Tool mines personal data from across Net

Security researcher crafts product that associates data from multiple sources and could provide enough information for ID fraudsters.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
VANCOUVER, B.C.--Who needs to dive through dumpsters or steal snail mail when so many details on people are available simply by searching the Web?

South African security researcher Roelof Temmingh, known for his work on security tools such as Wikto, is taking the search for personal information a step farther.

Temmingh--who spoke at the CanSecWest security conference here Wednesday--has crafted a tool dubbed "Evolution" that associates data found in multiple search engines and social-networking Web sites such as MySpace.com and LinkedIn. It also uses other sites' tools to find information behind Internet Protocol addresses, Domain Name System entries, domain registration and more.

As a result, a search for a person will associate the individual with results found across the Net. The idea is that data found in one place can bring up results elsewhere. For example, an e-mail address may bring up a domain name, which in the next search may bring up a physical address.

The searches could also connect work e-mail addresses with home phone numbers, expose details such as which NASA employees use social-networking sites, and find people at the National Security Agency who use Google's Gmail, Temmingh said. Evolution, currently in its early stages, does all that automatically, he said. Temmingh created the tool not just to demonstrate his skills, but also to highlight just how much personal data the Net holds, and how vulnerable it is.

The results can help somebody doing research into an individual, but they can also help a potential fraudster, Temmingh said. A search can expose information helpful for social-engineering attacks. Also, it can expose secondary targets as it will bring up information on individuals' alliances with people or organizations.

Another possible use is "virtual identity theft," Temmingh said. You can assume a person's identity by registering free e-mail addresses in their name, setting up MySpace and LinkedIn profiles as them and getting the identity out so it gets indexed by search engines, he said.