Ultimate OPSEC Guide 2 (part 3)

Hello guys, this is the 3rd tutorial of the OPSEC Guide. If you're new, read the previous two tutorials first to understand this one.

These days, one does not have to follow security news closely to know that password compromises happen with shocking regularity. The Wired cover story about the hack on Mat Honan in late 2012 fully underscores the weaknesses of passwords. Mr. Honan is also an excellent case study in the folly of using the same password across multiple accounts: when one of his passwords was hacked, it led to the compromise of several of his accounts. Passwords are becoming a weaker method for securing data. They can be brute-forced, captured during insecure logins, stolen by key-loggers or phishing pages, or lost when sites that do not store passwords securely are hacked.
There is a method of securing many accounts that offers an orders-of-magnitude increase in the security of those accounts: two-factor authentication (2FA). Using 2FA, each login requires that you offer something other than just a username and password. There are several ways 2FA can work, and there are three categories of information that can be used as a second factor. The three possible factors are something you know (usually a password), something you have, and something you are (fingerprint, retinal scan, voice print, etc.). A 2FA scheme will utilize at least two of these factors, one of which is almost always a password.
PGP KEY MESSAGE DECRYPTION: With a PGP key that you control set up as the second factor on your account, you enter your username and password to log in. Before being allowed access to the account, you are presented with a message that was encrypted with your own PGP public key. Decrypting the message gives you a code; upon entering the code, access to the account is granted.
Sadly, I have yet to see a clearnet website deploy this kind of security measure. The only websites that have this kind of protection in place are darknet websites and markets, most likely because most people do not use PGP to communicate outside the darknet, so it is not a popular security measure. This is very unfortunate, as PGP key message decryption is most likely the single best method to secure your account from hackers, and currently my favorite.
With Qubes OS, we can create an isolated VM with no access to the internet, designed specifically for the use of PGP, which makes things considerably more secure. I recommend you clone the fedora-26 TemplateVM into fedora-26-pgp, then simply create a new AppVM based on that template, label it “pgp”, and give it no access to the internet. From there, using PGP is as easy as setting up a new key pair and knowing the command-line commands to encrypt/decrypt messages. You can follow the tutorial linked below to accomplish this.
TEXT/SMS: With this method, a code will be sent via text/SMS message to your mobile phone. Upon entering the code, which is typically 6-8 digits, access to the account will be granted.
Using the text/SMS scheme of two-factor authentication is a major security upgrade but is not as good as the next option we will discuss: the dedicated authenticator app. Text/SMS can be defeated if your phone’s texts are forwarded to another number. This may happen if your service provider account is hacked, or if a phone company employee is a victim of social engineering and allows an unauthorized person to make changes to your account. This may seem like a very sophisticated and unlikely attack vector, but several well-documented cases of this attack have occurred.
APP: Another option for smartphone owners and Qubes OS users is a dedicated two-factor authentication app. One such app is Google Authenticator. With the app installed, you visit the website and enter your username and password. Then you open the app, which displays a six-digit, one-time code for that account (this code changes every 30 seconds). You enter the one-time code to log in. Setup for the app is slightly more complicated than setting up text/SMS, but it is far from difficult.
Once the app is installed on your computer/phone, you visit the site for which you wish to set up 2FA. The site will give you a code that you input into the app, which links your phone/computer to the account and adds an entry for the account into the app. Google Authenticator works for a number of sites, including Amazon Web Services, Dropbox, Gmail, Facebook, Microsoft, WordPress, and more.

Though I generally consider app-based tokens more secure than text/SMS systems, it is important to be aware that they are not invulnerable. While an attack on your phone could get some of your login tokens, the capture of the setup code that the site transmits to your app could allow an attacker unlimited access to all your two-factor codes indefinitely. This is very unlikely, however. In Qubes, you should create a VM specifically for this purpose ALONE; do not use it for anything else, and do not download files or browse the web in that VM. There are other VMs you can create specifically for those other purposes. Below is the link to a tutorial on setting up a VM on Qubes for this purpose. If you are having problems, feel free to contact me and I will help you.


DO YOU REALLY NEED AN ACCOUNT? Many online accounts that you are asked to create are unnecessary and time-consuming. Some services require an account. Before you set one up, I strongly recommend considering the potential downsides. You should also carefully consider what data you are willing to entrust to a website. An online dating site may request a great deal of data and periodically invite you to participate in surveys. Of course, it will also ask you to upload photographs. I urge you to use caution when doing so because it is a near certainty that any information you put on the internet will one day be compromised in some manner.

USE ACCURATE INFORMATION SPARINGLY: When signing up for a new online account, consider what information is really important and necessary to the creation of the account. When you sign up for an email account, does it really need your true date of birth? Obviously not. E-commerce sites require your address to ship packages to you, but do they need your real name? Perhaps they do. When you create an online account with your bank, do you need to use complete and accurate information? Yes, you most likely do, unless you are conducting any type of fraudulent activity.

CHECK THE STATUS OF EXISTING ACCOUNTS: An early step in securing online accounts is to ensure they have not been breached. There are a couple of services that will offer you a bit of insight into this by allowing you to cross-reference your email address against lists of hacked accounts. Breachalarm.com allows you to input your email address, which it then cross-references against a list of hacked accounts. If your account has been hacked, change the password immediately.
Haveibeenpwned.com is a similar website that checks both email addresses and usernames against lists of known-hacked accounts. The site is relatively new and maintains a database of breached accounts.

GET RID OF UNUSED OR UNTRUSTED ACCOUNTS: If you have old online accounts that are no longer used, close them down if possible. Some websites can help you do this, such as KnowEm (www.knowem.com), AccountKiller (www.accountkiller.com), WikiCancel (www.wikicancel.org), and Just Delete Me (www.justdelete.me). Before closing an account, I highly recommend you get rid of as much personal information as you can in the account. Many services will continue to harvest your account for personal information, even after it has been closed. Before closing the account, log in and replace the information in as many data fields as possible. Replace your name, birthday, billing information, email and physical addresses, and other fields with false information.

Social Networks
With the explosion of social networks, many data mining companies are now collecting content from public profiles and adding it to a person’s record. Overall, society has made it acceptable to provide every level of personal detail to the corporations that own these networks. We have been trained to “like” or “favorite” anything that we find enjoyable or feel pressured into identifying with. These actions seem innocent until we discover the extent to which this data is used. Think about your online actions another way. Would you ever consider spending time every day submitting personal details to online survey websites? Further, would you consider doing this for free? Would you sit down for an hour each day with a complete stranger and answer invasive questions about the details of your life and your likes and dislikes, knowing that he was going to sell this information? Not to mention the fact that all of this information is gold in the hands of private investigators and police officers conducting an investigation: MANY people have been caught because of data found on social networks, and that data was then used in court to prosecute them.
Essentially, when you create a Facebook account you are agreeing to work as an unpaid survey-taker, photographer, and writer. When you “like” a site you are adding to Facebook’s trove of data about you. When you install the Facebook app on your phone you give Facebook permission to access your location data, letting the service track you everywhere you go. When you upload photos to Instagram you are actually giving them, in perpetuity, to Facebook, who can use them for almost any purpose whatsoever. When you update your status, submit a photo, or comment on Facebook you are voluntarily giving them data they can resell or reuse in almost any legal way. This is in addition to the fact that all your posts, status updates, likes, and other actions are used to build an incredibly accurate profile about you. Your photos are used in facial recognition software so accurate that Facebook could even build a near-perfect 3D model of your body. You aren’t the customer, you are the product. The other danger of social networks and other services that rely on data collection is that they never forget. While you can delete your Facebook or Google account, the information that you have submitted to the service will always be retained in some form. While Google may not keep the entirety of your emails, your profile will be saved for potential future use. While using some of these services, teenagers and adults are making IRREVERSIBLE decisions.
I personally recommend deleting and removing all of your social networks. It is very important that you first replace every single piece of information with fake info before actually deleting your account.

Every digital photograph captured with a digital camera carries metadata known as Exif data. This is a block of data embedded in the file that provides information about the photo and the camera. All digital cameras write this data to each image, but the amount and type of data vary. Because it is embedded “behind the scenes”, it is not visible within the captured image; you need an Exif reader, which can be found on websites and within applications. Keep in mind that most social network websites remove or “scrub” this data before storing it on their servers: Facebook, for example, removes the data while Flickr does not. If the image has been compressed to a smaller file size, this data is often lost; however, most photo sharing websites offer a full-size view. The easiest way to see the information is through an online viewer.

JEFFREY’S EXIF VIEWER: I consider Jeffrey’s Exif Viewer (www.regex.info//exif.cgi) the online standard for displaying Exif data. The site will allow analysis of any image found online or stored on a drive connected to your computer. The home page provides two search options. The first allows you to copy and paste the address of an image online for analysis. Clicking “browse” on the second option will open a file explorer window that will allow you to select a file on your computer for analysis. The supported file types are also identified on this page. The first section of the results will usually provide the make and model of the camera used to capture the image. Many cameras will also identify the lens used, exposure settings, flash usage, date and time of capture, and file size. This is a lot of data to share with the world.
Scrolling down the analysis page will then identify the serial number field. This is most common in newer, costlier digital cameras and may not be present in less expensive cameras. These cameras will identify the make, model, and serial number of the camera inside every photo they capture.

EXIFTOOL: As I express constantly on these pages, I typically prefer local solutions over cloud-based solutions. ExifTool is a simple, lightweight tool that will quickly and easily display the Exif data contained in photographs. It runs in portable mode and does not require you to permanently install the application. To view Exif data for a photo, simply open ExifTool and drag the photo onto the command line interface. A list of all available Exif data will be displayed. This tool can be used to see what metadata needs to be removed from the photo, and to verify that it has been removed before uploading. ExifTool is free and available by visiting https://owl.phy.queensu.ca/~phil/exiftool/. A graphical user interface (GUI) that makes ExifTool easier to use, especially for bulk photos, can be downloaded at http://u88.n24.queensu.ca/~bogdan/.
A serial number of a camera associated with an image can be valuable data. This can help someone associate photos that you “anonymously” posted to the internet directly to you. For example, if a stalker found a photo that you posted on your Twitter feed that you took with your camera, he or she may be able to identify the serial number of your camera. If the stalker then finds a photo and suspects that you took it but posted anonymously, he or she can see if the serial numbers match. I bring this up to explain the next threat.

STOLEN CAMERA FINDER: This site (www.stolencamerafinder.co.uk) was designed to help camera theft victims locate their camera if it is being used by the thief online. For that use, you would find a photo taken with the stolen camera and drop it into the site for analysis. This analysis identifies a serial number if possible. If one is located, the service then presents links to photo-sharing websites, such as Flickr, that contain photos with the same serial number. This can locate photos that you may not want to take credit for.

An additional site that provides this service is called Camera Trace (www.cameratrace.com/trace). Type in the serial number of a camera and the site will attempt to locate any online photographs taken with the camera. This service claims to have indexed all of Flickr, Twitter, Twitpic, Panoramio, and 500px.

Many new SLR cameras, and almost all cellular telephone cameras, now include GPS. If the GPS is on, and the user did not disable geotagging of photos in the camera settings, you will get location data within the Exif data of the photo. This field translates the GPS coordinates captured with the photo and identifies the location where it was taken. Further down an Exif results page, the site will display an image from Google Maps identifying the exact GPS point associated with the photo. All Android and iPhone devices have this capability.

Another piece of information that can be located in the Exif data is a thumbnail image embedded within the photograph. Digital cameras generate a small version of the captured photo and store it within the Exif data. This icon-sized image adds very little to the overall file size. When a user crops the image, this original smaller version may or may not get overwritten. Programs such as Photoshop or Microsoft Photo Editor will overwrite the data and keep both images identical. Other programs, as well as some online cropping tools, do not overwrite this data. The result is the presence of the original, un-cropped image within the Exif data of the cropped photo. You can then see what the image looked like before it was cropped.
If you have a situation where it is necessary to upload photos to the internet, you may want to consider removing this metadata.

VEREXIF: This website (www.verexif.com/en/) allows you to upload a digital image and either view or remove the metadata attached to it. Click on the “Browse” button, locate the photo you want to edit, and click “Remove Exif”. You will be presented with a new download containing your image without the Exif data embedded. ExifTool will also let you remove this data without touching the internet.

This is by far my favorite method to scrub any Exif data from my pictures, and any metadata from my documents.
Whonix-Workstation comes with a pre-installed application called MAT (Metadata Anonymization Toolkit). You can follow the steps on the Whonix website to use this program, but it is fairly straightforward and easy.
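As an added example that is not from the guide or from any of the tools it names (ExifTool, verexif, MAT), the following Python block walks a JPEG's APP1 Exif block to flag the three things the sections above warn about (camera body serial number, a GPS IFD, and an embedded thumbnail) and then strips the Exif segment the way a local scrubber does, keeping the JFIF header and image data intact. `build_sample_jpeg` constructs a minimal sample file with those fields so the check runs offline; the tag numbers are from the Exif specification.

```python
import struct

# Exif/TIFF tags relevant to the privacy points above (numbers from the Exif 2.3 spec).
TAG_EXIF_IFD = 0x8769      # pointer to the Exif-private IFD
TAG_GPS_IFD = 0x8825       # pointer to the GPS IFD (present => location data stored)
TAG_BODY_SERIAL = 0xA431   # BodySerialNumber, ASCII, in the Exif IFD
TAG_THUMB_OFFSET = 0x0201  # JPEGInterchangeFormat in IFD1 => embedded thumbnail

def _segments(jpeg):
    """Yield (marker, start, end) for each marker segment before the image data (SOS)."""
    assert jpeg[:2] == b"\xff\xd8", "not a JPEG"
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]   # length includes itself
        yield jpeg[pos + 1], pos, pos + 2 + length
        pos += 2 + length

def _read_ifd(tiff, end, offset):
    """Return ({tag: (type, count, 4 raw value bytes)}, offset of the next IFD or 0)."""
    n = struct.unpack(end + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(n):
        e = offset + 2 + 12 * i
        tag, typ, count = struct.unpack(end + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, count, tiff[e + 8:e + 12])
    next_ifd = struct.unpack(end + "I", tiff[offset + 2 + 12 * n:offset + 6 + 12 * n])[0]
    return entries, next_ifd

def _ascii(tiff, end, entry):
    """ASCII tag value: stored inline when it fits in 4 bytes, otherwise at an offset."""
    typ, count, raw = entry
    if count <= 4:
        return raw[:count].rstrip(b"\0").decode("ascii", "replace")
    off = struct.unpack(end + "I", raw)[0]
    return tiff[off:off + count].rstrip(b"\0").decode("ascii", "replace")

def _is_exif(jpeg, marker, start):
    return marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\0\0"

def exif_report(jpeg):
    """Flag the metadata the guide warns about: body serial, GPS IFD, embedded thumbnail."""
    report = {"serial": None, "gps": False, "thumbnail": False}
    for marker, start, stop in _segments(jpeg):
        if not _is_exif(jpeg, marker, start):
            continue
        tiff = jpeg[start + 10:stop]                  # TIFF header follows "Exif\0\0"
        end = "<" if tiff[:2] == b"II" else ">"       # II = little-endian, MM = big-endian
        ifd0, ifd1_off = _read_ifd(tiff, end, struct.unpack(end + "I", tiff[4:8])[0])
        report["gps"] = TAG_GPS_IFD in ifd0
        if TAG_EXIF_IFD in ifd0:
            exif_ifd, _ = _read_ifd(tiff, end, struct.unpack(end + "I", ifd0[TAG_EXIF_IFD][2])[0])
            if TAG_BODY_SERIAL in exif_ifd:
                report["serial"] = _ascii(tiff, end, exif_ifd[TAG_BODY_SERIAL])
        if ifd1_off:                                  # IFD1 describes the thumbnail
            report["thumbnail"] = TAG_THUMB_OFFSET in _read_ifd(tiff, end, ifd1_off)[0]
    return report

def strip_exif(jpeg):
    """Drop every APP1 Exif segment (TIFF block, GPS and thumbnail included); keep the rest."""
    out, last = bytearray(), 0
    for marker, start, stop in _segments(jpeg):
        if _is_exif(jpeg, marker, start):
            out += jpeg[last:start]
            last = stop
    return bytes(out + jpeg[last:])

def _entry(end, tag, typ, count, value):
    return struct.pack(end + "HHI", tag, typ, count) + value.ljust(4, b"\0")

def build_sample_jpeg():
    """Constructed sample (not a real camera file): JFIF APP0 + Exif APP1 with IFD0 at 8,
    Exif IFD at 38, GPS IFD at 56, IFD1 at 74 and a 4-byte thumbnail at 92, then SOS+EOI."""
    e = "<"
    ifd0 = (struct.pack(e + "H", 2) + _entry(e, TAG_EXIF_IFD, 4, 1, struct.pack(e + "I", 38))
            + _entry(e, TAG_GPS_IFD, 4, 1, struct.pack(e + "I", 56)) + struct.pack(e + "I", 74))
    exif_ifd = struct.pack(e + "H", 1) + _entry(e, TAG_BODY_SERIAL, 2, 4, b"123\0") + b"\0" * 4
    gps_ifd = struct.pack(e + "H", 1) + _entry(e, 0x0001, 2, 2, b"N\0") + b"\0" * 4  # GPSLatitudeRef
    ifd1 = struct.pack(e + "H", 1) + _entry(e, TAG_THUMB_OFFSET, 4, 1, struct.pack(e + "I", 92)) + b"\0" * 4
    tiff = b"II*\0" + struct.pack(e + "I", 8) + ifd0 + exif_ifd + gps_ifd + ifd1 + b"\xff\xd8\xff\xd9"
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\0\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app1 = b"\xff\xe1" + struct.pack(">H", len(tiff) + 8) + b"Exif\0\0" + tiff
    return b"\xff\xd8" + app0 + app1 + b"\xff\xda\x00\x02" + b"\xff\xd9"
```

Run `exif_report` on a file before uploading and again on the output of `strip_exif` to confirm the serial, GPS and thumbnail fields are gone; the parser reads only the Exif segment, so XMP or IPTC blocks in other segments are out of its scope.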

Anonymous Purchases
In this chapter, I will explain various ways to protect your privacy while maintaining the convenience of making non-cash purchases online and in person. Before outlining these techniques, I feel obligated to examine how convenience is inversely proportional to privacy and security. The more convenient something is, the more personal privacy and control of your identity you are probably sacrificing. Credit and debit cards are one such convenience. With cash you have to make time to visit an ATM, carry bills, and manage change. All of these inconvenience factors are compounded if you make multiple small purchases throughout the month.
Despite its inconveniences, making these multiple small purchases routinely is precisely the reason you should use cash when available. Though it is certainly more convenient to swipe a credit card for purchases than it is to use cash, it also creates a tangible, searchable record of each transaction. Your purchases record a wealth of data about you including your location and movement, interests, hobbies, and a plethora of other information. Some will say this data is protected and only visible to those with proper authority. I counter that argument with whatever data breach is in the headlines while you read this chapter. Further, history has proven that those with proper authority often abuse their power.
Ideally, you want your bank statements to always look something like this.

This type of bank statement does not raise any kind of suspicion and will keep you low-profile, which is what we want. If you are a cyber-criminal, you do not want any kind of attention, especially from the IRS or police.
This kind of statement also reveals very little about you. It does not reveal where you buy your groceries, where you eat lunch, dinner, etc. It does not associate your name with any kind of purchase.
I attempt to use cash as much as possible but realize that I will never be able to fully eliminate credit cards from my life. Air travel, rental cars, and hotels all require credit cards. I still find myself in locations where I don’t want to pay exorbitant ATM fees and end up using a credit card. But I use it a lot less, which is what I am truly advocating. Use more cash and less plastic. This reduces the amount of information about yourself that you give over to your bank, your lenders, or anyone curious enough to swipe a statement out of your mailbox.  
There are significant and compelling reasons to keep your purchase history anonymous, especially for us criminals. Your purchases will reveal almost everything about you. The sporting goods you buy (or don’t buy) probably say a lot about your level of physical activity and fitness. The books you read reveal a lot about your personality, including your religious beliefs, your political leanings, your sexuality, and the things you are passionate about. The foods you buy, the restaurants at which you eat, the frequency with which you eat at them, and the alcohol and tobacco products you consume reveal a LOT about your life. This may one day very soon be used against you in one way or another.
Using cash isn’t bulletproof, and it won’t make you totally anonymous. But it will lower your digital signature, offer you a lot more anonymity, and make an attacker’s job a bit harder. Every little bit helps. For those situations that do not allow cash purchases, I have some ideas that will decrease the invasive tracking of your buying habits.

I begin with Amazon because it is one of the largest online retailers. I place orders through Amazon weekly and never jeopardize my privacy during the process. If you are already using Amazon and have an account created, I recommend that you stop using that account and create a new one. The details that you provide are extremely important. Before discussing the appropriate methods, please consider an actual scenario.
A friend had recently moved to a new rental house to escape a dangerous situation. She had nothing associated with her real name at the address. The utilities were still in the name of the landlord. She used a PO Box in a different city for her personal mail. She was doing everything right. She created a new Amazon account and provided the name of her landlord and her home address for shipping purposes. This way, her packages would arrive in the name of the property owner and she would stay invisible. She made sure that her name was not visible in any part of the order.

When prompted for payment, she used her real credit card in her name. She verified one last time that her name was not present anywhere within the actual order or shipping information. Her item, a pair of hiking shoes, arrived in the name of the landlord. Her real name was not referenced anywhere on the package. Within 30 days, she received a piece of mail that made her stomach drop. It was a catalog of hiking equipment addressed to her real name at her address. The company had accepted the order through Amazon and was given her name as attached to the credit card. Therefore, the company added her to its catalog delivery list.

All of her hard work was ruined from this one mistake. The lesson here is that you can never tie your real name to your address if you do not want that association to be public.

The following steps will mask your real identity from your Amazon purchases. This technique can also apply to other online retailers. Create a new account with the following information.

o Name: Use the name that you want your packages shipped to. This could be the former resident or landlord at your address, or a complete alias.
o Email Address: You must provide an email address for your new Amazon account. I recommend you use Protonmail for this. Do not use your name.
o Credit Card: I personally recommend you head to https://dnt.abine.com/#register and create a new account with them. They allow you to create masked cards and masked phone numbers backed by your real credit card. Supply Amazon with the masked card and provide the alias name that you want to use for deliveries. If you don’t want to get a Blur account, you can simply buy a BTC debit card and attach that to your account. But make sure the BTCs in the debit card are extra clean.
o Address: This could be your home address if you do not have a better place for deliveries. You can alter this information once the account has been verified. I personally recommend you get a PO box in a different city and use that as your delivery address. Because the name on the shipment is not a real name, I do not see this as a privacy concern for your house (do not use an alias for a PO Box you opened with your real ID). I believe it actually helps establish that someone else lives at your residence, and provides great disinformation. You should scrutinize any option that you choose and make sure that it is appropriate for your scenario.
This method should protect you from any association between your name, your purchases, and your home. You could likely use this new Amazon account for all of your purchases and have no problems. However, I encourage you to take things a step further and apply a bit more paranoia to your plan. I create a new Amazon account after each Blur card has been depleted. If I add a $200 Blur masked card to my account, and then use those funds over a period of five orders, I do not add a new masked card to my Amazon account. Instead, I close the account and create a new one. Same thing with BTC debit cards and Amazon gift cards. I create a new account after each purchase. This way, Amazon does not have a single record of all transactions. It will add disinformation to your address and will confuse your delivery person. The only drawback to this is if you subscribe to their Prime membership. You may want to create an account to be used with those benefits.

An alternative strategy for purchasing anonymously on Amazon is to use their gift cards. These are available for sale at many retailers, including drug stores such as CVS and Walgreens, grocery stores, and even hardware stores such as Home Depot and Lowes. They can also be purchased directly with Bitcoin through a website called PayBis (https://paybis.com/buy-amazoncom-gift-card-with-bitcoin/). Many people used to use eGifter and Gyft; however, they no longer support Amazon gift cards.
These can be purchased in amounts up to $2,000.00, require no additional activation fee as prepaid credit cards do, and some retailers require that you pay cash for them. Using these cards is incredibly simple. Create a new Amazon account, navigate to your payment settings, and add the gift card. When you have used up your gift card balance, open a new Amazon account providing your real shipping address and a false name. Now order items from Amazon as you normally would. This creates disinformation rapidly. Within 30 days of making a purchase on an alias account, you might begin receiving junk mail at your home address in that name.
Taken to the extreme, you could use this technique to make a new Amazon account, complete with a new name at your shipping address, for every purchase you make.  

No discussion of anonymous purchases would be complete without mentioning the infamous cryptocurrency Monero (XMR). Monero is currently the most anonymous cryptocurrency in existence.

The unfortunate disadvantage of Monero is that almost no retailers accept it as a form of payment. However, you can easily purchase BTC with Monero through services such as xmr.to. In fact, I strongly recommend you do this before purchasing an Amazon gift card, to ensure your maximum anonymity.

UQUID (https://uquid.com/uquid-card) is a service that will give you a Monero reloadable debit card, which you can use as you would a normal bank debit card. The huge advantage is that we can remain completely anonymous and not depend on banks to spend our hard-earned money. These cards also allow easy withdrawals at any functional ATM. The service is completely free and you can provide fake information to sign up. They do not ask for any kind of ID verification, and even if they do in the future, you can simply send them a scan of somebody else’s ID. I highly recommend you get this card shipped to an anonymous drop that can’t ever be connected to you, preferably in a country other than the United States if you’re a US resident, as they don’t ship to the United States. Simply team up with someone and pay them a small fee to reship the card for you.
