Cybersecurity 101 - A brief introduction to protecting yourself online.

Oh yeah, I tried enabling the XenForo reverse image proxy, but the two problems with that are:

1) The image loggers can then launch identification attacks against the actual server, and
2) People had trouble copy+pasting the URL for stuff uploaded to the forum because it included the fucking proxy URL and the forum couldn't figure out what to do with those images.

I wish they'd fix that.

They could probably get around that by wrapping the pixel in a link shortener and url bbcode, Xenforo is kind enough to follow the link and open the image without asking. Not sure if the add-on addresses that.

The only solution I know is word filtering every link shortener in existence. Either that or disabling img and url tags in private messages but that's a bit extreme.
 
What's the point of removing exif data?
Do some people program their name on cameras and phones? Because I never did that.

It includes all kinds of things, sometimes even GPS data, although you almost have to deliberately turn that on. I sometimes use that particular feature because some GPS apps can use it right from the photo. So I have a directory of photos of places I've been that include GPS data and can get back to them even if I forgot where they are. This is especially useful for places that don't have street addresses.

Some funny things have happened with GPS, like some moron who worked at some fast food place was posting pictures of himself fucking with the food, and it included GPS data, so they tracked him down and reported him to his boss.

Also, a much more common thing is the exif including information on the camera used. If someone has ever posted other photos from the same camera with the same information, it can confirm a suspected hit. That's especially so if there's something else identifying about it, like for instance the camera's clock is off by exactly 26 minutes or something.

Usually, this shit doesn't matter, but it's so easy to disable that there's no good reason not to for the one time in a thousand that it does.
 
@Wilkins what's the actual risk of having your IP logged? As far as I know that just gives your ISP provider and location to within a few city blocks, and there's no way anyone can ring up an ISP and convince them "Hey my IP is X but I forgot my own name."

Are employees there really so unprepared that they can be routinely tricked by people claiming to be law enforcement or coworkers?
 
@Wilkins what's the actual risk of having your IP logged? As far as I know that just gives your ISP provider and location to within a few city blocks, and there's no way anyone can ring up an ISP and convince them "Hey my IP is X but I forgot my own name."

Most competent ISPs now keep logs for some period of time, so it's generally possible to connect an IP address to an actual customer, with some degree of accuracy. I'm sure they get it wrong from time to time or lose the logs, but part of best practices for DMCA compliance involves kicking off repeat offenders.
 
Most competent ISPs now keep logs for some period of time, so it's generally possible to connect an IP address to an actual customer, with some degree of accuracy. I'm sure they get it wrong from time to time or lose the logs, but part of best practices for DMCA compliance involves kicking off repeat offenders.

Possible for the ISP sure. How the hell would you talk that information out of them, though? They don't even like identifying customers to actual law enforcement.
 
Most competent ISPs now keep logs for some period of time, so it's generally possible to connect an IP address to an actual customer, with some degree of accuracy. I'm sure they get it wrong from time to time or lose the logs, but part of best practices for DMCA compliance involves kicking off repeat offenders.

It's a legal requirement in some places, I'm going to hide my power level here but it's quite remarkable what some governments want you to keep.
 
A public service announcement for our Tumblr friends:
[Attached image: Dynastia.png]
 
@Wilkins what's the actual risk of having your IP logged? As far as I know that just gives your ISP provider and location to within a few city blocks, and there's no way anyone can ring up an ISP and convince them "Hey my IP is X but I forgot my own name."

Are employees there really so unprepared that they can be routinely tricked by people claiming to be law enforcement or coworkers?

Nobody will ever be able to call an ISP and get information about a user's IP address, I don't care how good they are. They're going to need a name, DOB, and account number at the very minimum. They treat that shit like HIPAA, call center reps who fuck that up are putting their job on the line.

Having someone's IP address can help confirm (or debunk) dox that were obtained through alternate means. By itself it's useless, but it can prove to be an essential piece of the puzzle. Sometimes, rarely, people make public wiki edits with their IP address, or post on a forum that displays their IP publicly, so it could be the breadcrumb that leads to actual dox.

More concerning though is that if someone has your IP they can nuke your router for as little as $5
 
Nobody will ever be able to call an ISP and get information about a user's IP address, I don't care how good they are.

They'll often give such information to DMCA representatives claiming copyright infringement, since it's possible to get a subpoena pursuant to a DMCA action without even filing a suit. Some ISPs will just give it out rather than deal with it. Someone in a dispute with someone online, if that person has quoted their own writings, can even gin up such a subpoena with some degree of plausibility, and then it's an actual subpoena.

While in theory this is an abuse of the process, it's pretty rare for anyone to actually go after someone who has pulled this stunt.

Of course, some people have gone way, way out of line and gotten smacked down hard. (The lawyer mentioned, Marc Randazza, has also represented 8chan, among others. He's a monster who bites the heads off frivolous litigants and spits them back out at them.)
 
They'll often give such information to DMCA representatives claiming copyright infringement, since it's possible to get a subpoena pursuant to a DMCA action without even filing a suit. Some ISPs will just give it out rather than deal with it. Someone in a dispute with someone online, if that person has quoted their own writings, can even gin up such a subpoena with some degree of plausibility, and then it's an actual subpoena.

While in theory this is an abuse of the process, it's pretty rare for anyone to actually go after someone who has pulled this stunt.

Of course, some people have gone way, way out of line and gotten smacked down hard. (The lawyer mentioned, Marc Randazza, has also represented 8chan, among others. He's a monster who bites the heads off frivolous litigants and spits them back out at them.)

They'd have to release their own dox in order to submit a DMCA. If you're in the business of pissing people off that badly, probably should be investing in a VPN.
 
Nobody will ever be able to call an ISP and get information about a user's IP address, I don't care how good they are. They're going to need a name, DOB, and account number at the very minimum. They treat that shit like HIPAA, call center reps who fuck that up are putting their job on the line.

Having someone's IP address can help confirm (or debunk) dox that were obtained through alternate means. By itself it's useless, but it can prove to be an essential piece of the puzzle. Sometimes, rarely, people make public wiki edits with their IP address, or post on a forum that displays their IP publicly, so it could be the breadcrumb that leads to actual dox.

More concerning though is that if someone has your IP they can nuke your router for as little as $5


This is from SANS and covers some real world examples. Here is a toolkit you can use to help you on your way, but most of the time you won't need that. Most of the time you just need persistence and patience and you'll find someone who is just dumb or a people pleaser over the phone and you'll get an awful lot of that information. Even if they can't help, they can pass you up the chain of support, and most of the higher techs will assume you have already been DPA'd before being passed to them.
 
This is from SANS and covers some real world examples. Here is a toolkit you can use to help you on your way, but most of the time you won't need that. Most of the time you just need persistence and patience and you'll find someone who is just dumb or a people pleaser over the phone and you'll get an awful lot of that information. Even if they can't help, they can pass you up the chain of support, and most of the higher techs will assume you have already been DPA'd before being passed to them.

I'll put $500 down on anyone that wants to bet they can obtain user account information from a call center rep with nothing more than an IP address. You simply need more information. Your only hope is catching someone on their first day who slept through training.
 
I'll put $500 down on anyone that wants to bet they can obtain user account information from a call center rep with nothing more than an IP address. You simply need more information. Your only hope is catching someone on their first day who slept through training.

Gullibility in action:
They have one for a call center I'm trying to dig up.

And here is the first result for Social Engineering Call Centers. You can extract a lot of information from a call center that you can't get elsewhere, and verify other information you have got.
 
Nobody will ever be able to call an ISP and get information about a user's IP address, I don't care how good they are. They're going to need a name, DOB, and account number at the very minimum. They treat that shit like HIPAA, call center reps who fuck that up are putting their job on the line.

This is patently false. Social engineering is a very real thing and has been used to retrieve unlock passwords from even Apple in the past. If you're charismatic enough you can trick people into giving you what you want.
 
This is patently false. Social engineering is a very real thing and has been used to retrieve unlock passwords from even Apple in the past. If you're charismatic enough you can trick people into giving you what you want.

I've been in call center and telephone sales for 14 years. Good luck.

The conversation stemmed from a perp only having an IP address. With that information you will never make it through the front door.

"Thank you for calling Comcast technical support how may I help you."
"Uh hey I have my IP addresses, can you pull up my account?"
"What's your name and account number please."
"Errrr, John?"
"Excuse me?"
"Mark?"
"Sir do you know your name?"
"Steve?"
"Sir I'm going to have to disconnect the line."

Seriously, if anyone thinks they can get anything out of anyone with nothing more than a series of numbers to identify themselves, they are delusional. That's not how the real world works.
 
I've been in call center and telephone sales for 14 years. Good luck.

You don't call front line service people and ask for shit like this. They deal with that all day long and know not to give out data.

You call people elsewhere, who have access to that information but don't deal with ween calls all day long.

And you pose as people they actually deal with on a regular basis, requiring knowing these roles.

And I should stop this post now before I get more powerlevel ratings.
 
You don't call front line service people and ask for shit like this. They deal with that all day long and know not to give out data.

You call people elsewhere, who have access to that information but don't deal with cool guy calls all day long.

And you pose as people they actually deal with on a regular basis, requiring knowing these roles.

And I should stop this post now before I get more powerlevel ratings.

Okay so assuming you know how the inner hierarchy of Comcast tech support works and assuming you know the direct line of a Tier 3 specialist and assuming you know their in house verification process, ultimately you still have to find a valid reason for knowing the contact information of a specific IP address, something for which they're all trained to know the company needs a subpoena in order to release.

Yes SE is possible and yes it can be done, but no I don't think you or anyone else is going to get very far with nothing but an IP address. You'll have better luck penetrating their databases.
 