Cybersecurity threat awareness: Prevent your information from leaking out to the bad guys & girls
Operations Security or Operational Security (OPSEC) is the process by which we protect unclassified information from leaking out via our own actions & behaviour. The goal of Cybersecurity OPSEC is to minimize your digital footprint / information leakage and to minimize the damage when things go bad. In the best of scenarios you might almost drop off the grid completely. That is, instead of your adversaries knowing almost everything there is to know about you, they will be left with the bare minimum. A decent level of IT privacy is still attainable, but it does require a constant effort. The rules for this constant effort are what OPSEC is all about. Lastly, remember that OPSEC does not replace any other security disciplines - it supplements them.
Why OPSEC is for everyone
Ever wondered why Facebook, Gmail, Outlook, Skype etc. products are (partly) free? Because you are the product. You, your interests, what products you have bought, your friends, your family, your wealth, your political ideology, your calendar, your current position, your upcoming events... Then add on top where you work, your job role, your colleagues, your connections, your company's product development and your milestones...
This is all priceless information about you and the people around you.
It's mostly about finding the "right ads to show you", but when you put all of the gathered information together and place it in the wrong hands, bad things can follow...
To make a long story short: George Orwell was an optimist (TM). That is, very few things in today's IT world can be considered to respect your privacy and to be safe & secure. Even harmless-looking devices like baby "sleep monitors" (IoT box with camera & microphone) can in capable hands be turned into a small monster (your adversaries may have a live camera & microphone feed inside your house / the device may be part of a criminal bot-net of some kind). The more devices you have, the more (privacy) problems you have.
We are all vulnerable to this, but we can systematically minimize the problem(s) via our own actions.
High-level view of OPSEC
Identify critical information (company information, client, resource info etc.)
Analyze threats (state and/or privately funded IT criminals etc.)
Only put your trust in things that can be verified: open source
It is impossible to know what any closed source solution is really doing: hence they cannot be trusted
Open solutions on the other hand can be verified from start to finish: rely on them
Meaning:
Only trust solutions that are completely open (both the client & server parts)
It is not enough if just one part of the client-server side is open
Think: If a boat is leaking / taking in water, it is unwise to ignore it...
Pay attention to (a) with whom you are communicating and (b) how you are doing it
Watch out for social engineering / information leakage - You may be the biggest security threat
Follow strict but sane email, texting and social networking policies - Silence is golden
For confidential material: Only rely on trusted devices + multiple layers of verifiable e2e encryption
Have spam, virus and malware mail filters in place
Don't open any attachments that aren't cryptographically signed by a trusted partner (consider throw-away VM + dummy user + virus check + secure tools)
Don't visit any URLs given by unknown persons in your normal env (consider throw-away VM + dummy user + Tor browser etc.)
Use Tor & think before you click - All URLs are linkable to something (most specifically URLs containing hashes)
Might be a 1:1 mapping to you!
Example: You have gotten a random-looking URL from somebody, you click it, it's anonymous, right?
Wrong: you have been traced: "echo you@work.com | sha256sum" -> myurl.com/9e2b29696765a73d26529e83bc95e35...
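As an added example (not code from the original page), the same trick seen from the receiving side: before clicking, check whether a link carries a digest of one of your own addresses, i.e. whether it is keyed to you personally. The function names, the `myurl.com` base and the `you@work.com` address are assumptions taken from the example above.

```python
import hashlib
import re
from typing import Iterable, Optional
from urllib.parse import parse_qsl, urlsplit

# A bare hex digest used as a path segment or query value (md5..sha512 lengths,
# or a truncated prefix of one, like the "...9e2b2969..." link above).
HEX_TOKEN = re.compile(r"^[0-9a-fA-F]{32,128}$")
ALGOS = ("md5", "sha1", "sha256", "sha512")


def identity_digests(identity: str) -> set:
    """Every digest a sender could cheaply derive from one of your identities.

    Includes the variant with a trailing newline, because `echo addr | sha256sum`
    (the page's example) hashes the newline as well.
    """
    variants = {identity, identity + "\n", identity.lower(), identity.lower() + "\n"}
    return {hashlib.new(a, v.encode()).hexdigest() for a in ALGOS for v in variants}


def link_tokens(url: str) -> list:
    """Hex-looking path segments and query values found in the URL (lower-cased)."""
    parts = urlsplit(url)
    candidates = [seg for seg in parts.path.split("/") if seg]
    candidates += [value for _, value in parse_qsl(parts.query)]
    return [c.lower() for c in candidates if HEX_TOKEN.match(c)]


def personalized_link_match(url: str, identities: Iterable[str]) -> Optional[str]:
    """Return the identity whose digest (or digest prefix) the link carries, else None.

    A hit means the link is unique to you: the sender learns not just that
    "someone" clicked, but exactly who, from which IP, and when.
    """
    tokens = link_tokens(url)
    for ident in identities:
        digests = identity_digests(ident)
        for tok in tokens:
            if any(d.startswith(tok) for d in digests):
                return ident
    return None


def page_style_link(identity: str, base: str = "https://myurl.com/") -> str:
    """Build the page's example form: base + sha256 of `echo identity` (newline included)."""
    return base + hashlib.sha256((identity + "\n").encode()).hexdigest()
```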
Be careful with HTML mails - You may be accessing your adversaries' systems in real time...
View them as text-only or tell your email client not to fetch any external data
Does that mean that your wunderbar HTML mails will look broken and ugly? Yes. Privacy comes at a price
When viewing your HTML mail "normally": The other side might be able to see you in real time (in their web server logs etc.) since you just accessed their system from your device
You might have accessed a unique file which was only generated for you: unique file access + your IP + host environment info == you
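Added example (not from the original page): a small scanner built on Python's html.parser that lists exactly which remote resources an HTML mail would fetch if rendered "normally", which is what the "do not fetch external data" setting blocks. The sample message, its hostnames and the function names are constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag attributes that a rendering mail client fetches without any click.
# (<a href> is deliberately absent: a link only fires when you click it.)
FETCH_ATTRS = {
    "img": ("src",), "link": ("href",), "script": ("src",), "iframe": ("src",),
    "video": ("src", "poster"), "audio": ("src",), "source": ("src",),
    "object": ("data",), "embed": ("src",),
}


class RemoteResourceScanner(HTMLParser):
    """Collect (tag, url, is_beacon) for every remote fetch the mail would trigger."""

    def __init__(self):
        super().__init__()
        self.remote = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in FETCH_ATTRS.get(tag, ()):
            url = attrs.get(name) or ""
            if urlsplit(url).scheme not in ("http", "https"):
                continue  # cid:/data: parts are inline, not a fetch from the sender
            # A 1x1 (or 0x0) image has no purpose except reporting that you opened the mail.
            beacon = tag == "img" and (
                attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
            )
            self.remote.append((tag, url, beacon))


def scan_html_mail(html: str) -> list:
    """All (tag, url, is_beacon) fetches a client would make while rendering `html`."""
    scanner = RemoteResourceScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.remote


def beacon_urls(html: str) -> list:
    """Only the tracking-pixel style fetches."""
    return [url for _, url, beacon in scan_html_mail(html) if beacon]


# Constructed sample message: one tracking pixel, one inline (cid:) logo,
# one remote stylesheet and an ordinary link.
SAMPLE_MAIL = """<html><body>
<p>Hello, your invoice is attached.</p>
<img src="https://track.example/open/3f9c2a" width="1" height="1" alt="">
<img src="cid:logo@example" alt="logo">
<link rel="stylesheet" href="https://cdn.example/mail.css">
<a href="https://shop.example/item/42">View item</a>
</body></html>"""
```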
Only use devices if you must & Only record what needs to be recorded (saved)
Consider not using any electronic devices at all - go old school: pen & paper + hard writing surface
Your closed source devices may be listening in on you right now
Remember that each click / picture / chat string / search string / software tool leaves a digital mark
Remember that your mobile operator knows your current & past locations (unless you are in airplane mode)
Remember that your mobile operator has full access to your non-encrypted network traffic
Disable all third party cloud backups (contacts, images & videos, location leaks)
Disable the GPS image tagging (location leak)
Never connect anything to your devices unless you must
Each device that is connected to your computer / mobile / xxx can cause problems
Even out-of-the-box devices like DVDs, USB sticks, HDDs etc. have had viruses on them!
Only connect devices that you trust to your systems. Unplug everything when not in use
Virus / Malware / Backdoor infections, USB data eavesdropping plus whatnot can be one cable away...
Only turn on the features that you need
Less is more: Only turn on a feature when you need it, remember to turn it off when you're done
Be safer + save battery power == Silence is golden (TM)
Rationale: Sadly all features mentioned above have known attack vectors: Wifi network attacks, ultrasound attacks over voice control, GPS spoofing attacks, Bluetooth & NFC close-by attacks...
Only use your devices in a SAFE PLACE / Be aware of your surroundings
Make sure that nobody else hears & sees what you are typing / doing on your devices
Examples of unsafe places: crammed places, buses, airports / airplanes / lounges with multiple ears & cameras etc.
When traveling: Only bring what you need
Travel light - Leave everything "extra" at safe-place-X
The ownership of your things may change in a blink of an eye...
If you bring nothing, what is there to open?
If you have no social media accounts - You have fewer problems
When crossing borders / being stopped / prompted: NEVER turn on OR use any device
Keep all devices in a DOWN-POWERED state (hardest to crack open)
Consider using CLEAN DEVICES
Think: Travel / Trip devices which are WIPED before & after your adventure. Consider them unsafe for real work
An old GSM (non-smartphone) that you have laying around is optimal for this scenario (the older, the better): the phone is too stupid to cause big problems for you
Hence, if XYZ gains access to your devices / backdoors them, they gain nothing
Recycle these devices / don't use the same CLEAN DEVICE over a longer period
Encrypt everything: Use the right tools for the job
If your job was to keep something very special safe, would you leave it unguarded, even for a moment? Probably not. The same rule should apply to any systems that you hold dear!
Each person, door or any other possible way in which is left unchecked can be a game-changer... Hence apply multiple security solutions and keep monitoring them!
The more IDS, IPS, AIDE and data integrity solutions you are using which criss-cross each other's monitoring areas (using different technologies), the harder your adversaries' job will become!
Get to know your monitoring systems and your systems' normal patterns
Write notes about each system in a safe place (which cannot be altered: GPG, git)
Make sure your systems' history data gets spread out to multiple hosts (and that it cannot be altered: IDS, IPS, tripwire, GPG-encrypted systems, push-only systems, smart backups...)
Look for spikes or changes in network connections, bandwidth, CPU, memory, disc activity, processes etc...
Block everything and only allow network access to what you must!
NOTE: Follow the firewall logs - Mui importante problem / attack spotter!
Think: Why is my device-X attempting to talk to strange country-Y? Red alert!
Supplement your trustworthy firewall with a trustworthy VPN provider
Gain control of what tools are allowed to talk to the network
Anonymize the traffic that you allowed to pass via a VPN / Tor
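The "why is my device-X talking to country-Y?" question above, made mechanical, as an added example that is not part of the original page: a parser for netfilter/iptables LOG lines plus a check against an allowlist of countries. The log lines and the tiny IP-to-country table are constructed for the example; a real setup would consult a GeoIP database instead of `GEO_TABLE`.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed netfilter LOG lines (rule prefix "OUTBOUND"); not real traffic.
SAMPLE_LOG = """\
Mar  3 10:01:07 laptop kernel: OUTBOUND IN= OUT=wlan0 SRC=192.168.1.20 DST=192.0.2.10 PROTO=TCP SPT=51034 DPT=443
Mar  3 10:01:09 laptop kernel: OUTBOUND IN= OUT=wlan0 SRC=192.168.1.20 DST=198.51.100.7 PROTO=TCP SPT=51035 DPT=443
Mar  3 10:02:44 laptop kernel: OUTBOUND IN= OUT=wlan0 SRC=192.168.1.20 DST=203.0.113.9 PROTO=UDP SPT=40000 DPT=9001
Mar  3 10:03:00 laptop kernel: OUTBOUND IN= OUT=wlan0 SRC=192.168.1.20 DST=10.8.0.1 PROTO=UDP SPT=52000 DPT=53
"""

# Constructed stand-in for a GeoIP lookup (network -> country code); the
# addresses are documentation ranges, the country codes are made up.
GEO_TABLE = {
    ip_network("192.0.2.0/24"): "FI",
    ip_network("198.51.100.0/24"): "XX",
    ip_network("203.0.113.0/24"): "YY",
}
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FIELD_RE = re.compile(r"\b(?P<key>SRC|DST|PROTO|DPT)=(?P<val>\S+)")


def parse_log_line(line: str) -> dict:
    """Pull SRC/DST/PROTO/DPT out of one LOG line; {} if it is not one."""
    fields = {m.group("key"): m.group("val") for m in FIELD_RE.finditer(line)}
    return fields if {"SRC", "DST", "PROTO"} <= set(fields) else {}


def country_of(addr: str) -> str:
    a = ip_address(addr)
    if a.is_loopback or any(a in n for n in RFC1918):
        return "LOCAL"  # your own LAN or the VPN tunnel, not the Internet
    for net, cc in GEO_TABLE.items():
        if a in net:
            return cc
    return "UNKNOWN"  # unknown is suspicious too, so it is never on the allowlist


def unexpected_connections(log_text: str, allowed: set) -> list:
    """(dst, proto, dport, country) for each outbound flow to a non-allowed country."""
    hits = []
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if not f:
            continue
        cc = country_of(f["DST"])
        if cc not in allowed:
            hits.append((f["DST"], f["PROTO"], f.get("DPT"), cc))
    return hits
```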
Password authentication: Use strong passphrases (The longer & stranger, the better)
Diceware recommendation: at least six randomly chosen words (77 bits).
Example using EFF's wordlist:
distrust schilling acorn dupe proton decent
Strong passphrase == Fifth Amendment
No person can be compelled in any criminal case to be a witness
against himself.
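Added example (not from the original page) of the diceware procedure recommended above: five dice rolls select one word, and each word drawn from the 7776-word list adds log2(7776) ≈ 12.9 bits, which is where the "six words, 77 bits" figure comes from. The wordlist path is a placeholder; when the file is absent a tiny constructed list is used so the code runs stand-alone (real passphrases need the full EFF list).

```python
import math
import secrets

WORDLIST_PATH = "eff_large_wordlist.txt"  # placeholder: EFF's large list, "11111<TAB>word" per line


def dice_to_index(roll: str) -> int:
    """Map a five-dice roll "11111".."66666" to list index 0..7775 (base 6, digits 1-6)."""
    if len(roll) != 5 or any(c not in "123456" for c in roll):
        raise ValueError("roll must be five digits in 1..6")
    idx = 0
    for c in roll:
        idx = idx * 6 + (int(c) - 1)
    return idx


def roll_dice() -> str:
    # secrets, never random: an unpredictable source is the whole point
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))


def load_wordlist(path: str = WORDLIST_PATH) -> list:
    try:
        with open(path, encoding="utf-8") as fh:
            return [line.split()[1] for line in fh if line.strip()]
    except OSError:
        # constructed stand-in (the six words from the page's example) so the
        # code runs without the real file; far too small for real use
        return ["distrust", "schilling", "acorn", "dupe", "proton", "decent"]


def entropy_bits(n_words: int, list_size: int) -> float:
    """Each word drawn uniformly from list_size candidates adds log2(list_size) bits."""
    return n_words * math.log2(list_size)


def passphrase(n_words: int = 6, words: list = None) -> tuple:
    """Return (passphrase, entropy_bits) for n_words uniformly chosen words."""
    words = words or load_wordlist()
    if len(words) == 6 ** 5:
        chosen = [words[dice_to_index(roll_dice())] for _ in range(n_words)]
    else:
        chosen = [secrets.choice(words) for _ in range(n_words)]
    return " ".join(chosen), entropy_bits(n_words, len(words))
```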
Never use fingerprint, eye, face or any other form of biometric authentication
It may not work / It can be faked / You can be forced to provide it / Not under Fifth Amendment
Never use pattern / gesture authentication
Less time consuming to crack / You can be forced to provide it / Not under Fifth Amendment
Change all default passwords (BIOS, AMT, root/admin, Wifi-boxes etc)
Update all of your systems' default passwords to a strong passphrase of your choosing
Think: Your adversaries may gain full access to your systems with Intel's AMT + default password 'admin' (game over).
Use multiple passphrases (passwords)
Possible single point of failure - Give each Internet site / system a unique password
Think: Your adversaries get access to a single password which unlocks all of your systems (game over).
WARNING: Keep in mind that each Internet site / third party system / closed source system-X (and their friends) may have access to your clear-text password for that system (your password + pattern may be known / guessable): Hence use different passphrases for all systems
Avoid most password management systems
Possible single point of failure - Rely on open source tools with strong encryption that can be verified (some examples) or write your own wrappers around a GPG-encrypted file...
Never save your passwords in your browser / some closed source cloud solution - Can be hacked, unreliable & unverifiable shaait stored somewhere and somehow - Be MUI careful!
Device fingerprints - Following your devices' unique marks
You may be sharing way more information with each post / media upload / printout than you think:
All network cards & modems (plus operating system + toolchain on top) / cameras / microphones / printers / etc. leave unique marks + possible metadata inside of their end-product (images / recordings / printouts)
Some device uniqueness is created by mistake (normal hardware differences), some unique stamps are deliberately added
This pixel or bit uniqueness makes it possible to trace a device, image, media recording or printer paper back to its source device with stunning accuracy! [1, 2]
Based on the images / media recordings (voice & video) the location & people present may also be guessed
Now combine this with social media and you have the perfect trap
Who is providing all of this intelligence and paying for it? You
Device power states: Locked or powered-down
When the door bell rings / something unexpected occurs: lock / close everything before doing anything else
Never leave unattended devices unlocked / open, even for a short while...
Think: After "that short while" somebody else may have complete access to your systems...
When not in active usage: always keep your devices in an OFF / DOWN-POWERED state
Never leave your unattended devices in an OPEN / STANDBY / SLEEP state for a longer time
When in use:
When done with your work: place your devices in a LOCKED state (requires authentication)
Make sure all ON-POWERED devices automatically go to a LOCKED state after a short INACTIVITY period (lock screensaver)
Change / refresh your (ISP) IP often
The longer you use the same IP, the easier you are to pin down
Remember to reboot / restart your ISP systems often (you should get a new IP)
Use a trustworthy VPN (Your IP trail ends at your VPN provider)
Your VPN provider and its servers should be in a country with sane ICT laws that respect your rights
Avoid all Patriot Act / Five Eyes and like-minded countries - Your (VPN) data is not safe there!
A "backdoored" VPN will make things worse - Your whole network traffic is now tunneled via your adversaries - be careful!
Warning: VPN + leaky closed source tools + unwise usage == You are still traceable (logged in here and there, tool fingerprinting + metadata leakage which shows your local data...)
Verifiable tools + Changing IP + trusted VPN provider == good base security
Your adversaries can only see that you have an encrypted connection to a VPN, after that your trail goes cold / Mui difficult to map who is doing what...
Your network activity is now mixed in / a part of the whole VPN user pool's network actions (+ extra random IP connections going here and there == never totally still)...
When used wisely with trusted & non-leaky tools your network activity is now anonymous
Make sure that your VPN is not leaking your DNS requests
All your URL requests are going to be resolved to an IP via your DNS resolver (/etc/resolv.conf -> DNS servers' IPs)
Problem: This means that the owner of the DNS resolver knows your IP + what URLs you want to visit...
Meaning: No VPN + no encrypted network connection = All your base belongs to your operator
Solution: Use a trustworthy VPN provider with a working DNS setup from a country with sane ICT laws
You're safe: Your URL requests and IP connections will be mixed in the pool of all VPN users' requests
Even your network operator (who normally sees almost everything that you do) is left in the dark, they just see one encrypted connection going from you to the VPN!
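Added example (not from the original page) for the DNS leak check above: read the resolvers out of /etc/resolv.conf and flag any that are neither the VPN-supplied resolver nor inside the tunnel network, since queries to those leave via the ISP in clear text. The sample resolv.conf, the tunnel range `10.8.0.0/24` and the function names are constructed assumptions.

```python
import ipaddress

# Constructed sample: resolv.conf after the VPN came up but the DHCP-supplied
# home-router resolver (which forwards to the ISP) was left in place.
SAMPLE_RESOLV_CONF = """# Generated by NetworkManager
search lan
nameserver 10.8.0.1
nameserver 192.168.1.1   # router -> ISP resolver: this is the leak
options edns0
"""


def parse_nameservers(text: str) -> list:
    """Return the nameserver addresses listed in resolv.conf text, in order."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def dns_leaks(resolv_conf_text: str, vpn_resolvers, tunnel_networks) -> list:
    """Resolvers that are neither VPN-supplied nor reachable only through the tunnel.

    Every hostname you look up via one of these is visible to whoever runs it
    (and to your operator on the wire), VPN or not.
    """
    trusted = {ipaddress.ip_address(r) for r in vpn_resolvers}
    nets = [ipaddress.ip_network(n) for n in tunnel_networks]
    leaks = []
    for ns in parse_nameservers(resolv_conf_text):
        try:
            addr = ipaddress.ip_address(ns)
        except ValueError:
            leaks.append(ns)  # not even an IP: treat as untrusted
            continue
        if addr in trusted or any(addr in net for net in nets):
            continue
        leaks.append(ns)
    return leaks


if __name__ == "__main__":
    # On a real host you would read the live file instead of the sample:
    # open("/etc/resolv.conf").read()
    print("leaking resolvers:", dns_leaks(SAMPLE_RESOLV_CONF, ["10.8.0.1"], ["10.8.0.0/24"]))
```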
At the very least: remember to use a VPN in combination with the normal browser
NOTE: Running a hidden Tor server is sadly not that safe or hidden...
But surfing the web using Tor is (to the best of our knowledge, when changing identity often)...
The most secure & anonymous web setup:
Trustworthy environment + Trustworthy tools + Trustworthy VPN + Tor + Change identity often
Cover your devices camera(s) and unused microphone(s)
Always cover / place tape over your devices camera(s)
Also consider covering your unused microphone(s) (laptops / pads etc.)
Verify it: take a picture & record some sound: it should be blurred
Logic: it's only a bit that shows if your camera or microphone is on, and that bit, like everything else, can be side-stepped...
Your adversaries may be looking at you right now and listening in on your conversations. This is especially true for all closed source devices. It's impossible to know what they are really doing.
Never stay logged in to Google / Yahoo / Outlook free:ish services
They store everything you do. Log in and exit after you're done with your work
Don't use virtual voice assistant services (Alexa, Cortana, Google Assistant, Siri...)
Everything you say is stored directly under your profile
They may even be listening to you at this very moment. Converting the sounds around you to text + analysing what you are up to. Trying to identify who you are talking to etc. The perfect spying tool right in your pocket. Be careful.
Remember that your mobile calls, SMS and MMS are in clear-text for your mobile operator & their friends (not to mention your closed source devices' own actions...)
Consider only turning your device on when you need it (when you are on-line you are visible & leaking loads of info via multiple systems)
Think five times what you say and write using mobile devices - You are completely naked!
Your operator has your IP history, location history (GSM triangulation & network tower data) and real-time clear-text access to all of your unencrypted network traffic
The mobile / ISP operators are bound by law to store selected network traffic for X amount of time
WARNING: The encrypted parts of your IP packets should be safe but your operator does have full access to each packet's metadata parts (IP source + destination, time stamps etc.) - Even the metadata can be critical information regarding your privacy (1:1 mapping between your encrypted actions from device-X at location-Y and time-Z)
Think: Yes, we can confirm that our customer-N accessed her bank from her mobile device-X, at location-Y and at Z-time. Her online actions started at YYYY-MM-DD HH:MM:SS and ended at YYYY-MM-DD HH:MM:SS. After that she traveled from location-X to location-Y, then...
The solution to mitigate the operator problem is simple - Rely on trusted VPNs, verifiable e2e encryption and Tor-like anonymization services for decent privacy - This will break the 1:1 mapping of your devices and network actions - they will however continue to see your devices' location and that you are doing something!
Dispose of all electronic equipment securely - Be very careful where you repair your equipment
WARNING - Professional data recovery companies are said to succeed in 9/10 cases of bringing back data from a faulty hard drive / memory card!
This is great news for your old pictures etc. but very bad news for confidential material.
REPAIR - attempting to get back data from unstable systems
NOTE: Your repair shop (and their third party partners) have full SW & HW access to your device!
This is the perfect place for a data dump + HW / SW backdoor installation...
Ensure all devices are wiped clean before sending anything off for repair
Perform multiple shred + format + overwrite rounds (at least 8 rounds)
BROKEN HW - Unable to access USB-stick / HDD / SSD data
If you are unable to clean-wipe confidential data, don't send it anywhere!
Physically destroy it: Place it near a strong magnet for some days + dip it in strongly salted water + let it dry (corrosion & rust) + hammer time + Recycle it in pieces...
If interviewed by XYZ: Always be consistent & polite
Silence is golden (TM)
The people who are asking the questions are only doing their job
If you misbehave, odds are that XYZ will also do the same (more trouble)
Keep in mind that XYZ may have full access to your: social media, non-encrypted mails, cloud data, chat data of supposed secure app-X, uploaded image with place and time stamp of app-Y, Skype calls list, LinkedIn profile with all of your connections etc.: Pick your words carefully
In short: Be polite & Keep calm & Think five times before answering anything
Store your holiest information in (a) a clean room and (b) on air-gapped host(s)
Default state for this über secure host is off (only power it up when you use it)
Never connect this über secure host to any network (always off-line)
All communication between this and other safe hosts happens via checked & encrypted special medium-X
Keep a separate access log with time stamps + list of done things
Tripwire everything & follow the reports (always compare the access logs == data must match)