(repost from breachforums)

OPSEC 101

This is not a specific or technical guide; it contains only some generic hints about what to do (and not to do) to improve your OPSEC. To make it simple: your OPSEC must be tailored to your needs. To be more specific: you have to know what kind of target you can be, and for whom (security agencies, from the well-known NSA or the FBI down to your government's cyber police, and also independent researchers; throughout this guide I'll refer to all of them as "them").

Let's make a small list of possible kinds of target:
- small: a.k.a. Mr. Nobody. You are in this category if you only browse the DarkWeb without doing anything illegal, or only minor illegal things (e.g. you just use it to download torrents of any kind, or only to be on a forum). If you are reading this guide you are on a hacker forum, but that doesn't mean you are going to do something illegal: being on a forum is not illegal, even if that forum was made by hackers.
- medium: you are in this category if you are a buyer on a DarkWeb market, or a beginner hacker who wants to improve his skills in order to do something in the future.
- big: you are in this category if you are (or are about to become) a seller of illegal goods (intel, drugs, fake money, etc.), a professional hacker or a hacktivist.

Now let's talk about what your OPSEC should be for each kind of target; later I'll explain some of these points in more detail.
- small: the Tor Browser is really enough. Nobody will probably ever care about you or what you're doing, and you'll probably never hear from "them".
- medium: the Tor Browser is enough, but you should take some more precautions while online, being careful not to fuck yourself (do not let "them" connect your online identity to your real identity). If you're planning to use a VPN service, do not register the VPN account with your daily email and do not use that account for your daily connections. However, I'd discourage you from using a VPN service at all.
But let's be more specific:
- buyer: if you are on the DarkWeb because you want to buy illegal goods, the best thing for you is a live USB of Tails (with persistence enabled; I'll come back to this later).
- hacker: if you are a beginner hacker, it is better for you to learn how to use your OS of choice and to stay safe at the same time. Of course, if you are in this category you are a beginner, not a professional, so you should avoid risky things (like trying to hack some big site or government site).
- big: you must take extra precautions even when you're using the Tor Browser. Be super paranoid and always think about the worst situation that can happen. Never, never, never talk about yourself (your past, your country, the things you like, etc.). Never trust anybody (there are no real friends on the DarkWeb). Never trust a service: surely not VPNs, not chat or mail providers, and not even Tor, not because it will fuck you on purpose, but because it can be compromised without your knowing. Never talk about what you do online to real-life people or on a social network (this sounds obvious, but we'll come back to it later). In short: BE FUCKIN' PARANOID.

Now let's explain something about the services you would use, and the precautions you should take when using them. I'll begin with three quotes from a great person named The Grugq:
"Keep your mouth shut."
"Nobody will go to jail for you."
"If your secure communications platform isn't being used by terrorists and pedophiles, you're probably doing it wrong."

After these, I highly suggest you read the "Jolly Roger's Security Thread for Beginners". It's a pretty old PDF, but the hints in it are still valid: you will find a lot of hints about security (most of them aimed at buyers, to be honest) and stories about people who got caught, so you can learn from their mistakes. Let's begin with the interesting part!
TOR BROWSER

The Tor Browser is run by a non-profit organization (the Tor Project) with the specific intent of improving everyone's privacy while browsing the web. It's a really good piece of software (particularly because it's free!) and it is always updated to give you the best way to protect your identity. When you connect to the Tor network your traffic is wrapped in three layers of encryption and passed through a chain of three relays (guard, middle, exit): each relay only knows the previous and the next hop, so after the first relay nobody on the path knows your real IP, not even the site you're visiting. Note that this is not end-to-end encryption: the last hop, from the exit relay to the website, is only protected if the site uses HTTPS, and an exit relay can read or tamper with plain HTTP traffic. The circuit is different for different sites: if you visit site A and, at the same moment, in the same window, you visit site B, the two connections go through different circuits (you can see the current circuit by clicking the little onion/lock icon at the left of the address bar); but the circuit stays the same for the same site during a session, so if you open a new tab on the same site it uses the same relays as the previous tab. The first relay (the guard) is an exception: Tor keeps the same guard for months on purpose, because rotating it often would give an adversary who runs relays more chances to end up as your entry point. To get a fresh circuit for the current site use "New Tor Circuit for this Site" from the same menu. "New Identity" (the little broom icon) goes further: it closes every tab, clears cookies, cache and session state, and builds new circuits, so the next site you visit cannot be linked to the previous one. What it does NOT do is change the information the browser gives to sites about your machine: every Tor Browser deliberately reports the same OS, browser version and window size, so that all users look alike.

Seems great, huh? But it has a leak... well, not a real leak, but it can be a leak for you if you are a big target: your ISP will be able to see that you are connecting to the Tor network (the list of relays is public). "Why is this a leak?" you may think. Because your connection to the Tor network can be correlated with your online activity: e.g. you connect to the Tor network at a certain time, let's say 3:00 PM; at 3:10 PM someone "they" think is you writes something on a forum; at 4:00 PM this user goes offline, and at the same moment you disconnect from the Tor network. "They" will use everything they can to link your online activity to your real identity.
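To make the 3:00 PM / 4:00 PM story concrete, here is an added example (not part of the original post) of how "they" would actually run that correlation: an ISP-side list of when each subscriber line was connected to a Tor relay, a forum-side list of when each pseudonym was active, and a score for every pair. Both log extracts are constructed for the example; the subscriber names, account names and timestamps are invented. Note that a bridge does not help against this if the ISP has identified the bridge address, and a VPN does not help if the VPN provider is the one handing over the session times.

```python
# Added example (not part of the original post): the timing-correlation
# attack sketched above, run over two constructed log extracts.  Subscriber
# names, account names and timestamps are invented for this illustration.
from datetime import datetime

# ISP-side view: when each subscriber line held a connection to an address
# known to be a Tor relay (or a bridge, if the ISP has identified it).
ISP_TOR_SESSIONS = """\
2023-05-01T14:58:10 subscriber=line-0042 tor_session=start
2023-05-01T15:59:30 subscriber=line-0042 tor_session=end
2023-05-01T09:00:00 subscriber=line-0077 tor_session=start
2023-05-01T23:00:00 subscriber=line-0077 tor_session=end
"""

# Forum-side view: the events of each pseudonymous account.  An adversary
# gets these from a seized or cooperating server, or from public post times.
FORUM_EVENTS = """\
2023-05-01T15:10:04 user=ghost_owl action=post
2023-05-01T15:42:51 user=ghost_owl action=post
2023-05-01T15:58:20 user=ghost_owl action=logout
2023-05-01T10:15:00 user=nightjar action=post
2023-05-01T20:30:00 user=nightjar action=post
"""


def parse_kv_log(text):
    """Turn 'TIMESTAMP key=value ...' lines into (datetime, {key: value}) tuples."""
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        events.append((datetime.fromisoformat(ts),
                       dict(f.split("=", 1) for f in fields)))
    return sorted(events, key=lambda e: e[0])


def tor_sessions(text):
    """{subscriber: [(start, end), ...]} built from the ISP start/end records."""
    pending, sessions = {}, {}
    for ts, f in parse_kv_log(text):
        sub = f["subscriber"]
        if f["tor_session"] == "start":
            pending[sub] = ts
        else:
            sessions.setdefault(sub, []).append((pending.pop(sub), ts))
    return sessions


def user_activity(text):
    """{user: [event timestamps]} for every pseudonym in the forum log."""
    activity = {}
    for ts, f in parse_kv_log(text):
        activity.setdefault(f["user"], []).append(ts)
    return activity


def correlate(sessions, activity):
    """Score every (user, subscriber) pair.

    coverage      = share of the user's events that fall inside one of the
                    subscriber's Tor sessions (1.0 = all of them).
    slack_minutes = how much of the covering session lies outside the user's
                    first..last event.  Full coverage with little slack is what
                    makes the story above convincing; a line that is on Tor all
                    day (line-0077) covers everyone and proves nothing.
    """
    results = []
    for user, times in activity.items():
        first, last = min(times), max(times)
        for sub, intervals in sessions.items():
            covered = sum(1 for t in times
                          if any(s <= t <= e for s, e in intervals))
            if not covered:
                continue
            covering = [(s, e) for s, e in intervals if s <= first and last <= e]
            slack = None
            if covering:
                s, e = min(covering, key=lambda iv: iv[1] - iv[0])
                slack = ((e - s) - (last - first)).total_seconds() / 60
            results.append({"user": user, "subscriber": sub,
                            "coverage": covered / len(times),
                            "slack_minutes": slack})
    # strongest candidates first: most coverage, then least slack
    return sorted(results, key=lambda r: (-r["coverage"],
                                          float("inf") if r["slack_minutes"] is None
                                          else r["slack_minutes"]))


def rank_suspects():
    """Run the correlation on the constructed logs and return the ranked pairs."""
    return correlate(tor_sessions(ISP_TOR_SESSIONS), user_activity(FORUM_EVENTS))


if __name__ == "__main__":
    for r in rank_suspects():
        print(f"{r['user']:10} <-> {r['subscriber']}  "
              f"coverage={r['coverage']:.2f}  slack_min={r['slack_minutes']}")
```

With these inputs ghost_owl lines up with line-0042 (every event inside a one-hour Tor session with about 13 minutes of slack), while the line that is on Tor all day covers both pseudonyms and tells the analyst nothing. The defence against this is not a different tool but a different pattern: keep the Tor connection up independently of when you post, or do not let the two views (ISP and forum) belong to the same adversary.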
The timing example above is deliberately simple; read the Jolly Roger's guide to know more. So how to solve this? Bridges!

BRIDGES / OBFS4 BRIDGES

What is a bridge? A bridge is a Tor relay that is not listed in the public relay directory. The bridge is always the first hop of your Tor connection, so your ISP sees a connection to some unlisted IP address rather than to a known Tor relay. You can set up a bridge in the browser: Preferences > Tor > Use a bridge (in newer versions: Settings > Connection). From there you can request bridges from the Tor Project (it will give you a few bridges); use a built-in bridge (obfs4 is recommended; "obfs" stands for obfuscated: obfs4 is a pluggable transport that scrambles the Tor handshake so the traffic does not look like Tor to a passive observer; it is meant for countries where Tor is censored, but it works just as well if you want to hide your Tor use from your ISP); or provide one or more bridges you know (only for advanced users who know what they're doing). Two caveats: the built-in bridges are public, so an ISP can blocklist or recognise them, and a privately requested bridge is better; and a bridge only hides the fact that you use Tor, not the timing of your traffic, so the correlation problem described above still applies to anyone who can watch both ends.

However, you can't always use the Tor Browser: at its "Safest" security level JavaScript is disabled (and even at the default level it is hardened), so many sites are hard to use; and sometimes you want to send other programs' traffic through the Tor network. What to do? Torify your connection!

TORIFYING CONNECTION

Let me begin with a very important thing: never use the Tor Browser on top of an already torified connection! Why? Because "Tor over Tor" is not supported: the two Tor instances know nothing about each other, their circuits may share relays (if your inner entry relay happens to be the outer exit relay, that relay sees far more than it should), and you gain nothing in exchange. So use a torified connection ONLY for programs other than the Tor Browser. The best known torifying programs are Tortilla for Windows and Nipe for Linux. However, torifying your connection has a big leak: these tools work as transparent proxies that forward your system's traffic into Tor, and by default they connect straight to the public Tor relays without a bridge, which means your ISP can see that you are connecting to the Tor network. So be careful when using it.

VPN SERVICES

Do you remember the quote "Nobody will go to jail for you"? This applies not only to people but, even more, to services!
A VPN's owners will not go to jail for you, they will not lose their money for you; they would rather lose one customer than close their business. I'm not saying that they're evil, only that they've got your IP, they know your deeds, and if they receive a court order that compels them to hand their logs over to "them", they will do it. If they really keep no logs (hard to believe), a court order can still compel them to start logging, to collect evidence. Please read the Jolly Roger's guide to know more.

Talking about VPNs, I want to quote The Grugq once again: "VPN over Tor is ok, Tor over VPN, you're fucked". But what do Tor over VPN and VPN over Tor mean? Tor over VPN means that you first connect to a VPN service and then to the Tor network (you -> VPN -> Tor; this is what most people do, to be clear): the VPN provider sees your real IP and knows that you use Tor, so everything depends on that provider. VPN over Tor means that you first torify your connection and then connect to your VPN service through Tor (you -> Tor -> VPN): the VPN sees only a Tor exit, but it sees all of your traffic, and its address is the fixed point that every site you visit will log. I already talked about the issues of a torified connection, so now I want to say another important thing: if you want to use VPN over Tor, be sure that the VPN account cannot be linked to you, or everything will be useless! What does that mean? It means that you must not use your daily mail to register the VPN account (nor pay with a card in your name), and that you must never use this account over a non-torified connection: a single login from your home IP ties the account, and with it every Tor session behind it, to you. A single little mistake can be enough to fuck your entire work.

PROXY SERVICES

Everybody talks about proxies. They are the same as VPNs, same speech! Most proxies (HTTP or SOCKS) don't even encrypt the connection between you and the proxy, and even when they do, the operator still sees where your traffic goes: if your deeds point to that proxy and the owner receives a court order, they will follow it and hand "them" your logs in clear fuckin' text.

VPNs and PROXIES CONSIDERATIONS

So they're useless? No. They're good if you want to maintain your privacy against a "normal" attacker (e.g. 95% of hackers and independent researchers).
But when the attacker is a government, or a powerful agency like the NSA, using a proxy or a VPN against them is like using a sheet of paper to protect your body from a machine gun. Once again, read the Jolly Roger's guide to know more about people fucked up by their trusted VPN services.

MAC ADDRESS

A MAC address is a unique hexadecimal string that identifies your network interface. It is only visible on the local network (the access point or router you connect to, not the sites you visit), but that is exactly the problem on a public Wi-Fi: the hotspot logs it, and its first bytes identify the manufacturer, so it can tie you to "the laptop with that network card seen at the cafe at 3 PM". It is a very good thing to spoof your MAC address for obvious reasons. "macchanger" is a good tool for Linux (Tails randomises MAC addresses by default). If you're on Windows, do a little research (why are you using Windows at all???) to find the tool you prefer.

METADATA

Metadata is information contained inside files. It can be used to learn details about you: for example a photo can contain the camera resolution, the model of your phone, and even the GPS position! So if you want to upload a file, be sure to remove all the metadata that can reveal things about you. ExifTool can view, change or remove metadata; it runs on Linux, Windows and macOS. It's recommended not to use online metadata removal services, for obvious reasons...

SHREDDING FILES

Do you have a file with sensitive data in it and you want to delete it? Do not simply move it to the trash and then empty it! Files removed from the trash are not erased: the filesystem simply forgets about them and marks the space as free, but the content is still on the disk and a recovery tool may be able to restore it even months later. So what to do? File shredding! What does it mean to shred a file? When you shred a file you overwrite its content multiple times and then delete it, so even if someone manages to recover it, the file will be useless because it contains random data. It's recommended to shred a file multiple times; somebody says 3, somebody else 7, somebody else again 30...
Choose the number that makes you feel secure, and shred your sensitive data instead of just deleting it! Most Linux distros come with "shred" (part of GNU coreutils) preinstalled; just type "shred --help" to see the options. One important caveat: overwriting only works where the new bytes actually land on top of the old ones. On SSDs (wear levelling), on journaling or copy-on-write filesystems, and wherever snapshots or backups exist, the old blocks can survive a shred; in those cases the real protection is full-disk encryption (which Tails persistence and most Linux installers offer), so that "deleted" blocks are unreadable without the key.

PGP KEY ENCRYPTION

Last but not least, PGP keys are the best way to protect your communications. When you create a PGP key, you create a pair of keys: one public, one private. What's the difference? The public key has to be shared with other people so that they can send you encrypted messages that only you (or whoever holds your private key) can decrypt, using your private key. When you want to send an encrypted message, you have to use the public key of the person you want to send it to, not yours! Why? Because a message encrypted with a public key can only be decrypted with the matching private key; it cannot be decrypted with the same public key it was encrypted with. The private key has a second job: it signs messages, and anyone with your public key can verify the signature (this is what the idea of "encrypting with the private key so that everybody can read it" really refers to: a signature proves you wrote something, it does not hide it). So keep your private key as safe as you can, and protect it with a strong passphrase!

Another thing: you can set an expiration date for your key. After that date other people's software will refuse to encrypt to your public key and will flag your signatures, so your correspondents have to pick up a new key. Note that expiration does not destroy anything: whoever holds your private key can still decrypt old messages after the key expires, so it is not a way to make your past traffic unreadable; for that you have to actually delete the private key (shred it, see above). Expiring and rotating keys is still useful for a big target, because a key that leaks only exposes the messages from its own lifetime: don't be lazy, be safe!

Tails comes with a very easy-to-use graphical front-end for GnuPG. Other Linux distros come with GnuPG preinstalled, but it's harder to use (not so hard, really, but you have to learn how to do it from the terminal: how to generate a keypair, and how to encrypt and decrypt files). Note that PGP is the format and GnuPG is the program: a key you generate with GnuPG is an OpenPGP key, there is no difference between a "PGP key" and a "GPG key".

Now the "mechanical" part is over.
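The METADATA and SHREDDING sections above describe two operations that are easy to get wrong because they happen inside the file and inside the disk, where you can't see them. This added example (not part of the original post, and not how ExifTool or shred are implemented) does both by hand for a JPEG: it walks the file's marker segments and drops the Exif/APPn and comment blocks, writes the clean copy, then overwrites and unlinks the original the way `shred -u` does. The sample file is a constructed JPEG skeleton with a fake Exif block, not a real photo; the byte layout follows the JPEG marker format, and the names below are the example's own.

```python
# Added example (not part of the original post): what "remove the metadata"
# and "shred the original" mean at the byte level, for a JPEG.  The sample
# file below is constructed (a skeleton JPEG with a fake Exif block), not a
# real photo; real files need a real tool such as ExifTool, and the shredding
# caveat on overwrite_and_unlink applies.
import os
import tempfile


def _segment(marker, payload):
    """One JPEG marker segment: FF <marker> <2-byte length incl. itself> <payload>."""
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


# Constructed sample: SOI, JFIF header, an "Exif" block carrying location and
# device strings, a comment, a dummy table, a scan header, a little scan data, EOI.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xE1, b"Exif\x00\x00" + b"CONSTRUCTED GPSLatitude=41.9N GPSLongitude=12.5E Model=PhoneX")
    + _segment(0xFE, b"shot from my balcony")
    + _segment(0xDB, b"\x00" + bytes(64))
    + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\x56\x78"
    + b"\xff\xd9"
)


def strip_jpeg_metadata(data, keep=(0xE0,)):
    """Walk the marker segments before the scan and drop every APPn segment
    (Exif, XMP, ICC, ...) not listed in `keep`, plus COM (comment) segments.
    APP0/JFIF is kept by default so the file stays a plain JFIF; the compressed
    image data (from SOS onwards) is copied untouched."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    out = bytearray(b"\xff\xd8")
    i = 2
    while i + 4 <= len(data):
        if data[i] != 0xFF:
            raise ValueError(f"expected a marker at offset {i}")
        marker = data[i + 1]
        if marker == 0xDA:            # SOS: scan data follows, copy the rest
            out += data[i:]
            return bytes(out)
        length = int.from_bytes(data[i + 2:i + 4], "big")
        end = i + 2 + length
        is_app = 0xE0 <= marker <= 0xEF
        if (is_app and marker not in keep) or marker == 0xFE:
            i = end                   # drop metadata / comment segment
            continue
        out += data[i:end]
        i = end
    raise ValueError("truncated JPEG: no SOS marker found")


def overwrite_and_unlink(path, passes=3):
    """What `shred -u` does: overwrite the file's bytes in place `passes` times
    with random data, once more with zeros, fsync after each pass, unlink.
    Caveat (same as for shred): on SSDs, journaling/copy-on-write filesystems
    and anything with snapshots, the old blocks may never be overwritten;
    there the answer is full-disk encryption, not overwriting."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for fill in [None] * passes + [b"\x00" * size]:
            f.seek(0)
            f.write(os.urandom(size) if fill is None else fill)
            f.flush()
            os.fsync(f.fileno())
    os.unlink(path)


def sanitize_jpeg_file(src, dst):
    """Write a metadata-free copy of `src` to `dst`, then shred `src`."""
    with open(src, "rb") as f:
        clean = strip_jpeg_metadata(f.read())
    with open(dst, "wb") as f:
        f.write(clean)
    overwrite_and_unlink(src)
    return clean


def demo():
    """Round trip on the constructed sample in a temp dir.
    Returns (cleaned bytes, bytes actually written to dst, does src still exist)."""
    with tempfile.TemporaryDirectory() as d:
        src, dst = os.path.join(d, "photo.jpg"), os.path.join(d, "photo-clean.jpg")
        with open(src, "wb") as f:
            f.write(SAMPLE_JPEG)
        clean = sanitize_jpeg_file(src, dst)
        with open(dst, "rb") as f:
            written = f.read()
        return clean, written, os.path.exists(src)


if __name__ == "__main__":
    clean, _, src_exists = demo()
    print(f"{len(SAMPLE_JPEG)} -> {len(clean)} bytes, "
          f"Exif still present: {b'Exif' in clean}, original removed: {not src_exists}")
```

The equivalent with the real tools is `exiftool -all= photo.jpg` for the cleaning and `shred -u -n 3 photo.jpg` for the disposal; the point of doing it by hand once is to see that the GPS and model strings are ordinary bytes sitting in front of the image data, and that "deleting" them means rewriting the file, not just removing a directory entry. Other formats (PDF, Office documents, PNG) carry metadata in their own structures, so a JPEG stripper does nothing for them.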
Let's talk about your behaviour.

DARKNET IDENTITY / CLEARNET IDENTITY

Contrary to what most people think, being on the DarkWeb doesn't mean that you have to permanently delete yourself from the ClearWeb. You only have to be very careful not to let "them" link the two identities. How? Remembering what was said above: do not log into your ClearNet accounts over a torified connection, a VPN or a proxy that you use for your DarkNet activities. Do not talk about your DarkWeb activities on social networks (Facebook, Twitter, etc.), in chat apps (WhatsApp, Telegram, etc.), on blogs, in emails, etc. You can have a ClearNet "life" if you act right, and let me say more: you can use this ClearNet activity to cover your DarkNet deeds. How? For example, you can log into a social network or YouTube from your home PC (so you appear to be online at home) and then leave home and use a public Wi-Fi to do your shit: done right, this gives you an alibi; done wrong it is very risky (if "they" are physically following you, if you are picked up by a surveillance camera, or if your phone travels with you and reports its position, the alibi collapses). This is only a stupid example, please do not take it as the normal way of doing things; use your imagination.

"KEEP YOUR MOUTH SHUT"

As I said before, never reveal details about yourself. Never talk about your country, your past, your current situation (economic, sentimental, etc.). Everything you say will be used against you, to track you and to profile you. Suppress your ego.

PROFILERS

"They" are collecting data about everyone. Everything is stored on huge servers and can (and will) be used against a potential target (in this case, you). Do not reveal too much about your OS, your browser add-ons, your VPN (if you have one), your proxies (if you use them), your ISP or DNS, your PC model, etc. You have to beware not only of your situation, but also of your behaviour. What does this mean?
This means that you have to know how to disguise yourself: beware of writing things the same way you do on the ClearNet or in real life, beware of your mistakes in English (if you're not a native speaker), beware of always using the same words, the same expressions, the same syntax, etc. Spelling habits, punctuation, favourite phrases and recurring grammar errors are exactly what a profiler compares between a pseudonymous post and your known writing. If you want to know more about this, search for The Grugq on YouTube.

I think that this little guide is now over. Forgive me if I made mistakes, or if I've forgotten something. Below you can find some interesting links:
- Tor Browser Manual: https://tb-manual.torproject.org/
- Jolly Roger's Thread for Beginners: there is no official source; do a little research, it's easy to find
- Tails: https://tails.boum.org/about/index.en.html and https://tails.boum.org/doc/index.en.html
- DNM Bible: http://dreadytofatroptsdj6io7l3xptbet6on...d=51cebc65
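As an added example for the PROFILERS section above (not part of the original post): a toy version of the writing-style comparison a profiler runs. It reduces a text to a handful of topic-independent habits (a few tell words such as "than" written where "then" is meant, "eg", "etc", ellipses, exclamation marks, commas, sentence length) and ranks known ClearNet authors by cosine similarity to an unknown DarkNet post. Real stylometry uses hundreds of features and a trained classifier; the three texts and the two author names are constructed for the example.

```python
# Added example (not part of the original post): a toy version of the
# writing-style profiling described in the PROFILERS section.  Real
# stylometry uses hundreds of features and a trained classifier; this one
# keeps a handful of habits so the effect is visible.  The three texts are
# constructed: a pseudonymous darknet post and two clearnet posts about
# cooking, one by the same (hypothetical) author, one by somebody else.
import re
from math import sqrt

TELL_WORDS = ("than", "then", "really", "eg", "etc")

UNKNOWN_POST = ("Tails is really enough for a buyer, than you can add a bridge if you "
                "want... Do not use your daily mail, do not talk about your country, "
                "etc... If you are a beginner, than learn your OS first (eg. Debian) "
                "and stay safe!")

KNOWN_CLEARNET = {
    "clearnet_user_A": ("Boil the pasta, than add the sauce... Do not use too much salt, "
                        "do not cover the pan, etc... If you are a beginner, than start "
                        "with something simple (eg. carbonara) and enjoy!"),
    "clearnet_user_B": ("Once the water reaches a rolling boil, add the pasta and stir it "
                        "occasionally; after roughly nine minutes, drain it thoroughly and "
                        "then combine it with the sauce. Seasoning should be adjusted "
                        "gradually, since the cheese already contributes a considerable "
                        "amount of salt."),
}


def style_profile(text):
    """Topic-independent habits, normalised per 100 words: a few tell words
    ('than' where 'then' is meant, 'eg', 'etc', 'really'), ellipses,
    exclamation marks, semicolons, commas, plus average sentence length."""
    words = re.findall(r"[a-z']+", text.lower())
    n = max(len(words), 1)
    per100 = lambda count: 100.0 * count / n
    profile = {w: per100(words.count(w)) for w in TELL_WORDS}
    profile["..."] = per100(text.count("..."))
    for p in "!;,":
        profile[p] = per100(text.count(p))
    sentences = [s for s in re.split(r"[.!?]+", text) if s.strip()]
    profile["avg_sentence_len"] = len(words) / max(len(sentences), 1)
    return profile


def cosine(a, b):
    """Cosine similarity of two profiles with the same keys (1.0 = identical)."""
    dot = sum(a[k] * b[k] for k in a)
    na = sqrt(sum(v * v for v in a.values()))
    nb = sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def rank_candidates(unknown, known):
    """Known authors ordered by how closely their style matches `unknown`."""
    target = style_profile(unknown)
    return sorted(((cosine(target, style_profile(t)), name) for name, t in known.items()),
                  reverse=True)


if __name__ == "__main__":
    for score, name in rank_candidates(UNKNOWN_POST, KNOWN_CLEARNET):
        print(f"{name}: {score:.3f}")
```

The darknet post is about Tor and the clearnet posts are about pasta, yet clearnet_user_A comes out far ahead, because the comparison never looks at the topic: it looks at the "than"/"eg."/"etc..."/"!" habits that both texts share. That is why "write differently" is on the list next to "use a bridge": the habits you don't notice are the ones that link your identities.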