06-10-2023, 06:53 AM
Okay,
This thread will just be a few guidelines, rules and my general thoughts
about some OPSEC matters.
First of all "the 10 hack commandments"
1) Don't talk openly
- most hackers get caught bragging. Just don't reveal more than necessary.
2) Don't operate from home
- Everyone fucks up some time. To keep a clear separation have a work place
and work machines that are only ever used for hacking. You might call it burner hardware, as well as a secure place to hack from.
3) Encrypt everything
4) No logs
5) Create Personas
- We do often talk online. Figure out in fine detail who you want to represent online.
Research the person's profession and keep notes of all the things you have told to others so as not to create a conflicting narrative.
How does this persona type, what languages can your persona program in etc.
The gist is that the persona's fingerprint should be very different from your real one.
This includes your political view, the emojis you use, the mood you have, the technologies you use and so on. Staying close to the mainstream is often a good idea for personas. However, have one or two traits that people will associate with you that don't fit your real identity. For example mention that you are a chef at a restaurant and throw in some stories, comparisons here and there. People will see you as a chef online. In real life operations I have found these clues to be essential. Even though you stick out when you really wanted to blend in. But it will distract a lot from your real identity, and it is easier for people to build trust with people they feel they know.
6) Don't contaminate
- You should never bring any trace to your real identity to an operation. Also everything done in an operation should stay there. Having concerns clearly separated makes it easier not to mess up.
7) Don't trust
- Goes without saying. Always suspect that the person you are dealing with is a highly capable enemy.
8) Be paranoid
- Better safe than sorry. Simple as that.
9) Don't talk to police
- People in general confess too early. You might be surprised how much is needed to actually convict someone. So never confess too early.
10) Don't give people power over you
- You should never be in a position where someone can force you to do anything.
To not end up there always ask yourself what consequences each action you take has. This is especially true for relationships you build. They also should constantly be re-evaluated. People not helpful for the operation anymore can be cut off.
You should also plan every action you take ahead of time and think about what trace they could leave and how you can conceal these trails.
Also when using tools you should always change the user agent they use.
curl, nmap, wpscan etc. all offer an option to change the user agent.
Don't rely on one technology to keep you safe. Always have a fail safe.
What if TOR is broken some day? Are you using your home ip to connect to TOR?
Your neighbor's won't do either. That is the first thing law enforcement checks once they see other devices have been connected to the access point as well.
Also don't "believe". Test everything you do and test what trails it leaves behind.
Use wireshark to inspect network traffic etc.
Reset after each operation. Don't re-use anything from a previous operation.
Also have a kill switch that erases everything belonging to the current operation.
You can also easily build a Faraday cage to airgap your devices.
You also need to have a strong understanding of all the tools you use and what exactly they do. OTR for example does not encrypt file attachments. TOR only tunnels TCP traffic and so on.
For TOR you can also configure a firewall like pfSense to only allow traffic through Tor; this can avoid many of these fails, like DNS leaks and so on.
Don't click on links. Header information might track you. For example the referrer header shows which site you were coming from.
If you have multiple personas you could have different VMs for each different persona, so you don't accidentally mix them.
Always have plausible deniability. This goes hand in hand with the action planning I was mentioning earlier.
Code words have also always been used to add some uncertainty and obfuscation.
For example Mike Tyson was training on a number system, so when Cus shouted out the number "7", Mike knew to throw a right hook to the body, but the opponent wasn't familiar with the number system / terminology, so he couldn't prepare.
You can't be a famous criminal! If you are famous and a criminal you will end up in very bad situations! The goal is to keep the target on yourself small. Criminals there is a huge public interest in finding will always be found!
You can't be "The famous master hacker" and not end up in jail or worse.
Also never target nation state actors. They pay people more capable than you are to look for any mistake you might have made / or are about to make, around the clock. You will get caught!
As said the trick is to keep the target on yourself very small. Limit your exposure. Only have connections that are vital for the operation and cut them once the operation is over.
For DNS it is also a good idea to use DNS over HTTPS.
There is also backdoored firmware on many devices that allows for the installation
of rootkits. Often with direct hardware access over Intel ME for example.
You can install coreboot or libreboot on your device to make this harder.
Also you should enable boot integrity checks to detect bootkits early on.
Everything like chat applications you use should also be properly sandboxed
(might be covered in a follow up thread as this would be too much to cover here)
An Example setup that I used to use:
- use a minimal linux distro like alpine linux for minimal attack surface
- use a LUKS encrypted partition
- you can use VeraCrypt to hide your encrypted work VMs in a hidden VeraCrypt volume
- airgap your malware development machines. Windows phones home
- KVM is a great and lightweight virtualization solution
Also what you write yourself is probably what you understand best and thus
also use right. For example one could have a custom tool for system integrity checks.
Or a custom Linux distribution where you really know your attack surface.
You can use infected machines as bridges/proxies before you connect to TOR.
Essentially your own bridge nodes.
Some fails people often fall victim to:
- BRAGGING!
- network tunneling flawed
- money trail. Following the money often works too well
- keeping too many logs and notes (once someone has access to these they know too much about the operation)
- not understanding the technology they use well enough
- using personal information / accessing private data or accounts when on an operation.
How people fail to use TOR specifically:
- BRAGGING (on tor IRCs)
- correlation attacks (e.g. when do you have a Tor session open)
- connecting to XMPP or IRC but forgetting to tunnel over tor: your IP just got logged!
- using outdated software: can get pwned! Keep your tor browser and chat clients up to date!
- information in PGP key (like clearnet email)
- in general too much information (enough to form a unique fingerprint. Like emoji usage, exif data, meta data in other files, literal fingerprints or wear on hardware)
- related people in the operation don't care so much about OPSEC and break the OPSEC guidelines constantly.
- STUN requests
This is ofc. a lot to take in. In practice you should always define your operation and build a threat model based on that. Once you have that information you can decide what your OPSEC guide for this operation will look like.
In general it is a good idea to ask yourself the following questions:
- Whom/What to protect from?
- What to protect?
- Why to protect it?
- What are the measures I need to define for protection?
Spreading a lot of disinformation can also be helpful to misguide the enemy or
even conceal real slip ups on your side. It is easy to hear a mistake if it's silent, but if there is constant noise, it will be hard to find.
So maybe set out canaries and honeypots. They will distract your enemy and also
give you an insight on their tactics.
These might include:
- fake social media posts
- fake email accounts
- fake hidden services
- fake news about you in general
You need to decide based on various factors what makes sense in your case.
There are many games and books to cover these topics.
Still a great and tested classic that I can recommend is "The art of war".
It also makes sense to think about the nature of your operation. Is it overt? Do you want people to know it was you? In the case of hacktivism that might be something to consider.
Is it a covert operation? Or can you even find a way to make it clandestine, so no one even knows there was a crime in the first place.
This decision will highly impact the further planning of your operation on the OPSEC measures you will take.
When you are finally ready to write your OPSEC guidelines you should also consider that it should be easy to follow. People are lazy and especially if there are multiple people in the group, they will find workarounds if it is not convenient.
I think this concludes my tips on OpSec for today.
I just wrote down what came to mind and it might be pretty unstructured because of that. But I hope it still contained some valuable information for some of you.
Thanks for reading!
If you have other topics you would like me to write about, then let me know!
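The post points out that curl, nmap and wpscan announce themselves through their default User-Agent strings. The following is an added example, not part of the post above and not written by its author, showing the defender's side of that observation: a small scanner over web server access logs that parses combined-format lines and flags requests whose User-Agent matches a known tool default, then counts which source addresses produced them. The log lines are constructed for the example, and the User-Agent patterns are assumptions based on the tool names (real strings vary by version), so treat the pattern table as something to maintain, not as authoritative.

```python
import re
from collections import Counter
from typing import Optional

# Constructed sample of combined-format access log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2023:06:53:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1043 "-" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
203.0.113.5 - - [10/Jun/2023:06:53:02 +0000] "GET /readme.html HTTP/1.1" 404 210 "-" "curl/7.88.1"
198.51.100.9 - - [10/Jun/2023:06:54:10 +0000] "GET / HTTP/1.1" 200 5120 "https://example.org/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0 Safari/537.36"
203.0.113.5 - - [10/Jun/2023:06:55:00 +0000] "GET /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
"""

# Apache/nginx "combined" format: ip ident user [ts] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed default User-Agent signatures for the tools named in the post
# (plus sqlmap as a common extra). Exact strings differ between versions;
# this table is a starting point for a detection rule, not a complete list.
TOOL_UA_PATTERNS = {
    "curl": re.compile(r"^curl/\d"),
    "wpscan": re.compile(r"^WPScan\b", re.I),
    "nmap": re.compile(r"Nmap Scripting Engine", re.I),
    "sqlmap": re.compile(r"^sqlmap/", re.I),
}


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format log line into a dict, or None if malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_ua(ua: str) -> Optional[str]:
    """Return the tool name whose default User-Agent matches, else None."""
    for tool, pattern in TOOL_UA_PATTERNS.items():
        if pattern.search(ua):
            return tool
    return None


def flag_tool_requests(log_text: str) -> list:
    """Return the parsed records whose User-Agent looks like a scanner default."""
    flagged = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not parse rather than crash on them
        tool = classify_ua(rec["ua"])
        if tool is not None:
            rec["tool"] = tool
            flagged.append(rec)
    return flagged


def offending_ips(log_text: str) -> Counter:
    """Count flagged requests per source address, for alerting or blocking."""
    return Counter(rec["ip"] for rec in flag_tool_requests(log_text))


if __name__ == "__main__":
    for rec in flag_tool_requests(SAMPLE_LOG):
        print(f'{rec["ts"]} {rec["ip"]} {rec["tool"]:7} {rec["req"]}')
    print("per-IP:", dict(offending_ips(SAMPLE_LOG)))
```

This only catches the signal the post says an attacker will remove by changing the User-Agent; once that string is spoofed, the same parser can be pointed at the other columns, for example the requested paths (wp-login.php, xmlrpc.php) and request rate per address, which the tool cannot hide as easily.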