Online opsec

Thoughts about online "operations security" for mere mortals

Posted by Antti Peltonen on 25 March 2018

Discussion comes up quite often about balancing one's online footprint against one's sanity, so I would like to write down a longer response than one tweet here, on my blog, about what I think of the subject matter.

First, let's start by defining a few terms:

  1. Online presence, digital footprint, trail of bread crumbs (or web cookie crumbs?) or however you wish to classify it means whatever trails you leave while travelling on the information highway. This includes things like web surfing (even with incognito mode enabled).
  2. Joe Average is someone not working in "the scene", or who otherwise has had no particular reason to take a closer look at their digital footprint. Your average Joe with his online banking and porn surfing habit really does have a completely different threat landscape than a diplomat, security researcher or a government official.
  3. Opsec, or "OPerations SECurity", is a collection of practices, methods and tools that people and organizations use to keep their exposure to a minimum while they go about their activities.
  4. Threat vectors and actors (I am oversimplifying here) describe where certain threats are coming from. For example, if you consider Facebook a threat, steer clear of Like buttons on web sites or Facebook will know where you have been. Easier said than done without some technological know-how, and the worse part is that you do not even need to click the button to leak that information: the button is loaded from Facebook's servers, so merely rendering the page sends Facebook your cookies together with the address of the page you are on.

Second, this is what the threat vectors look like during normal web surfing:

  1. You are being tracked. It does not matter whether you use social media or not, they still track you. Search engines track you. Advertisers track you. Your behaviour is a commodity that can be packaged and sold for good money.
  2. If you happen to live in a more totalitarian country, it is possible that your employer or even your government is tracking you.
  3. Malicious pieces of code try to infect your browser in the hope of gathering even more details about you, including bank account details, credit card details and the like.

Joe Average

So what can an average Joe do to stop all that tracking? Nothing. Plain and simple. You are tracked, you will be tracked in the near future and there is nothing you can do about it, period. Bleak, is it not? It is a disconcerting idea that you are tracked, monitored and your personality is prised apart and sold as a commodity, but that is how it is at the moment. Some things you cannot even do without a Facebook account. Even some schools have classes where the material is shared only in closed Facebook groups (bad practice, by the way), but that is the unfortunate landscape of the World Wide Web today. And even if the WWW is only a subset of the Internet, it is what the majority of the public mean by "internet" or "web". One simply has to accept a certain loss of privacy if one expects to use the Internet. Even if you stopped using a cellphone and the Internet today, chances are some information about you still leaks out as more and more traditional industries digitalize their operations, and you have to buy bread and milk somewhere.

If stopping the spying is not possible, then what should one do? Well, limiting the exposure is always a good idea, so the basic opsec rules for average Joe are:

  1. Use incognito mode when using online banking, or when researching a new personal subject such as self-diagnosing illnesses, pregnancy or other things that you would not necessarily share with others in normal discourse. Surfing adult entertainment in the relative safety of incognito mode is always a good idea too. Incognito mode does not actually stop tracking: your IP address, your ISP and browser fingerprinting are untouched by it. What it does is discard the cookies and site data of that window when you close it, so trackers cannot tie that session to your everyday browsing through the cookies they normally rely on. That makes tracking several degrees harder, and usually more trouble than it is worth for the threat actors average Joe needs to be concerned about.
  2. Install extensions in your browser to make life harder for most trackers during normal-mode web surfing. Good examples are ad blockers and the EFF's wonderful "Privacy Badger" extension, which learns which third-party domains follow you across unrelated sites and blocks them.
  3. Never, ever, do anything on a public WiFi network, in cafés or similar, without some protection. This is 100% comparable to taking a one-night stand home and not using any protection. In this case something like a VPN is a must, and there are several providers out there, even if it takes some research to find a suitable one. Bear in mind that a VPN does not remove the need to trust somebody; it moves that trust from the café's network to the VPN provider, who now sees all of your traffic, so the provider's logging policy matters. There are bad apples out there and some really good ones.
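To make the Like-button point and the Privacy Badger rule concrete, here is an added example (not code from the original post and not Privacy Badger's own code) of the kind of heuristic such an extension applies. It works over a constructed list of third-party requests observed while loading several first-party pages, and flags a third-party domain as a tracker once it has been seen carrying an identifying cookie on three or more unrelated first-party sites. The threshold of three, the low-entropy cookie list, the minimum cookie value length and the naive "last two labels" registrable-domain rule are all assumptions made for this example.

```javascript
// Simplified cross-site tracker detection, in the spirit of Privacy Badger's
// "seen on three or more unrelated sites" rule. Added example; thresholds,
// domain rule and sample data are assumptions, not anything from the extension.

// Constructed sample: each record is one third-party request seen while a
// first-party page was loading. A "Like" button on news.example makes such a
// request to social.example whether or not you ever click it, and the request
// carries social.example's cookie plus the page address in the Referer header.
const observedRequests = [
  { firstParty: "news.example",  thirdParty: "social.example",      cookie: "c_user=100004412" },
  { firstParty: "shop.example",  thirdParty: "social.example",      cookie: "c_user=100004412" },
  { firstParty: "blog.example",  thirdParty: "social.example",      cookie: "c_user=100004412" },
  { firstParty: "news.example",  thirdParty: "ads.example",         cookie: "id=5f3a9b77" },
  { firstParty: "forum.example", thirdParty: "ads.example",         cookie: "id=5f3a9b77" },
  { firstParty: "news.example",  thirdParty: "cdn.example",         cookie: null },
  { firstParty: "shop.example",  thirdParty: "cdn.example",         cookie: null },
  { firstParty: "blog.example",  thirdParty: "cdn.example",         cookie: null },
  { firstParty: "news.example",  thirdParty: "analytics.example",   cookie: "lang=en" },
  { firstParty: "shop.example",  thirdParty: "analytics.example",   cookie: "lang=en" },
  { firstParty: "blog.example",  thirdParty: "analytics.example",   cookie: "lang=en" },
  { firstParty: "news.example",  thirdParty: "static.news.example", cookie: "session=9c1d2e3f" },
];

// Assumption: no public suffix list here; the last two labels are treated as
// the registrable domain. Wrong for e.g. co.uk, good enough for this example.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".").filter(Boolean);
  return labels.slice(-2).join(".");
}

// Cookie values that cannot single out one browser (assumed list).
const LOW_ENTROPY_VALUES = new Set(["", "0", "1", "true", "false", "yes", "no", "en", "us"]);
const MIN_IDENTIFYING_LENGTH = 6; // assumed threshold

// A cookie can link your visits together only if its value identifies you.
// Looks at the first name=value pair of the Cookie header.
function isIdentifyingCookie(cookie) {
  if (!cookie) return false;
  const value = cookie.split(";")[0].split("=").slice(1).join("=").trim();
  if (LOW_ENTROPY_VALUES.has(value.toLowerCase())) return false;
  return value.length >= MIN_IDENTIFYING_LENGTH;
}

// Returns the third-party domains seen with an identifying cookie on at least
// `threshold` distinct first-party sites, sorted alphabetically.
function findTrackers(records, threshold = 3) {
  const sightings = new Map(); // third-party domain -> Set of first-party domains
  for (const r of records) {
    const site = registrableDomain(r.firstParty);
    const tp = registrableDomain(r.thirdParty);
    if (site === tp) continue;                      // first-party resource, not tracking
    if (!isIdentifyingCookie(r.cookie)) continue;   // nothing to link visits with
    if (!sightings.has(tp)) sightings.set(tp, new Set());
    sightings.get(tp).add(site);
  }
  return [...sightings]
    .filter(([, sites]) => sites.size >= threshold)
    .map(([domain]) => domain)
    .sort();
}

console.log("trackers:", findTrackers(observedRequests));
```

Run it with `node` and only social.example is flagged: cdn.example sets no cookie, analytics.example's cookie carries no identifier, static.news.example is first-party, and ads.example has so far been seen on only two sites. Lower the threshold to 2 and ads.example appears as well, which is exactly the trade-off an extension like this makes between catching trackers early and breaking legitimate third-party services.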

They still track you, but the most advanced threats are not Joe Average's concern anyway. You should, however, be relatively safe from malware and phishing, even if a behaviour profile is still being built from your habits and sold to advertisers and the like; the ad blocker will at least see to it that you don't see those ads. The idea here is to lower one's stress level and not have a heart attack thinking about online tracking every time the news or social media streams flood our senses with terror-inducing articles.

My personal flavor

I follow what I preach on most days. Usually the threats concerning me are the same as any average Joe's. However, there are instances when I need to put in some extra effort to obscure what I am doing, for one reason or another, so I have collected a small toolkit of things:

  1. Tor, The Onion Router. Ironically, onion routing was originally developed at the US Naval Research Laboratory to keep government users' traffic hidden. Tor's effectiveness is also called into question from time to time, so knowing how and when to use it is key. Using the Tails Linux distribution, for example, is a good starting point.
  2. VPNs are a must, in the plural. I don't trust just one.
  3. "Jump box" servers around the world: servers or other machines in different locations on Earth that I can use for multiple different tasks.
  4. Encrypted chats or other forms of OTR (off-the-record) communication. When you need to get in touch with someone and do not wish to have any record of it anywhere, you do not use Facebook Messenger or Skype to do so.
  5. A "burner" laptop or phone is an extreme measure for extreme situations that, luckily, have never come up for me personally. I do have several laptops that I use in different contexts. For example, I have one laptop that I use only at security and hacker oriented conferences, and it never touches my home network again.

My opsec, as mentioned, is usually the same as any average Joe's, but when I need some extra privacy and security I go to my bag of tricks and pull out one of them, or a combination. I am not going to describe my protocols here in more detail, as that would somewhat negate the reason I have them in the first place, and also because using these tools effectively requires quite extensive knowledge.

Be smart, stay safe, it does not require much.