I have updated the master list of online information resources. This is the list of over 145 websites that can be useful in finding personal information about individuals and businesses. The entire list can be found HERE.
One of the new entries that I am excited about is PicFog. PicFog is a site that monitors all of the photos being transmitted through Twitter. The home page is a constant stream of photos, and search options allow you to filter by location, user name, or keyword. Below is an excerpt of over 200 photos that were recently uploaded from St. Louis, MO.
Because I am always entertained by the amount of people that post their meals online, I conducted a search for "lunch" and found hundreds of photos of the meals that people were eating right now.
WARNING! Some of the photos may include nudity and inappropriate behavior. Search at your own risk.
Another great site that I added is The Ripoff Report. This site catalogs both the businesses and individuals that have been reported to conduct fraudulent activity. Reports may include scams, illegal businesses, and various individuals that have ripped off people using auction sites. A quick stop at this site could provide great intelligence on your target.
23 more links were added. Take a look and see if anything may be useful to you in identifying information about your children, potential employees, your business, your competitor, or maybe the new neighbor!
Contact me if you have any questions, or if you know of a site that I have not included.
An audience member of a recent presentation in Chicago asked me how she could locate items that had been stolen from her during a recent burglary at her home. There are several techniques that could be applied here, and I will explain the most common. Possessing a list of detailed information about the item will be important, such as make, model, and any characteristics of the item.
Many thieves will no longer attempt to sell stolen items at a pawn shop. These businesses now provide electronic data of all transactions to law enforcement, making it easier than ever to identify a criminal. Now, they go to the internet. Bold thieves will list the item on an online auction site such as ebay and offer to ship the goods. Searching ebay is easy, and the advanced search is very valuable. For this entire post, let's assume that a Canon 40D camera is the item stolen. A search on ebay reveals 11,267 current auctions for this camera:
This is way too many to sort through. Using the Advanced Search option allows us to only search for cameras in an immediate geographical area:
This now brings us to 44 results, which is much more manageable:
As an Investigator, I would now look through these posts and look for any physical characteristics in the photos, such as a scratch, that may identify the camera. I may also click on the person's user name and browse the other items being sold, which may also be stolen goods. If I see a guy selling 22 car stereos with exposed wiring, I think I might be on the right track. Keep in mind, these are only CURRENT auctions, not past sales. In order to view previous auctions, look down on the left menu and check "Show only completed listings". This can be combined with the geographical option to only view previous auctions for a specific item in your town.
Most thieves now avoid ebay because all transactions are documented forever, and valid banking information must be provided by the thief. This information can be given to law enforcement for a speedy arrest. Now, thieves have found Craigslist as an easy avenue to sell stolen goods. Navigating to craigslist.org and then checking your local area (mine is St. Louis), will present you with a search box ready for a search term. Searching for our camera yielded six results, which will also identify the town that the thief lives in:
Once an item sells, the seller usually quickly removes the ad. Searching on craigslist.org will ONLY search the current ads. This will not find recent sales. I prefer using Google to search Craigslist. The below term in Google will search all ads, current and past, listing Canon 40d within the post on the entire site:
2,300 results is too many, so now I will specify to only search the St. Louis portal:
This brought us to 106 results, which is much more manageable. At this point, i will look for sellers that are selling the item for a reduced cost, appear to be in a hurry to sell, or do not appear to know much about the item. A seller with a post title like the following appears to be legitimate:
While a posting like the following may be a little suspicious:
These techniques are not enough to make an arrest. If you believe that you have found your stolen items, DO NOT CONTACT THE SELLER! Contact your local Police Department and advise them of your findings. Allow them to build the case and make an arest. I have been successful on numerous occasions using these methods, and I encourage other agencies to scour the internet weekly for "hot" items.
If you are associated with a law enforcement agency, and would like training on various investigative techniques, I have recently update six new programs focused on police work. These programs run from one to two hours each, as well as an eight hour complete "boot camp" that covers everything. Information can be found here:
http://computercrimeinfo.com/le.training.html
Ah. A fresh coat of paint. I have made many long overdue cosmetic changes to the site and blog. This should make navigation easier. I also repaired the broken video links and added new content. Much more will be coming soon!
NEW: I have added an entire new section titled "Law Enforcement". In this menu you will find SIX new training session devoted to Law Enforcement and High Tech Investigations. Topics include:
Online Investigation Recources (2 Hours)
|
| Identity Theft / Internet Fraud / Email Scams / Hacking (2 Hours) |
Technical Investigation Techniques (2 Hours)
|
Child Safety on the Internet for Police Officers (2 Hours)
|
| Introduction to Computer Forensics (2 Hours) |
| Protecting an Officer's Personal Information (1 Hour) |
Some of these topics are available to sworn law enforcement only. However, some could be applied to other areas including insurance companies, private investigations, and attorneys. Please pass this information along to any agencies that may benefit from the instruction.
We all know that Google has the amazing ability to find anything on the web. I often present sessions on the many ways that criminals use the popular search engine to obtain information such as credit card numbers, sensitive documents, and customer information, with the hopes of convincing businesses to protect their data. Recently, a simple search discovered quite a bit of information about a fairly new online service.
Blippy.com is self described as a "fun and easy way to see and discuss what everyone is buying". The idea is that one creates an account, and then allows it to monitor a credit or debit account to post what the person is buying. Since Blippy "protects" any sensitive data, the information shared is very vague. The screen shot below displays two users, along with how much they recently spent at Starbucks.
This service allows anyone to see what a person spends money on. Searches can also be made on an individual business to see what people are buying, how much they are spending, and when they are shopping. While all of this exposes quite a bit about someone, today it gets worse. A Google search of:
site:blippy.com + "from card"
revealed:
I have intentionally blocked out the credit card numbers, however they are completely visible on the results page. A representative from Blippy.com stated that only four member's numbers were visible, which I believe is four too many. As of this posting, it appears that Google has blocked the above mentioned search, and I assume that Blippy.com is hard at work correcting the problem on their end.
I believe that this is a valuable lesson in regards to announcing too much information on the internet. While Blippy users enjoy sharing their lives on the Internet, it is only a matter of time until something goes wrong. What will be next? Will people be able to search Google for your voice mail messages? Oh wait .... that already happened.
While speaking to various organizations, I am constantly amazed at the lack of concern for protecting a business' online presence. I offer a two hour session that focuses on finding personal information online, which begins to open the eyes of Management, but that was not cutting it. I have developed a new course that will concentrate on protecting a business from an internet view.
This interactive session identifies and demonstrates several methods of searching for information about a company online. This should be conducted monthly by any business that has an online presence. These queries will discover publicly available information that could harm an organization. A sample of topics includes locating complaints about service, employee information, comments from individuals, photos that can be tracked to the company, employee activity online, employee profiles, private emails, inaccurate information, common network vulnerabilities, confidential documents, user names and passwords, and even private customer data. Previous demonstrations have displayed that entire drives full of sensitive company documents were visible online by anyone with an internet connection. Solutions to solve all of these issues will be presented, as well as direct links to the sites that will help one identify the problems.
In a previous post (LINK HERE), I discussed how Peer to Peer software on ANY machine in a business could leak sensitive data to anyone on the internet. These programs, such as Kazaa, Limewire, and BearShare, are very common and usually used to download music. These programs also share data by default, and expose your sensitive information.
As another example, I explain how Meta Data within your documents on your web server may be exposing a lot of information about your employees, your computer systems, and the software that you are using (which exposes serious vulnerabilities). The last location where I presented this information exposed several forgotten documents that were still online which identified several user names, email addresses, illegal pirated applications, server names and directories, copy machine information, and even evidence of plagiarism and theft of intellectual property. This demonstration was conducted from scratch using free software, and completed in less than four minutes.
In total, I display over fifty resources that will help keep your online presence in a form that will benefit the business. I highly recommend that this session is presented to both Management and the individual(s) that will be conducting the inquiries. In order to view the complete presentation, a minimum of two hours is needed.
Please Contact Me to discuss further, or to schedule a presentation.
While speaking in Peoria, Illinois the other night, I presented a small demonstration on EXIF data. This demo then kept going and going until we exhausted the many features of EXIF data, and how it can be used to help or hurt us. First .... what is EXIF?
Exchangeable image file format (Exif) is a specification for the image file format used by digital cameras. Basically, every photo you take with a digital camera or cell phone camera stores a LOT of information embedded in the data that you normally do not see. This can include many bits of data that most people would consider personal and a threat to their privacy. Let's take a look.
Example # 1: Serial Number:
In this photo, there is embedded EXIF data. Click HERE to see the data. The camera that took this photo is a Canon EOS 5D. Other data identifies the lens, Date and Time info, and many particulars about the camera settings used for that photo. Searching for "Serial" on this page will identify the serial number of the camera as 520201773. Let's think about that. Every photo you post to the internet can reveal your camera info including your serial number. So, what if I wanted to find all of the photos that you have uploaded, no matter what name you used? There are several ways. I will demonstrate StolenCameraFinder. This is a small Java Applet that allows you to search a site like Flickr (A photo sharing site) for any photos containing a specified serial number.
The idea behind this software is to locate stolen cameras uploading photos to the web, which is a brilliant idea. However, it could also be used to find information about you that you simply did not want to be found. Let's look at another example.
Example # 2: GPS Data
HERE is a photo of some bicyclists turning onto a road. Extracting the EXIF data through an online EXIF viewer, I can see the exact location of the photographer when the photo was taken. HERE is the link. Many new cameras have GPS enabled by default. Most new cell phones are GPS capable, and many have the GPS on by default. Below is a screen shot of the original photo and the satellite view of the GPS coordinates extracted from the EXIF data. The green arrow identifies exactly where the photographer was standing.
This feature is desired by many that use it. I can only assume that many of us do not realize that this information is being broadcasted without our knowledge. One final example.
Example # 3: Cropping
Every digital photo has a small thumbnail of that photo embedded in the EXIF data. SOME programs do not overwrite this data when cropping the photo. Below is a photo found online of a door to a house. Next to it is the thumbnail found inside the EXIF data, which shows the entire house. HERE is the original photo, and HERE is the EXIF data.
Newer programs such as Photoshop CS3/4 and Microsoft Photo Editor will overwrite the thumbnail with the current cropped image. Many freeware editors like Irfanview do not unless specified. When a photo is found online that has been cropped, a quick run through the online EXIF reader may offer a surprising view of what the photo originally contained.
Are you now thinking about that photo of you on Facebook where you cropped out your ex? Well, Here it is .... just kidding.
Solutions? Several
If you are using Photoshop, open the image and select the "Save for Web" option. This new file will not have the EXIF data in it. JPG Cleaner will allow you to clean all of the EXIF data from multiple photos at once. EXIF Remover is also a great online tool that will remove the data without downloading any programs.
I recommend that everyone looks at the EXIF data embedded in the photos of them on the internet. If the information is too personal, cleaning the photos and re-posting should eliminate most of the concern.
Someone in the Southeast is trying to prey on unsavvy texters by pretending to be their bank and asking them to "verify their account info."
According to this news report out of South Carolina, people have been receiving texts from something called "Homebank.us" telling them they "have received a new e-Banking voice message" and to call a phone number with an 828 area code.
The video below displays what happens.
An automated system tells you, "Welcome to Online Security Center. You've received this secure alert due to repeated log in attempts from a foreign IP address located in India," and then moves on to ask for a credit card number, expiration date, PIN, and security code.
This information is then used to get access to your accounts.
I have added two new presentation options:
Conducting a "Self Background Check" (1 Hour)
This session explains additional resources available that allows someone to request their own personal information. Completing each one of these requests will identify both valid and innaccurate information being reported about you to many industries including credit, insurance, banking, and government. The resources discussed here are completely different than the Using the Internet to Discover Personal Information, Using the Internet for Background Checks, or Eliminating traces of your identity on the Internet. This session pairs well with any of these other presentations. Here is a partial list of resources that will be explained and tested live.
AND
Full Computer Crime Boot Camp (8 hours)
This full day session covers complete lectures on the following:
Identity Theft / Internet Fraud / Email Scams / Hacking
Using the Internet to Discover Personal Information
Eliminating traces of your identity on the Internet
Conducting a "Self Background Check"
Advanced Online Digital Data (Documents, Photos, GPS)
These extended sessions cover everything that I teach about the numerous ways that technology can create torment in our lives. From ID Thieves to password hackers, Social Network Sites to Hidden Digital Photo Information, Cell Phones to Email Analysis, and Online Stalking to Protecting Your Business' Documents, it is all here. This workshop is very "hands on" and conducted in a live online environment. Perfect for yearly employee training. Solutions on how to protect yourself, your family, and your business are clearly explained along with free software applications. Contact me for details.
In my presentations, I discuss how KeyLoggers can record everything you type on your computer into a text file. These files will then automatically forward to a criminal so that he or she can steal your identity or empty your bank accounts. Until recently, many of these small programs were undetectable. I am now using a free program called KL Detector to conduct weekly scans for keyloggers. This program is unique as it works by scanning your local hard disk for any log file created during the monitoring process. Most keyloggers will eventually save the recorded data into a location in the hard disk. KL-Detector will inform you of such log file. This way, the program can detect all keyloggers, both known and unknown. It is a "Portable Application", meaning that it does not require an installation process. It can be executed from anywhere, including a portable flash drive.
The most important part of using this software is to follow the directions presicely:
Close and terminate all running programs
Run the KL Detector program
Click Next
Open a word processing program and type something for a few minutes
Allow the program to run at least 10 minutes
Double Click the icon in the System Tray to learn of any suspicious software.
Due to the nature of this program, it is very possible to discover false positives. A report of suspicious software does NOT mean that you have a keylogger. It may be something else that is still running on your system.
This program is available at the Links Page of my site, or directly from HERE
I have added over 20 new links to my presentation on using the Internet to find information about people. This is commonly used by parents to find out what their children are posting. This can also be used for background checks, locating people, or finding out what is available about YOU out there. I offer two options for this session. A one hour option covers the most beneficial sites to get data quickly. The two hour session expands to the entire 98 sources of information for a complete view of the person you are searching.
The current sites I discuss are here:
Personal Information Links
