The FBI’s warning about doxing was too little too late

by Steve Ragan - Dec 19 2011, 09:00

An FBI intelligence bulletin released over the weekend by Anonymous outlines the threat law enforcement officials face from the practice of doxing, but the FBI’s warning came too late to make any type of difference.

According to the memo, the FBI said law enforcement personnel and other victims are at risk for identity theft. The reason for the risk is due to the nature of doxing, or exposing personal information on a victim to the public. Doxing is something that has become common recently in the aftermath of various AntiSec or Anonymous related attacks.

The standard dox on a person can include all relevant personal details, such as name, address, phone numbers, date of birth, Social Security Number, social networking information, usernames, passwords, images, and anything else that is related to them in an identifying capacity.

“In response to law enforcement activities that have occurred against Anonymous and LulzSec since January 2011, members of these groups have increased their interest in targeting law enforcement in retaliation for the arrests and searches conducted... As more arrests are made against suspected members of Anonymous and LulzSec, the FBI expects hacking activities and ‘doxing’ that targets law enforcement and government interests will continue. This could compromise investigations and result in harassment and identity theft of the individuals named in the ‘dox’,” the memo explains.

The problem is, and this is somewhat explained by the memo, Anonymous has been doxing other Anons, victims, and law enforcement for some time.

Days before the memo was released to the law enforcement community, Anonymous (in support of the AntiSec movement) released the personal information of nearly 7,000 people, including names, email addresses, home addresses, phone numbers, usernames, passwords, and Social Security Numbers.

At the time those people were exposed, AntiSec supporters raided a total of 77 law enforcement domains within the span of a week, and subsequently released additional law enforcement dox, along with more than 7GB of email and sensitive information.

While the FBI’s warning on doxing came too late to make any type of difference, the message is important. Yet, the memo itself failed to address one of the larger issues that led to the exposure of personal information to begin with in any sort of context.

All of the victims doxed and exposed by AntiSec, LulzSec, or Anonymous proper, had their personal information stored in the clear, with no real protection whatsoever in many cases.

In fact, in order to expose the 7,000 people the way they did, AntiSec supporters simply used recycled passwords to access the Missouri Online Training Academy database, located on mosheriffs.com.

That domain was housed on a server with 76 other law enforcement domains. Access to mosheriffs.com was trivial, because it - along with the domains hosted on that server - was poorly developed (web application flaws). This allowed the attackers a chance to upload shell scripts, which gave them full control over the server and all of its domains.

So while the FBI is correct, as doxing can impact investigations and the personal security for those exposed, the mention of “safeguarding material containing personal information pertaining to officers and named victims” as a mitigation without any context, isn’t all too helpful.

The lesson here is to know what data is important, where it is located, how it is used, and the layers needed to protect it. If the data housed on the hijacked domains was encrypted and segregated from the start, then it would have been useless when compromised.

Other recommendations concerning dox mitigation include avoiding the use of recycled passwords and weak passwords. These two things have also helped Anonymous over the years, and more recently the AntiSec movement remain successful when they target an organization.

In many of the cases where passwords were exposed to the public during the aftermath of an AntiSec or Anonymous attack, they were weak, making them easily cracked or guessed.

Another issue is the storage of critical passwords within email.

When AntiSec targeted law enforcement officials in Texas, the officers had their full dox published. The doxing was in addition to the release of email messages taken from hijacked accounts. Yet, within the emails themselves, the live logins to internal police systems, including TLETS, TCLEOSE, and NCIC, were also exposed.

A copy of the Official Use Only memo can be obtained here.

Around the Web