If you follow the Anonymous, Occupy, and IT security scenes, you have no doubt heard about a dox release. What is it? How can it hurt you? And most importantly, how can you protect yourself from it? Some of these steps might seem common sense, while others will be an ah-ha! moment. Your private info is both your biggest weakness and your biggest weapon in your battle to remain anonymous. You must learn how to use it as both.
Well, it matters a whole lot. Understand that more and more of your life is stored in databases, on servers and on social networking sites. Nowadays, it doesn't take much personal details to obtain even more information on someone. Once that stack of dominoes has fallen, an attacker has your name, address, Social Security number, and more! An attacker can then open loans in your name, ruin your credit, and many things in-between.
As you can see, it doesn't take a lot to pretty much ruin someone's life. Now, I am not condoning such actions, of course, but I want to make sure Null Byte understands the risks of being so public in a private arena. Let's take a look at where people are doing it wrong.
When an attacker is doxing someone, this is the very first thing they look for. A lot of people leave everything on their profile open to the public. This wouldn't be so bad if it was not a step-by-step of the last five years of your life. I can see who your friends are, who your close friends are, and who you're dating or married to. Usually they can find out where you work, where it's located, and for how long you've been there.
Why does this matter?
Because when an attacker clicks on "forget my password" for your bank account, your bank asks them a security question, like 'where did I grow up' or 'my favorite color'. The hacker can use the information they've gathered from Facebook and make very targeted educated attempts through proxies at answering. Now they have your password.
Why would anyone even bother hacking you if all they needed to do was perform some simple intelligence gathering?
Law enforcement uses the very same technique to break down groups and profile people in investigations. This might not worry you... or it might. Take proper precautions.
With so much tied to your email address, it might shock you to know just how many people use the same email for nearly everything they do. From social sites like Facebook to financial accounts like Bank of America, they will use the same credentials and sometimes even the same password! As most web sites use your email address to login, knowing this means an attacker now has the login to most, if not all, of what you use on the Internet. Your shell of protection is starting to crack now.
You are arguing with some stranger on Facebook and it gets heated. You walk away that night angry, but tired, and you go to sleep. A few days later, your phone rings, waking you. Ignoring the first call, it starts to ring again. You answer it only to be hung up on. You think, "wrong number" and lay back down.
The ringing doesn't stop though and after few hours, your doorbell rings. As you open the door, you greet a pizza deliverer with ten pizzas you did not order. What's going on here? This continues on and off for a week until one day you're at the store and your debit card gets declined. Rushing home to check your account, you discover in horror it's overdrawn!
You know where this dark road goes. Now you must start the process of fixing your stolen identity. Sorting out your bank mess and trying to get things back in order so life can go on. Not an easy task in this day and age.
All is not lost though. With a little work, you can cover yourself—or at least mitigate some of the risk involved with being online. This is a beginner's guide, and once you get the general idea here, you can tailor this to your threat profile. Always remember that security is a trade-off between safety and functionality.
Step 1 Get Off Social Networking Sites
Yes, this is a little bit draconian, but it's the best step you can take. So much information is leaked from Facebook, Twitter and the like, that your best defense is simply not to use them. However, I understand not everyone can or will make that choice, so there is a halfway-between option...
Step 2 Create and Use Fake Profiles
If you must use a Facebook account to keep in touch with family and far-off friends, then perhaps you could create a fake one. Use a false name with a new email address. Don't post pictures of yourself and be mindful of what you say and who you friend. If you can, only visit these sites through a proxy.
Step 3 Ensure You Use a Different Email Address to Log into Various Sites
You don't want to be pinned or tracked down, so use a range of email addresses to help throw off would be doxers. As stated above, logging into them under a proxy is recommended.
Step 4 Use Common Sense
Understand that every product you use that's free, is only free because they are selling you. Inherent in such systems is the stealing of massive amounts of your personal information. Be mindful about what you say, who you give out email addresses to, and such. Try to go over your social profiles and remove information that is unnecessary.
Step 5 Audit Yourself
Go to a website like Pipl and enter your own email address. See what comes up and trace that information back to its source (Facebook, Twitter, etc.) and remove it.
Do you have any doxing tips? Know of any good databases to query? Leave us a comment or visit our forum to share it with us!
Start your White-Hat Hacker journey with Null Byte's Beginner's Guide to Linux Course.