This article is going to be a bit different, more like an extensive write-up. I’m going to split it into two main sections: Identifying and Analyzing Threats & Vulnerabilities, and Risk Assessment. Let’s talk OPSEC, or Operations Security. For those who like things defined, OPSEC is essentially the art of figuring out whether our actions are visible to potential threats, gauging the risk of compromising information, and then taking calculated steps to stop those who might exploit our critical data.
OPSEC officially emerged in 1966 during the US’s Operation Purple Dragon. It came about as a response to the need to investigate operational errors and develop a process before operations to avoid serious compromises. You might hear OPSEC thrown around with InfoSec (Information Security) and ComSec (Communications Security), but they aren’t the same, even though they overlap.
InfoSec is like the guardian of all data, focusing on making sure that data stays safe, whole, and accessible only to those who need it. ComSec jumps in for the secure exchange of that information, like making sure emails are encrypted (think PGP), which keeps nosy folks from eavesdropping on sensitive conversations.
Now, OPSEC? That’s a bit different. It’s not just about securing data or communication. OPSEC is about making sure your actions aren’t giving away clues, intentionally or not. It’s like asking, “Is the way we’re handling things putting a spotlight on our plans for anyone looking close enough?”
Core Principles
Imagine you’re running a covert red team op, slipping into a target’s network to snag some sensitive data. Now, you _could_ just encrypt the payload and dump it all in one go. That’s solid for ComSec, sure, but you’re practically waving a red flag at the IDS. OPSEC would say, “Alright, keep it encrypted, but don’t go making a scene.”
So instead, break the data down, trickle it out in smaller packets, and time it so it looks like ordinary user traffic. It’s like moving through a crowd without drawing a second glance. Guard what you’re holding, but don’t let anyone know you’ve got something worth hiding.
In essence, OPSEC comes down to one key principle: control. It’s about having control over your information and actions to prevent them from being used against you. Whether you’re knee-deep in threat intelligence gathering, engaged in a red team op, or simply gettin’ into an investigation, OPSEC serves as the process overseeing it all.
While textbooks often tout five sacred steps, we’ll focus on a couple, starting with the cornerstone of Identifying and Analyzing Threats & Vulnerabilities. Imagine a process that unveils the adversary’s watchful eye, outlines the information they seek, and pinpoints your vulnerabilities. But that’s just the beginning. We then move on to Assessing Risks and strategically implementing Appropriate Countermeasures. Just a heads-up: I’m emphasizing Anonymity and Privacy throughout this discussion.
The Internet Identity
Alright, let’s break down the Identification of Critical Information. Put simply, it’s about pinpointing what needs to be safeguarded to ensure the operation goes smoothly. Whether it’s your source IP address, the tools you use, or the intricate network of your command and control (C&C) infrastructure, it’s crucial to make this crystal clear. Enter CALI (Capabilities, Activities, Limitations, and Intentions), a simple checklist outlining the essentials for the operation. But before we go too deep and risk confusion, let’s start with a high-level overview and a little fun.
Now, onto the internet. IP addresses – the gateway to the online world. Your connection to the internet is marked by an IP address provided by your trusty ISP (Internet Service Provider), which is stored in their database. Most countries have data retention regulations, requiring ISPs to log who’s using which IP address and when, for extended periods. If your original IP address is exposed, it leads right back to you. Plus, accessing the internet in many places often requires some form of identification to your provider.
Next, DNS (Domain Name System) – helping your browser find the IP address of a website. It’s like a giant contact list – ask for a name, and it provides the number. When your browser wants to visit a site, it communicates with a DNS service to uncover the IP address of the site’s servers.
Typically, your ISP provides the DNS service, which is automatically set up by the network you’re using. So, when you type in a website address, your request travels through various DNS servers until it reaches the domain’s nameserver, which reveals the IP address and completes the process. For more details, see what-is-dns.
But here’s the catch – most DNS requests are unencrypted. Even if you’re browsing in incognito mode or using HTTPS, your browser might still send unencrypted DNS requests, which isn’t exactly covert.
A quick note: now that we’ve covered the basics, let’s talk about privacy with encrypted DNS, such as DNS over HTTPS or DNS over TLS. You can set up your own private DNS server, either self-hosted with something like Pi-hole or remotely hosted with services like NextDNS or 1.1.1.1, reached from within the Tor network. Relying solely on Tor isn’t practical for everyday use – it draws too much attention. To avoid unnecessary scrutiny, we introduce VPNs and Tor, working together to prevent your ISP and other third parties from snooping on or blocking your DNS requests. We’ll explore this dance further later on.
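To make the “unencrypted DNS” point concrete, here is an added example (not code from the original post) that builds a plain UDP/53 DNS query the way a stub resolver puts it on the wire and then parses it back the way a passive on-path observer would. Nothing is sent over the network; the hostname and transaction id are constructed sample values, and hostnames are assumed to be plain ASCII.

```python
"""What an on-path observer sees in a classic (unencrypted) DNS query.

RFC 1035 wire format: a 12-byte header, then the question: the name as a
sequence of length-prefixed labels, a 2-byte QTYPE and a 2-byte QCLASS.
No part of this is encrypted, so HTTPS on the web connection does not help.
"""
import random
import struct

def build_query(hostname, txid=None):
    """Encode a standard A-record query for `hostname` in DNS wire format."""
    txid = random.randrange(0x10000) if txid is None else txid
    flags = 0x0100                                   # standard query, recursion desired
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)   # QDCOUNT=1
    qname = b""
    for label in hostname.rstrip(".").split("."):
        raw = label.encode("ascii")                  # assumption: ASCII hostnames only
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label: {label!r}")
        qname += bytes([len(raw)]) + raw
    qname += b"\x00"                                 # root label terminates the name
    question = qname + struct.pack("!HH", 1, 1)      # QTYPE=A, QCLASS=IN
    return header + question

def parse_query(packet):
    """Recover the queried name from a DNS datagram, as a sniffer would."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("name runs past end of packet")
        length = packet[pos]
        pos += 1
        if length == 0:                              # root label: end of name
            break
        if length & 0xC0:                            # pointers never occur in a question name
            raise ValueError("unexpected compression pointer in question")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return {
        "txid": txid,
        "is_query": (flags & 0x8000) == 0,           # QR bit clear = query
        "name": ".".join(labels),
        "qtype": qtype,
        "qclass": qclass,
    }

if __name__ == "__main__":
    pkt = build_query("research.example", txid=0x1234)   # constructed sample
    print(parse_query(pkt))
    print("hostname visible in raw datagram:", b"research" in pkt)
```

Running it shows the queried name sitting in the clear inside the datagram, which is exactly what DNS over HTTPS or DNS over TLS hides from your ISP.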
Now, onto MAC addresses – Your MAC address, acting as a unique ID for your network interface, can be used to track you if it’s not randomized. Major companies and device manufacturers maintain logs with MAC addresses, creating a traceable link between devices and accounts. So, randomizing your MAC address is essential, along with concealing both your MAC and Bluetooth addresses. Operating systems like Android, iOS, Linux, and Windows 10 offer MAC address randomization, or you can use tools like MAC Changer.
But wait, there’s more. Home routers and WiFi access points also keep track of connected devices, and ISPs can remotely access and analyze this information.
Moving on to Bluetooth MAC addresses – they’re also fair game for tracking. Manufacturers and OS providers log this data, potentially tying it to purchase details or accounts. Despite the safeguards in place, vulnerabilities exist. Consider disabling Bluetooth in your BIOS/UEFI settings or within the operating system. In Windows, you can shut down the Bluetooth device in the device manager to force randomization. Alternatively, consider using Linux ;)
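Randomization only helps if it is actually in effect, so here is an added check (my example, not from the post or any tool it mentions) that tells a burned-in address from a randomized one. It relies on the IEEE 802 flag bits in the first octet: bit 0 (0x01) marks a multicast address and bit 1 (0x02) marks a locally administered address, which is what OS randomization sets. The `ip link` output it audits is constructed sample text, not from a real host.

```python
"""Audit Linux `ip link` output for interfaces still exposing a factory MAC.

A manufacturer-assigned (burned-in) address has the locally-administered bit
(0x02 in the first octet) clear; randomized addresses set it.
"""
import re

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2})(?:[:-][0-9A-Fa-f]{2}){5}$")

def classify_mac(mac):
    """Return 'multicast', 'randomized' (locally administered) or 'burned-in'."""
    m = MAC_RE.match(mac.strip())
    if not m:
        raise ValueError(f"not a MAC address: {mac!r}")
    first = int(m.group(1), 16)
    if first & 0x01:
        return "multicast"
    return "randomized" if first & 0x02 else "burned-in"

# `ip link` prints "N: name: <FLAGS> ..." then an indented "link/ether aa:bb:..." line.
IFACE_RE = re.compile(r"^\d+:\s+(\S+?):")
LINK_RE = re.compile(r"^\s+link/(ether|loopback)\s+([0-9a-f:]{17})")

# Constructed sample output (not captured from a real machine).
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT
    link/ether 3c:97:0e:12:34:56 brd ff:ff:ff:ff:ff:ff
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DORMANT
    link/ether 9a:51:c0:de:ad:07 brd ff:ff:ff:ff:ff:ff
"""

def audit_ip_link(text):
    """Map interface name -> classification, skipping the loopback device."""
    result, iface = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = LINK_RE.match(line)
        if m and iface and m.group(1) == "ether":
            result[iface] = classify_mac(m.group(2))
    return result

def not_randomized(text):
    """Interfaces that still present a manufacturer-assigned address."""
    return sorted(name for name, kind in audit_ip_link(text).items()
                  if kind == "burned-in")

if __name__ == "__main__":
    # On a real host: audit_ip_link(subprocess.run(["ip", "link"], ...).stdout)
    for name, kind in audit_ip_link(SAMPLE_IP_LINK).items():
        print(f"{name}: {kind}")
```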
So, let’s talk about social networks it’s where things get interesting, right? These days, pretty much everyone has a social network account, whether it’s Instagram, LinkedIn, or something else. While I get why some people don’t like them (they do collect tons of data about you!), it doesn’t mean you have to avoid them entirely. You just need a few strategies to protect your privacy and use them smartly. I’ll share some tips I’ve picked up over the years.
Tip #1: Choose a Realistic Identity
When creating a profile, things like ethnicity, age, and language actually matter because they affect how much attention your profile might get from verification algorithms. Generally, profiles that match “typical” expectations (like a Caucasian or East Asian person aged 18-22 who speaks the local language) are less likely to get flagged than, say, an Arabic or Black person using non-native language patterns. It may sound strange, but it’s just how the algorithms work. And if you’re in the EU, having an EU-based identity with an EU IP address (like through a VPN) can help you benefit from GDPR protections.
Tip #2: Always Use Unique Profile Details
For each online identity, use a unique profile picture, username, and email address. And avoid using your real phone number whenever possible—many platforms let you verify with just an email. But if a phone number is required (like for Telegram), go for a temporary one or use a pay-as-you-go phone that you bought discreetly (think: cash payment, no cameras, and a location you don’t frequent). Only activate it in a public place, like a coffee shop, then avoid using it again.
never sell no crack where you rest at
Tip #3: Match Your Writing Style
When posting, adapt your writing style to each identity. It might seem minor, but online platforms often use language patterns to “fingerprint” users. Avoid using the same phrases, figures of speech, or favorite words across profiles; those unique quirks can make it easy to connect your identities. Just be natural, but stay mindful of what makes each identity distinct.
So, What Are the Challenges?
- No organized approach for gathering intelligence and understanding your adversary.
- Facing adversaries one at a time without a cohesive strategy.
- Learning little from past mistakes, which leads to repeated errors.
- Unclear skill requirements, making it hard to know what’s needed to succeed.
- Unaware of the “game” itself, so you may not even realize you’re involved.
- There is still a risk of online data leaks.
Le Terrain
It’s all about fully understanding your adversaries and the risks involved – like the potential exposure of your source IP, network details, or digital fingerprint. Now, when it comes to the adversary, I’ll do my best to avoid sounding paranoid. Your main goal here is to stay clear of OSINT researchers and avoid doxxing by trolls or anyone who doesn’t have access to advanced tools.
So, let’s take it step by step:
Imagine you’re using Windows or macOS for your school or work research, everyday internet browsing, maybe even using a privacy VPN like Mullvad. You carry out regular activities like writing code, editing photos, and browsing the internet. This is your main operating system – clean and above board. Stick to using regular emails, social networks, bookmarks, visited sites, and your Wi-Fi access point. This setup provides plausible deniability when needed. See opsec101.org for more info.
On the other hand, you have a private Virtual Machine (VM) for malware analysis, perhaps even for writing or reversin’ malware. Same rules apply: ensure encrypted traffic routing. This VM serves as your sanctuary for privacy, guarding against less sophisticated adversaries.
And now, the pièce de résistance – the Hidden OS, where you conduct anonymous activities from a VM within this covert setup. All network traffic from your client VM is routed through a Gateway VM, which acts as a conductor to the Tor Network, directing (or torifying) all traffic into the Tor Network – essentially, a network “kill switch.” The VM itself connects to your cash-paid VPN service through Tor, enjoying internet connectivity via the Tor Network Gateway. Thanks to the isolated network that mandates traffic through Tor, DNS leaks to your ISP become impossible.
Sure, using Tor alone might raise suspicion on many platforms, leading to pesky captchas, errors, and challenges. But this multi-layered approach significantly reduces the chances of adversaries easily identifying you. You might wonder about using Tor over VPN instead of VPN over Tor. Well, your VPN provider is essentially another ISP, aware of your origin IP, which makes de-anonymization straightforward. Connecting to various services using the IP of a Tor Exit Node raises red flags in many places.
Enter Whonix, a linchpin in the anonymization process. Whonix, a Linux distribution, comprises two Virtual Machines:
- The Whonix Workstation (for anonymous activities)
- The Whonix Gateway (establishing a connection to the Tor network and routing all network traffic from the Workstation through the Tor network).
You have two options here – the Whonix-only route, where all traffic goes through the Tor Network, and the Whonix hybrid route, where everything goes through a cash-paid VPN over the Tor Network. Choose wisely.
Now, about that anonymous (cash-paid) VPN subscription – you might think, “Seriously?” Aren’t you the one criticizing VPNs? Well, sort of. I typically recommend setting up your own VPN server using a rented VPS to ensure more control and privacy (check out these guides: ProPrivacy and Medium). But let’s be realistic here. You need a VPN that leaves no financial traces leading back to you. This VPN will come into play later when you want to connect to various services incognito, but never directly from your IP. Why? Because trusting VPNs is risky. Only use this new VPN account as directed, and never connect to it using your regular connections. The idea is to use this VPN within a Virtual Machine securely because, let’s face it, we don’t trust those VPN providers’ “no-logging policies.” Your origin IP should remain a mystery to the VPN provider.
This serves two critical purposes: first, all your traffic gets a layer of anonymity through Tor, and second, by keeping your personal and digital lives separate, you avoid any inadvertent mix-ups.
Now, I’ve discussed the complexities and limitations of using VPN and Tor simultaneously in a previous post, but let’s revisit the essentials.
Even the Tor project devs advise against using a VPN with Tor, except for advanced users. However, it’s complicated. It depends on your threat model and how well you configure everything. Here are the facts: your ISP is DEFINITELY logging your activities, while a VPN is MAYBE logging your activities. Another fact is that routing your Tor traffic through a VPN doesn’t guarantee hiding your Tor usage. Your Tor usage and even browsing patterns might be revealed through traffic fingerprints. So, it really depends on your circumstances.
Trust me, all of this can be undone by one mistake. Imagine you fill out a form or visit a site with an IP address linked to a handler, and then, the next day, that site or forum gets breached. Suddenly, all the IP addresses, usernames, passwords, and emails are leaked. Now, anyone can trace that handler back to you.
Here’s the trick: avoid doing anything suspicious. Act like you’ve got nothing to hide. Even if a leak happens, you can’t change the fact that it happened, but what really matters is how much damage you can counter and how well you’ve set up protections to shield yourself from such mistakes.
If a researcher’s handler is linked to a public email they posted on their site or tied to a country they’re known to be from, that’s not a big deal; it’s already out there. But if a secret researcher handler gets leaked and it’s associated with the same email address that’s linked to them, that’s a problem. Now that’s exposed, and things just got a lot riskier.
Risk Assessment
Now, let’s explore identifying vulnerabilities – the weak points that adversaries are eager to exploit. Despite its strength, the Tor Project isn’t an impenetrable fortress against global adversaries, as outlined in the Tor design document here. Successful attacks against Tor have occurred, and advanced techniques claiming a remarkable 96% success rate in fingerprinting encrypted traffic have emerged, exposing the websites you’ve visited. Consider major platforms like Twitter and Facebook – while Tor is often used to access these sites in censored countries, things get tricky when users reveal real names, pictures, and link their accounts to personal information like emails and phone numbers. In such scenarios, the anonymity offered by Tor begins to fade. Additionally, platforms can employ algorithms to analyze your browsing behavior, detect patterns, and potentially link you to other profiles.
Though it’s unclear if governments tap into such data, the possibility remains. Basic information can inadvertently lead back to you. Your digital fingerprint – a unique blend of how you write, behave, click, and browse – from fonts to screen resolution, operating system, and device model – can be triangulated to track you across the web. This is what we call Fingerprinting – the art of identifying someone based on these behavioral patterns. Even seemingly insignificant details like slang or spelling quirks could potentially reveal your identity. Platforms like Google and Meta can leverage this information, mapping it to your past online activities. While the internet is teeming with pseudonyms, the majority are anything but anonymous and can be effortlessly traced back to their real identities.
Also, make sure to disable Bluetooth, biometrics, webcam, and microphone. Enable BIOS/UEFI password protection and disable USB/HDMI ports. These measures help maintain control and fend off certain attacks. And whatever you do, never leave your laptop unattended in your hotel room or elsewhere. Make it as difficult as possible for anyone to tamper with it without raising alarms.
Let’s discuss something you carry with you every day – your phone. Phones come with IMEI and IMSI numbers. The IMEI is directly tied to your phone, known by mobile operators, and tracked each time your phone connects to the network. Changing the IMEI is possible but not straightforward, so it’s easier to opt for an old burner phone for anonymity.
The IMSI is linked to your mobile subscription or pre-paid plan and is hardcoded on the SIM card. Like the IMEI, it’s used by apps and OS for identification. Some EU countries maintain a database of IMEI/IMSI associations for law enforcement.
Tracing back IMEI and IMSI to you is a reality. Mobile Operator Subscriber Logs store IMEI and IMSI, linking them to subscriber information. IMEI and IMSI, along with connection data, are logged for precise tracking through signal triangulation, revealing connections to other known phones.
Manufacturers track phone sales using IMEI. Even if bought anonymously, they can correlate this information with other phones present at the time using antenna logs. IMSI is tied to the buyer’s identity, and even in countries allowing cash purchases, details like where and when it was bought can be retrieved.
Google and Apple log IMEI/IMSI tied to accounts and user history. Government agencies deploy IMSI catchers to force a specific IMSI to connect, enabling various attacks.
Geolocation isn’t solely done through mobile antenna triangulation; it involves the Wi-Fi and Bluetooth devices around you. Google and Apple maintain a database of most Wi-Fi access points and Bluetooth devices and their locations. When your smartphone is on, it passively scans for Wi-Fi access points and Bluetooth devices (unless disabled in settings), allowing them to provide accurate locations even when GPS is off. However, this feature also enables them to keep a record of all Bluetooth devices globally for tracking purposes.
For maximum anonymity, use a burner phone with an unlinked IMEI and an IMSI not tied to you. Purchase these in a secure location using cash, and don’t bring your primary phone during the purchase. Never power on the burner phone in a traceable location, especially not where your known smartphone is located, to maintain maximum anonymity during setup and occasional verification.
Note: Don’t take your smartphone with you during sensitive activities if you want to keep them secret. Just leave it at home.
Your devices can be tracked even when powered off. They are like silent informants, persistently broadcasting identity information via Bluetooth Low Energy to nearby devices, potentially leaving a trail. While they lack direct access to devices not connected to the internet, their subtle transmissions reveal more than you might think.
Your smartphone records everything from your voice commands (“Hey Siri,” “Hey Google”) to your movements (Bluetooth devices, Wi-Fi access points), activities (steps, screen time, connected devices data), and network locations. It captures images and videos and likely has access to your logs, including social media, messaging, and financial accounts. It’s not just your smartphone; other smart devices – Apple Watch, Android Smartwatch, fitness devices, smart speakers (Amazon Alexa), and more – join the surveillance party.
When preparing for anonymous or sensitive activities, it’s wise to leave your smart devices behind. They can identify your device and store the location in a database, which might be accessed by third parties or the devices themselves for various purposes. Even when turned off, your smartphone may not be as dormant as you think, as highlighted in this threatpost article.
Let’s discuss Metadata – information about your activities without delving into the actual content. Consider knowing you had a call from an oncologist followed by calls to family and friends. Though the conversation details elude us, the metadata hints at its nature.
Smartphones, operating systems (Android/iOS), browsers, apps, and websites are avid collectors of your metadata, often including your location. Numerous companies likely know your precise location at any time, courtesy of your smartphone. Additionally, files come adorned with metadata – a prime example being pictures with EXIF information containing details like GPS coordinates, device model, and precise capture time. While this may not directly unveil your identity, it could disclose your exact whereabouts at a specific moment, potentially piecing together a larger puzzle.
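The EXIF point is easy to check for yourself, so here is an added example (mine, not from the post) that walks a JPEG’s marker segments, reports which metadata-carrying segments are present, and strips them before the file is shared. It uses only the standard library; the sample JPEG is constructed in-line with a fake Exif body and is not a real photo, and the marker numbers are the standard JPEG ones.

```python
"""Find and strip metadata segments (Exif/XMP, IPTC/Photoshop, comments) from a JPEG.

A JPEG is a run of marker segments (0xFF, marker, 2-byte big-endian length
that includes itself) up to the SOS marker. After SOS comes entropy-coded
image data that is not segment-structured and must be copied verbatim.
"""
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
APP0, APP1, APP13, COM = 0xE0, 0xE1, 0xED, 0xFE
STRIP = {APP1, APP13, COM}            # Exif/XMP, Photoshop/IPTC, free-text comment

def segment(marker, payload):
    """Build one marker segment (used only to construct the sample file)."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

def iter_segments(data):
    """Yield (marker, payload, raw) up to SOS, then (None, b'', tail) for scan data + EOI."""
    if data[:2] != bytes([0xFF, SOI]):
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == EOI:                                   # no scan: file ends here
            yield marker, b"", data[pos:pos + 2]
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        yield marker, data[pos + 4:pos + 2 + length], data[pos:pos + 2 + length]
        pos += 2 + length
        if marker == SOS:                                   # rest is opaque scan data
            yield None, b"", data[pos:]
            return

def metadata_segments(data):
    """Names of metadata-carrying segments present, e.g. ['APP1:Exif', 'COM']."""
    found = []
    for marker, payload, _ in iter_segments(data):
        if marker == APP1 and payload.startswith(b"Exif\x00\x00"):
            found.append("APP1:Exif")
        elif marker == APP1 and payload.startswith(b"http://ns.adobe.com/xap/1.0/"):
            found.append("APP1:XMP")
        elif marker == APP13:
            found.append("APP13")
        elif marker == COM:
            found.append("COM")
    return found

def strip_metadata(data):
    """Return the JPEG with APP1/APP13/COM segments removed; image data untouched."""
    out = bytes([0xFF, SOI])
    for marker, _, raw in iter_segments(data):
        if marker not in STRIP:
            out += raw
    return out

# Constructed sample: JFIF header, fake Exif block, a comment, a minimal scan, EOI.
SAMPLE_JPEG = (
    bytes([0xFF, SOI])
    + segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + segment(APP1, b"Exif\x00\x00MM\x00\x2a" + b"\x00" * 16)   # fake TIFF body
    + segment(COM, b"shot on my phone at home")
    + segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\xff\x00\x56"                   # scan data (0xFF00 is a stuffed byte)
    + bytes([0xFF, EOI])
)
```

For a real file, `strip_metadata(open(path, "rb").read())` gives you bytes to write out; `metadata_segments` on the result should come back empty.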
The depths of the Deep Web and Dark Web, OPSEC Onion
Here’s the reality check – you’re not as special as you might think. Advanced techniques require significant resources, skills, joint effort, and time, unless your goal is to overthrow the government. For most scenarios, investigations and espionage require reconnaissance and intelligence coordination, which, in itself, is time-consuming. However, once you find yourself on some list, it’s too late for OPSEC.
In conclusion, let’s not sugarcoat it – achieving perfect OPSEC is an illusion. Compromises are inevitable. The key lies in your dedication and the measures you’re willing to take. The more time invested and the more cautious you are, the better. Remember the basics: avoid attracting attention, stay vigilant, be patient, blend in, do what makes sense, and, most importantly, Shut the F* up. See also: What is Security Culture.
I’ve touched on the shenanigans at play. While not an exhaustive dive into every facet of attacks or vulnerabilities, consider this a 101. It’s designed to stake a claim in the recesses of your damn mind, offering a glimpse into how an OPSEC strategy should take shape against the backdrop of tools and adversary capabilities. And remember, no matter what research you conduct or guides/tips you come across, they might not fit your unique operations. So, how do you make this realistically work? Simple. Build your own OPSEC and execute drills that fit your operation. It shouldn’t take more than a few hours in most cases. Stay sharp, stay secure.