Thoughts on operations security for the masses

by Peter Müller, September 4, 2020


The last post discussed a secure configuration of the IPFire firewall engine and, like all previous posts of this series, dealt with a certain aspect of IPFire or of information security in general. Although this is undoubtedly an important aspect of IT security - perhaps the most important one - it is worth looking beyond it.

Therefore, this post focuses on operations security (commonly abbreviated as "opsec") and its importance for the masses. We will learn how infosec and opsec affect each other, why opsec should play a role in everybody's life, and what it can look like in practice. Depending on your adversaries and threat level, this post might be too paranoid or not paranoid enough - the author would like to apologise for both cases. Also, it is not directly related to IPFire; however, the author assumes that IPFire users are more security-conscious than the average internet user.

Disambiguation

"Operations security" originally comes from the military. Although the term was only coined by the US military during the Vietnam War in 1966, signs warning of potentially tapped phone lines already existed in World War I. Virtually all parties involved in World War II used similar campaigns to raise awareness of spies among the population, with striking statements such as "loose lips might sink ships" or "the enemy is listening".

Nowadays, opsec is commonly paraphrased as the process to identify and protect information which might, if aggregated with others, leak critical details of an ongoing or planned operation, involved persons, their organisational structure and their real identities. Countermeasures to protect those or reduce their criticality might be both technical and non-technical.

While the conventional definition includes considerations against specific threats, vulnerability and risk analysis as well, this post is based on the more general definition given above.

Why operations security matters

Even though the term is still strongly reminiscent of war and military operations, operations security has become more and more important to management bodies and senior staff as industrial espionage has increased. Obviously threatened individuals or communities such as human rights activists, investigative journalists, victims of domestic violence or regime critics (and, consequently, the organisations behind Advanced Persistent Threats (APTs)) usually rely on opsec as well, sometimes without being aware of it.

However, very few of us are likely to belong to these groups, so why should an average person care about opsec in daily life?

The answer is twofold: First, future threats and adversaries are rarely predictable. Most information disclosed does not look worth protecting in the first place, but might later be used against its source. Catchy examples are party photos on social media that later raise uncomfortable questions in job interviews, or soldiers who inadvertently reveal details of covert missions by using smart fitness trackers. Imagine your employer becoming subject to industrial espionage, future governments being repressive, or similar changing circumstances: As mentioned in an earlier post, it is impossible to restore the confidentiality of disclosed information - however, until they are directly affected, most people do not seem to notice.

Second, we all have adversaries. Those might be obvious, such as competing companies, but ultimately, the author considers mass surveillance to be a threat to every single person, especially when it comes to surveillance abuse. For about two decades, we have seen global surveillance states emerging (among the biggest are the USA, China and Russia), "exporting" privacy threats, (self-)censorship and oppression worldwide. An attack on our privacy also impacts the privacy of the people we communicate with.

While it might seem a bit far-fetched to consider them adversaries in terms of opsec, it can be quite useful to combine opsec and privacy protection, since their ultimate goals are about the same.

Disclose information on a need-to-know basis

Since you cannot know about future attackers, their motivations, or security incidents at companies that have access to your data, the only thing left for you to do is to disclose as little information as possible to anybody at any time.

Do not participate in social media (the author continues to be surprised how easy it is to get confidential information out of them), not even with private accounts. Their content is still visible to the social media operator itself, and could be disclosed to the public due to software bugs or misconfigurations.

If you take pictures of places, relatives, friends or yourself, do not publish them - they might leak sensitive information through their metadata or be used for targeted phishing campaigns. In fact, companies such as Clearview AI or PimEyes were recently convicted of scraping image files on the web in order to build face databases.
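As an added example (not code from the original post), the following Python routine checks whether a JPEG carries an Exif GPS pointer and strips all APP1..APP15 metadata segments before a picture is published; the sample JPEG bytes are constructed inline and are not a real photo.

```python
import struct

GPS_IFD_POINTER = 0x8825  # Exif tag in IFD0 that points to the GPS sub-IFD

def _segment(marker: int, payload: bytes) -> bytes:
    """Build one JPEG marker segment: FF <marker> <2-byte length incl. itself> <payload>."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

def _constructed_exif_with_gps() -> bytes:
    """Minimal big-endian TIFF/Exif block: IFD0 -> GPS IFD holding GPSLatitudeRef 'N' (constructed)."""
    gps_ifd_offset = 8 + 2 + 12 + 4  # GPS IFD sits right after IFD0 (one entry)
    ifd0 = (struct.pack(">H", 1) + struct.pack(">HHII", GPS_IFD_POINTER, 4, 1, gps_ifd_offset)
            + struct.pack(">I", 0))
    gps = struct.pack(">H", 1) + struct.pack(">HHI", 0x0001, 2, 2) + b"N\x00\x00\x00" + struct.pack(">I", 0)
    return b"Exif\x00\x00" + b"MM\x00\x2a" + struct.pack(">I", 8) + ifd0 + gps

# Constructed sample file: SOI, APP0 (JFIF), APP1 (Exif with GPS), SOS header, fake scan data, EOI.
SAMPLE_JPEG = (b"\xff\xd8" + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
               + _segment(0xE1, _constructed_exif_with_gps()) + _segment(0xDA, b"\x00")
               + b"\x12\x34\x56" + b"\xff\xd9")

def iter_segments(jpeg: bytes):
    """Yield (marker, start, end) for each marker segment up to and including the SOS header."""
    pos = 2  # skip SOI
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xD9:
        marker = jpeg[pos + 1]
        end = pos + 2 + struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, pos, end
        if marker == 0xDA:  # entropy-coded scan data follows; no more plain segments
            return
        pos = end

def exif_has_gps(jpeg: bytes) -> bool:
    """True if an APP1 Exif segment contains a GPSInfoIFDPointer entry in IFD0."""
    for marker, start, end in iter_segments(jpeg):
        if marker != 0xE1 or jpeg[start + 4:start + 10] != b"Exif\x00\x00":
            continue
        tiff = jpeg[start + 10:end]
        bo = ">" if tiff[:2] == b"MM" else "<"  # TIFF byte order mark
        ifd0 = struct.unpack(bo + "I", tiff[4:8])[0]
        count = struct.unpack(bo + "H", tiff[ifd0:ifd0 + 2])[0]
        for i in range(count):
            off = ifd0 + 2 + 12 * i
            if struct.unpack(bo + "H", tiff[off:off + 2])[0] == GPS_IFD_POINTER:
                return True
    return False

def strip_metadata(jpeg: bytes) -> bytes:
    """Drop APP1..APP15 (Exif, XMP, IPTC, ...); keep JFIF, tables and the image data."""
    out, tail = bytearray(jpeg[:2]), 2
    for marker, start, end in iter_segments(jpeg):
        if not 0xE1 <= marker <= 0xEF:
            out += jpeg[start:end]
        tail = end
    return bytes(out + jpeg[tail:])  # scan data and EOI follow the SOS header unchanged
```

Real-world files also hide location data in XMP and IPTC blocks, which is why the stripper removes every APPn segment rather than only the Exif one.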

In the author's opinion, this is especially interesting with regard to blanket data retention, which the ECJ declared invalid in 2014. However, if people continue to share their information voluntarily, especially - but not only - on social media, we have gained nothing. As long as it is legal, or at least without consequences, to simply transfer data to regions with laxer data protection regulations in order to process it there in a way that would be illegal in the region of origin, this also counteracts the intention of the GDPR.

If there is no technical reason why something or somebody needs, for example, your correct date of birth, do not put it in.

Never reveal where you are, who you work for or what you are going to do - this goes for technical details as well. Keep in mind that this involves your employer, too: Nowadays, many companies strive for a modern appearance, often publishing details (names, departments, sometimes even pictures) about their employees. While this makes them appear in a positive, more personal and customer-caring light, it further expands their attack surface towards their employees (spear phishing comes to mind) - who are already the weakest link in terms of IT security. The author therefore believes that keeping professional activities secret makes sense for both employees and employers.

It has become hard to leave as few traces as possible in daily life. Discount offers or bonus programs often require customer accounts, thus making it easier to correlate personal information and consumer behaviour. Credit card companies observe a significant amount of one's monetary flow. Data exposed to advertising corporations reveal our habits, our health, our worries. Imagine that information falling into the wrong hands (such as intelligence agencies buying it to bypass legal restrictions), or simply becoming public - for example, due to security incidents.

Mobiles: Information leak with phone functionality

When it comes to both security and privacy, cellular networks redefine the meaning of "low end". Leaking your location by design, being (intentionally) vulnerable to downgrade and Man-in-the-Middle attacks while requiring closed-source baseband processors and SIM cards running their own (vulnerable) operating system, they are probably the most insecure way to communicate with each other by electronic means still in operation today.

The fact that designing and manufacturing cell phone spy tools is a separate industry says a lot about the drive to make cell phone networks secure. Best known are so-called IMSI catchers, which are supposed to be used by law enforcement agencies and intelligence services. They are often capable of exploiting countless security vulnerabilities, some of them design flaws, and little is known about how exactly they work.

Looking at various operations security failures (such as the CIA's "Italian Job", a network of Lebanese informants uncovered by Hezbollah in 2011, or the same terrorist organisation killing Rafic Hariri in 2005), it becomes clear that it is practically impossible to use a mobile phone in everyday life without giving telecommunications companies, affiliated third parties (such as advertising corporations) and law enforcement agencies detailed insights into your own life. Giving up smartphones does not help either, as simple mobiles are still vulnerable to SIM- or baseband-processor-related attacks and continue to leak metadata. Especially in wealthy areas with a high smartphone penetration rate, they also stick out like a sore thumb.

Metadata is no small matter. The NSA kills people on this basis.

Therefore, the author strongly recommends avoiding mobile phones and cellular networks at all costs.

Do not use biometric authentication

Using biometric characteristics such as a fingerprint, an iris or even the entire face in order to authenticate is quite popular today, since they are easier to use, require less input on the tiny displays of mobile devices, and are assumed to be very secure.

While the latter depends on the sensors' quality, their liveness detection, and usually several other circumstances, it is often neglected that biometric authentication lacks protection against several abuse scenarios, such as people involuntarily unlocking devices held in front of their face, or being forced to press their finger onto a fingerprint reader.

Worse, biometric characteristics are effectively public data: You leave your fingerprint pretty much anywhere, so it is trivial to copy. Even worse, biometric characteristics are impossible to change.

To summarise: Biometric authentication means to authenticate people by publicly available, unchangeable information. Even in an ideal world you can tell that this is a very bad idea.

As mentioned at the beginning, operations security also involves non-technical countermeasures. When it comes to biometrics, this includes dress style and appearance: For example, tattoo-based recognition, identification and automated understanding of their meanings is under active research in both the USA (NIST, FBI) and Germany (Fraunhofer IOSB) - and probably other countries as well. While it looks chic to wear clothes with prints from conferences you attended, products you bought, or similar, they are effectively information leaks, making identification much easier.

You do not decide what information you disclose - attackers do

As they say, a thousand straws in the wind may or may not make a rope together. This decision is not even up to you: you do not decide what information you disclose, only what information you intend to disclose. Ultimately, attackers make the former decision, and people are rarely aware of this.

Keeping operations security in mind and acting accordingly is laborious, time-consuming, and often goes along with a loss of comfort. If you are already used to it for professional or private reasons, this is not news for you. Otherwise, consider operations security becoming a part of your daily life - it might pay off later.

A secure configuration of IPFire's Intrusion Prevention System is the subject of the upcoming post.