Hackers

Wednesday, January 12, 2011

New Protection From Internet Routing Hijacking and Incorrect Addressing

The beginning of January saw the start of a new era for Internet routing. Well, it almost did. Four of the five Regional Internet Registries (RIRs) have deployed the Resource Public Key Infrastructure (RPKI), a robust security framework for verifying the association between resource holders and their Internet resources.

The RIRs, like the RIPE Network Coordination Centre (which is responsible for the European part of the Internet), provide Internet resource allocations, registration services and co-ordination activities. RPKI allows ISPs and network operators to verify the accuracy of routes on the Internet and to prevent fraudulent or erroneous misdirection of Internet traffic. A famous example of erroneous routing happened in 2008 when the YouTube web site was unavailable in several different parts of the world because Pakistan Telecom incorrectly co-opted YouTube’s IP address range as its own.

The only RIR not to implement RPKI yet is the American Registry for Internet Numbers (ARIN). According to their website their deployment has been delayed until “very early in the second quarter of 2011”.

Once ARIN is up and running, the use of Resource Certificates will mean that worldwide each resource holder will own a certificate which lists the Internet resources (IPv4 addresses, IPv6 addresses, and Autonomous System Numbers) that are owned by the certificate holder (e.g. an ISP). The certificates are of course encrypted, and by using the public keys associated with the certificate owner the list of Internet resources can be easily verified.
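An added example (not from the original post or from any RIR's software) of how a network operator can use the resource lists that RPKI vouches for: it classifies a BGP announcement as valid, invalid or not-found following the RFC 6811 origin-validation rules. The prefixes and AS numbers are constructed from documentation ranges, and the sketch assumes the certificate chain has already been verified cryptographically.

```python
"""Route origin validation against RPKI-derived data (RFC 6811 semantics)."""
import ipaddress
from typing import List, NamedTuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class VRP(NamedTuple):
    """One validated authorisation: this AS may originate this prefix."""
    prefix: Network      # address block listed for the resource holder
    max_length: int      # longest prefix length the holder allows
    asn: int             # AS number authorised to originate the prefix


# Constructed sample data: documentation prefix (RFC 5737) and
# documentation AS number (RFC 5398), not real allocations.
SAMPLE_VRPS: List[VRP] = [
    VRP(ipaddress.ip_network("203.0.113.0/24"), 24, 64496),
]


def validate_origin(prefix: str, origin_asn: int,
                    vrps: List[VRP] = SAMPLE_VRPS) -> str:
    """Return 'valid', 'invalid' or 'not-found' for one announcement."""
    route = ipaddress.ip_network(prefix, strict=True)
    covered = False
    for vrp in vrps:
        # IPv4 and IPv6 entries are never compared with each other.
        if vrp.prefix.version != route.version:
            continue
        # "Covered": the announced block lies inside the authorised block.
        if not route.subnet_of(vrp.prefix):
            continue
        covered = True
        # "Matched": right origin AS and not more specific than allowed.
        # AS 0 means "nobody may originate this", so it never matches.
        if (vrp.asn != 0 and vrp.asn == origin_asn
                and route.prefixlen <= vrp.max_length):
            return "valid"
    # Covered by some authorisation but matching none of them is the
    # signature of a hijack or a misconfiguration; no coverage at all
    # simply means the holder has published nothing yet.
    return "invalid" if covered else "not-found"


if __name__ == "__main__":
    # Constructed announcements, labelled with what they illustrate.
    samples = [
        ("203.0.113.0/24", 64496, "legitimate origin"),
        ("203.0.113.128/25", 64511, "more-specific from another AS"),
        ("203.0.113.128/25", 64496, "right AS, longer than max_length"),
        ("198.51.100.0/24", 64500, "no authorisation published"),
    ]
    for pfx, asn, label in samples:
        print(f"{pfx:<18} AS{asn:<6} {validate_origin(pfx, asn):<10} {label}")
```

A more-specific announcement from an unauthorised AS, the pattern behind the 2008 incident mentioned above, comes out as invalid, which is the state a router policy can drop.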

Conference Series Targeting Technical Information Security Professionals Making Spring Debut in Dallas, Texas


EC-Council launches the TakeDownCon series – a highly technical information security conference series that promises to be an excellent knowledge acquisition and skills exchange platform.

TakeDownCon will bring together information security researchers and technical experts, both the brightest and darkest, from the corporate and government sectors to academia as well as the underground, and make it into one of the world’s premier infosec events where the latest security threats are presented and debated, and vulnerabilities are disclosed and scrutinized.


TakeDownCon will also feature a pre-event training platform offering EC-Council certification training including the world-renowned Certified Ethical Hacker (CEH) and Computer Hacking Forensic Investigator (CHFI) programs. In addition, there will also be highly advanced and technical courses offered by EC-Council’s Center of Advanced Security Training (CAST). These programs are designed by industry practitioners and will allow participants to go through both hands on and real life scenario based training covering domains such as web application security, penetration testing and social engineering.

Jay Bavisi, President of EC-Council said, “There is a huge gap, and we recognize the need for more information security training and education. TakeDownCon will be the ideal platform for knowledge acquisition. Dallas was chosen for its strategic geographical location, and the vast demand for information security training. TakeDownCon, being highly technical, will feature a brand new format, it will be very focused, content driven, and attendees will see no frills, thus making it accessible for the masses.”

This conference will also see the launch of “Nite Locks et all”. It is where physical security vulnerabilities and lock picking skills will be showcased, and a chance for attendees to try their hand at lock picking, under the tutelage of experts in this realm.

The Call for Papers is now open. If you are interested in revealing a zero day exploit, exposing a new vulnerability or flagging an unknown threat, this may well be the platform for you to showcase and demonstrate your technical expertise and proficiency, as well as demonstrate your thought leadership. Do visit http://www.takedowncon.com/cfp to submit your paper to be considered.

TakeDownCon will make its debut in Dallas, TX from May 14 – 19, 2011. More details can be found at http://www.takedowncon.com.

PandaLabs Releases 2010 Annual Security Report


PandaLabs, the antimalware laboratory of Panda Security – The Cloud Security Company – has released its 2010 Annual Security Report, which details an extremely interesting year of cyber-crime, cyber-war and cyber-activism. The full report is available at: http://press.pandasecurity.com/press-room/panda-white-paper/.

In 2010, cyber-criminals created and distributed one-third of all existing viruses, creating 34 percent of all malware that has ever existed and been classified by the company. Panda Security’s proprietary Collective Intelligence system, which automatically detects, analyzes and classifies 99.4 percent of all malware received, currently stores 134 million unique files, out of which 60 million are malware (viruses, worms, Trojans and other computer threats).

Despite these dramatic numbers, the report highlights some good news. PandaLabs discovered that the speed at which the number of new threats is growing has actually decreased when compared to 2009. Since 2003, new threats grew by at least 100 percent every year, but in 2010, the increase was approximately 50 percent.

Banker Trojans still dominate the ranking of new malware that appeared in 2010 (56 percent of all samples), followed by viruses and worms. In addition, a fairly recent newcomer to the malware landscape, rogueware (fake antivirus software), already comprised 11.6 percent of all the malware gathered in the Collective Intelligence database, and has become a category that, despite appearing only four years ago, has created great havoc among users. For a visual representation of the breakdown of malware categories, please visit: http://www.flickr.com/photos/panda_security/5299741783/.

The countries leading the list of most infections are Thailand, China and Taiwan, with 60 to 70 percent of infected computers (data gathered from the free scanning tool Panda ActiveScan in 2010). To see a graph of how other countries ranked, please visit: http://www.flickr.com/photos/panda_security/5299741647/.

2010 witnessed hackers exploit social media, the positioning of fake websites (BlackHat SEO techniques) and zero-day vulnerabilities as their primary methods of infection. Spam also kept its position as one of the main threats in 2010, despite the fact that the dismantling of certain botnets (like the famous Operation Mariposa or Bredolab) prevented many computers from being used as zombies to send spam. This created a positive effect in spam traffic worldwide. Last year, approximately 95 percent of all email traffic globally was spam, but this dropped to an average of 85 percent in 2010.

2010: Cyber-crime, Cyber-war and Cyber-activism

2010 was truly the year of cyber-crime, cyber-war and cyber-activism. Although cyber-crime has existed for many years, cyber-war became a much more active and aggressive part of the malware landscape. The most notorious was Stuxnet, a new worm that targeted nuclear power plants and managed to infect the Bushehr plant, as confirmed by the Iranian authorities. Simultaneously, a new worm appeared called “Here you have,” that was created by a terrorist organization known as “Brigades of Tariq ibn Ziyad.” According to this group, their intention was to remind the United States of the 9/11 attacks and call for respect for the Islamic religion as a response to Pastor Terry Jones’ threat of burning the Quran.

And even though some aspects are still to be clarified, Operation Aurora was also in the spotlight. The attack, allegedly launched from China, targeted employees of large multinationals by installing a Trojan on their PCs that could access all their confidential information.

2010 also witnessed the emergence of a new phenomenon called cyber-protests or hacktivism. This phenomenon, made famous by the Anonymous group, is not actually new, but grabbed the headlines in 2010 for the coordinated DDoS attacks launched on copyright societies and their defense of WikiLeaks’ founder Julian Assange.

Social Networks in the Spotlight

Besides offering information about the main security holes in Windows and Mac, the 2010 Annual Security Report also covers the most important security incidents affecting the most popular social networking sites. Facebook and Twitter were the most affected, but there were also attacks on other sites including LinkedIn and Fotolog. There were several techniques used for tricking users on these sites, such as hijacking Facebook’s “Like” button, stealing identities to send out messages from trusted sources, exploiting vulnerabilities in Twitter to run Javascript code and distributing fake apps that redirect users to infected sites.

The full report is available at http://press.pandasecurity.com/press-room/panda-white-paper/. Visit the PandaLabs blog for more information about these and other threats.

Source:[Panda Security]

Mono 2.8.2 Fixes Source Code Disclosure Bug

The Mono Project have released Mono 2.8.2, which “contains an important security fix for users of ASP.NET”. The vulnerability, tagged CVE-2010-4225, allows ASP.NET applications, under some circumstances, to misbehave and return the source code (.aspx) of the application or any other file in the web application directory.

Affected are all 2.8.x versions of Mono. The components affected are the XSP web server and the mod_mono Apache module.

The Mono Project advise every Mono 2.8.xx user to upgrade to Mono 2.8.2 if they host web applications with it.

Amazon EC2 Used to Hack Wi-Fi – WPA Now Redundant?

German researcher Thomas Roth has announced that he has successfully been able to break into a Wi-Fi network encrypted with the Wi-Fi Protected Access (WPA) protocols in under 6 minutes by using Amazon EC2 cloud computing.

Roth uses a brute force approach to try to gain entry to the network. Using Amazon’s cloud based computing, which can be used for just 28 cents per minute, his technique is to try to decrypt WPA by forcibly trying up to 400,000 passwords per second. This means that in 6 minutes Roth’s software tries 144,000,000 passwords.

Stealing cell fone network

Okey this one's gonna be a quicky tut on how to make ua no signal sign turn into full signal on ua mobile... This works on all mobiles which my friends eva had cos i tested many times on their mobiles... Every morning i get up and see that cell tower infront my house and wish there was a way to steal the hell outta those signals... i use docomo.. and the signals are like hell.... so here we go.....
----------------------------------------
First of all let me tell u how exactly these small tricks work ..... The programmers who programmed those towers are smart enough to write tunndd (awesome) algorithms and wat we are doin is to kinda exploit those C or C++ codes used in tat tower ....... For tat u first need to understand the logic bout priority........

----------------------------------------

“I like a light touch, a sensitive piano. My wrists aren't that strong, and if I have to hack too hard, they start breaking down. Fortunately, after playing something like that I take a break and have a drink, or move over to the accordion, or just stagger off the stage until my arms recover." by aramis4kill@live.com

Signal priority

The truth is ua cell phone operator cannot serve everyone of his customers... and thats obvious.... some lakhs of customers and hundreds of towers = no signal !!! So here comes the smart play of software engineers...... they devised a small schema based on who is using the network more at that moment and who isn't .. the person using more will be served wid the best signal and the person who aint using = no signal !! and its very simple.. here is the pseudocode fa that (a pseudocode is normal language coding from this u can translate into any lang u want C or C++ or Java or anything..)

// A loop for the entire block to ensure the program checks the user priority time to time...

for(........)
{
    log all the numbers using our network;

    for(.............)
    {
        flush/delete no's which aren't using network at regular intervals;
    }
    provide the network fa the above sorted out list;
}



How did i get to know this ??? .. I didn't open the box or something... i jus tried to see wat happens if i send a huge chunk of msg to my friend and some oda trial-and-error-method .....

Exploiting the above code:- before doin something one should knw tat every cell phone sends a small msg to the near by tower and gets the info bout the tower and all... so wat we have to do is Type in a large message in ua msg editor and select the contact u want to send the message but don't press the "send" button ... wait for 2 mins and then exit the editor and bingo !! u'll have fun network ... how this works :- Ua cell will send a signal to the nearest tower bout the status of the cell fone ... if its idle u'l loose the network but ua sending the msg so the tower gives u full signal............ there are many methods like givin missed calls or calling our own number and all .. but this one is the simplest.....



Summary:-

(1) U lose ua network ---> u open the message editor and type in a huge message like this -->

asdadadadadkjahdadhakldadjgadhakjdnad



(2) Ur cell fone will regularly send the status signal to the nearest tower.... this time it doesn't send the idle signal so the tower tends to provide u the full network and expects u to send the msg ......

(3) U simply select the contact and will keep ua fone fa 1-2 mins like that without pressing the "send" button ......

(4) from 2nd step .... ull get the full signal as soon as u exit from the editor after 1 min.... ;) ...no sending message nothing \m/ .. Now try this out weneva u don't have signal .. :P

I believe in simplicity, may it ruin my life

Uncovering Personal Information over the Internet

Well, this is some piece of info I got from a hacking site and I thought it might interest the social networking addicts. The owner of this post is a friend of mine. Back in the days when we were still in high school, we used to go war driving and defacing websites of companies and government organizations to impress these hot high cheerleaders. I posted this info for educational purposes only. Whatever you do with this info, be it legal or illegal, I am not to be blamed.


published by aramis4kill .^_^
Hello all. This is my first article ever written for anything anywhere,
and my first real attempt at teaching anything. So any feedback is much
appreciated. You can reach me (sometimes) by e-mail at
aramis4kill@live.com You might even be lucky enough to catch me on
Google Talk. Do not e-mail me saying "it's M-A-Y-B-E", and please be sure
that you've checked for subtle humor before you complain, unless you're
complaining about the subtle humor. I will answer any question, pertaining to
this article or not, provided it is intelligent, and I have the time. Good
luck on the latter.

Part 1 - Generic disclaimer

This information is meant for instructional purposes ONLY. This site and I
are not responsible in any way for anything you may be dumb enough to do with
any knowledge gained here, or elsewhere.

Part 2 - The introduction

With 'social networking' becoming more and more popular nowadays, it's easy to
meet people online, and in many cases, people that you have never met face-to-
face, or 'in real life'.

This opens quite the array of possibilities, and some questions.

What if this person isn't who they say they are? Often times people will lie
about their identity to protect themselves from those 'online predators' you
hear so much about on those talk shows designed to scare mothers into locking
their children in a cage. Perhaps they are one of these people looking to do
bad things to you, the kind of bad things that are beyond the scope of this
article, and perhaps this whole site (I do have to wonder sometimes, though).

What if you want to know more about this person without revealing too much
about yourself? This is also a valid question. In many cases, there may be a
bit of information you want to know about someone, and even though you have
the best of intentions (right?), they may not want to share this information
with you.

This article is intended to help you in these situations. This topic is far
too complex for step-by-step instructions in most cases, in fact, it's rare to
see any one method give you all the information you need, in most cases
personal information is put together by obtaining many small pieces of
seemingly useless data and putting them all together to reveal the whole, it
may even come to process of elimination.

In other words, this article is an introduction to uncovering information such
as age and location (personal information) about someone without directly
asking. Or, in a broader scope, this is an article on social engineering.

The person's information you want will be called the 'victim' hereon. You
will be 'you'. I will try to make as few assumptions as possible, but I
will assume you have the victim's e-mail, and that the bulk of interaction is
taking place over some sort of instant messaging (Google Talk, MSN, Yahoo,
pretty much any chat room, that sort of thing). I will also assume you have a
good memory, as it's almost essential, unless you want to waste countless
hours looking through notes and conversation logs.

Part 3 - What to do with e-mail

Obviously, you'll want to somehow con them into sending you an e-mail. This
shouldn't be hard, and there's a good chance that it will happen without the
need for any fancy social-engineering. Maby not, though, but the lamest
excuses are known to work here. You may try asking them to send you a file
by e-mail so you can download it later, you might first send them an e-mail
and hope they will reply to it.

Anyhow, once you have a message they sent you, and not a message sent by some
automated service, the first thing you'll want to do is check the 'from'
header. Some people put their full name here, and their real one at that.
Naturally, this is useful information.

You'll also want to flip through ALL the headers. For those that don't know
there are many headers beyond to, from, and subject. In gmail you can view
these headers simply by clicking "show original". There are ways to do this
on other mail services, and figuring that out is your problem. It should be
noted that many of these headers can be spoofed. The from field for example
is similar to the return address on a letter. There's nothing preventing a
person from writing someone else's address here.

Back again, you may see a line like this

CODE :

Received: from [24.225.9.69] by web53506.mail.re2.yahoo.com via HTTP...


Those numbers in the brackets represent the victim's IP address. This is
also useful information that will be explained later.

There is one more thing I'll discuss here. As you may know, many social
networking services (Myspace, for example) allow you to search for users by
their e-mail. This can point you to information you don't have, and provides
a good way to check if you have their real e-mail, if you happen to know their
page, profile, whatever on said site. You can, and should, even try to Google
the address. You may be surprised, but you should use your better judgement
with Google results. Say something you found with Google directly contradicts
something the victim told you. Were you lied to? Maby. Google could be
wrong, though. I can't tell you the answer.

There are other things you can do with an e-mail address. Play around with it
and have fun.

Part 4 - IP addresses

Every computer has an IP address. Even ones that aren't on the Internet.
Even ones that aren't connected to ANY network (I'm talking about the loopback
address). I'm not going to get into internetworking here, but you need to
know that an IP is not always specific to any one computer. As if that wasn't
enough, some computers are given IP addresses dynamically when they connect to
the Internet. This means that a computer's IP can change from time to time.
To combat this, you should try to find out everything you can about an IP
while you can be sure the victim's IP hasn't changed (in most cases, if the
victim hasn't 'signed off' or anything like that, the IP should be the same.
Should.), and try to get a new IP and check it every once in a while.

Getting the IP address can be done several ways, depending on the way you
converse with the victim. My personal favorite is setting up a webserver,
configuring it to log IPs, and asking the victim to 'see if it works' for you.
There are many other ways.

The only thing you can do with an IP is trace it, and try to map it
geographically. Neither of these is completely accurate, but can be helpful,
if you want more proof of the victim's location. There are plenty of online
tools to do this for you, and they aren't hard to find, so find them.

I lied earlier. There are other things you can do with an IP address, but
most of them are beyond this article, and I've never found them particularly
helpful in uncovering personal information.

Part 5 - Social networking

Most people make use of some social networking service nowadays. Facebook,
Twitter, Myspace . . . Many people even have more than one. Finding a 'page'
that belongs to your victim is outright easy. Ask them, they'll probably tell
you. There are other ways, like mentioned in the e-mail section if you don't
want your victim to know you've seen their page.

These services are gold mines for people like you. Few stop to think about
unwanted viewers before posting to these things, much less what kind of
personal stuff might be in it. Even if they have it set to 'private' or
'protected' (the name varies), there may be useful info for you. Example:
Myspace allows users to set their profile to 'private', meaning only people
they have allowed can see their full information. However, even if they have
enabled this option, a non-allowed user still sees their age, location, and
gender as entered (yeah, smart people tend to lie here). Along with a
picture and a 'username' of sorts.

Alternatively, you can request that they allow you to see this page. This
usually requires you to have an account with the same service, but most people
will allow this regardless of how well they know you.

Besides that, you can use them to validate information. Think you've found
your victim's real name? Search for them on Myspace. Does it turn up their
real Myspace page?

You can literally spend weeks digging in these mines, but it's usually worth
it. At least in my experience.

Part 6 - Direct interaction

Finally. Some real social engineering. I can't stress this enough - log your
conversations. There is no way you will remember everything, but the time
will come when you can faintly remember something said, and you'll be able to
look it up in your logs. The most important thing is that you pay attention
and watch for things that go against each other, and it's nice if you can
confirm it before you confront the victim.

Anything that your victim says can potentially be useful, even if it doesn't
seem so. For example:

CODE :

12:00:00 Hey, dude, what time is it?
12:00:01 1:00


Now you know their timezone. Which helps narrow down their location.
Timezone may not seem all that important, after all, it's a pretty general
area. But, think about it. Many people will lie about location on social
networks and even to your face, but most won't think to lie in telling you the
time. Seriously, this works more than you'd expect.

How about this:

CODE :

What's up?
Gettin' ready to go to a concert
Cool. What kind of concert?
Metallica


How does this help you location-wise? With Metallica being the most over-
played band on radio today, I'm sure you can look on the Internet to find out
where they're playing, which is another way to narrow down their location.
Most people will not travel too far for a concert, unless they're following a
tour, in which case you'll probably already know.

In other words, pay attention to what events the victim attends, maby the
event will be big enough for you to find out where it's hosted.

You should also pay attention to the way they talk. Often times, you can give
a good guess at their heritage, location, and age from how they talk, and how
mature they seem to be. Someone who says "y'all" a lot is likely from the
south. Someone who uses "eh" all the time could live in the north. Someone
who uses a lot of question marks could be French. Someone who uses a lot of
exclamation may be Irish.

Gender is usually an obvious one to pick up on. Men and women tend to have
different personalities. I think it's safe for me to assume that anyone that
may read this article knows the differences between men and women.

It may also help you to identify phrases, punctuation, quirks and the like that
the victim tends to use more often than not. These sorts of things may help
you identify the victim in certain situations, and may help you spot
impostors. Over time (years), you will be able to recognize the victim
without putting any thought into it, but in the short run, you can look for
unique tendencies, like myself and the word 'maby'.

Part 7 - Conclusion

This may seem like a lot of information to a complete newbie, but I've just
scratched the surface. Uncovering personal information is a broad topic, and
an art that takes years to learn and master. The best way to learn is to make
a few online friends and see what you can learn without them knowing. Or you
can try to surprise your current friends with your skills. Be patient,
listen, and you may surprise even yourself.

Again, please provide feedback either here, or to my e-mail.