DIGITAL OFFICER SAFETY:
Connecting the dots…“All it takes is the right person to put it all together for devastating effect.”
You may not feel like you are a juicy target for a hacker right now. You keep a low profile, you don’t overstep your authority or even speak to the media (someone of higher rank can always do that). Why would a hacker, or a bad guy target you? Well, today you may be clocking in and clocking out routinely…but the nature of your job makes every day unpredictable. Tomorrow, or 5 minutes from now, you could be in a situation that requires you to use lethal force. Now you are in the spotlight at your agency and in the media. Within a few hours, the media is parked on your lawn with a live report for the evening news and protesters are disturbing your neighborhood. It happens almost daily across the nation. How did they find you so fast? Or an arrest you made leads to angry family members and friends of the accused, or criminal organizations that now see you as a target. How quickly could someone with bad intentions find where you and your family live?
With the continued public disclosure of the personal information of various law enforcement officers, it has become necessary for all law enforcement officers to protect their privacy online. Contrary to common belief, the majority of data disclosure is not due to “hacking” instead it is a result of public records and companies in which you do business with selling your information to third party data brokers.
With the rise of social media and the desire to connect with family and friends through these services, individuals are disclosing private information to third parties without fully knowing the recipients of such data. Furthermore, the disclosure of personal information through social networking leaves individuals open to certain forms of computer based attacks such as social engineering.
“Doxing” is a term developed in the computer hacking world in which an adversary developed a personal file on an individual through the use of open source searches, publications, and dumpster diving. Hackers would use this information to compromise computer networks by performing password profiling or through social engineering attacks.
In recent years, “doxing” has been used to publicly disclose the private information, i.e. name, a The hacker collective “Anonymous” has used this information for vicious purposes in the hopes that their adversaries would cease their activities against the collective.
The main source of information for the “doxing” of individuals is through paid data brokers such as Intelius and USSearch. These firms provide subscription and one time use services that allow individuals to obtain personal information on another person for a fee. These data brokers obtain information from a variety of public records and the purchasing of personal data from a variety of companies.
Social networking also provides a significant amount of information for those seeking to “dox” and individual. This information will include pictures, employment history, family relationships, hobbies, and patterns of life.
An interesting and informative guide to doxing can be found here: LINK
THREAT TO LAW ENFORCEMENT OFFICERS:
Since the start of the Occupy Wall Street protests a few years ago, several law enforcement officers have had their personal information released on the internet as a result of their duties during the protests. Some of these law enforcement officers have been subjected to threats, telephone harassment, and surveillance of their residences.
The relative ease in which individuals are able to obtain personal identifying information on members of the service is a threat to them and their families. Therefore, it is important for law enforcement officers to take all necessary precautions to secure their data. However, for those who have already been the target of such a release there is no easy solution due to the longevity of information on the internet.
PROTECTING PERSONAL INFORMATION THROUGH OPT-OUT:
A variety of state and federal laws allow for individuals to “opt-out” of services in which there personal information is retained by data brokers, telemarketers, and direct marketers. Furthermore, most of these companies make available expedited and bulk request processing to members of law enforcement.
National Do Not Call Registry:
By placing your number in the National Do Not Call Registry an individual will not receive unsolicited telemarketing phone calls except in certain cases. By limiting your contact with telemarketers you have less of a chance of your personal information being sold to a larger data warehouse. To place your number on the National Do Not Call Registry fill out the form located at https://www.donotcall.gov/default.aspx.
Prescreened Credit Card and Insurance Offers:
By opting out of pre-screened credit card and insurance offers an individual will no longer receive these offers through the mail. Your personal information is obtained by these companies through the three major credit reporting agencies. The receipt of these offers through the mail may lead to identity theft if someone were to steal your mail and respond to the offer. Also, many times these offers contain a significant amount of personal information that you would not want in the public domain.
You can “opt-out” of these offers by filling out the form located at https://optoutprescreen.com.
Direct Marketing Association Opt Out Service:
The Direct Marketing Association is the largest trade association of marketers in the United States. They provide marketing services for companies through both standard mail and email. By limiting your contact with these companies you reduce the risk of your personal data being sold to third party data brokers. An individual can “opt-out” of these services by filling out the forms at http://www.dmachoice.org. You will still receive marketing material from companies that you do business with.
Bank Financial Institutions Opt-Out:
Credit Security Freeze:
The three major credit reporting agencies provide the ability for an individual to freeze their credit which stops the credit reporting agencies from disclosing your credit report. This prevents any new accounts from being opened in your name. This is an effective way to prevent identity theft, and may be necessary for those members of the service who have had their personal information disclosed.
For a more in-depth look at the importance of a credit freeze, please see my post here.
Data Broker Opt-Out:
Data brokers are one of the easiest methods available in which individuals have obtained personal information on members of the service. Each company has a specific method to opt-out, and most provide specialized “opt-out” services for law enforcement personnel when the request is submitted on official department letter head. However, there are data brokers that provide no “opt-out” services. For information on state laws that may assist qualified individuals with their opt-out requests, see my recent post here.
While there is no all inclusive list available that you can follow to find every website that displays personal information, many sites have attempted to compile lists of their own to assist us with removal requests.
I my opinion, the link below is not only a tremendous resource for identifying sites to target for removal efforts, but it also contains links to many other valuable services.
Other comprehensive lists can be found at:
There are a number of paid services which will remove your personal information from Data Brokers for a fee (typically $100/year) such as reputation.com. However, in reviewing several of
these sites I came to the conclusion that they did not perform a comprehensive removal. Rather, they removed the information for their affiliated sites and a small number of sites in which they have a business relationship. The only way to truly remove yourself in the most comprehensive manner, is to do it yourself. The results you can achieve and the knowledge you obtain is well worth the effort.
Social engineering is one of the oldest forms of data compromise and was pioneered by computer hackers such as Kevin Mitnick and Kevin Poulsen. Social engineers will obtain personal information from you by soliciting a response from you in a personal manner. This may be accomplished by a phishing scam (a fake email from your bank), or pretending to be a person on the phone to solicit information. Social engineers then use this information to compromise your email and social networking accounts and commit identity theft.
In 2011 members of “Anonymous” performed a social engineering attack in which they pretended to be the CEO of a company and called into the help desk requesting their password be reset. The help desk employee believed this person to be the companies CEO and disclosed the current password for the CEO’s computer account and reset the password to one selected by the members of “Anonymous.” The hackers then used this information to compromise the system and lock the CEO out of his account.
Following the start of the Occupy Wall Street protests members of OWS were requesting others on Twitter to call police department’s “police officer information desk or shield desk” in an effort to obtain the first and last names of officers by shield numbers. It is unknown if they were successful.
In the past year there have been a number of high profile computer hacks of major consumer companies that have resulted in the release of personal information. Also, many of computer attacks conducted by “Anonymous” have focused on law enforcement websites. Although we cannot control the data security policies of third parties it is important to know who you are turning your personal and financial data (i.e. a credit card number) to. Also, several of these computer hacks have resulted in the release of passwords for those accounts. Most websites only stored hashed (one-way encrypted) passwords, however, since most users use simple passwords they were easily cracked by available password crackers. It is important to use complex passphrases of at least 12 characters that are not words contained in the dictionary. Also, they should contain a mix of numbers, capital and lower case letters and special characters.
It is very important that individuals use different passwords for each of their online accounts, especially if they have been the victim of a compromise. In many situations a hacker will not stop at one account once they have a valid password they will try all accounts possible to see if the password was reused. Since most users maintain a number of online accounts a password manager such as LastPass (www.lastpass.com) will help you achieve this goal while still remembering a large number of complex passwords.
*Portions of this post were referenced from an article posted by the Philadelphia Fraternal Order Of Police (http://fop5.org)