Introduction
To keep your adversaries at bay,
following these simply rules each day.
Operational Security - Cybersecurity 1-0-1
Silence means security
B2B: business to business
E2E encryption: End-to-end encryption
GSM: Global System for Mobile Communications
Haas: Hardware As A Service
Hardening computing: Making devices more safe & locked down
HW: Hardware
ICT: Information and Communications Technology
IDS: Intrusion detection system
IPS: Intrusion prevension system
MMS: Multimedia Messaging Service
PGP: Pretty Good Privacy
RTC: Real-Time Communication (multimedia and audio via VoIP)
Saas: Software As A Service
SMS: Short Message Service
SW: Software
VoIP: Voice Over IP
VPN: Virtual Private network
Cybersecurity threat awareness: Prevent your information from leaking out to the bad guys & girls
Operations Security or Operational Security is the process by which we protect unclassified information from leaking out via our own actions & behaviour. The goal of Cybersecurity OPSEC is to minimize your digital footprint / information leakage and to minimize the damage when things go bad. In the best of scenarios you might almost drop off the grid completely.
That is, instead of your adversaries knowing almost everything there is to know about you, they will be left with the bare minimum. A decent level of IT privacy is still attainable, but it does require a constant effort. The rules for this constant effort is what OPSEC is all about. Lastly, remember that OPSEC does not replace any other security disciplines - it supplements them.
Why OPSEC is for everyone
Every wondered why Facebook, Gmail, Outlook, Skype etc products are (partly) free? Because you are the product. You, your interests, what products you have bought, your friends, your family, your wealth, your political ideology, your calendar, your current position, your upcoming events... Then add on top where you work, your job role, your colleagues, your connection, your companies product development and your milestones...
This is all priceless information about you and the people around you.
It's mostly about finding the "right ads to show you", but when you put all of the gathered information together and place it in the wrong hands, bad things can follow...
To make a long story short: George Orwell was an optimist (TM). That is, very few things in todays IT world can be considered to respect your privacy and to be safe & secure. Even harmless looking devices like baby "sleep monitors" (IoT box with camera & microphone) can in capable hands be turned into a small monster (Your adversaries may have a live camera & microphone feed inside your house / The device may be part of a criminal bot-net of some kind). The more devices you have, the more (privacy) problems you have.
We are all vulnerable to this, but we can systematically minimize the problem(s) via our own actions.
Highlevel view of OPSEC
- Identity of critical information (Company information, client, resource info etc)
- Analyze threats (State and/or privately funded IT criminals etc)
- Analyze vulnerabilities (You + unknown amounts of closed source tools & devices doing whatnot etc)
- Assess the risk (Who has access to critical data, how much are you willing to pay for security & OPSEC)
- Apply appropriate measures (Go controlled & hardened open source + OPSEC)
Practical Cybersecurity OPSEC
Table of Contents
- Only put your trust in things that can be verified: open source
- Pay attention to (a) with whom you are communicating with and (b) how you are doing it
- Only use devices if you must & Only record what needs to be recorded (saved)
- Never connect anything to your devices unless you must
- Only turn on the features that you need
- Only use your devices in a SAFE PLACE / Be aware of your surroundings
- When traveling: Only bring what you need
- Encrypt everything: Use the right tools for the job
- Use full-disk encryption on all devices (with a strong passphrase)
- Keep monitoring your systems
- Firewall everything: First line of defence
- Password authentication: Use a strong passphrases (The longer & stranger, the better it is)
- Change all default passwords (BIOS, AMT, root/admin, Wifi-boxes etc)
- Use multiple passphrases (passwords)
- Avoid most password management systems
- Device fingerprints - Following your devices unique marks
- Device power states: Locked or powered-down
- Change / refresh your (ISP) IP often
- Use a trustworthy VPN (Your IP trail ends at your VPN provider)
- Make sure that your VPN is not leaking your DNS requests
- Use the Tor-browser for everything + change identity often
- Cover your devices camera(s) and unused microphone(s)
- Never stay logged in Google / Yahoo / Outlook free:ish service
- Don't use virtual voice assistant services (Alexa, Cortana, Google Assistant, Siri...)
- Your Mobile Operator & ISP knows alot about you - Be careful
- Be very careful where you Repair / Recycle your devices
- If interviewed by XYZ: Always be consistent & polite
- Store your holiest information in (a) a clean room and (b) on a air-gapped host(s)
- Only put your trust in things that can be verified: open source
- It is impossible to know what any closed source solution is really doing: hence they can not be trusted
- Open solutions on the other hand can be verified from start to finish: rely on them
- Only trust solutions that are completely open (both the client & server parts)
- It is not enough if just one part of the client-server side is open
- Think: If a boat is leaking / taking in water, it is unwise to ignore it...
- Meaning:
- Pay attention to (a) with whom you
are communicating with and (b) how you are doing it
- Watch out for social engineering / information leakage - You may be the biggest security threat
- Follow strict but sane: email, texting and social networking policies - Silence is golden
- For confidential material: Only rely on trusted devices + multiple layers of verifiable e2e encryption
- Have spam, virus and malware mail filters in place
- Don't open any attachments that aren't cryptically signed by a trusted partner (consider throw-away WM + dummy user + virus check + secure tools)
- Don't visit any URL's given by unknown persons in your normal env (consider throw-away WM + dummy user + Tor browser etc)
- Use Tor & Think before you click - All URL's are linkable to something (most specifically URL's with hashes)
- Might be a 1:1 mapping to you!
- Example: You have gotten a random looking URL from somebody, you click it, it's anonymous right?
- Wrong: you have been traced: "echo you@work.com|sha256sum" - > myurl.com/9e2b29696765a73d26529e83bc95e35...
- Be careful with HTML mails - You may be accessing your adversaries systems in realtime...
- View them as text-only or tell your email client not to fetch any external data
- Does that mean that you wunderbar HTML mails will look broken and uggly? Yes. Privacy comes at a price
- When viewing your HTML mail "normally": The other side might be able to see you in real-time (in their web server logs etc) since you just accessed their system from your device
- You might have accessed a unique file which was only generated for you: unique file access + your ip + host environment info == you
- Only use devices if you must & Only record what needs to be recorded (saved)
- Consider not using any electronical devices at all - go old school: pen & paper + hard writing surface
- Your closed source devices may be listening in on you right now
- Remember that each click / picture / chat string / search string / software tool leaves a digital mark
- Remember that your mobile operator knows your current & past locations (unless you are in airplain-mode)
- Remember that your mobile operator has full access to your non-encrypted network traffic
- Disable all third party cloud backups (contacts, images & videos, location leaks)
- Disable the GPS image tagging (location leak)
- Never connect anything to your devices unless you must
- Each device that is connected to your computer / mobile / xxx can cause problems
- Even out-of-the-box devices like DVD's, USB-sticks, HDD etc have had viruses on them!
- Only connect devices that you trust to your systems. Unplug everything when not in use
- Virus / Malware / Backdoor infections, USB data eavesdropping plus whatnot can be one cable away...
- Only turn on the features that you need
- Less is more: Only turn on a feature when you need it, remember to turn it off when your done
- Disable / turn-off: Wifi, Voice-Control, GPS, Bluetooth, NFC...
- Be safer + save battery power == Silence is golden (TM)
- Rationale: Sadly all features mentioned above have known attacks vectors: Wifi network attacks, ultrasound attacks over Voice control, GPS spoofing attacks, Bluetooth & NFS close by attacks...
- Only use your devices in a SAFE PLACE / Be aware of your surroundings
- Make sure that nobody else hears & sees what you are typing / doing on your devices
- Examples of unsafe places: crammed places, busses, airports / airplains / lounges with multiple ears & cameras etc
- When traveling: Only bring what you need
- Travel light - Leave everything "extra" at safe-place-X
- Devices, data, images, software, hardware, movies, papers etc
- The ownership of your things may change in a blink of an eye...
- If you bring nothing, what is there to open?
- If you have no social media accounts - You have fewer problems
- When crossing borders / being stopped / prompted: NEVER turn on OR use any device
- Keep all devices in a DOWN-POWERED state (hardest to crack open)
- Consider using CLEAN DEVICES
- Think: Travel / Trip devices which are WIPED before & after your adventure. Consider them unsafe for real work
- A old GSM (non-smartphone) that you have laying around is optimal for this scenario (the older, the better): the phone is too stupid to cause big problems for you
- Hence, if XYZ gains to access your devices / backdoors them, they gain nothing
- Recycle these devices / don't use the same CLEAN DEVICE over a longer period
- Travel light - Leave everything "extra" at safe-place-X
- Encrypt everything: Use the right tools for the job
- Verifiably Secure OS + VPN + secure: voice, email, chat, hdd, sdd, USB-sticks etc
- Strive to mainly use verifiably silent & encrypted solutions (open source)
- Assume that most of your IT actions can be stored & monitored (and probably are)
- If you must use non-encrypted & public systems: pick your words & actions carefully
- At the very least: use a trusted VPN to hide your IP & location
- Use full-disk encryption on all devices (with a strong passphrase)
- Thus making your data as safe as possible (VERY time consuming to crack)
- Server setup: Use SSH dropbear + full-disc encryption with cryptsetup LUKS + strong passphrase...
- If your servers are "stolen", they get nothing
- Even with full encryption: Always think about what & where you store something
- The more places you store your data on, the bigger the info leak problem gets...
- Never use third party non-encrypted cloud drives / unencrypted backups
- Third party backups = shared data. All your OPSEC work may be in vain...
- Even when using strong filesystem encryption: Remember to correctly recycle / destroy your old data!
- Keep monitoring your systems
- If your job was to keep something very special safe, would you leave it unguarded, even for
a moment?
Probably not. The same rule should apply to any systems that you hold dear! - Each person, door or any other possible
way in, which is left unchecked can be a
game-changer...
Hence apply multiple security solutions and keep monitoring them! - The more IDS, IPS, AIDE and Data Integrity solutions that you are using which are criss-crossing each others monitoring areas (using different technologies), The hard your adversaries job will become!
- Get to know your monitoring systems and your systems normal patterns
- Write notes about each system in a safe place (which cannot be altered, GPG, git)
- Make sure your systems history data gets spread out to multiple hosts (and that it cannot be altered, IDS, IPS, tripwire, GPG encrypted systems, push-only systems, smart backups...)
- Look for spikes or changes in network connections, bandwidth, cpu, memory, disc activity, processes etc...
- Useful security, monitoring and system tools
- If your job was to keep something very special safe, would you leave it unguarded, even for
a moment?
- Firewall everything: First line of defence
- Prevent the bad things from coming in & Prevent chatty tools from going out
- Rely on open source firewalls (routers, servers, laptops, mobiles, pads, everything!)
- Routers: Wiki: List of router and firewall distributions (License: GPL / Apache/ BSD)
- Android: F-droid: AFWall+
- Linux, BSD: Wiki:Comparison of firewalls (License: GPL / BSD)
- Block everything and only allow network access to what you must!
- NOTE: Follow the firewall logs - Mui importante problem / attack spotter!
- Think: Why is my device-X attempting to talking to strange country-Y? Red alert!
- Supplement your trustworthy firewall with a trustworthy VPN provider
- Gain control of what tools are allowed to talk to the network
- Anonymize the traffic that you allowed to pass via a VPN / Tor
- Password authentication: Use a strong passphrases (The longer & stranger, the better it is)
- Diceware recommendation: at least six randomly chosen words (77 bits).
Example using EFF's wordlist: distrust schilling acorn dupe proton decent - Strong passphrase == Fifth Amendment
- No person can be compelled in any criminal case to be a witness against himself.
- Never use fingerprint, eye, face or any other form of biometric authentication
- It may not work / It can be faked / You can be forced to provide it / Not under Fifth Amendment
- Never use pattern / gesture authentication
- Less time consuming to crack / You can be forced to provide it / Not under Fifth Amendment
- Diceware recommendation: at least six randomly chosen words (77 bits).
- Change all default passwords (BIOS, AMT, root/admin, Wifi-boxes etc)
- Update all of your systems default passwords to a strong passphrase of your choosing
- Think: Your adversaries may gain full access to your systems with Intel's AMT + default password 'admin' (game over).
- Use multiple passphrases (passwords)
- Possible single point of failure - Give each Internet site / system a unique password
- Think: Your adversaries get access to a single password which unlocks all of your systems (game over).
- WARNING: Keep in mind that each Internet site / third party system / closed source system-X (and their friends) may have access to your clear-text password for that system (your password + pattern may be known / guessable): Hence use different passphrases for all systems
- Avoid most password management systems
- Possible single point of failure - Rely on open source tools with strong encryption that can be verified (some examples) or write your own wrappers around a gpg encrypted file...
- Never save your passwords in your browser / some closed sourced cloud solution - Can be hacked, unreliable & unverifiable shaait stored somewhere and somehow - Be MUI Careful!
- Device fingerprints - Following your devices unique marks
- You may be sharing way more information with each post / media upload / printout than you think:
- All network cards & modems (plus Operating System + toolchain on top) / cameras / microphones / printers / etc leave unique marks + possible meta data inside of their end-product (images / recodings / printouts)
- Some device uniqness is created by mistake (normal hardware difference), some unique stamps are deliberate added
- This pixel or bit uniqness make it possible to trace a device, image, media recording or printer paper back to it's source device with stunning accuracy! [ 1, 2 ]
- Based on the images / media recordings (voice & video) the location & people present may also be guessed
- Now combine this with social media and you have the perfect trap
- Who is providing all of this intelligence and paying for it? You
- Device power states: Locked or powered-down
- When door bell rings / something unexpeted occures: lock / close everything before doing anything else
- Never leave unattended devices unlocked / open, even for a short while...
- Think: After "that short while" somebody else may have complete access to your systems...
- When not in active usage: always keep your devices in a OFF / DOWN-POWERED state
- Never leave your unattended devices in a OPEN / STANDBY / SLEEP state for a longer time
- When in use:
- When done with your work: place your devices in a LOCKED state (requires authentication)
- Make sure all ON-POWERED devices automatically go to a LOCKED state after a short INACTIVITY period (lock screensaver)
- When door bell rings / something unexpeted occures: lock / close everything before doing anything else
- Change / refresh your (ISP) IP often
- The longer you use the same IP, the easier you are to pin down
- Remember to reboot / restart your ISP systems often (you should get a new IP)
- Use a trustworthy VPN (Your IP trail ends at your VPN provider)
- Your VPN provider and it's servers should be in a country with sane ICT laws that respect your rights
- Avoid all Patriot Act / Five eyes and like minden countries - Your (VPN) data is not safe there!
- A "backdoored" VPN will make things worse - Your whole network traffic is now tunneled via your adversaries - be careful!
- Warning: VPN + Leaky closed source tools + unwise usage == You are still traceable (logged in here and there, tool fingerprinting + metadata leakage which shows your local data...)
- Verifiable tools + Changing IP + trusted VPN provider == good base security
- Your adversaries can only see that you have an encrypted connection to a VPN, after that your trail goes cold / Mui difficult to map who is doing what...
- Your network activity is now mixed in / a part of the whole VPN user pools network actions + extra random IP connections going here and there == never totally still)...
- When used wisely with trusted & non-leaky tools your network activity is now anonymous
- Make sure that your VPN is not leaking your DNS requests
- All your URL requests are going to be resolved to a IP via your DNS resolver (/etc/resolv.conf -> DNS servers IP's)
- Problem: This means that the owner of the DNS resolver knows your IP + what URL's you want to visit...
- Meaning: No VPN + no encrypted network connection = All your base belongs to your operator
- Solution: Use a trustworthy VPN provider with a working DNS setup from a country with sane ICT-laws
- Your safe: Your URL requests and IP connections will be mixed in the pool of all VPN users requests
- Even your network operator (who normaly sees almost everything that you do) is left in the dark, they just see one encrypted connection going from you to the VPN!
- Turn your VPN on + visit a DNS leak test page
- https://www.dnsleaktest.com, https://ipleak.net
- BAD: test page show / leaks your operators DNS data! (your traceable!)
- OK: test pages only show your VPN's / Tor nodes DNS data (VPN + anonymous DNS req.)
- Use the Tor-browser for everything + change identity often
- Only use a "normal" open source browser if you must
- Remove all extra plugins from your open source browser
- Make sure that the normal browser has all Privacy Add-ons enabled
- Noscript, Adblock plus, Better Privacy, HTTPS everywhere, stop fingerprinting, Self destucting cookies etc
- At the very least: remember to use a VPN in combination with the normal browser
- NOTE: Running a hidden Tor server is sadly not that safe or hidden...
- But surfing the web using Tor is (To the best of our knowledge when changing identity often)...
- The most secure & anonymous web setup:
- Trustworthy environment + Trustworthy tools + Trustworthy VPN + Tor + Change identity often
- Cover your devices camera(s) and unused microphone(s)
- Always cover / place tape over your devices camera(s)
- Also consider covering your unused microphone(s) (laptop/pads etc)
- Verify it: take a picture & record some sound: it should be blurred
- Logic: it's only a bit that shows if your camera or microphone is on, that bit like everything else can be side-stepped...
- Your adversaries may be looking at you right now and listening in on your conversations. This is especially true for all closed source devices. It's impossible to know what they are really doing.
- Never stay logged in Google / Yahoo / Outlook free:ish service
- They store everything you do. Login and exit after your done with your work
- Instead, use free & privacy respecting search engines like duckduckgo.com, startpage.com
- Don't use virtual voice assistant services (Alexa, Cortana, Google Assistant, Siri...)
- Everything you say is stored directly under your profile
- They may even be listening to you at this very moment. Converting the sounds around you to text + analysing what you are up to. Trying to identify who you are talking to etc. The perfect spying tool right in your pocket. Be careful.
- Your Mobile Operator & ISP knows alot about you - Be careful
- Remember that your mobile calls, SMS and MMS are in clear-text for your mobile operator & their friends (not to mentioned your closed source devices own actions...)
- Consider only turning your device on when you need it (When you are on-line you are visible & leaking loads of info via multiple systems)
- Think five times what you say and write using mobile devices - You are completely naked!
- Your operator has your IP history, location history (GSM triangulation & network tower data) and real-time clear-text access to all of your unencrypted network traffic
- The mobile / ISP operators are bound by law to store selected network traffic for X amount of time
- WARNING: The encrypted parts of your IP packets should be safe but your operator does have full access to each packets meta data parts (IP source + destination, time stamps etc) - Even the meta data can be critical information regarding your privacy (1:1 mapping between your encrypted actions from device-X at location-Y and time-Z)
- Think: Yes, we can confirm that our customer-N accessed her bank from her mobile device-X, at location-Y and at Z-time. Her online actions started at YYYY-MM-DD HH:MM:SS and ended at YYYY-MM-DD HH:MM:SS. After that she traveled from location-X to location-Y, then...
- The solution to mitigate the operator problem is simple - Rely on trusted VPN's, verifiable e2e encryption and Tor-like anonymization services for decent privacy - This will break the 1:1 mapping of your devices and network actions - they will however continue to see your devices location and that you are doing something!
- Dispose all electronic equipment securely - Be very careful where you repair your equipment
-
WARNING - Professionals data recovery companies are said
to succeed in 9/10 cases of bringing back data from a
faulty hard drive / memory card!
- This is great news for your old pictures etc but very bad news for confidential material.
- REPAIR - attempting to get back data from unstable systems
- NOTE: Your reparation shop (and their third party partners) have full SW & HW access to your device!
- This is the perfect place for a data dump + HW / SW backdoor installation...
- Ensure all devices are wiped clean before sending anything off for reparation
- Perform multiple shred + format + overwrite rounds (at least 8 rounds)
- BROKEN HW - Unable to access USB-stick / HDD / SDD data
- If you are unable to clean-swipe confidential data, don't send it anywhere!
- Physically destroy it: Place it near a strong magnet for some days + dip it in strongly salted water + let it dry (corrosion & rust) + hammer time + Recycle it in peaces...
- If interviewed by XYZ: Always be consistent & polite
- Silence is golden (TM)
- The people who are asking the questions are only doing their job
- If you miss-behave, odds are that XYZ will also do the same (more trouble)
- Keep in mind that XYZ may have full access to your: social media, non-encrypted mails, cloud data, chat data of supposed secure app-X, uploaded image with place and time stamp of app-Y, Skype calls list, Linkedin profile with all of your connections etc: Pick your words carefully
- In short: Be polite & Keep calm & Think five times before answering anything
- Store your holiest information in (a) a clean room and (b) on a air-gapped host(s)
- Default state for this über secure host is off (only power it up when you use it)
- Never connect this über secure host to any network (always off-line)
- All communication between this and other safe hosts happends via checked & encrypted special medium-X
- Keep a separate access log with time stamps + list of done things
- Tripwire everything & follow the reports (always compare the access logs == data must match)
