"It's basically not feasible for a human to go to the depths that FBStalker script does," he said.
In a slide presentation, Werrett and Lee showed how FBStalker collected data on Joe Sullivan, the company's chief security officer.
FBStalker showed places where Sullivan had been and infer who some of his friends are based on pages he had liked and commented on. Some of the information collected by FBStalker is plainly visible on Sullivan's page, but his friends list is not visible to outsiders.
Werrett and Lee also introduced at the conference "GeoStalker," another Python script that Lee wrote which can be used for remote site reconnaissance as part of physical security tests.
GeoStalker takes an address or a set of coordinates and searches for any data geotagged with the same values, such as photos from Instagram or Flickr, messages on Twitter, FourSquare data and even wireless networks indexed by the Wigle database. It also pulls usernames for social networking accounts linked to the location.
When TrustWave is doing a Red Team test "it gives us a whole bunch of stuff that is quite useful," to mount an attack, Werrett said.
"No one is going to turn back the tide of people posting things to Facebook that potentially could be valuable in somebody else's hands," Werrett said. "If you want to walk away with a lesson, the lesson is that even if you're protecting yourself, what other people are doing with your information, your friendships, your comments and things like that can still be leaked."
"Maybe people will think twice before commenting on someone's drunken photos," he said.
Send news tips and comments to firstname.lastname@example.org. Follow me on Twitter: @jeremy_kirk