Hacker shows Reg how one leaked home address can lead to ruin

It takes nothing more than a home address for hacker "Nixxer" to find enough information to ruin your life. Nixxer is one of Australia’s most skilled good-guy social engineers and at a recent event, and in subsequent chats with The Reg, demonstrated the potential damage rather than actually ruining a life. But the arsenal he …


  1. Oengus

    People don't listen

    I still don't have a Facebook account and with revelations like this I never will.

    I tell people all of the time that "Social Media" is a treasure trove for nefarious individuals. The usual reply is "It won't happen to me" or "I am too smart for my information to get out". When will they learn? If businesses can make money out of their information the business will sell it to the highest bidder (or anyone that is prepared to pay what is being asked).

    1. Pascal Monett Silver badge

      Re: I am too smart for my information to get out

      That attitude is a one-way ticket to a very nasty surprise down the line.

      I hate "social" sites and I always have. Starting with the pseudo-relationship enablers (Meetic & Co), and right up to, of course, Facebook. The need that most people apparently have to self-divulge their every living moment to everyone is, in my view, a sickness that needs to be cured.

      I have real friends, with whom I have face-to-face or phone/Internet conversations. That is social enough for me. I am smart enough to know that, if you don't want your information to get out, don't post it online. Especially not on a site that is specifically tailored to correlate and sell it.

      1. DropBear

        Re: I am too smart for my information to get out

        "a sickness that needs to be cured"

        While I insist to have nothing to do with Facebook, ever, I also have deep, deep allergies to any "sickness" that "needs to be cured". Like being gay. Or a jew. Do I really need to Godwin this thread explicitly or is the point clear enough?!?

    2. Cuddles

      Re: People don't listen

      It's not that people don't listen, it's that they don't care. Humans are social animals, and tools like Facebook allow them to socialise with people they might otherwise be cut off from - if a family member moves to a different country, or even just within the same country, you can continue to interact with them where previously you might share a letter once a year at best. That's the trouble with all the whining about how stupid people are to use such tools; they amount to telling people they should become hermits and never interact with anyone if they can't do it face to face. It's certainly possible to share too much, and there are types of information that can make it very easy for others to commit fraud, but that means you should teach people about the actual risks, not tell them to just stop being sociable.

      As for the risk, as others have noted this very article clearly demonstrates just how tiny they really are. For all the supposed cleverness, this guy managed to find a bunch of publicly available information. Births, marriages and deaths are publicly registered. Land ownership is publicly registered. Businesses are publicly registered. Finding out a person's family and company details is not some horrific invasion of privacy only made possible by the internet, it's something everyone is able to access with a couple of calls to the local council. All the internet does is potentially make it a bit quicker and cheaper. If someone has a reason to target you, that's not going to change anything, and if they don't then as others have pointed out, there are over 7 billion other people in the world and many of them are much more tempting targets.

      1. Sir Runcible Spoon

        Re: People don't listen

        Don't bother telling people you don't care about; the more low-hanging fruit there is on Facebook et al., the more effort it would be to target someone with a low profile (like me!).

        Most crims fish with large nets in common fishing grounds. They would have to have a very good reason to go hiking into the Scottish Highlands with a fly fishing rod and hand-made flies - much more effort.

        As a result my main concern is to ensure I don't piss anyone off who has the requisite skills and mindset :)

        Also, people die in car crashes - no-one tells people not to drive. Same psychology at work here I reckon.

        1. Anonymous Coward

          Re: People don't listen

          It's trivially easy to piss off someone with the requisite skills (find your home address and bother you) and mindset (unemployed and batshit crazy). There's no need to piss them off intentionally, to do it yourself, or to actually be the person they believe did it.

          It's happened to me twice. Once by a notorious troll who stopped after a few weeks of mere online name-calling. Again by a probably-schizophrenic person who only stopped when served by the police with a protection order. Luckily both revealed their identities.

          When faced with multiple anonymous attackers, there's no recourse. Best not to expose yourself (real name, face, address, email, phone, contacts) in the first place.

          1. Pascal Monett Silver badge

            Re: It's happened to me twice

            Given the outcome, I think you can count yourself lucky.

            There are a growing number of perfectly innocent people whose lives have been thoroughly trashed by Internet vigilantism.

            1. Unbelievable!

              Re: It's happened to me twice

              how do we know this is you?

        2. asdf

          Re: People don't listen

          >Don't bother telling people you don't care about, the more low hanging fruit there is on Facebook

          i.e. you don't have to outrun the lion, only your buddy.

      2. Andrew Moore

        Re: People don't listen

        "they amount to telling people they should become hermits and never interact with anyone if they can't do it face to face."

        There's the problem though: social media does tend to make people hermits in real life. If a family member of mine moved to a new place, I'd like to think that they are interacting with their new community, face-to-face, rather than secluding themselves away and only relying on the internet to connect them to the people they know, long distance. Meanwhile, that person is getting a reputation in their new community...

      3. Milton

        Re: People don't listen

        Hm. I did something I very rarely do and clicked thumbs-down on this comment because I was annoyed, but now I'm annoyed with myself: I should have had the good manners to explain why I disagree.

        1. You're overstating the difficulty of pre-social-media comms. Sharing a "letter once a year at best" implies people who couldn't care less about each other in the first place. Even before the typewriter (heck, before there was reliable postal service) some folks used to write each other daily. I'm ancient enough to remember when we used letters, postcards and long-distance telephone to maintain excellent relationships with distant friends and family. I might even argue that relationships are cultivated better when you have to work at them a little, instead of just squitting out yet another tedious phone photo saying "Hey look, I went in this bar: aren't you fascinated?".

        2. Stats revealed just today in the UK show that one in ten people were cybercrime victims in the past year. That is not evidence for a "tiny" risk. It suggests the risk is sizeable and, if anything, growing.

        3. The fact that some data is publicly available is at least partly missing the point, which is that once a blackhat has some critical information about you, it provides the thin end of the wedge that will be used to expose a great deal more, both public and (supposedly) private.

        I agree there's little point telling people they are stupid to use Facebook, but it is probably true that if you are privacy conscious or have more significant (say, work-related) reasons for privacy, you simply shouldn't be using most social media platforms.

        Facebook could be almost infinitely better at protecting users' privacy, but it doesn't and won't because its whole reason for existing is to exploit its users, principally as consumers of advertising.

        In another world, internet users would never have fallen for the "free" model, and we'd pay a subscription for a service which, because it didn't make money selling its users, would actually work in their interests.

    3. Eddy Ito

      Re: People don't listen

      Let's not forget that even if you're not on Facebook it doesn't mean your information is not on Facebook. You don't have to post information about yourself since many of your chums will.

      Oh look, there's a photo of you in high school, a pic of you graduating university, and another at a wedding. Oh, there's some pics from last weekend's BBQ at your house by the pool and look there, it's helpfully been geotagged.

      Sure, it's slightly harder but not impossible for a motivated crim to track you down. I wouldn't be surprised if someone like Nixxer could just pick a random address or name from a phone book and be able to run it to ground regardless of the countermeasures taken. It might be a worthy study to know just how much Nixxer could dig up on himself or another like him just to see how well the defensive measures work.

      1. Anonymous Coward

        Re: People don't listen

        Assuming Nixxer owns a home, then he'll be vulnerable to all the same stuff. That's probably why he doesn't reveal his real name. Presumably those who hire him in his "day job" have no idea he's "Nixxer" and he never tells them.

        Obviously he knows all the information that can be run down about him, given his real name, and that's why he keeps it secret.

      2. razorfishsl

        Re: People don't listen

        They profile you all the time.

        One of the biggest issues is shite websites using an offsite "facebook in logo".

        Many of those "images" are actually uniquely tagged.

        When you go to another site they track via that "cookie", thereby bypassing your security settings.

        Tie that into IP address and it even spans "private browsing" sessions.

    4. Aodhhan

      Re: People don't listen

      Yet you have an account on this website and likely others. Meaning your IP address is recordable each time you log in, and all your posts and any information in them likely tell a story or two when laid out and studied.

      You think this website or its host is trustworthy?

      Ohhh.. you only think you need to worry about facebook? There isn't much difference.

      1. Sir Runcible Spoon

        Re: People don't listen

        "You think this website or its host is trustworthy?

        Ohhh.. you only think you need to worry about facebook? There isn't much difference."

        Really? You don't see the difference between someone having to dig into someone else's systems to obtain additional details and having it all splurged out in plain sight for anyone to see?

        Ok, it's your mind, I'm just glad I'm still capable of making distinctions and haven't completely left the reservation yet :)

      2. Anonymous Coward

        Re: People don't listen

        you think my details are real on this or any other web site, LOL big time

        1. Sir Runcible Spoon

          Re: People don't listen

          "you think my details are real on this or any other web site, LOL big time"

          That raises a good question: there are some names that you aren't legally allowed to change your name to; is Anonymous one of them?

    5. inmypjs Silver badge

      Re: People don't listen

      Yes, because on balance most people are stupid.

      I have a personal privacy policy that requires me to not provide any valid information to anyone on the internet if I can avoid it.

      I tried creating a Facebook account I guess about 8 years ago although it seems like longer. It was the first web service I came across that rejected all of the throwaway email address services I had access to. That was enough to convince me Facebook was for the stupid and not for me.

      1. Anonymous Coward

        Re: People don't listen

        That's weird. It accepts hotmail and similar web email accounts. Not sure why you were unable to register a FB account. Perhaps you imagined it.

    6. Anonymous Coward

      Re: People don't listen

      I deal with this on a much more serious level. Kids of High Net Worths live in this bubble that nothing can happen to them, until I start showing them kidnapping statistics. You don't hear much of this, but even in countries you would consider "safe" like Switzerland, kidnapping happens and especially a child will bear the scars for life.

      The key to such a crime being successful is data collection, and kids help with that by this "sharing". I understand why - these companies have been specifically set up to encourage that bad habit from the moment they get their grubby paws on a child (and let's just say that I'm not overly impressed by their "care" to "avoid" use by younger children, nor do I consider 13 the age of wisdom for such decisions).

      The consequences, however, can be dire, and we're now running an educational program to coach these kids out of those dangerous habits. Once we have this running properly I hope to use the data we gather here to make this a public programme for schools. Children should be protected, and for me, that protection doesn't end at 13. It ends at AT LEAST 16 - basically the age when they are able to legally engage in a contract of their own - because that's what accepting Terms & Conditions really is.

      Personally I think it is time to establish just how much parental control we have. Not because I want to, but more because we HAVE to - left unchecked it's not going to get better.

    7. Fred Flintstone Gold badge

      Re: People don't listen

      "I tell people all of the time that "Social Media" is a treasure trove for nefarious individuals. The usual reply is "It won't happen to me" or "I am too smart for my information to get out". When will they learn. If businesses can make money out of their information the business will sell it to the highest bidder (or anyone that is prepared to pay what is being asked)."

      Yes, those smart people who don't realise that even if THEY are careful, they cannot prevent the abuse of that giant barn-sized backdoor in privacy law: you can't prevent your "friends" giving away your data. That was, for instance, in my opinion, the goal of WhatsApp et al: grabbing address books.

  2. Anonymous Coward

    it's moot

    99.9% of the population will NOT abandon facebook, and the rest, i.e. the lot occupying this space and other fringes, will shun it the way we've always done.

    If I showed this post to a larger group of people, they'd say:

    1. sorry, 2 long 2 read

    2. yeah, well, but what can you do? (shrug).

    3. interesting, let me repost it on my fb page!

    1. Sebastian A

      Re: it's moot

      Those 99% are my canaries. They can be the low-hanging fruit while I myself am just a bit harder to doxx. Means that in most cases there's no reason to bother with my details when there are exhibitionists all over the place just begging to be impersonated.

    2. Michael Hoffmann Silver badge

      Re: it's moot

      Sadly, very much this.

      I (have to) use it for 2 things: family and sports/hobby activities.

      The former I have a fairly tight rein over (you WILL do this and this and this to have a modicum of protected privacy and security or I will unfriend you - an actual dire threat when much of the family is half a world away).

      The latter... clubs have apparently done away with maintaining websites or other means of updating members or other announcements. No matter how much I've tried to caution (even resigned from a secretary position when I just couldn't take it anymore) the "but it's so convenient and *everybody* uses it" just became knee-jerk. As leaving, in my chosen hobby, would be cutting off my nose to spite my face I can only throw up my hands in disgust and resignation.

      Best I can do is obfuscate and hope for the effing best. :(

      1. getHandle

        Re: it's moot

        Could be worse - lots seem to be turning to WhatsApp. At least I can constrain FB to the browser...

        1. Brewster's Angle Grinder Silver badge

          Re: it's moot

          Why is WhatsApp worse? You're not sharing in a searchable public forum; it's a one-to-one connection with people whose phone number you already know; a cheap way to text.

          1. Down not across

            Re: it's moot

            "Why is WhatsApp worse? You're not sharing in a searchable public forum; it's a one-to-one connection with people whose phone number you already know; a cheap way to text."

            Well, for one thing it allegedly uploads all of the contacts to their server. So even though I don't use it, chances are someone might have me as a contact that uses it and thus my information could be on their server without my permission.

            1. Brewster's Angle Grinder Silver badge

              Re: it's moot

              Supposing that's true, then the information is locked away in their servers rather than being handed out to anyone and everyone.

            2. Alumoi Silver badge

              Re: it's moot

              Naah, it's the web of trust, you see.

              You don't do social media but one of the people who has some info on you does. And if none of your contacts uses social media then certainly one of their contacts does. And so on.

              I think it's called six degrees of separation or something like this :P

              Bottom line: we're screwed!

      2. anonymous boring coward Silver badge

        Re: it's moot

        " clubs have apparently done away with maintaining websites or other means of updating members or other announcements"

        Yes, but those websites are an even worse security nightmare.

        Perhaps join Facebook with a pseudonym and no identifiable information, if one must. I resist, as it is a PRIVATE company, not some friggin state-owned and -run utility like people seem to think.

        Money talks, and it tells Google and Facebook to sell out (meaning making it viewable on-line) all info per default, unless you make a massive effort to tighten things up. Not worth it.

  3. Anonymous Coward

    This article should be read by EVERY user of social media

    before they are allowed to even register for those sites.

    If they proceed then they deserve everything they get including financial ruin.

    Sorry to be so brutal, but once a few hundred/thousand users get enough people ruined before sites like Facebook are closed down in the face of a million lawsuits. What then, Zuck!

    1. anonymous boring coward Silver badge

      Re: This article should be read by EVERY user of social media

      "If they proceed then they deserve everything they get including financial ruin."

      No they don't.

      Not everyone is a computer wiz, and some who think they are still don't get it.

      Several here, for example, seem to think they are safe because they have to show a physical bank card. LOL. Never heard of forgeries?

  4. Tom Wood

    "to open and close his bank accounts"

    “I have enough information at this point to open and close his bank accounts, or do whatever I want,” he says.

    Er, really? Sure, he knows a fair amount about his "victim", but that still shouldn't be enough to do anything particularly lucrative to a criminal.

    Last time I tried to close a bank account, I had to go into the branch (even though it was an "online" savings account), and show the bank card of my linked current account, and sign a form. That was for a dormant account with no money in it - had I actually wanted to withdraw money and close the account I'd have needed the card's PIN and also possibly some other photo ID if the amount in question was large enough. To steal money with online banking, from the two banks I use, I'd need (1) knowledge of logins, passwords etc and (2a) access to my card and PIN or (2b) access to my phone, depending on the bank. The attacker described here doesn't have ANY of that info.

    Maybe this speaks more to the lax security policies of American banks than anything else?

    And being able to gain root access to someone's web server (not really sure how that is related to "replicating" a web site) is entirely unrelated to learning anything about their home address, car registration etc, and more the fact they were running an old unpatched Linux distro.

    1. Anonymous Coward

      Re: "to open and close his bank accounts"

      I suppose gaps in the article about how to get hold of hard data (bank account, etc.) were intentional, i.e. no need to give people ideas. I suppose those who do it for "business" would know anyway, but there are plenty of wannabes who might just copycat the solution if you provide too much detail.

    2. CraPo

      Re: "to open and close his bank accounts"

      “It just worked like that,” Nixxer says, clicking his fingers.

      Of course it did.

      1. Anonymous Coward

        Re: "to open and close his bank accounts"

        well, I imagine him clicking his fingers is me looking at magic being done in front of my eyes. Matter of perspective.

        1. Anonymous Coward

          Re: "to open and close his bank accounts"

          Maybe the missing details were "Accio Credit Card"? :-)

    3. Anonymous Coward

      Re: "to open and close his bank accounts"

      I was also puzzled by the claim that "I have enough information at this point to open and close his bank accounts, or do whatever I want" -- from the claim I imagine that the hacker would also be able to empty the bank account prior to closing it.

      How? No need for all the details, just the global picture (e.g. list of information required to do this as per the bank's documents, steps that could be taken without need for direct identification).

      If I try to close my account I would need to visit the bank branch personally and for sure a manager would like to call me to make sure I want to do this. Heck, I couldn't even cancel Comcast without getting a call on my cell phone for confirmation!

    4. Dan McIntyre

      Re: "to open and close his bank accounts"

      He's described as a "social engineer" and presumably has the skills requisite of that label. Ever read Kevin Mitnick's book The Art of Deception? The details you mention are easy to get hold of for these types of people.

      1. Anonymous Coward

        Re: "to open and close his bank accounts"

        He's doing well to close a bank account just by snapping his fingers. Last time I tried, having moved house, I had to go to the bank with proof of moving house, and my existing bank card, which they cut up in the bank. Then the branch forgot to tell the main office, who insisted I bring the card in to be destroyed. Despite multiple phone calls, letters, emails etc, I was still getting yearly statements saying the account was still open, because I was unable to take a bank card into the branch to have it destroyed, because, err, they'd already destroyed it.

        I might employ him to shut down my bank account, cos I couldn't fucking manage it.

  5. David Roberts

    Dream on

    The vast majority of social media users haven't been attacked and probably never will be.

    This is why fish shoal. Although they provide a bigger target the odds of being missed are apparently much better than if they try and lead a solitary existence.

    A nice chat about profiling a target (although the bit about getting access to a Linux server sounds illegal) but the target showed up as potentially wealthy as well as vulnerable.

    If you uncharitably assume that the majority of SM users are dead eyed mouth breathers living at their parent(s) home on benefits with a poor to terrible credit record then you should see that they have a built in natural immunity. The profiling would have been abandoned very early on as not worth the effort.

    If enough people are conspicuously targeted then the SM platforms will up their game. If a massive threat is publicly identified then users will demand action. Until then the predators are only picking off prey from the fringes of the herd and the herd won't even notice.

    TL;DR I'm on benefits with two maxed out credit cards. Go on - steal my identity.

    1. Anonymous Coward

      Re: I'm on benefits with two maxed out credit cards. Go on - steal my identity.

      Eh? Don't you mean five maxed out credit cards? :o)

    2. Anonymous Coward

      Re: Dream on

      Fish proving that shoaling is just like every other defence tactic. Only effective in limited situations...

      http://video.nationalgeographic.com/video/ng-live/skerry-bluefin-tuna-nglive?source=relatedvideo

  6. Baldy50

    Nixxer

    Have fun at the DEF CON hacking conference next month bud.

  7. Anonymous Coward

    Had to revive FB recently

    I needed access to postings about a family member's adventures posted via FB, in all innocence by the organisation. And in the past I had used it to keep up to date with a similar group from my own youth. Sometimes it is unavoidable. But no one needs to post the sort of details you'd avoid shouting out in public.

    Some of the people on there will post anything. They have to be warned not to post "Here we are in this picture outside our house putting the key under the mat before we go to the airport. Be back in two weeks."

  8. TheProf

    Private

    Without being a leet haxor I've found out some interesting things about people with the same name as myself.

    Firstly they, or businesses they deal with, cannot cope with email addresses containing digits.

    Secondly, Americans seem to put all kinds of 'useful' information on the web.

    theprof-11@postmail.com keeps forgetting he's number 11 and so I've received information about his home address, his DOB, marital status, the name of his wife, her DOB, the number of children he has, the dates he'll be away from home in another state, the name of the church he goes to, the sports he's a tutor in, the make, model and year of his car, the price he paid for his house, (looks like a nice one) the amount he's paid to the city in taxes for the year, the academic courses he's been on etc. I've also been CCd in any number of emails by his friends meaning I (could) have a nice list of his friends and acquaintances.

    All this has dropped into my inbox, I've done nothing to seek it out.

    I usually contact the sender and let them know that a mistake has been made and even managed to track down the American theprof to warn him that his confidential info is being sent out to the wrong person.

    Yes, putting every last detail on a public notice board is a bad idea but you can't fight stupidity.

    Worth a mention: How much information do you think your postman has about you? Name, address, birthday, when you're on holiday, the name of your bank, your employer, the companies you have shares in, your interests. Frightening how much you can learn about someone just by looking at their book-shelf isn't it?

    1. Symon

      Re: Private

      @Prof. Are you Dave Gorman?

    2. Anonymous Coward

      Re: Private

      lol. I've received emails directed to a major D.C. lobbyist who shares my name. Usually from his interns. No good political dirt or steamy sex stuff, but one can imagine :)

      1. Anonymous Coward

        Re: Private

        Numbers with email addies + Americans. Damn, that probably explains why some American woman's emails come to me from time to time. I've had a Gmail address with my own name since the days when they didn't do evil and you needed an invitation.

        She's probably firstname.familyname9573@gmail.com.

        I'd never thought of that.

        (But her community have had some very unhelpful (to her) responses over the years. As in, "No I didn't order.... and have no interest in buying your poxy......" etc.)
