10 Golden Rules for OPSEC

In this post, we discuss the 10 golden rules for effective operational security (OPSEC), inspired by the excellent work of the Grugq, whose writing we highly recommend. In no particular order, and with some overlap between them, these are the golden OPSEC rules for those who need serious anonymity or pseudonymity online.

OPSEC Rule 01: Always Keep Your Mouth Shut

This means never revealing operational details. For example, don't tell people that you use nested VPNs, Tails or Tor, that you use a Debian laptop, or that you love iPhones. Even simply messaging a fellow freedom fighter or associate to complain that Tor is slow reveals an operational detail. Don't do it! Likewise, never reveal plans for what you intend to do. Remember: if you don't say it, you don't have to encrypt it and you don't have to protect it. In public places where you could be overheard or recorded, never be explicit; use code words.

OPSEC Rule 02: Trust no one

Use the zero-trust model: assume that nothing and no one can be trusted, and operate from that perspective by mitigating the risk through security controls and by distributing trust.

Information should be given out on a need-to-know basis only. The less you say to people the better off you are, and the smaller the group of co-conspirators the better off you are. In particular, do not trust co-conspirators: they can be turned to work for your adversary, or they may BE your adversary. They are not friends, and you should not treat them as friends. Furthermore, they will become criminal co-defendants if your adversary arrests them, so the less they know about you and about all the operational activity the better, because people don't keep their mouths shut and people won't go to prison for you.

Watch for co-conspirators who disappear and then come back with all their habits changed; they could have been caught and now be under the control of your adversary. Beware of people offering to buy information, as this is a common law enforcement tactic. If possible, operate alone and don't tell friends or family. Don't allow people to gain power over you that can be used against you! Never let anyone get into a position to blackmail you! Don't let people take control of your actions or your life!

OPSEC Rule 03: Never Contaminate Identities

This means do not share anything between aliases: email addresses, accounts, friends, IP addresses, cookies, browsers, email clients, operating systems, locations or anything else. You shouldn't even reuse a password between identities, as that is total contamination. Don't use different identities at the same time; for example, don't post under your real identity on Facebook while logged into your freedom fighter identity in an IRC channel over Tor, since the two can be correlated.

Don't visit sites and locations associated with one identity while using another; I don't go into my personal Facebook account or real email while on Tor. It's a different identity, and this can be correlated. Never log in through Tor, or other such anonymizing services, to an account that you previously logged into without anonymizing, as your adversary could then associate an anonymous connection with a real IP.

Whenever possible, don't make connections with those involved in operations relating to your other aliases. If you are using an offsite internet connection to protect your anonymity, don't take along any mobile phone associated with other identities or your real identity, as this too can be linked. If your adversary is of significant means and the consequences are high, don't use an internet connection at your house, home or any location connected to your real identity. We'll cover more on this later under offsite connections, but otherwise always use anonymizing services.

Always keep aliases separated through isolation and compartmentalization in separate security domains, for example a separate laptop or virtual machine, VPN, Tor Browser configuration, etc., or sensitive data stored encrypted in the cloud, which we cover later. Always use one phone for one identity, and don't call the contacts of one identity with the phone of another.

OPSEC Rule 04: Be Uninteresting

This means make everything about yourself as uninteresting as possible. Fly under the radar, don't make a fuss, don't be outspoken. When it comes to technology, use things like steganography: hide your knowledge and conceal your use of security controls. Avoid high-risk areas and actions; for example, don't hang around political forums making posts if you are a political dissident, and don't hang around hacker forums if you're a hacker freedom fighter.

If at all possible, don't maintain accounts, especially in high-risk places. If you have to post on forums, keep to the business at hand and don't chat about anything else, and don't post questions if you can help it.

Don't draw the attention of a well-resourced adversary. Whenever possible, don't perform actions that could shine a light on you and lead to further investigation. For example, don't get caught breaking the law by doing something silly like speeding, which results in a house search, which results in you being sent to jail for the counter-government material discovered.

Make sure to establish an average, believable identity. Don't make yourself a six-foot-six lesbian with red hair; a 30-year-old John the accountant is much better. And finally, don't do anything for longer than you have to, because the longer you do something the more likely it is to be correlated.

OPSEC Rule 05: Be Paranoid

Be paranoid now instead of when you get caught. Be actively paranoid! If you have an active adversary and you know it, then they are out to catch you, so you should be paranoid. Always consider all the angles: spend time thinking about every possible angle from your adversary's perspective, and remember that your adversary will always try the easiest route to catching you, so tighten up the simple things first, like patching a laptop, before you worry about bouncing your traffic around the world through Tor pluggable transports and nested VPNs. Be aware at all times, plan for things going wrong, and decide how you will mitigate the risk if they do.

Use fail-safe or fail-closed technology, like VPN kill switches, so that if something fails it fails in a way that continues to protect you. If you don't use them, disable or remove wireless, Bluetooth and webcams, or cover the webcam with tape; disable the microphone; and don't use a wireless keyboard, mouse or monitor. If you can get away without using any of those, don't use them.

If you are talking about anything sensitive, remove the battery from your phone or, as a minimum, turn it off, and switch off all electronic devices such as tablets, smartphones and TVs. When using someone else's Wi-Fi or network, assume everything is logged and maintain all the same security, privacy and anonymity controls that you normally would; at a minimum the IP will tie you to a physical location and time, and that could be enough to identify you.

Never leave your devices unattended with the screens unlocked; preferably store them in physically secure or hidden places. Power off your devices, especially if you're using whole-disk encryption, and you should be using whole-disk encryption.

If possible, never promote or discuss security, privacy and anonymity matters under your real identity; don't share your PGP key or mention Tor, VPNs or anything else that would raise even a slight flag that you're interested in these topics.
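A concrete form of the fail-closed VPN kill switch mentioned under this rule, as an added example that is not from the original post: an nftables ruleset that drops every packet not travelling through the tunnel, so a VPN that dies leaves you offline rather than exposed. The tunnel interface tun0, the endpoint 198.51.100.10 and UDP port 1194 are placeholders to replace with your own provider's values.

```nftables
#!/usr/sbin/nft -f
# Fail-closed VPN kill switch (added example). All three defines are placeholders.
define VPN_IF     = "tun0"          # tunnel interface the VPN client creates
define VPN_SERVER = 198.51.100.10   # placeholder VPN endpoint address
define VPN_PORT   = 1194            # placeholder VPN endpoint UDP port

flush ruleset

table inet killswitch {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept                      # loopback
        ct state established,related accept      # replies to flows we allowed out
        iifname $VPN_IF accept                   # anything arriving through the tunnel
        udp sport 67 udp dport 68 accept         # DHCP offers (broadcast, so not tracked by ct)
    }

    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept                      # loopback
        oifname $VPN_IF accept                   # only the tunnel may carry traffic, DNS included
        ip daddr $VPN_SERVER udp dport $VPN_PORT accept   # the VPN handshake itself
        udp sport 68 udp dport 67 accept         # DHCP requests so the uplink gets an address
    }

    chain forward {
        type filter hook forward priority 0; policy drop;   # this host never routes for others
    }
}
```

Load it with nft -f and make it persistent so the rules are in place before the VPN client starts; because the table is of family inet and only the IPv4 endpoint is whitelisted, IPv6 and DNS leaks outside the tunnel are blocked as well.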

OPSEC Rule 06: Know your limitations

Operate at the level of your abilities. If you don't fully understand what you're doing, then either stop until you do or accept the risk that your lack of knowledge could get you caught. Stick with technology and processes you understand and can implement effectively, and keep things as simple as possible so as not to introduce complexity that can get you caught.

Physical security domains can be simpler; when things become too complex, they go wrong. For example, it can be easier to keep a separate secure USB stick with Tails on it than to engage in complex virtualization for compartmentalization if you just don't understand it well enough.

OPSEC Rule 07: Minimize Information

No logs equals no crime. Avoid logging anything if you can: keep the operational information that you need but destroy everything else; browser history, for example, is not required. So, where possible, don't leave evidence. It's better not to leave it at all than to encrypt it and leave it. If it is not needed, don't keep it, and especially don't keep it tied to your real identity on your laptop (logs, browser history, etc.).

Minimize what people can find, even if it's fully protected. Send as little information as possible in communications, because the less said the better. You can see perfect examples of this on the TV show The Sopranos; they say things like "I bring the thing", "Meet you at the place", etc. It's easier for your defence later if neither you nor they send clear-text messages.

Everything should be encrypted, even if it's non-sensitive, since if you only encrypt what is sensitive then that in itself gives away that it's sensitive. Never leave anything behind that might be traced back to you. The real-identity environment and security domain associated with you should hold no contraband and be evidence-free, and don't leave a money trail.

OPSEC Rule 08: Be Professional

If your adversary is professional and the consequences are high for you, then you must act equally professionally. Don't be an amateur and get caught. You must treat your OPSEC, security, privacy and anonymity with the seriousness they require. "A man must know his limitations, but if you have limitations that create risk, you need to educate yourself." Take a logical and systematic approach to what you're doing and treat it as a business; don't make it a pursuit of pleasure. Make it a business and treat it as one.

OPSEC Rule 09: Employ Anti-Profiling

This means avoiding revealing personal information or stories about yourself, as they can be used for profiling. This includes chat discussions, voice calls, forum posts, private messages and encrypted messages, everywhere; even if you think these are private, they are not.

Never reveal your real gender, location, job, hobbies, hair colour, height, weight, physical attributes, where you were born, your favourite sports team, the car you drive or what tattoos you have: nothing, no personal information! Do not even include personal information in your online identity, your nickname, your username, your handle or even a similar name; don't even indicate your gender.

Do not reveal anything that can give away your location or time zone, such as talking about local references, weather, political events or entertainment events, or using special characters from a keyboard layout related to your language. Avoid keeping regular hours, as doing so can reveal a time zone and a geographic location. If you can, don't keep regular routines, habits or methods; be consistently unpredictable.

Use misinformation to mislead: change your time zone, speak a language that is not your own, and, if you know them, use alternative spellings as well. For example, if you are from the US, use UK spellings, or Australian spellings and words as part of a UK alias, and maybe add metadata to photos and documents subtly pointing to your fake identity to provide misinformation.

Provide misinformation to your co-conspirators. If they ask you any question, answer as your alias, and use the authorship recognition evasion methods that we'll discuss later.

OPSEC Rule 10: Protect your Assets

Don't send data without encryption. Use the various security controls, tools, technologies and processes that enable your security, privacy and anonymity to protect your assets and your secrets. Based on your level of risk acceptance, your adversary and the consequences, you need to choose the right technology and configure it correctly. Protect what matters most. You'll know if it worked; if not, you'll get a knock at the door.

Reviewed by Admin on March 22, 2020
