CyberSafe Alert 2019 Edition 9

Have you been Doxxed? What it is and how do you avoid it

There have been a lot of headlines recently about Doxxing (no, not boxing, although there have been a few headlines about that as well). So to enlighten you about what it means and how you may be at risk, In this edition of the CyberSafe alert you’ll find out what doxxing is, and how to avoid falling victim to it.

Click HERE to Tweet this 

So what exactly is doxxing?

Doxxing (also written as “doxing”) has been around in the hacker community since the 1990s, but recently it has emerged generally to become a threat to anyone who uses the internet. In the early years of doxxing, hackers would dox a rival out of spite. In these cases, the doxxing focused on identifying the hacker and their misdeeds then turning those details over to the authorities to get them arrested.

The term “doxxing” itself comes from a hacker word for “documents.” “Documents” became “docs” and then “dox.” When you “dox” someone, you are documenting their personal information. The important pieces of information you can find out are a person’s social security number, their address, telephone number, email address, social media profile names, place of work, details of relatives, partners and children, and so on.

Doxing isn’t usually illegal, though it does violate many sites’ terms of service and may result in a ban. Depending on your jurisdiction, it may also be illegal under laws designed to fight stalking, harassment, threats, etc.

 

How does it work?

Doxxing involves researching the details of people’s lives, usually with the purpose of embarrassing the victim, to draw criticism towards them, or to cause them physical harm.

Some doxxing attacks lead to a mass campaign of public shaming, or harassment, as seen in Hong Kong during recent protests when police officers accused of brutality were doxxed.

Mob attacks launched by doxxers also include prank phone calls, overwhelming amounts of abusive email, network-swamping quantities of text messages and even physical attacks on the individual. The effects can cause people to lose their jobs, their families, their homes, and in some extreme cases, even their lives. Targets of major doxxing attacks have been forced into hiding and have had to delete all of their online accounts and change their identities. In other words, doxxing takes cyberbullying to the next level.

Where do doxxers get the information from?

Social media profiles that are open to the public are goldmines of data. While a lot of information can be gleaned from social media and other forums that you post to, there are also some public sources of information that doxxers can also get your information from. Listed below are three of the most common ones.

Data brokers

Many places on the web hold your personal information. Businesses (commonly known as data brokers) profit from storing, collating and in some instances sharing and selling your information. They buy customer lists from other businesses that you would have given your data to. So, for example, if you buy a car, the dealership may put you on a list that they sell to a data broker, unless you have asked them not to.

If you fill in a survey about your favorite soap or enter an online competition you may be inadvertently giving the company the right to store and/or sell the information that you put on the form, unless you opt-out. Selling your information is often a way to help pay for the prize that they offer you.

Once this information is in the hands of data brokers, although they may not deliberately leak it (it does impact their bottom line after all if it’s available for free!), hackers may target them and steal data in bulk.

WHOIS

If you run your own website, or you have a website for your business, the registration information that you filled in to get that domain name is made public to all the world through the WHOIS database.

IP address

Every connection you make on the internet has to carry your internet address on it. This is called an IP address. Doxxers can use an IP logger to trace your online activities and expose your identity by combining it with searches on membership of certain sites.

How to protect yourself against doxxing

The practice of doxxing is on the increase so you need to be cautious about the information that you make available online. Regular readers of the Cybersafe Alert know that we don’t just provide the alert, but actionable steps to help you protect yourself. This issue is no different, so keep reading to find out what you can do to prevent, or at least make it harder to be doxxed.

As with many things on the internet, getting complete protection can be prohibitively expensive and complicated. However, there are ways you can make it much more difficult for you to be doxxed. If you are concerned about doxxing, here are some of the steps you can take to avoid it.

Social media

The more you write on forums and message boards, the higher your chances become of accidentally revealing personal information about you.

If you’ve read the Cybersafe book, you’ll know that there are so many different ways we give away far too much information on social media. Not checking privacy settings, accepting friend requests from anyone just to boost our followers, the list goes on. Suffice to say, some simple advice is to only allow people that you know very well to be your friends on Facebook. Also consider changing your privacy settings so that only friends can see your posts.

Avoid posting details about where you work, or where your children go to school. My personal opinion is that you shouldn’t put any identifying information about your kids on social media at all. After all, they haven’t consented to it, and that information will be a permanent record on the internet when they grow up. Although it’s great posting your fun family moments on social media, it is safer to enforce a policy of not posting photos of your children, and ask anyone else who takes pictures of them at events not to post them online. If you absolutely must post, make the photos as anonymous as possible. I.e. no face shots, names, or identifying locations.

Protect your internet communications

This one’s an easy one to write. If you must use public Wi-Fi, use a VPN! Nuff said, and readers of Cybersafe will be very familiar with the whys and wherefores of this advice.

Protect the data on your computer

Stop hackers from stealing your personal information by installing anti-malware. There are lots of good packages on the market, and these are just as important as the firewall on your computer.

Remove your personal data from your software you install

A lot of times we innocently add personal data into the software we use. Sometimes just for convenience. For example in the properties of Microsoft Office products you can include your name on the documents. This means that every document that goes out from you will have your name (and any other information you’ve added) embedded in it.

You should also check out the settings your gadgets. Is your personal information stored on your camera, your webcam, your set top box or your gaming consoles? Do you allow your camera to store location and other metadata that could be exposed?

Protect your email identity

If you need to sign up to websites and are not sure of their privacy policies, or you don’t want to use your usual email address to sign up to them, then you should use a temporary or burner email address. In addition, consider using a secure email service to encrypt your emails. You can find some recommendations and more details in Cybersafe, or on this list of secure online services if you are unsure what to use.

Vary usernames and passwords

If you have a penchant for visiting ahem..questionable (but legal) sites, you may want to consider using a different user name and also to vary your passwords. That way if one user ID is compromised, it won’t necessarily compromise your entire online presence.

Get your information removed online

In the EU, you have the right to be forgotten. This legislation particularly relates to search engine results. If you get search engines to delist information on you, doxxers will have a lot more difficulty tracking your data.

To do this, You can fill out a form on Google, Bing, or Yahoo to get them to remove search results that relate to you.

In the USA, You can get a quick rundown on where hackers can find you at We Leak Info. Similar to the EU, you can also ask Google to remove information about you. In addition, here’s a selection of sites that you can ask to remove your data.

• BeenVerified: https://www.beenverified.com/faq/opt-out/
• CheckPeople: http://www.checkpeople.com/optout
• FamilyTreeNow: http://www.familytreenow.com/contact
• Instant Checkmate: https://www.instantcheckmate.com/optout/
• Intelius: https://www.intelius.com/optout.php
• Nuwber: https://nuwber.com/removal/link
• OneRep: https://onerep.com/optout
• PeekYou: http://www.peekyou.com/about/contact/optout/index.php
• PeopleFinders: http://www.peoplefinders.com/manage/
• PeopleSmart: https://www.peoplesmart.com/optout-signup
• Pipl: https://pipl.com/directory/remove/
• PrivateEye: http://secure.privateeye.com/help/default.aspx#26
• PublicRecords360: http://www.publicrecords360.com/optout.html
• Radaris: http://radaris.com/page/how-to-remove
• Spokeo: http://www.spokeo.com/opt_out/new
• TruthFinder.com: https://www.truthfinder.com/opt-out/
• USA People Search: http://www.usa-people-search.com/manage/default.aspx

If you don’t have the time or inclination to go through this entire list, you can take a look at Privacy Duck and DeleteMe, who can help identify information about you in the USA and get it removed.

If you want to find out how much information Google has on you, try typing https://myactivity.google.com/myactivity in your browser when logged in to a Google account. Google knows your location as well – you can find your personal Google map with all the places you have visited at the https://www.google.com/maps/timeline URL.

WHOIS

As mentioned earlier, If you run your own website, or you have a website for your business, the registration information that you filled in to get that domain name is made public to all the world through the WHOIS database. However, You don’t have to give your personal information to get a website. Some domain brokers offer you the option of obscuring this information. However, you can get this privacy for free by entering a webmail email address, putting a fake telephone number in the form and giving a made up company name. Although technically false this information rarely gets verified.

Do a regular app and browser cleanse

Mobile apps and browser extensions are known to collect personal data, often without your knowledge or consent - who reads the privacy small print after all? Because of this, it’s worth regularly cleansing apps and browser extensions you use and removing the ones you don’t.

If you have the Cybersafe book, double check the chapter on secure browsing,

Avoid Online Quizzes

We all like to show how clever we are right? And anyway, what’s wrong with a little harmless quiz fun? Well, did you know that some quizzes ask a lot of seemingly random questions, which are actually the answers to common security questions? Plus, it gives attackers more data to work with. Supplying an email address or name to go along with results makes it even easier to associate information from other data sources.

Don’t Login With Facebook or Google

Finally (and I hope I’m hoping this isn’t news to anyone with Cybersafe), when you come across websites and apps that allow users to register using the “Login with Google”, “Login with Facebook”, or “Login with Twitter” buttons please consider using email (see the section on email in this blog post), or the "sign in with Apple" button (if available) instead. Understandably, these services provide a level of convenience by enabling you to complete the registration process with the email you used for your Google, Facebook, or Twitter accounts. However, the downside of using them is that you’ll automatically give the information attached to your Google/Facebook/Twitter accounts to the website. If you still yearn for this convenience, take a look at the Cybersafe alert Edition five, also listed at the end of this blog post for a potential alternative.

Remember, although it’s an odious practice, doxxing is not illegal per se. Hopefully, laws will catch up with that situation soon. Until then, following the advice in CyberSafe should go a long way to keeping you safe online. As we like to say at the CyberSafe alert - Don’t Be Scared; Be Prepared.

 Click HERE to Tweet this...

Are you new to the Cybersafe Alert? If so you’ve missed out on some great information to keep you and your family and business safe online. Here’s what you have missed so far this year:

• Edition 1 - Are your toys spying on you?
• Edition 2 - The unhackable password
• Edition 3 - Is It Safe To Hit 'Send' Now?
• Edition 4 - WhatsApp Hacked!? Here's What To Do About It
• Edition 5 - Is the new “Sign in with Apple” button a game changer?
• Edition 6 - Why your personal calls are not personal anymore
• Edition 7 - Has your wallet been hacked?
• Edition 8 - Your personal data may have been breached - Take action now!

Want a regular briefing about the newest Cyber threats? Subscribe to the Cybersafe Alert now!

If you can't wait for the next CyberSafe Alert to tell you how to protect yourself online, get CyberSafe the book. It's packed with the useful information and strategies you need to keep yourself, your family, and your business safe online.

 

Disclaimer

Every effort has been made to ensure that the content provided in this post is accurate and helpful for our readers. However, this is not an exhaustive treatment of the subjects. No liability is assumed for losses or damages due to the information provided. You are responsible for your own choices, actions, and results.