Doxxing Yourself on the Internet

NICAR 2019

Kristen Kozinski, Security Trainer, The New York Times
Neena Kapur, Senior Information Security Analyst, The New York Times

Search Engines

Google & Bing Search Operators

| Operator | What it searches | Example |
|---|---|---|
| Site | Provides results of pages located on a specific domain | site:facebook.com |
| AND/OR | Use the AND operator to return results that contain both terms. Use the OR operator to return results that contain one term or the other. | "John Smith" AND (Portland OR Salem) |
| Asterisk | Google treats the asterisk as a placeholder for a word or words in a search string. | "John * Smith" |
| Hyphen | This operator allows you to exclude the text immediately following it. | "John Smith" -site:personalwebsite.com |
| Filetype | Filter search results by a single file type extension | filetype:xls intext:youremail@gmail.com |

Common File Types:
● DOC/DOCX
● XLS/XLSX
● PPT/PPTX
● TXT
● JPG/JPEG/PNG (Image files)
● PDF

Bing Search Operators

| Operator | What it searches | Example |
|---|---|---|
| LinkFromDomain | Returns every website that is linked to from within a given website. | LinkFromDomain:website.com |
| Contains | Allows you to filter search results by a single file type extension on a specific website. | Contains:csv site:website.com |

Google Alerts

Once you're signed into your Google account, you can set up Google Alerts here: https://www.google.com/alerts

Tip: We recommend you use Google Alerts with your personal Gmail account. This way, if you leave the company you still have the alerts.

Tip: Please note that any alerts you set up are saved in your Google account - while we recommend setting up alerts for information such as your phone number or physical address, we do not recommend setting up alerts for particularly sensitive information, such as your Social Security Number.
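The search operators in this tipsheet can be combined into a repeatable self-audit list. The Python sketch below is an added example, not part of the original handout; the function names and the sample identity are assumptions made for illustration, and the search URL formats are the engines' ordinary `?q=` query pages.

```python
from urllib.parse import quote_plus

# Document types from the tipsheet's "Common File Types" list (images left out).
FILE_TYPES = ["doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "pdf"]

def quoted(term):
    """Exact-match form: straight double quotes, inner quotes stripped."""
    return '"' + term.replace('"', "").strip() + '"'

def build_queries(names, places=(), emails=(), handles=(), own_sites=()):
    """Return de-duplicated search strings for auditing your own footprint."""
    # Hyphen operator: hide pages you publish yourself so leaks stand out.
    exclude = "".join(f" -site:{site}" for site in own_sites)
    queries = []
    for name in names:
        query = quoted(name)
        if places:
            # AND/OR: the name must appear together with at least one place.
            alternatives = " OR ".join(
                quoted(p) if " " in p else p for p in places)
            query += f" AND ({alternatives})"
        queries.append(query + exclude)
        first, _, last = name.partition(" ")
        if last and " " not in last:
            # Asterisk: placeholder for a middle name or initial.
            queries.append(quoted(f"{first} * {last}") + exclude)
    for email in emails:
        # Filetype: documents and spreadsheets that contain the address.
        queries.extend(f"filetype:{ext} intext:{email}" for ext in FILE_TYPES)
    for handle in handles:
        # Mentions of the handle on Instagram outside your own profile.
        queries.append(
            f"site:instagram.com {quoted(handle)} -site:instagram.com/{handle}")
    return list(dict.fromkeys(queries))  # keep order, drop duplicates

def search_url(query, engine="google"):
    """URL-encode a query so it can be opened directly in a browser."""
    base = {"google": "https://www.google.com/search?q=",
            "bing": "https://www.bing.com/search?q="}[engine]
    return base + quote_plus(query)

if __name__ == "__main__":
    # Constructed sample identity; replace with your own details.
    for q in build_queries(["John Smith"], ["Portland", "Salem"],
                           ["youremail@gmail.com"], ["yourhandle"],
                           ["personalwebsite.com"]):
        print(q, "->", search_url(q))
```

Re-running the same list every few months makes it easy to see whether opt-out requests have taken effect.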
Public Record/People Aggregator

There are hundreds of people aggregator sites out there - many large sites "feed" smaller sites, making them a good starting point for significantly decreasing your online footprint. Below is a short list of sites that we recommend starting with. Once you've tackled those sites, within a few weeks the amount of your personal data across people aggregator sites will significantly decrease.

See if you can find profiles of yourself on these sites and consider taking steps to opt out. Please note that some of these sites will request you provide some personal data to opt out, such as email address, phone number, and address. Here are some tips for this:
● Create a separate, "burner" email address to use for opting out. If you already have one, just use that.
● Set up a virtual phone number, like Google Voice or Sudo.
● Only provide sites with data they already have about you. If you see that they have an old home address, do not provide them with a current address, just provide them with the address they already have listed for verification.
● Don't EVER provide a copy of any documents, such as a driver's license or passport.

People Aggregator Sites (Getting Started)

| Site name | Website | Opt out link | Notes |
|---|---|---|---|
| CheckThem | https://checkthem.com | https://www.checkthem.com/optout/ | |
| Radaris | https://radaris.com | https://www.safeshepherd.com/handbook/radaris.com | You are required to create an account when removing data from Radaris. |
| Intelius | https://www.intelius.com/ | https://www.intelius.com/optout | |
| Fast People Search | https://www.fastpeoplesearch.com | https://www.fastpeoplesearch.com/removal | |
| White Pages | https://whitepages.com | https://www.wikihow.com/Remove-Your-Listing-on-WhitePages | |
| Family Tree Now | https://www.familytreenow.com | https://www.familytreenow.com/optout | |
| Spokeo | https://www.spokeo.com | https://www.spokeo.com/optout | |
| Instant Checkmate | https://www.instantcheckmate.com | https://www.instantcheckmate.com/opt-out | |
| Peoplefinders | https://www.peoplefinders.com | https://www.peoplefinders.com/manage | |
| MyLife | https://mylife.com | https://www.privacyduck.com/mylife-comopt-out-deletion-instructions-from-privacyduck/ | |
| Been Verified | https://www.beenverified.com | https://www.beenverified.com/f/optout/search | |
| People Search Now | https://www.peoplesearchnow.com | https://www.peoplesearchnow.com/opt-out | |
| TruthFinder | https://www.truthfinder.com | https://www.truthfinder.help/remove/ | |
| Advanced Background Check | https://www.advancedbackgroundchecks.com | https://www.advancedbackgroundchecks.com/removal | |

Notes: The instructions will say to send a copy of your driver's license to remove your data. Please do not do this! Instead, state in the email that you are concerned for your safety. They still should remove your data, but please let us know if you have issues.

If you'd like to go further, take a look at IntelTechniques' complete list of people aggregator sites with associated opt-out steps - please note that The New York Times has not fully vetted all of these sites.

Social Media

Identify your social media accounts

● Enter your commonly used handles into https://namecheckr.com to see where that handle is being used. This can help you discover old accounts you may have set up, as well as keep an eye out for impersonation accounts.
● Set up two-factor authentication on your social media sites. Check out twofactorauth.org for instructions on how to set up two-factor authentication for popular websites.
  ○ We recommend using an authenticator application (aka a mobile security app or software token), rather than SMS text messages, as your second form of authentication. This is a more secure method and protects against attacks such as SIM hijacking.

Facebook

Tip: You must have a Facebook account and be logged in to search for other Facebook users. The tool below will not show any results if you are not logged in.
● Visit https://inteltechniques.com → click on the "Tools" menu item on the top. From there, click the "Facebook Profile" menu item on the left, and select "Facebook Tool" from the drop down.
  ○ Enter a Facebook username into the first field that says "FB User Name" (it's the small box ABOVE the bigger white box), and press "Go." You can find your Facebook username by visiting your Facebook profile. It will show up in the URL after the "/".
  ○ Once the user number is generated, copy and paste that number into the "Facebook User Number" field and press "Go." This will populate the additional fields with your user number.
  ○ You must have a Facebook account to see what is publicly available. Remember, you can't do this for your own account - find someone to help with that.
● Select the View As option on your Facebook profile to see what personal information on your profile is visible to a user who is not friends with you.
● Consider modifying your privacy settings:
  ○ Hide your Friends list (Settings → Privacy)
  ○ Set approval request on picture tagging (Settings → Timeline & Tagging)
  ○ Remove option for search engines to link to your profile (Settings → Privacy)
● Turn on two-factor authentication
● Enable alerts for unrecognized logins.

Twitter

● Twitter simple search: https://twitter.com/search-home
● Twitter advanced search: https://twitter.com/search-advance
● Turn on two-factor authentication

Twitter Search Operators

| Operator | What it searches | Example |
|---|---|---|
| from | Messages username is sending out | from:yourhandle |
| to | Messages being sent to username | from:yourhandle to:friendhandle |
| geocode | Tweets occurring within range of specific GPS coordinates | geocode:40.753830318,-73.987329384,1km "mcdonalds" |
| AND/OR | Use the AND operator to return results that contain both terms. Use the OR operator to return results that contain one term or the other. | from:yourhandle OR from:friendshandle |
| since:YYYY-MM-DD until:YYYY-MM-DD | Tweets occurring within a specific date range | from:yourhandle since:2005-01-01 until:2005-01-31 |

Instagram

The in-app search field only shows users and hashtags related to search terms.

Google Dorking for Instagram:
● site:instagram.com "username"
● site:instagram.com "username" -site:instagram.com/username

Turn on two-factor authentication.

LinkedIn

Tip: If you are searching for others while logged into your profile, they will be able to see that you viewed their profile with the default settings. To change this, go to Me > Settings & Privacy > Privacy > Profile viewing options.

Google Dorking for LinkedIn:
● site:linkedin.com "Google"
● site:linkedin.com "Software Developer at Google"

LinkedIn Privacy Settings
● To limit & protect your information navigate to: Me → Settings & Privacy → Privacy
● Turn on two-factor authentication

Additional Resources

Check to see if your email or username has been associated with a data breach at https://haveibeenpwned.com/

To search the Internet Archive for personal information use https://web.archive.org/