OPSEC or How to Not Get Owned While Owning Someone
James Schwinabart
September 25, 2012
...... OPSEC
Disclaimer
Use these skills for good, not evil. What you consider good is up to you, but don’t hold me accountable for your own actions, and I do not condone the use of what I’m about to talk about for anything illegal or against the Virginia Tech AUP.
Overview
1 Why OPSEC is important
2 Know your enemy
3 Developing a plan
Why OPSEC is important
WTF is OPSEC?
Operational (or Operations) Security. Traditionally, the process of determining whether friendly actions can be observed by adversaries. For the purposes of this talk, you can think of OPSEC as “personal security.” (Don’t kill me, please.)
Basic Idea
Protect what’s secret
What can happen if your OPSEC sucks?
Why talk about OPSEC now
{The NSA, CNS, Comcast, NTC} are watching you.
Tools are getting easier to use (both for attack and defense).
I felt like it.
Know your enemy
Who is your enemy?
The other teams on the CTF.
The sysadmin who owns that box you just rooted.
Some government.
The Russian mob.
A guy in Romania you pissed off on TF2 last night who wants to “dox” you.
Why is your enemy...your enemy?
They want the $500 prize and will do almost anything for it.
People don’t like it when you’re root on their box without them knowing.
The government doesn’t like your political views.
The Russian mob wants your credit card info to resell.
Too much Backburner for his taste?
Developing a plan
Tailor your practices to fit your needs
Know what your enemies are capable of. If you need to defend against some government, your needs are very different from those of someone who only needs to defend against the other teams on a CTF.
Consider potential attacks
Passive sniffing: Wi-Fi sniffing; Room 641A and the like.
Man-in-the-middle attacks: ARP spoofing; “Free Public Wifi”; evil ISPs.
Software attacks: buffer overflows; misconfigured applications; malware.
Physical-layer attacks: disk imaging; keyloggers; evil maid attack.
Snooping: port scanning your IP range; open AFS, CIFS, or NFS shares; dumpster-diving.
Social engineering: blackmail; loose lips (sink ships!).
grugq's Top 10 Things to Strive For
1 Never reveal your operational details
2 Never reveal your plans
3 Never trust anyone
4 Never confuse recreation and hacking
5 Never operate from your own house
6 Be proactively paranoid, it doesn’t work retroactively
7 Keep personal life and hacking separated
8 Keep your personal environment contraband free
9 Don’t talk to the police
10 Don’t give anyone power over you
Source: http://www.slideshare.net/grugq/opsec-for-hackers
Some example general rules
Use end-to-end encryption for all network traffic: GPG, OTR, ZRTP, TLS, IPsec.
Encrypt your sensitive data: TrueCrypt, LUKS, ecryptfs, encfs.
Use Tor whenever possible. Warning: don’t confuse anonymity and privacy! Tor hides where your traffic comes from, not what it says; the exit node and the destination still see anything that is not encrypted end-to-end.
Don’t use closed-source software.
Be aware of your surroundings.
Develop additional rules as needed
While in #anonops, don’t post information that can be linked to you.
While at DefCon, disable GSM on your mobile phone.
While at a CTF, do not send unencrypted IRC packets.
Wipe devices before crossing an international border.
If necessary, become someone else.
Some rules for a CTF competitor
Don’t believe anyone you haven’t met in person.
Don’t send unencrypted packets to other team members.
Don’t send flags in the clear over the network.
Be aware of who is watching and/or listening.
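As an added illustration of the two network rules above (and of the “do not send unencrypted IRC packets” rule earlier), here is what a passive sniffer on your team’s network segment can reconstruct when flags travel over cleartext IRC or HTTP, next to the same kind of message sent over IRC-with-TLS. This is example code written for this page, not from the original slides; every packet, address, nick and flag is constructed, the TLS “ciphertext” is placeholder bytes, and the flag{...} / key{...} format matched by FLAG_RE is an assumption that real competitions vary.

```python
"""What a passive sniffer on the CTF network sees.

Added example (not from the original slides). Every packet, address, nick
and flag below is constructed; FLAG_RE assumes a flag{...}-style format,
which real competitions vary.
"""
import re
from typing import Iterable, List, NamedTuple, Optional, Tuple

# Assumed flag format. A real sniffer would use the competition's own.
FLAG_RE = re.compile(r"(?:flag|FLAG|key|KEY)\{[^{}\s]{1,80}\}")

# IRC message framing: ":nick!user@host PRIVMSG <target> :<text>"
PRIVMSG_RE = re.compile(
    r"^:(?P<nick>[^!\s]+)(?:!\S+)?\s+PRIVMSG\s+(?P<target>\S+)\s+:(?P<text>.*)$"
)


class Packet(NamedTuple):
    src: str
    dst: str
    dport: int
    payload: bytes


class Leak(NamedTuple):
    src: str
    dport: int
    nick: str      # "?" when the flag was not inside an IRC PRIVMSG
    target: str    # channel or nick the message went to, "?" if unknown
    flag: str


def parse_privmsg(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (nick, target, text) for an IRC PRIVMSG line, else None."""
    m = PRIVMSG_RE.match(line.strip())
    if not m:
        return None
    return m.group("nick"), m.group("target"), m.group("text")


def flags_in_payload(payload: bytes) -> List[str]:
    """Flag-looking strings readable in the raw bytes. Ciphertext yields none."""
    return FLAG_RE.findall(payload.decode("utf-8", errors="replace"))


def sniff(packets: Iterable[Packet]) -> List[Leak]:
    """Replay a capture and report every flag a bystander could read."""
    leaks = []
    for p in packets:
        text = p.payload.decode("utf-8", errors="replace")
        for flag in flags_in_payload(p.payload):
            nick, target = "?", "?"
            # Attribute the leak to an IRC sender/channel when framing is visible.
            for line in text.splitlines():
                parsed = parse_privmsg(line)
                if parsed and flag in parsed[2]:
                    nick, target = parsed[0], parsed[1]
            leaks.append(Leak(p.src, p.dport, nick, target, flag))
    return leaks


# Constructed capture from a team's LAN segment.
CAPTURE = [
    # Cleartext IRC (6667): channel traffic is readable by anyone who can sniff.
    Packet("10.0.13.7", "10.0.13.1", 6667,
           b":alice!a@10.0.13.7 PRIVMSG #team :got it: flag{n0_tls_n0_s3cr3ts}\r\n"),
    # A "private" message is still cleartext on the wire.
    Packet("10.0.13.9", "10.0.13.1", 6667,
           b":bob!b@10.0.13.9 PRIVMSG alice :pwn200 is FLAG{pr1v4t3_msg_is_n0t_pr1v4t3}\r\n"),
    Packet("10.0.13.9", "10.0.13.1", 6667,
           b":bob!b@10.0.13.9 PRIVMSG #team :lunch?\r\n"),
    # Same kind of message over IRC-with-TLS (6697): the sniffer gets a TLS
    # record header followed by ciphertext (placeholder bytes, not real TLS).
    Packet("10.0.13.7", "10.0.13.1", 6697,
           bytes.fromhex("1703030020"
                         "8a1f4c9e2b7d0361f5ae77c2d90b4e6c31a8d5f0e2c74b9a1d6f3e8b5c0a7d29")),
    # Flag submitted to the scoreboard over plain HTTP: also readable.
    Packet("10.0.13.7", "10.0.13.200", 80,
           b"GET /submit?flag=key{http_is_cl3art3xt} HTTP/1.1\r\nHost: scoreboard\r\n\r\n"),
]


if __name__ == "__main__":
    for leak in sniff(CAPTURE):
        print(f"{leak.src} -> port {leak.dport}: {leak.nick} to {leak.target}: {leak.flag}")
```

Running it lists the two IRC flags (one of them from a “private” message, which is private only to the IRC server’s routing, not on the wire) and the HTTP one; the TLS packet contributes nothing because the sniffer never sees plaintext. Any other team on the same segment with tcpdump and a regex gets the same result, which is the whole reason for the rule.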
Know Your Weaknesses
Impenetrable is impossible. If you know your weaknesses, at least you won’t be surprised when you get owned. Constantly evaluate how you can reduce your own vulnerabilities.
Keep In Mind
OPSEC is important.
Poor OPSEC can lead to .
There is no “one-size-fits-all.”
Impenetrable is impossible.