This is a little Creepy

Imagine the ability to type in someone’s Twitter handle and find out everywhere that person has been. Their local coffee shop, office building and even the street they live on. A little app called Creepy has made some waves with privacy advocates,  because it does just that.

Cree.py is an application that allows users to gather geolocation related information about other users from social networking sites and image hosting services. The information is presented in a map inside the application’s interface where all the retrieved data is shown accompanied by coordinates or other relative information.

Creepy’s location information is obtained from various sources including: EXIF tags from photos, geolocation feature from hosting API, coordinates from mobile devices and IP addresses transmitted from web checkins. Platforms currently supported are: Twitter, Foursquare, flickr, twitpic.com, yfrog.com, img.ly, plixi.com, twitrpix.com, foleext.com, shozu.com, pickhur.com, moby.to, twitsnaps.com and twitgoo.com. The one catch is that this application only works if the user has location sharing turned on within the platform settings.

Try using this app the next time you have a Skip you’re trying to locate or a target you are trying to serve process. It just may be the tool you need to close that case. Like any application, it has its limitations. But I think it is a worthy weapon in our arsenal.

Creepy may be downloaded from here: http://ilektrojohn.github.com/creepy/

Keep following those virtual breadcrumbs. ~ The Hi-Tech P.I.

Searching High and Low

There are many ways to confirm someone’s residence during an investigation. Now depending on local laws, some of these methods could be illegal, so always verify beforehand. In order to find Intel that will confirm a suspect resides at the alleged address, an investigator will sometimes examine letters in the mailbox, look at trash in garbage cans or just wait around for the resident to appear. In some situations they may even have a neighbor or local mail carrier confirm residence, but that is only if anonymity is not a concern. Now the aforementioned ‘low-tech’ methods of confirming residence are usable, but let us explore a couple of high-tech methods as well.

Our first high-tech method requires a WiFi enabled device, e.g., smart phone, tablet or a laptop. Once parked in front of the suspected residence, open your WiFi device’s Wireless & Network settings. A screen similar to the one pictured below should be viewable, revealing a list of available networks. Each network is represented by an SSID aka network name. Some SSID’s are gibberish, but many will be customized by the owner. So if you were sitting outside my house and searched for a WiFi network you may see ‘The HiTech PI’ (example only), along with a strength indicator, which is an added bonus because the closer you get to that residence the more confirmation you will have. As you can also see I have a neighbor by the name of Wesley and another Madison, both true. I have seen many people use good indicators like “Holmes House” or “Craigs Cave”.

The great thing about using SSID as confirmation is that it is in real-time. You know that the resident has current internet service at the address that is broadcasting the signal.

Another high-tech method used to locate/confirm residence are location based social networking platforms such as Foursquare and Gowalla. Along the same lines of network names, are user created ‘venues’ or places with their own names incorporated in them. For example my friend’s home may be a venue called “Joe Smith’s Garage”, which usually lists an exact address or cross street. Even though it may only list a cross street, since these are GPS enabled apps, the marker on the venue map is often an accurate GPS placement. The Foursquare method can be utilized when you are in the area of the suspected residence, or alternatively, venues may be searched at http://www.foursquare.com, where they can be narrowed by city and zip.

Keep following those virtual breadcrumbs. ~ The Hi-Tech P.I.

A Warrior Poet – Bob Holmes (1948-2004)

If I could ever describe my father in two words it would be a “Warrior Poet”

The Warrior Poet- The ‘Warrior’ part of the name is there for a reason. He has lost none of his edge from his rowdier days, and will not hesitate to make use of his fighting skills when all other options have been exhausted. He merely asks questions before he strikes.

Anyone that was lucky enough to know him, knows that the above describes Bob to a tee.  He was one of the most affable tough guys I have ever known. Always quick with a left hook, but quicker with a smile.

As much as we men strive to be our fathers, there is always some aura that we lack, and of course that is what makes us individuals, but it is also what makes us incomplete. ~ Jason Holmes

A Virtual Ghost Town

When the sub-prime mortgage crisis hit the US in 2007, many people lost their homes, either due to financial issues with their mortgage, unpaid taxes or both. This naturally created abandoned real estate, or ghost towns. These empty properties continue to make nice neighborhoods look not-so-nice and in turn, drive down property values.

I am no financier, mortgage broker or salesman. I am an Internet investigator. So the real estate I deal with is not “real” at all, it is more like Virtual Estate. Lately, when I  walk around my neighborhood (the Internet), I increasingly find ugly, unkempt ‘Virtual Estate’ everywhere. You see, when sites like Geocities (of 80’s & 90’s fame), or more recently Myspace, discontinue proper upkeep of their websites, it creates an abundance of pages with broken links and improper formatting. This equals ugly.

Now until these slumlords of the Internet decide to fix-up or shut down their abandoned Virtual Estate, the task is left to the user.

The average user may not necessarily care that their old Myspace or Bebo profile lay in disarray. But the unsightliness of these webpages is not the only reason a person should close down unused profiles. The other is the big ‘P’, Privacy. You would not think it prudent to drop a copy of your driver’s license and credit card in envelopes all around town, would you? By leaving these abandoned profiles online, data is left open to not only investigators like myself, but also criminals. Think for a minute about how much data is stored in your online accounts (ex. Name, Address, Phone, E-mail, Secret Questions, etc.)

If you look at the extensive list of companies and their customers that were recently effected by data breaches, you will see just how susceptible we all really are. As Internet users, we need to be responsible, keep our lives somewhat private and be careful with whom we share our details. I personally do not accept friend requests on Facebook from those who I only consider acquaintances. After all, they are called ‘Friend’ requests for a reason. I also closed my Myspace account over a year ago, due to the same non-use as described above.

As an Internet investigator and privacy fanatic, I implore everyone to sit down and make a list of all websites they have ever created a profile or account with, then determine which ones are no longer in-use and start spring cleaning. Just go to the target website, where you will likely find instructions on how to close your account, which are usually searchable in the FAQ or Help sections.

For additional reference you may also utilize a helper website like www.deleteyouraccount.com, which assists in finding the instructions for you.

Now help make our Virtual World a nicer place in which to live and place that trash at the curb! ~The Hi-Tech P.I.

Copycat

Conducting internet investigations is tedious at times, especially when you run out of corners to look in. The truth is that, there is always more data to find online than what is initially apparent. An exterminator once told me, “If you see one bug on the floor, you can bet there’s twenty more behind the wall.” The same goes for online information. If you find one piece, you can bet that there are several more waiting right around the bend.

One method is to search shared information. If you find another site hosting identical information, then you will have another data source to harvest. This is what I call a virtual-breadcrumb. Say if one of your suspect’s websites has contact information listed, we can Google that data and perhaps find a related website. One problem with searching for similar sites using a common search engine, is the plethora of junk results returned. If you search a phone number, you are almost guaranteed to return page, upon page of reverse phone number search sites (likely owned by Intellius).

This is where I recommend trying a plagiarism checker like Plagiarisma.net or Copyscape.com. If your suspect’s website is an e-commerce site, you can bet that they will likely have another. For reasons of simplicity, many site admins re-use common pages on their websites like; Privacy Policy, TOS, and About US. These pages are where you may find your next virtual-breadcrumb. A search of your suspect’s site URL through one of the above plagiarism checkers will give you a list of websites that share that site’s information. You can then verify the new site, and if connected, you have another source to harvest for Whois data, analytics, etc. ~The Hi-Tech P.I.

Spying? There’s an app for that.

In the detective profession, you will undoubtedly one day have a client or prospective client who is so paranoid they think their neighbor can hear inside their house or their ex-boyfriend can secretly access their mobile phone. A person would usually assume that this is just paranoia brought on by some rivalry between two former friends or ex-lovers. Afterall, how easy is it to bug a house or surreptitiously monitor a mobile phone? Well the latter just got a little easier. A new Spyware program, created by mobile app developer DLP Mobile, was recently released called Secret SMS Replicator. This Spyware may be downloaded and installed on smart phones running Android OS. Once installed on the target mobile phone, the software is programmed to forward every text message received on that phone to a phone number of choice by the installer. To top it off the program runs silently and remains undetected in menus and processes. Apparently the only method of removing this malicious software is to delete the contents of the phone, or the “installer” must text the target phone with digits “000” (or a predetermined code), but must be done from the phone the texts are being forwarded to.

Here is the advertisement seen on YouTube:

This intentionally malicious program is available for purchase to the public on Handango.com at this link Secret SMS Replicator for $19.99. As an Android phone user, I perused the Android marketplace and found software that advertises removal of the above, but it seems relatively untested. So next time a person tells you that someone is intercepting their phone calls or text messages, don’t be dismissive, ask first if they have an Android phone. ~TheHiTechPI

*UPDATE- The Secret SMS Replicator is no longer available at the above link. It may be available somewhere else on the net, but since I do not condone its use, I am not going to search it out. (shame on you for trying 😉

Heeere’s Johnny!

This is a repost of a very informative article from Lifehacker.com on 12/16/2010. The author is the CEO of web company iFusion Labs, and blogger John Pozadzides.

 

 

If you invited me to try and crack your password, you know the one that you use over and over for like every web page you visit, how many guesses would it take before I got it?

Let’s see… here is my top 10 list. I can obtain most of this information much easier than you think, then I might just be able to get into your e-mail, computer, or online banking. After all, if I get into one I’ll probably get into all of them.

  1. Your partner, child, or pet’s name, possibly followed by a 0 or 1 (because they’re always making you use a number, aren’t they?)
  2. The last 4 digits of your social security number.
  3. 123 or 1234 or 123456.
  4. “password”
  5. Your city, or college, football team name.
  6. Date of birth – yours, your partner’s or your child’s.
  7. “god”
  8. “letmein”
  9. “money”
  10. “love”

Statistically speaking that should probably cover about 20% of you. But don’t worry. If I didn’t get it yet it will probably only take a few more minutes before I do…

Hackers, and I’m not talking about the ethical kind, have developed a whole range of tools to get at your personal data. And the main impediment standing between your information remaining safe, or leaking out, is the password you choose. (Ironically, the best protection people have is usually the one they take least seriously.)

One of the simplest ways to gain access to your information is through the use of a Brute Force Attack. This is accomplished when a hacker uses a specially written piece of software to attempt to log into a site using your credentials. Insecure.org has a list of the Top 10 FREE Password Crackers right here.

So, how would one use this process to actually breach your personal security? Simple. Follow my logic:

  • You probably use the same password for lots of stuff right?
  • Some sites you access such as your Bank or work VPN probably have pretty decent security, so I’m not going to attack them.
  • However, other sites like the Hallmark e-mail greeting cards site, an online forumyou frequent, or an e-commerce site you’ve shopped at might not be as well prepared. So those are the ones I’d work on.
  • So, all we have to do now is unleash Brutuswwwhack, or THC Hydra on their server with instructions to try say 10,000 (or 100,000 – whatever makes you happy) different usernames and passwords as fast as possible.
  • Once we’ve got several login+password pairings we can then go back and test them on targeted sites.
  • But wait… How do I know which bank you use and what your login ID is for the sites you frequent? All those cookies are simply stored, unencrypted and nicely named, in your Web browser’s cache. (Read this post to remedy that problem.)

And how fast could this be done? Well, that depends on three main things, the length and complexity of your password, the speed of the hacker’s computer, and the speed of the hacker’s Internet connection.

READ THE ENTIRE ARTICLE HERE ~TheHiTechPI