<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Aten Labs &#187; detective</title>
	<atom:link href="http://atenlabs.com/blog/tag/detective/feed/" rel="self" type="application/rss+xml" />
	<link>http://atenlabs.com/blog</link>
	<description>San Diego&#039;s Premier IT Security Consultancy</description>
	<lastBuildDate>Wed, 29 Feb 2012 19:14:43 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Cyber Detective Work</title>
		<link>http://atenlabs.com/blog/cyber-detective-work/</link>
		<comments>http://atenlabs.com/blog/cyber-detective-work/#comments</comments>
		<pubDate>Sat, 27 Jun 2009 21:40:24 +0000</pubDate>
		<dc:creator>Dan Tentler</dc:creator>
				<category><![CDATA[insight]]></category>
		<category><![CDATA[review]]></category>
		<category><![CDATA[training]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[detective]]></category>
		<category><![CDATA[digital]]></category>
		<category><![CDATA[recon]]></category>
		<category><![CDATA[reconnaissance]]></category>

		<guid isPermaLink="false">http://atenlabs.com/blog/?p=47</guid>
	<description><![CDATA[I talk shop a lot. I talk to people who are security conscious, I talk to people who aren&#8217;t, and I talk to people who think that &#8216;security&#8217; means evil hackers from Russia who are going to steal their credit cards. Think of security this way: You run a shop. In this shop you sell [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: center;"><a href="http://www.flickr.com/photos/vissago/3600973591/"><img class="aligncenter" src="http://farm4.static.flickr.com/3365/3600973591_09bf7c7cd5.jpg?v=1244322402" alt="" /></a></p>
<p style="text-align: left;">I talk shop a lot. I talk to people who are security conscious, I talk to people who aren&#8217;t, and I talk to people who think that &#8216;security&#8217; means evil hackers from Russia who are going to steal their credit cards. Think of security this way:</p>
<p style="text-align: left;">You run a shop. In this shop you sell things. Some things are physical, and some things are purely informational. In this store you run, do you put the combination to your back safe on a Post-it note on the cash register? Do you leave the keys to the front door out where the customers can get at them? Do you lock the safe and doors when you leave? Are there security cameras? Will you know if something gets stolen, or if someone is shoplifting, or if an employee is embezzling? These concepts are exactly the same, and sometimes when it comes to data, they&#8217;re far, far more important. Data controls all of our financial transactions, for example. Data controls how we do most of our business these days. Who *DOESN&#8217;T* use data for business transactions, banking information &#8211; or keeping secret data secret?</p>
<p style="text-align: left;">I keep saying to folks who I talk shop with: &#8220;<em>Security isn&#8217;t what you think it is</em>&#8221;. This is a perfect example. Tiny flaws in one&#8217;s security strategy, or even lack of any security, can lead to an attacker (or law enforcement or a private investigator) being able to glean information to further their purposes.</p>
<p style="text-align: left;"><span id="more-47"></span></p>
<p style="text-align: left;">Recently I was asked to &#8220;find someone&#8221;. There was an individual being abusive and one of the people on the receiving end came to me asking for my help. This abusive individual was hiding their identity by way of a pseudonym, a separate email address, separate blog and other means of distancing their alter ego from their real one.</p>
<p style="text-align: left;">I had a feeling that the subject was not a technical person, having read through some of the blog posts and articles they wrote. This person had a lot to say and didn&#8217;t care about the damage their words did. The subject frequented political blogs and basically dropped bombs on people. One of the things they said one day crossed the line.</p>
<p style="text-align: left;">My client gave me a few leads: an email address, a couple of blog posts... that was it. Not too much to go on.</p>
<p style="text-align: left;">I hit Google like anybody would have done, and started searching about for any clues that could potentially uproot some juicy info. I ended up finding a Twitter feed, and a little while later a WordPress 2.6.5 blog.</p>
<p style="text-align: left;">I raised an eyebrow. Wow. 2.6.5? TODAY? When 2.8 is out? This person is not detail oriented, and clearly has no idea how significant being that out of date is. This was a pretty big clue. I started perusing around the blog and found outright that this blog was a fresh install, with just a simple theme slapped over it and no actual content.</p>
<p style="text-align: left;">&#8220;<em>Perfect</em>&#8221; I thought. &#8220;<em>This person is likely to have not even read that &#8217;10 ways to secure WordPress&#8217; blog post I ran across a while back.</em>&#8221;</p>
<p style="text-align: left;">Certainly enough, wp-content/themes was browsable, and so was wp-content/plugins. Fairly slim pickings though: a couple of different themes which didn&#8217;t yield any data, Akismet and hello.php in the plugins dir.</p>
<p style="text-align: left;">I clicked hello.php, being not entirely certain what it was for (I&#8217;d tried to look up its purpose before but either I don&#8217;t remember or I couldn&#8217;t find a real valid purpose) and I was presented with a PHP error. It looked something like this:</p>
<blockquote>
<p style="text-align: left;"><strong>Fatal error</strong>:  Call to undefined function  add_action() in <strong>/home/&lt;subjects twitter nick&gt;/&lt;subjects domain&gt;/wp-content/plugins/hello.php</strong> on line <strong>61</strong></p>
</blockquote>
<p>Bingo! I immediately recognized the Twitter nick as one I&#8217;d seen before, and this person was well known for being very, shall we say, &#8216;verbal&#8217; about their political views and had no remorse for their actions. I read a few of this person&#8217;s blog posts on their personal blog, and compared the writing style to that of the subject I was approached about. They were congruent. Same writing style, same words used, etc.</p>
<p>The abusive individual who was trying to hide their identity made a mistake. They thought that directory names on their webhost didn&#8217;t matter, so they could just use something familiar. I&#8217;m sure the username/password combination they used on the blog was the same for a handful of other things they use as well. Either that, or the directory name didn&#8217;t even cross their minds &#8211; to set up an account somewhere and leave NO TRACE of who they really were. This person was far too concerned with stirring the pot and making trouble to even consider actually thinking twice about how badly they wanted their identity kept a secret. Another big tell was that this person&#8217;s alter-ego Twitter account and their real Twitter account didn&#8217;t follow each other, but they followed HUNDREDS of other peripheral people and organizations with the same political alignments and interests. Both identities lived in the same city. It would be a stretch to think that they follow the same few hundred people and have never heard of each other.</p>
<p>I prepared an email for my client stating what I had found, and where, and citing some examples.</p>
<p>Case closed!</p>
]]></content:encoded>
			<wfw:commentRss>http://atenlabs.com/blog/cyber-detective-work/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

