General OPSEC Resources
#1
General Operational Security Resources

"[Operational] security (OPSEC) is a process that identifies critical information to determine if friendly actions can be observed by enemy intelligence, determines if information obtained by adversaries could be interpreted to be useful to them, and then executes selected measures that eliminate or reduce adversary exploitation of friendly critical information." - Wikipedia

This is a page of OPSEC-oriented resources that I like. This list of resources will be more actively maintained on my website: https://brokemy.network/opsec-resources/

I thought that some of you folks would appreciate this share, so enjoy.



OPSEC: Because Jail is for wuftpd
Type: Video, conference talk
URL: https://www.youtube.com/watch?v=9XaYdCdwiWU
Description: This video covering hacker OPSEC is a necessary watch for anyone who is interested in the subject, especially hackers. The Grugq covers some very interesting case studies that allow you to learn from other hackers' OPSEC failures.

B3RN3D.com
Type: OPSEC blog
URL: http://www.b3rn3d.com/
Description: B3RN3D is a blogger that is well-versed with topics such as operational security, maintaining anonymity, and mass surveillance. I often reference this blog.

GreySec Hacking Forums
Type: Forum board
URL: https://greysec.net/forumdisplay.php?fid=10
Description: GreySec is a community of hacker-oriented types, many of whom have an interest in Anonymity/Privacy research, like myself. There are a lot of great threads on this forum worth checking out, and users with unique perspectives on hacker OPSEC.

The Paranoid’s Bible: An anti-dox effort
Type: Resource repository
URL: https://paranoidsbible.tumblr.com/library
Description: Self-described as a “repository of knowledge meant to help people remove their information (Dox) from the web and people search engines.” Excellent, credible resource for removing information about your current identity.

Alpraking's OPSEC guide to being a successful kingpin
Type: Text guide
URL: https://pastebin.com/0CxYx1BD
Description: Alpraking is an experienced drug kingpin in the online black market. In this post, he describes how he manages people and his drug operation with respect to operational security. Without great operational security, he would not be in business. This piece offers fantastic perspective from the black market community.

How to Disappear: Erase Your Digital Footprint, Leave False Trails, And Vanish
Type: Book
URL: https://www.amazon.com/How-Disappear-Digital-Footprint-Without/dp/1599219778
Description: This reading focuses on the offline side of disappearance; Frank Ahearn, an experienced skip tracer, guides us in preventing skip tracers and other parties from tracking our trail. This is an interesting read for anyone who wishes to conceal his or her real identity. Pro-tip: start by buying this book with cash and a hoodie in a brick-and-mortar bookstore.

How to Lie to People: Achieving Anonymity through Disinformation and Data Poisoning
Type: Text guide
URL: https://pastebin.com/tXhiMk36
Description: DIzzIE provides helpful insight on how to lie effectively, and explains why and how lying can benefit your persona. This excellent resource can be read on your lunch break.

OPSEC failures of spies
Type: Video, conference talk
URL: https://www.youtube.com/watch?v=BwGsr3SzCZc
Description: A case study on targeted surveillance. Explains how “telling” metadata is, specifically metadata pertaining to cellphone networks. This case study provides the opportunity to learn from the OPSEC failures of spies.

How to Master Secret Work
Type: Text publication
URL: http://www.historyisaweapon.com/defcon1/secretwork.html
Description: Discusses the necessity of being able to carry out work and operations with assured secrecy. Governments subject to corruption have used dirty tactics to silence opposition parties in the past, and they will do it again. This resource will aid you in your thinking for illustrating underground operations in secrecy.

Centralised Place for Privacy Resources
Type: Blog, resource repository
URL: https://themanyhats.club/centralised-pla...resources/
Description: A list of privacy resources and security technologies. Great resources, it is definitely worth checking this list out to get more familiar with modern day security technologies and pro-privacy solutions.

Surveillance Self-Defense
Type: Resource repository
URL: https://ssd.eff.org/en
Description: Collection of resources, tutorials, and briefings pertaining to counter-surveillance efforts. Includes tutorials for secure deletion, using PGP, OTR, 2FA, Signal, Tor services, etc.

The Motherboard Guide to Not Getting Hacked
Type: Guide (PDF)
URL: https://assets.documentcloud.org/documen...Hacked.pdf
Description: Generally good advice for security practices. Covers security basics, mobile security, privacy, messaging, and avoiding state and police surveillance.

DEF CON 22: Blinding The Surveillance State
Type: Surveillance conference talk
URL: https://www.youtube.com/watch?v=xCH_q-xn760
Description: Christopher Soghoian discusses the importance of HTTPS for thwarting bulk data collection efforts, the importance of “translating” cybersecurity talk to politicians, lawmakers and court systems, among other things. I would recommend this talk for privacy activists and advocates.

Things NOT to Do
Type: OPSEC Guide
URL: https://www.whonix.org/wiki/DoNot
Description: A list of things that you should not do, with a general focus on the Tor network. Great OPSEC resource.

The CryptoPaper
Type: Personal Security Guide
URL: https://github.com/cryptoseb/CryptoPaper
Description: "Privacy, Security, and Anonymity For Every Internet User"
#2
Wuarh, this is a LOT of great resources! Thanks!

I have used "OPSEC failures of spies" more than once, to prove a point Wink
#3
This is a good resource, thank you for sharing.

I do have a problem with OPSEC guides though. Whilst they are very relevant to a beginner, and educate us all about the importance of things like data poisoning, avoiding forensic authorship attribution, and keeping identities separate - they often fail to address the most pressing problem: if you are doing something highly illegal, you will be found out. It might take 10 years in some cases, but it generally always happens eventually. Just look at the creator of Ebury, for example. Law Enforcement are persistent, and if you ever get to the attention of the NSA, then you're screwed - they basically control the internet, which makes tracking your ToR activity very easy!

So whilst OPSEC is very important, often the physical approach to security is the one that matters. By this I mean that say that LE know where you live after years of investigation, they issue a warrant and raid your property and take all your hardware.

- Are all your devices encrypted? If yes, are they turned off? It's worthless if they are switched on! What early warning systems do you have if the Police decide to raid? CCTV, a kill switch to remotely shut down all your devices? Are your PC cases physically secured with a padlock, making it difficult to extract the volatile memory before it expires?

- What about all your flash drives? Even if they are encrypted, flash memory is unpredictable and will store data on different areas that can often be recovered. If you have ever used a flash drive to store scary stuff on, IT MUST BE DESTROYED.

What I would like to see developed, and maybe this is something this community can contribute to, is a list of operation categories, directly related to the severity of operation.

For example:

OPSEC Level 1: Attempted exploiting a vulnerability, no data ex-filtration, very little to some network noise or logs. If using volatile live systems, such as Kali Live, reboot; no further action needed.

OPSEC Level 2: Achieved data ex filtration against a very small target (such as a small company). Unable to cover tracks effectively, did not achieve shell access. Store data on new USB, encrypt with complex password stored within password manager. Password database should be on an encrypted persistent drive on a live operating system, i.e., Tails. Store USB in a hard to find place - do not label, but you may add notes within your password manager.

OPSEC Level 3: Successfully exploited vulnerability & achieved shell access (not root). Some but not all logs were erased to cover tracks. Store data on a new USB, and obfuscate file names and redact metadata that may indicate where the source of the data was. Encrypt with complex password as above, and store a list of the obfuscated filenames with the translation within the password database. If the target was medium or above, or the value of the data was particularly sensitive, e.g., credit cards, destroy the device that was used to attack the host.

OPSEC Level 4: Exploited host, achieved shell access and ex-filtrated very sensitive data on a large scale. Encrypt USB, obfuscate file names, and individually encrypt each file. Create a new TAILS OS, and on this new OS store a list of decryption keys for the files. On the old Tails, store the decryption password for the USB and the de-obfuscated file names. Make sure that any indication of the source of the data is removed from even the de-obfuscated file names. Destroy the device used to compromise the host, and gateway devices you control in your path (switches, routers, etc). Store the new Tails in a highly secure location unlikely to be searched, e.g., dig a hole in the garden.

A process like this would mean that when LE show up, you are considerably more protected. Ideally, there will be no evidence they can access in full. You may be charged with refusing to divulge encryption keys, but that's in all likelihood a much less severe crime! I'd be interested to hear what anyone thinks about this; these were off the top of my head, so they are very rough ideas!!
#4
(03-20-2018, 09:42 AM)EnigmaCookie Wrote: This is a good resource, thank you for sharing.

I do have a problem with OPSEC guides though. Whilst they are very relevant to a beginner, and educate us all about the importance of things like data poisoning, avoiding forensic authorship attribution, and keeping identities separate - they often fail to address the most pressing problem: if you are doing something highly illegal, you will be found out. It might take 10 years in some cases, but it generally always happens eventually. Just look at the creator of Ebury, for example. Law Enforcement are persistent, and if you ever get the attention of the NSA, then you're screwed - they basically control the internet, which makes tracking your ToR activity very easy!

Law Enforcement is persistent and dealing with nation-states as an adversary is definitely challenging. They don't control the Internet, though; there are steps you can take to anonymize yourself as much as possible. These steps can be read about here: https://www.whonix.org/wiki/DoNot

(03-20-2018, 09:42 AM)EnigmaCookie Wrote: So whilst OPSEC is very important, often the physical approach to security is the one that matters. By this I mean that say that LE knows where you live after years of investigation, they issue a warrant and raid your property and take all your hardware.

- Are all your devices encrypted? If yes, are they turned off? It's worthless if they are switched on! What early warning systems do you have if the Police decide to raid? CCTV, a kill switch to remotely shut down all your devices? Are your PC cases physically secured with a padlock, making it difficult to extract the volatile memory before it expires?

- What about all your flash drives? Even if they are encrypted, flash memory is unpredictable and will store data on different areas that can often be recovered. If you have ever used a flash drive to store scary stuff on, IT MUST BE DESTROYED.

If you create a personal data retention policy, your data should not be there by the time your adversary arrives. It is also worth noting that companies will (sometimes) delete certain activity logs after a period of time; in fact, I think it is illegal to keep data after X number of years in companies, or it's just bad practice for the sake of information security.

You bring up a great point with dumping RAM (i.e. cold boot attack), as this is a threat. If your house gets raided and your computer is still running, then it would be in the adversary's interest to do a cold-boot attack to dump the memory currently stored in RAM. For this reason, encrypt all of your devices (LUKS, VeraCrypt?), and keep them powered off when possible.

Plan for plausible deniability. If the data isn't there, then there's nothing to analyze.

(03-20-2018, 09:42 AM)EnigmaCookie Wrote: What I would like to see developed, and maybe this is something this community can contribute to, is a list of operation categories, directly related to the severity of operation.

For example:

OPSEC Level 1: Attempted exploiting a vulnerability, no data ex-filtration, very little to some network noise or logs. If using volatile live systems, such as Kali Live, reboot; no further action needed.

OPSEC Level 2: Achieved data ex filtration against a very small target (such as a small company). Unable to cover tracks effectively, did not achieve shell access. Store data on new USB, encrypt with complex password stored within password manager. Password database should be on an encrypted persistent drive on a live operating system, i.e., Tails. Store USB in a hard to find place - do not label, but you may add notes within your password manager.

OPSEC Level 3: Successfully exploited vulnerability & achieved shell access (not root). Some but not all logs were erased to cover tracks. Store data on a new USB, and obfuscate file names and redact metadata that may indicate where the source of the data was. Encrypt with complex password as above, and store a list of the obfuscated filenames with the translation within the password database. If the target was medium or above, or the value of the data was particularly sensitive, e.g., credit cards, destroy the device that was used to attack the host.

OPSEC Level 4: Exploited host, achieved shell access and ex-filtrated very sensitive data on a large scale. Encrypt USB, obfuscate file names, and individually encrypt each file. Create a new TAILS OS, and on this new OS store a list of decryption keys for the files. On the old Tails, store the decryption password for the USB and the de-obfuscated file names. Make sure that any indication of the source of the data is removed from even the de-obfuscated file names. Destroy the device used to compromise the host, and gateway devices you control in your path (switches, routers, etc). Store the new Tails in a highly secure location unlikely to be searched, e.g., dig a hole in the garden.

A process like this would mean that when LE show up, you are considerably more protected. Ideally, there will be no evidence they can access in full. You may be charged with refusing to divulge encryption keys, but that's in all likelihood a much less severe crime! I'd be interested to hear what anyone thinks about this; these were off the top of my head, so they are very rough ideas!!

Excellent point about threat modeling. B3RN3D has a couple of blog posts for exactly this -- they even use "4 Levels" to gauge risk, similar to your suggestion.

https://b3rn3d.herokuapp.com/blog/2014/0...s-of-opsec
http://www.b3rn3d.com/blog/2014/02/17/pe...-of-opsec/

Overall, I agree that we need to do better as a community to define operational security resources. Right now, resources are scattered everywhere. The reason for this is because OPSEC isn't a straight-forward process, it is a different process for each person or group, based on their personalized circumstances.

I am actually working on a project to "bring OPSEC" together for identities, RE bottom of this page. I hope to release this project as a book.

If you ever want to work on a resourceful OPSEC project, I encourage you to get in contact with me!
#5
(03-20-2018, 04:01 PM)Cypher Wrote: Law Enforcement is persistent and dealing with nation-states as an adversary is definitely challenging. They don't control the Internet, though; there are steps you can take to anonymize yourself as much as possible. These steps can be read about here: https://www.whonix.org/wiki/DoNot

Yes, you are correct, however, I am particularly talking here about the NSA. The NSA have been strategically running virtual machines close to ISPs in order to execute man-on-the-side attacks, which is effectively a speed race, so the closer they are to the core network infrastructure the more likely they are able to successfully execute the attack.

For an organisation that monitors ISPs across the globe (but obviously probably concentrated in the US), tracking activity over ToR is as simple as looking at the packets transferring through your network, from node to node. 

The Tails official website explains this a bit better!

Quote: A global passive adversary would be a person or an entity able to monitor at the same time the traffic between all the computers in a network.

By studying, for example, the timing and volume patterns of the different communications across the network, it would be statistically possible to identify Tor circuits and thus match Tor users and destination servers.

It is part of Tor's initial trade-off not to address such a threat in order to create a low-latency communication service usable for web browsing, Internet chat or SSH connections.

For more expert information see the Tor design paper, "Tor Project: The Second-Generation Onion Router", specifically, "Part 3. Design goals and assumptions."

Source: https://tails.boum.org/about/index.en.html

So, yes, whilst OPSEC will be effective against LE - if you ever escalate your activities to get on the NSA's radar, or they are asked for assistance, I would say it's highly likely that they will be able to utilise their positions as shadow-ISPs in order to de-anonymise your online activities. This is actually one case where ToR would hurt your OPSEC, as in this situation you are far better off moving around the country and using free wifi points, instead of staying in one location and using ToR.

Quote: If you ever want to work on a resourceful OPSEC project, I encourage you to get in contact with me!

Sounds like a good offer, I will bear this in mind.
#6
Oh also, I should also add that I think I may be approaching OPSEC from a different definition, as whilst for most people it sort of means "staying safe online", I've been interpreting it to mean "staying safe during active operations", hence why my Levels are specifically looking at a target and compromised data.

I'm not sure if the two are incompatible, but looking at it from a black hat perspective, I don't necessarily care about staying safe online - but when I identify a target, I need to ensure that my reconnaissance is completed anonymously, and any data I exfiltrate is stored appropriately and in a way that gives me the highest amount of plausible deniability.

For example, you mention log retention policy. However, for a black hat attacking a target, there should be no personal logs and all attacks should be on live systems, and maybe in multiple locations, depending on what "Level" we are talking about.

So not sure if my understanding is the same things as OPSEC, or something different altogether - but maybe when anyone goes into "active operation mode", a different set of OPSEC rules should apply.
#7
I had not thought this forum had this many dedicated users and also so much wisdom; really happy to be here.
#8
Does anyone have the How to Disappear: Erase Your Digital Footprint, Leave False Trails, And Vanish Without A Trace pdf which is mentioned on your website?
#9
(08-01-2018, 09:23 PM)Guest Wrote: Does anyone have the How to Disappear: Erase Your Digital Footprint, Leave False Trails, And Vanish Without A Trace pdf which is mentioned on your website?

It's a Google search / Pirate Bay search away.
#10
This is a fantastic list but I notice you haven't updated it in a while.  Do you still keep your website up to date?