Saturday, December 2, 2017

Uber Data Breach

  • Firm paid hackers $100,000 to delete data and keep breach quiet
  • Chief security officer Joe Sullivan fired for concealing October 2016 breach
  • Uber disclosed the year-old hack last week. Taken were names, email addresses and mobile-phone numbers of 57 million riders as well as driver's license numbers of 600,000 drivers.
 
 

Doxing

 
Doxing (from "dox", an abbreviation of "documents"; also spelled ‘doxxing’ or ‘docxing’) is the practice of researching and broadcasting private or identifiable information (especially personally identifiable information) about an individual. This information may include names, addresses, telephone numbers, family information, financial information, vehicle descriptions, and more.
 
The Fordham Law Review has an interesting discussion of the law as it relates to doxing: "The Doxing Dilemma: Seeking a Remedy for the Malicious Publication of Personal Information" 
 
Once this personal information is published on-line it can be accessed by anyone. Doxing is, in and of itself, not necessarily illegal, but it may spur illegal activity such as stalking, harassment, identity theft, physical confrontations, and threats of violence.

In many cases, information used in doxing is already available through public sources. Voter registration, property records, and information from data brokers, such as Pipl, Spokeo, and ZabaSearch, can reveal a lot of detail about a person. Freedom of Information Act (FOIA) / Public Records Requests can reveal information that may not be readily available on-line. Social media (e.g. Facebook, Twitter, and Instagram) can reveal more personal information if privacy settings are not strongly configured or if you are careless about the type of information that you post.
 
Doxing is a technique used by both left-wing and right-wing activists, as well as by others who believe that they have been wronged by the person being doxed. Law enforcement personnel are increasingly being targeted for doxing, either by activists who believe that police officers acted unlawfully, or as a means of retaliation by individuals who were arrested by the police for some crime. Doxing can be especially dangerous for undercover officers, where it can jeopardize police operations and put officers at risk of attack from violent criminals.
 
Preventing Doxing
 
Doxing is best mitigated through good personal OPSEC. An adversary can’t disclose information that he or she can’t find. Personal threat modeling is an important part of your OPSEC plan. What information do you want to protect? What information is already available to others? It is not generally possible to protect every piece of information, so it is important to focus on protecting the information that you consider most personal or sensitive. Whenever possible, have information about you removed from publicly accessible databases and records. Request that web-site owners and data brokers not display your personal information on-line.  
 
Also, look at your public profile. Do you have a job or hold an office that is likely to generate controversy? If so, limit to the extent possible the amount of personal information that you disclose. Use organization / office identifiers and contact information - avoid personal signature blocks in any general distribution. Keep your "official presence" separate from your personal activities on-line. Always act professionally when doing your job. While you can be targeted for no good reason, it is much more likely that you will become a target if you act like a jerk and think that your official position will shield you from public response. According to an article on MakeUseOf  "The people who are most likely to dox you in a malicious way are those who have something against you. Common sense, I know, but it’s easy to think that you can hide behind Internet anonymity [or your official position] and get away with being a jerk. Don’t be a jerk, don’t be a troll, don’t do or say anything you wouldn’t do or say in person. Basically, don’t give anyone a reason to dox you in the first place."  
 
There are several resources that may help you protect yourself against doxing. A few guides are listed below, but all practices intended to increase your personal privacy help to protect you against doxing.
 
 
 
 
 
 
 
Following the advice in the above guides, and in other privacy related guides, such as my Individual OPSEC & Personal Security Guide, can help protect you against doxing, and mitigate the effect if you are targeted. Even if you are not concerned about being doxed, the information in these guides can help protect you against other threats such as identity theft, or loss of your personal information during a data breach.
 



Friday, December 1, 2017

Operations Security (OPSEC)

 
Operations security (OPSEC) is a process that identifies critical information to determine if friendly actions can be observed by an adversary, determines if information obtained by adversaries could be interpreted to be useful to them, and then executes selected measures that eliminate or reduce adversary exploitation of friendly information. In a more general sense, OPSEC is the process of protecting individual pieces of data that could be grouped together to give the bigger picture (called aggregation).
 
OPSEC is most effective when fully integrated into all planning and operational processes.  OPSEC should also be a part of your personal daily routines and activities. An adversary won’t just target you during duty hours, or through official channels, but will look for any weakness or vulnerability that he or she can exploit.
 
OPSEC is a continuous process.
 
The OPSEC process involves five steps:
 

 
1. Identification of Critical information: Critical information is information about friendly intentions, capabilities and activities that allow an adversary to plan effectively to disrupt their operations.
 
2. Analysis of Threats: A Threat comes from an adversary - any individual or group that may attempt to disrupt or compromise a friendly activity. Threat is further divided into adversaries with intent and capability. The greater the combined intent and capability of the adversary, the greater the threat.
 
3. Analysis of Vulnerabilities: Examining each aspect of the planned operation to identify OPSEC indicators that could reveal critical information and then comparing those indicators with the adversary’s intelligence collection capabilities identified while conducting the analysis of threats. Threat can be thought of as the strength of the adversaries, while vulnerability can be thought of as the weakness of friendly organizations.
 
4. Assessment of Risk: The core premise of assessment of risk is that the probability of compromise is greatest when the threat is very capable and dedicated, while friendly organizations are simultaneously exposed.
 
5. Application of Appropriate OPSEC Countermeasures: Countermeasures must be continually monitored to ensure that they continue to protect current information against relevant threats. Countermeasures include controlling one's own actions; countering adversary intelligence collection; and creating difficulty for adversary analysts seeking to predict friendly intent.
 

Know The Laws of OPSEC
 
The First Law of OPSEC
If you don’t know the threat, how do you know what to protect? Although the first step in the OPSEC process is identifying your critical information, different adversaries will be interested in different types of information. Foreign intelligence services are interested in your operations, capabilities and limitations, while criminals are more interested in your personal information. Terrorists may be interested in both. Some threats change from location to location, while others remain the same. You need to make sure that members of your organization know the threat environment for your unit’s location so they can determine what to protect.
 
The Second Law of OPSEC
If you don’t know what to protect, how do you know you are protecting it? The "what" is your critical and sensitive information that the adversary needs to meet his objective. This, of course, depends on your response to the first law of OPSEC. Too many times individuals have found that they were concentrating on protecting information that was already known or wasn’t really important to the adversary.
 
The Third Law of OPSEC
If you are not protecting it (the critical and sensitive information), the adversary wins. You conduct vulnerability assessments to determine how an adversary can exploit your information. These assessments need to look at what you do and how you do it to determine if there is an inadvertent leak of information. Based on the findings of the assessment, you develop countermeasures to the vulnerabilities and the commander then determines what risks are unacceptable and what risks are acceptable.

On-Line OPSEC Training & Resources
 
You can learn more about OPSEC by taking free, on-line training courses provided by the Department of Defense. I encourage anyone interested in OPSEC to complete all three of these on-line courses.
 


New Faces of Threat Computer Based Training
 
 
The DoD Education Activity provides OPSEC information on their web-site
 
IVPN's four-part article, "Online Privacy Through OPSEC and Compartmentalization", is an excellent overview of personal OPSEC.
 
My guide to Individual OPSEC and Personal Security is available here. 
 

Thursday, November 30, 2017

CyberStalking

 
In July 2017, a Pew Research Center survey found that forty-one percent (41%) of Americans claimed to have experienced some form of on-line harassment. Of those claiming to have been harassed on-line, the majority described this harassment as name calling or intentional embarrassment. Only eighteen percent (18%) of those surveyed claimed to have experienced a more severe type of harassment such as "physical threats, sustained harassment, stalking and sexual harassment". (1)
 
Of all of those who claimed to have been a victim of on-line harassment, fifty-eight percent (58%) claimed that the harassment came through social media (i.e. Facebook and Twitter), twenty-three percent (23%) claimed that the harassment occurred in the comments section of a web-site, while fifteen percent (15%) claimed that they were harassed through a text message or messaging app.
 
The most commonly cited reason for being harassed on-line was one’s expressed political views. Of those individuals who claimed to have been the victim of on-line harassment, thirty-five percent (35%) related that this harassment was in response to their expressed political views. Political harassment was equally likely with both Republicans and Democrats.
 
To summarize the Pew Research Center data, a small percentage (18%) of Americans claim to be victims of the more severe types of harassment, that harassment most often (58% of the time) is posted to social media, and most commonly (35%) relates to the harassed person’s political views.
 
The video "The Use of Technology to Stalk" highlights how technology may be used in more severe forms of cyberstalking. This 15-minute training video was designed to enhance awareness among professionals working with stalking victims of how stalkers use a vast array of technologies available today. 

Most commonly offered advice for victims of on-line harassment goes something like this: Never respond to the harasser, document everything, file complaints with the Internet Service Provider and with the police. While this is reasonable advice, let’s look at a few other things that we might do.
 
First try to identify the reasons you have become a target for on-line harassment. If you are being harassed on-line, you probably have some kind of an on-line presence. Are you posting comments on-line that others might consider inappropriate, offensive, or harassment from you? Yes, you certainly have a right to express an opinion about controversial topics on-line, but others have a right to respond; and controversial topics often lead to heated discussions, some of which may get out of hand. If you are involved in an on-line debate that is getting out of hand, stop posting and commenting yourself, and let the situation cool down a bit.
 
Avoid making public accusations about the person(s) whom you believe to be harassing you. If you are right, this just feeds the cyberstalker and keeps him/her interested in you (never respond to a harasser). If you are wrong you may find yourself facing a lawsuit for libel and defamation. Generally speaking, your best course of action when dealing with cyberstalkers is to block their ability to contact you, and limit their ability to gather information about you (i.e. employ good personal OPSEC).   
 
On most social media sites, you can block other users from contacting you or accessing your on-line posts. You can also set e-mail filters to block e-mail from specific addresses or domains, and to filter out messages containing specific content (such as profanity). On your cell-phone / smartphone you can block text messages and calls from specific numbers. Blocking works when you know who is harassing you. Filtering works when you want to avoid specific content. Whitelisting is another option where you set your accounts to accept messages only from people that you have specifically approved.
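
The difference between blocking, filtering and whitelisting described above, as an added example that is not part of the original post. The sample messages, addresses and list contents are constructed for illustration, and `decide` and `compare` are hypothetical helper names:

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages; every address uses a reserved example domain.
SAMPLES = {
    "known_harasser": "From: Troll <troll@bad.example>\nSubject: hi\n\nyou again",
    "new_address": "From: Anon <fresh123@mail.example>\nSubject: hi\n\nYou are an IDIOT",
    "spoofed_name": 'From: "alice@friends.example" <x9@mail.example>\n'
                    "Subject: lunch\n\nsee you soon",
    "friend": "From: Alice <Alice@Friends.example>\nSubject: lunch\n\nsee you at noon",
}

BLOCKED_ADDRESSES = {"troll@bad.example"}   # blocking: specific addresses
BLOCKED_DOMAINS = {"bad.example"}           # blocking: whole domains
FILTER_TERMS = {"idiot"}                    # filtering: unwanted content
APPROVED = {"alice@friends.example"}        # whitelisting: approved senders


def decide(raw, mode):
    """Return 'deliver' or 'reject' for one raw message under one policy."""
    msg = message_from_string(raw)
    # Match on the address part only; the display name is free text that the
    # sender controls and may imitate an approved contact.
    _display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    if mode == "block":
        hit = addr in BLOCKED_ADDRESSES or domain in BLOCKED_DOMAINS
        return "reject" if hit else "deliver"
    if mode == "filter":
        text = (msg.get("Subject", "") + " " + str(msg.get_payload())).lower()
        return "reject" if any(t in text for t in FILTER_TERMS) else "deliver"
    if mode == "whitelist":
        return "deliver" if addr in APPROVED else "reject"
    raise ValueError("unknown mode: " + mode)


def compare():
    """Decision for every sample under each of the three policies."""
    return {name: {m: decide(raw, m) for m in ("block", "filter", "whitelist")}
            for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:15} {row}")
```

The From header is supplied by the sender, so an approved-sender list like this is only as strong as the mail provider's sender authentication (SPF, DKIM, DMARC).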
 
Most social media platforms have simple steps that you can take to block another user who is bothering you. Here are just a few examples:
 
 
On-line Safety Tips

 
 
Practice Individual OPSEC and Personal Security on a daily basis. Incorporating good security practices into your life can protect you from on-line harassment as well as mitigating threats that you may face from other sources.
 
While all of the above applies to your personal social media accounts and personal communications, the question arises: Do public officials have the right to block users who insult them or post scathing comments publicly? According to a ruling by at least one court, the answer is no.
 
An interesting August 2017, article on NextGov.Com discusses this question of
 
 
Government employees are facing an interesting dilemma. They're trying to meet citizen demands for more personal forms of engagement with government. Yet, when they adopt social media channels to do this, they open themselves up to public feedback and criticism.
 
As a public official, do they have the right to block users who insult them or post scathing comments publicly? Apparently not. In July, the American Civil Liberties Union asked Kentucky Gov. Matt Bevin to stop blocking people from following his social media accounts; Michigan state government accounts were reported to have blocked more than 800 Twitter handles, including @POTUS; and the El Paso Police Department's public affairs staff blocked users from the department’s Twitter and Facebook accounts.
 
This culminated recently when a federal court judge ruled against a Virginia official  who banned a user from accessing her Facebook page. The results of this case pose serious consequences that could reach as far as the White House - a similar suit has been filed against President Donald Trump with regards to his personal Twitter @realDonaldTrump.
 
 


Wednesday, November 29, 2017

VeraCrypt

VeraCrypt is free, open-source disk encryption software for Windows, Mac OSX and Linux, based on TrueCrypt 7.1a. VeraCrypt allows you to (1) Create an encrypted file container, (2) Encrypt a non-system partition / drive (such as a flash drive), and (3) Encrypt the system partition or entire system drive.
 
Once you have downloaded and installed VeraCrypt on your computer, making an encrypted container is very simple. Just run VeraCrypt, click the ‘Create Volume’ button and follow the steps in the wizard to create an encrypted file container. Once created, the VeraCrypt encrypted file container works like another drive on your computer. Choose an unused drive letter, mount your encrypted file container and everything in the container is available to use. When you dismount the container everything in it is encrypted, helping to protect your sensitive files and folders if your computer is ever hacked, seized, or stolen.
 

To mount an encrypted file container, run VeraCrypt and select the file that is your encrypted container. Click the ‘Mount’ button and enter the password for that container (VeraCrypt recommends passwords of at least 20 characters). The container is then decrypted and becomes available. To re-encrypt everything in the container, just select the drive letter for the container and click the ‘Dismount’ button. You can have multiple encrypted file containers on your computer, as long as you have available space on your hard-drive to create them.
 
VeraCrypt has several additional features, all of which are explained in the VeraCrypt User Guide. Take time to read this documentation and learn how you can use VeraCrypt to safeguard your private and sensitive information. I use VeraCrypt and recommend it as an effective means of adding additional security to your digital files and folders.
 
Download Your Copy of VeraCrypt here: https://www.veracrypt.fr/en/Home.html
 




Tuesday, November 28, 2017

WHONIX

 
Whonix is a desktop operating system designed for advanced security and privacy. Whonix mitigates the threat of common attack vectors while maintaining usability. Online anonymity is realized via fail-safe, automatic, and desktop-wide use of the Tor network. A heavily reconfigured Debian base is run inside multiple virtual machines, providing a substantial layer of protection from malware and IP address leaks. Commonly used applications are pre-installed and safely pre-configured for immediate use. The user is not jeopardized by installing additional applications or personalizing the desktop. Whonix is under active development and is the only operating system designed to be run inside a VM and paired with Tor. Whonix is available for all major operating systems. Most commonly used applications are compatible with the Whonix design. https://www.whonix.org/
 
 

Monday, November 27, 2017

Carpenter v. U.S.

 
When the US Supreme Court Justices return from holiday break this month they are expected to rule on the case of Carpenter v. U.S. At issue is "whether the warrantless seizure and search of historical cellphone records revealing the location and movements of a cellphone user over the course of 127 days is permitted by the Fourth Amendment."
 
Timothy Carpenter argues that his Fourth Amendment rights against unreasonable search and seizure were violated when the government obtained his cell phone location records from MetroPCS and Sprint without a warrant. The government argues that it has the right to obtain this type of cell-phone record without a warrant under the 1986 Stored Communications Act, that allows this type of data to be searched if the government can show reasonable grounds to believe it will be relevant to a criminal investigation. The government further argues that Carpenter lacks a legitimate expectation of privacy because he voluntarily turned his location information over to a third party when he signed up for cell service.
 
Over a dozen companies are urging the US Supreme Court to rule that Fourth Amendment protections apply to the cellphone location data. Apple, Google, Microsoft, Facebook, Verizon, and other technology and telecom companies have filed an amicus brief with the Supreme Court, arguing that the phone data should not be accessed by law enforcement without a warrant or court order.  
 
The decision in this case is likely to have broad and long-term effects on the privacy rights of Americans. It is my belief that we do have a reasonable expectation of privacy in our digital data. As Justice Roberts said in Riley v. California "Modern cell phones are not just another technological convenience. With all they contain and all they may reveal, they hold for many Americans "the privacies of life". The fact that technology now allows an individual to carry such information in his hand does not make the information any less worthy of the protection for which the Founders fought."