5 takeaways from Bolster Your Digital Safety: An Anti-Hacking, Anti-Doxing Workshop

Dorothy Hernandez (@dorothy_lynn_h), a volunteer with the ONA Resource Team, compiled these key moments from the ONA20 session on Oct. 15, 2020. To view a recording of the session, register for on-demand access to the ONA20 archive. Session participants included:

• Viktorya Vilk, Program Director for Digital Safety and Free Expression, PEN America
• Harlo Holmes, Director of Digital Security, Freedom of the Press Foundation

5 key takeaways:

1. Online abuse is the pervasive or severe targeting of an individual or group in an online setting through harmful behavior. (It’s important to note that just one episode can have an enormous impact on well being! Hence “severe.”) Sources vary: From a group (which can be highly organized even if they don’t look like it), an anonymous person, a very famous person, or even somebody you know in your personal life. The term encompasses a bunch of ever-evolving tactics:
   1. Hacking
   2. Impersonation
   3. Message bombing
   4. Doxxing: publishing of sensitive, private information like address, cell phone, SSN, etc. in effort to extort, stalk, intimidate, etc.
2. Cybersecurity 101:
   1. Practice password hygiene: Use extremely long, complex passwords (16 characters is the bare minimum, because the longer the passphrase, the harder it will be for an attacker to brute force into a particular account). Don’t use the same one across multiple accounts.
   2. Pick difficult answers to security questions.
   3. Use a password manager like LastPass, 1Password (free for journalists), or Dashlane. (Someone asked if it’s dangerous to centralize your passwords, but programs like these encrypt the passwords so it’s more difficult for bad actors to read.)
   4. Set up PIN on mobile account to avoid SIM jacking (when someone calls your cell phone company pretending to be you, saying, “Oh, I got a new SIM card, can you route all of my traffic to this new number”).
   5. Use secure messaging and secure browsing.
   6. Keep software updated: Oftentimes, a security update happens because someone has alerted them to or they have found some kind of massive security breach — and they avoid publicizing that. They quietly fix it, and they push it out as an update, so if you don’t regularly update your software and your apps, you could actually have a glaring security gap in there for weeks or months at a time and not even know because the company didn’t tell you.
   7. From Harlo: All of the techniques are only as secure and effective as the devices that you are using. All of these solutions only work as well as the devices as you’re running them on.
3. You should go through the motions of doxxing yourself, to see what information is available online.
   1. It’s really important to strategically start creating distinctions between person and professional online. That doesn’t necessarily mean having one personal and one professional social media account but it does mean thinking about platforms and how you use them. (See #5).
   2. Google yourself but also try to find results on the deep web and dark web; go beyond the surface.
      1. One way is to log out of all accounts but even in incognito mode, Google pretty much knows it’s you still because of IP address
      2. Google dorking: create searches into the Google search bar that will bring you beyond the surface so using operators like “or” or asterisk for wildcard or pdf. (Find those old resumes you uploaded for that job years ago!).
      3. Reverse image searching to see if your images have started to pop up in places you don’t want or has nothing to do with you (Other than Google, try Bing, which has a lot of rich tools that give you more nuance than what Google provides).
      4. Create Google alert.
      5. Look yourself up on Have I been pwned? This tracks to see if your email has been in a data breach. It’s not so much the fact that bad actors want access to your Adobe account but more so if your email address is linked to a bank account and then they can access your money.
      6. Operational security: Be mindful of posting a photo of where you are at that moment, like at a coffee shop. Use #latergram to protect your privacy.
4. Your personal information is cheap and may be freely available:
   1. Data brokers make money off of scooping your private information off the web and selling it for “literally 5 cents”
      1. Use a website like Spokeo or Intelius to find out what’s out there
      2. There are 400-plus data brokers so consider using a resource like the Big Ass Data Broker Opt Out List (linked below)
5. You should do an audit of your social media account security. Some tips:
   1. Twitter
      1. Use two-factor verification.
      2. Make sure you don’t have your birthday or any other private information in your profile.
      3. Go to Settings > Privacy > Account > Apps and sessions to see where you are logged in via other apps and other parts of the world — revoke access if you don’t know what the app is.
      4. If you ever find yourself in the midst of a particularly unsettling social media attack, protect your tweets. You can untoggle it when things go back to normal.
      5. Turn off DMs.
      6. Don’t let people find you by email or phone number.
      7. Disable precise location.
      8. Turn off personalization and data.
   2. Facebook
      1. Use two-factor authentication.
      2. Review where your Facebook account is logged in and revoke unfamiliar sessions.
      3. Other than getting backup codes to access your email you can also add 3-5 trusted friends to help you regain access to your account.
      4. It’s worth poking around privacy settings on Facebook and being very strategic about what access you permit.
      5. Limit your visibility on search engines.
      6. Have a strategy for addressing tagging. Limit people who can tag you in things.
      7. Location, location, location: Facebook is incredibly nosy about where you are. They’ve got way too much money so don’t feed into that.

Memorable/tweetable quotes:

• “Google dorking is your best friend.” —@vilkviktorya
• On Twitter: “Turn off personalization and data, it makes your ads a lot cleaner and you’re sticking it to them because surveillance capitalism is a thing.” —Harlo Holmes

Links to additional resources

• PEN America Digital Safety Checklist
• Big Ass Opt-Out Data Broker List