Broadsword2004
11-23-2010, 18:54
So this guy is a former hacker and now network security engineer. Basically some guy sent spam to him, so for purposes of demonstration, he used this guy's e-mail to show just how much information you can obtain on a person with the Internet: LINK (http://www.attackvector.org/invasion-of-privacy/) and LINK2 (http://www.forbes.com/2010/11/09/secrets-of-online-snoop-technology-snooping.html)
Interesting site. I think he laid a bit too much of the offending spammer's info out there though.
This was extremely informative. I actually googled my email addresses. Thankfully...not much of anything came up. Not that I do anything wrong LOL.
I passed this on.
Broadsword2004
11-24-2010, 18:52
I was reading that one thing to make sure of, if/when registering a domain name, is to get a private registration.
Irishsquid
12-27-2010, 13:02
Interesting site. I think he laid a bit too much of the offending spammer's info out there though.
No such thing. Spammers deserve to have their entire lives laid bare. Note, I mean actual spammers. Not some poor sap whose machine got pulled into a botnet as a mail relay.
perdurabo
12-27-2010, 13:35
Not to be a spoilsport know-it-all, but these articles are pretty trivial. Almost any computer tech knows about these basic methods. These articles didn't seem to cover the more useful tools, like "web bugs" (especially with remote images), JavaScript/XSS attacks, and so on.
You can combat the above steps by turning off "View remote images/contents" in your email client, and by changing the email viewing setting to "plain text". You'll lose your neato colors and fonts and pictures by default, but you'll be safer. You can always flip them back on when you want to view a colorful email from a trusted source.
If I can trick your email client or YOU into hitting my web server, I can get obscene amounts of information about your computer.
Also, be advised that geo-locating IPs is rather hit and miss these days, depending on the network provider of the destination IP address. Providers adjust routes frequently, even daily or weekly. But, they don't normally adjust DNS records.
So, for example, you'll see a wa.comcast.net address but it's now in California this week, and back in WA the next week. CenturyLink is "notorious" for this.
A better way is to "traceroute" to the destination IP address and pay attention to the DNS names and IP addresses of the router hops. These will not be transitory and you'll get a good, accurate geolocation.
When I get email addresses or a name (even a partial) then I'm golden. Then I start hitting sites like Intelius and Pipl to start compiling dossiers. I'll have full names, phone #s, additional email addresses, Facebook, Yahoo profiles, pictures, physical addresses, legal actions, voting records, relatives (who also then get dossiers assembled on them, because they are important attack vectors to get to my target). 90% of the time, I can get the information I need without spending a dime on the services I use.
To do your best to combat this, limit your attack surface on the Internet:
- Use different passwords for each site. This is critical.
- Refrain from creating accounts on sites, unless you have to, and make sure it's a reputable business. Organized cyber-criminals set up web apps to do neat stuff like display a dancing frog, but you'll need to sign up for an account, just enter your username, password, and email address (most people will use the same password they entered for the email account they gave). Once they get access to your email account, you've probably got all kinds of notifications from your bank, your investments, and your porn site memberships, and you're probably using the same password on all of those. As an alternative, look into using services like LogMeNot, that have generic, community-created accounts with bogus data. I use this for nytimes.com all the time.
- Research and use the strictest privacy settings on Facebook, or better yet, don't use it at all.
- Submit removal requests to people finder sites, although from what I've seen they rarely work.
- Spread disinformation. Create Yahoo/Myspace/Facebook profiles with your real name but slightly changed bogus data, such as address, phone number, or name spelling variations.
- Educate friends and relatives (especially wife, parents, your kids) about online privacy. You might be the elitist mall ninja on the planet, but if Mom keeps posting public photos of you on Facebook and tagging them, you're hosed.
- Set up your own "counter-intel" web bugs using Google Analytics (if you're not savvy) and bogus web links that point to a PHP file that logs all of a visitor's browser variables (if you are savvy). These will provide valuable intel and will show you what search terms brought visitors to your site. If you see a lot of searches for "Mr Team Sergeant", you know someone is "researching" you.
- Go to google.com/alerts and set up alerts on Google Alerts for you & your family's names, your addresses, your phone #s, etc. You'll get emails daily about new hits that crop up on the web. You'll need to do a little tweaking of the search terms as you go, for the first week or so. Google Alerts are private and reasonably secure, so if you enter sensitive search terms for your alerts, they shouldn't start showing up in Google or be viewable by others.
I hate to mention this story, because I really regret it, but it kind of illustrates the point. I was beginning work on a paper for a very similar topic. As part of the paper & in my infinite wisdom, I wanted to give an in-depth but general walk-through of an attack scenario. On the way to work one morning, I ended up picking out a random person walking into a random house (I knew nothing about the person nor their address, except that they were female and that she was likely in her 20s). Using only legal research methods (a criminal isn't going to care about that part) I approximated their street address using Google Maps.
I ended with knowing everything (I even knew what healthplan they were on) about the person and their spouse. I also found rather explicit nude photos of this couple posted "anonymously" on Reddit. Needless to say, I felt sickened about the invasion of privacy and regretted this idea. It was a bit too effective & I won't be doing an experiment like this again, but it illustrates the dangers. Again, everything was done using legal web searches and connecting small bits of data with a little bit of hunch following. Imagine what criminals doing this full-time and using illegal methods (breaking into accounts) can find.
References:
http://en.wikipedia.org/wiki/Web_bug
http://en.wikipedia.org/wiki/Traceroute
http://intelius.com
http://pipl.com
Hope this helps somebody. I'll probably be going back and editing this post as I go, so check back.
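
An added example, not part of perdurabo's post or the linked articles: a Python check that lists what an HTML email would fetch if "view remote images" were left on, and shows that the plain-text view fetches nothing. The sample message, the `tracker.example` host and the 1x1/query-string heuristic are assumptions made for illustration.

```python
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Constructed sample message; hosts and addresses are placeholders.
SAMPLE = """\
From: sender@example.com
To: you@example.org
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Hello, see our newsletter.
--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Hello</p>
<img src="https://cdn.example.com/logo.png" width="200" height="60">
<img src="http://tracker.example/open.gif?id=you%40example.org" width="1" height="1">
<img src="cid:inline-logo">
</body></html>
--b1--
"""

class RemoteFinder(HTMLParser):
    """Collect tags whose src makes the mail client contact a remote server."""
    def __init__(self):
        super().__init__()
        self.hits = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        parts = urlsplit(a.get("src") or "")
        if parts.scheme not in ("http", "https"):
            return  # cid: and data: references cause no network request
        # Heuristic (assumption of this example): 1x1 size or a query string
        tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        self.hits.append({"tag": tag, "url": a["src"],
                          "likely_bug": tiny or bool(parts.query)})

def remote_content(raw):
    """Return every remote fetch the HTML part(s) of a raw message would cause."""
    finder = RemoteFinder()
    for part in message_from_string(raw, policy=default).walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    return finder.hits

def plain_view(raw):
    """Return what a client set to plain-text viewing would display."""
    body = message_from_string(raw, policy=default).get_body(preferencelist=("plain",))
    return body.get_content() if body else ""
```

Run against a saved `.eml` file, `remote_content` shows which hosts would learn your IP address and the time you opened the message before you decide to enable images for that sender.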