social network – Xc0re Security Research Group

Downside of keeping everything public – ICWATCH

Posted on July 12, 2017 by Usman

I have been writing and preaching about Social network information harvesting and why it is a bad thing (Check out the post here). I recently stumbled upon something, which is, publicly known though, but still worth mentioning. The mentioned “something” is a very good example of why too much information about one’s self is never a good idea.

I was having some fun with Riddler the other day. For those who do not know what Riddler is, well it is F-Secure’s search engine for web domains and much more. Unlike Shodan where all ports are scanned and then the headers are saved in a database, Riddler can be used to query about specific domains and subdomains and get some very very interesting information. So, as I was saying, that I was having fun with Riddler and I stumbled upon a strange subdomain of (Strange subdomain).

The ICWATCH, contains public database of mainly LinkedIn profiles of people in the United States government employees. Though the website is publicly known. It was quite astonishing to see how much information people have posted on their Linkedin accounts. It makes sense if someone is in sales or normal private sector job, but giving so much information and revealing what the person does, for intelligence community is, well not advised, in my opinion.

Back to the point, open-source intelligence (OSINT) is completely legal and any person/agency can easily gather information about anyone without committing a crime. I usually talk about advertisers, malicious hackers, social engineers etc, who use this to take advantage of the information collected and harm innocent users. People should keep in mind that tracking people across multiple social networking platforms is a trivial job nowadays, for a skilled hacker.

It is very important, not to disclose personal information on the internet. Especially social networks like Linkedin, Facebook, etc. Sharing personal stuff is never a bad thing, but people should be smart about what they share. If you are working for the government, there is no need of writing everything about what you do, on your Linkedin profile.

Peace!

Follow @Xc0resecurity

Facebook ! A Datamining Tool !

Posted on December 6, 2011 by Usman

Hello every one ! Here I am , again criticizing Facebook ! What can I say ? There is so much going on with Facebook that one can write and write and keep on writing ! Though its a great publicity stunt , in other words I am helping more people join Facebook by criticizing it again and again ! This is usually called Negative Publicity , but what the hell Facebook doesn’t need my help to get people now does it ?!

Well whats happening is that the whole world is converging to this social network concept . In offices , unless it is blocked , people stay logged into Facebook , the whole time. First of all I would like to explain what datamining is , for all the people who aren’t familiar with the term? Data Mining is , in a nutshell , process of collecting and harvesting data from different sources and then storing the data to find patterns. Facebook has suddenly started to act very weird. The algorithms used , try to find out the most deepest darkest secret by asking strange questions. For example my album’s picture pops up and I am asked for the location of the album. Why the hell would I want to enter that?

Similarly if we notice , we can see that at first what we entered as random captions , now get saved into specific variables of the backend database. For instance we used to set the caption of a picture as “Me and my bro at moms place” , now Facebooks asks , “Where was this photo taken” “Who were you with” “Caption” ! Now for any programmer or a person who knows how searching can be made efficient , isnt this the faster way to find out stuff ? Or is extracting data from a caption more easy? Its for you to think .

Lastly Facebook is going to a great length to , not letting its users leave Facebook. You would probably be wondering “ahan ! for example ….” ,well try deleting your account from the Accounts option in the top right corner (as is in the current version of Facebook) .

Now to delete the account permanently with every thing including pictures , albums etc go onto the following link !

http://www.facebook.com/help/contact.php?show_form=delete_account , Click Submit !

Notice that the form is displayed through the contact.php’s parameter (show_form)! Now who in the world would have guessed that?

If we sneak peak into the future , then it can safely be said that in the near future , law enforcement agencies would not require high tech surveillance equipment to track any body or get evidence or any thing for that matter , they would just check the Facebook account of that user and a treasure of information would be visible to them. Pattern recognition is currently going on but not on a very large scale .

Its Some thing to think about.

Peace !

Follow @Xc0resecurity

Gatecrashing the Google+ Launch Party

Posted on July 1, 2011 by Usman

[ Disclaimer: All the material shown on this website is for educational purposes ! We would not be held responsible for any illegal use of the material by any one ! ]

Google+ the new buzz in town !! I see every one on Facebook , commenting about Google+. What is Google+ ? Well it is a social networking project by Google. It has alot of very nice features. Though its not mature enough but still the limited release is very nice. As it is a limited version so even if you Invite some one , they would go up on the page and it would not let you get in . A message saying that the limit has been exceeded.

Today Mr. Usman Ahmed and Mr. Ali Raza Khuwaja , friends of mine who are Penetration Testers working with me , found a work around for inviting people for sure. The fun thing is that it has a 100% success rate uptil now.

The bug found , basically takes advantage of the Circles feature. If you directly send the invite , their would be a problem but if you goto your Home page and in your update section Write any update and just beneath it is an option for adding a Circle (group) to whom the update would be visible to. Write the email address of the Gmail person as a Circle and post it.

After a while your friend would receive a mail saying:

<< Update on Google+ >>
[Hyper link to Google+] ==> View or comment on <<Your Name>> post »
The Google+ project is currently working out all the kinks with a small group of testers. If you’re not able to access Google+, please check again soon.

Just click on the hyperlink and your in.

Peace !!!

Facebook Intelligence Or Deception

Posted on June 29, 2011 by Usman

Today I would like to tell you some thing that I noticed a while back in our favorite hangout spot , Facebook ! In today’s world there is nothing that can be called plain and simple.Every thing from Google Search results to Facebook’s friends feeds , are controlled by Algorithms that basically, in simple words control how you see the information.

In Facebook what happens is that it detects and stores your Clicks. Clicks could be any thing ranging from clicking on the like button on some friend’s video or status or comment.Similarly it creates trends of users , for example usually you see that the advertisements shown on your home page are different then that of your friend’s home page. This was harmless and sometimes helped the user to find something of interest in those ads.

Now the scary part. Currently in Facebook what is happening is that those friends with whom u get out of touch on Facebook as in don’t tag them or post any thing on their wall or perform any kind of activity , are automatically removed from the news feeds on your home page.That is you wont see any updates from that friend and you would think that the friend is not using his/her’s Facebook. When in actuality Facebook decided for you whom to see in your feeds and whom not to see.

So I am forced to ask that is Facebook becoming intelligent or is it deceiving us?

Now this for you all to decide!

Peace !!!