Hello guys...Few Words about your Security. Opsec Tut part 1
Enjoy
Basic Computer Security
What if one day your computer was ever stolen from your home, hotel room or rental car? What if it was borrowed by a friend of yours/family relative and lost or forgotten at school or on the bus? What if you were robbed and your backpack stolen? What if the police ever raided your home and took control of your digital devices to conduct a thorough investigation, that could potentially leave you in a dire situation, where you could face years in prison? What if any of a thousand scenarios occurred that resulted in you losing physical control, whether permanently or temporarily, of your computer? In any of these instances the new “owner” of the computer may try to take a look at your data. What will they find there?
On my fully encrypted Windows, Mac, and Linux laptops they would find nothing but a blank screen prompting them for a boot password. My entire hard drives, including the operating system, are encrypted and the devices will not boot without the correct password. Replace my computer with that of most users, and the answer is likely to be credit reports, medical documents, resumes, family photos, saved logins, credit cards, financial information, internet browsing history, hobbies, sexual affinities, criminal evidence, and much more. All of this information, can be used to harass, blackmail, extort, or further exploit you. It could be used to steal your identity, open lines of credit, or commit crimes in your name, leaving you to clean up the mess.
For any of us committing fraud and other similar criminal activities online, this information WILL be used in court to put you in jail for many years. Unfortunately, the US government has a reputation for not going easy on cyber-criminals and if you ever get caught, be sure they will do everything in their power to land you in jail for as many years as they possibly can.
Although basic security is boring, without we cannot rely on the more “advanced” security measures we discuss later in this tutorial. This chapter should serve as a good review of your baseline digital perimeter.
All of the techniques that will be presented in this tutorial, rely upon the assumption that you have a desktop computer that is reasonably secure and free of malware. If your computer is in any way, infected with malware, or is at risk for malware infection, you should fix this before continuing. Some of the most common forms of malware are Spyware, Key Loggers, Ransomware, and Scareware. Simple Google searches will explain you further about each of these viruses if you so wish to read more about it, I will not get into that.
WHICH OPERATING SYSTEM SHOULD I USE?
This is probably THE most important aspect of your security. If you are using an OS, which is closed-source, full of exploitable bugs and easy to hack into, then you are in for a lot of headache. I see a lot of cyber-criminals working with Windows and Mac, and let me tell you, this is absolutely wrong. If you want to be a criminal, then do your homework. Both of these operating systems are closed-source, which means only the developers of Microsoft and Apple are able to look and modify the code of the operating system. This is really bad because we don’t know what kind of backdoors there may be in these operating systems. Law Enforcement agencies could very well have easy access to devices running these OSs. This was the case with Windows 8 recently, where it was found that NSA had a backdoor into it, which in turn allowed them to control and monitor any machine running the operating system. See where I’m going with this?
This is not the only problem with these operating systems. Windows is full of zeroday exploits, bugs, and every single day THOUSANDS of new viruses and exploits are deployed for the Windows OS. The reason for that is because the majority of the world population uses Windows, which means hackers can infect a lot more computers, and earn much more money with Windows than with any other OS.
Mac is definitely much more secure than Windows, and Apple has been firm in their stance to not cooperate with authorities. We’ve seen this recently when the FBI contacted them so they could build a backdoor into the iPhone OS and open the terrorist’s iPhone and Apple refused. However, one common misconception I see a lot is that people think Mac computers are simply immune to viruses, and that is completely wrong. Mac computers are as vulnerable to viruses as any other OS. They just have a much smaller user base than Windows, and so developing viruses and exploits for the Mac OS, is not even close to being profitable like it is with Windows machines. Windows machines are used everywhere, Macs are not. There are exploitable flaws in all operating systems and OS X is no exception.
For us cyber-criminals, the best operating system BY FAR, is Qubes OS. This operating system allows us to run isolated environments. It is basically a giant virtual box. You can run different OSs in Qubes as different virtual machines. For example, we have a virtual machine for the Whonix OS, another for Fedora, Debian, and those are only the VMs that come pre-installed with the OS. You can install Kali Linux in Qubes, Windows, and all kinds of different OSs. If one of these VMs ever get compromised by a virus, we are okay. We simply delete the VM and create a new one. If you want to learn more about the Qubes OS, then navigate to the link below, it is full of tutorials and even videos about the OS so you can get a good look at what we’ll be working with.
https://www.qubes-os.org/doc/
Qubes has a very small compatibility range and so will not work with most computers unfortunately. However, if you want to become truly a professional cyber-criminal, then I highly recommend you invest in a new computer. Don’t be lazy or close-fisted with security, as that will lead to problems and much headache for you in the future, trust me on that. Below are the laptops I recommend, from best (most expensive) to worst (cheapest). All of them work perfectly with the current Qubes 4.0. All of the prices were taken from Amazon at the time of this writing, so keep in mind, you may get cheaper, or more expensive.
LENOVO THINKPAD X1 CARBON 5TH GEN ($1845): This laptop is absolutely amazing, and if you have money to buy it, then do it. It’s totally worth it, as it will last you for many years to come. This was voted the best business laptop at CES 2018. The performance of this laptop is absolutely incredible and will make your work incredibly smooth and easy. This is the laptop that I currently use and the one I recommend to all my clients on top of every other one.
LENOVO THINKPAD T460P ($1350): Also works perfectly with Qubes 4.0 and the performance is amazing. The one above is much better, but if you want to get this one instead and save some money, I’d say go ahead.
LENOVO THINKPAD T450S ($530): This laptop is also very good, although the performance of the above one is much better, this one does boast some impressive features. You can get it on Amazon for very cheap. It comes with i7 processor, 8GB RAM, 256GB SSD (you may want to upgrade the SSD). I have tested this computer with Qubes 4.0 and it also works perfectly and smooth.
LENOVO THINKPAD X230 ($235): This is a last resort type of laptop, and you should only get it if you’re really low on money. The performance will be terrible, but definitely usable. Qubes 4.0 runs perfectly with it, and everything works exactly as it should, just really slow due to the old processor and low memory. If you’re thinking of buying this laptop, keep in mind you will most likely need to upgrade some of the components to make it run smoothly.
CAMERA AND MICROPHONE
You should seriously consider physically disabling the camera on your computer. On machines that permit opening of the case, I prefer to physically disconnect cameras and microphones to ensure they are not being eavesdropped upon. In the case of laptops, this means opening the case and physically severing connections to the camera and microphone. This may sound like an extreme measure, but software protections like disabling the microphone or turning on a light when the camera is on can be overridden by sufficiently sophisticated spyware. Disabling the hardware is the only sure defense, but I realize that the vast majority of individuals will not take it this far. At a minimum, I recommend blocking the camera with tape, a post-it note, or a dedicated sticker.
PHYSICAL SECURITY
With physical access to your device, there are a number of attacks that may be carried out successfully against your computer. This includes the “Evil Maid” bootloader attack to capture your full disk encryption password. USB or optical media attacks work by bypassing your OS password, or the installation of hardware key loggers that cannot be detected by antivirus applications. Though I will not get much in-depth into this, I will give you some basic suggestions to secure yourself against these type of attacks.
I strongly recommend that you carefully control the physical access to your computer, especially when traveling. Though it would be possible for someone to covertly enter your home and exploit your computer, it is not very likely. It is much more likely when traveling, so be especially cautious in hotel rooms. Even though you have locked the door, hotel doors and locks are susceptible to dozens of defeats, not to mention the fact that management, housekeeping, and maintenance all have operating keys to your room. Do not walk away from your computer to go to the restroom in a coffee shop. Do not leave it in your rental car, and do not leave it sitting in the conference room when you break for lunch. If you must leave it unattended in a hotel room or elsewhere, take the following physical security precautions:
o Turn off ALL interfaces including Wi-Fi and Bluetooth. o Ensure your computer is full-disk encrypted and completely shut down o Remove all external media including CDs/DVDs, SD cards, USB drives, external HDDs, etc. and take them with you. o Take any transmitting devices, such as a wireless mouse and its dongle, with you when you leave o Store your computer inside of a safe.
All of these precautions will give you a fighting chance. However, against a very skilled adversary, they cannot guarantee your computer’s security. Again, the absolute best practice is to avoid relinquishing physical control of your devices.
OS UPDATES
Keeping your operating system up to date is one of the most important steps in securing a computer. As software ages, security holes are discovered in it, and attacks are written to take advantage of these holes. Though software updates are occasionally released to add features and to deal with bugs, they are often written specifically to patch security holes. If your software is outdated, it is vulnerable to holes that are, in addition to everything else, well-publicized by virtue of the fact that a patch exists to fix them.
In Qubes OS, you should check for updates on all of your TemplateVMs and dom0 on a DAILY basis. This should take no more than 30 minutes if no major updates were released.
APPLICATION UPDATES
Just as vulnerabilities in the operating system may be exploited, security holes in your installed programs can be used as attack vectors. It is important to keep all software up to date. It is also extremely important to limit the number of installed applications on your device to an absolute minimum. Each application represents potential undiscovered security flaws. I recommend scrubbing your list of installed applications every three months and uninstalling anything you have not used during the previous three-month period.
Your internet browser serves as your computer’s ambassador to the internet. How it presents itself to the websites you visit and their third-party advertisers will, to some extent, influence how those sites and advertisers will behave in return. More importantly, the setup of your browser will certainly dictate what browsing information your computer stores. Setting up your browser is an important step in controlling your virtual security perimeter and protecting your personal privacy.
The first browser setup we will look at is for the protection of your privacy, and so we will try to limit as much as we can the information that is collected from your browsing sessions. If you wish to look at a browser setup for fraud related activities, then I will discuss that at the end of this chapter. I wouldn’t skip this one though as it is very important for using the web normally, when you are not doing anything fraudulent.
THE THREATS
COOKIES: These are perhaps the most common means through which your browsing sessions are tracked. Cookies are small pieces of data placed on your computer by the websites you visit. They are placed there to be helpful. Cookies remember which links you have clicked, the products you have looked at, and sometimes your login information. You may be already logged in when you visit a page again. Accepting cookies is almost always required to complete a purchase or other transaction on a webpage. If your browser won’t accept a cookie, the site you are visiting cannot remember what items are in your cart.
Unfortunately, cookies are capable of doing much more than remembering which videos you have previously viewed on a website. Cookies can also be used to spy on you. Third-party cookies are not placed on your machine by each site you visit, but by a third-party that is partnered with the “host” site. They are purely for analytical purposes and track your browsing from site to site. Some popular websites may allow as many as 40 third party cookies to be installed when you visit their site. Each one of these can record your username, account name, IP address (which can be resolved to your physical location), and each site that you visit. All of this can be used to create a comprehensive picture detailing your online activity.
Making matters worse, these cookies are also very persistent. Cookies are usually designed to last 90 days before they expire (some last longer). During the entire 90-day period the cookie may be used to track you. If you revisit the site where you got the cookie, a new one is installed and the 90-day clock resets. In this way cookies can be used to track users more or less over a lifetime.
I personally recommend clearing cookies frequently and never accepting thirdparty cookies.
BROWSER FINGERPRINTING: This is the process of identifying enough specific characteristics about a browser to make it unique or nearly unique. Though this fingerprint may not positively identify you, it can be used to create a very comprehensive picture of what content you frequent. If you have been, or subsequently are, positively identified, this information can be directly correlated to you.
The factors used to fingerprint a browser are many, and most of the reasons they are requested are legitimate. The sites you are visiting must know some of this information to allow sites to present and function properly with your device. These factors include your screen size and resolution, the fonts you have installed on your device, the time zone to which your computer is set, any add-ons that you have installed, cookie settings, and your browser and operating system details.
Browser fingerprinting is an extremely dangerous form of tracking because it is very difficult to defeat. While you can refuse to accept cookies it is very difficult to change your screen resolution. I will give you some advices to offer some light protection against this form of tracking. The EFF foundations has an excellent browser fingerprinting tool that will tell you how unique your browser is, as well as an excellent white-paper on the topic. I will leave the link to it below.
https://panopticlick.eff.org
WHICH BROWSER SHOULD I USE FOR PRIVACY?
If you wish to setup a browser for maximum security and privacy, I recommend Firefox. The reason for that is, Firefox offers the greatest control over security and privacy settings, and there are numerous add-ons for it that can harden the security of your browser.
The first and most basic step you should take is to ensure your browser is up to date. Outdated browsers with security holes are an extremely common attack vector. Browser updates are issued frequently to patch these vulnerabilities as they are discovered. Once you have ensured your browser is up to date, some settings must be modified to ensure the greatest possible privacy and security. Go to the Firefox Options and change the settings below.
o Change your homepage to https://google.com. Millions of people use this as their homepage and it is completely non-alerting. o Change the downloaded files location from the “Downloads” folder to an encrypted location. o Under Privacy, turn off do not track. Websites have absolutely no obligation to honor your requests, and in fact, they rarely do. We will take much more aggressive steps to ensure we are not being tracked. However, you may elect to tell sites that you do not wish to be tracked if you so wish. o Under History, select “Use custom settings for history” from the pull-down menu. Then, uncheck “Always use private browsing mode” and “Remember my browsing and download history” and “Remember search and form history”. This will prevent Firefox from remembering any history after your browsing session has closed. o Next, still under History, check the box that says “Accept cookies from sites”. This will allow cookies from the websites you visit. Without cookies, it is very difficult to make purchases, use online streaming services, or enjoy many of the other potential benefits of the internet. Though accepting cookies is not ideal, we will take steps to get rid of them upon closing Firefox. Next, under the “Accept cookies from third-party sites” drop-down, select “Never”. Thirdparty sites are sites that you have not visited but that are still attempting to track internet usage for marketing purposes. There is no need to accept their cookies since you have not visited these websites. Under “Keep until” (which refers to how long cookies are retained), select “I close Firefox”. By default, cookies may last 30, 60, or as long as 90 days, and may track your browsing sessions throughout that entire period. This option will ensure they are not saved after your browsing session has ended. After that, check the box that says “Clear history when Firefox closes”.
Before moving on click the “Settings” box to the right. This will bring up an entirely new dialogue that gives you very granular control of the items that Firefox clears upon closing. They are Browsing and Download History, Active Logins, Form & Search History, Cookies, Cache, Saved Passwords, Site Preferences, and Offline Website Data. Select all of them and click OK to close the dialogue. Finally, under “Location Bar” uncheck History, Bookmarks, and Open Tabs. o Under Security check “Warn me when sites try to install add-ons” box. Next, deselect both the “Block reported attack sites” and “Block reported web forgeries” options. Both of these options could allow Firefox to track your web activity by sending the sites you visit to Mozilla for vetting against a whitelist. Though I don’t personally distrust Mozilla or Firefox, I still prefer to send them as little information about my browsing sessions as possible. Finally, deselect the “Remember passwords for sites” and “Use a master password”.
FIREFOX ABOUT:CONFIG
Go to the address bar, and type about:config. This will open a menu where powerusers can make many adjustments to the application. Bypass the warning, and look for these values, change them accordingly.
media.peerconnection.enabled – SET IT TO FALSE network.prefetch-next – SET IT TO FALSE network.http.sendRefererHeader – SET IT TO TRUE browser.send_pings – SET IT TO FALSE beacon.enabled – SET IT TO FALSE geo.enabled – SET IT TO FALSE webgl.disabled – SET IT TO TRUE pdfjs.disabled – SET IT TO TRUE plugins.notifymissingflash – SET IT TO FALSE security.cert_pinning.enforcement_level – SET IT TO 1 network.IDN_show_punycode – SET IT TO TRUE
FIREFOX ADD-ONS
Add-ons are small programs that can be added to Firefox. There are thousands of add-ons for Firefox and most of them are not designed to enhance your privacy or security. The add-ons listed here make Firefox more private and more secure, make it more difficult for your browsing history to be tracked, and reduce the possibility of certain types of malicious attacks successfully targeting you. I won’t get much in-depth into each one of them, I will just list them here, if you wish to read more about each one of them and their features, look them up on Google. I recommend you install each one of these on your browser for maximum privacy. DO NOT USE THESE FOR FRAUD ACTIVITIES, AS THAT WILL 100% LEAD TO A DECLINED TRANSACTION. FRAUD BROWSER SETUP IS AT THE END OF THIS CHAPTER.
o NO-SCRIPT o HTTPS EVERYWHERE o UBLOCK ORIGIN o COOKIE AUTODELETE o USER-AGENT SWITCHER o CANVASBLOCKER
TOR BROWSER
Though it is nearly impossible to be completely anonymous online, Tor is as close as you can get. No discussion of online privacy would be complete without a thorough discussion of Tor. Tor prevents your internet service provider, third-party advertisers and trackers, and even governments from seeing what you’re up to online. Tor is typically demonized in the media as a tool for terrorists and criminals, but hypocritically enough, it was originally developed by the US Navy.
I will give you a brief explanation of the more technical aspects of how Tor provides the anonymity it offers. When using the Tor browser, the traffic you request is not sent straight to and from the website you wish to visit. Instead, Tor makes your traffic anonymous by routing it through three intermediary servers (called nodes) prior to sending the request to the desired website. When you first open Tor Browser, a connection is made with a server (called a directory server) that receives your request. This server will then build your custom network. Traffic is encrypted from the user device, through the network, and is only fully decrypted when it leaves the network en route to its intended destination.
Your traffic is heavily encrypted within the Tor Network, which also contributes to your anonymity. When your request leaves your computer it is encrypted three times. The first node at which it arrives (called the “entry guard”) can see that it came from you. Upon removing the first layer of encryption, it can “see” the next node, it can see the node it was sent from and the node it will forward to, though it cannot tell that the request originated with you, or where the request is ultimately being sent. When your request arrives at the exit node the last layer of encryption is removed and your request is transmitted to its final destination. When your traffic is returned it is routed through the same network.
TOR DISADVANTAGES: Even though I believe strongly in both the philosophical mission of Tor and in the technical implementation of the browser bundle, I would be remiss if I did not mention the disadvantages of using Tor, and its vulnerabilities. The first disadvantage to most people is Tor is inconvenient. By routing all your traffic through three intermediate servers prior to sending it to its destination Tor traffic is much slower than “normal” traffic. Each of the computers through which your traffic is routed may be much slower than your own, and so may be their individual internet connections.
Another major disadvantage is that some sites disallow logins, account creation, or other transactions from the Tor network. Further, many sites will require multiple captcha entries and are generally unfriendly to Tor. As I will say many times, CONVENIENCE AND SECURITY ARE INVERSELY PROPORTIONAL. I believe the slight inconveniences of Tor are more than made up for by the privacy and security it offers. Even though Tor is very secure, it is still not vulnerable.
Finally, Tor creates a very distinctive signature. Packets sent over the Tor network look very different from “normal” internet traffic. I believe this elevates your profile and makes you more “interesting” than non-Tor users. You should seriously consider using a obfs4 Tor bridge to hide your use of the Tor network from your ISP, and even from your VPN provider as well.
Figure: A typical Tor circuit. After the directory server creates the network the user’s traffic is routed through three intermediary servers, each of which can only see one node in either direction. This prevents any one node from seeing both the requested websites and the requestor and prevents the destination website from seeing who made the request.
TOR VULNERABILITIES: All the Tor servers used to re-route communications are hosted by volunteers. The host of the final server your communications are routed through can monitor any transmissions that exit Tor in plaintext though it would still theoretically be anonymous. This is why Tor places such emphasis on the HTTPS Everywhere add-on. When your traffic leaves the exit node it will still be encrypted with the TLS protocol if so supported by the website. This will prevent your traffic from being monitored by a malicious exit node.
You should also be aware that Tor is extensively monitored by law enforcement and intelligence agencies (both domestic and foreign) that may, under some circumstances, be able to observe your traffic. Tor is not a perfect solution and is vulnerable to some types of exploits. Your anonymity can be compromised on Tor in any of several different ways. For example, if you make a purchase on Tor using your credit card or other financial information that is linked to your true identity your anonymity will be breached. Further, Tor may also raise your profile.
Likewise, if you log into an email, social media, ecommerce, or other site that is associated with your name, your true identity will be associated with that entire browsing session. Opening a downloaded document while still connected to the internet is one of the most prevalent ways in which anonymity of Tor is broken.
Further, if you make any modifications to your version of Tor Browser it may be fingerprinted. This fingerprint can track you around the internet and eventually reveal your true identity. The default Tor Browser is designed to prevent browser fingerprinting. It discourages you from installing add-ons, and it makes all versions, regardless of download location, exactly the same. It even warns you not to maximize the browser which can reveal your computer’s full screen size and resolution. Any modification can make your version of Tor Browser absolutely unique and make you trackable. There are many other ways that the veil of anonymity Tor provides can be pierced. To be truly anonymous takes extraordinary effort.
Even if you are using Tor “perfectly” and adhere to all best practices, your anonymity may still be compromised by adversaries with worldwide reach (US Government for example). Such adversaries can correlate the time between a Tor connection being established and the location from which it was established to determine a user’s true identity.