A Study of Doxing, Its Security Implications and Mitigation Strategies for Organizations

A Study of Doxing, Its Security Implications and Mitigation Strategies for Organizations

A Study of Doxing, its Security Implications and Mitigation Strategies for Organizations Roney Simon Mathews Shaun Aghili, Dale Lindskog Information Systems Security Information Systems Security Concordia University College of Alberta Concordia University College of Alberta Edmonton, AB, Canada Edmonton, AB, Canada [email protected] {shaun.aghili, dale.lindskog}@concordia.ab.ca Abstract—This research paper focuses on the impact of collection, publishing and use of personally identifiable intentional and unintentional exposure or leakage of sensitive information (PII) [2] by doxers, cause privacy implications. personal data elements that- when aggregated and used or Addressing these risks and mitigating them is challenging to disclosed in an unauthorized manner- could impact the both individuals and organizations. As such the focus of this employees of an organization. Doxing usually escalates to paper is on incorporating dox mitigation strategies, within an hacking, espionage and harassment. Such impacts could damage enterprise’s risk management framework. the reputation or competitive advantage of the organization; especially if the targeted employee is a senior management Personal information discussed in this paper refers to the executive. Threat agents use doxing to collect data undetected, exclusive containment of pieces of data (identifier, quasi- from targeted victims. Doxing is a mode of Open Source identifier or sensitive) that an individual may share on the Intelligence (OSINT), aimed at launching sophisticated attacks internet with a restricted group of people. These may be shared on individuals or employees of an organization, through the on blogs, social networking websites, surveys, and websites collection of personal information over time; as such, doxing is that require collection of user information for creating a considered an Advanced Persistent Threat (APT). Some risk registered account or for providing services, as defined in each management strategies today, may not consider the risk website’s Terms and Conditions. Individuals generally restrict associated with doxing; the objective of this research is to create the availability of certain types of information to a certain its awareness and recommend methods for its mitigation. group of people on social networking websites; however, there are instances when an individual may accidently share this Keywords— Advanced Persistent Threat; Doxing; Open Source Intelligence (OSINT); Sensitive Data; Risk Management personal information to a larger audience aside from the restricted group to which it was originally intended. This also occurs due to software misconfiguration or bugs in a website, I. BACKGROUND accidently revealing personalized information of individuals. People and data are critical assets of an organization. Any This is seen in the case where a bug in Facebook’s “Download compromise of data can be considered as a threat to business Your Information” application shared phone numbers and continuity. Doxing generally, a means of vigilantism, is email addresses of 6 million users [3]. Information about an defined as the overt collection, aggregation and publication of individual may also be available from meta-data present in information of a targeted individual (without his/her consent) documents and pictures, already available doxing dossiers and on the internet for public consumption, with the intention of the availability of an individual’s or an organization’s causing embarrassment, humiliation and damages, in a way communications. The information published can include that threatens the victim’s privacy and possibly those around confidential information of the organization, an employee’s the victim (friends, family members etc.) [1]. The doxed PII, corporate programs, sensitive and strategic corporate information could enable further escalations like espionage, information linked to the employee etc. One might argue that hacking, blackmail and other attack vectors that could the disclosure of personal information, meta-data in documents potentially cause harassment, embarrassment and economic and pictures that were published overtly (though accidental) on losses to the targeted individual. Information stored on the internet is still considered public information. This paper webpages, documents and databases are made accessible via aims to create awareness on how doxers could use this the internet to employees, clients and the public using a myriad information and also the privacy risks that are associated with of devices giving doxers (individuals involved in doxing) an such publications overtly on the internet. opportunity to surreptitiously access information and Doxing is not a random act. A doxer selects a target and compromise pieces of this information, if adequate access begins to dox the target by collecting basic information (name, control methods have not been implemented. As the endpoints address, family members, gender, email addresses, user names, of a corporate network are extended beyond its physical registered websites etc.). Doxers use a myriad of sources (news location and mobile devices, doxers use the internet and the media, social networking, applications installed on mobile mobile device’s information gathering and correlation of devices, Government websites etc.). Applications (with information from multiple sources. In this context, the unsecure privacy settings) installed on mobile devices share organization and also centring the organization to be victim to data among other users of the same application, and other threats like social engineering, hacking, financial crimes additionally help form information records for the application etc. (refer to TABLE II in APPENDIX: that show recent data developer’s database. The doxer creates an aggregated disclosures of several organizations). The key factor to mitigate document referred to as the victim’s dossier. Dossiers can the effects of doxing involves actively monitoring the include published information and hacked communications information disseminated via social-media networks, emails from websites such as WikiLeaks. This is published in pro- etc. [1]. doxing websites such as AnonBin, DoxBin and PasteBin. The process involved in doxing is outlined in Fig. 1; however On August 2nd 2011, the Federal Bureau of Investigations describing each of the stages is beyond the scope of this paper. Intelligence Bulletin on Cyber Intelligence broadcasted a bulletin among law enforcement agencies alerting law enforcement officials to a high exposure rate to harassment and Agglomerate/ identity theft through doxing [4]. This bulletin was circulated Find Verify Link Publish Accumulate based on law enforcement agencies activities against Anonymous and LulzSec members. Doxing is a means of retaliation by hactivists. The Bit9 US Global survey of IT Fig. 1. Demonstrates the process flow involved in doxing Professionals report that: sixty two percent (62%) of respondents in North America and fifty seven percent (57%) Hactivists use computers and computer networks to rally from Europe categorized hactivists as the primary attackers of against a political agenda or voice concern about an issue. An organizations; rated higher than corporate competitors, attacker may use this doxed information in performing other disgruntled employees, nation states and cyber criminals [1] attacks like social engineering and hacking; to gather and plan [5]. As such, doxing should be considered as a major threat by intrusive future attacks against an organization. Doxers may be organizations due to its effectiveness and relative simplicity. motivated by financial gain, revenge, mischief or a special Open Source Intelligence (OSINT) involves intelligence cause. gathered from overt sources that are used by security services The purpose of this paper is to provide information security and law enforcement agencies and can be shared amongst professionals with: friendly agencies [6]. Analyzed OSINT reports can become classified and are never shared with the public [6]; however, An awareness of the risk-impacts of doxing to doxing involves publishing to the general public (creating a individuals and organizations; larger audience) and a cause for security concern. There are A review of related findings that tailor towards privacy risk impacts caused due to unauthorized use, disclosure building up a case for the need of a risk model to and retention of personal information. This gathering of mitigate doxing; information overtly is done by performing inference attacks over quasi-identifier (birthdays, address, zip codes, city, gender An ISO/IEC 27005 compliant proposed risk etc.) and sensitive (anniversary dates, vehicle registration model which can be integrated into an numbers etc.) attributes of an individual [7]. By using organizational risk management framework. This background knowledge (common sense and domain proposed risk model should be capable of aligning knowledge), a doxer performs inference attacks to connect and itself to existing risk assessment frameworks; match information elements together, gaining more personal information when combined. Although these information Recommendations aiming to enhance the elements on their own do not provide for neither meaningful mitigation strategy against doxing; information, nor sensitivity, nor impact [6] [7]; through the use The current section provides an introduction to the concept of data mining methods, doxers are able to develop of doxing and

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    10 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us