
OPSEC for the Security Practitioner

BSides Charm · 2017 · 24:54 · 18 views · Published 2021-05
About this talk
Security professionals advise organizations on protecting their assets, but often neglect their own operational security. This talk covers practical OPSEC steps—from managing your digital footprint and securing personal devices to credit freezes and travel security—that reduce your attack surface and protect against identity theft and social engineering.
Original YouTube description

OPSEC for the Security Practitioner. In our industry we provide security advice to industry. But what about our attack surface? Here are some steps you can take to lower your profile.

Presenter: Michael Clayberg. Michael is a husband, father, musician, and inveterate computer geek. He's worked in the computer industry since the days of the mainframe and remembers when the IBM PC debuted. Back then he played punk rock. Now he plays bluegrass. He currently assists the government in securing web applications and cloud environments.
Transcript (en)

Okay, hello everyone. I'm going to do a talk about operational security for us. Everyone in this room probably does it for organizations, but we don't do it very well for ourselves, and we can't trust industry and government to do it, because either they can't or they won't. It is what it is.

So who am I? I came from the world of software development; now I do security work for companies and do other things. I play guitar, parent, ski, etc.

Okay, why am I here talking about this? This isn't a talk that I found because it was something I was passionate about. It's a talk that found me, because I kept getting letters saying that I'd been part of yet another breach. I was part of the Anthem breach, got that twice from two different employers, no doubt. OPM, which, if anybody was part of the OPM breach, there is nothing left to be breached about you as a human being; they have it all. Yahoo, awesome. LinkedIn. I didn't get hacked on the other stuff, but I imagine that was very embarrassing for those people who did. So I'm here to tell you some things you can do to make your life a little safer.

First, I want a quick show of hands: who here has done a security freeze? All right, we have a handful of people who are not sitting ducks for getting their identity stolen.

So if you're part of a hack, they send you a letter that says that they are going to offer you credit monitoring. Credit monitoring is terrible. All they do is promise to give you the essential telephone call that the barn's on fire, but the barn's already on fire. You know, your house is on fire; it's too late, too little too late. And they're not really liable, so if you get your identity stolen, too bad, they're not going to help you with it. So there's limited liability, and researching identity theft came up with some really astounding number of hours, because companies don't make it their business model to help you deal with identity theft. They make it their business model to harass you because they think you owe them money. So the goal here is to stay out of trouble.

Okay, so I thought about how to approach this, and I figured the best way to do it is pen test concepts, vulnerability assessment concepts. First thing you need to do is determine what the attack surface is, and we all have an attack surface. The internet knows all. There are companies who do nothing but collect data about you as individuals so they can resell it to advertisers, to people who are looking to open up credit in your name. So the goal here is to determine: what does the internet know about me? The answer was a lot.

But first, let's go with a cautionary tale. Don't be this guy. Okay, I should not know much about him except what I see on television or read about in the paper. So he registered a vanity domain. You can read it, if you can't... oh good, I put it up there: seanspicer.com. He's fixed this, but you know, you type in the whois, and what do we have here? We have his home address, we have his email address, we have his phone number. And someone I know created this graphic, because it's pretty awesome that you can find out this much information about him. The vice president's wife also registered a domain for something called Towel Charms. I don't know what that is, but anyway, you can look her up too. I believe she also has changed it to private, but if you just google "towel charms"...

So we're gonna check our attack surface. First thing we're gonna do is vanity searching. Open up a search engine and start looking for yourself. Look for your name, where you were born, social security number. Think of even things that you think should never be on the internet; your social security number, for example, should never be on the internet. And then set up a Google search alert for those things, because if anything shows up, if your social security number for example showed up on the internet, you'd like to know that.

Make sure your domain registrations are private. People forget about that stuff, man. You know, sometimes you might have registered it 5, 10, 15 years ago and you've long forgotten about what's on there.

Aggregation websites: there are dozens of these companies, and they collect all kinds of information about you. Some of it is highly accurate, some of it's wildly inaccurate. When I was doing it, it kept suggesting that my wife's name was Linda. My wife's name is not Linda. I don't know anyone by that name at the moment. When you find your information on aggregation websites, some of them make it very easy for you to opt out and remove your information; some of them are terrible at it. The worst require you to mail them a photo ID. I'm sorry, I'm mailing my photo ID to anybody? That's just stupid. But you can remove a lot of this information, and when you do, you start seeing that you don't appear as often or at all, and that's kind of the goal.

Social media: everybody's doing social media, and every social media company is terrible at protecting you, the individual. Minimize what can be seen and try to do the same for your family. I know that doesn't make you a very popular person at home when you try to convince loved ones that security is an important thing.

Then, domain registrations: if you've got to use one that isn't private, just tie it to a PO box or something else. Get a PO box that you can use for any registration that you're not certain you trust.

We walk around with cell phones in our pockets that contain everything about us: financial, who we know. If you've got email on it, it probably has all sorts of things about your employer, your personal life, and it's the one device that's going to be used for multi-factor authentication for most websites. Portable devices access cloud storage and social media, email, financial. These are all huge, serious points of failure.

The router you bought at Best Buy, chances are, is not configured for your safety. Google it, look for what the vulnerabilities are, and fix them. Close those dang ports that are open to the outside world.

Delete Facebook from your phone. Good lord, if you've ever read the terms of service, delete it. It can read everything you do. I'm not real wild about social media on phones in the first place, because phones have all your information.

Set up a periodic reminder to go through the privacy settings. They change them every two or three months. If you wait a year, it could mean that for nine months something was visible you didn't want to be visible, maybe your phone number, maybe your email address. And then test often. When you're googling yourself, also look at yourself with the site set to a particular thing, like google your name site:linkedin.com, and see what shows up. Make sure you're happy with what shows up. And remember always: you are the product, not the customer.

The next one might be pretty obvious, but really be careful when you log into things, and use a VPN if you don't trust a network. And be super careful about consuming everything from a single ecosystem. I know Apple and Google would very much like you to do that. The challenge with it is it becomes a single point of failure, where if your email address or account is compromised, they have access to virtually everything that's important to you. And if you want to look at some cautionary tales, just search for these three individuals, who all have had their lives pretty dang upended simply because somebody wanted their Twitter account.

And the last reminder on computing is that a desktop, that antique of the past, is always more secure than a portable device, because it isn't easy to steal, it doesn't have a microphone, it doesn't have a camera, it's stuck to the wall, it requires a power plug. And lastly, back everything up. I can't repeat that one enough. Store at least a backup of all your important stuff somewhere that isn't online. Don't trust cloud for everything.

So, are we all feeling a little better? I'd like to give you all a few more things we can do.

All right, implement a security freeze for all major credit bureaus. Credit is something that you only should be seeking a few minutes of the year. It shouldn't be something that is available 365 days, 24 hours a day, to the entirety of planet earth. If somebody does get your information and they open up an account in your name, you'll spend the next year or two trying to resolve that. Far better to simply put a freeze on your accounts. No one can open credit in your name, not even you. You can open it when you need to. So I bought a car a year ago: on the phone with my bank, told them it's going to get rejected, tell me which bureau it is. Walk over to my computer real quick, you go to the website, you put in a code, it comes back, the car loan's approved. Go back to the computer, log back in, turn it off. That's it. Real easy to get credit when you need it.

Encrypt all the things. If it gets stolen, think about what your phone has on it, what your laptop has on it, what your tablet has on it. Encrypt it. Laptop basic safety, of course, is keep them closed, tape over the webcams, turn on the OS-based firewalls. It's amazing how many things ship with a firewall but not configured to actually run.

And I love crowdsourced apps to get rid of spam calls. Mr. Number is freaking awesome; I went from getting four or five spam calls a day to none. Use unique email addresses for anonymous social media; you don't really want anonymous to tie back to you. Password stores: I love KeePass, there's others. Use them. The best password is one you don't know. Set it to the maximum, like entropy, 20 characters, all of it, you know, numbers, garbage characters, all of it. Install anti-theft devices on your mobile devices. Replace default phone apps with things that are more secure; I like Signal. And lastly, multi-factor authenticate all the things. If it has multi-factor authentication, please do it. There's no reason we should be living in a world where user ID and password are the only way to authenticate to things.

Browsers: go to Panopticlick. The EFF has this great tool that shows how unique your browser is, because that's what advertisers want; they want to know who you are. And there's all kinds of extensions that both block ads and also fuzz the results so that you appear to be somebody you are not. My favorite is the one that makes you look like you're on Windows XP even if you're using another operating system; that's a pretty cool one. uBlock Origin is great for getting rid of ads. Privacy Badger is a nice tool to obfuscate who you are. And if you're really paranoid, there's a whole bunch of other ones. Self-Destructing Cookies is pretty interesting: every time you leave a website, it just gets rid of the cookies that were placed on your computer. But the goal here is to be a little more secure.

Get a VoIP phone number. Use it for anything where you don't really trust something. Google Voice is one; there's a whole bunch of them. Alternate email addresses that are tied to the VoIP number, so that you can start to create a new persona for yourself for higher-risk situations. Use throwaway email addresses for low-trust accounts, event registration, etc. It also cuts down on the spam. Get a VPN for low-trust computing situations. That's a fantastic thing if you're staying in a hotel, you're in a Starbucks or something like that. You can't trust their network. Heck, you don't even know if you're connected to their network; you might be connected to that guy who's sitting a few feet from you who's man-in-the-middling all the traffic.

Travel. Travel's gotten really weird in the last couple of months, but I'll get to that in a minute. But you have to start thinking about security at borders now. You have to think about security from your own government, because they are asking for you to give them your devices so they can copy them. I can think of a hundred reasons why that would be a really bad idea, and your employer probably wouldn't like it much either. So there's things you can do. One is use a phone and a laptop particularly just for travel. Some companies even issue blank devices that you then configure when you get to your destination. YubiKey, alternate boot: you can use even a micro SD card to boot a laptop, so if they have your laptop and they open it up, all it's going to do is boot into an operating system that doesn't have any of your information on it; it's all being kept on the micro SD. And I've got to get... running a little short on time. Use a travel account, a cloud account for storage that you can access when you get to your destination, rather than keeping it on the device that you travel with.

I registered a domain to start storing all this stuff, because I couldn't find any one single location for information for yourself. There are a lot of websites that are designed for every aspect of organization security; I just couldn't find something that was useful for the individual. So I've got a bunch of things that I found that are helpful, and they're all on the website, which is opsec.solutions, and yes, that's a real top-level domain these days.

Again, back to the security freeze. In Virginia it's about ten dollars apiece, unless you've already been hacked, in which case you need to supply a police report from your identity theft, which isn't really ideal. And it doesn't work for children, so if you got hacked, your kids are still unsafe; people can open accounts in their names. And it doesn't work in Michigan; I don't know why.

And I've got a bunch of tutorials on how to remove your information from the internet. Personal security: there's a great book. It's written primarily with women in mind, but has a lot of great privacy tips for everyone. Creating personas for yourself, in order to better remain anonymous on the internet. The EFF has some great recent articles on what you can and cannot do as far as crossing the border, as regards your First and Fourth and Fifth Amendment rights, which is interesting. In a nutshell, your rights are awesome, but once you leave the United States the Constitution no longer protects you, and it doesn't protect you when you're returning until you get through customs. Identity theft stories, because man, when you read these stories about how somebody's entire life can be upended simply because a person got social engineered at a helpdesk somewhere...

All right, what still is a pain in the rear end? The government is really slow to move toward protection. Despite massive, rampant fraud, the IRS still hasn't figured out how to stop people from filing tax returns in your name and then sending the money to a place where you don't live. Mind-boggling. Voting records, property records, and things like that are public in most jurisdictions, so you remove your data from the internet and it's going to come right back, because that's where they get it from. And then the weak link is always still humans, because humans can still be socially engineered, so they're not going to always protect you, and they may reset your password and give it to someone who is not you. And humans click on all the things.

Does anybody have questions? Yes, in the back.

Is it just a DC-specific thing? Okay. You can't in Virginia; I do not know about other states. That's it. It still blows my mind that the IRS permits anybody to submit a tax return and they don't verify who you are. It just blows my mind. In the back.

I'm not that paranoid. People who are more paranoid than me don't have Facebook accounts. I know people who work for highly secure customers.

Yes, they can.

That would be correct. So there's a website called Name Check, which will be on the website, that allows you to type in a single thing and determine, across some 70 or 90 social media websites, where that is being used. You can both register yourself and never use it, so no one else can, not a bad idea, or you can see if anybody's trying to impersonate you. No, I haven't. Awesome. How do you spell his last name? V-A-Z-Z-E-L-L. Awesome, okay, I'll do that.

That is awesome advice, thank you.

Excellent.

And social media, public records that the government keeps: we'd have to convince Congress to do something about that. You can't lock that down. So if you own a house, you vote, in many jurisdictions those are public records. Virginia has it as well. That's a fascinating thing to do, if you're ever thinking about working for somebody or going into business with somebody: looking at their arrest record and their court case record. Very interesting.

You mean like a reputation-defending type thing? I have not. I have read both good and bad things, but in general, if they can lower the bad information further down in a search so that it doesn't show up on page one, it might show up dozens of pages down. I haven't used it, thankfully. Anybody else?

Ten dollars. No, lifetime. That's it. And in some cases it's not; the big three are ten dollars each, but once you do it, nobody can open a trade line in your name. That would be correct, but your existing companies can access your credit. So if you own a house, you have home insurance, they run a credit check on you once a year; they can access it. Your bank can access your credit, because you've already allowed them. Yes, ten dollars, that's it. Ten dollars. It's the biggest no-brainer. If you don't remember anything else I told you: credit freeze, ten bucks, just do it.

I think it's free, the time I've done it. Okay, okay. And again, how many times in your life do you ever apply for credit? It's not very often. Anyone else? Okay, thank you very much. I hope it was useful.