April 19, 2007 11:36 AM PDT

Tool mines personal data from across Net

VANCOUVER, B.C.--Who needs to dive through dumpsters or steal snail mail when so many details on people are available simply by searching the Web?

South African security researcher Roelof Temmingh, known for his work on security tools such as Wikto, is taking the search for personal information a step farther.

Temmingh--who spoke at the CanSecWest security conference here Wednesday--has crafted a tool dubbed "Evolution" that associates data found in multiple search engines and social-networking Web sites such as MySpace.com and LinkedIn. It also uses other sites' tools to find information behind Internet Protocol addresses, Domain Name System entries, domain registration and more.

As a result, a search for a person will associate the individual with results found across the Net. The idea is that data found in one place can bring up results elsewhere. For example, an e-mail address may bring up a domain name, which in the next search may bring up a physical address.

The searches could also connect work e-mail addresses with home phone numbers and expose details such as which NASA employees use social-networking sites and find people at the National Security Agency who use Google's Gmail, said Temmingh. Evolution, currently in its early stages, does all that automatically, he said. Temmingh created the tool not just to demonstrate his skills, but also to highlight just how much personal data the Net holds, and how vulnerable it is.

The results can help somebody doing research into an individual, but they can also help a potential fraudster, Temmingh said. A search can expose information helpful for social-engineering attacks. Also, it can expose secondary targets as it will bring up information on individuals' alliances with people or organizations.

Another possible use is "virtual identity theft," Temmingh said. You can assume a person's identity by registering free e-mail addresses in their name, setting up MySpace and LinkedIn profiles as them and getting the identity out so it gets indexed by search engines, he said.

Unlisted phone number first line of defense
The simplest, quickest, and cheap-enough way to cut down your exposure on the web is to get an unlisted phone number. The web directories get their name/address/phone info on you from telephone listings, which your primary provider is obligated to sell to them unless you are unlisted. The $3/month you'll have to pay AT&T will be worth it in the long run. Without those listings much of the other info on the web about most people can't be pieced together into an identity.
Posted by Razzl (1318 comments )
Re: Unlisted phone number first line of defense
Razzl: You are exactly right. I recently took my name off for a couple of dollars a month too.
I had a college friend that could not figure out how their number is "on the internet". I laughed and told her to go to www.yellowpages.com and she said..."ohhhh". I continued to laugh.
Posted by drjackryan (12 comments )