
What can people find about me from just my email address?

  • 24-07-2013 9:07pm
    #1
    Registered Users, Registered Users 2 Posts: 39


    I listened to a podcast today which gave me pause... the guy was talking about "social engineering", how it's possible to get information on people just based on their email and some other scant pieces of information.

    Apparently that's how Scarlett Johansson's pictures were leaked--she'd left a bunch of information online like the name of her pet, what high school she went to, etc, and a hacker could use that to get into her email.

    Disturbing, but what disturbed me more was his statement that "I can use your email to see what online forums you're a member of". First of all, I presume that's only the forums where you make your email public? Are there programs or search engines that allow people to put in your email and discover what forums you've logged into with that email, even if the email is kept private?

    I've posted on a few forums here and there, and though I never wrote anything too horrible, I wouldn't want a prospective employer or snoopy ex-girlfriend getting to see that.

    Any input's much appreciated. If you think this belongs in another forum, or can suggest a better subforum, please let me know


Comments

  • Registered Users, Registered Users 2 Posts: 367 ✭✭900913


    she'd left a bunch of information online like the name of her pet, what high school she went to, etc

    Info like that can help when trying to reset an email account password.

    Just googling the username or email can reveal loads of info, or using a people search engine like pipl.com.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    The passwords I use, I doubt anyone could piece together all the information about me that's available online and guess them. However, through the use of social engineering, most people are vulnerable.

    Recently I put together a proposal to harden a company's defences against social engineering and demonstrated a few things. They are a sales company and they take their orders via email, and they assured me they had very strong passwords, but I told them I could take over their email within a couple of hours and they didn't believe me. Their email address was sales@paddys-sales.ie and dig told me their email was hosted by Acme-Hosting.org, so I cloned acme-hosting's site and set up a change password form. I then spear-phished their sales person asking them to change their password urgently. They typed their current password into my very authentic-looking acme-hosting webform, and typed in a new, very long password. I then took the old password, logged into their web console, set up a redirect for the mail and changed the password to the new password, so when they logged in, it would say "No new messages", not "Invalid password". I then sent their president a text saying, "I now own your email". This was at 1pm; he had shaken my hand agreeing to the project at 10.30am.

    Can I suggest you download a tool called the Social-Engineer Toolkit (SET)? It automates spear phishing attacks and the like. That, and a little creative imagination, can lead to some sleepless nights if you are interested or involved in defensive security. :D


  • Registered Users, Registered Users 2 Posts: 39 Question_Mark


    Disturbing...

    I've googled SET but I think at this point it's beyond my ken, most of it's double dutch.


  • Registered Users, Registered Users 2 Posts: 39 Question_Mark


    900913 wrote: »
    Info like that can help when trying to reset an email account password.

    Just googling the username or email can reveal loads of info, or using a people search engine like pipl.com.

    I googled my own gmail account and nothing came up.

    Strangely, some results that DO show up on google don't show up on pipl, e.g. there's an alternative gmail I use publicly which shows up with a google search but there are no results on pipl.

    One other thing, I tried wink.com, and of the results that came up they can't be clicked/accessed, just a bunch of names etc with a photo beside them. What's the point of this website? Unless I'm missing something obvious.


  • Registered Users, Registered Users 2 Posts: 10,339 ✭✭✭✭LoLth


    Have a look at Maltego from Paterva.com (there is a community edition included in Backtrack and Kali). From an email address it is *possible* to trace a lot of information across the interweb. I say possible because in testing I only got interesting results for one or two emails; usually I had to add more information into the mix or at the least know what sort of result I was expecting before I started looking. (Email addresses tested were my own or with permission from friends.)


  • Banned (with Prison Access) Posts: 7 !z!


    use Mailinator.

    Or use a second email for forums and stuff and your main for the important stuff only.


  • Closed Accounts Posts: 4,180 ✭✭✭hfallada


    I stopped using Facebook for the LC and it amazed me how many people I have as friends on Facebook that I don't talk to anymore saying "I see you deleted your Facebook". I don't really want people that I know knowing every single thing about me. But a quick Google search of an email can often bring up a Facebook, LinkedIn, Twitter and maybe your address and mobile number if you are on a club database that is online.

    A woman phoned my mother tonight, whom she had never heard of before. She got my mother's mobile number by googling our parish and finding a notice on the church site with my mother's number. So it's not just an email address you need to worry about.


  • Banned (with Prison Access) Posts: 7 !z!


    syklops wrote: »

    Recently I put together a proposal to harden a company's defences against social engineering and demonstrated a few things. They are a sales company and they take their orders via email, and they assured me they had very strong passwords, but I told them I could take over their email within a couple of hours and they didn't believe me. Their email address was sales@paddys-sales.ie and dig told me their email was hosted by Acme-Hosting.org, so I cloned acme-hosting's site and set up a change password form. I then spear-phished their sales person asking them to change their password urgently. They typed their current password into my very authentic-looking acme-hosting webform, and typed in a new, very long password. I then took the old password, logged into their web console, set up a redirect for the mail and changed the password to the new password, so when they logged in, it would say "No new messages", not "Invalid password". I then sent their president a text saying, "I now own your email". This was at 1pm; he had shaken my hand agreeing to the project at 10.30am.
    This shouldn't have worked. Office person weak link.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    !z! wrote: »
    This shouldn't have worked. Office person weak link.

    Matter of interest, why shouldn't it have worked?

    On the topic of social engineering, of course the office person is the weak link.


  • Banned (with Prison Access) Posts: 7 !z!


    syklops wrote: »
    Matter of interest, why shouldn't it have worked?

    On the topic of social engineering, of course the office person is the weak link.
    Office Person followed a link in an e-mail you sent to reset password? Am I reading it right?

    People shouldn't be falling for this anymore.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    !z! wrote: »
    Office Person followed a link in an e-mail you sent to reset password? Am I reading it right?

    People shouldn't be falling for this anymore.

    Shouldn't be but are.

    It was a spear phishing attack. Spear phishing attacks are highly effective. Not to blow my own trumpet, but it did look quite authentic: it used the recipient's name in the email, the fake password form looked practically identical to a real one, and the domain name was cleverly obfuscated.

    You're right, it shouldn't be this easy, but in a lot of places, it is.

    Yes people should be signing and encrypting emails but they aren't.
    Yes people should have agreed procedures for authenticating correspondence from their providers but they don't.
    As I am seeing on a day-to-day basis, people/companies, more so in Ireland, are not willing to spend money locking the barn door until at least one horse has escaped.

    Edit:
    Speaking of things people shouldn't be doing anymore, I saw a telnet server with no password on it on an Internet-connected system last week. There's a lot out there that people shouldn't still be doing but are.
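One concrete form of the "agreed procedure for authenticating correspondence from your provider" mentioned above is a mechanical check on any password-reset link before it is followed: does it use HTTPS, and is the host really the provider's domain or a subdomain of it, rather than a lookalike? This is an added example for this thread, not code from any poster or tool; the trusted domain is the placeholder from the story above and the sample links are constructed.

```python
"""Triage password-reset links against a known provider domain.

Added example, not from the thread or the tools it names. TRUSTED_HOSTS reuses
the placeholder provider from syklops' story; SAMPLE_LINKS are constructed.
"""
from urllib.parse import urlsplit

# The provider we actually expect reset mail from (placeholder domain from the thread).
TRUSTED_HOSTS = {"acme-hosting.org"}


def link_host(url: str) -> str:
    """Return the host a browser would really connect to, lowercased.

    urlsplit().hostname drops any 'user@' prefix in the authority, so a link
    written as https://acme-hosting.org@203.0.113.7/ reports the IP, not the
    provider name that appears at the start of the URL.
    """
    return (urlsplit(url.strip()).hostname or "").lower()


def is_trusted_link(url: str, trusted=TRUSTED_HOSTS) -> bool:
    """True only for an https link whose host is a trusted domain or a true
    subdomain of one. 'login.acme-hosting.org' passes; a host that merely
    starts with the provider name ('acme-hosting.org.reset-portal.example')
    or differs by one character ('acme-h0sting.org') does not."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False
    host = (parts.hostname or "").lower()
    return any(host == t or host.endswith("." + t) for t in trusted)


# Constructed sample links as they might appear in reset emails.
SAMPLE_LINKS = [
    "https://login.acme-hosting.org/reset",                  # genuine subdomain
    "http://acme-hosting.org/reset",                         # plain http
    "https://acme-hosting.org.reset-portal.example/reset",   # provider name as prefix
    "https://acme-hosting.org@203.0.113.7/reset",            # userinfo trick
    "https://acme-h0sting.org/reset",                        # digit zero for 'o'
]


def triage(links=SAMPLE_LINKS):
    """Return (url, real host, trusted?) for each link so a reviewer can see
    at a glance which ones deserve a phone call to the provider instead."""
    return [(u, link_host(u), is_trusted_link(u)) for u in links]


if __name__ == "__main__":
    for url, host, ok in triage():
        print(("TRUSTED " if ok else "SUSPECT ") + host.ljust(40) + url)
```

Only the first constructed link passes; the other four are exactly the shapes a "cleverly obfuscated" domain tends to take, and the host column shows why.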


  • Closed Accounts Posts: 3,981 ✭✭✭[-0-]


    !z! is basically saying people should not be vulnerable to social engineering anymore, but they are and always will be.

    People are conned every single day.


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    syklops wrote: »
    Speaking of things people shouldnt be doing anymore, I saw a telnet server with no password on it on an Internet connected system last week.

    That is just so shocking it's actually mildly upsetting.

    Telnet should be made illegal.


  • Registered Users, Registered Users 2 Posts: 39 Question_Mark


    I don't know what Telnet is, but given the above post it doesn't sound good...


  • Registered Users, Registered Users 2 Posts: 4,331 ✭✭✭Keyzer


    !z! wrote: »
    Office Person followed a link in an e-mail you sent to reset password? Am I reading it right?

    People shouldn't be falling for this anymore.

    Happens day in and day out in every workplace in the land, mark my words.

    We ran a test a while ago, sent a mail with the usual "hey look at these cute kittens". I was shocked with how many people opened the attachment (which had been embedded with software to inform us who had opened it).


  • Registered Users, Registered Users 2 Posts: 367 ✭✭900913


    What can people find about me from just my email address?

    An email address gives a hacker/cracker a target for a point of entry that if successfully compromised can lead to all your personal info attached to the email acc being exposed, also any accounts like facebook or iCloud, private messages/photos also exposed. *Prism seems to do this anyway.

    Your email acc being compromised can also lead to the attacker knowing exactly where you are at any given time by using iCloud and GPS (Find my iPhone).
    With access to the iCloud account the FBI reports that the hacker claimed he could track the Garda’s movements in realtime. The hacker boasted in one IM,

    "I just got into the iCloud for the head of a national police cybercrime unit. I have all his contacts and can track his location 24/7"

    Link: http://sociable.co/technology/compromised-garda-gmail-account-gave-hackers-access-to-fbiscotland-yard-briefing/


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,591 Mod ✭✭✭✭Capt'n Midnight


    Khannie wrote: »
    That is just so shocking it's actually mildly upsetting.

    Telnet should be made illegal.

    http://gizmodo.com/5979004/print-to-86000-random-printers-around-the-world-thanks-to-google
    Google has indexed somewhere around 86,800 publicly available HP printers. Google truncates the results, so you actually only get 73 rather than thousands and thousands.

    A little savvy searching shows that you can hit up any of the devices listed by clicking any of the links in the results. Surprise a library in Seattle with several pages of Notorious B.I.G. lyrics. Send the University of Cambridge a hard copy of a Rihanna cover. (We actually did this, and it worked). Congrats, random Chinese IP address, you just got bombed with fifty copies of a report I once did on War and Peace. P.S. you should probably make your printer private.


    telnet towel.blinkenlights.nl :p


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Khannie wrote: »
    That is just so shocking it's actually mildly upsetting.

    Telnet should be made illegal.

    You will love this video.



    And by love I mean make you weep like a little girl.


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,591 Mod ✭✭✭✭Capt'n Midnight



