Self Doxing: Loose Lips Sink Ships

Talk too much

For anyone who spends any time reading my content, you may remember a recent post that outlines my thoughts on the general basics of Operational Security. A well timed tweet last week, sparked by this article, kicked off some interesting conversations around the topic which resulted in the series of thoughts that sparked what you’re reading now. During the interactions on Twitter, one tweet in particular hit on several areas that I observe to be blatantly prevalent as I travel, work in the field, or observe people in general daily life.

Since these were called out by others during the conversation, and I have had the (mis)fortune of running into some of them recently, I figured I’d expound on the topics. In my normal fashion, I thought some anecdotes could help drive the visibility up a bit and hopefully get some of you thinking a little differently about how you handle yourselves in public.

What is “Doxing”?

First, a little background. Somewhere along the line “doxing” became a recognized form of internet attack. Basically, this tactic requires the attacker(s) to scour internet resources to gather information on a targeted individual, and then broadcast personal or private information about that person. While the point of this article is not to go in-depth into the world of doxing, some high profile examples are outlined on the Wikipedia page covering the topic.

Typically, attackers will use the collected information to put pressure on targets, or to put them at risk in the most severe circumstances. While this most often is the result of actions taken by attackers against us, all too often people fall victim to “self-doxing”. In these instances, inattention to details or surroundings falsely convinces a person that they are in a safe place to divulge certain information. All of these vectors are viable and often employed ‘in the wild’. As an attacker, I exercise these skills without even thinking about it. Here is my take on the subject:

Shoulder surfing

I was sitting aboard a flight recently, exit row aisle seat. I had been drawn to one particular individual who’d caught my attention through his generally boisterous nature during the boarding process. His holier-than-thou arrogance dripped off him, much like the aroma of the Tommy cologne he must’ve bathed in that morning. My eyes, closed as usual to appreciate the sensation of takeoff, opened when the flight attendant came over the PA with an annoyed tone. Her reminder to remain seated through the ascent was prompted by Mr. Important as he was standing in the aisle 2 rows ahead of me, digging his laptop from his belongings in the storage compartment above.

When he settled back into his seat, I couldn’t help myself but to get a peek at what was so pressing. In the hour that followed, I caught sight of documents his company surely wouldn’t want outsiders to see. I didn’t take photos for proof but I’m pretty sure capturing these documents would have been fairly easy to do. I also saw other juicy tidbits like contact information for others within Mr. Important’s company. Were I a bad guy, I could have leveraged the information here in a social engineering campaign to gain access to more sensitive information, and potentially unauthorized access into the company itself.

It’s wise to be mindful of your surroundings, especially when traveling. You never know who’s watching so exposing sensitive data should always be considered a risk in public. These things can usually wait until you’re in a private place where prying eyes are not a concern. However, if you must touch sensitive data in public, use a privacy filter to reduce exposure to onlookers.

Passive conversation listening

I ran into two separate instances on the same trip recently, where the information divulged in conversation provided me with enough information to identify the individuals, and gather significant pieces of private information about them, to make a significant impact upon their personal lives. I wanted to share these experiences here in hopes that we can reduce the number of times so much information is divulged in such a short time.

Mary Loves to Fly

I’d never met Mary before. Nothing about her caught my attention. She was already in the middle seat, one row behind me, when I settled into mine. As the plane filled, conversations rambled as they do, and when Mary’s travel neighbors settled in, she chatted up a storm with Lucy in the window seat next to her. Now I am usually a pretty passive listener, a skill honed over a lifetime which lets me parse conversations and pick up on valuable tidbits. It’s quite nice for drowning out the general drivel of small talk while still letting me tune in when the conversation turns juicy.

A few minutes into Mary’s conversation with Lucy and I was gleaning bits and pieces of data that officially had me tuned in. Mary had given up her last name within minutes as well as her husband’s name, he was sitting up in first class but she thought the upgrade was not worth the cost, and the names of their 3 kids who were waiting for them on the other side of the flight. By the time we touched down I knew cities of residence, places of employment, and names. With a little OSINT gathering, there was enough public record and social media interaction to provide me with a full profile of all 5 members of this family.

Alexis and Her Lexus

On this same business trip, I was out to dinner at a local establishment. I sat at the bar and soaked up the atmosphere of the locals. 3 middle-aged men were at one corner of the bar sharing all kinds of tall tales, and taking their opportunities to hit on the young bartender, Alexis. Through the conversations they’d strike up with her, I learned she was a very proud owner of a Lexus RC, she was somewhat of a gym rat, and she once threw a full bottle of wine at an ex-boyfriend’s head in a rage after finding out he cheated on her. Oh, and her last name.

I was already in the mindset of the effects of this information leakage, and so I did a little more digging and was again able to gather some pretty deep detail on this subject, just from the couple hours of conversation I listened into at the bar one evening.

With cases like the murder of Kenichiro Okamoto fresh in our minds, we have to realize that oversharing can be deadly. Sure, this is an extreme case but people don’t realize how much information they leak on a regular basis. Stop talking about your children in so much detail with strangers. Don’t be so comfortable to divulge details of where you work with someone you’ve just met – let alone in the open air of an airplane with countless unknown listeners.

Dumpster diving

The old adage rings true. One’s trash really can be treasure to another! The information discarded into the trash can often be used to the advantage of a threat actor. Think about what you’re getting rid of and how it might be used in the hands of some nefarious evil doer. As much as we’d like to think it won’t happen to us, the chances are ever increasing that someone will act upon a crime of opportunity and make use of data if it’s easily accessible.

Public computers

I’m always surprised by the number of people I see who are still using shared computers. At the library, in the airport, and most often at hotels, people log into these shared machines for many reasons. I don’t have much to offer here because I strongly recommend bringing your own device to access data when on the road. But if you must use a shared machine:

  • Learn to delete cookies from the web browser
  • Delete any files downloaded to the machine
  • Log out of EVERYTHING

Unattended devices

Here is another vector that just boggles my mind. Why, in today’s hostile world, do people ever find it appropriate to leave their belongings unattended? I can’t comprehend this logic. Even the cheapest MP3 player can be left alone and someone will take it simply because they can! People aren’t nice. If you have something of any value, they’re likely to want it for their own.

Picture you’re in a parking lot, standing between 2 cars among a sea of others. 1/2 mile from anyone else with no surveillance. One car is locked and has a $100 bill sitting on the passenger seat. The other, windows down and unlocked, with a $5 in the cup holder. The chances are great that the $5 gets stolen more often than the $100 simply because of availability and ease of access. Make yourself an easy target and you make yourself a definite target.

My New Year’s Resolution

How did we get here?

As I was enjoying the Christmas holiday with family, a revelation washed over me. My affinity for technology, once a healthy hobby, had devolved into a sick dependency and an addiction. This experience sparked some intense reflection into how I used to love getting my hands on the keyboard and getting online but now the internet is ubiquitous and ingrained into pretty much every aspect of my life. The joy had faded into an expectation and now, when I’m not connected, I find myself wondering what’s happening. I had to acknowledge that I’d fallen prey to FOMO.

I started to become more conscious of this over the days since and I started to see how much time I’d spent on some digital device looking at social media. But it was worse. After spending all day with my face in a screen, rather than have conversations over a meal I would thumb through Facebook and continue to evade the human connection. I started to look back on how many times someone would post something on Facebook or @ me on Twitter when we were in the same room.

How does it happen?

The root of the problem is that we are all, at our base roots, drug addicts. You may not drink. You may not smoke. You may avoid caffeine. But you’re human and therefore you’re an addict. There are some really great articles which explain this in deeper detail than I’ll cover here, but the fact is that we are all driven to seek satisfaction. With the internet, Twitter, and texting we now have almost instant gratification of this desire to seek. We no longer have to leave a message on someone’s answering machine, wait for them to get home to listen to the message, and wait for a return call. Now you can just shoot a quick text. This increased level of instant gratification can create a dopamine-induced loop. The dopamine starts you seeking, which leads to rewarding satisfaction, which sets us on another search. It becomes harder and harder to stop looking at email, stop texting, or stop checking your cell phone to see if you have a message or a new text.

Taking action

Well, now that I’ve realized how big this dependency has become, I have to do something about it. And being on an endless quest for knowledge and growth, I’ve devised a plan to not only break me from my obsession, but to use the opportunity to level up my skills in psychology and situational awareness.

Cutting the cord

The first step in my plan is to delete the social media applications from my phone. Not only will this help my aim of breaking the compulsion to be connected, but it will also mean fewer distractions from the associated notifications and increased battery life on my smartphone. When I saw this tweet on the topic, I knew I was on the path to doing something right.

Filling the silence

As I’ve been mentally preparing myself for this endeavor, one that I admittedly expect to be quite challenging, I started forcing myself to slowly stop using the phone. When I become conscious that I’m surfing social media, I force myself to put the phone away and reinsert myself into real life. This has helped me to realize how I was getting the added benefit of escaping what was in front of me. Faced with this increased opportunity to engage people I have been enjoying more conversations where there used to be nothing but silence.

And hacking…

As with all things, one only takes from an experience what they put in. While this New Year’s resolution will certainly allow me to get closer with my friends and family, there is also a more nefarious method to my madness. In my continuing quest to improve my social engineering techniques, I intend to increase my use of various tactics during these random encounters with strangers. While these skills might be used for evil, my intent will be more to exercise my conversational techniques so that I might apply them in the field during penetration testing.

Using conversational signals, and techniques like projection, I’ll be working to learn more about how to profile people during random engagements, how to read them on the fly, and how to find the combination of conversational tactics that bring them to a place where I can extract a piece of data.

Conclusion

Today, I delete these apps from my phone. I’ll only be using social media from my laptop, when I’m online and connected. With every day that passes, I feel more and more like I’m living in a society prophesied in the movie Idiocracy. People are simultaneously becoming increasingly harder to deal with and decreasingly smart, and social media on demand only makes it worse. My intention is to learn more about people, learn more about myself, and generally become more present in the moments I have the privilege of experiencing as I navigate the choppy sea of life. Here’s to growth and adventure in 2018!

A Christmas Rant

Please allow me to rant for a moment…

I was engaged in a conversation recently when I was met with a statement that someone “had to buy me a gift, so it might as well be $thing.”

O____________________O

Let me get one thing absolutely straight, for anyone listening.

You are not *REQUIRED* to buy, make, or otherwise procure a gift for me for any reason other than because you want to. I conform to many social conventions to be congenial but I abhor the social requirement of reciprocal gift giving.

If I haven’t impacted your life in a manner significant enough to make you feel like showing your appreciation, don’t phone it in. If you haven’t come across something that just screams me, save your hard earned money. If you’re just buying the biggest canned gift basket that fits within your allotted gift amount because you’re obligated, please don’t.

The fact that someone might be forced into giving a gift totally sucks any enjoyment out of receiving said gift for me, as the recipient, and it puts me in a bit of an angry state when the tables are turned. Gifting used to mean something, and sometimes it still does. But more often than not in this consumer driven world, we use stuff as a substitute for substance. It is not!

I hope this doesn’t come off as me being a jerk; that is not my intent. But the commercialization of holidays like Christmas has completely destroyed their true meaning, and they have become disgusting perversions of what they’re supposed to mean.

I promise, I will get more joy out of spending time with people who matter, disengaging from a pretty much constant work culture, and finding some time to actually relax, than I will in another tie or reindeer boxer shorts or that knock-off Android tablet that you won from work.

CAVEAT: Bourbon. Bourbon is always accepted and appreciated.