On Defending Against Doxxing by Benjamin Brown

On Defending Against Doxxing

Benjamin Brown

Who Am I? Benjamin Brown Akamai Technologies

-  Incident Response -  Threat Research -  Actor Profiling -  System Architecture Reviews -  Security Training and Workshops

Overview of Terms -  Doxxing: “Publicly releasing a person’s idenCfying informaCon including [but not limited to] full name, date of birth, address, phone number, and pictures”

-  SWATing: “To cause a SWAT team to be deployed on (an unsuspecCng vicCm) by falsifying a threat”

Why Should We Care?

Pranking, MarkeCng SensiCve InformaCon Leaks

Harassment, Bullying, Stalking Iden:ty The= SWATing

Targe:ng For Physical ABack

Why Should We Care?

From: Tim Oblivious Sent: Wednesday, October 31, 3:55PM To: Paul Bossman Subject: Family Emergency

Paul, I just wanted to let you know that I will not be able to come into work tomorrow. Something came up at home and I had to go to New York this morning for the next couple of days. I apologize for the delayed noCce.

Kind Regards, Tim

Real Cases

From: Paul Bossman Sent: Thursday, November 1, 4:54PM To: Tim Oblivious CC: Jill Director Subject: RE: Family Emergency

Tim, Thanks for le_ng us know – hope everything is ok in New York. (cool wand)

Cheers, PB

Real Cases

Real Cases

Sunil Tripathi -‐ Missing Since March 16th 2013 -‐ MisidenCfied as Boston Bomber -‐ Doxxed on Reddit & 4chan -‐ Family Death Threats, Harrasment -‐ Body Found in Providence River

Real Cases

Amanda Todd’s Bully -‐ Commifed Suicide Following Cyberstalking and Blackmail -‐ Anonymous Doxxed Wrong Man -‐ Had to Quit Job, Move Across Country, Legally Change Name

Real Cases

Michael Brown Shooter -‐ Anonymous Doxxed Wrong Man and His Mother -‐ Never Part of Ferguson Police -‐ Death Threats, Thrown Items -‐ Both Financial VicCms of ID Thei

Real Cases

SWATTing

• Live Recordings of Various Online Gamers • MulCple Gamergate Targets • Ashton Kutcher • Brian Krebs

SWATTing

Chinese "Human Flesh Search Engine" (人肉搜索, Rénròu sōusuǒ) -‐ CollaboraCve, Distributed Human Research on a Mass Scale

Russian Celeb Doxxing -‐ Eastern Bloc, Europe, Americas -‐ Kim Kardashian, Mel Gibson, Ashton Kutcher, Jay Z, Beyonce, Paris Hilton, Britney Spears

Global

The Googles -  Search Operators (“Google-‐Fu”) -  Usernames <-‐> Email Addresses -  Cached Websites

-  (Way Back Machine) -  VariaCons of Usernames and Email Addresses

Resources and Methods

Tools -‐ theHarvester -‐ Maltego -‐ Cree.py -‐ Recon-‐NG


Social Media -  FB, Twifer, LinkedIn, etc.

-  Contact Info, Family Members, Friends, Acquaintances

-  Interests, Haunts, Paferns -  Skillsets, Jobs, Colleagues -  Answers to Security Ques:ons


Social Media -  Forums, Groups, Mailinglists

-  Birthdate, Age, LocaCon -  Hobbies, FeCshes -  Trusted Usernames -  Breaches



Yahoo Groups -‐ Freecycle

- Whois

-  Full Name -  Phone Number -  Fax Number -  Email Address(es) -  Physical Address


Data Brokers -  Spokeo, Intelius, pipl, peekyou, etc.

-  Free -  Full Name (Incl. Maiden Name), Age -  Current and Former Addresses -  Family Members / Ages / Addresses

-  Paid -  Criminal Records -  Schools -  Retail AcCvity InformaCon


Public Records -  Business IncorporaCon, Deeds, etc.

-  Business Partners -  Addresses -  Histories -  Mappings to Other Business


Public Records -  PoliCcal ContribuCons

-  Name, Address, PoliCcal AffiliaCon, DonaCon Amounts

-  PeCCons -  Name, Geographic LocaCon, Fuel For Social Engineering


EXIF Data -  Photos, Videos, Audio

-  Device / Computer InformaCon -  Soiware InformaCon -  Times and Dates -  GPS Coordinates


Social Engineering

-  ISP / Phone Company as Spouse or Delegate

-  Current/Former Place of Work -  Family as Friends -  Friends as Family


Social Media Mindfulness -  Tighten Security and Privacy Se_ngs

-  Facebook, Google+, LinkedIn, etc. -  Restrict Personal InformaCon -  Vet ConnecCon Requests -  Untag Judiciously -  Block, Uninstall 3rd Party Apps

Defense Methods

Secure Your Accounts -‐ Use Strong Passphrases -‐ Use Two-‐Factor Auth -‐ Do Not Reuse Passwords -‐ Shutdown and Clean-‐out Old, Disused Accounts -‐ Don’t Let Retail Sites Save Data

Defense Methods

Defense Methods

Data Clearinghouse Opt-‐Outs -  Spokeo:

-  hfp://www.spokeo.com/opt_out/new -  VerificaCon needed: Email address

-  Pipl -  hfps://pipl.com/directory/remove/ -  VerificaCon needed: Email address

-  ZoomInfo -  hfp://www.zoominfo.com/lookupEmail -  VerificaCon needed: Email address

Defense Methods

More: hfp://www.computerworld.com/arCcle/2849263/doxxing-‐defense-‐remove-‐your-‐personal-‐info-‐from-‐data-‐brokers.html

Data Clearinghouse Opt-‐Outs -  Whitepages:

-  hfps://support.whitepages.com/hc/en-‐us/arCcles/203263794-‐How-‐do-‐I-‐remove-‐my-‐people-‐search-‐profile-‐

-  VerificaCon needed: Email address and Phone Number

-  Intellius (and subsidiaries) -  hfps://www.intelius.com/optout.php -  VerificaCon needed: Government ID

Defense Methods

More: hfp://www.computerworld.com/arCcle/2849263/doxxing-‐defense-‐remove-‐your-‐personal-‐info-‐from-‐data-‐brokers.html

Registering a Fic::ous or “Doing Business As” (DBA) name -‐ Protect Your Name, Your Partners, Your LLC or CorporaCon -‐ County Clerk’s Office or State Government Website or Office

Defense Methods

Land Trusts / Holding Corpora:ons -‐ Protect Your Name, Address, Etc. -‐ Keep Sales Price Private -‐ Consult a Real Estate Lawyer

Defense Methods

Wiping EXIF Data From Media

-‐ ExifTool by Phil Harvey (Win/Mac/Nix) hfp://www.sno.phy.queensu.ca/~phil/exiiool/

-‐ Windows: Property Details

Turn off Loca:on Tagging on Devices

Defense Methods

Маскировка (Maskirovka)

-‐  Use different and ‘Meaningless’ Email Accounts, Usernames, and Passwords

-‐  Employ Pseudonyms -‐  Be Wary of Cloud Services -‐  Rotate Phone Numbers and Passwords Oien

-‐  Shred All IdenCfying Paper / Mail


-‐  DifferenCated InformaCon Release -‐  False InformaCon -‐  Pics of Places You Haven’t Been -‐  “Evidence” of Hobbies You Don’t Have

-‐  Early InformaCon -‐  Late InformaCon -‐ Don’t Post Photos Right Away

-‐  Family / Friends Corroborate


-‐ Always Use (No-‐Split) VPN -‐ Watch for DNS / IP Leaks

-‐ Consider TOR -‐ Don’t Use Skype -‐ Start Building Other IdenCCes -‐ Encrypt All The Things -‐ OTR, PGP, Etc.


- MiCgate Immediate Danger -  Call 911, File a Police Report

-  Fully Document -  Shreenshots, Printouts, etc.

- Clean-‐up -  Close Down Accounts

I’ve Been Doxxed!

- Credit Watch Services -  ID Thei Watch Services -  ID Thei or Blackmail Afempts = Contact FBI

-  Inform Local Police About any SWATing Concerns

I’ve Been Doxxed!

Questions?

[email protected]

On Defending Against Doxxing by Benjamin Brown

Technology

Transcript of On Defending Against Doxxing by Benjamin Brown