Target Audience: People who are not very familiar with privacy threats related to online information leakage or open-source intelligence collecting techniques.
You can’t go very long on social media without finding another instance of some popular person being compromised, whether in the form of simple doxing, the ever-growing “SIM Swap,” or a more drastic compromise in the form of swatting. If you don’t know what these things are, consider yourself lucky. But it’s time to find out what they are so you can take steps to prevent them from happening to you.
Doxing is, quite simply, the process of finding and publishing identifying information about an individual. This was exceptionally popular a few years ago, when a site named “doxbin” was running and allowed anyone to post dox of anyone else. This information could then be verified, which meant that anyone who looked at it could be reasonably sure that the information was accurate and up to date. Since doxbin died, I have not come across a site so brazen in its endeavor, though I’m sure there are plenty of sites where “dox” are still traded. Recently, prominent malware researcher MalwareTech was doxed by several news outlets (whom I won’t link to, out of respect) who published personally identifying information about him when he “accidentally” triggered the WannaCry killswitch.
A SIM Swap is a social engineering attack in which the adversary has collected some basic information about you and then calls your phone service provider in order to convince them to activate your phone number on a phone that they control. This enables them to receive all SMS messages that are meant for you, which presents a lot of risk when you consider how many services use SMS for 2FA. For a recent story on the impacts this had, and hopefully a reminder to double check your own security posture, I recommend reading Cody Brown’s “How to lose $8k worth of bitcoin in 15 minutes with Verizon and Coinbase.com.” You can also go back in time a little ways and see that several prominent YouTubers were compromised via this method.
Swatting is perhaps one of the most dangerous “pranks” adversaries can do with your private information. Swatting is the act of tricking emergency services into sending a SWAT team to your home (or maybe even workplace), usually by falsely reporting some dangerous emergency such as a bomb threat or hostage scenario. There is typically little risk involved for the attacker in this case, while the potential risk to you and your family could be huge. Wikipedia has plenty of notable instances for you to review if you’re so inclined.
Building a Profile
One of the best things you can do to reduce the risk of these types of attacks is to reduce the amount of information readily available for people to find online. In order to best accomplish this, it’s important to first take stock of what is readily available. We’re going to use a set of intelligence gathering techniques known as OSINT, or Open Source Intelligence.
OSINT is the process of using publicly available data to compile as much information as you can about your target. In this exercise, we’ll be targeting ourselves. Unfortunately, since we already know ourselves pretty darn well, we need to pretend we don’t, so that we can capture as much as possible about what might be relevant to an attacker. Let’s start with First Name, Last Name, and a recent location. These are generally pieces of information that an adversary would want to collect early in the process, as it enables much more analysis.
Let’s start building a profile. You can jot this stuff down in Notepad or Evernote or whatever; just make sure you are able to quickly add links and data to it.
First Name: Dade
Last Name: Murphy
Date of Birth: (Born in 1977?)
Address: New York City?
Using this small profile to base our activities off of, let’s get the collection started. It is important to note at this time that many tools we are going to use will ask you to create an account or purchase a report. I strongly recommend against doing this and just collecting the free information. When it starts asking you for money, move on to another source.
When doing your collection activities, I recommend using incognito mode or private browsing mode in your browser. This will help to avoid many biases in content that you may get from being logged into accounts or having a bunch of cookies in place.
There are tons of resources for this, but to cast a wide net quickly and attempt to narrow down the results, I recommend using Michael Bazzell’s OSINT Menu. From here, select “Real Name” in the side bar. Now you can put your first and last name in the boxes next to the “Submit All” button, and then fire away. This will open a ton of tabs for you to review.
This is the part that gets tedious. Now you comb through the search results and look for records that match what you already know. For now, that is just name and location, but it will probably grow fairly quickly. Anytime you find a record that looks like it could match what you already have, copy that link into your notepad so you can correlate against it later. If a tab isn’t of value to you any longer, close it so that you can keep track of where you’re at.
In order to gain access to Facebook and LinkedIn search results, you may need an account. I would recommend asking a friend if they can search for you. I’ve found that the best thing to model against on Facebook is the “friend of a friend” privacy setting, because of all your friends, at least one of them will very likely accept a friend request from someone they don’t know. You can also use Facebook & LinkedIn’s built-in “view as” capabilities to see what the public or a friend-of-a-friend can see about you.
Once you’ve collected any information that looks like it could be pertinent to you, it’s time to go back through and make sure all your data points correlate with one another. Every new data point that you can confirm will give you another thing to look for in your search.
Do you think you’ve collected enough information? Take your new profile of yourself and repeat the process, seeing if you can find any additional information. Were you able to find details on your significant other? Or your parents or siblings? Repeat the process on them to see if they are leaking information about you.
Have you found a bunch of information that you didn’t expect? Or were you pretty well covered, with most of your sensitive information not showing up? What information did you find that you wouldn’t want an enemy to find? Save your profile of yourself and check on it with some regularity.
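The correlate-and-repeat loop described above, followed by a ranking of which sources expose the most sensitive details about you, can be sketched in Python. This is an added example, not part of the original article; the record layout, the two-match threshold, the list of sensitive fields and every sample value are assumptions constructed for illustration.

```python
# Added example: correlate self-audit notes and rank sources for opt-out.
# Every name, URL and value here is constructed sample data.
MIN_MATCHES = 2  # assumption: two agreeing data points before trusting a record
SENSITIVE = {"street", "phone", "birth_year"}  # assumption: what you'd least want found

PROFILE = {"first_name": "Dade", "last_name": "Murphy",
           "birth_year": "1977", "city": "New York City"}
RECORDS = [  # as copied into your notes from search-result tabs
    {"source": "https://social.example/u/dmurphy77",
     "fields": {"last_name": "Murphy", "phone": "555-0100",
                "username": "dmurphy77", "street": "1 Example St"}},
    {"source": "https://people-search.example/r/1",
     "fields": {"first_name": "Dade", "last_name": "Murphy",
                "city": "New York City", "phone": "555-0100"}},
    {"source": "https://people-search.example/r/2",  # a namesake elsewhere
     "fields": {"first_name": "Dade", "last_name": "Murphy",
                "city": "Seattle", "phone": "555-0199"}},
]

def norm(value):
    """Lower-case and collapse whitespace so 'New  York City' == 'new york city'."""
    return " ".join(str(value).lower().split())

def correlate(profile, records):
    """Confirm records that agree with the profile; each confirmation adds
    new data points, so repeat until a full pass confirms nothing new."""
    known = {k: norm(v) for k, v in profile.items()}
    confirmed, pending, changed = [], list(records), True
    while changed:
        changed = False
        for rec in list(pending):
            fields = {k: norm(v) for k, v in rec["fields"].items()}
            shared = [k for k in fields if k in known]
            if any(fields[k] != known[k] for k in shared):
                continue  # contradicts a confirmed data point: likely someone else
            if len(shared) >= MIN_MATCHES:
                known.update(fields)
                confirmed.append(rec)
                pending.remove(rec)
                changed = True
    return known, confirmed

def opt_out_priority(confirmed):
    """Sources that expose sensitive fields, most exposure first."""
    rows = [(r["source"], sorted(SENSITIVE.intersection(r["fields"])))
            for r in confirmed]
    return sorted((row for row in rows if row[1]), key=lambda row: -len(row[1]))

if __name__ == "__main__":
    known, confirmed = correlate(PROFILE, RECORDS)
    for source, exposed in opt_out_priority(confirmed):
        print(source, exposed)
```

A record that lists an old address of yours is rejected as a conflict under this rule, so look over the unconfirmed records by hand before discarding them.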
There are several places you can go to opt out of your data being available, with one of the most comprehensive lists being da5ch0’s “GTFO: Fantastic Opt-Out Lists and where to find them.” Another popular list of links to delete your account from the web is Just Delete Me, though this focuses more on account deletion than data opt-outs.
There are also several paid options you can use if you’d rather not go through the hassle, or you’re unsure of the risks associated with the data that you’ve found. Consider Michael Bazzell’s website, IntelTechniques, if you’re looking for more information or even consultation. You could also use a more automated paid approach, such as Abine’s DeleteMe service.