Doxing & Defending
Online conflicts over the last few months have featured a number of notable ‘doxings.’ This bit of hacker/troll slang formerly meant “identifying an anonymous persona to the point that they can be harassed in real life at a known address, or subject to identity theft.”
As online conflicts have spread, concurrent with the growth of social media, the meaning of the term has softened a bit, to the point where it merely means identifying the real owner of a given persona, while the qualified phrase “full dox” is taken to mean that date of birth and social security number are available.
This practice is the ‘soft kill’ for anonymous online personas, while swatting is the ‘hard kill.’ The latter is much scarier in the moment, but a SWAT team will leave your home within an hour of arriving, while the effect of being doxed can follow you around for years.
This DailyDot article, “I was taught to dox by a master,” is a good review of how a competent amateur will go about doxing someone. Your pursuer will dig up every social media account, every email address, every phone number, the names of your friends and family, and then relentlessly apply Google, Yahoo, DuckDuckGo, and other search engines to the task of finding you.
The three search engines mentioned are all applied because each prioritizes results in a different way. If a pursuit stretches into more than a day or two, the searcher will likely employ a mix of Google Alerts and a similar service from Luxembourg-based Talkwalker. Paid services such as LexisNexis or Spokeo may be used as well. The unwary new person may fall into the clutches of MyLife, which features poor-quality information and a monthly service fee that is well-nigh impossible to cancel. If forced to use this, be sure to use a prepaid card with no more than the monthly fee on it.
Radaris is another site that gets high marks for individuals, and if you have some employment information Yatedo will often display all sorts of business background data available nowhere else.
Social media sites are a boon to the would-be doxer. An open Twitter will reveal your interests, an open Facebook shows where you are and who your friends and family are, while an open LinkedIn provides access to your professional associates. This entire sector is changing as both users and investors realize that social media properties follow a well-defined arc. They start, they take root, they peak, and then they fade away. LinkedIn will never be displaced from professional networking, Twitter has managed to largely eliminate RSS as a way for web sites to publish, but Facebook and every other system that didn’t carve out a defensible niche is doomed to eventually fade.
The great unappreciated hazard in this area is the dormant account. Twitter is full of accounts that were registered, permitted to find friends based on email, and then forgotten. These time capsules can reveal patterns that are inaccessible via accounts that receive daily use. Every year at least one Congressional staffer gets embarrassed when their account on Grindr, a gay hookup site, is discovered. That photo sharing site you haven’t used in two years, but which is still attached to your phone’s camera, will be found at a most inconvenient moment.
Facing An Expert
That DailyDot article offers a good overview, but what it represents is by no means what one should expect when facing an expert. Those who are truly dedicated, from skip tracer private detectives, to corporate threat analysts, to political opposition researchers, to the king of the hill trolls, have a bag of tricks that far exceeds what that article describes. Tools and tactics can include:
South African penetration toolkit vendor Paterva offers Maltego. This $750 tool can capture the entire details of a domain or a Twitter social network with a few mouse clicks, providing a structured repository for the data collected. Third party queries, referred to as transforms, permit the system to access other data sources, such as blockchain.info’s Bitcoin data. Complexity is no defense against a motivated adversary.
If the target is at all public, which can mean anything from a Congressional candidate to a blogger who writes about a certain niche, they are likely to have Google or Talkwalker alerts for their name. Serve up a page on a blog that mentions them, have something like Sitemeter running, and you’ll get an IP address for them. This gives you either their cellular provider or their home ISP, as well as enough data to narrow down their geographic area.
There are many other ploys available if the pursuer is willing to send a pretext email and unconcerned with the consequences of being caught spearphishing you. Actively engaging a person willing to go to these lengths will end badly, although it might take a while.
Having a bit of knowledge about the sort of problems out there, how do you protect yourself?
First and foremost, protect your financial information. Your state publishes information on dealing with identity theft. Get this and read it until you find their recommendation for a credit watch. Experian’s LifeLock is an example of this. If you have the slightest hint you are facing pursuit, you should do this at once.
If you are in the habit of keeping email, look for everything you ever signed up for but do not use. Work your way through them and eliminate every single one. If any of the services you do use offer two-factor authentication, absolutely turn this on, and that goes double for anything with fiat currency or cryptocoins on the inside.
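One way to start the cleanup described above, as an added example that is not part of the original article: this Python script walks an mbox export of your mailbox and lists every sender domain that once sent you signup-style mail, flagging the ones that have since gone quiet. The subject phrases, the one-year dormancy threshold and the sample messages are assumptions constructed for illustration.

```python
import mailbox
import re
import tempfile
from datetime import datetime, timedelta, timezone
from email.utils import parseaddr, parsedate_to_datetime

# Assumed subject phrases for account-creation mail; extend for your own inbox.
SIGNUP_RE = re.compile(r"welcome to|verify your|confirm your|activate your|thanks for signing up", re.I)

# Constructed sample messages (sender, date, subject); not real services.
SAMPLE = [
    ("noreply@photoshare.example", "Mon, 04 Mar 2013 10:00:00 +0000", "Welcome to PhotoShare"),
    ("alerts@bank.example", "Tue, 05 Mar 2013 10:00:00 +0000", "Confirm your email address"),
    ("alerts@bank.example", "Mon, 05 Jan 2015 09:00:00 +0000", "Your statement is ready"),
    ("pal@mail.example", "Mon, 05 Jan 2015 09:00:00 +0000", "lunch?"),
]

def inventory_accounts(mbox_path, now, dormant_days=365):
    """Per sender domain with signup-style mail: first signup, last contact, dormant flag."""
    signup, last_seen = {}, {}
    box = mailbox.mbox(mbox_path)
    for msg in box:
        domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
        try:
            when = parsedate_to_datetime(str(msg.get("Date", "")))
        except (TypeError, ValueError):
            continue  # no usable date, cannot place the message on the timeline
        if not domain:
            continue
        when = when.replace(tzinfo=when.tzinfo or timezone.utc)  # naive dates: assume UTC
        last_seen[domain] = max(when, last_seen.get(domain, when))
        if SIGNUP_RE.search(str(msg.get("Subject", ""))):
            signup[domain] = min(when, signup.get(domain, when))
    box.close()
    cutoff = now - timedelta(days=dormant_days)
    return {d: {"signup": signup[d], "last_seen": last_seen[d],
                "dormant": last_seen[d] < cutoff} for d in signup}

def demo():  # writes the constructed sample as an mbox file, then inventories it
    with tempfile.TemporaryDirectory() as tmp:
        path = tmp + "/export.mbox"
        with open(path, "w") as fh:
            for sender, date, subject in SAMPLE:
                fh.write(f"From - Thu Jan  1 00:00:00 2015\nFrom: {sender}\n"
                         f"Date: {date}\nSubject: {subject}\n\nbody\n\n")
        return inventory_accounts(path, datetime(2015, 2, 1, tzinfo=timezone.utc))

if __name__ == "__main__":
    for domain, info in sorted(demo().items()):
        print(domain, "DORMANT" if info["dormant"] else "active", info["last_seen"].date())
```

Domains flagged as dormant are the candidates for deletion; the active ones are where two-factor authentication should be switched on.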
Google and Talkwalker alerts are not just for the bad guys. Set up a few of your own – your name, your street address, your cell phone number, and so forth. Once you have them working, see if you can zero out any responses. If you are fairly quiet, you can expect a week or two of these systems finding dated information, which you should inspect for hazards.
The world is awash in privacy violation news, with the Sony intrusion, a Morgan Stanley insider leaking personal information of 10% of their wealth management customers, and a thousand other smaller events. Even American Banker says we need to rethink identity, a clear sign that not just law enforcement, but legislation, will compel those who hold identifying information to be more diligent in their security.