Doxing (or Doxxing) is an abbreviation of 'Document Tracing'. Tracing documents can be part of a penetration test, as you need to find out information about a target. Now, we're going to look at elements of doxing and how you can help yourself stay safe. Doxing usually begins with something small, such as an email address, a forum username or a name.
From here, doxers (is that a word? It is now!) can search for information about that person. Doxing differs slightly from information gathering: information gathering usually aims to target a server or computer, whereas doxing tends to use freely available information for the most part. So, for the purpose of this post, I went onto Twitter and looked at one of the first names that I came across. I won't publish any private information about the person(s) involved, such as real name etc.
So, Twitter allows a username in the format @UsernameHere and your name. Now, this person had used her real name as well as a username. So already, I had a username and real name to go on. A quick search on Pipl.com showed that Twitter mining websites had collected previous posts by the lady; let's call her 'Helen'. Helen had posted a photograph which, unbeknownst to her, contained a piece of paper in the lower left of the image with her address on it, although on her real Twitter it had been deleted. So, normally, that's about as far as you'd need to go with doxing; however, that was too easy, so I continued to dig a little deeper. The photographs posted by the woman showed the following:
- A pet Labrador
- Her at a Chelsea football match
- Her at a Michael McIntyre gig
- Her at University (I won't mention which one)
- Her at a Drake concert
Underneath the photograph of the pet Labrador was the name of the dog. The text underneath the Chelsea football match had the date she went to the game, and so on... The one that struck gold was a tweet saying what her favourite chocolate was. This was almost certainly going to be the secret word/phrase for her email account. And if not, I could have used the brute-force technique in one of my previous posts to attempt to gain access.
At this point, I'll admit, I was thrown off the trail. I almost gave in because I couldn't find any more information about this person... until I found peekyou.com. Peekyou.com is similar to Pipl.com in the way it harvests information, and it's very scary from a security point of view.
Typing in the lady's Twitter name brought up her profile from whenever she'd created her Twitter, which told me what school she went to. From there, I could look on Facebook and filter by education - found her! (She wasn't showing up on any searches until I got her previous-education history.)
Helen's Facebook URL had been set to a custom name - different than her Twitter. Appending @gmail.com to her custom Facebook URL gave her email address. From here, it was a case of going to Gmail.com and clicking 'forgot password' to confirm that the email address DID exist. Someone with different motives than me could have attempted to gain access to her account by simply going back to the login screen and attempting to brute-force the account OR attempt to reset the password using the 'forgotten password' method.
Or, what about phishing? Now a potential attacker has a known email address to target...the options are almost endless. At this point, I told her how to secure her account and insisted she use two-factor auth; we've since had a laugh about it.
Conclusion
So, what can we learn from this? Whatever you put on the internet can reveal all sorts of things about you, which can be used in a social-engineering attack. Ensure you use complex passwords that aren't your pet names, favourite football club etc. Your password should not be found in the dictionary either.
Be extremely careful when naming your Twitter or Facebook profile and be careful what you upload. Uploading pictures and tweeting paints a picture of YOU. It allows a 'bad guy' to profile you. In this case, I was able to profile the lady and *probably* would have had some success in stealing her account if I was that way inclined. I would be inclined to hide your Facebook profile from public search and protect tweets so only selected followers can see them.
And finally - implement two-factor authentication. Many websites now allow you to add your mobile phone number to your account, so whenever you log in, you get a text message with a number on it. You simply type that number into the box on the website and you're logged in! This method means that a third party wouldn't be able to access your account.
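To make the password advice above checkable, here is an added example (not part of the original post) that audits a candidate password against things its owner has posted publicly and against a word list. The function names, the tiny word list and the sample facts other than the football club are constructed for illustration.

```python
import re

# Undo common character swaps so "B1scu1t" is compared as "biscuit".
LEET = str.maketrans("013457@$!", "oieastasi")

def letters(text):
    """Lower-case the text and keep letters only."""
    return re.sub(r"[^a-z]", "", text.lower())

def variants(password):
    """Forms of the password to compare: as typed, with swaps undone, and with
    leading/trailing digits and symbols trimmed before undoing swaps."""
    low = password.lower()
    trimmed = re.sub(r"^[^a-z]+|[^a-z]+$", "", low)
    return {letters(low), letters(low.translate(LEET)), letters(trimmed.translate(LEET))}

def audit_password(password, public_facts, dictionary, min_length=12):
    """Return the reasons a password is weak; an empty list means it passed."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    forms = variants(password)
    for label, value in public_facts.items():
        words = [letters(w) for w in value.split()]
        # Words under four letters are skipped to avoid accidental matches.
        if any(len(w) >= 4 and w in form for w in words for form in forms):
            problems.append(f"contains your {label}")
    # A dictionary word with digits or symbols bolted on is still a dictionary word.
    if forms & dictionary:
        problems.append("is a dictionary word with decoration")
    return problems

# Constructed sample data: facts the account owner has posted publicly.
PUBLIC_FACTS = {
    "pet name": "Biscuit",
    "football club": "Chelsea",
    "favourite chocolate": "Galaxy",
}
DICTIONARY = {"password", "chocolate", "sunshine", "dragon"}  # stand-in word list

if __name__ == "__main__":
    for candidate in ("B1scu1t2019!", "Ch0c0late!!", "vivid-otter-quartz-ladder-72"):
        print(candidate, "->", audit_password(candidate, PUBLIC_FACTS, DICTIONARY) or "ok")
```

Swap in your own public facts and a real word list before relying on the result; an empty list only means none of these particular checks fired.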
Stay safe online. Until next time!