electronic opsec - hackcon - the norwegian cyber … - zoz - electronic opsec.pdf · • browser...
TRANSCRIPT
![Page 1: Electronic Opsec - HackCon - The Norwegian Cyber … - Zoz - Electronic Opsec.pdf · • Browser fingerprint ... pattern of life/network graph analysis ... • IPsec IKE vulnerable](https://reader030.vdocuments.net/reader030/viewer/2022011800/5ad70cdc7f8b9ab8378bae21/html5/thumbnails/1.jpg)
![Page 2: Electronic Opsec - HackCon - The Norwegian Cyber … - Zoz - Electronic Opsec.pdf · • Browser fingerprint ... pattern of life/network graph analysis ... • IPsec IKE vulnerable](https://reader030.vdocuments.net/reader030/viewer/2022011800/5ad70cdc7f8b9ab8378bae21/html5/thumbnails/2.jpg)
Electronic Opsec:Protect Yourself From Online Tracking And
Surveillance
Zoz
![Page 3: Electronic Opsec - HackCon - The Norwegian Cyber … - Zoz - Electronic Opsec.pdf · • Browser fingerprint ... pattern of life/network graph analysis ... • IPsec IKE vulnerable](https://reader030.vdocuments.net/reader030/viewer/2022011800/5ad70cdc7f8b9ab8378bae21/html5/thumbnails/3.jpg)
![Page 4: Electronic Opsec - HackCon - The Norwegian Cyber … - Zoz - Electronic Opsec.pdf · • Browser fingerprint ... pattern of life/network graph analysis ... • IPsec IKE vulnerable](https://reader030.vdocuments.net/reader030/viewer/2022011800/5ad70cdc7f8b9ab8378bae21/html5/thumbnails/4.jpg)
Surveillance is the business model of the internet.-- Bruce Schneier
When we use Google to find out things on the Web, Google uses our Web searches to find out
things about us.-- Siva Vaidhyanathan
![Page 5: Electronic Opsec - HackCon - The Norwegian Cyber … - Zoz - Electronic Opsec.pdf · • Browser fingerprint ... pattern of life/network graph analysis ... • IPsec IKE vulnerable](https://reader030.vdocuments.net/reader030/viewer/2022011800/5ad70cdc7f8b9ab8378bae21/html5/thumbnails/5.jpg)
�������
![Page 6: Electronic Opsec - HackCon - The Norwegian Cyber … - Zoz - Electronic Opsec.pdf · • Browser fingerprint ... pattern of life/network graph analysis ... • IPsec IKE vulnerable](https://reader030.vdocuments.net/reader030/viewer/2022011800/5ad70cdc7f8b9ab8378bae21/html5/thumbnails/6.jpg)
![Page 7: Electronic Opsec - HackCon - The Norwegian Cyber … - Zoz - Electronic Opsec.pdf · • Browser fingerprint ... pattern of life/network graph analysis ... • IPsec IKE vulnerable](https://reader030.vdocuments.net/reader030/viewer/2022011800/5ad70cdc7f8b9ab8378bae21/html5/thumbnails/7.jpg)
![Page 8: Electronic Opsec - HackCon - The Norwegian Cyber … - Zoz - Electronic Opsec.pdf · • Browser fingerprint ... pattern of life/network graph analysis ... • IPsec IKE vulnerable](https://reader030.vdocuments.net/reader030/viewer/2022011800/5ad70cdc7f8b9ab8378bae21/html5/thumbnails/8.jpg)
* y o u * h a v e * b e e n * B S O D o m i z e d *y y o / \ \ / \ ou | | \ | | u* | `. | | : *h ` | | \| | ha \ | / / \\\ --__ \\ : av \ \/ _--~~ ~--__| \ | v e \ \_-~ ~-_\ | e* \_ \ _.--------.______\| | *b \ \______// _ ___ _ (_(__> \ | be \ . C ___) ______ (_(____> | / ee /\ | C ____)/ \ (_____> |_/ en / /\| C_____) | (___> / \ n* | ( _C_____)\______/ // _/ / \ *B | \ |__ \\_________// (__/ | BS | \ \____) `---- --' | SO | \_ ___\ /_ _/ | OD | / | | \ | Do | | / \ \ | om | / / | | \ | mi | / / \__/\___/ | | iz | / | | | | ze | | | | | | ed | | | | | | d* y o u * h a v e * b e e n * B S O D o m i z e d *
On the Internet, everyone knows you like ASCII Goatse.
PERMANENT
RECORD
![Page 9: Electronic Opsec - HackCon - The Norwegian Cyber … - Zoz - Electronic Opsec.pdf · • Browser fingerprint ... pattern of life/network graph analysis ... • IPsec IKE vulnerable](https://reader030.vdocuments.net/reader030/viewer/2022011800/5ad70cdc7f8b9ab8378bae21/html5/thumbnails/9.jpg)
What Google Tracks
• Searches
• Things you type into the search bar
• Links clicked following a search
• Videos watched on YouTube
![Page 10: Electronic Opsec - HackCon - The Norwegian Cyber … - Zoz - Electronic Opsec.pdf · • Browser fingerprint ... pattern of life/network graph analysis ... • IPsec IKE vulnerable](https://reader030.vdocuments.net/reader030/viewer/2022011800/5ad70cdc7f8b9ab8378bae21/html5/thumbnails/10.jpg)
What Google Tracks• Browser fingerprint
• Location history
• Mobile device information including IMEIs
![Page 11: Electronic Opsec - HackCon - The Norwegian Cyber … - Zoz - Electronic Opsec.pdf · • Browser fingerprint ... pattern of life/network graph analysis ... • IPsec IKE vulnerable](https://reader030.vdocuments.net/reader030/viewer/2022011800/5ad70cdc7f8b9ab8378bae21/html5/thumbnails/11.jpg)
What Google Tracks
• If you use Google tools (e.g. Chrome):
• Browsing history
• Bookmarks
• Passwords
• Credit card data and purchase history
• Travel data including airline tickets
• Hotel stays and car rentals
![Page 12: Electronic Opsec - HackCon - The Norwegian Cyber … - Zoz - Electronic Opsec.pdf · • Browser fingerprint ... pattern of life/network graph analysis ... • IPsec IKE vulnerable](https://reader030.vdocuments.net/reader030/viewer/2022011800/5ad70cdc7f8b9ab8378bae21/html5/thumbnails/12.jpg)
What Google Tracks
• If you use Google services:
• All your e-mail
• Photos and videos you have taken
• Contacts
• Notes
• Hangouts conversations
![Page 13: Electronic Opsec - HackCon - The Norwegian Cyber … - Zoz - Electronic Opsec.pdf · • Browser fingerprint ... pattern of life/network graph analysis ... • IPsec IKE vulnerable](https://reader030.vdocuments.net/reader030/viewer/2022011800/5ad70cdc7f8b9ab8378bae21/html5/thumbnails/13.jpg)
What Google Tracks
• Your inferred profile for targeted ads
• And more!
![Page 14: Electronic Opsec - HackCon - The Norwegian Cyber … - Zoz - Electronic Opsec.pdf · • Browser fingerprint ... pattern of life/network graph analysis ... • IPsec IKE vulnerable](https://reader030.vdocuments.net/reader030/viewer/2022011800/5ad70cdc7f8b9ab8378bae21/html5/thumbnails/14.jpg)
What Google Tracks• Searches
• Things you type into the search bar
• Links clicked following a search
• Videos watched on YouTube
• Browser fingerprint
• Location history
• Mobile device information including IMEIs
• If you use Google tools (e.g. Chrome):
• Browsing history
• Bookmarks
• Passwords
• Credit card data and purchase history
• Travel data including airline tickets
• Hotel stays and car rentals
• If you use Google services:
• Photos and videos you have taken
• Contacts
• Notes
• Hangouts conversations
• Your inferred profile for targeted ads
• And more!
Google can also trivially correlate multiple accounts belonging to the same user.
![Page 15: Electronic Opsec - HackCon - The Norwegian Cyber … - Zoz - Electronic Opsec.pdf · • Browser fingerprint ... pattern of life/network graph analysis ... • IPsec IKE vulnerable](https://reader030.vdocuments.net/reader030/viewer/2022011800/5ad70cdc7f8b9ab8378bae21/html5/thumbnails/15.jpg)
Google’s Data Store
• Can retrieve some with Google Takeout
• Google notifies on account access, but:
• Developer tools can access without notification
• Auth keys can be stolen by malware and used to access without notification
![Page 16: Electronic Opsec - HackCon - The Norwegian Cyber … - Zoz - Electronic Opsec.pdf · • Browser fingerprint ... pattern of life/network graph analysis ... • IPsec IKE vulnerable](https://reader030.vdocuments.net/reader030/viewer/2022011800/5ad70cdc7f8b9ab8378bae21/html5/thumbnails/16.jpg)
![Page 17: Electronic Opsec - HackCon - The Norwegian Cyber … - Zoz - Electronic Opsec.pdf · • Browser fingerprint ... pattern of life/network graph analysis ... • IPsec IKE vulnerable](https://reader030.vdocuments.net/reader030/viewer/2022011800/5ad70cdc7f8b9ab8378bae21/html5/thumbnails/17.jpg)
![Page 18: Electronic Opsec - HackCon - The Norwegian Cyber … - Zoz - Electronic Opsec.pdf · • Browser fingerprint ... pattern of life/network graph analysis ... • IPsec IKE vulnerable](https://reader030.vdocuments.net/reader030/viewer/2022011800/5ad70cdc7f8b9ab8378bae21/html5/thumbnails/18.jpg)
What Facebook Tracks
• Everything you do on Facebook
• Including messages written but not sent
• Many things you browse not on Facebook
• Via ‘Like’ button tracking
• 2011: tracking cookies from facebook.com even for non-users
• 2012: emotional contagion experiment
• From late 2014: cross-device tracking via Atlas
• Facebook/Instagram ad tracking program
![Page 19: Electronic Opsec - HackCon - The Norwegian Cyber … - Zoz - Electronic Opsec.pdf · • Browser fingerprint ... pattern of life/network graph analysis ... • IPsec IKE vulnerable](https://reader030.vdocuments.net/reader030/viewer/2022011800/5ad70cdc7f8b9ab8378bae21/html5/thumbnails/19.jpg)
![Page 20: Electronic Opsec - HackCon - The Norwegian Cyber … - Zoz - Electronic Opsec.pdf · • Browser fingerprint ... pattern of life/network graph analysis ... • IPsec IKE vulnerable](https://reader030.vdocuments.net/reader030/viewer/2022011800/5ad70cdc7f8b9ab8378bae21/html5/thumbnails/20.jpg)
What Big E-Commerce Tracks
• Every item you’ve ever looked at
• Whether logged in or not
• Purchases and purchasing habits
• What you’re willing to pay for items
• Product reviews
• Detailed, predictive ad targeting profiles
![Page 21: Electronic Opsec - HackCon - The Norwegian Cyber … - Zoz - Electronic Opsec.pdf · • Browser fingerprint ... pattern of life/network graph analysis ... • IPsec IKE vulnerable](https://reader030.vdocuments.net/reader030/viewer/2022011800/5ad70cdc7f8b9ab8378bae21/html5/thumbnails/21.jpg)
PERMANENT
RECORD
![Page 22: Electronic Opsec - HackCon - The Norwegian Cyber … - Zoz - Electronic Opsec.pdf · • Browser fingerprint ... pattern of life/network graph analysis ... • IPsec IKE vulnerable](https://reader030.vdocuments.net/reader030/viewer/2022011800/5ad70cdc7f8b9ab8378bae21/html5/thumbnails/22.jpg)
E-Commerce Deanonymization
Novak, Feit, Jensen, Bradlow: Bayesian Imputation for
Anonymous Visits in CRM Data, December 2015
![Page 23: Electronic Opsec - HackCon - The Norwegian Cyber … - Zoz - Electronic Opsec.pdf · • Browser fingerprint ... pattern of life/network graph analysis ... • IPsec IKE vulnerable](https://reader030.vdocuments.net/reader030/viewer/2022011800/5ad70cdc7f8b9ab8378bae21/html5/thumbnails/23.jpg)
![Page 24: Electronic Opsec - HackCon - The Norwegian Cyber … - Zoz - Electronic Opsec.pdf · • Browser fingerprint ... pattern of life/network graph analysis ... • IPsec IKE vulnerable](https://reader030.vdocuments.net/reader030/viewer/2022011800/5ad70cdc7f8b9ab8378bae21/html5/thumbnails/24.jpg)
Vulnerabilities
• Information is available for purchase
• Commercially available forensic tools can get it
• Can be leveraged by MITM & man-on-the-side attacks
• e.g. QUANTUM, Great Cannon
• OSINT: spearphishing enabler
• Psych profiling, pattern of life/network graph analysis
Elcomsoft Cloud eXplorer
![Page 25: Electronic Opsec - HackCon - The Norwegian Cyber … - Zoz - Electronic Opsec.pdf · • Browser fingerprint ... pattern of life/network graph analysis ... • IPsec IKE vulnerable](https://reader030.vdocuments.net/reader030/viewer/2022011800/5ad70cdc7f8b9ab8378bae21/html5/thumbnails/25.jpg)
Profiling Tools
• Data mining & inference tools
• Police first, then who?
• Integrate data & assign “threat level”:
• Public & commercial databases
• Deep web
• Social media
• Black box: weightings unknown
• Unpredictable results for you
![Page 26: Electronic Opsec - HackCon - The Norwegian Cyber … - Zoz - Electronic Opsec.pdf · • Browser fingerprint ... pattern of life/network graph analysis ... • IPsec IKE vulnerable](https://reader030.vdocuments.net/reader030/viewer/2022011800/5ad70cdc7f8b9ab8378bae21/html5/thumbnails/26.jpg)
Resisting Surveillance
• There is no reclaiming data once given up
• Protect the truth from storage
• Corrupt storage with falsehoods
![Page 27: Electronic Opsec - HackCon - The Norwegian Cyber … - Zoz - Electronic Opsec.pdf · • Browser fingerprint ... pattern of life/network graph analysis ... • IPsec IKE vulnerable](https://reader030.vdocuments.net/reader030/viewer/2022011800/5ad70cdc7f8b9ab8378bae21/html5/thumbnails/27.jpg)
OPSEC
![Page 28: Electronic Opsec - HackCon - The Norwegian Cyber … - Zoz - Electronic Opsec.pdf · • Browser fingerprint ... pattern of life/network graph analysis ... • IPsec IKE vulnerable](https://reader030.vdocuments.net/reader030/viewer/2022011800/5ad70cdc7f8b9ab8378bae21/html5/thumbnails/28.jpg)
![Page 29: Electronic Opsec - HackCon - The Norwegian Cyber … - Zoz - Electronic Opsec.pdf · • Browser fingerprint ... pattern of life/network graph analysis ... • IPsec IKE vulnerable](https://reader030.vdocuments.net/reader030/viewer/2022011800/5ad70cdc7f8b9ab8378bae21/html5/thumbnails/29.jpg)
The 7 Deadly OPSEC Sins
• Overconfidence
• Trust
• Perceived Insignificance
• Guilt By Association
• Packet Origin
• Cleartext
• Documentation
![Page 30: Electronic Opsec - HackCon - The Norwegian Cyber … - Zoz - Electronic Opsec.pdf · • Browser fingerprint ... pattern of life/network graph analysis ... • IPsec IKE vulnerable](https://reader030.vdocuments.net/reader030/viewer/2022011800/5ad70cdc7f8b9ab8378bae21/html5/thumbnails/30.jpg)
![Page 31: Electronic Opsec - HackCon - The Norwegian Cyber … - Zoz - Electronic Opsec.pdf · • Browser fingerprint ... pattern of life/network graph analysis ... • IPsec IKE vulnerable](https://reader030.vdocuments.net/reader030/viewer/2022011800/5ad70cdc7f8b9ab8378bae21/html5/thumbnails/31.jpg)
Basic Tools• Ad Blocking
• AdBlockPlus, GlimmerBlocker etc
• /etc/hosts: http://someonewhocares.org/hosts/
• Bug Sweeping, Descripting, XSR
• Ghostery (turn off data sharing)
• NoScript, RequestPolicy, µMatrix (Mozilla)
• Privacy Badger
• HTTPS Everywhere
• Search Proxying
• e.g. search.disconnect.me
• Fake your user-agent string
• Clear browser data frequently
![Page 32: Electronic Opsec - HackCon - The Norwegian Cyber … - Zoz - Electronic Opsec.pdf · • Browser fingerprint ... pattern of life/network graph analysis ... • IPsec IKE vulnerable](https://reader030.vdocuments.net/reader030/viewer/2022011800/5ad70cdc7f8b9ab8378bae21/html5/thumbnails/32.jpg)
VPNs
• Traffic Encryption
• Location Obfuscation
• Request Concealment
• ...Depending On Listener Location
• ...Depending On Provider
![Page 33: Electronic Opsec - HackCon - The Norwegian Cyber … - Zoz - Electronic Opsec.pdf · • Browser fingerprint ... pattern of life/network graph analysis ... • IPsec IKE vulnerable](https://reader030.vdocuments.net/reader030/viewer/2022011800/5ad70cdc7f8b9ab8378bae21/html5/thumbnails/33.jpg)
VPN Failure Modes
• Leaks
• IPv6 leaks
• DNS leaks
• WebRTC leaks
• “Port Fail” port forwarding leak
• Protocol vulnerabilities
• User error
![Page 34: Electronic Opsec - HackCon - The Norwegian Cyber … - Zoz - Electronic Opsec.pdf · • Browser fingerprint ... pattern of life/network graph analysis ... • IPsec IKE vulnerable](https://reader030.vdocuments.net/reader030/viewer/2022011800/5ad70cdc7f8b9ab8378bae21/html5/thumbnails/34.jpg)
DNS Leaks
• Exposure methods:
• DNS queries go to default ISP DNS
• ISP implements transparent DNS proxy
• Remedy:
• Set static IP properties before VPN connection
• After connecting, flush DNS resolver cache
• Remove DNS settings for primary interface
• Test for DNS leaks
• After disconnecting, restore DNS settings & flush DNS resolver cache
![Page 35: Electronic Opsec - HackCon - The Norwegian Cyber … - Zoz - Electronic Opsec.pdf · • Browser fingerprint ... pattern of life/network graph analysis ... • IPsec IKE vulnerable](https://reader030.vdocuments.net/reader030/viewer/2022011800/5ad70cdc7f8b9ab8378bae21/html5/thumbnails/35.jpg)
WebRTC Leaks
• Voice/Video/PTP in browser
• Firefox/Chrome/Opera/Android/iOS
• Javascript can send UDP request to STUN server via all available interfaces
• Cannot be blocked reliably with browser plugins
• Remedy:
• Set firewall rules to enforce all traffic over VPN
![Page 36: Electronic Opsec - HackCon - The Norwegian Cyber … - Zoz - Electronic Opsec.pdf · • Browser fingerprint ... pattern of life/network graph analysis ... • IPsec IKE vulnerable](https://reader030.vdocuments.net/reader030/viewer/2022011800/5ad70cdc7f8b9ab8378bae21/html5/thumbnails/36.jpg)
“Port Fail”
• Attacker has account at same VPN provider and ability to set up port forwarding at exit IP
• Forward a port, and trick target into connecting to it
• Target’s default route to VPN provider will cause it to make direct connection, exposing real IP
• Remedy:
• Ensure VPN provider does not permit port forwarding for others or separates incoming/exit IPs
![Page 37: Electronic Opsec - HackCon - The Norwegian Cyber … - Zoz - Electronic Opsec.pdf · • Browser fingerprint ... pattern of life/network graph analysis ... • IPsec IKE vulnerable](https://reader030.vdocuments.net/reader030/viewer/2022011800/5ad70cdc7f8b9ab8378bae21/html5/thumbnails/37.jpg)
Protocol Vulnerabilities
• PPTP vulnerable to masses via CloudCrack since 2012
• IPsec IKE vulnerable to NSA via passive and active means since at least 2009 (100,000 decrypts/hr in 2011)
• 2015: NSA precompute attack on 1024-bit Diffie-Helman key exchange all but confirmed
![Page 38: Electronic Opsec - HackCon - The Norwegian Cyber … - Zoz - Electronic Opsec.pdf · • Browser fingerprint ... pattern of life/network graph analysis ... • IPsec IKE vulnerable](https://reader030.vdocuments.net/reader030/viewer/2022011800/5ad70cdc7f8b9ab8378bae21/html5/thumbnails/38.jpg)
Mitigation
• IPsec:
• Always use Perfect Forward Secrecy
• Avoid Pre Shared Keys
• OpenVPN:
• 2048-bit EC-DHE
• Generate fresh prime groups
• Harden your SSH too
![Page 39: Electronic Opsec - HackCon - The Norwegian Cyber … - Zoz - Electronic Opsec.pdf · • Browser fingerprint ... pattern of life/network graph analysis ... • IPsec IKE vulnerable](https://reader030.vdocuments.net/reader030/viewer/2022011800/5ad70cdc7f8b9ab8378bae21/html5/thumbnails/39.jpg)
Be Careful Out & About
![Page 40: Electronic Opsec - HackCon - The Norwegian Cyber … - Zoz - Electronic Opsec.pdf · • Browser fingerprint ... pattern of life/network graph analysis ... • IPsec IKE vulnerable](https://reader030.vdocuments.net/reader030/viewer/2022011800/5ad70cdc7f8b9ab8378bae21/html5/thumbnails/40.jpg)
Using Anonymity Tools
![Page 41: Electronic Opsec - HackCon - The Norwegian Cyber … - Zoz - Electronic Opsec.pdf · • Browser fingerprint ... pattern of life/network graph analysis ... • IPsec IKE vulnerable](https://reader030.vdocuments.net/reader030/viewer/2022011800/5ad70cdc7f8b9ab8378bae21/html5/thumbnails/41.jpg)
Case Study: LulzSec/AntiSec
![Page 42: Electronic Opsec - HackCon - The Norwegian Cyber … - Zoz - Electronic Opsec.pdf · • Browser fingerprint ... pattern of life/network graph analysis ... • IPsec IKE vulnerable](https://reader030.vdocuments.net/reader030/viewer/2022011800/5ad70cdc7f8b9ab8378bae21/html5/thumbnails/42.jpg)
IRC WITHOUT TOR...
...NOT EVEN ONCE
![Page 43: Electronic Opsec - HackCon - The Norwegian Cyber … - Zoz - Electronic Opsec.pdf · • Browser fingerprint ... pattern of life/network graph analysis ... • IPsec IKE vulnerable](https://reader030.vdocuments.net/reader030/viewer/2022011800/5ad70cdc7f8b9ab8378bae21/html5/thumbnails/43.jpg)
• Don’t Fail Unsafe With Tor
• Always Check What You’re Exposing
• OPSEC Is 24/7
Moral:
![Page 44: Electronic Opsec - HackCon - The Norwegian Cyber … - Zoz - Electronic Opsec.pdf · • Browser fingerprint ... pattern of life/network graph analysis ... • IPsec IKE vulnerable](https://reader030.vdocuments.net/reader030/viewer/2022011800/5ad70cdc7f8b9ab8378bae21/html5/thumbnails/44.jpg)
Case Study: Harvard Bomb Hoax
![Page 45: Electronic Opsec - HackCon - The Norwegian Cyber … - Zoz - Electronic Opsec.pdf · • Browser fingerprint ... pattern of life/network graph analysis ... • IPsec IKE vulnerable](https://reader030.vdocuments.net/reader030/viewer/2022011800/5ad70cdc7f8b9ab8378bae21/html5/thumbnails/45.jpg)
What Messed It Up?
• Harvard Network Registration
• Outgoing Traffic Logs
• Pervasive Surveillance Microcosm
• Corporate Parallels
• Moral:
• Bridge Relays
• Traffic Analysis Preparation
![Page 46: Electronic Opsec - HackCon - The Norwegian Cyber … - Zoz - Electronic Opsec.pdf · • Browser fingerprint ... pattern of life/network graph analysis ... • IPsec IKE vulnerable](https://reader030.vdocuments.net/reader030/viewer/2022011800/5ad70cdc7f8b9ab8378bae21/html5/thumbnails/46.jpg)
Case Study: Silk Road/DPR
![Page 47: Electronic Opsec - HackCon - The Norwegian Cyber … - Zoz - Electronic Opsec.pdf · • Browser fingerprint ... pattern of life/network graph analysis ... • IPsec IKE vulnerable](https://reader030.vdocuments.net/reader030/viewer/2022011800/5ad70cdc7f8b9ab8378bae21/html5/thumbnails/47.jpg)
What Messed It Up?
?
![Page 48: Electronic Opsec - HackCon - The Norwegian Cyber … - Zoz - Electronic Opsec.pdf · • Browser fingerprint ... pattern of life/network graph analysis ... • IPsec IKE vulnerable](https://reader030.vdocuments.net/reader030/viewer/2022011800/5ad70cdc7f8b9ab8378bae21/html5/thumbnails/48.jpg)
Case Study: Operation Onymous
![Page 49: Electronic Opsec - HackCon - The Norwegian Cyber … - Zoz - Electronic Opsec.pdf · • Browser fingerprint ... pattern of life/network graph analysis ... • IPsec IKE vulnerable](https://reader030.vdocuments.net/reader030/viewer/2022011800/5ad70cdc7f8b9ab8378bae21/html5/thumbnails/49.jpg)
What Messed It Up?
• Attacking relays active January 30 – July 4
• Stained Tor protocol headers
• Allows retroactive deanonymization
• Waited to get HSDir & Entry Guard flags
• Injected covert message between them to deanonymize HSs
• Fixed July 2014
![Page 50: Electronic Opsec - HackCon - The Norwegian Cyber … - Zoz - Electronic Opsec.pdf · • Browser fingerprint ... pattern of life/network graph analysis ... • IPsec IKE vulnerable](https://reader030.vdocuments.net/reader030/viewer/2022011800/5ad70cdc7f8b9ab8378bae21/html5/thumbnails/50.jpg)
Low Latency Is A Compromise
• Timing/Traffic Correlation attacks and temporal graph methods will always be possible
• Plan accordingly
![Page 51: Electronic Opsec - HackCon - The Norwegian Cyber … - Zoz - Electronic Opsec.pdf · • Browser fingerprint ... pattern of life/network graph analysis ... • IPsec IKE vulnerable](https://reader030.vdocuments.net/reader030/viewer/2022011800/5ad70cdc7f8b9ab8378bae21/html5/thumbnails/51.jpg)
Living With Your Personal Snitch
• How Does Your Phone Betray You? Let Me Count The Ways...
• Metadata
• Location
• Contacts
• Networks
• Unique Identifiers
• Cookies
• Searches
• Weak Crypto
• Repeated Access
• Autoconnect (Pineapple’s BFF)
• Apps
• Pattern Of Life
![Page 52: Electronic Opsec - HackCon - The Norwegian Cyber … - Zoz - Electronic Opsec.pdf · • Browser fingerprint ... pattern of life/network graph analysis ... • IPsec IKE vulnerable](https://reader030.vdocuments.net/reader030/viewer/2022011800/5ad70cdc7f8b9ab8378bae21/html5/thumbnails/52.jpg)
![Page 53: Electronic Opsec - HackCon - The Norwegian Cyber … - Zoz - Electronic Opsec.pdf · • Browser fingerprint ... pattern of life/network graph analysis ... • IPsec IKE vulnerable](https://reader030.vdocuments.net/reader030/viewer/2022011800/5ad70cdc7f8b9ab8378bae21/html5/thumbnails/53.jpg)
TOP SECRET//COMINT//REL TO USA, FVEY
TOP SECRET//COMINT//REL TO USA, FVEY
Example of Current Volumes and Limits
5
TOP SECRET//COMINT//REL TO USA, FVEY
TOP SECRET//COMINT//REL TO USA, FVEY
Dupe Methodology Compare records within various time windows that share
identical selectors and locations, specifically: LAC CellID VLR DesigChannelID IMEI ESN IMSI MIN TMSI MDN CLI ODN MSISDN RegFMID CdFMID CgFMID RegGID CdGID RegIID Kc CdIID CgIID MSRN Rand Sres Opcode RQ1 XR1 Q_CK1 Q_IK1 AU1 NewPTMSI OSME DSME RTMSI PDP_Address TEID TLLI PTMSI PDDG
28
“We kill people based on metadata.”--NSA/CIA Director Michael Hayden
![Page 54: Electronic Opsec - HackCon - The Norwegian Cyber … - Zoz - Electronic Opsec.pdf · • Browser fingerprint ... pattern of life/network graph analysis ... • IPsec IKE vulnerable](https://reader030.vdocuments.net/reader030/viewer/2022011800/5ad70cdc7f8b9ab8378bae21/html5/thumbnails/54.jpg)
From Phone To Target
• Network analysis:
• Beware closed loops
• Falsify network without “pizza nodes”
• Metadata analysis is primarily temporal
• Manage latency and apparent causality
![Page 55: Electronic Opsec - HackCon - The Norwegian Cyber … - Zoz - Electronic Opsec.pdf · • Browser fingerprint ... pattern of life/network graph analysis ... • IPsec IKE vulnerable](https://reader030.vdocuments.net/reader030/viewer/2022011800/5ad70cdc7f8b9ab8378bae21/html5/thumbnails/55.jpg)
Phone Alternative• Unavoidable phone compromises:
• Cell tower tracking
• IMSI catcher interception
• Baseband/SIM vulns
• iPod Touch:
• No Android
• Turn off iCloud backup
• Comms:
• VPN
• Signal (Redphone/TextSecure)
• ChatSecure/Tor (experimental), Wickr
![Page 56: Electronic Opsec - HackCon - The Norwegian Cyber … - Zoz - Electronic Opsec.pdf · • Browser fingerprint ... pattern of life/network graph analysis ... • IPsec IKE vulnerable](https://reader030.vdocuments.net/reader030/viewer/2022011800/5ad70cdc7f8b9ab8378bae21/html5/thumbnails/56.jpg)
Messaging
• After All These Years, E-Mail Still Sucks
• Spam Fighting Aids Tracking
• Non-TLS Mail Still Abounds
• Link Encryption Only, Weak Server-Side Storage
• End-to-end Encrypted Content Not Metadata
• Insecure Client-Side Logging
• Bad Retention Habits
• Psycho Ex Principle
![Page 57: Electronic Opsec - HackCon - The Norwegian Cyber … - Zoz - Electronic Opsec.pdf · • Browser fingerprint ... pattern of life/network graph analysis ... • IPsec IKE vulnerable](https://reader030.vdocuments.net/reader030/viewer/2022011800/5ad70cdc7f8b9ab8378bae21/html5/thumbnails/57.jpg)
Secure Messaging Alternatives
• OTR Jabber
• Ricochet
• Cryptocat
• Bitmessage
• Retroshare
• We Need More:
• Auditing
• Steganography
![Page 58: Electronic Opsec - HackCon - The Norwegian Cyber … - Zoz - Electronic Opsec.pdf · • Browser fingerprint ... pattern of life/network graph analysis ... • IPsec IKE vulnerable](https://reader030.vdocuments.net/reader030/viewer/2022011800/5ad70cdc7f8b9ab8378bae21/html5/thumbnails/58.jpg)
So what if I’m a glasshole? You are too.
![Page 59: Electronic Opsec - HackCon - The Norwegian Cyber … - Zoz - Electronic Opsec.pdf · • Browser fingerprint ... pattern of life/network graph analysis ... • IPsec IKE vulnerable](https://reader030.vdocuments.net/reader030/viewer/2022011800/5ad70cdc7f8b9ab8378bae21/html5/thumbnails/59.jpg)
Stylometrics
• Resist Providing A Corpus
• Obfuscate
• Machine Translate
• Imitate
• Alpha Tools: JStylo/Anonymouth
![Page 60: Electronic Opsec - HackCon - The Norwegian Cyber … - Zoz - Electronic Opsec.pdf · • Browser fingerprint ... pattern of life/network graph analysis ... • IPsec IKE vulnerable](https://reader030.vdocuments.net/reader030/viewer/2022011800/5ad70cdc7f8b9ab8378bae21/html5/thumbnails/60.jpg)
Spy Malware Goes Mainstream
• 2010: Acoustic airgap-jumping malware theorized
• 2012: Flame state-sponsored espionage malware identified, jumps airgap with Bluetooth
• 2013: Fraunhofer demonstrates POC of covert acoustical mesh networks
• Including acoustical multi-hop keylogger
• 2014: SilverPush develops ultrasonic “audio beacons” embedded in ads to enable cross-device tracking
Hanspach & Goetz: On Covert Acoustical Mesh Networks In
Air, 2013
![Page 61: Electronic Opsec - HackCon - The Norwegian Cyber … - Zoz - Electronic Opsec.pdf · • Browser fingerprint ... pattern of life/network graph analysis ... • IPsec IKE vulnerable](https://reader030.vdocuments.net/reader030/viewer/2022011800/5ad70cdc7f8b9ab8378bae21/html5/thumbnails/61.jpg)
![Page 62: Electronic Opsec - HackCon - The Norwegian Cyber … - Zoz - Electronic Opsec.pdf · • Browser fingerprint ... pattern of life/network graph analysis ... • IPsec IKE vulnerable](https://reader030.vdocuments.net/reader030/viewer/2022011800/5ad70cdc7f8b9ab8378bae21/html5/thumbnails/62.jpg)
Beware New Data Sources
![Page 63: Electronic Opsec - HackCon - The Norwegian Cyber … - Zoz - Electronic Opsec.pdf · • Browser fingerprint ... pattern of life/network graph analysis ... • IPsec IKE vulnerable](https://reader030.vdocuments.net/reader030/viewer/2022011800/5ad70cdc7f8b9ab8378bae21/html5/thumbnails/63.jpg)
Digital surveillance is a public-private
partnershipOPSEC is 24/7
![Page 64: Electronic Opsec - HackCon - The Norwegian Cyber … - Zoz - Electronic Opsec.pdf · • Browser fingerprint ... pattern of life/network graph analysis ... • IPsec IKE vulnerable](https://reader030.vdocuments.net/reader030/viewer/2022011800/5ad70cdc7f8b9ab8378bae21/html5/thumbnails/64.jpg)