Social Engineering and Facebook For Starters
The post that I wrote the other day about Foursquare and Facebook Places really got me thinking, and well, then it got me into doing mode very quickly.
So, putting on my reconnaissance hat, I logged into Facebook to see what I could find out about a complete stranger, and well, to say that it was interesting is to put it mildly. Bear in mind that I had no idea who this person was, or where in the world they were located before I started digging around.
The details that I managed to dig up about this person were the following:
- In a relationship
- Last 3 employers, as well as current
- Current Job Title
- Universities attended and relevant dates
- Schools attended and relevant dates
- Work e-mail address
- Private e-mail address
- Work phone number
- Home phone number
- Cell phone number
- Home address
- Work address
- Car make and model
- Car registration number
- Roughly how long it takes him to get from home to the office (average of 33 minutes)
- Roughly how long it takes him to get from home to his son’s school.
- Musical tastes
- Photo’s of his house, his dogs and his children
- He spends a lot of time (and I mean a lot) playing World of Warcraft
- He used to run Windows XP, but has recently upgraded to Windows 7
- I managed to map out the first two layers of his family tree
I then decided to do a bit more digging outside of Facebook now that I had all the above knowledge, and managed to find out a bit more about him.
- He goes running each day, and also uploads his routes and stats via Runkeeper
- He’s been in the newspapers a couple of times for good deeds and charity work
- He coaches a kids soccer team at his sons school every other weekend
- He spends a fair amount of time on forums relating to legal highs
- There’s some video’s of him and his family on YouTube
- He has a personal web site, with a photo gallery of his travels with his family
- He runs a server from home, it’s running Windows 2003, IIS, and Exchange
- He’s currently an MCP studying towards his MSCE for Windows 2003, and I have his MCP ID, so far he’s done 3 exams
- He’s been married once before, and looking at photo’s of his ex-wife and his children, and their respective ages, one of the children is from his previous marriage.
- His citizenship
I managed to find all this information in about 10 minutes, now if I really wanted to go all out on this one, I’m pretty sure I could find a lot more information about him and his lifestyle.
Already with the information that I’ve managed to obtain I could quite easily use this for social engineering purposes, and not just against this person, but against most the people in his family. It really does make me wonder why people are so open with all the details that they share online, with just a little bit of effort I feel like I know this person. I also know that if I wanted to attack his company it would be a pretty trivial thing to do.
People, it’s a scary world out there, and you really don’t need to publish all this sort of information, the people that know you and will already know this information, do you really need to advertise it to the world.
I’d like to thank George for taking part in my little experiment