
posted by Fnord666 on Saturday March 11 2017, @12:46PM
from the sudden-outbreak-of-common-sense dept.

Bruce Schneier has published an article on self-defense against doxing:

Doxing isn't new, but it has become more common. It's been perpetrated against corporations, law firms, individuals, the NSA and -- just this week -- the CIA. It's largely harassment and not whistleblowing, and it's not going to change anytime soon. The data in your computer and in the cloud are, and will continue to be, vulnerable to hacking and publishing online. Depending on your prominence and the details of this data, you may need some new strategies to secure your private life.

There are two basic ways hackers can get at your e-mail and private documents. One way is to guess your password. That's how hackers got their hands on personal photos of celebrities from iCloud in 2014.

How to protect yourself from this attack is pretty obvious. First, don't choose a guessable password. This is more than not using "password1" or "qwerty"; most easily memorizable passwords are guessable. My advice is to generate passwords you have to remember by using either the XKCD scheme or the Schneier scheme, and to use large random passwords stored in a password manager for everything else.

Second, turn on two-factor authentication where you can, like Google's 2-Step Verification. This adds another step besides just entering a password, such as having to type in a one-time code that's sent to your mobile phone. And third, don't reuse the same password on any sites you actually care about.

You're not done, though. Hackers have accessed accounts by exploiting the "secret question" feature and resetting the password. That was how Sarah Palin's e-mail account was hacked in 2008. The problem with secret questions is that they're not very secret and not very random. My advice is to refuse to use those features. Type randomness into your keyboard, or choose a really random answer and store it in your password manager.

Finally, you also have to stay alert to phishing attacks, where a hacker sends you an enticing e-mail with a link that sends you to a web page that looks almost like the expected page, but which actually isn't. This sort of thing can bypass two-factor authentication, and is almost certainly what tricked John Podesta and Colin Powell.

Most of it is old-hat or even second-nature for many Soylentils, but it's a readable article that could be shared with more non-technical friends and family members.


Original Submission

  • (Score: 4, Insightful) by Refugee from beyond on Saturday March 11 2017, @12:50PM (8 children)

    by Refugee from beyond (2699) on Saturday March 11 2017, @12:50PM (#477727)

    > Second, turn on two-factor authentication where you can, like Google's 2-Step Verification. This adds another step besides just entering a password, such as having to type in a one-time code that's sent to your mobile phone.

    Actually, no. Don’t. Linking your online activity to your mobile phone is also dangerous.

    --
    Instantly better soylentnews: replace background on article and comment titles with #973131.
  • (Score: 0, Flamebait) by Ethanol-fueled on Saturday March 11 2017, @03:37PM (3 children)

    by Ethanol-fueled (2792) on Saturday March 11 2017, @03:37PM (#477763) Homepage

    As is using all Jewgle services.

    • (Score: 3, Funny) by linkdude64 on Saturday March 11 2017, @05:15PM (2 children)

      by linkdude64 (5482) on Saturday March 11 2017, @05:15PM (#477793)

      The Red Pill must be administered in smaller doses.

      • (Score: 1) by Scruffy Beard 2 on Saturday March 11 2017, @05:36PM (1 child)

        by Scruffy Beard 2 (6030) on Saturday March 11 2017, @05:36PM (#477797)

        You must also tailor your wording to match your audience. This is not the place for random anti-semitism.

  • (Score: 2) by Nerdfest on Saturday March 11 2017, @03:39PM (3 children)

    by Nerdfest (80) on Saturday March 11 2017, @03:39PM (#477765)

    Google's 2 factor solution is non-connected and is just a time based hash. You can run it on any device you like. I think it's actually open source as well. This is not the typical SMS based 2 factor. The only flaw I'm aware of with the solution is that it's possible to generate a key that will work at a known future point if you have control of the device running the algorithm.

    • (Score: 3, Interesting) by Scruffy Beard 2 on Saturday March 11 2017, @05:33PM (2 children)

      by Scruffy Beard 2 (6030) on Saturday March 11 2017, @05:33PM (#477795)

      This must be new, because I remember hearing about various youtubers getting "hacked"

      Linus got hacked!?!?!? - Honest Answers Episode 3 [youtube.com]

      ...Linus tech twitter handle, and my personal hotmail and gmail, (and) then by extension, my domain registrar were compromised...
      An individual used... Identity fraud to convince Bell Canada to activate a SIM card in my name.
      Which immediately deactivated my own SIM card and started forwarding all phone calls and text messages to that individual's phone.
      ...in some cases (SMS) can act as a single authentication factor for lost password requests.
      ...The attackers never got into the Youtube channels....
      They vandalized my Twitter, used registrar dashboard to redirect traffic from Linustechtips.com, and incoming mail to linusmediagroup.com domain.
      ...I feel like it is important to recommend to our viewers to do a security audit to ensure:

      • that their accounts do not: have a single point of entry; including through their phone.
      • that they call their provider to ask who is authorized to make changes to the account
      • (ask) what the process is for validating that person's identity.

      Those guys aren't going to understand how serious this problem is until it starts increasing their call volumes, and affecting their bottom lines.

      • (Score: 2) by Nerdfest on Saturday March 11 2017, @07:11PM (1 child)

        by Nerdfest (80) on Saturday March 11 2017, @07:11PM (#477827)

        This is not new, I've been using it for at least five years. They may also have SMS verification available, but not that I'm aware of. Alternatively, if a person has a phone number set up as a fallback, that can be used to send a voice code to (not SMS, but equivalent). Using this fallback is not required.

        • (Score: 2) by Nerdfest on Saturday March 11 2017, @07:17PM

          by Nerdfest (80) on Saturday March 11 2017, @07:17PM (#477830)

          ... also, in your quote it says "the attackers never got in the YouTube channels". This may mean that the other accounts had SMS based 2 factor, but YouTube didn't.