Age/Gender: 25, Male
Location: Canada
Job: Freelancer
I talk about and express gangsta, music, art, politics, programming and computer security on NG.
Latest News
"The moment you're online, no matter how you hide, people still find your line."
===
This post is for educational purposes. Read the side notes at the bottom for more info.
===
The reason I am writing this note is to strongly express my concern about, and confirmation of, my 4-year-old hypothesis: how safe are our identities?
I was shocked to find people's social/insurance numbers and home addresses, even blood types and birthdays. These are exactly the things that are not supposed to be on the Internet. And I only conducted a low level of doxing through coordinated search(es). Why the fuck is this shit online??
The potential danger of this problem is unimaginable. There are more than 101 ways to exploit, use and harm people on the net. As long as yer attacker(s) have creativity and evilness, your life is fucked up.
You may see this list as BS, a troll place or even trash. Fine. I won't mind. I am writing this just to have a link for a more serious report, since I don't want to make an extra blog on other sites. Keep in mind, I can't help you if you can't help yourself.
===
For a while I learned how to dox, a method of identity searching/harvesting which is sometimes combined with social engineering and can even require a mid-to-high level of hacking.
From my very first experience with this type of analysis, I was extremely suspicious of the search engine databases. I could go deep, to a level where the data is not supposed to be there.
Then I built up my supporting statement on this problem. As I slowly concluded my points, there are 3 levels of human resources of identity data:
Level 1: The External
Description: This is the most basic level; you cannot hide everything from normal search engine databases. Such as:
- Online assumed* name of victim(s).
- Email(s), WHOIS database, DNS, DNS's region, IP(s), assumed* server operator's phone and address.
- People related to victim(s).
= Attack Skill and Requirements: Strong knowledge of search engine usage, such as Google Dorks/Hacking, multiple real-time search engines, basic-to-advanced WHOIS, tracing, real-time domain tracking.
Level 2: The Internal
Description: This level needs a combination of mid-level doxing and social engineering. This level is also a cross between extra data harvesting and confirmation of the previous level. Such as:
- Online confirmed* name of victim(s).
- Victim(s) Real Name (Full).
- Age(s) and Gender(s).
- Confirmed* victim(s) current phone(s) and address(es)
- Victim(s) previous address(es) and phone number(s)
- People related to victim(s) and their personal data.
- Password(s).
+ Extra riff-raff: Career/job(s) and previous one(s), confirmed* real life favorite(s) and interest(s), relationship(s), family, pet's registered data (if has/had), educational places such as elementary/high-school(s) and college/university, educational diploma(s) information, workplace(s), activities.
+ Last but not least: confirmed* victim(s) personalities. (Not a personality assumed through social engineering; that's why I call this level part of confirmation.)
= Attack Skill and Requirements: Veteran knowledge/skill of search engine usage and social engineering. Well made-up fake/pseudo identity. Advanced identity generation. Advanced coordinated attack planning. Tons of backup plans. Cunning. Decent knowledge of exploitation.
Extra attacks required, using blind/GHBD attack (if victim(s) has/have a website/login database): SQL injection, XSS, PHP injection, dictionary attack, brute-forcing.
Level 3: The Root
Description: This is where you could kill your victim(s), psychologically and even physically, if your victim(s) is/are an enemy. It is fucking difficult to carry out this level; it requires losing some resources, common sense and patience.
I scrapped/destroyed all the victims' data and my hard disk ($78 bucks T.T) once I confirmed this level, because it could send me to jail for a lifetime and worse. Such as:
- Social number(s).
- Healthcare data (if has/had).
- Confirmed* birthday(s) and gender(s).
- National ID number(s).
- Bank/credit data. CVV/CDC numbers, without social engineering.
- People related to victim(s) and their ID numbers.
- Private/public transaction(s). Such as Paypal, European Union.
- Confirmed* national background(s), religion/belief, culture(s), exact number of spoken languages.
(These could be found with the 2nd level and even the 1st if the attacker is in luck. However, I came across some pretty shitty results and had to conduct this damn level to confirm. FML!)
+ Passport data.
+ Blood types.
+ Health and sickness info. Meds and pills taken/being taken.
+ Salary.
+ Crime record(s) (if victim(s) has/have/had).
+ Tax data.
++ Extra shit: Family tree, ancestry(ies), 2nd confirmed favorites, family members' data and personality (if had/have). (Just for the joy; my creativity and tiredness-holding had limits...)
= Skill and Requirements: I don't know how to describe the skill for this level because I am confused about my own skill too, since it was mostly based on luck. But I am 100% sure you need heavy and concrete knowledge of database searching, scientific/logical intuition, strong programming skills, data exploitation and cryptology.
Also, it sometimes needs combinations of physical social engineering, dumpster diving, stalking, information harvesting and physical contact with victims to confirm your online info.
Extra matters: For the first attempts I relied heavily on search engines and data spoofing. It was extremely difficult, since my covers could be blown and the data was unconfirmed. I finally wrote a custom database spoofing/harvesting program. I also used my password cracking program.
To cover my IP and such, to avoid tracking during this level and the 2nd one, I use public and anonymous access such as library computers, university/Internet cafe computers left logged in, remote stolen botnet victims from worldwide, cracked WiFi networks. I don't trust VPNs, Tor and proxies, not even my botnets.
===
Concerning
There were over 500 coordinated attacks carried out to confirm, on all levels. 27 failed on the last level.
I carried out various aims on victims of different nations, especially on the countries whose security reports I was biased on, within 2 years.
They were: China, USA, Canada, UK, Germany, Sweden, Switzerland, Finland, Iran, Israel, Japan, Korea, Egypt, S.Africa, Italy, Greece, Mexico, Chile, Argentina, Brazil, India, Russia, Ukraine, Serbia, Vietnam, Singapore, Thailand, New Zealand, Australia, Austria.
The countries that I have the least concerns: Germany, Sweden, Switzerland, Finland, S.Africa, Austria, Israel.
The rest are fucking dangerous, excluding the UK and USA. They are in between.
The problem is information leaking by humans, not machine error. Truly PEBKAC. People love to post their shit everywhere. Some even think that a few levels of fake identity could hide them. They don't scrap their leftover data. Random Facebook socializing. And more socializing shit...
I could imagine a bunch of security experts bunched together at sec conferences, talking about software security like a boss. But I have yet to find a decent/good report and speech on sec errors by humans. Fuck Hack in the Box and SecTor.
Here are my questions for the world's governments: Why do you let our private data leak out so easily? Any motives? Why don't the sec experts who work for gov stop the leak? Why are the private info databases online? Shouldn't they be secure and only be accessed by top gov agents?
===
Conclusion
Like I said, there are hundreds of ways to exploit and use this harvested data. But here is the list of the matters that concern me most:
= Future use for phishing and spoofing by spammers.
= Treasures for advertisement and survey companies.
= Fake identity creation by criminals and illegal immigrants.
= Foreign government usage for spying, rendition and assassination. (The recent Mossad assassination.)
= Foreign governments' cyber-warfare exploitation.
= Can your own government(s) exploit yer info and use it as in all the shit above?
---
I'm not like other security experts; in fact I hate to call myself a sec 'expert'. I do overlook this problem as black and white. It has a pro too, although a relatively small one. Here is the pro:
= If you are looking for a lost friend, family member or an exiled person that you have known for a long time, this 'attack' is very helpful. With limited information, you can find the exact data. I did this for my sister and cousins to find friends they had lost physical contact with for a very long time.
===
Solution, or Question?
Better safe than sorry. I think you can keep your exposed data as little as possible.
Never put your data online. Use a fake identity. Never expose any data related to your real identity. Don't ever assume that you can fake one thing but put in a real another; you are fucked up either way. Stay suspicious, all the time. Watch out for attempted social engineering by strangers; you can fall into the trap anytime.
I love how conservative people criticize folks who are concerned about privacy, yet they don't know or care about the potential dangers in this matter. Please do not be like one of them.
===
Side notes: All the coordinated attacks were carried out by me. All the targets' data collections were scrapped and destroyed once the charts, graphs and confirmed reports were written down. Although, I can re-harvest again if needed for future supporting and confirming facts. Targets were randomly chosen per country. I have graphs, charts and reports on this matter. PM me if you want more facts. I do not and won't show/help people to do this attack, nor share my tools.
I can cross my fingers and bet my life that all the data I have collected is only for the work of this research.