime being successful is data collection, and kids help with that by this "sharing". I understand why - these companies have been specifically set up to encourage that bad habit from the moment they get their grubby paws on a child (and let's just say that I'm not overly impressed by their "care" to "avoid" use by younger children, nor do I consider 13 the age of wisdom for such decisions).

      The consequences, however, can be dire, and we're now running an educational program to coach these kids out of those dangerous habits. Once we have this running properly I hope to use the data we gather here to make this a public programme for schools. Children should be protected, and for me, that protections doesn't end at 13. It ends at AT LEAST 16 - basically the age when they are able to legally engage in a contract of their own - because that's what accepting Terms & Conditions really is.

      Personally I think it is time to establish just how much parental control we have. Not because I want to, but more because we HAVE to - left unchecked it's not going to get better.

    7. Fred Flintstone Gold badge

      Re: People don't listen

      I tell people all of the time that "Social Media" is a treasure trove for nefarious individuals. The usual reply is "It won't happen to me" or "I am too smart for my information to get out". When will they learn. If businesses can make money out of their information the business will sell it to the highest bidder (or anyone that is prepared to pay what is being asked).

      Yes, those smart people who don't realise that even if THEY are careful, they cannot prevent the abuse of that giant barn size backdoor in privacy law: you can't prevent your "friends" giving away your data. That was, for instance, in my opinion, the goal of WhatsApp et al: grabbing address books.

  2. Anonymous Coward
    Anonymous Coward

    it's moot

    99.9% of the population will NOT abandon facebook, and the rest, i.e. the lot occupying this space and other fringes, will shun it the way we've always done.

    If I showed this post to a larger group of people, they'd say:

    1. sorry, 2 long 2 read

    2. yeah, well, but what can you do? (shrug).

    3. interesting, let me repost it on my fb page!

    1. Sebastian A

      Re: it's moot

      Those 99% are my canaries. They can be the low-hanging fruit while I myself am just a bit harder to doxx. Means that in most cases there's no reason to bother with my details when there are exhibitionists all over the place just begging to be impersonated.

    2. Michael Hoffmann
      Unhappy

      Re: it's moot

      Sadly, very much this.

      I (have to) use it for 2 things: family and sports/hobby activities.

      The former I have a fairly tight rein over (you WILL do this and this and this to have a modicum of protected privacy and security or I will unfriend you - and actual dire threat when much of the family is half a world away).

      The latter... clubs have apparently done away with maintaining websites or other means of updating members or other announcements. No matter how much I've tried to caution (even resigned from a secretary position when I just couldn't take it anymore) the "but it's so convenient and *everybody* uses it" just became knee-jerk. As leaving, in my chosen hobby, would be cutting off my nose to spite my face I can only throw up my hands in disgust and resignation.

      Best I can do is obfuscate and hope for the effing best. :(

      1. getHandle

        Re: it's moot

        Could be worse - lots seem to be turning to WhatsApp. At least I can constrain FB to the browser...

        1. Brewster's Angle Grinder Silver badge

          Re: it's moot

          Why is WhatsApp worse? You're not sharing in a searchable public forum; it's a one-to-one connection with people whose phone number you already know; a cheap way to text.

          1. Down not across Silver badge

            Re: it's moot

            Why is WhatsApp worse? You're not sharing in a searchable public forum; it's a one-to-one connection with people whose phone number you already know; a cheap way to text.

            Well, for one thing it allegedly uploads all of the contacts to their server. So even though I don't use it, chances are someone might have me as a contact that uses it and thus my information could be on their server without my permission.

            1. Brewster's Angle Grinder Silver badge

              Re: it's moot

              Supposing that's true, then the information is locked away in their servers rather than being handed out to anyone and everyone.

            2. Alumoi
              Coat

              Re: it's moot

              Naah, it's the web of trust, you see.

              You don't do social media but one of the people who has some info on you does. And if none of your contacts uses social media then certainly one of their contacts does. And so on.

              I think it's called six degrees of separation or something like this :P

              Bottom line: we're screwed!

      2. anonymous boring coward Silver badge

        Re: it's moot

        " clubs have apparently done away with maintaining websites or other means of updating members or other announcements"

        Yes, but those websites are an even worse sequrity nightmare.

        Perhaps join Facebook with psedonym and no identfiable information, if one must. I resist, as it a PRIVATE company, not some friggin state owned and run utility like people seem to think.

        Money talks, and it tells Google and Facebook to sell out (meaning making it viewable on-line) all info per default, unless you make a massive effort to tighten things up. Not worth it.

  3. Anonymous Coward
    Anonymous Coward

    This article should be read by EVERY user of social media

    before they are allowed to even register for those sites.

    If they proceed then they deserve everything they get including financial ruin.

    sorry to be so brutal but once a few hundred/thousand users get enough people ruined before sites like Facebook are closed down in the face of a million lawsuits. What then Zuck!

    1. anonymous boring coward Silver badge

      Re: This article should be read by EVERY user of social media

      "If they proceed then they deserve everything they get including financial ruin."

      No they don't.

      Not everyone is a computer wiz, and some who think they are still don't get it.

      Several here, for example, seem to think they are safe because they have to show a physical bank card. LOL. Never heard of forgeries?

  4. Tom Wood

    "to open and close his bank accounts"

    “I have enough information at this point to open and close his bank accounts, or do whatever I want,” he says.

    Er, really? Sure, he knows a fair amount about his "victim", but that still shouldn't be enough to do anything particularly lucrative to a criminal.

    Last time I tried to close a bank account, I had to go into the branch (even though it was an "online" savings account), and show the bank card of my linked current account, and sign a form. That was for a dormant account with no money in it - had I actually wanted to withdraw money and close the account I'd have needed the card's PIN and also possibly some other photo ID if the amount in question was large enough. To steal money with online banking, from the two banks I use, I'd need (1) knowledge of logins, passwords etc and (2a) access to my card and PIN or (2b) access to my phone, depending on the bank. The attacker described here doesn't have ANY of that info.

    Maybe this speaks more to the lax security policies of American banks than anything else?

    And being able to gain root access someone's web server (not really sure how that is related to "replicating" a web site) is entirely unrelated to learning anything about their home address, car registration etc, and more the fact they were running an old unpatched Linux distro.

    1. Anonymous Coward
      Anonymous Coward

      Re: "to open and close his bank accounts"

      I suppose gaps in the article about how to get hold of hard data (bank account, etc.) were intentional, i.e. no need to give people ideas. I suppose those who do it for "business" would know anyway, but there are plenty of wannabes who might just copycat the solution if you provide too much detail.

    2. CraPo

      Re: "to open and close his bank accounts"

      “It just worked like that,” Nixxer says, clicking his fingers.

      Of course it did.

      1. Anonymous Coward
        Anonymous Coward

        Re: "to open and close his bank accounts"

        well, I imagine him clicking his fingers is me looking at magic being done in front of my eyes. Matter of perspective.

        1. Anonymous Coward
          Anonymous Coward

          Re: "to open and close his bank accounts"

          Maybe the missing details were "Accio Credit Card"? :-)

    3. Anonymous Coward
      Anonymous Coward

      Re: "to open and close his bank accounts"

      I was also puzzled by the claim that .."I have enough information at this point to open and close his bank accounts, or do whatever I want".. -- from the claim I imagine that the hacker would also be able to empty the bank's account prior to closing it.

      How? No need for all the details, just the global picture (e.g. list of information required to do this as per the bank's documents, steps that could be taken without need for direct identification).

      If I try to close my account I would need to visit personally the bank branch and for sure a manager would like to call me to make sure I want to do this. Heck, I couldn't even cancel Comcast without getting a call in my cell phone for confirmation!

    4. Dan McIntyre

      Re: "to open and close his bank accounts"

      He's described as a "social engineer" and presumably has the skills requisite of that label. Ever read Kevin Mitnick's book The Art of Deception? The details you mention are easy to get hold of for these types of people.

      1. Anonymous Coward
        Anonymous Coward

        Re: "to open and close his bank accounts"

        He's doing well to close a bank account just by snapping his fingers. Last time I tried, having moved house, I had to go to the bank with proof of moving house, and my existing bank card, which they cut up in the bank. Then the branch forgot to tell the main office, who insisted I bring the card in to be destroyed. Despite multiple phone calls, letters, emails etc, I was still getting yearly statements saying the account was still open, because I was unable to take a bank card into the branch to have it destroyed, because, err, they'd already destroyed it.

        I might employ him to shut down my bank account, cos i couldn't fucking manage it.

  5. David Roberts
    Windows

    Dream on

    The vast majority of social media users haven't been attacked and probably never will be.

    This is why fish shoal. Although they provide a bigger target the odds of being missed are apparently much better than if they try and lead a solitary existence.

    A nice chat about profiling a target (although the bit about getting access to a Linux server sounds illegal) but the target showed up as potentially wealthy as well as vulnerable.

    If you uncharitably assume that the majority of SM users are dead eyed mouth breathers living at their parent(s) home on benefits with a poor to terrible credit record then you should see that they have a built in natural immunity. The profiling would have been abandoned very early on as not worth the effort.

    If enough people are conspicuously targetted then the SM platforms will up their game. If a massive threat is publicly identified then users will demand action. Until then the predators are only picking off prey from the fringes of the herd and the herd won't even notice.

    TL;DR I'm on benefits with two maxed out credit cards. Go on - steal my identity.

    1. Anonymous Coward
      Anonymous Coward

      Re: I'm on benefits with two maxed out credit cards. Go on - steal my identity.

      Eh? Don't you mean five maxed out credit cards? :o)

    2. Anonymous Coward
      Anonymous Coward

      Re: Dream on

      Fish proving that shoaling is just like every other defence tactic. Only effective in limited situations...

      http://video.nationalgeographic.com/video/ng-live/skerry-bluefin-tuna-nglive?source=relatedvideo

  6. Baldy50

    Nixxer

    Have fun at the DEF CON hacking conference next month bud.

  7. Anonymous Coward
    Anonymous Coward

    Had to revive FB recently

    I needed access to postings about a family member's adventures posted via FB, in all innocence by the organisation. And in the past I had used it to to keep up to date with a similar group from my own youth. Sometimes it is unavoidable. But no one needs to post the sort of details you'd avoid shouting out in public.

    Some of the people on there will post anything. They have to be warned not to post "Here we are in this picture outside our house putting the key under the mat before we go to the airport. Be back in two weeks."

  8. TheProf
    Alert

    Private

    Without being a leet haxor I've found out some interesting things about people with the same name as myself.

    Firstly they, or businesses they deal with, cannot cope with email address containing digits.

    Secondly, Americans seem to put all kinds of 'useful' information the the web.

    theprof-11@postmail.com keeps forgetting he's number 11 and so I've received information about his home address, his DOB, marital status, the name of his wife, her DOB, the number of children he has, the dates he'll be away from home in another state, the name of the church he goes to, the sports he's a tutor in, the make, model and year of his car, the price he paid for his house, (looks like a nice one) the amount he's paid to the city in taxes for the year, the academic courses he's been on etc. I've also been CCd in any number of emails by his friends meaning I (could) have a nice list of his friends and acquaintances.

    All this has dropped into my inbox, I've done nothing to seek it out.

    I usually contact the sender and let them know that a mistake has been made and even managed to track down the American theprof to warn him that his confidential info is being sent out to the wrong person.

    Yes, putting every last detail on a public notice board is a bad idea but you can't fight stupidity.

    Worth a mention: How much information do you think your postman has about you? Name, address, birthday, when you're on holiday, the name of your bank, your employer, the companies you have shares in, your interests. Frightening how much you can learn about someone just by looking at their book-shelf isn't it?

    1. Symon Silver badge
      Coat

      Re: Private

      @Prof. Are you Dave Gorman?

    2. Anonymous Coward
      Anonymous Coward

      Re: Private

      lol. I've received emails directed to a major D.C. lobbyist who shares my name. Usually from his interns. No good political dirt or steamy sex stuff, but one can imagine :)

      1. Anonymous Coward
        Anonymous Coward

        Re: Private

        Numbers with email addies+Americans. Damn, that probably explains why some American woman's emails come to me from time to time. I've had a Gmail address with my own name since the days when they didn't do evil and you needed and invitation.

        She's probably firstname.familyname9573@gmail.com.

        I'd never thought of that.

        (But her community have had some very unhelpful- to her- responses over the years. As in, "No I didn't order....and have no interest in buying your poxy......". etc. )

  9. Pen-y-gors Silver badge

    Simple solution

    Don't have an address! Keep all you own in a few plastic bags and sleep each night under a different hedge. And to be extra safe, don't have any bank accounts (or cash).

    Or, in the real world, make sure you bank with someone with decent security, and don't use a phone for banking.

    Actually he missed one really sneaky trick for getting names and addresses. I've got this big bundle of paper called "The Phone Book" - it's just chock full of addresses AND NAMES just ripe for identity theft - or not as the case may be.

    Another good trick is to get someone to pay you with a cheque. The fools don't realise that it shows not only their name but also their bank account number and sort code. Surely this means you can now withdraw all the money from their account?

    1. imanidiot Silver badge

      Re: Simple solution

      I think you missed the point here.

      That information ALONE doesn't get you anywhere. But in todays hyper connected world getting all the other information you need is only a click away. The more info you have on a target the easier it becomes for a scammer to use other tricks to talk people into doing his bidding. Like convincing a bank clerk he really is "person x" and he needs the money transfered,

    2. Uncle Slacky Silver badge
      Stop

      Re: Simple solution

      "their name but also their bank account number and sort code. Surely this means you can now withdraw all the money from their account?"

      Isn't that what happened when Jeremy Clarkson did that?

    3. Jo_seph_B

      Re: Simple solution

      @Pen-y-gors - I remember Jeremy Clarkson saying the exact same thing about his account number and sort code back in 2008. Claiming all you could do with them was put money in. Needless to say a donation of £500 was made to Diabetes UK using those very details. He was stupid enough to publish them in a newspaper!

  10. Anonymous Coward
    Anonymous Coward

    This is data that should not be sensitive

    I think this is the wrong approach. We shouldn't need to hide our names and addresses, living in fear of who might find our secret places. It should simply be the case that knowing someone's public information (name, address, relatives, history, ssn, phone number, email address, employer, etc.) should not be sufficient to harm them. That should not be sufficient to enter into any contract, or to make any financial commitment, or perform any banking operations, or do anything sensitive.

    For example, if you want to take out a loan, then simply stating someone's name, address and SSN (all of which is public information) should not be sufficient allow a bank to give it out. Or if they do give out money (which is, after all, up to them), the should not be allowed to legally enforce a debt against a person just because their public name, address and ssn was given to you.

    People need private keys.

    1. anonymous boring coward Silver badge

      Re: This is data that should not be sensitive

      "We shouldn't need to hide our names and addresses, living in fear of who might find our secret places. It should simply be the case that knowing someone's public information (name, address, relatives, history, ssn, phone number, email address, employer, etc.) should not be sufficient to harm them. "

      That works so well when that religious nutcase shows up on your doorstep wielding a machete or worse.

      Or perhaps it's just an Erdogan-like supporting thug. Trump thug?

      1. DougS Silver badge

        Re: This is data that should not be sensitive

        I don't open my door to anyone unless I'm expecting them, so unless that religious nutcase is able to hack through my door or walls with his machete all I have to worry about is 1) calling the cops to deposit him in the nearest psych ward 2) calling my insurance company to make a claim about the machete damage to my door (that might be a new one to them)

        1. DropBear Silver badge

          Re: This is data that should not be sensitive

          ...well, I'd hate to burst your precious bubble, but strictly speaking pretty much all typical non-security-reinforced doors are essentially cardboard-level resistant against anyone actually prepared to hack at them with any sort of hefty sharp instrument.

          1. DougS Silver badge

            Re: This is data that should not be sensitive

            My doors are 2" thick solid oak. Impervious to a machete, but you could get through them with an axe. But not before I could either leave through the other door or grab and load my 9mm.

            I'm pretty much unconcerned with someone trying to axe down my front door and attack me, though. Even if I piss them off online and they find out where I live. Yeah, there are a few stories where that happens, but not as many as there are stories about people who die from being hit by lightning or slipping in their bathtub. If you worry about stuff like that you are going to live your entire life in abject terror when you think about all the terrible fates that could befall you at any moment!

            1. CustardGannet
              Facepalm

              Terrible fates

              FWIW, around 70 people per year die in the UK pulling on their trousers (think hopping on one leg, before falling sideways and smacking your head against furniture).

              Why oh why oh why don't people learn to put trousers over both feet whilst sitting down ? (Or to wear a kilt.) Natural selection, I guess.

              1. harmjschoonhoven
                WTF?

                Re: Terrible fates

                Most people die after drinking water for about 70 years.

                1. anonymous boring coward Silver badge

                  Re: Terrible fates

                  "Most people die after drinking water for about 70 years."

                  That's why I prefer beer.

        2. Anonymous Coward
          Anonymous Coward

          Re: This is data that should not be sensitive

          You don't have windows in your house...?

  11. Will Godfrey Silver badge
    Unhappy

    ID-10-ts

    Even if you keep clear of the crud yourself, you get the FBers who post a reunion picture with a 'helpful' list of everyone in the picture.

    1. Brewster's Angle Grinder Silver badge

      Re: ID-10-ts

      Or your siblings and friends.

    2. hardboiledphil

      Re: ID-10-ts

      So untag yourself and don't click "Allow on Timeline"...

      1. Will Godfrey Silver badge
        Thumb Down

        Re: ID-10-ts

        @hardboiledphil

        How do you untag yourself from a 'service' to which you are not subscribed, on websites you have never visited and in pictures you may never have seen?

    3. razorfishsl

      Re: ID-10-ts

      Which is why I don't allow people to take my picture.

      1. Anonymous Coward
        Meh

        Re: ID-10-ts

        CCTV on the street in shops, attached to ATMs, on neighbours house, police cameras, speed cameras - yes no one has taken your picture, or maybe..

  12. Anonymous Coward
    Anonymous Coward

    well crap

    I hope he never walks past my house !!! so much information there.

    Even worse could you imagine him being a neighbour!!!

    1. Anonymous Coward
      Anonymous Coward

      Re: well crap

      "I hope he never walks past my house !!! so much information there.

      Even worse could you imagine him being a neighbour!!!"

      Riiight.. Head in sand.

      My neighbours know a lot less about me than any cyber criminal can easily dig up.

      1. Anonymous Coward
        Anonymous Coward

        Re: well crap

        Why do you assume this sort of behavior is solely the domain of online miscreants.

        ever heard of identify theft/fishing/dumpster diving??? this is just another tool for it, it has been around for centuries this is nothing new, so please stop running round screaming that the sky is falling.

        1. Anonymous Coward
          Happy

          Re: well crap

          So you do use your shredder?

          1. Anonymous Coward
            Anonymous Coward

            Re: well crap

            nope, got nothing to steal :/

    2. Nixinkome

      Re: well crap

      Taken as sarcastic AC but just in case:

      What if he's your window cleaner [even with extensible water wands]? "We never look inside your windows". OK, what about your window replacement team? Maybe a deliverer of leaflets/free newspapers/clothes collection bags/takeaway menus/repetitive services like food and grocery delivery or rubbish and recycling services. Postmen and women have a regulation of their work in force but the others do not. Canvassing and door to door sales are banned or registered nowadays but one can still infer enough from just ONE pass i.e. the age and [in]firmity of the dweller[s], their car, garden, state of house maintenance and repair for a very quick burglary. Does your local driving instructor use your road regularly - oh, they're earning enough, no worry.

      "They can't touch me, we live in a flat". You still have other services delivered like landline and cable TV/'phone, wireless 'phones, utilities, property inspections etc. Funerals and residents moving out and in and refurbishment work and neighbours - it goes on.

      This physical data IS available and can be used in conjunction [even if it's let slip down the pub] with easily accessible online content let alone credit agencies' and insurance firms' data. This all takes place without your knowledge and no attempt has YET been made to deceive, fluster or out-talk/think.

      In the event of one being as careful as socially possible, there still remains the passing on of copies of our correspondence and photographs and other records. We are not blessed with knowledge of incapacity or death before it strikes and cannot say, "I'll copy them and do it next week" when tomorrow may be the last chance. If that is done and secure, one still has to contend with malicious hackers.

      No sarky bits.

  13. Anonymous Coward
    Anonymous Coward

    Just good sense..

    "deploying a handful of tools including web browser tools such as UBlock Plus, AdBlock Plus, and script blockers"

    This is good advice in general regardless of the motives in my experience. I would love to see this sort hack live and learn from it, not as in how to do it but how it unravels..

    1. Anonymous Coward
      Anonymous Coward

      Re: Just good sense..

      Hitting a browser against web traffic not ran through privoxy first is the equivalent of raw dogging it on skid row.

  14. Anonymous Coward
    Anonymous Coward

    Does Facebook still have that "feature" where if you reply to a message sent by another user they have full access to your profile for 24 hours?

    There's the problem.

    1. Anonymous Coward
      Anonymous Coward

      No, it doesn't. So there isn't your problem.

  15. Anonymous Coward
    Anonymous Coward

    as an experiment I tried to dox myself using only knowledge that a comment form I had just used would have received (first name and IP address)

    Looking up the IP address through ripe reveals that it is registered to a limited company.

    Looking up the limited company details (companies house) revealed my full name and address along with the fact that I hold directorships on a few other companies.

    using those details with the various company check / director check websites (all unpaid) revealed several previous addresses along with my date and place of birth.

  16. Dan McIntyre

    This person is described as a social engineer. These people are experts at obtaining sensitive information about other people using just a few snippets of non-sensitive info (or what most would consider non-sensitive anyway).

    Read The Art of Deception by Kevin Mitnick and then say that this guy didn't have access. In many cases sensitive info is there just for the asking, regardless of whether a person has a right to it or not.

  17. Anonymous Coward
    Anonymous Coward

    Alternative solution...

    be poor.

    Anybody who gets my bank details and phones them for me will be taking a bullet and find they are not that happy with me and would quite like to know where i am and when i will repay my overdraft ;)

    1. Anonymous Coward
      Anonymous Coward

      Re: Alternative solution...

      I had my bank card cloned in the very early days off chip and pin at a petrol station around 2007.

      The bank later sent me a letter reporting there had been 3 attempts to withdraw money in Malaysia.

      The bank advised they hadn't had to block the transactions, as there were insufficient funds in the account.

      They advised they had tried to withdraw £1000, £100, and £10...

      1. Anonymous Coward
        Anonymous Coward

        Re: Alternative solution...

        ..and now there is -£29 pounds in the account because they sent you a letter

  18. 404 Silver badge

    Disappointing

    I like to believe I'm competent, but have zero illusions that I'm some kind of expert*, yet the methods used here by Nixxer are pretty old hat. Other avenues of approach exist that are somewhat easier to exploit and less obvious.

    I was hoping for something different/new.

    *Evidently I'm a 'bad-tempered hacker' according to Tennessee's 10th Judicial DA - I've sent methods/open security issues to 'all the right people', yet I'm the bad guy. I wonder why I even bother, no one listens until they get hit hard by the black hats. <throws hands in the air> fuck it.

  19. Anonymous Coward
    Anonymous Coward

    “These sites are everywhere”

    DATA BROKERS should be ILLEGAL. It's time for WAR against these scum.

    * Forbid the publication or transmission of any individual's name, address, geo location, phone, email, or any sufficiently unique combination of identifying information, without explicit consent (with strictly limited exceptions for business/legal needs)

    * Immediate removal upon request WITHOUT identity verification

    PUBLIC RECORDS need tightening as well.

    * Business and license registrations shall be redacted of street addresses and contact information when published online

    * Property records shall not be published online (only available in person at the local registry)

    1. Aodhhan

      Re: “These sites are everywhere”

      Not making information available, especially where the government is concerned will make corruption much worse than it already is. In the USA, the people have the right to know everything their government is doing, it's part of the constitution and expanded by FOIA. This is one of the reasons Hillary is in such hot water, well, except for the fact she's above the law.

      As far as private companies using this information. Will make it much harder to get insurance, a credit card, bank loan, etc. If you outlaw it, then the rates for using private companies needing information will go way up because their risk increases.

      You don't have to play the game, but you won't exactly get far.

      1. This post has been deleted by its author

      2. Anonymous Coward
        Anonymous Coward

        Re: “These sites are everywhere”

        > Will make it much harder to get insurance, a credit card, bank loan, etc.

        Good. They're a large part of the problem.. and easy credit is a problem in its own right.

        I believe government officials and employees deserve as much privacy in their personal lives as the rest of us. Corruption will decline if we get better people in there, doing their jobs instead of covering their asses 24/7.

      3. MalIlluminated

        Re: “These sites are everywhere”

        "If you outlaw it, then the rates for using private companies needing information will go way up because their risk increases."

        I don't buy it. Insurance and credit have been around a lot longer than creepy internet information brokers. Beyond that, I'm sick of hearing how if we regulate egregious bad behavior, or stop providing governmental incentives, or charge a reasonable amount of corporate tax, or enforce fair labor practices, that private companies are going to raise rates for their services and prices on their merchandise. They raise their rates anyway, to the absolute maximum that the market will bear.

        And I'm pretty sure that Hillary made information *excessively* available. Allegedly.

    2. Mark 85 Silver badge

      Re: “These sites are everywhere”

      On the surface, I agree totally and especially for the data broker part.. For example, lately, I've been getting calls from "Windows Tech Support".. on phone that isn't in my name. Yet they address me by name or if my lady picks it up, they ask for me. Now how in the hell a bunch of crims got my name at that phone number is strange. The only answer is that some place I've done business with* sold my info to a data broker. And that data broker didn't care who bought it, just so long as he/she got money.

      *I do try not to give out the phone number to people I don't know. On websites, I use a throwaway cell phone. Just puzzling.

  20. Aodhhan

    It's not just Facebook

    There are so many different databases online which hold your information it's crazy. It makes doing a background check on someone so easy. What information which is available depends on the country and province/state on where you live.

    Ever been charged (not just convicted) with misdemeanor; even a speeding ticket?

    Been involved in an auto accident?

    Been married?

    Bought a house/land?

    Have a credit rating?

    ...the list goes on and on.

    In this example, he's just using Facebook as a starting point. There are many others.

  21. JLV Silver badge

    just keep your head down

    A few years ago, IIRC, a university research project coupled CCTV footage to Facebook tagged pix, with an off-the-shelf face recognition software.

    Their identification rate was about 30%. I assume it's way higher now, with more tagged pix and better software. Hopefully FB has upped its game to mass scanning of their image data, but I wouldn't count on it. I wonder what Google Image Search is/will be able to "contribute" to that as well.

    This is the kind of crap that we howl about when we learn that our governments are doing it but we actively participate in doing it to ourselves ;-)

    If you do have to be on FB, you may want to skip your address and DoB. And minimize photo tags.

    All's not lost - as someone else said - as long as 95%+ of people are much more permissive in what they share, random attackers will tend to gravitate to the easier marks. That's not unlike what you see in home security - most locks or alarm systems* can be defeated, but why would a bad guy pick one of the harder targets at random? They'll go for the easy ones first.

    So your best bet is to appropriately paranoid wrt to what you feel you have to lose if you get powned and/or what an attacker might gain from doing it.

    And extra cautious - including not being on FB - if you lean that way, more relaxed if you don't care much. Just as long as you know where you stand.

    * you don't have to try very hard where I live, police response time to a burglar alarm is about 20 minutes.

  22. ecofeco Silver badge

    Way too many steps

    Select address>go to local tax assessor's website>done

  23. Terry 6 Silver badge

    What kind and level of privacy do we want or need?

    There is the privacy that says, "I don't want everyone in the neighbourhood knowing my lifestyle".

    Or there's, "I want to protect myself from identity theft"/ "Don't want the burglars to know I'm on holiday".

    Then there's, "I'll be damned if I'm going to help these companies bombard me with adverts".

    Beyond that there's "I don't want anyone to know anything about me, not now not ever, not in this life or the next".

    Beyond that there's paranoia.

    And finally there's commentards on El Reg.

  24. disgruntled yank Silver badge

    Welll...

    Was anyone else astonished by the discovery that a resident of Kansas had a car with Kansas tags in his driveway? Was any American amazed to learn that there was a football field nearby?

    If you had my address, you could learn when we bought the house we now live in and how much we paid for it. That I think is the case in most US jurisdictions; I know that one can look up real estate purchase in Maryland also. Hell, if you had my name, you could look up my salary, for reasons having to do with a particular federal law.

  25. Anonymous Coward
    Anonymous Coward

    Did he really root someone's Linux box just for a demo?

    Did Nixxor really root someone random's Linux box just for a demo, or was he just saying he could?

    If he actually did it... that's pretty clearly stepping over the line. :(

  26. Anonymous Coward
    Anonymous Coward

    Here's an interesting one with regards to data.

    Telephone caller who I shall refer to as "tc"

    tc: Hi, you recently had an issue with the ombudsmen and we would like to do a survey (I did and it was about my utilities)

    me:ok, is this a sales call because if you are selling something I'm not interested.

    tc:No it's just a survey

    me:ok go ahead

    tc: Was your issue with electricity or gas or dual fuel

    me: dual fuel

    tc: what was the company you had the issue with?

    me: excuse me? why are you asking me for information about the name of the company, if you are calling on behalf of the ombudsmen then surely you already have this information,

    tc: sorry, it's ok I don't have that information.

    I then put the phone down.

    is this the world we live in now?

  27. Eve_Mas

    Rigt!

    Great article! Makes you think more about the ways of how to protect your privacy. That's is why we have build CUJO to protect smart devices against Internet threats.

  28. This post has been deleted by its author

  29. Anonymous Coward
    Anonymous Coward

    "Those records did not yield a name and Nixxer did not know if the street address was even real.

    But it didn't take long to verify the address, through Google's and Microsoft's online mapping services, and in geospatial databases"

    He, err, put the address into Google Maps ...?

    Wow, this is like The Matrix, except real

  30. Maty

    small-town solution

    There's no way of keeping your private informaiton off the interent. That ship has sailed. Hell, you can probably dig up more about your great-grandfather than your father ever knew. Great-gramps certainly never posted that information - it's just that the net is great for agglomerating bits of random info into a coherent whole.

    So it's not us, but the gatekeepers who have to change. Banks, social services, and govt departments cannot assume that someone is who he says he is simply because he can provide a lot of personal information. It's not security by obscurity if its not obscure any more.

    The easiest way is to bring personal relationships back into the business. You can't impersonate someone at the bank if the teller knows the real person. I live in a (very) small town. We all know a frightening amout about eachother. But no-one would last a moment trying to impersonate me to a local shopkeeper.

    The problem comes because systems rely on computers having data about people, rather than people knowing people, and today that data is easy to get.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020