The Benefits of Living Gray – Part Three: On the Internet
By TorchStone VP, Scott Stewart
At 4:30 am on the morning of Feb. 19, 2020, five armed men wearing hooded sweatshirts stormed into a luxurious home in Hollywood Hills to conduct a home invasion robbery. The target of the robbery, Bashar Jackson—otherwise known as the rapper Pop Smoke—attempted to resist and was fatally shot by two of the intruders. The robbers left the house a few minutes later after quickly amassing a large haul of cash, jewelry, and electronics. In July, the Los Angeles Police Department arrested and charged five members of a South Los Angeles street gang with murder and robbery.
The New York-based rapper was staying in a rented home while only visiting Los Angeles with some friends. As long as one’s itinerary is protected and there is no inside source, it is generally considered difficult for criminals to specifically target a VIP during a short-term trip. However, in the wake of this home invasion murder, it was discovered that Pop Smoke and his companions had posted a series of videos and photos on Instagram that showed them flaunting stacks of cash, expensive jewelry, and other luxury goods. One of the Instagram posts even featured a shot of a gift bag that had the home’s address printed on it.
As I’ve discussed in traveling gray and living gray at home, the goal of being gray is to present a neutral façade to outside observers to avoid being perceived as a valuable or vulnerable target. Pop Smoke and his companions’ Instagram posts were the antitheses of gray; not only did they advertise the riches inside the home, allowing the robbers to assess their potential haul, but they also provided the criminals with the address where the loot was located.
Pop Smoke is not the only celebrity who has been targeted based on information posted on social media. There have been several other cases in recent years, perhaps the most high-profile of which was the Oct. 2016 armed robbery of Kim Kardashian West who had some ten million dollars’ worth of jewelry stolen by armed criminals dressed as police officers who invaded her suite in an exclusive Paris hotel.
In a string of residential robberies in 2008-2009, the so-called “Bling Ring” robbers chose to target the homes of celebrities at times they were away from home by following the celebrities’ social media accounts. Such cases illustrate that potential criminals and stalkers will exploit personal information posted online, and thus both celebrities and the average person will benefit by being gray online.
How Not to Dox Yourself
The hacker community uses the term “dox,” short for documents, to describe the process of sweeping the internet for information on a person and then posting it online. Hackers usually publish these documents to publicly identify and then either embarrass or threaten the target of their doing.
Most of us do not share photos of ourselves on social media holding huge stacks of cash like Pop Smoke or wearing a 20-carat diamond ring worth $4.5 million like Kim Kardashian. But as the number of smartphones and apps grows and we add more internet-enabled devices into our lives and homes, we often post information that can be used against us by people with ill intent. We are in effect doxing ourselves.
The first step to avoid doxing yourself is to be conscious and careful of what you intentionally post on the Internet, and to limit who can see what you post. While the only surefire way is to avoid social media altogether, I recommend that you carefully consider who you are connecting to and sharing personal information with when you use social media.
If your job requires you to use social media, it is best to have separate personal and professional accounts. That way you can limit the people you share personal information with to people you know well and trust. Cybercriminals, stalkers, and spies will often work their way close to a target by first befriending less cautious friends of the target (while using an attractive avatar photo), so be wary of accepting connection requests from people who are connected to your friends, but who you don’t know.
Turn Privacy Settings On and Geo Tags Off
An important key to being gray on the Internet is to avoid posting photos or videos of your valuable possessions. You should also avoid posting anything that contains your address, or that provides hints to your address. Privacy and location settings should also be tightened so that they don’t reveal exactly where photos were taken or permit your friends to share your photos and posts with people you don’t know.
We’ve also all had contacts who have had their social media or email accounts hacked. Keep in mind that anything you are sharing with your friends could also end up in the hands of a hacker.
Many people tell the world when they are going on vacation, or away for the weekend. I have even seen colleagues who have thousands of followers on Twitter (and certainly they do not know all of them) announce they are not home by posting that they have arrived at a particular airport or announcing they are going to attend a specific conference for a week, thus alerting potential criminals that their home is vacant and vulnerable to a robbery—or that their teenage daughter is home alone. Don’t do this. If you do want to post vacation photos to social media, I recommend posting them after you have returned home.
Avoid Posting Daily Routines
Your possessions are not the only thing hostile actors may target—they can also target you. For years I have been advising people to avoid setting patterns in their daily routines that criminals can use to target them. This warning goes double for social media. Don’t post information that makes it easy to map your daily routine. I have many friends, including several who are female, who post on social media every time they check into the gym or go for a run. They are proud of their commitment and like to encourage their workout partners. Gyms also encourage check-ins as a form of advertising. Unfortunately, such information can make it easy for a rapist or stalker to identify them.
Certainly, someone stalking you can develop this information in person, but to do so they would be forced to conduct physical surveillance, leaving them vulnerable to detection. Don’t post information that makes a criminal’s job easy, no matter your gender.
Your Online Resume Can Draw the Wrong Attention
Social media sites such as LinkedIn have also proved to be very useful to hostile intelligence officers. We have seen a number of cases in which people were spotted by hostile intelligence officers on LinkedIn. By spotted, I am referring to the part of the human intelligence cycle in which an officer attempts to identify individuals who have access to the programs or technologies being targeted. Some of these cases have even involved hostile intelligence officers developing a relationship with the targeted individual over social media, before progressing to an in-person meeting where the targeted individual is “pitched,” or recruited. Because of this, people with access to classified information and sensitive technologies should be careful about listing that access on sites such as LinkedIn. While such information may help you appear valuable to potential employers, it can also draw the attention of hostile intelligence officers.
Shut Down Cybercriminals
I have so far discussed how being gray helps avoid physical world criminals, but cybercriminals can also use information carelessly posted to social media. Cybercriminals can use information you post in a variety of ways to include identity theft, credit card fraud, email scams, and phishing attacks. For example, a cybercriminal could see a social media post that a person is on vacation and then send an email using a spoofed address to everyone on the poster’s contact list saying he was robbed and needed an emergency money transfer. Information you post regarding the devices and apps you use can also be used by those wanting to hack you.
For years now, I have seen social media messages or games that appear to me to have been specifically designed to elicit the answers to questions commonly used as “security questions” for account logins or password resets. These messages purport to be fun exercises intended, for example, to help people “learn more about each other during the pandemic;” but when the messages ask you to answer questions such as the name of your first childhood pet, the city where you met your spouse, your mother’s maiden name, your father’s middle name, etc., it becomes evident that they are intended for more nefarious purposes. Don’t fall for this trap.
Assess Your Public Profile
At TorchStone, we frequently conduct public profile assessments for our clients in an effort to help them understand what information is available about them on the indexed part of the Internet as well as on the darknet and deep web. We approach this exercise as though we were a hostile actor looking to see what we can learn about the “target” given only their name and company. Based on our findings we can make recommendations on ways they can improve their security and become grayer.
Such assessments can also be conducted by individuals on themselves, and they are helpful in gaining an understanding of what information is available to criminals in the physical and cyber worlds. It can also help you identify information gaps, the information needed to target you that is not available online, thus allowing you to focus your efforts on protecting it, or to identify those attempting to obtain it.
Social media and the Internet can be incredibly useful and entertaining. However, it is important to understand that information we post there can make us targets. By working to keep ourselves gray online, we can prevent criminals from assessing us as valuable and vulnerable targets.