Ultimate OPSEC Guide 2 (part 2)

Hello guys this is 2nd part of OPSEC guide. I recommend you to read 1st part before reading this..



BROWSING PRIVACY BEST PRACTICES
DON’T STAY LOGGED IN: When you are logged into your email or social media account, these services monitor everything you do on the internet. Not only do social media accounts log your “likes” and “tweets”, they also record other sites you go to, accounts that you create, things you purchase, videos you watch, songs you download, appointments you make online, and a wealth of other information. Many people like to remain logged into their Gmail or other accounts constantly because of the convenience it affords. This convenience can be compromising to privacy.

While it is much more work (privacy is neither easy nor convenient), I recommend the following. If you need to check your Gmail, Facebook, or other account that is associated with your name, close your browser and clean it as described below. After you have done this, open your browser, log in, and conduct your business. While you are logged in do not visit any other sites or log into any other accounts. When you have finished, log out of the site, close your browser, and clean your system again.

CLOSE AND CLEAN: I strongly recommend closing your browser between sessions. It is especially important to close your browser after visiting a website to which you have logged in, such as an email or social media account so that all browsing history and cookies are deleted. Simply logging out of the website will not delete the cookies it placed on your computer, and the site will still be able to track your movements around the internet. Though this is not an absolute measure of protection from tracking it does break your data down into smaller pieces. If you never clear your system you are creating a month or year long record of every website you have visited on the internet, and sharing it with hundreds of other parties.

I recommend also cleaning your system between sessions. I recommend using Bleachbit and CCleaner if you are running Windows. These programs will thoroughly delete all browsing history including your internet cache, cookies, download history and location, session history, compact databases, and more.
BE CAREFUL WHAT WEBSITES YOU VISIT: The beauty of the internet is that it puts the world at your fingertips. Any interest you have can likely be explored and expounded upon on the internet. Many of these sites do not have your best interest in mind and care little about your security or privacy. Websites are commonly used as attack vectors for malware, to track your browsing habits, or to get personal information from you. Thoughtfulness is required when browsing the internet. Pornography websites are notorious as being attack vectors for malware. Clicking on the wrong link on a porn site can quickly lead to adware, nagware, ransomware, or worse. Porn websites are not alone in this. Be careful about the websites you visit. Pause and ask yourself two questions when any site is full of pop-ups. Does clicking a link on the site cause a new, unrelated window to open? Does the site cleverly conceal links that end up opening lots of new windows? If the answer to either of these questions is yes, the site is probably one you should avoid.

DO NOT CLICK ADS: Malvertising is an extremely sophisticated attack vector. This threat alone should be enough to dissuade you from clicking on online advertisements. If this isn’t enough to convince you, also consider the fact that even the most benign of these ads will still track your browsing session.

DO NOT IGNORE WARNINGS: If you visit a website and receive a warning from your browser, or from a browser extension like NoScript, it is probably a good idea to skip that site.

DO NOT DOWNLOAD FROM UNTRUSTED SITES: Be very careful about the sites from which you download files and applications. Though torrent sites are fun and many people use them to get free media, they are also rife with malware.

USE CARE WHEN DOWNLOADING APPLICATIONS: When downloading applications, you should always use extreme care. Applications can contain extensive malicious payload, and attention should be paid to the quality of the download you are getting. If at all possible, attempt to download programs directly from their source, and check their signatures before running to ensure you are getting exactly what you want, and not some malicious file.

BROWSER SETUP FOR FRAUD ACTIVITY
Now to setup our browser to conduct fraudulent transactions, we must first take into account the fact that we want to appear as legit as possible. We want the website we are visiting to think we are a common browser user, with common browser settings and a common browser fingerprint. You don’t want any under circumstances more than one or two of the most used add-ons, and not much should be changed on browser settings either.

Our solution to all of this is using a clean hacked RDP. We simply install Firefox or Chrome on that RDP, don’t change any settings, go to the website we want to conduct the fraudulent activity in, and do our magic. That is it. If you want an extra security measure, then just go to about:config and change these 2 settings below.
media.peerconnection.enabled – SET IT TO FALSE webgl.disabled – SET IT TO TRUE
Once you are done carding 1 specific website, don’t ever use that same RDP again for the same website, trash the RDP and move on to another clean hacked one if you want to card the same website. You can use the same hacked RDP for multiple websites, but not more than once if you want your success rate to be high.

With hacked RDPs, we do not have to worry about canvas or browser fingerprinting, since that is not our real machine and any data the website is able to get about that machine will be useless in an investigation. Unless you are connecting to that RDP using your REAL IP. In that case, you are extremely dumb and will most likely get caught. ALWAYS USE A VPN, OR EVEN BETTER, A CHAIN OF 2 VPNs, Tor and Socks5.
Now let’s move on.
It has been suggested that the strongest password is the one you don’t know. Humans are notoriously poor at developing effective passwords because we are limited largely by the constraints of memory and the desire for convenience. Later in this chapter I will teach you how to create effective, difficult-to-crack passwords that are still memorable and usable. I recommend you use a different username and password on all of your online accounts. This may seem terribly difficult, exceedingly inconvenient, and impossible to remember, and generally I would agree. With only the benefit of human memory it would be nearly impossible to remember and use more than just a few passwords of the recommended length and complexity. For that reason, I’ve chosen to begin this chapter with a discussion of password managers, one of the single biggest and most important tools you can employ to strengthen your digital security posture.

I have been using password managers for years, and there’s no way I’d even consider the possibility of going back to not using one. A password manager is a purpose-built application that creates an encrypted database for storing and organizing your usernames and passwords. Password managers solve many of the problems inherent in password development and use by “remembering” your passwords for you so that you don’t have to. This allows you to easily implement the online account best practices of using a different username and password on every one of your online accounts, using passwords that are randomly generated and of the maximum allowable length and complexity, and changing them as often as you deem prudent without fear of forgetting them.

Because password managers store all your passwords in one place, they create an “eggs-in-one-basket” situation. It should go without saying that a password manager should be protected by an extremely strong password, and if at all possible, two-factor authentication. If you can only take the time to remember one very strong, very complex password, you should do so for your password manager. Be especially careful not to lose or forget this password.
Password managers are designed to not let you back in without the correct authentication credentials. This could result in the loss of all passwords for all your accounts, an unenviable situation in which to find yourself. It should also go without saying that your password manager should be backed up, frequently. If you are using a host-based manager and your computer crashes, you must have a way to recover the information the password manager contained. Otherwise you risk being locked out of, and potentially losing, hundreds of accounts.

There are two basic categories of password managers, host-based and web-based. Although I will discuss both, my recommendation is to only use host-based password managers. While web-based password managers are strongly encrypted, they are significantly riskier because they store your passwords in the cloud on machines that you do not personally control. Further, online password databases are a natural target for hackers because of the wealth of information they contain. Though a certain amount of confidence is placed in all online account providers, an extraordinary amount is required to entrust your passwords to all your accounts to an online service. I have not found yet an online service to which I am ready to give this level of trust for my extremely sensitive accounts, and frankly don’t believe I ever will.

HOST-BASED PASSWORD MANAGERS
A host-based password manager is an application that runs locally on a single device. All the information that is stored in a host-based password manager is stored only on that device and is not sent to the cloud or otherwise transmitted. This is somewhat less convenient than a web-based password manager as your passwords are only available on your computer or device. As a result, you may not be able to log into your online accounts from computers other than the ones you own and that store your password database. This is not an issue for me since I’m reluctant to log into an account from a computer that I don’t control and therefore don’t trust. However, there are good reasons to use a host-based password manager. The biggest advantage host-based managers enjoy over web-based password managers is security. I have an instinctual, inherent distrust in cloud storage, and prefer to keep all my

QUBES OS: KEEPASSX
KeePassX is by far my favorite open-source host-based password manager for Linux machines, and it comes pre-installed on Qubes, on the Debian VMs. I recommend you create a new database on a VM labeled “vault” with KeePassX, and to further enhance your security, store that database inside a hidden veracrypt container with a strong password. It’s as simple as downloading the .tar.bz2 file from the veracrypt website, decompressing it, and running a bash command on the folder to install veracrypt. If you’re having difficulty doing this, feel free to contact me and I will help you with that.
KeePassX has a very friendly and easy-to-use user interface. It allows us to create passwords of up to 1000 characters, add URL, and comments to entry.

GLOBAL PASSWORD POLICIES
Regardless of which password manager you choose, I recommend defining global password policies. These policies allow you to quickly choose from a predefined length and character set for given websites. There may still be occasions when you have to build a custom, per-entry policy but these instances should be rare. I recommend building the global policies listed in the table below.

Policy Length Character Set Uses Standard Policy 60+ ALL Most websites and logins Long Policy 99+ ALL Sites allowing very long passwords Short Policy (or policies) 12-32 Customized to site restrictions Sites disallowing very long passwords; sites disallowing the use of certain characters in passwords. I recommend creating a custom policy for each site with such restrictions and using it ONLY on that site Username Policy 24 Uppercase letters and numbers only Creating random usernames for sites where user-selected usernames are allowed (see section below on Usernames)

USERNAMES
With password managers to keep up with all of your login information, it is now possible to elevate your security posture significantly without a corresponding increase in the amount of work required. Generally, usernames are completely overlooked in the discussion of online security. I think this is a huge mistake. I believe that usernames should be considered the very first line of defense for such accounts. Most websites require at least two things to log in: a username and a password. If the attacker cannot find your username, your account I significantly more secure. To launch an attack against your account would require first finding your account and an obscure username greatly reduces the chances of this happening.
A predictable username has several problems, the first of which is susceptibility to guessing. If an attacker is targeting an attack against a specific individual, he or she will attempt to guess the target’s username(s) to various sites. The attacker will base guesses on known information about that person. This information can be gathered online from social media sites, personal blogs, people search sites, and public records. Predictable usernames are most commonly generated from a combination of first, middle, and last names. For example, if your name is Amy Schumer your username might be “ABSchumer”. Sometimes they are combinations of monikers or initials and dates of birth such as “chumer81”. Once the username has been discovered the attacker can now target that account and attempt to break the password. Conversely, the attacker can never begin targeting the account if it cannot be located.
The second problem with predictable usernames is that they are typically used across multiple websites, especially when the email address associated with the account is used as the username. Using the same username across several of your accounts correlates those accounts. This makes them easier to locate and leaks information about you such as your social media presence, interests, the online services and commerce sites you use, etc. This can expose a great deal of information about you. After locating your username, the attacker in this scenario may use a service like KnowEm (http://knowem.com/) to locate other accounts you have. If a common username and password combination are used across multiple accounts, hacking one account can very quickly lead to the compromise of multiple accounts with disastrous consequences. Though you may not care if your throwaway email account or an old social media profile is hacked, it could lead to your bank account or an active e-commerce account being hacked if they share a username and password.

The third major problem with predictable usernames is that when breaches occur, the username and password combinations are usually sold or posted online in massive databases. If you use a username or email address that correlates to your name, a breach can reveal personal information about you, especially if you have an uncommon name. As an example, let’s assume your name is Harrison Tang and your username to a site is harrisontang83, an obvious and easily guessable username based on your name and year of birth. Let’s also assume that a large password breach occurs at a given site, and the usernames and passwords are posted online (which is very common by the way). Anyone seeing this database would easily recognize your name and with some research could probably confirm the user is you. This reveals information about you and your personal interests. This could be a dating site (like Adult Friend Finder or Ashley Madison), a bank, an ecommerce site, or an online service of some sort. This would reveal to anyone seeing this database that you use this dating site, bank, online retailer, or service, leading to further avenues of exploitation.

To combat this, you should consider the username a security measure. If the usernames on your accounts happen to be obvious, change them immediately. If a particular site does not allow you to change your username, consider closing the account and opening a new one using a non-obvious username. I’d personally consider a random-generated username for maximum anonymity. An ideal username would look something like this: 532T4VYL9NQ54BTMDZI1.

PASSWORDS
Though password managers provide most of the memory you need, there are still a handful of passwords that you will need to manually enter on a day-to-day basis. Not only do you want these passwords to be memorable, you also need them to be incredibly strong as the compromise of these passwords could lead to the compromise of all of your sensitive data. For this reason, you need to know how to develop a strong password that you can remember and enter manually.

PASSWORD BASICS: Before I discuss how to build a good, strong password it is critical to understand what comprises one. There are two factors that make (or break) a password: length and complexity. Added length and complexity both exponentially increase the difficulty in breaking a password.

Password length is uncomplicated. With today’s computing power, 20 characters is a prudent MINIMUM length (if your site does not allow a longer password). When passwords are cracked using brute force techniques, powerful processors run through hundreds of millions or billions of possible passwords per second. Every possible combination of a very short password could be tested in a matter of minutes with strong enough computing power, and computers are growing faster every day. Password length is the single most important factor that increases the strength of a password.

When using a password manager, we will use passwords that are much longer than 20 characters, sometimes exceeding 100. If this seems like overkill, consider the following. Regardless of whether a password is 1 character or 100, both require the exact same amount of effort when using a password manager. Why not go with the longest allowable password? If a site with which you are registering does not allow a longer password, think twice before registering with that service.

Complexity can be a bit trickier: Password complexity is created by following some basic rules. Ideally a password will contain characters from the full ASCII suite, including upper and lower-case letters, numbers, special characters (!@#$%^&*_+=-/.,<>?;””:[]}{\|), and spaces. Spaces are very important as they are not commonly used in passwords, and as a result are not commonly searched for by password-cracking programs.

PASSWORD VULNERABILITIES: You may be wondering why such extreme measures are needed to develop an effective password. The reason complexity is desirable is that passwords are not typically cracked by “dumb” brute force methods alone, like starting at lowercase “a” and going all the way through “ZZZZZZZZZZZ”, and testing everything in between.
Though brute-force attacks exist, they are not the most popular or effective method of cracking a password, as they can take an immense amount of time. Time is the enemy of the password cracker, and your goal in designing a password should not be to make it unbreakable. Nothing is truly unbreakable given enough time, but you should aim to make it take an unacceptable length of time. Passwords are usually cracked in a much timelier manner by understanding how people make passwords and designing a dictionary attack to defeat it. Dictionary attacks rely on specific knowledge of the target and heuristics.

Knowledge of the target is useful when cracking a password because personal information is frequently used as the basis for human-generated passwords. An individual may use his or her birthday (or birthdays of a spouse, or children, or a combination thereof), favorite sports team or player, or other personal information or interests. This information can be input into programs like the Common User Password Profiler (CUPP). This application takes such tedious personal data as birthdays, names, occupation, and other keywords, and generates thousands of potential passwords based on the data. This list of passwords can then be programmed into a custom dictionary attack against the target machine or account.

Dictionary attacks work through a trial and error approach. First, a list of passwords is entered into a password-cracking program. This list might be customized against the target (through applications like CUPP as described above), or it may be more generic. Even though “generic” lists are not tailored to a specific target, they are still far more successful than they should be. These lists are based upon the heuristics of how people develop passwords. These lists are developed with the knowledge that many people use the techniques explained in the following list of password pitfalls.

o Never use a dictionary word as your password. Almost all dictionary attacks will include a list of dictionary words in a number of languages. o Do not use a dictionary word with numbers/characters at the beginning or end (e.g. password11 or 11password), and do not use a dictionary word with simple obfuscation (p@ssword). These are the most common methods of adding complexity to a dictionary word-based password, and combinations such as these would be tested in any decent dictionary attack. o Never leave the default password on your devices (Bluetooth devices and wireless routers are notable offenders in the retail market). Default passwords for any device imaginable are available through a simple web search and would absolutely be included in an attack against a known device. o Never use information that is personally relatable to you. As I have discussed, information that is personally relatable to you can be used in an attack that is customized to target you specifically.

The inherent problem with complexity is that it makes our passwords difficult to remember, though with creativity it is still possible to create passwords that are very long, very complex, yet still memorable. Below are two of my favorite techniques to develop strong (and memorable) passwords.

THE PASSPHRASE: A passphrase is a short phrase instead of a single word and is my preferred technique. Passphrases work like passwords but are much more difficult to break due to their extreme length. Additionally, if appropriate punctuation is used, a passphrase will contain complexity with upper and lowercase letters and spaces. A shrewd passphrase designer could even devise a phrase that contains numbers and special characters. An example of a solid passphrase might be the following.

“There’s always money in the banana stand!”

An even better example might be:

“We were married on 07/10/09 on Revere Beach”.

Both of those passphrases are extremely strong and would take a long, long time to break. The first one contains 43 characters, including letters in upper and lowercases, special characters, and spaces. The second is even longer at 46 characters, and it contains numbers in addition to having all the characteristics of the first. Additionally, neither of these passphrases would be terribly difficult to remember.
DICEWARE PASSPHRASES: Diceware is a method of creating secure, randomlygenerated passphrases using a set of dice to create entropy. To create a diceware passphrase you will need one dice and a diceware word list. Numerous diceware word lists are available online. Because of the way passwords are created, these lists do not need to be kept secret. These lists consist of 7,776 five-digit numbers, each with an accompanying word and look like this:

43612 noisy 43613 nolan 43614 noll 43615 nolo 43616 nomad 43621 non 43622 nonce 43623 none 43624 nook 43625 noon 43626 noose

After you have acquired a dice and a word list, you can begin creating a passphrase by rolling the dice and recording the result. Do this five times. The five numbers that you recorded will correspond with a word on the diceware list. This is the first word in your passphrase. You must repeat this process for every additional word you wish to add to your passphrase. For an eight-word passphrase you will have to roll the dice 40 times. Diceware passwords are incredibly strong but also enjoy the benefit of being incredibly easy to remember. A resulting diceware passphrase may look like the following.

puma visor closet fob angelo bottle timid taxi fjord baggy

Consisting of ten short words, this passphrase contains 58 characters including spaces and would not be overly difficult to remember. After you have completed this and compiled the words from the list into a passphrase you can add even more entropy to the passphrase by capitalizing certain words, inserting numbers and special characters, and adding spaces. Experts currently recommend that six words be used in a diceware passphrase for standard-security applications, with more words added for higher-security purposes. You should NEVER use a digital or online dice-roll simulator for this. If it is compromised or in any way insecure, so is your new passphrase. Wordlists are at http://world.std.com/~reinhold/diceware.html

THE “FIRST LETTER” METHOD: This method is a great way to develop a complex password, especially if it does not have to be terribly long (or cannot be because of site restrictions on password length). For this method select a phrase or lyric that is memorable only to you. Take the first (or last) letter of each word to form your password. In the example below, we use a few words from the Preamble to the Constitution of the United States.

We the people of the United States, in order to form a more perfect union, establish Justice, insure domestic Tranquility

WtpotUSiotfampueJidT

This password contains 20 characters, upper and lowercase letters (the letters that are actually capitalized in the Preamble are capitalized in the password), and does not in any way resemble a dictionary word. This would be a very robust password. The complexity and length of this password could be increased greatly by spelling out a couple of the words in the phrase, and more complex still by replacing a letter or two with special symbols as in the following example.

We the People of the United States, i02famPu,eJ,idT

Containing 51 characters, this is the strongest password yet, but would still be fairly easy to remember after taking some time to commit it to memory. The first seven words are spelled out and punctuated correctly, and the last fifteen words are represented only by a first letter, some of which are substituted with a special character of number. This password is very long and very complex, and would take EONS to crack with current computing power.

OTHER PASSWORD ISSUES
Even if all your passwords are strong, there are some other issues to be aware of.

MULTIPLE ACCOUNTS: Though this is covered elsewhere in this book it is worth reiterating. Each of your online accounts should have its own unique password that is not used on any other account. Otherwise the compromise of one account can lead quickly to the compromise of many of your accounts. If a password manager is doing all the work for you there is no reason not to have different passwords on every single online account.

PASSWORD RESET MECHANISMS: Most online accounts feature a password recovery option for use in case you forget your password. Though these are sometimes referred to as “security” questions, in reality they are convenience questions for forgetful users. Numerous accounts have been hacked by guessing the answers to security questions or answering them correctly based on open source research, including the Yahoo Mail account of former Vice Presidential candidate Sarah Palin. The best way to answer these questions is with a randomly generated series of letters, numbers, and special characters (if numbers and special characters are allowed). This will make your account far more difficult to breach through the password-reset questions. If you use a password manager, the answers to these questions can be stored in the “Comments” section of each entry, allowing you to reset your password in the event you become locked out of your account.

If you are prompted to enter a password “hint”, I recommend using purposely misleading information. This will send the attacker on a wild goose chase if he or she attempt to discover your password through the information contained in the hint. You should never use anything in the hint that leaks any personal information about you, and if you are using a strong, randomly generated password, the hint should have nothing at all to do with the password itself. Some examples of my favorite purposely misleading hints might be: My Birthday, Miami Dolphins, Texas Hold’em, or Password, none of which have anything at all to do with the password at which they “hint”.

PASSWORD LIFESPAN AND PASSWORD FATIGUE: Like youthful good looks, architecture, and perishable foods, passwords are vulnerable to the ravages of time. The longer an attacker has to work at compromising your password, the weaker it becomes in practice. Accordingly, password should be change periodically. In my opinion, they should be changed every six months if no extenuating circumstances exist. I change all of my important passwords much more often than that, because as a security professional, I am probably much more likely than most to be targeted (not to mention much more paranoid, as well). If you have any reason to suspect an online account, your wireless network, or your computer itself has been breached you should change your password IMMEDIATELY. The new password should be drastically different from the old one.

If you are using a password manager, a practice I strongly recommend, changing passwords is not difficult at all. Remembering them is a non-issue. If you choose not to use a password manager, or you have more than one or two accounts for which you prefer to enter the password manually, you may become susceptible to password fatigue. Password fatigue is the phenomenon of using the same four or five passwords in rotation if you change them, or are forced to change them, frequently. This impacts security negatively by making your password patterns predictable, and exposes you to the possibility of all the passwords in your rotation being cracked.

With modern password hashing techniques, changing passwords frequently is typically unnecessary. The corporate practice of requiring a new password every 30, 60, or 90 days is a throwback to the days when passwords were predominantly stored in plaintext and there was significant risk of the entire password database being hacked. If passwords are being stored correctly, they should be secure even when the database is breached. With that being said, I am more paranoid than most and regularly change my passwords on all of my important accounts. Though it takes a bit of time and patience to update passwords on multiple sites, doing a few each week in a constant rotation can ease the tedium a bit and ensures that if one of your passwords is compromised it will only be good for a few weeks at most.


Whatsapp Button works on Mobile Device only

Start typing and press Enter to search