Thwart my OSINT Efforts while Binging TV!

There’s been a bit of a social media uproar recently about the data collection practices of people search service FamilyTreeNow. However, it’s certainly not the first, only, or last service to provide potentially uncomfortable private information about people on the internet without their knowledge or consent. Even the most technologically disconnected people are frequently searchable.

In conducting OSINT research on people, services like FamilyTreeNow are often a gold mine, and are one of my first stops when I’m searching out useful facts to pivot into more intimate details about a target. Do you really want any casual stranger to know your home address, phone numbers, email addresses, and the names and ages of your kids? While disappearing from the internet completely can be nigh impossible, spending a little time removing easily accessible data can cause frustration and extra work for a nefarious (or nosy) person investigating you. I speak from experience. So, it’s worth taking some time to do, as we always want to make bad guys and gals’ lives harder.

So, grab a snack and a beverage, queue up a TV show to binge watch, and let’s make some quick and easy wins in helping you disappear from the malfeasant public eye. I’ll only ask you to do five quick tasks per episode. You can do them during the boring parts.

Before we start, I highly recommend setting up a new webmail account to perform these removals. Almost all of the services require an email to opt out, and many require account registration. Since we’re dealing with firms that collect information about people, it’s sensible to avoid using your day to day or work email.

One last thing! It’s important to remember these services are not always accurate. You may have more than one entry for yourself at any of these services. Make sure to check!

Let’s begin!

  • Let’s get the aforementioned FamilyTreeNow out of the way. Their opt-out form is here: https://www.familytreenow.com/optout. They’ll require you to search for yourself through the opt-out page then click a red “opt out this record” at the top of your entry. (You must repeat this process from the start for every profile you wish to remove.)
  • Next, let’s head over to Instant Checkmate. Their Opt Out form is here: https://www.instantcheckmate.com/optout/ and requires you to enter a name, birth date, and a contact email address.
  • We’ll head over to PeekYou next, which requires you to search their database first and provide the numeric profile ID in your page(s)’ URL, as well as an email address. Their opt out page is: http://www.peekyou.com/about/contact/optout/
  • Next up is Spokeo. You’ll once again need to search for yourself, but this time all you need to do is copy the full URL of your page(s). Then, head here: http://www.spokeo.com/opt_out/new, paste that link and enter your email address.
  • Let’s head to BeenVerified’s opt out page at https://www.beenverified.com/f/optout/search. Simply enter your name and location, select your entry or entries, enter your email, and click the verification link that is immediately sent to you.

SNACK, BEVERAGE, NEXT EPISODE BREAK!

  • So, Whitepages has two different types of profiles – free and paid, and they seem to have little to do with one another in terms of removal. For the free side, you’ll have to sign up for their service to remove entries, (which includes email verification). Once logged in, you simply need to paste the link to your entry here: https://secure.whitepages.com/me/suppressions.
  • For Whitepages Premium, you must open a quick support ticket with their help desk. Full details and the Help interface are here: https://premium.whitepages.com/help#about. You will need to copy and paste the link to your premium profile in the ticket (not the free Whitepages entry).
  • Let’s head over to PeopleFinders, http://www.peoplefinders.com/manage/. This one’s super easy; just use the search box to find your profile, and then click the opt-out button.
  • PeopleSmart is also relatively simple. Search for yourself at https://www.peoplesmart.com/optout-go. You will need to enter an email address and click a verification link.
  • USA People Search’s opt out page is here: https://www.usa-people-search.com/manage/ and simply requires clicking your profile and entering a captcha.

SNACK, BEVERAGE, NEXT EPISODE BREAK!

  • Let’s head to Radaris, at https://radaris.com/. Search for yourself. Click “full profile”, then click on the down arrow to see the full menu of options. There is one that states “Control Information”. This will prompt you to register for an account with their service and claim your profile as yourself. Once you have done so, you will have the option to “Remove Information” or take your aggregated profile private, at any time.
  • The last information service we’ll tackle today is Peoplelooker, at https://www.peoplelooker.com/f/optout/search. Once again, a relatively easy opt-out process using a verification email.
  • Finally, let’s do a little social media cleanup!
    • If you have a Facebook account, perform a Privacy Checkup. It won’t take too long. Ensure your posts and likes are as private as possible.
    • If you use Google or YouTube services, perform their Privacy Checkup. Once again, ensure nobody but the right friends and family can see your activity.
    • Head to LinkedIn. On the header menu, select Privacy & Settings, then select the “Privacy” tab. Consider how much sensitive detail you are providing about your workplace, their tools and processes, and yourself. Consider restricting certain data on your profile to only connections and members.

Good work! Enjoy the rest of your snack and your show! Be proud that you’ve done some good work cleaning up your public presence today.

***

It’s important to note that I’ve left a couple of services out of this guide that are referenced in other comprehensive lists (like this one), due to the complexity and frustration of removing data from their services. Notable examples: Intelius (and their many subsidiaries) and US Search unfortunately require a form and photo ID for information removal – the latter by fax or snail mail (!). So, while we won’t tackle these removals while we watch TV and enjoy a nice cold beverage, they are something to consider addressing with a little time and during business hours.

If you are in a sensitive situation and need a clean slate as soon as possible, I do recommend considering a paid data removal service like Abine.


101 Ways I Screwed Up Making a Fake Identity

As most of you know, my professional area of expertise in security is incident response, with an emphasis on system / malware forensics and OSINT. I’m fortunate enough in my position in the security education and con community to sometimes get pulled into other directions of blue teaming and the occasional traditional penetration testing. However, the rarest of those little fun excursions are into the physical pen testing and social engineering realm. In the breaking into buildings and pretending to be a printer tech realm, I’m merely a hobbyist. 🙂

Therefore, it was a bit remarkable that in the course of developing some training, there was a request for me to create some fake online personas that would hold up against moderately security savvy users. I think most of us have created an online alter ego to some extent, but these needed to be pretty comprehensive to stand up to some scrutiny. Just making an email account wasn’t going to cut it.

So Pancakes went on an adventure into Backstop land. And made a lot of amusing mistakes and learned quite a few things on the way. I’ll share some of them here, so the social engineers can have a giggle and offer suggestions in the comments, and the other hobbyists can learn from my mistakes. Yes, there are automated tools that will help you do this if you have to do it in bulk for work, but many of the problems still exist. (Please keep in mind that misrepresenting yourself on these services can cause your account to be suspended or banned, so if you’re doing more than academic security education or research, do cover your legal bases.)

What I messed up

I’m not going to waste everybody’s time talking about how to build an unremarkable and average character in a sea of people or use www.fakenamegenerator.com, nor how we always set up a VM to work in to avoid cookies and other identity leakage (including our own fat fingering). Those have been discussed ad infinitum. Let’s start with what happened after those essentials, because creating a good identity is apparently a lot more involved.

  • It pretty much required a phone number from the get go. I spun up my VMs and created the base sets of email and social media accounts that an average internet user might have, but Twitter was on to me from the start. I wasn’t planning on involving a phone for 2FA at all, but their black box security algorithm tripped in seconds and made me use a phone to enable the first account. So, I’m pretty much terrible. Granted, there are plenty of online services that will give you a phone number, and I could have burners if I felt the need, but it added a layer of complexity. In a good move, it looks like most of social media is now spamming new users to enable 2FA.
  • My super authorial D&D skills at creating dull people in big towns and reposting memes weren’t enough. I had to make friends and meet people to make the profiles pass as real. I knew that was going to be a challenge, but I didn’t expect it to become such a thought problem.
    • Twitter was the easiest once I fleshed out the characters and followed a bunch of accounts they would like, then people following those accounts. Some people just follow back folks who aren’t eggs (I do). I quickly had 40 or 50 followers on the dummy accounts. I’m apparently big in the vegan cooking scene now.
    • LinkedIn wasn’t too bad once somebody clued me into (LION) tags and good old 2000+ connection recruiter accounts. The people who participate in that essentially connect with anybody, regardless of the normal LinkedIn security and privacy rules about knowing people personally. So after making decent profiles, I just had to find a couple people with the tag, then fork out through 2nd degree connections in their vast networks to the correct industries and regions. Of course, I had to do a bit of strategic plagiarizing from other people in my characters’ professions’ skills sections to build believable people, first. (We have yet to see if they got any recruiter messages, but none of them had really lucrative careers.)
    • Facebook was actually the one I struggled with the most, because you really need a starting point in your network to even add other people. I talked to a lot of security folks about my woes there and they made some good suggestions. The first was to play some Facebook browser games for a few minutes (I feel like my time with Candy Crush was worse than the dark web), then go to their community pages and plead “add me”. Again, people cheating the security / privacy system make it easy to gain a foothold. A couple popular games got me 50-100 friends, and from there by using Facebook’s lovely verbose search system, I could move my network into the regions that my personas “lived in”. For instance, if the character were from Chicago I would search for friends of friends of the connections I had made for people in Chicago, and those people were much more likely to add me because I was a “friend of so and so”. The other effective strategy people gave me was to present myself as an ardent fan of a sports team or political party in article comments. That worked pretty well, but not as fast as the games.
    • Once I had some “friends” on Facebook, moving into specific workplaces and schools wasn’t too hard. Public Facebook Events at those institutions and their associated venues provide lists of lots of people to add who were almost certainly physically present. Again, once I had a few connections in that circle, it became exponentially easier to add more.
    • Pinterest, YouTube, and Meetup were pretty easy – there’s really not a lot of verification of users there, by design. I liked them for this because they’re very public and tie the other social media profiles together nicely. I confess that I did lose my nerve when Meetup group sign up forms asked me detailed questions about my “kids” or my “spouse”, and stuck to ones that weren’t so intrusive, because that just felt creepy (says the woman who looked up a cached copy of your 2004 MySpace page).
  • I don’t normally feel guilty when I’m hacking somebody in a pen testing engagement (it’s for a good cause), but I did feel a little weird and guilty interacting with unwitting strangers on the internet as other people. It definitely took me out of my comfort zone – not only did I have to role play other personalities with wildly different views, but I had to shake my normal security paranoia to do stuff like click “add friend” a lot without hesitation and leak data through privacy settings, strategically.
  • I really had to commit to one character at a time to develop them into a person.
  • Even in a clean VM, there was still apparent tracking to my IP space on LinkedIn! I didn’t bother to use a proxy or a public connection for an educational endeavor, but if I had to flee the mafia or something I would certainly keep that in mind. Internet advertisement tracking is insidious and possibly scarier than any nation state actor.
  • Photos are everywhere yet were strangely really hard to come by. Fake identity creating sites like https://randomuser.me/ provide profile pictures, but anybody half decent at OSINT will immediately reverse image search a suspicious profile’s picture. Their stock art photos have been so abused that searching any one at random provides a trove of suspect business reviews and fake LinkedIn profiles (a blog of its own…). Again, since this was a legal and ethical endeavor, I just used a collection of donated (previously unposted) photos from friends, heavily visually filtered and transformed. Even that required a lot of careful checking for metadata and visual clues that tied them to a location. I’m sure there are more expensive stock art photo sources that are less abused, but I’m not sure how ultimately virginal even their photos are. Maybe I should invest in a good wig and glasses.
  • This was time consuming, and I can see it becoming incredibly time consuming, which is the reason you use tools to automate the wits out of it if you do it regularly as a penetration tester. Facebook and Twitter timestamp content, and comprehensive ways around that are the kind of things social media companies give out hefty bug bounties for. On Twitter, you can retweet a year’s worth of old tweets in temporal sequence, but that will never change your publicly visible account creation date. Similarly on Facebook, you can manually change the date and location of posts, but your account creation date is still pretty easy to see based on other time data and your profile ID number. Ultimately, there seems to be no substitute for good old months and years of the account existing. If somebody has a workaround they’d like to share, I’m all ears.

What we can learn about OSINT and defense from this exercise

  1. Not new, but always good to reiterate: people bypassing security and privacy controls for convenience is a really big security issue. People who blatantly bypassed the personal connection requirements on Facebook and LinkedIn made my job a lot easier. If nobody had accepted my fake characters’ invites on social media, I would have been pretty stymied and stuck buying followers or building my own network to be friends with myself.
  2. As an adjunct to #1, be mindful of connections via one of these “wide open” social media accounts (many hundreds of connections, or an indication they don’t screen requests in their profiles).
  3. Reverse image search the photo, all of the time. Maybe on two sites! This should be something you do before dating somebody or making a business deal, just like googling their name. No photos are, as always, a red flag.
  4. Check the age of social media profiles even if they look verbose and well defined. Stealing other people’s bios is easy.
  5. Never be connection #1, #2, or #3 to a profile you don’t recognize (you enabler).
  6. Don’t accept connection requests from Robin Sage (or anybody else who presents themselves as a member of your community with no prior contact).
  7. In fact, don’t accept friend invites from people you don’t know even if they have 52 mutual friends and “go to your school”. I had 52 mutual friends and was bantering with the school mascot about a sportsball team I’ve never heard of, in a few minutes.
  8. Look for some stuff that’s deeper than social media and typical web 2.0 services when you’re investigating a person. My typical OSINTing delves into stuff like public records, phone and address history, and yes, family obituaries. Real people leave more artifacts online over the course of their lives than merely things that require a [Click Here to Sign in with Facebook], and the artifacts I listed are harder to fake quickly.
  9. Forget trust, verify everything.