
Doxing – Organizational Level

October 6, 2015

Doxing (doxxing) – the word – is a neologism that dates back to the 90s, when Usenet’s members posted personal information on fellow users. It basically represents the idea of compiling and releasing digital documents that lead to identity revelation when posted. “Docx” became “dox”.

By the late 2000s the term was widespread in the tech world, and in 2008 it entered the Urban Dictionary. The retrieval and exposure of private/personal information on people or groups (doxing) later gained a negative connotation, especially since Anonymous employed it in 2011 as one of their harassment tactics.

Since Internet anonymity is considered very valuable and it rhymes with , doxing (sometimes confused with the more innocent online information gathering techniques) usually means resorting to privacy violation.

Doxing someone might have consequences for their reputation, Internet “ranking” or fame, and is often an act of retaliation. Other reasons are to serve law enforcement or vigilante justice, to enable analysis, or for extortion, coercion, harassment, and online shaming.

A famous doxing case is the 2014 unveiling of the Bitcoin founder by Newsweek. The reporter covering this story was compared to a criminal hacker – and “doxing” was the word that summarized the inappropriate behavior.

An even more recent (although offline) example would be the release of Lindsey Graham’s mobile number by Donald Trump.

Techniques of doxing

Doxing knows controversy: while journalists claim it is an accepted practice for finding out more about someone (although they most likely have in mind a variation of information gathering, and not the real, core doxing), others see it as a threat, and defend privacy against any such techniques. The latter are referring to dark, underground doxing – using hacking techniques. The hackers develop the ability to recognize which target data is valuable – and they go for it.

There are ways to engage in soft doxing (mainstream, journalistic type): using Google, social media/networking sites, doing a reverse cell phone lookup or Whois searches.

One may also find many instructional articles on the Internet, suggesting how to efficiently conduct such a search – and officially accepted or not, many are employing it in trying to build an image of an individual prior to meeting him/her in person (even in the business environment).

This nevertheless has the potential of becoming unpleasant for the object of soft doxing, when the retrieved information serves as the entry point for unlawful exploits. For example, it might serve social engineering: once weak entry points (human entry points) are identified, it is used to trick them into letting malware into critical computer systems. More about this – in a different article.

Next level doxing

The middle strength level in doxing would be targeting individuals, but upping the methods of retrieving the data. Instead of searching for publicly/network available information, the doxer gets access to the target’s email, for example. The data stolen belongs to another privacy category. The methods employed presume a degree of hacking into a password-protected virtual space.

Middle level – one may ask. Well, when compared to hacking into an ’s entire database and getting hold of thousands of employees’ mail accounts, messages and internal documents, it is middle level. Nevertheless, account or email hacking and data retrieval both violate privacy and may lead to other exploits. From a single cleverly targeted account, the hackers might even end up facilitating the breach into the general database, which would represent the upper level of doxing.

In 2015, the cyber-security author Bruce Schneier brought to attention a hacker practice on the rise – organizational doxing. In hacker terminology this means deploying an attack targeting an organization, stealing its data and making public all its internal messages’ content, as well as its documents. Schneier called it “a devastating attack and a very effective activist tool” and worried about the cyber-security issues to ensue when putting this together with IoT.

The same Bruce Schneier details organizational doxing and the decline of digital secrecy. The debate over privacy vs. transparency is complicated, and it brings into discussion the various types of organizational secrets: short-term, mid-term and forever confidential data.

Since this type of exploit is performed not only by specialized criminals, but also by people committed to stealing and publishing data as an end in itself, Schneier considers that any organization should have in mind the possibility of data ending up somewhere public. Moreover, so should government agencies. The picture painted here is a pretty confusing one – wait, we were talking cyber-security… what happened? This topic branches out into principles and sociology all of a sudden.

Looking at more recent news, on 15 September the UK was hit by a doxing incident: the full contact details of tech personnel employed at hundreds of organizations surfaced on Pastebin. Purported to come via the Kaspersky Labs clients’ database, the leak is a doxing case. The antivirus company firmly denied it had anything to do with the leak. The real source remained unclear, but the quantity of data clearly suggests organizational doxing.

Doxing Protection

Apparently, uncoordinated and overlapping protection methods do not fully work. When it comes to people with important positions in the companies’ structures, or to enterprise databases – the risks are too high to be neglected.

A professional method of protecting your valuable data is by acquiring one of the services provided by registrars – WHOIS protection, Privacy Guard or others – all serving the same purpose (to protect against online exploits or invasive searches).

When it comes to your cell phone privacy, the FTC provides the National Do Not Call Registry option. It does not cover lots of potential callers – but it is better than nothing. Following it up with opt-out strategies applied to any online services that might list your phone number – there are services that take care of that for you, like Lifelock – ensures a minimal privacy protection.

As for the unwanted texts and spam messages – the ISP or wireless providers might have the answer, by offering special reporting tools.

Other light protective measures, meant for individuals rather than companies, can be logically deduced – using a fake ID or a nickname instead of the real name, not disclosing personal details carelessly on networks and visited websites, generally trying to have a discreet online presence.

Companies face a different challenge – since they need a certain degree of transparency and availability. It seems ironic – paying for publicity and brand presence and marketing, yet remaining actively prudent when it comes to the company data that is publicly available on the Internet.

This dilemma is yet to be solved – as well as other cyber-security challenges that have puzzled the specialists lately. Organizations should assess their strategy regarding their online presence, as well as their cyber-security policy, and try to educate the employees in following a coordinated online behavior code.