You are what you leak (2018)

I’ve told this story many times in person but I’m documenting it here so others can be horrified and amused…

Note: All of this was 100% public information that I could find via simple searches from my own account. I did not attempt to get additional access, hack any accounts, perform any social engineering, or purchase third party data.


Rewind about five years ago and I started getting team updates for a freshman high school football team outside Denver, Colorado. Since I live in Austin, I asked to be removed and forgot about it.

The next day, I got another update. I asked to be removed and moved on.

The next day, I got another update. I hit reply all – because all the parents were cc’d – and moved on.

The next day, I got another update. Now I was annoyed.

Time for Intelligence Gathering

Based on years of thinking and experimenting with social media, I decided to have some fun with those ~50 parents’ email addresses.

First, I ran them through LinkedIn. Whether it was a work or personal email, I was able to resolve most of their full names, head shots, employer, job title, and time in job.

I found my first gems when I discovered a US Federal Judge and Denver Post reporter were on the list. Further, I found one person who was 3+ years into their job but had a sudden uptick of inbound Recommendations. I suspect they were job hunting.

Then I checked with Facebook. Email alone would have been sufficient but full name and employer narrowed a few questionable ones. I found all but a handful – not the Federal Judge for example – and collected candid pictures and full names of significant others, siblings, some of their parents, and kids names. In many cases, I got personal phone numbers and in a few exceptional cases, I got their street address.

At this point, I had plenty of information to cause trouble. If I was interested in social engineering to collect more, I could have. Someone more evil could make those awful “your son has been in a car accident” calls.

Then I researched the kids. Newsflash: most kids are clueless. They’re not just a little clueless but horribly catastrophic-omg-I-can’t-believe-it clueless so I thought this would be fun. Based on the school district, I had pretty good ideas where they lived but I took it a step further. Teenagers generally have a job close to home but since freshmen rarely have jobs, I needed another angle. This time, I looked first for what church they attended and second for older siblings and their jobs.

Without exception, I got their phone numbers, pictures of their neighborhoods, and their best friends. In some cases, I got their girlfriends’ names and how much they interacted.

This is when things got odd. I found one father who was interacting with his son’s girlfriend a lot. Not just “I hope you enjoyed the game!” but Liking many pictures, commenting on numerous posts, etc. Luckily, I found her parents’ information too.

The Spreadsheet of Angst

All of this went into my spreadsheet. My spreadsheet had nearly 50 parents with detailed information on their jobs, their neighborhoods, who they interacted with, their kids, and who the kids interacted with.

Then I sent a single email.

I hit Reply-All again, included the high school principal and the legal counsel for the school district, attached my spreadsheet, and included a message similar to this:

Hi, I’m Keith Casey. I’m not sure how I got added to your mailing list but no one seems willing to remove me so I used everyone’s email addresses to learn about you via social media.

I’ve found a Federal Judge, a Denver Post reporter, a [title] who is looking for a new job, and a father taking a close interest in his 14 year old son’s girlfriend. That seems inappropriate.

Unfortunately, you and your kids share so much information on Facebook and LinkedIn, I know everyone’s names, many of your phone numbers, some of your street addresses, and – due to the football schedule on the school’s website – where your kids will be on Friday at 6pm. (see the attached spreadsheet)

Fortunately, I’m not a bad guy and will not use this for evil purposes but there are people out there who would. Please be sensitive about what information you and your kids share on your profiles.

My phone number is XXX-XXX-XXXX and feel free to call me if you want more information.

Yes, there is a line or two in there that could be menacing and that was the point. I wanted to shock people to help them understand the risk and consequences of sharing too much personal information.

I sent the email and waited.

Twenty minutes later, the school district’s lawyer called me to find out who I was and beg me not to share the spreadsheet further. I answered all of his questions and promised not to contact the press.

Twenty minutes after that, the lawyer called back with the principal on the line. The principal apologized profusely and asked how they could prevent this from happening again. For the coaches, I suggested sending updates via bcc or through a broadcast-only mailing list so that recipients’ email addresses are never exposed to each other. For everyone, I suggested removing home addresses from their Facebook profiles, removing the About information listed, and limiting whatever remains to Friends.
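To make the coach-side fix concrete, here is an added Python example; it is not code from the original post. It parses a constructed reply-all message to show exactly what a Cc header hands to every recipient (display names and employer-looking domains, the same starting points fed into LinkedIn above), then builds the same update the broadcast way, with recipient addresses only in the SMTP envelope and nothing in the headers. Every address, name and message line below is made up for the example.

```python
"""Added example (not code from the original post): what a reply-all with
every parent in Cc exposes, and a broadcast-style alternative that keeps
recipient addresses out of the message headers entirely.

All addresses and the sample message below are constructed for this
example; they do not belong to real people or organisations.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed sample: the kind of team update the post describes, with
# every parent visible in the Cc header of every copy.
LEAKY_UPDATE = b"""\
From: coach@example-school.org
To: parents-football@example-school.org
Cc: "Jane Doe" <jane.doe@bigcorp.example>, bob.roe@gmail.example,
 "Pat Smith" <psmith@courts-example.gov>
Subject: Friday practice moved to 4pm

Practice is at the south field this week.
"""

# Constructed recipient list used by the hardened builder below.
PARENTS = [
    "jane.doe@bigcorp.example",
    "bob.roe@gmail.example",
    "psmith@courts-example.gov",
]


def exposed_recipients(raw: bytes) -> list[dict]:
    """Return every address visible in the To/Cc headers of a raw message.

    These headers travel with every copy, so anything here is readable by
    every recipient and by anyone they forward the mail to. The display
    name and the domain (often an employer) are exactly the starting
    points the post's author fed into LinkedIn.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    found = []
    for field in ("To", "Cc"):
        for header in msg.get_all(field, []):
            for addr in header.addresses:
                found.append({
                    "name": addr.display_name,
                    "addr": addr.addr_spec,
                    "domain": addr.domain.lower(),
                })
    return found


def leaked(raw: bytes, recipients: list[str]) -> list[str]:
    """Which of `recipients` are visible in the message headers."""
    visible = {r["addr"].lower() for r in exposed_recipients(raw)}
    return sorted(a.lower() for a in recipients if a.lower() in visible)


def build_broadcast_update(sender: str, list_addr: str, recipients: list[str],
                           subject: str, body: str) -> tuple[list[str], bytes]:
    """Build a team update that names no recipient in its headers.

    Recipients go only into the SMTP envelope (the RCPT TO list returned
    first); the message itself shows the list address in To, Reply-To
    points back at the sender so a reply-all cannot fan out, and no
    Cc/Bcc header is written at all. smtplib.send_message would strip a
    Bcc header before sending, but never writing one means no client,
    archive or forward can ever surface it.
    """
    msg = EmailMessage(policy=policy.SMTP)
    msg["From"] = sender
    msg["To"] = list_addr
    msg["Reply-To"] = sender
    msg["Subject"] = subject
    msg.set_content(body)
    envelope = sorted({a.strip().lower() for a in recipients})
    return envelope, msg.as_bytes()


if __name__ == "__main__":
    for r in exposed_recipients(LEAKY_UPDATE):
        print(f"exposed: {r['name']!r:14} {r['addr']:36} domain={r['domain']}")
    env, raw = build_broadcast_update(
        "coach@example-school.org", "parents-football@example-school.org",
        PARENTS, "Friday practice moved to 4pm", "South field this week.")
    print("envelope recipients:", env)
    print("still leaked in headers:", leaked(raw, PARENTS))
```

In real use the `envelope` list is what you hand to `smtplib.SMTP.sendmail(sender, envelope, raw)`; the parents never appear in the bytes that are delivered. Setting `Reply-To` to the sender is the "broadcast-only" property: a reply, or a reply-all, from any parent goes back to the coach rather than to the group, which is what stopped working for the author in the first place.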

I also named the father with the numerous interactions with the girlfriend. I stressed that it could be 100% above board but even then, it seemed excessive. Having a pointed conversation now could head off problems later.

Then I deleted the spreadsheet.

How do I protect myself and my family?

Odds are you’ve put so much information out there that it’s hard to ratchet it back. In fact, Facebook, Twitter, LinkedIn, etc, etc make a ton of money collecting and reselling this information so it’s in their best interest to not really delete it even if you remove it.

If you’re trying to protect yourself, I suggest you start simply:

  • First, understand the difference between friends vs friends of friends. You may only have 100 friends but if one of those has 1000 friends, your information is being spread far and wide.
  • Never, ever, ever list your home address. There is no upside whatsoever.
  • Avoid posting pictures of your house. They’re not as searchable/usable but a person can still make use of them.
  • If you post pictures of your car, cut out the license plate and take those pictures at a park or somewhere not in front of your house.
  • Limit the pictures that non-friends can see.
  • Lock down your phone number to Friends.
  • Remove what relationship information that you can and whatever remains, lock that down to Friends instead of Friends of Friends.

There are no foolproof ways to protect everything but you can make yourself a harder target so the evil version of me moves onto someone easier.


