Practical OpSec

Andrew's suggestions for learning how to code

(Based on a “Family OpSec Workshop” deck from Desmond (not his real name).)

Introduction

Objectives

Present an overview of the landscape of risks and protective practices across:

…and also cover some “Advanced Paranoia”.

The Real Objectives

Okay, I was kidding; those aren’t the objectives. These are the objectives:

From here on out, you’ll:

And, best of all, you’ll understand why.

External References

Read this stuff to get more perspectives, ideas, and tools.

Topics

What’s OpSec?

Let’s all be terrible together. All of today’s problems seem intractable at first. You’re not alone. We can work on them; I will help you; let’s make your opsec better one step at a time.

Identity

Diagram of "identity" linked to a bunch of things

Threat Models

Threat Modeling

Threat modeling is a way of organizing and prioritizing your various combinations of risks and defensive measures so you can make good decisions.

One good way to think of a threat model is “An attacker with a capability and an objective”.

Threat Modeling: Examples

Examples of threats:

Threat Modeling: Example: Ocean’s Eleven

Threat Modeling: Purpose

One purpose of threat modeling is to help you choose between different options based on which threats are either more likely or more damaging, such as in the question “Should I enable automatic updates?” where you must pick either Yes or No.

(The correct answer is “Yes”.)

Threat Modeling: Make Good Trade-offs

The purpose of security measures is to mitigate threats.

The reality of security is that everything is a trade-off. To use any service or technology involves trusting someone or something, which is a risk. To not use a service or technology may incur risks as well.

Being more secure means doing some work, keeping track of secrets and thinking through your decisions. The amount and kind of trust you are willing to give, and the work you are capable of and willing to do should be inputs into your decision-making.

Being specific about which threats you are most concerned with, and how you can mitigate them, will help focus your efforts on realistic, achievable outcomes.

Make Good Trade-offs

When deciding between “more safe” and “less safe”, a key question you need to answer is: “More safe from what?” More safe from one thing may be less safe from something else.

Edward Snowden tweet about security trade-offs

https://twitter.com/snowden/status/1165391070726950913?s=21

Threat Modeling: Good Hygiene

Securing your data and resources is about more than protecting you. Attackers may target you, your data, or your devices in order to achieve an objective that does not directly harm you, such as attacking someone else, laundering money or stolen credit cards, sending spam emails, constructing a false persona online, or sending anonymous threats.

The multitude of possible threats will break down into a much shorter list of good practices you can adopt, and these good practices are like good hygiene. Good hygiene helps everyone; it doesn’t just help you.

Lots of weird possible scams may use your identity without directly harming you.

Picture of a phone farming scam

Threat Modeling: Breaches

Realistically, the greatest threat to your personal information is also the one you have the least amount of control over: breaches.

A “breach” is a data compromise that exposes data stored by a third party. Data breaches can be huge, potentially affecting hundreds of millions of people at once. This data can include all your personal information, credit history, passwords, email, online dating activity; anything stored on a remote system.

Article summary of a "mega breach"

Breaches happen because companies are lazy. Breaches are not your fault. You can limit your exposure to them, though.

Read more: https://enterprise.verizon.com/resources/executivebriefs/2019-dbir-executive-brief.pdf

A number of account security and other practices we’ll cover help to mitigate the effect of breaches on you. (Most notably, HIBP and using a password manager.)

Threat Modeling: Squirrels

Not every attacker is a person with intent to harm. Even a squirrel could severely affect outcomes you care about, if that squirrel is in the wrong place at the wrong time. A lightning strike could destroy your data as quickly as any online attacker.

Some of the good hygiene practices you adopt can mitigate these risks, too.

When you’re considering the details of each threat model, you want to be able to “zoom out” to see the big picture, to see how all your decisions could benefit you in combination with each other, so you can make the best combination of decisions.

Threat Modeling: The InfoSec Spiral of Doom

Spiral of Doom

General Advice

Tier 1 Advice

This is the most crucial stuff. Definitely do this.

  1. Enable Automatic Updates
  2. Use a Password Manager
  3. Don’t Re-use a Password
  4. Stay on Top of your Account Security
  5. Don’t get Phished
  6. Use MFA with Key Accounts
  7. Never Give Anyone Your Password
  8. Only Install Trusted Applications

Enable Automatic Updates

Software becomes more insecure as it grows older.

Modern software stacks, from the Operating System to an individual app, on computers, phones, and tablets (iPads), are complex, and have large teams of the most qualified people on the planet constantly evaluating new threats and risks, and applying better testing and tools to improve their software security every day. These people are idealistic and incredibly good at their jobs.

Keeping this stuff up-to-date on your own is real hard.

There is a counter-argument that the capability to automatically update software exposes that software to exploitation by the updating authority (Apple, Google, etc.) as well as Law Enforcement. This is theoretically true, but pragmatically, the greater threat is from all other parties (such as international organized crime).

Relying on centralized, for-profit institutions to keep software secure is like relying on the government to keep roads well-maintained. Neither is a perfect model, but we can’t achieve the same outcomes as individuals that these organizations can.

Threats from Law Enforcement will be covered later under Advanced Paranoia.

Threat Model: Without Automatic Updates

An automated virus which can exploit your out-of-date software with known vulnerabilities so it can steal your data and hold it hostage, forcing you to pay for it.

Use a Password Manager

Password Managers (such as 1Password, LastPass, or Bitwarden) are encrypted personal databases which help you keep track of which passwords are in use for which sites/apps/services, and to generate new secure passwords that fit a given site’s password policy (letters, numbers, etc.).

This makes it easy to follow these rules:

Password Managers have different availability and features on different platforms. Some have apps for phones, some for desktop computers, some support keeping your encrypted password database in a cloud storage solution such as Google Drive. Some phones or browsers have built-in password managers.

Specifically for So You Wanna Code students: It might be good for all of us to be on the same password manager just so everyone can help each other. Andrew uses and recommends 1Password. If you have any questions about it or need help setting it up, he’ll sort you out.

Don’t Reuse a Password

Don’t reuse a password. This means don’t use the same password on any two accounts.

Once an attacker gains access to a password for one site (such as Netflix), the attacker will then try that name/password combination across all other sites (such as Venmo or Wells Fargo).

Using a Password Manager will eventually fix this problem. Fixing this problem without using a Password Manager is basically impossible, because in 2020 we all have way too many accounts to memorize passwords for all of them.

This does mean going around and fixing all your old accounts where you may have re-used a password. 1Password will help you do this using its “Watchtower” auditing feature, which creates a to-do list of all your reused passwords.
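As an added example (not part of the original deck or of 1Password), here is a minimal version of the kind of reused-password to-do list an auditing feature like Watchtower produces, run over a constructed vault export; the site names and passwords are made up and no password is ever printed:

```python
"""Audit a password-manager export for reused and near-reused passwords."""
import re
from collections import defaultdict

# Constructed sample export (one record per saved login); not real credentials.
VAULT = [
    {"site": "netflix.com", "username": "alice@example.com", "password": "Summer2019!"},
    {"site": "venmo.com", "username": "alice@example.com", "password": "Summer2019!"},
    {"site": "wellsfargo.com", "username": "alice", "password": "Summer2020!"},
    {"site": "hbo.com", "username": "alice@example.com", "password": "x7#Qm2p!Lr9v$Tz"},
    {"site": "paypal.com", "username": "alice@example.com", "password": "x7#Qm2p!Lr9v$Tz"},
]


def reuse_groups(vault):
    """Map each password used on more than one site to the sorted list of those sites."""
    by_password = defaultdict(set)
    for entry in vault:
        by_password[entry["password"]].add(entry["site"])
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


def stem(password):
    """Collapse 'rotate the year' variants: drop digits and trailing symbols, lowercase."""
    return re.sub(r"[0-9]", "", password).rstrip("!@#$%^&*.?").lower()


def variant_groups(vault):
    """Sites whose passwords differ only by digits or trailing symbols.

    Credential-stuffing kits try these trivial mutations after an exact match fails,
    so near-reuse is flagged alongside exact reuse.
    """
    by_stem = defaultdict(lambda: {"passwords": set(), "sites": set()})
    for entry in vault:
        group = by_stem[stem(entry["password"])]
        group["passwords"].add(entry["password"])
        group["sites"].add(entry["site"])
    return {s: sorted(g["sites"]) for s, g in by_stem.items() if len(g["passwords"]) > 1}


def todo_list(vault):
    """Return (reason, sites) pairs to fix, exact reuse first; passwords themselves are omitted."""
    todo = [("reused", sites) for sites in reuse_groups(vault).values()]
    todo += [("variant", sites) for sites in variant_groups(vault).values()]
    return todo


if __name__ == "__main__":
    for reason, sites in todo_list(VAULT):
        print(f"{reason:8s} change the password on: {', '.join(sites)}")
```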

Threat Model: Password Reuse

An Organized Crime Group with access to your password from HBO who wants to try this same password against all your bank accounts.

Stay on Top of Your Account Security

Have I Been Pwned?

Sign up for Have I Been Pwned with all your various email accounts.

Have I Been Pwned website screenshot

Don’t Get Phished

“Phishing” is when someone sends you an email or calls you on the phone pretending to be some business/service/person you trust.

These emails and calls are automated; millions of them are sent per day.

Phishing emails can contain links which, if you click them on your computer or on your phone, can take control of your device and steal your data.

The simplest phishing email will just link you to a web page that looks like your bank or something, and will ask you for your password. If you share your password, then they have your password.
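The “looks like your bank” trick above usually leaves a trace in the email itself: the link text shows one domain while the href goes to another, or the host merely name-drops the brand. As an added example (not from the original deck), this checker flags both patterns in a constructed HTML email; the trusted-domain list and the `.example` hosts are made up:

```python
"""Flag deceptive links in an HTML email body (text/href mismatch, brand lookalikes)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: the real domains a mail filter would trust for each brand name.
TRUSTED = {"paypal": {"paypal.com"}, "wellsfargo": {"wellsfargo.com"}}

# Constructed phishing email body; every host here is a placeholder.
EMAIL = """<p>Your PayPal account is limited.</p>
<a href="http://paypal.com.account-verify.example/login">www.paypal.com</a>
<a href="https://secure-paypal-login.example/">Log in</a>
<a href="https://www.wellsfargo.com/statements">View statement</a>"""


def registered_domain(host):
    """Crude eTLD+1 (last two labels); adequate for the .com brands used here."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def classify(href, text):
    """'mismatch' if the shown domain differs from the real one, 'lookalike' if the
    host contains a brand name but is not that brand's domain, else 'ok'."""
    host = urlparse(href).hostname or ""
    target = registered_domain(host)
    shown = urlparse(text if "://" in text else "//" + text).hostname
    if shown and "." in shown and registered_domain(shown) != target:
        return "mismatch"
    for brand, domains in TRUSTED.items():
        if brand in host.lower() and target not in domains:
            return "lookalike"
    return "ok"


def suspicious_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return [(href, classify(href, text)) for href, text in parser.links
            if classify(href, text) != "ok"]
```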

Read More: https://www.phishing.org/what-is-phishing

Example: Phishing emails can look like this!

Image of an example phishing email that looks like a PayPal notification

Do Not Do Things Like This

Image of a "free credit check" phishing scam

Threat Model: Phishing

An Organized Crime Group that can write a reasonably realistic fake email and wants to trick you into giving them your PayPal password.

Use MFA (Multi-Factor Authentication)

MFA is when you configure a site to check for something in addition to a password when you try to log in, for example, by text messaging you a code (SMS MFA).

MFA helps you protect (for example) your bank accounts so that even if your password is stolen by an attacker, they will not be able to access your accounts.

MFA has a potential downside; what happens if you lose your phone? There is a method for this called backup access codes. Otherwise you end up in a customer support queue.

Using U2F (“Universal 2nd Factor”) for MFA is one of the better security choices you can make, but it is a little inconvenient; for example, a YubiKey: https://www.yubico.com/solutions/fido-u2f/

Some more info on MFA from Google:

Google's MFA info page

What it looks like when you log in using MFA on Google:

Google's MFA login page

TODO: Fill this in with a redacted screenshot

Threat Model: Without MFA

An Organized Crime Group with access to your bank account password who wants to transfer all your funds offshore.

Never Give Anyone Your Password

Only Install Trusted Applications

Threat Model: Untrusted Applications

A malicious software program, installed by you on your computer, which wants to shower you with ads, steal your data, mine Bitcoin, pretty much anything.

Tier 2 Advice

This advice is also important:

  1. Be Aware of Your Privacy Settings
  2. Keep Phones & Computers Locked
  3. Use Disk Encryption
  4. Use GMail
  5. Use an Encrypted Messaging App
  6. Avoid Disinformation / Disable Ad Personalization

Be Aware of Your Privacy Settings

Keep Phones & Computers Locked

In this story, the victim gave a stranger her phone for a very brief period of time.

Story about an Uber driver giving himself a $100 tip using a customer's unlocked phone

See also:

Use Disk Encryption

Disk Encryption is an option you can enable in the Operating System configurations on your computer. In some operating systems, like recent versions of macOS, it is enabled by default.

Because using disk encryption will prevent your data from being recovered in the event of a drive failure, using disk encryption means you should also make sure you have automated backups set up (so you never lose your data). And you should have multiple backups.

If you do not use disk encryption, then if your device is ever lost or stolen, whoever gets it can access all your data (including possibly your online accounts), even if they don’t have your computer password!

Phones have their disks encrypted by default.

Use GMail

GMail is a very secure email provider, and is probably the most secure free email provider. Second-tier email providers are no longer worth using for any purpose.

Having multiple personal GMail accounts for different purposes is entirely reasonable, and free (up to a limit of like ten accounts per phone number).

Your account security across many of the services you use probably transitively boils down to the level of security on your email account. (Because you can reset your password on any account using your email!) So securing your email is vital.

Use an End-to-End Encrypted Messaging App

Avoid Disinformation / Disable Personalization

Disable Personalization

Personalization is when an online service is developing a profile of you based on what content you view or engage with online.

The goal of personalization is to maximize your engagement with the service by maximizing the influence the service has over you by maximizing the impact of each individual content item the service chooses to display to you.

This influence is what ad services are selling to advertisers, and it is what has made online advertising the largest industry on Earth.

Personalization is also a risk because those third party services are creating information about you & your identity.

That information is not accessible to you, may or may not be correct, can never be deleted, and is increasingly shared & used across many non-advertising business categories (for example, insurance).

Many of the larger services (Google, Facebook, etc.) will offer you (deep in their settings) the option to disable personalization & data sharing.

Do that.

Disabling ad personalization on Google:

The Google ad personalization switch turned off

Disabling ad personalization on Facebook:

The Facebook ad personalization switches turned off

Avoid Disinformation

Disinformation as a tactic came out of the Cold War, but is now being used on a variety of fronts which may seem less obviously political, such as lawsuits between corporations.

Anything is political once it exists on a global scale, or affects the movement of billions of dollars.

Your opinions matter – that’s why so much effort goes into manipulating them.

Definition of "disinformation"

At one time, disinformation was a sophisticated propaganda concept which was really only used to target rival governments or intelligence agencies, and was either spread via state-controlled media, or deployed in specific operations to achieve a concrete goal.

Now disinformation is being deployed automatically using the internet and targets everyday people. Additionally, disinformation can be aimed at a specific individual, using personalization categories and algorithmically generated content (like deepfakes) to support a particular agenda.

Disinformation can automatically be personally targeted to you using standard capabilities of modern social apps / platforms.

Description of "disinformation"

Generally, disinformation relies on you believing or spreading it without thinking critically about it. This is good news, because it means you do not need to do much work externally verifying something to see whether it is untrue; simply pausing to think is most of the defense.

Sometimes disinformation works by defining a category or injecting some specific use of language which will affect your thinking or reasoning later. (See George Lakoff’s work on “framing”.)

Disinformation also works by appealing to your biases, to make you accept it automatically.

Excerpt from the Wikipedia article on Disinformation

Ultimately, marketing and advertising, in their most powerful and effective forms, are selling mind control.

Until recently, the technology of advertising (such as magazine ads) was a pathetic shadow of this possibility.

Unfortunately, now modern technology makes this possibility real:

Headline of NYT article on Amazon warehouse disinformation campaign

The best thing you can do to avoid disinformation is to disable personalization and data-sharing across all social media and advertising services. I can help you do this; just ask.

Anything which personalizes ads for you is helping to identify and segment you for targeted disinformation (and other purposes).

This is also true for anything which automatically learns your interests.

The second best thing you can do is be aware of The Algorithm. Any online recommendations or algorithmically curated news or social media feed is being structured in exactly that way for a reason. When you look at a list or a feed online, think about what the motivations of the platform are. Then, consider not just the platform itself, but the motivations of any entity powerful enough to manipulate the algorithm or purchase its influence.

Disinformation: More Reading

The most awesome disinformation campaigns ever in all of history were deployed by Russia during 2012-2017, especially targeting the NSA, but also targeting freedom of speech, democracy, and social movements on all political sides and in many countries (including Brexit and the invasion of Ukraine!). Now, though, disinformation is something that all nation-states and some very large companies and wealthy individuals are using, often by exploiting algorithmic curation.

Travel Advice

Travel Advice: Hotel Wifi

TODO: Fill me in!

Advanced Paranoia

Welcome to the InfoSec Spiral of Doom.

InfoSec Spiral of Doom

Advanced Paranoia: What About VPNs?

Fundamentally, when you buy and use a VPN service, you are advertising that “here is some data and network activity that I want to keep secret!” and then handing it all to some party that you don’t know, have no recourse against, and is actively seeking out and advertising for access to confidential data like this. Hmmm.

Advanced Paranoia: Use Keybase

Advanced Paranoia: Conclusion

This paper really sums it up: https://www.usenix.org/system/files/1401_08-12_mickens.pdf

There’s a lot to worry about; you can keep worrying about it forever; ultimately, though, the only sure thing is that you won’t think of everything, and if anything goes wrong, it will be because of something you didn’t come up with, no matter how deep you went into The InfoSec Spiral of Doom.

Questions?

Contact Andrew at andrew@apjanke.net.