OPSEC and Privacy: Do more, and say less...

This blog post is a good advisory on some of the risks to be aware of on social media, especially when it comes to OPSEC and/or privacy matters.

(Anyone can be listening, and you never know what their intentions are).

OPSEC is military jargon for “Operations Security”. If you’ve ever heard the phrase “Loose lips sink ships”, that idiom dates back to World War II. It captures the idea that the enemy could be listening to your conversations at any time, and that leaked information could compromise operational details and potentially lead to lost battles and other unnecessary losses. OPSEC aims to mitigate these risks with easy-to-follow guidelines that usually amount to “Don’t talk about [thing] in public.”

Please note, I am not an authoritative expert on OPSEC and/or privacy. I dabble, I know a few things, and I pay attention. I just want to share my experiences and observations. This article should not be considered an exhaustive authoritative document that details all the risks bad OPSEC and privacy can present to the uninitiated, but I believe it is better than nothing at all.

(Screenshot: "Loose tweets sink fleets.")

Privacy and OPSEC are often paired together, but why? What does privacy (online or offline) have to do with OPSEC? Everything. Your online identity can be used to reveal secrets about you, or about your employer. That's why privacy and discretion in the information age matter: there is no limit to how the information you put out there can be used against you by opportunists.

Most proponents of OPSEC will tell you that if it truly matters to you then you will shun social media and all online forums -- Twitter, Facebook, chat programs, online gaming, etc. However, I’m a realist, and I realize that most of you don’t want to be reclusive shut-ins without an online presence. Therefore, let me advise you on some of the risks to be aware of on social media.

Assume that if a service is provided for free, that you are not a customer; you are a product.

Most social media platforms are free. Give them some information about you, choose a username, and you’re off and running with your friends, family, and peers. I know I’ve been loading up on the adages so far, but here’s another one: “There’s no such thing as a free lunch”.

This adage expresses the idea that even if something is free, there's always a cost associated with it; whether or not you can immediately identify that cost is irrelevant. With social media platforms, you are giving them information about you. Third parties can buy this information, usually in order to better target you with advertisements. If ad agencies can acquire this data, so can others, such as law enforcement (if the company is subpoenaed, or otherwise forced to comply with federal law). Hackers might be able to access this information as well, if the data isn’t well-secured. If there's anything 2016 has taught us, with the number of mega-breaches observed this year, it's that you can never assume that any data you provide is ever truly secure.

This also applies to free services that security professionals use. Consider VirusTotal, for example. While VirusTotal is an extremely useful resource, any files you submit to the service are retained by VirusTotal/Google. Anybody with premium API access or a VirusTotal intelligence account can download files uploaded by any user. VirusTotal also includes generic statistics about what country the file was uploaded from, and/or whether or not it was uploaded from the website or the VirusTotal API. Keep these things in mind if you're working incident response on a sensitive case that isn't public yet, or otherwise doing analysis work that requires careful discretion. Also, keep this in mind before uploading sensitive documents. Consider generating an MD5 or SHA-256 hash of the file you want to analyze to see if anyone else has uploaded the file for analysis already. VirusTotal isn’t the only service like this.
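The hash-before-upload check from the previous paragraph, as an added example (not code from the original post): hash a sample locally in chunks, search by digest, and compare against hashes you already have on file. The lookup URL format is an assumption about the service's web interface and may change.

```python
"""Hash a file locally so only the digest, not the sample, leaves your host.

Added example, not part of the original post. The lookup URL format is an
assumption; confirm it against the service's current documentation.
"""
import hashlib
import io
import sys

CHUNK_SIZE = 1024 * 1024  # read 1 MiB at a time so large samples fit in memory
ALGORITHMS = ("md5", "sha1", "sha256")


def digests_of(stream):
    """Return {algorithm: hexdigest} for a binary stream, read in chunks."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def bytes_digests(data):
    """Convenience wrapper for in-memory data (used for constructed test input)."""
    return digests_of(io.BytesIO(data))


def file_digests(path):
    """Hash the file at `path` without loading it all at once."""
    with open(path, "rb") as fh:
        return digests_of(fh)


def lookup_url(sha256_hex):
    """Build a hash-search URL (assumed format) so you can check for prior uploads."""
    digest = sha256_hex.lower()
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("expected a 64-character hex SHA-256 digest")
    return "https://www.virustotal.com/gui/file/" + digest


def already_seen(digests, known_hashes):
    """True if any digest matches hashes from your own notes or earlier cases."""
    return any(d in known_hashes for d in digests.values())


if __name__ == "__main__":
    # Usage: python hash_check.py <sample-file>
    result = file_digests(sys.argv[1])
    for name, value in result.items():
        print(f"{name}: {value}")
    print("search:", lookup_url(result["sha256"]))
```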

Open books occasionally lead to open doors

As mentioned above, most social media platforms allow you to share information about yourself. If you lack proper privacy controls, then strangers can gather this data without having to register with the service or attempt to friend/connect with you on the platform being targeted. This type of information gathering is often referred to as OSINT (Open-Source INTelligence), military jargon for gathering information that is available to the public and turning it into intelligence.

(Screenshot: "No spies necessary.")

Lying on the internet

Not everyone on the internet that you meet has good intentions, nor are they necessarily telling the truth about who they are, or what they want. "Social Engineering" is the idea that humanity is often the weakest link in the information security chain. If you can build rapport or trust with an individual, that trust can be exploited to gain access to sensitive systems or data.

(Screenshot: "Sometimes, it really is that simple.")

Social engineering is often compared to the spying and espionage you associate with outlandish spy movies, when in fact it can be as simple as:

Hi Bob,

We met at [random conference]. I found your profile on [such and such] social network, and wanted to friend/connect with you.

Yours Truly,

[Not who I say I am]

You click accept, and now that person has access to your profile that was set to “private”.

Aftermath

Between good social engineering and OSINT, a lot of data can be gathered about you: your likes, your dislikes, your family, your friends, when you’re out of town, when you’re going out for a drink, when you’re working late, etc. This information can be used to establish a pattern of life and/or to support spearphishing (highly targeted, carefully crafted phishing attacks aimed at a specific individual for exploitation).

Bad guys can also potentially gather information about your employer and the technologies they use through your social media profiles. Ever complain about having to configure a particular appliance or piece of hardware/software for work? Do you use LinkedIn? Your profile has to be somewhat public in order to get views from recruiters, or other companies looking to hire talent.

Your social media accounts, and the information therein, are like puzzle pieces of a much bigger picture. The more pieces you put out there, the easier it is for bad guys to piece together the picture and access more information.

If you would like to see a real-life example of how social media can be used against you, consider the story of “Robin Sage”. To paraphrase, the Robin Sage experiment was an attempt to create a non-existent persona to determine how much information and access one could achieve with a convincing enough persona. Robin never existed. Her pictures were faked, and the credentials on her LinkedIn profile were faked. Even so, with no validation whatsoever, Robin acquired access to tons of information, most of it privileged.

To a lesser extent, good offensive security practitioners utilize publicly available data sources on a regular basis as part of their engagements. Befriend employees of a company, see if they have other social media presences, check out what they’re talking about, and use the information as a method of passive reconnaissance and as part of an external penetration test or security assessment. If you would like to learn more about the phases of a security assessment, please refer to the PTES (Penetration Testing Execution Standard), specifically the section on intelligence gathering.

Recommendations

So, what can one do to combat the threat of OSINT and social engineering? I have a couple of recommendations that can be used to help you retain your privacy:

Use ad-block

While this won’t do much to stop the bad guys from seeing what you’ve posted, or help if you've already accepted their friend requests, most social media networks sell your information to third-party advertising firms. This is a legitimate revenue stream in which information about you is mined by these advertising companies to target you with ads they consider relevant to your interests.

Using an ad-blocker throws a wrench into this operation. If the ad companies pay for information about you in order to target ads that you will never see because of your ad-blocker, then nothing is gained. Using an ad-blocker sends a message that you’re not okay with this, and that the social media platform should consider other means of generating revenue. Not only do you get the benefit of not seeing ads blasted all over your web browser, you also get the added bonus of being less susceptible to malvertising, or malicious advertisements. Most online ad exchanges do not do any kind of buyer or seller vetting, and this lack of oversight contributes to malvertising and malware delivered by ads.

Fill out as little information as possible, use false information where you can

When you join most social media services, you're required to enter some modicum of information about yourself. Don’t offer any more information about yourself than is absolutely necessary to create your profile, and even then, you are under absolutely no obligation to be forthcoming with any of the information you provide. Most social media sites have policies against impersonating other people, but there is no policy against falsifying information about yourself, or providing disinformation. Use this to your advantage.

When filling out profiles on LinkedIn, be vague. Instead of stating you “administer [antivirus platform in use at your company]”, simply state "administers enterprise anti-malware solutions.” Consider using vague terms on your resume as well, because you have no idea where that resume will end up. You can keep a more detailed copy of your resume available that goes into details on what software/skills you have specific proficiency in, but only provide or use this resume in printed form.

Take care when registering your accounts

If it's an account you don't plan on using often, or do not care about receiving e-mail correspondence from, consider registering for the service through a temporary e-mail provider, such as 10 Minute Mail, Guerrilla Mail, or similar. These services allow you to set up a temporary e-mail inbox, register on a site/forum, then never have to deal with the e-mail address again. Be aware that if you do this, a lot of forums/social media platforms reset your password over e-mail. So, if you ever lose access to the account, the likelihood of getting access to that account again is extremely low. To prevent account loss, I highly recommend using a password manager like KeePass to store your account passwords. To avoid account compromise, use two-factor authentication where possible, and never re-use the same password.

Be aware of your online presence

Don’t be afraid to google your real name, or your social media account usernames. Figure out where your profile name and/or real name has shown up, and if you notice accounts that you no longer use, consider doing some digital housekeeping and closing your old accounts. The justdelete.me service is excellent for getting instructions on how to remove your online accounts. You might also consider deleting your old comments from various social media platforms from time to time. For example, I discovered the tool Twitter Archive Eraser for bulk deleting tweets.

Always think before you act

The single best piece of advice I can offer you is if it has to stay a secret, then putting it on the internet is a surefire way to ensure that it doesn’t stay secret for long. Always think about the long-term effects of anything you say and do on the internet. Content on your accounts can be deleted, but as many say, nothing on the internet is ever truly gone when it gets deleted; somebody, somewhere archived a copy of something. As you well know, nothing is ever 100% secure (unless the drives are encased in concrete and the case is thrown off a pier). Yes, even if you used top-notch encryption. Yes, even if the service promises to never hand over your data to government enquiries.

Parting Thoughts

As initially stated, this is nowhere near a complete list of things to consider to protect your privacy and operations (whatever they may be), but simply a few suggestions. If this has piqued your interest, here are some interesting security researchers to follow and/or readings to consider:

the grugq

Jessy Irwin

Violet Blue
