Opsec.

How to improve your Operations Security.

This guide aims to give you pieces of advice that you can follow to reduce your attack surface, that is, to reduce the chances of being affected by a malicious actor.

Important notes

  • I'm not a security expert. Learning about security is hard. All the information found here was sourced from lots of investigation on my own. I have always been concerned about privacy and security, so I'm constantly learning about how to improve my Opsec. Don't take everything mentioned here for granted; as always, do your own research. We are open to any feedback to improve this guide.
  • Evaluate your Threat Model. Improving your Opsec comes at a cost. Sometimes you have to sacrifice some convenience to improve your digital security.
  • Do your own research. As I mentioned before, don't take for granted whatever anyone tells you about security. You will find different opinions from different people, experts, and non-experts.
  • This article isn't about the security of Web Servers. DevSecOps is a completely different beast and should belong in a different article. However, there's one mention of programming languages in this article.

Phishing

Phishing is perhaps the most effective and easiest way to hack someone. It's one of the hacking methods that claims the most victims every year.

Criminals are always getting more creative and coming up with new phishing methods. Some of them are still pretty obvious, but others can be very sneaky.

Recommendations

  • Investigate and learn about the different phishing methods in use.
  • Configure your browser to warn you about dangerous sites.
  • Use your common sense; sometimes phishing is quite obvious.
  • Keep an eye open; other phishing attempts are not as obvious.
  • Use an ad blocker such as uBlock Origin (it may not have all of its features on Chromium-based browsers due to Manifest V3). You can also use the Brave browser, which comes with an ad blocker built in.
  • Some of your relatives may struggle to detect fake content when browsing the web. Be patient with them and teach them how to spot it.
  • On Chromium-based web browsers, right-click the address bar and click "Always show full URLs".

Passwords

Reusing passwords is a bad idea for obvious reasons. Websites get hacked all the time. Some sites don't even hash your password in their database; it is stored in plain text.

Even if the password is hashed in the database, hashed passwords are still susceptible to password cracking.

That being said, you must use a different password for every online account. Our brains are not designed for remembering many different passwords, nor are they good at generating secure ones.

Don't store them on physical paper, or in an Excel/Word/plain-text document. Doing this isn't very practical anyway compared to the available alternatives. The issue with both approaches is that your passwords are not protected by encryption, so anyone with access to the file (or the physical paper) now has access to all of your accounts.

Use the right tool for the job: an actual Password Manager.

Recommended ones are KeePassXC for desktop computers and KeePassDX for mobile devices. But you can use whichever one you like the most and know to be secure.

Here are the reasons why you would like to use a KeePass-based password manager:

  1. They are usually free (as in freedom) and open source software. You can audit the code yourself and make sure that it meets proper encryption and security standards.
  2. They are offline. The advantage of this is that you reduce the attack surface by not exposing your password database to the Internet or a cloud (aka: someone else's computer). The catch is that it's less convenient to sync your passwords across devices. You can, however, use syncing tools for this such as Syncthing or a personal cloud.
  3. They are lightweight; they don't use many system resources.
  4. There are many KeePass clients that you can use, so your password database is very portable.

Bitwarden is also fine to use if you prefer the better UI/UX. You can optionally self-host it for better security.

If you love using the terminal and CLI tools, you can try the Unix standard password manager, Pass.

1Password is also fine. At the time of writing this article, 1Password hasn't had any security incident or data breach. You may not like the fact that it's closed-source.

The password manager that is hard to recommend, and that you should avoid using, is LastPass. LastPass has a record of security incidents.

Remember, even though your passwords are in theory protected by encryption, and these data-breach risks are mitigated by it, you must use a strong master password for that protection to hold. Your password database contains a lot of sensitive information. If this is a concern for you, consider using an offline password manager. As mentioned before, you can reduce the attack surface by not exposing your passwords to a cloud or online service that is not under your control.

Important note: the whole purpose of using a password manager is letting it generate secure, random passwords for you. Don't just create passwords yourself by combining your second name + your birthdate or similar methods.

Some websites have very dumb rules on the allowed characters for the password field, so configure the password generator of your password manager as needed for each site.

It can take quite a bit of time to replace the passwords of all of your accounts, but it's worth the time.

Multi-factor authentication

Multi Factor Authentication prevents an attacker from accessing an account if the password gets compromised.

A fun fact about MFA that many people don't know: most of the MFA codes that you receive on your phone (except SMS) are actually Time-Based One-Time Passwords (TOTP), a standard that generates codes from the current time. It doesn't require any Internet connection, so there is no delivery channel for a man-in-the-middle to intercept.

That being said, in most cases (not always) you don't need a specific app to have your OTPs configured; the app only needs to support the TOTP standard (RFC 6238), which is the OTP algorithm that most services use. You can use Aegis for Android or Raivo OTP. These are open source alternatives, but you can use the one that you like and trust the most. Avoid using Authy.

Don't use SMS for MFA. Sadly, this is not always possible, as some services still require SMS for MFA. But keep in mind that SMS is a completely broken protocol that shouldn't be used anymore. Also, your phone number is susceptible to SIM swap attacks. This is how Jack Dorsey (ex Twitter CEO) got hacked.

Security Questions

Don't be honest answering security questions.

Security questions are those basic questions about you (i.e. "What's your favorite food?", "Where did you study for the first time?", etc.) that you can answer in case you forgot your password and you don't have any other way to recover it.

This may sound convenient, but it is extremely susceptible to social engineering attacks.

For example, if you were honest in answering a security question, let's say "What's the name of your grandma?", an attacker can gather information about you or your relatives and very easily reset your password.

This is a broken system, because you shouldn't forget your passwords if you are using a password manager.

Some services (especially bank accounts) still require you to answer security questions. As mentioned, don't be honest when answering them. Put fake data in the answers. You can generate random passphrases with your password manager for this.
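The two generator uses discussed above, a random password tailored to a site's character rules and a random passphrase as a fake security-question answer, as an added example (not code from the original guide). The two site policies and the short wordlist are constructed for illustration; it also reports how many bits of entropy a restrictive rule set costs you.

```python
import math
import secrets
import string

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!#$%&*+-=?@^_~"

# Hypothetical site policies, constructed for this example: one sane, one "dumb"
# (no symbols, hard cap of 12 characters).
PERMISSIVE_POLICY = {"alphabet": LOWER + UPPER + DIGITS + SYMBOLS, "length": 20,
                     "required": [LOWER, UPPER, DIGITS, SYMBOLS]}
RESTRICTIVE_POLICY = {"alphabet": LOWER + UPPER + DIGITS, "length": 12,
                      "required": [LOWER, UPPER, DIGITS]}


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size).
    Required-class rules shave a fraction of a bit off this upper bound."""
    return length * math.log2(alphabet_size)


def meets_policy(pw: str, policy: dict) -> bool:
    """True if pw has the exact length, uses only allowed characters, and
    contains at least one character from every required class."""
    return (len(pw) == policy["length"]
            and all(c in policy["alphabet"] for c in pw)
            and all(any(c in cls for c in pw) for cls in policy["required"]))


def generate_password(policy: dict) -> str:
    """Draw each character uniformly with `secrets` (a CSPRNG, never `random`),
    then reject-and-retry until every required class is present, so the result
    is uniform over the set of policy-valid passwords."""
    alphabet = policy["alphabet"]
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(policy["length"]))
        if meets_policy(pw, policy):
            return pw


def generate_passphrase(words, count: int = 5, sep: str = "-") -> str:
    """Random passphrase (e.g. a fake 'grandma's name'): `count` words from `words`,
    giving count * log2(len(words)) bits."""
    return sep.join(secrets.choice(words) for _ in range(count))


# Tiny constructed wordlist; a real list (e.g. diceware) has thousands of entries.
WORDS = ["amber", "basil", "cobalt", "delta", "ember", "falcon", "garnet", "harbor",
         "indigo", "juniper", "kestrel", "lantern", "marble", "nectar", "orchid", "pebble"]

if __name__ == "__main__":
    for name, pol in [("permissive", PERMISSIVE_POLICY), ("restrictive", RESTRICTIVE_POLICY)]:
        pw = generate_password(pol)
        bits = entropy_bits(len(pw), len(pol["alphabet"]))
        print(f"{name:11s} {pw}  ~{bits:.0f} bits")
    print("security answer:", generate_passphrase(WORDS))
```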

VPNs

VPNs can be useful for privacy in some cases, but they don't help much for security.

Most websites already protect their data with HTTPS. Web browsers also support an HTTPS-only mode. A VPN can prevent a man-in-the-middle attacker from sniffing a site's data if you visit a non-HTTPS site, but once the requests leave the VPN servers, the data is no longer encrypted by the VPN protocol, so you should avoid visiting those sites anyway.

Also, many VPNs have lied about their no-log policies. Don't think that this is only an issue with free VPNs and that it doesn't happen with paid ones. Just because you gave money to a VPN provider is no guarantee that they are not going to hand your data to someone else anyway. There's no way to know whether a VPN is collecting data about you, either intentionally or not.

There are legitimate uses for VPNs. For example, if an organization has internal services that shouldn't be accessible to the public, the organization can host an internal VPN to make IP whitelisting much easier. This was actually the intended use of VPNs when they were created.

If you don't trust your network or your ISP, a VPN can prevent your network provider or your ISP from knowing what websites you are visiting, but keep in mind that you are essentially moving the problem from one place to another: now you have to trust your VPN provider.

What is a VPN useful for?

  • Hosting an organization's internal services that shouldn't be accessible to the public. A VPN hosted by the organization can make IP whitelisting easier.
  • Prevent your network provider or ISP from knowing what websites you visit.
  • Access blocked content.

Recommended video about VPNs:

Web Browsers

Any modern browser should be fine regarding security. If you are concerned about privacy, you can read this article.

Recommendations

IoT devices

IoT devices, such as your Smart TV, Smart Fridge, Smart Watch, or "Smart Anything" (even smart lightbulbs), are usually built with very poor security standards, and they get hacked all the time.

The more devices you have connected to the Internet, the more you increase the attack surface.

If some of these devices get hacked, it may not affect you directly, but a very common use of hacked IoT devices is enrolling them in a botnet for DDoS attacks.

Home Routers / Modems

Update your router's admin password. Not the Wi-Fi password. The router admin password.

A lot of routers have very basic default admin usernames and passwords, like "admin / admin", "admin / admin1", etc. Some of them have a random string on a sticker on the router itself, but those can still be a bit predictable sometimes. Some ISPs assign similar passwords to a lot of the routers they distribute, and you can find them online.

So, for example, someone could go to the house of a person they know uses a specific ISP, search the web for common admin passwords for that ISP, log in to the admin panel, and do all kinds of things, like throttling the connection (just to troll) or checking all of the visited websites in the history.

Or, even worse, someone with admin access to your router could upload an infected firmware that can do all kinds of malicious things that you can imagine without you noticing anything.

Recommendations

If you can, and if your ISP allows you to, change the admin password of your router. You can use your password manager for this and generate a random password.

Even better, if you can, build your own custom router. Apart from security, there are lots of other advantages of customizing your own router. If you build your own custom router, you are no longer under your ISP's arbitrary restrictions or bad security practices. Your router can be as secure as you want.

If you are interested in building your own custom router, check these two videos:

Smartphones

Modern mobile operating systems often have plenty of security features. However, some smartphone users (especially Android ones) tend to worsen their security with some bad practices. Here are some general recommendations:

  • Avoid rooting (Android) or jailbreaking (iOS) your device. Doing so increases the chances of privilege escalation by a potential attacker, because it weakens the principle of least privilege. Also, in the case of Android, rooting your device usually requires unlocking the bootloader, and thus disabling verified boot.
  • Install apps from trusted sources, and install only apps that you trust; don't just install any random app that you find.
  • Have a strong PIN code. A randomly generated 6-digit PIN is recommended.
  • Uninstall apps that you don't need, to reduce the attack surface.
  • Follow the principle of least privilege by giving apps only the permissions that they need at the moment.
  • Keep your device up to date. This is usually more difficult for Android users.
  • Use different user profiles, as in, avoid using the same profile for everything. For example, you can have a personal profile and a work profile. The same applies to web browsers on desktop OSes.
  • Avoid using webviews in any app. A lot of apps, especially TikTok, inject code into webviews to add spyware and keyloggers. Copy the link to your clipboard, then open an actual browser instance and paste the link. Avoid opening links by clicking on them inside the app itself.
  • Use face unlock only if you are sure that your device has the proper hardware to support it, not just a regular front camera. A lot of devices that "support" face unlock with just a normal front camera can usually be unlocked with a photo of the owner.
  • Avoid pattern lock. Pattern lock usually has fewer possible combinations. Also, finger marks (even after cleaning the screen) are much more noticeable with pattern lock than with PIN codes.
  • Reboot your smartphone frequently. This mitigates malware that can only live temporarily in RAM and cannot persist thanks to verified boot.

Android specific

Perhaps the most secure Android experience that you can have (or in smartphones in general, for that matter) is using a Google Pixel with GrapheneOS. GrapheneOS has a lot of features that make Android as secure as possible without sacrificing convenience. You can check the GrapheneOS features to understand why it is so secure compared to other Android ROMs, and also why only Pixel phones are supported.

Avoid using custom ROMs. With the exception of GrapheneOS, other custom ROMs such as LineageOS usually worsen the security of your device by requiring you to keep the bootloader unlocked, and so, disabling Verified Boot.

You can read a more detailed explanation here about how Android users tend to worsen the security of their devices.

Desktop operating systems

Desktop operating systems were not designed with security in mind and they are usually more vulnerable than other operating systems.

Here are a couple of recommendations for Desktop operating systems:

  • Lock the screen if you have to leave it turned on. On Windows, you can do this with Ctrl + L.
  • Avoid leaving your system unattended.

Disk Encryption

Disk encryption, or data-at-rest encryption, is a preventive measure to protect your data if your device (hard drive, SSD, etc.) is no longer with you, either because you sold it, lost it, or it got stolen. Even if you format your hard drive or SSD before giving it to someone else, the data is still recoverable. You could zero-fill your drive before giving it to someone else, but this takes a long time, can reduce the lifespan of the device, and if it gets stolen you obviously won't be able to perform a zero-fill.

Here's how to enable disk encryption on different desktop operating systems:

Secure boot

Secure Boot and TPM are technologies that allow you to mitigate Evil Maid Attacks.

Warnings: Before messing around with BIOS settings, keep these things in mind:

  • Evaluate your threat model before changing BIOS settings. You may mess something up if you don't know what you are doing.
  • Do this only with your own device, or with devices whose BIOS settings you know you are allowed to modify.
  • You may void your warranty by modifying BIOS settings (or by reinstalling an OS). This is not always the case, and it's pretty rare to void the warranty just by modifying software settings, but it's still a possibility.
  • Secure Boot and TPM are only effective if you protect the BIOS settings with a password. Otherwise, an attacker can just disable them.

If you use a modern Apple desktop device, you can read this article and skip the rest of this section: https://support.apple.com/guide/security/startup-security-utility-secc7b34e5b5/web

Note for Apple users: If you set a firmware password for your Mac device (Macbook, Mac Mini, etc), please remember to remove that password if you are not going to use that device anymore. We already have enough e-waste.

Here are some tips for Windows and Linux users:

  • Windows: If you got a brand new laptop with Windows 10 or Windows 11, more than likely you already have Secure Boot and TPM enabled. Just remember that you need to protect the BIOS settings with a password.

  • Linux: Linux users will have a hard time getting their system to even boot with Secure Boot enabled, not to mention all the struggles you will have trying to make it effective.

    The reason it is so hard to use Linux with Secure Boot is that motherboard manufacturers ship Microsoft's signing keys by default (because most people are going to install Windows anyway), which obviously don't cover most Linux distributions.

    A recommendation is to install your Linux distribution with the dm-crypt encrypted-boot scheme mentioned above and read this article: https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#PreLoader to evaluate the possible methods of enabling Secure Boot on Linux.

    You can upload your own keys to your motherboard as described in this guide: https://wiki.gentoo.org/wiki/User:Sakaki/Sakaki%27s_EFI_Install_Guide/Configuring_Secure_Boot but you can potentially brick your motherboard if you don't know what you are doing.

    Effective TPM use under Linux is even more complicated. You can read more about it here: https://wiki.archlinux.org/title/Trusted_Platform_Module, but it's recommended not to even bother trying to use it. Just use full disk encryption + Secure Boot, set a password for your BIOS, and pray that an attacker doesn't find a way around it. This isn't bulletproof against evil maid attacks, but it's better than nothing.

Remember, evaluate your threat model before considering investing your time doing these practices. For example, if someone breaks into your house, unless you are targeted and they want to specifically get a piece of data from you without using violence, they are probably just going to steal the whole computer and sell it to someone else. In that case, your data is protected by disk encryption.

App Sandboxing

App sandboxing is a security feature that provides an isolated runtime environment, limiting which of your system's resources a program can access.

Android and iOS sandbox every app that you install by default. Desktop operating systems are lacking in this regard.

  • Windows users can use the Windows Sandbox utility to run untrusted programs.

  • MacOS users already have their applications sandboxed if they were installed from the App Store: https://developer.apple.com/documentation/security/app_sandbox

  • Linux users have different options: https://wiki.archlinux.org/title/Security#Sandboxing_applications.

    Avoid using Firejail. Firejail runs as root (setuid), which increases the potential risk of privilege escalation.

    The recommended sandboxing utility for Linux is Bubblewrap. The catch is that Bubblewrap is not very friendly to use, but it's far more secure and granular than the alternatives.

    A friendlier alternative is using Flatpaks, which use Bubblewrap underneath, and you can control the permissions of your applications with Flatseal. There are criticisms of Flatpak's sandboxing features. However, using Flatpak + Flatseal is still far better than the traditional way of installing packages on Linux, which has no sandboxing at all.

Pirating software

Hackers who take the time to crack programs don't usually do it for free; sometimes you are the product. There are many examples of this, but the most recent and most popular one is the case of TLauncher, a third-party Minecraft launcher that allows you to play Java Minecraft for free.

It was discovered that this launcher contains very sneaky malware:

Remember, this can happen with any software downloaded from an untrusted source, but it is more common with pirated software, for example when you pirate a videogame, a Photoshop license, an Office license, etc. At first nothing appears to happen and you may think nothing is wrong with your PC, but it's probably running malware in the background. Your antivirus is usually not able to detect it either, because some malware can be very sneaky, and also because these "cracks" usually require you to execute them as Administrator. If a piece of malware is running as admin, it is able to do anything to the system, like disabling your antivirus.

If for some reason you want to run pirated software and reduce the risk of doing so, you can do it inside a virtual machine, although this is less convenient.

Electron Apps

Electron isn't inherently insecure by itself. In fact, Electron has sandboxing features.

However, if you run an Electron app instead of the web equivalent, you are running that software with higher privileges on your system. For example, an Electron app is able to read your whole home folder (if not properly sandboxed with another tool), and even use zero-day exploits to escalate privileges, such as Pwnkit (note: Pwnkit has already been patched; the point is to reduce the possibility of privilege escalation).

On the other hand, the web equivalent is sandboxed within the browser's own environment, and is therefore a bit more secure than the Electron version.

Also, many developers don't regularly update the Electron version of their apps, so many Electron apps use an old version of Chromium and Electron that lacks the latest security patches.

For example, at the time of writing this article, Discord uses Chromium version 91 and Electron version 13, whereas the latest stable Chromium version is 109 and the latest stable Electron release is 22. You can verify this yourself by using this method.

Electron apps that can be used within a web browser:

  • Slack
  • Discord
  • Figma
  • Notion
  • Element
  • Whatsapp Web
  • Zoom

And many others.

Another advantage of using the web equivalent of your apps is that you can save a bit more RAM because each app is using the same browser instance.

Windows specific

  • Enable password for admin privileges.

    You can achieve this by pressing Windows Key + R, typing secpol.msc, then pressing Enter or clicking "OK". In the left panel, click "Local Policies" > "Security Options". Double-click "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode", and under the "Local Security Setting" section select "Prompt for credentials", then persist the change by clicking "Apply" and "OK". This prevents privilege escalation by an attacker if you leave the screen unlocked (it can also prevent some Rubber Ducky attacks).

    If you find this inconvenient, you can revert it by following the same steps but selecting "Prompt for consent" instead.

  • Avoid using activation tools such as KMSPico. The reason is explained in the "Pirating software" section. You can find legitimate Windows activation keys for very cheap. Also, a lot of motherboards and laptops nowadays already come with an OEM key preinstalled (UEFI).

  • Use Windows Sandbox to run untrusted programs.

  • Enable Bitlocker (how to do so is explained in the "Disk Encryption" section).

  • If you want to download a Windows ISO, download it directly from Microsoft's official website, not from any other source; that way you make sure the ISO hasn't been tampered with.

  • Avoid using Windows 8.1 or lower. These systems are no longer supported by Microsoft and they are vulnerable. Consider upgrading to Windows 10 or higher.

  • Enable filename extensions to be aware of what kind of programs you are double clicking on.

Linux (desktop) specific

Despite popular belief, Linux is perhaps the least secure desktop operating system compared to Windows 10/11 or macOS.

The technical reasons why are explained here.

Here are some tips on how you can improve Linux Desktop security:

  • Use Wayland instead of Xorg/X11. Xorg is a very old program with very old code, designed around a very old protocol (X11). Linux sandboxing is flawed mostly because of possible sandbox escapes through X11. The catch is that you may have compatibility issues with Wayland; for example, you may struggle with screen sharing. However, Wayland's development is improving with time.
  • Use PipeWire instead of PulseAudio. PipeWire provides better sandboxing and security features. Most Linux distributions are starting to ship PipeWire instead of PulseAudio.
  • Use hardened_malloc. This is a bit more extreme and it's not recommended if you don't know what you are doing, as some programs may break.
  • Use doas instead of sudo. sudo has had security vulnerabilities that took years to patch. sudo is a really big program, and doas is much smaller in comparison. doas has fewer features than sudo, but for desktop usage doas is usually more than enough.
  • Avoid using systemd, although this can be hard for most people due to compatibility issues with other init systems.
  • Use the sandboxing utilities mentioned in the App Sandboxing section.

Wireless devices

Wireless devices can be very convenient to use, because cables can be annoying for some people. However, because physical access is no longer needed to hijack the communication between devices, the attack surface is increased: someone nearby could be exploiting a vulnerability in your devices.

Bluetooth has always been insecure, and you should avoid using it if you can.

Wi-Fi is much more secure than other wireless technologies, but a wired connection (i.e. an Ethernet cable) has the advantage of being both more secure and much more stable.

Examples of wireless technology being insecure:

Social media

Social media is inherently susceptible to social engineering attacks and you should avoid using it.

There are some things that you can do to improve your privacy and prevent attackers from gathering personal information about you:

  • Don't just accept any friend request or follow request. This is just common sense.
  • Configure your social media so that your posts are only visible to the people that you trust.
  • If you want to make a post public, be careful with any personal information you may be making public.

However, keep in mind that there are still many pitfalls when it comes to privacy when using social media.

Chat applications

Perhaps the most secure and privacy respecting chat application that you can use is Signal.

Here's a comparison between different chat alternatives:

  • Open source server and client, but centralized server and requires a phone number: Signal
  • Federated/decentralized (sometimes not E2E encrypted due to federation issues): Matrix, XMPP
  • Serverless: GNU Jami, Tox, Session, Briar
  • E2E encrypted but still proprietary: iMessage, WhatsApp
  • Open source client, but proprietary servers and not E2E encrypted by default: Telegram
  • Proprietary and not E2E encrypted: Discord, Slack, Facebook Messenger, Instagram, TikTok, etc.
  • Hahaha: SMS

Cloud storage

Cloud services are very convenient, but they can be susceptible to security incidents. You have to trust your cloud provider with the security of your files. If you want to upload a file to the cloud and you don't want it to be readable by your cloud provider (or a potential attacker), encrypt it with a randomly generated password before uploading. You can use AES-256 or ChaCha20, or the encryption method of your preference.

On Unix-like systems, you can run this command to encrypt a file with AES-256:

gpg --symmetric --no-symkey-cache --cipher-algo AES256 your-file

Ransomware

Any operating system is vulnerable to this (Android, iOS, Windows, Mac, Linux, etc.). Getting infected by ransomware is not a matter of if, but when.

Some ransomware is so sophisticated that it can even detect backup drives and encrypt those as well.

One recommendation is to make regular backups of your important files on different drives or clouds. Keep one backup on an external drive that is physically disconnected from any other device. Do backups at different intervals. For example, let's say that the ransomware takes one week to encrypt all your files. If you only do daily backups, there's a chance that some of the files you are backing up are already encrypted by the ransomware. So do a monthly backup plus a separate weekly backup.

Programming languages

If you can, use programs that were written in memory safe languages, such as Rust.

If you are a software developer yourself, consider using Rust for writing your programs. But if you can't, or you don't want to, consider learning about Rust's memory safety features and try to implement them in your programming language of preference.

For example, the "null" value doesn't exist in Rust, an enum has to be used instead, forcing the developer to always handle a case when there's no value.

This isn't just Rust evangelism, it's just that most of the security flaws come from memory unsafety issues, not just with Chromium, but with all kinds of other programs as well.

Note: There are all kinds of security flaws that can happen with any programming language, even with Rust. This section is about memory safety specifically.

Other recommendations:

  • Validate inputs properly in your software; never trust user input.
  • Prevent SQL injection, or any sort of code injection (i.e. XSS, etc.).
  • Keep your SSH keys safe.

Conclusion

Don't blindly trust whatever anyone tells you about security. No piece of technology is bulletproof, anything can be vulnerable, even people themselves with social engineering attacks.

General recommendations:

  • Evaluate your threat model. Just because you could get hacked, doesn't necessarily mean that you will get hacked. This guide is mostly just attack surface reduction.
  • You can use Wireshark to audit the network traffic of your devices or programs.
  • Try pentesting on your own. For example, you can use Hashcat to test how secure your passwords are.
  • This is just scratching the surface. Do your own research. Learn about security yourself.
  • Recommended site: https://security.stackexchange.com/

Recommended videos