Selling your house? Watch what you have in pictures

A picture is worth a thousand words, and in some cases thousands of dollars. There are many reasons you should hide or remove personal effects from your house before you take the pictures for the real estate agent. As it is, people already have the address from a real estate listing. If you leave enough personal stuff in pictures, you can give away the size of your family, your interests, and the valuables in your home. Real estate pictures can reveal a lot of information, such as whether you have a pet or kids, what type of games you like, and what type of food you like.

What could someone do with information about your family? They could figure out your name and find you online, either on Facebook or through email (pipl.com, for instance, is a good resource for finding out information on people). Suddenly you receive an email from someone offering family portraits for a good price. You click the link in the email, you’re sent to a website that does a drive-by download onto your computer, and you’re compromised. Either your surfing habits are now getting tracked, or a keylogger is installed on your machine and all keystrokes are being sent to an out-of-country server. Maybe your computer is now a zombie for a botnet that will participate in a DoS attack.

Going one step further, consider vanity plates. What can we learn from “Nana Lana”? Firstly, that the person who owns or drives the vehicle is a female. Secondly, that she has children and grandchildren. Thirdly, that her first or last name is Lana. This doesn’t give us any email addresses or other info, but it can give enough that someone could find her on Facebook. Search for Lana in the area where you saw the vehicle; it may seem like a long shot, but you may find that person after some trial and error. Depending on their privacy settings on Facebook, this can yield pictures of their family, so you can see the approximate number and gender of their family members. Then, based on that, you can create any number of social engineering attacks. Maybe this person has their grandchild in a picture with their name, so you can send a message like “Hi so-and-so I’m the parent of a friend of *insert name here* ...”

Finally, consider the screenshots you take and post online to get computer help or to share something. If taken of the whole screen, these shots can contain other tabs you have open in your browser, bookmarks on the toolbar, and search terms. From this, someone can learn your hobbies, interests, and the websites you frequent, which gives enough info for a social engineering attack.

For example, if I see you have kayaking as a last search term and you have a tab open about a camping site on a lake, I can safely assume you’re going on a trip soon, and therefore your house will be empty and ripe for the picking. If I am already an acquaintance and/or a friend-of-a-friend, I can easily get the dates you’ll be away, and I probably already know your address.

Now, taking all this into consideration, we have to think about the sheer amount of effort involved in getting this information and tracking someone down. Unless we know we’re going to score a big payday, or have a personal grudge against the person, it may not be worth it.

The point isn’t to make you excessively paranoid about what you reveal online or even in real life, but it should make you cautious. We live in a day and age when ignorance isn’t bliss but can be dangerous to your loved ones if you don’t use a little common sense. If you want to see what’s out there about you and your family, a good test is to google yourself. You can find out whether your online presence is non-existent or whether there is information all over.