You might be exceedingly careful on Facebook, dutifully changing privacy settings every time Facebook automatically opts you in to a new change, but it only takes one friend who is not careful to open the way to harvesting a wealth of personal information about you. Now, thanks to FBStalker and GeoStalker, new Open Source Intelligence (OSINT) data-mining tools, if just one of your online "friends" posts unwisely, then almost anyone can reverse-engineer that post and dig into your "private" life.
At the Hack in the Box security conference in Kuala Lumpur, Keith Lee and Jonathan Werrett of Trustwave's SpiderLabs presented "Facebook OSINT: It's Faster Than Speed Dating" [pdf]. OSINT itself is not new; what they added is tooling that automates the process. The duo demonstrated how to combine Facebook Graph Search with other sources such as LinkedIn, Flickr, Instagram and Twitter to harvest information about a target, such as places and websites regularly visited, work, school and online friends, and then plot the results on Google Maps.
Facebook's Graph Search previously returned results for queries about people, photos, places and interests, but then added searches for status updates, comments, photo captions and check-ins. Even if you've locked down your Facebook privacy settings, and your "friends" are not visible, FBStalker reverse-engineers Graph Search to determine your Friends, Likes and so much more. The data-mining tool works best if any part of any post was made public, such as being tagged in a photo, liking or commenting on a post.
For example, you might have been tagged in a photo. More than likely, you know the other people tagged in that photo. If you happen to comment on a post, then that implies you are associated with that person. In fact, that is one way FBStalker can find out about you through someone with whom you are not Facebook friends.
FBStalker can be used to determine the times when a target is usually online, as well as likely wake and sleep times. The automated analysis can also reveal a target's interests and commonly visited places. If a pen tester wanted a way into a target's life, FBStalker can supply social engineering targets, the associates of those targets and the strength of each association.
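As an added illustration of the two inferences described above, and not code from the osintstalker project, the following script scores association strength from public interactions (tags, comments, likes) and derives an activity profile from their timestamps. The events, the signal weights and the eight-hour "quiet window" heuristic are all constructed assumptions for the example.

```python
"""Association ranking and activity-window inference over public interactions.

Added example, not osintstalker code. EVENTS is a constructed sample of public
Facebook-style events involving the target "alice"; WEIGHTS are assumed values
chosen to rank a shared photo tag above a comment, and a comment above a like.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Assumed weights: being tagged together in a photo is a stronger signal of a
# real-world relationship than commenting on a post, which beats a bare like.
WEIGHTS = {"tagged_with": 3, "commented_on": 2, "liked": 1}

# Constructed sample events (actor did <type> involving other at time ts).
EVENTS = [
    {"type": "tagged_with",  "actor": "alice", "other": "bob",   "ts": "2013-10-14T22:10:00"},
    {"type": "tagged_with",  "actor": "alice", "other": "carol", "ts": "2013-10-14T22:10:00"},
    {"type": "commented_on", "actor": "alice", "other": "bob",   "ts": "2013-10-15T08:45:00"},
    {"type": "commented_on", "actor": "alice", "other": "dave",  "ts": "2013-10-15T23:05:00"},
    {"type": "liked",        "actor": "alice", "other": "bob",   "ts": "2013-10-16T08:30:00"},
    {"type": "liked",        "actor": "alice", "other": "erin",  "ts": "2013-10-16T22:40:00"},
    {"type": "commented_on", "actor": "dave",  "other": "alice", "ts": "2013-10-17T12:00:00"},
]


def association_strength(events, target):
    """Rank people linked to `target`, counting interactions in both directions.

    A comment by dave on alice's post is as much a link as alice's comment on
    dave's, which is how someone who is not a Facebook friend still surfaces.
    """
    scores = defaultdict(int)
    for ev in events:
        if ev["actor"] == target:
            scores[ev["other"]] += WEIGHTS[ev["type"]]
        elif ev["other"] == target:
            scores[ev["actor"]] += WEIGHTS[ev["type"]]
    # Highest score first; ties broken alphabetically so output is stable.
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


def activity_hours(events, target):
    """Histogram of the hours (0-23) at which `target` was visibly active."""
    hours = Counter()
    for ev in events:
        if ev["actor"] == target:
            hours[datetime.fromisoformat(ev["ts"]).hour] += 1
    return hours


def most_active_hour(hours):
    """Hour with the most activity, a proxy for 'usually online'."""
    return hours.most_common(1)[0][0]


def likely_sleep_window(hours, span=8):
    """Start hour of the quietest `span`-hour window, wrapping past midnight.

    Assumption: the longest run of silence approximates the sleep period.
    Ties resolve to the earliest start hour.
    """
    best_start, best_count = 0, None
    for start in range(24):
        count = sum(hours.get((start + i) % 24, 0) for i in range(span))
        if best_count is None or count < best_count:
            best_start, best_count = start, count
    return best_start


if __name__ == "__main__":
    print(association_strength(EVENTS, "alice"))
    h = activity_hours(EVENTS, "alice")
    print("peak hour:", most_active_hour(h), "quiet window starts:", likely_sleep_window(h))
```

With the constructed data, bob ranks first (tag, comment and like), dave second purely through comments in both directions, and the quietest eight hours run from midnight to 08:00. On real data the timestamps must first be normalised to the target's time zone, which Facebook does not expose directly and which is itself something an investigator has to infer.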
But wait, there's more, in the form of Lee and Werrett's GeoStalker, an OSINT data-mining tool for geolocation-related sources. Just as FBStalker only needs a Facebook profile name to get started, GeoStalker only needs a street address or a pair of coordinates to start digging into a target's life. It can list the wireless access points near that address, which can reveal a target's other wireless devices, along with photos taken at that location and even other social media accounts the target uses.
As their application-flow slide shows, GeoStalker takes that geolocation and retrieves location-tagged data from Flickr, Foursquare, Instagram, Twitter and Wigle.net. Each hit yields a user ID, which GeoStalker then uses to search for accounts with similar names on other networks; in that way it can find the target's other social media accounts on Facebook, Google+, LinkedIn, YouTube and Instagram, and turn up further matches via Google Search.
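The pivot just described, from coordinates to nearby posts to cross-network handles, as an added example that is not GeoStalker's own code. The geotagged posts and the account lists are constructed sample data (the per-source API calls are replaced by inline lists), and the 250 m search radius and the 0.7 name-similarity threshold are assumptions chosen for the example.

```python
"""Geolocation pivot: coordinates -> nearby public posts -> similar handles elsewhere.

Added example, not GeoStalker code. GEO_POSTS stands in for what the Flickr,
Foursquare, Instagram and Twitter location lookups would return; ACCOUNTS stands
in for name searches on other networks. Both are constructed.
"""
import math
from difflib import SequenceMatcher

# Constructed geotagged public posts. The Twitter post is roughly 3 km away
# and should fall outside the default radius.
GEO_POSTS = [
    {"source": "instagram",  "user": "j.doe_photo",  "lat": 3.1391, "lon": 101.6869},
    {"source": "flickr",     "user": "jdoe",         "lat": 3.1395, "lon": 101.6865},
    {"source": "twitter",    "user": "tourist_2013", "lat": 3.1579, "lon": 101.7116},
    {"source": "foursquare", "user": "jdoe",         "lat": 3.1389, "lon": 101.6872},
]

# Constructed handles "found" on other networks for the name search step.
ACCOUNTS = {
    "facebook": ["john.doe", "jane.smith", "doej"],
    "linkedin": ["john-doe-12345", "ali.rahman"],
    "youtube":  ["JDoe", "randomchannel"],
}


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def posts_near(posts, lat, lon, radius_m=250):
    """Posts geotagged within radius_m of the target coordinates (assumed 250 m)."""
    return [p for p in posts if haversine_m(lat, lon, p["lat"], p["lon"]) <= radius_m]


def normalize(handle):
    """Lower-case and strip punctuation so 'J.Doe' and 'jdoe' compare equal."""
    return "".join(ch for ch in handle.lower() if ch.isalnum())


def similar_accounts(user, accounts, threshold=0.7):
    """Handles on other networks whose normalised form resembles `user`."""
    base = normalize(user)
    hits = []
    for network, handles in accounts.items():
        for h in handles:
            ratio = SequenceMatcher(None, base, normalize(h)).ratio()
            if ratio >= threshold:
                hits.append((network, h, round(ratio, 2)))
    return hits


def pivot(lat, lon, posts=GEO_POSTS, accounts=ACCOUNTS):
    """Full chain: location -> user IDs seen there -> candidate accounts elsewhere."""
    users = sorted({p["user"] for p in posts_near(posts, lat, lon)})
    return {u: similar_accounts(u, accounts) for u in users}


if __name__ == "__main__":
    for user, hits in pivot(3.1390, 101.6870).items():
        print(user, "->", hits)
```

Two things the sample makes visible: the same person can appear under handles that do not match each other well ("j.doe_photo" resolves to nothing while "jdoe" resolves to three accounts), and a loose string ratio will both miss real accounts (the LinkedIn "john-doe-12345") and admit strangers, so every cross-network link this step proposes still needs confirmation from the account's own content before it is treated as the target.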
FBStalker and GeoStalker are wrapped as "osintstalker" Python scripts available on GitHub from Keith Lee. To stay updated about any changes, follow @osintstalker. "Instructions for FBstalker: Install Google Chrome and ChromeDriver on Kali Linux." Here's GeoStalker in action:
In case you are curious, the "Facebook OSINT: It's Faster Than Speed Dating" [pdf] slide presentation by Keith Lee and Jonathan Werrett shows some real-world social engineering examples of how they used the tools.
Follow me on Twitter @PrivacyFanatic