Dox Yourself (transcript)
![Page 1: Dox Yourself](https://reader036.vdocument.in/reader036/viewer/2022062302/5883089d1a28abe70d8b6dbb/html5/thumbnails/1.jpg)
Dox Yourself
Samuel Greenfeld
December 3, 2015
![Page 2: Dox Yourself](https://reader036.vdocument.in/reader036/viewer/2022062302/5883089d1a28abe70d8b6dbb/html5/thumbnails/2.jpg)
Disclaimer
• This presentation uses personal examples
• Some fields are blacked out in case someone takes pictures
• I know you can find the information
• I have no doubt you can make my life or others miserable
• Please Don’t
![Page 3: Dox Yourself](https://reader036.vdocument.in/reader036/viewer/2022062302/5883089d1a28abe70d8b6dbb/html5/thumbnails/3.jpg)
Introduction
![Page 4: Dox Yourself](https://reader036.vdocument.in/reader036/viewer/2022062302/5883089d1a28abe70d8b6dbb/html5/thumbnails/4.jpg)
![Page 5: Dox Yourself](https://reader036.vdocument.in/reader036/viewer/2022062302/5883089d1a28abe70d8b6dbb/html5/thumbnails/5.jpg)
![Page 6: Dox Yourself](https://reader036.vdocument.in/reader036/viewer/2022062302/5883089d1a28abe70d8b6dbb/html5/thumbnails/6.jpg)
![Page 7: Dox Yourself](https://reader036.vdocument.in/reader036/viewer/2022062302/5883089d1a28abe70d8b6dbb/html5/thumbnails/7.jpg)
SSNs historically predictable
• Prior to June 25, 2011, SSNs were issued in a predictable sequence
• First three digits = state/territory of issuance (+ a few special cases)
  • After 1973 also based on ZIP code within a state
• Middle digits (the group number) = issued in a known sequence
  • Depending on the year, even or odd groups were issued first, so the order jumps around a bit
  • “High Group” lists issued by the SSA tell you the maximum group number expected to be issued in any given month for every possible first-three-digit combination
• Last digit set (the serial number) = issued sequentially within the first two
• The IRS required SSNs for dependents in 1987
![Page 8: Dox Yourself](https://reader036.vdocument.in/reader036/viewer/2022062302/5883089d1a28abe70d8b6dbb/html5/thumbnails/8.jpg)
Florida Driver’s License
• Format: LLLL-FNI-YY-DMB-N
• LLLL: based on last name
• FNI: based on first name and middle initial
• YY: year of birth
• DMB: based on day/month of birth and gender
• N: sequence number in case of collisions
![Page 9: Dox Yourself](https://reader036.vdocument.in/reader036/viewer/2022062302/5883089d1a28abe70d8b6dbb/html5/thumbnails/9.jpg)
Surprised?
![Page 10: Dox Yourself](https://reader036.vdocument.in/reader036/viewer/2022062302/5883089d1a28abe70d8b6dbb/html5/thumbnails/10.jpg)
Security Professionals
• We love to talk about the latest data breach/security technique/etc.
• But we often forget to consider what was “normal” or “best practice” in the past
• We forget to consider what others may already know
![Page 11: Dox Yourself](https://reader036.vdocument.in/reader036/viewer/2022062302/5883089d1a28abe70d8b6dbb/html5/thumbnails/11.jpg)
![Page 12: Dox Yourself](https://reader036.vdocument.in/reader036/viewer/2022062302/5883089d1a28abe70d8b6dbb/html5/thumbnails/12.jpg)
Birthday pondering
• Government records
  • Birth certificates
  • Driver’s license
  • Voter registration
• Commercial records
  • Websites
  • Third-party surveys/forms/rebates
  • Data aggregators
• Social media profiles/posts
![Page 13: Dox Yourself](https://reader036.vdocument.in/reader036/viewer/2022062302/5883089d1a28abe70d8b6dbb/html5/thumbnails/13.jpg)
![Page 14: Dox Yourself](https://reader036.vdocument.in/reader036/viewer/2022062302/5883089d1a28abe70d8b6dbb/html5/thumbnails/14.jpg)
![Page 15: Dox Yourself](https://reader036.vdocument.in/reader036/viewer/2022062302/5883089d1a28abe70d8b6dbb/html5/thumbnails/15.jpg)
![Page 16: Dox Yourself](https://reader036.vdocument.in/reader036/viewer/2022062302/5883089d1a28abe70d8b6dbb/html5/thumbnails/16.jpg)
![Page 17: Dox Yourself](https://reader036.vdocument.in/reader036/viewer/2022062302/5883089d1a28abe70d8b6dbb/html5/thumbnails/17.jpg)
Search engines aren’t picky
![Page 18: Dox Yourself](https://reader036.vdocument.in/reader036/viewer/2022062302/5883089d1a28abe70d8b6dbb/html5/thumbnails/18.jpg)
A Rigorous Review
![Page 19: Dox Yourself](https://reader036.vdocument.in/reader036/viewer/2022062302/5883089d1a28abe70d8b6dbb/html5/thumbnails/19.jpg)
What’s the Problem?
• Companies want to know who they are dealing with
  • Authentication/Authorization (strict check)
  • Advertising (loose may be acceptable)
• Users want to use services/purchase items easily
![Page 20: Dox Yourself](https://reader036.vdocument.in/reader036/viewer/2022062302/5883089d1a28abe70d8b6dbb/html5/thumbnails/20.jpg)
What’s the Real Problem?
• Big Data is the new “in” thing
• Many firms want to gather as much data as legally possible
• They want to make using their systems as “sticky”/easy as possible
• But when everyone has lots of data:
  • How do you identify someone when everyone else has much of the same information?
  • How do you differentiate your service?
• All of the old information is not going away!
• Lots of data has already been compromised
![Page 21: Dox Yourself](https://reader036.vdocument.in/reader036/viewer/2022062302/5883089d1a28abe70d8b6dbb/html5/thumbnails/21.jpg)
What’s the Real Problem? (2)
• Anyone & everyone wants to know what you are doing
  • Stores
  • Data aggregation firms
  • Nation states
  • Your Internet provider
• Many want to know what your LinkedIn, Facebook, etc. accounts contain, who you know, etc.
![Page 22: Dox Yourself](https://reader036.vdocument.in/reader036/viewer/2022062302/5883089d1a28abe70d8b6dbb/html5/thumbnails/22.jpg)
![Page 23: Dox Yourself](https://reader036.vdocument.in/reader036/viewer/2022062302/5883089d1a28abe70d8b6dbb/html5/thumbnails/23.jpg)
The Beginning is still here
![Page 24: Dox Yourself](https://reader036.vdocument.in/reader036/viewer/2022062302/5883089d1a28abe70d8b6dbb/html5/thumbnails/24.jpg)
But so is your past
![Page 25: Dox Yourself](https://reader036.vdocument.in/reader036/viewer/2022062302/5883089d1a28abe70d8b6dbb/html5/thumbnails/25.jpg)
Serious case
![Page 26: Dox Yourself](https://reader036.vdocument.in/reader036/viewer/2022062302/5883089d1a28abe70d8b6dbb/html5/thumbnails/26.jpg)
Authentication
![Page 27: Dox Yourself](https://reader036.vdocument.in/reader036/viewer/2022062302/5883089d1a28abe70d8b6dbb/html5/thumbnails/27.jpg)
Historical
• Password
• Security questions
• Security pictures
![Page 28: Dox Yourself](https://reader036.vdocument.in/reader036/viewer/2022062302/5883089d1a28abe70d8b6dbb/html5/thumbnails/28.jpg)
Current Trend: Give Us More Info
![Page 29: Dox Yourself](https://reader036.vdocument.in/reader036/viewer/2022062302/5883089d1a28abe70d8b6dbb/html5/thumbnails/29.jpg)
Current Trend: Give Us More Info (2)
![Page 30: Dox Yourself](https://reader036.vdocument.in/reader036/viewer/2022062302/5883089d1a28abe70d8b6dbb/html5/thumbnails/30.jpg)
Two-factor Everywhere
• Too many two factors!
• Phone calls/SMS
• OATH
![Page 31: Dox Yourself](https://reader036.vdocument.in/reader036/viewer/2022062302/5883089d1a28abe70d8b6dbb/html5/thumbnails/31.jpg)
Custom Two-Factor Authenticators
![Page 32: Dox Yourself](https://reader036.vdocument.in/reader036/viewer/2022062302/5883089d1a28abe70d8b6dbb/html5/thumbnails/32.jpg)
Many firms want your phone number
![Page 33: Dox Yourself](https://reader036.vdocument.in/reader036/viewer/2022062302/5883089d1a28abe70d8b6dbb/html5/thumbnails/33.jpg)
Many firms want your phone number (2)
![Page 34: Dox Yourself](https://reader036.vdocument.in/reader036/viewer/2022062302/5883089d1a28abe70d8b6dbb/html5/thumbnails/34.jpg)
Many firms want your phone number (3)
![Page 35: Dox Yourself](https://reader036.vdocument.in/reader036/viewer/2022062302/5883089d1a28abe70d8b6dbb/html5/thumbnails/35.jpg)
Cell phone supercookie
![Page 36: Dox Yourself](https://reader036.vdocument.in/reader036/viewer/2022062302/5883089d1a28abe70d8b6dbb/html5/thumbnails/36.jpg)
Fallbacks to historical approaches still exist
• What happens when the user doesn’t have their second factor?
  • Back to security questions again in many cases
• Be sure to email the user or mail them a postcard/letter when an override is used
  • If email was part of the process, find another way to contact the user which does not require something used as part of the override
  • If a user changes email addresses, be sure to send one final vague message to the previous address warning them of it
• When designing any authentication system, be sure to determine what is considered an acceptable level of risk
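The notification rules on this slide as a small policy module, written here as an added example (not code from the talk); the contact record, channel names and message texts are assumptions:

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Hypothetical contact record for one account; channel names are assumed.
@dataclass
class Contact:
    email: str
    phone: Optional[str] = None    # SMS/voice capable number
    postal: Optional[str] = None   # street address for a postcard or letter

@dataclass
class Notice:
    channel: str       # "email", "sms" or "postal"
    destination: str
    text: str

OVERRIDE_TEXT = ("Your second factor was bypassed through account recovery. "
                 "If this was not you, contact support immediately.")

def override_notices(contact: Contact, channels_used: Set[str]) -> List[Notice]:
    """Notify the owner of a second-factor override over every channel that the
    override itself did NOT consume. If the reset link went to email, telling the
    same inbox proves nothing: whoever ran the override already reads it."""
    candidates = [("email", contact.email), ("sms", contact.phone),
                  ("postal", contact.postal)]
    return [Notice(ch, dest, OVERRIDE_TEXT)
            for ch, dest in candidates if dest and ch not in channels_used]

def override_allowed(contact: Contact, channels_used: Set[str],
                     accept_silent: bool) -> bool:
    """The risk decision the slide asks for: when no out-of-band channel is left,
    the service must either accept a silent override (accept_silent) or refuse."""
    return accept_silent or bool(override_notices(contact, channels_used))

def email_change_notices(old_email: str, new_email: str) -> List[Notice]:
    """Announce an address change to both addresses. The message to the old
    address is deliberately vague: it names neither the new address nor who
    made the change, so it leaks nothing if the old mailbox has changed hands."""
    return [
        Notice("email", old_email,
               "The contact email on your account was changed. If you did not "
               "do this, contact support."),
        Notice("email", new_email,
               "This address is now the contact email for your account."),
    ]
```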
![Page 37: Dox Yourself](https://reader036.vdocument.in/reader036/viewer/2022062302/5883089d1a28abe70d8b6dbb/html5/thumbnails/37.jpg)
Mutual Authentication
![Page 38: Dox Yourself](https://reader036.vdocument.in/reader036/viewer/2022062302/5883089d1a28abe70d8b6dbb/html5/thumbnails/38.jpg)
Analytics
![Page 39: Dox Yourself](https://reader036.vdocument.in/reader036/viewer/2022062302/5883089d1a28abe70d8b6dbb/html5/thumbnails/39.jpg)
Coffee Makers
![Page 40: Dox Yourself](https://reader036.vdocument.in/reader036/viewer/2022062302/5883089d1a28abe70d8b6dbb/html5/thumbnails/40.jpg)
Coffee Makers (2)
![Page 41: Dox Yourself](https://reader036.vdocument.in/reader036/viewer/2022062302/5883089d1a28abe70d8b6dbb/html5/thumbnails/41.jpg)
Analytics
• Discovery and communication of meaningful patterns in data
  • Site information/performance
  • User information/demographics
• Can be used both for secondary identification as well as advertising
• In either case you are generally not told about it
![Page 42: Dox Yourself](https://reader036.vdocument.in/reader036/viewer/2022062302/5883089d1a28abe70d8b6dbb/html5/thumbnails/42.jpg)
Supercookies
• Method of storing information in a web browser using redundant methods that are hard to delete
• Example proof of concept: Evercookie
  • http://samy.pl/evercookie/
• Uses
  • HTTP cookies
  • Adobe Flash Local Shared Objects
  • Web history (where you’ve been)
  • Web cache (storing files)
  • ETags (has a cached file been modified?)
  • HTML5 storage (5 types of it)
  • And much more
![Page 43: Dox Yourself](https://reader036.vdocument.in/reader036/viewer/2022062302/5883089d1a28abe70d8b6dbb/html5/thumbnails/43.jpg)
Browser Fingerprinting
• Attempt to detect the same user without storing anything in their web browser
• Uses things like
  • Browser type/version
  • Configured language(s)
  • Installed plugins/versions
  • Time zone
  • Screen size/color depth
  • Fonts on computer
• Often can get a unique match, or at least prove a browser is 1:1,000+
• https://panopticlick.eff.org/
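The arithmetic behind a “1 in N browsers” result, as an added example (not from the talk or from Panopticlick): per-attribute surprisal in bits and the anonymity set of the combined fingerprint, computed over a constructed population. The attribute names follow the slide; every profile value is made up.

```python
import math
from typing import Dict, List

# Attribute names follow the slide; values below are constructed, not measured.
ATTRS = ("ua", "lang", "plugins", "tz", "screen", "fonts")

def _p(*vals: str) -> Dict[str, str]:
    return dict(zip(ATTRS, vals))

# Constructed population of 8 observed browsers (hypothetical data).
SAMPLE: List[Dict[str, str]] = [
    _p("Firefox/42", "en-US", "flash", "-5", "1920x1080x24", "A,B,C"),
    _p("Firefox/42", "en-US", "none", "-5", "1366x768x24", "A,B"),
    _p("Chrome/46", "en-US", "flash", "-8", "1920x1080x24", "A,B,C"),
    _p("Chrome/46", "en-US", "flash", "-5", "1920x1080x24", "A,B,C"),
    _p("Chrome/46", "de-DE", "flash", "+1", "1920x1080x24", "A,B,C,D"),
    _p("Safari/9", "en-US", "none", "-5", "1440x900x24", "A,B,C"),
    _p("Chrome/46", "en-US", "flash", "-5", "1920x1080x24", "A,B,C"),
    _p("Firefox/42", "fr-FR", "flash", "+1", "1366x768x24", "A,B,C"),
]

def surprisal_bits(population, attr: str, value: str) -> float:
    """Identifying information in one attribute value: -log2 P(value)."""
    count = sum(1 for p in population if p[attr] == value)
    if count == 0:
        raise ValueError(f"{attr}={value!r} never observed; P(value) unknown")
    return -math.log2(count / len(population))

def anonymity_set(population, fp, attrs=ATTRS) -> int:
    """How many browsers in the population match fp on every attribute."""
    return sum(1 for p in population if all(p[a] == fp[a] for a in attrs))

def report(population, fp, attrs=ATTRS) -> Dict[str, float]:
    """Panopticlick-style summary: per-attribute bits, their sum as an upper
    bound, and the true combined bits from the anonymity set. Attributes
    correlate (screen size tracks browser/OS), so combined <= upper bound."""
    out = {a: surprisal_bits(population, a, fp[a]) for a in attrs}
    out["upper_bound_bits"] = sum(out.values())
    n = anonymity_set(population, fp, attrs)
    out["combined_bits"] = math.log2(len(population) / n)
    out["one_in"] = len(population) / n   # "one in N browsers share this fingerprint"
    return out

if __name__ == "__main__":
    for k, v in report(SAMPLE, SAMPLE[3]).items():
        print(f"{k:>18}: {v:.2f}")
```

With a real population of thousands the same code yields the 1:1,000+ figures the slide mentions; the point a site owner should take from it is that every attribute exposed to scripts narrows the set further.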
![Page 44: Dox Yourself](https://reader036.vdocument.in/reader036/viewer/2022062302/5883089d1a28abe70d8b6dbb/html5/thumbnails/44.jpg)
![Page 45: Dox Yourself](https://reader036.vdocument.in/reader036/viewer/2022062302/5883089d1a28abe70d8b6dbb/html5/thumbnails/45.jpg)
![Page 46: Dox Yourself](https://reader036.vdocument.in/reader036/viewer/2022062302/5883089d1a28abe70d8b6dbb/html5/thumbnails/46.jpg)
![Page 47: Dox Yourself](https://reader036.vdocument.in/reader036/viewer/2022062302/5883089d1a28abe70d8b6dbb/html5/thumbnails/47.jpg)
![Page 48: Dox Yourself](https://reader036.vdocument.in/reader036/viewer/2022062302/5883089d1a28abe70d8b6dbb/html5/thumbnails/48.jpg)
![Page 49: Dox Yourself](https://reader036.vdocument.in/reader036/viewer/2022062302/5883089d1a28abe70d8b6dbb/html5/thumbnails/49.jpg)
If you are a user
• Realize how much information about you is public
• Your daily purchases, interactions, etc. reveal more than you realize
  • https://history.google.com/history/ is a good place to start
• If you or someone else puts something on the Internet, it may never go away
• Consider using ad/site tracker blocking software if concerned, but realize that these can occasionally break websites
![Page 50: Dox Yourself](https://reader036.vdocument.in/reader036/viewer/2022062302/5883089d1a28abe70d8b6dbb/html5/thumbnails/50.jpg)
If you are looking to “dox” someone
• Consider if you *really* want to do it
  • You will affect their feelings, even if you told them in advance
  • There may be legal implications
• Search the Internet with what you know and go from there
• Realize that some sources are completely incorrect, while some are scarily close to accurate
• Don’t publish information online unless absolutely necessary
  • Outing the wrong person has occurred before!
![Page 51: Dox Yourself](https://reader036.vdocument.in/reader036/viewer/2022062302/5883089d1a28abe70d8b6dbb/html5/thumbnails/51.jpg)
If you are trying to authenticate users
• There is a careful balance between making your service easy to use and making it secure
• Realize that many identifiers are public information, or can be derived from such
• Follow the required regulations/laws for your industry/location(s)
• Don’t try to special-case things based on known local flaws
• Two-factor authentication is now probably the norm
![Page 52: Dox Yourself](https://reader036.vdocument.in/reader036/viewer/2022062302/5883089d1a28abe70d8b6dbb/html5/thumbnails/52.jpg)
If you are into advertising/analytics
• Respect your users
• Don’t tie site functionality into metric/analytic systems in fragile ways
• Don’t overload your site with trackers
  • Use tools to measure their impact on performance
  • Try home/mobile Internet connections far away from your datacenter, not just the office
• If you collect it, someone else can steal it
  • It’s not if you are compromised, but when you will be
![Page 53: Dox Yourself](https://reader036.vdocument.in/reader036/viewer/2022062302/5883089d1a28abe70d8b6dbb/html5/thumbnails/53.jpg)
Questions