
The OPSEC of Protesting

BSides SATX · 2021 · 24:13 · 136 views · Published 2021-06
Style: Talk
About this talk
Title: The OPSEC of Protesting
Presenters: Ochaun Marshall
Track: In The Beginning
Time: 1400
Virtual BSides San Antonio 2021, June 12th, San Antonio, Texas

Abstract: IT both facilitates and complicates the human condition in the tradition of protesting. Activists and those supporting them need to be aware of the risks of social demonstrations. Here we dive into communication strategies for activists, as well as the basics of OPSEC. We discuss security hygiene in this context. We will also show these principles with case studies of the Civil Rights movement, BLM, the Hong Kong protests, election protests, and recent hacktivist attacks against Parler and Gab.

Intro (2 mins)

OPSEC basics (5 mins)
- Why is stealth mode necessary?
- OPSEC is the process of identifying what information can be gathered by the opposition and what measures can be taken to reduce the risk of exposure.

The Adversary (10 mins)
- Different strategies for different types
- Hostile vs Permissive Governments
- How interconnected the activist community is
- Tactics to monitor or shut down social movements

Tactics (6 mins)
- Basic security hygiene plays a good role here
- Controls implemented depend on risk tolerance
- VPN, encrypting data at rest and in transit, burner phones, MFA, strong passwords, selection of online platforms/communication tools

Conclusion (2 mins)

Speaker Bios: Ochaun Marshall
Ochaun (pronounced O-shawn) Marshall is a developer and security consultant with a background in computer science education and machine learning. In his roles at Secure Ideas, he works on ongoing development projects utilizing Amazon Web Services and breaks other people's web applications. When he is not swallowing gallons of the DevOps Kool-Aid, he can be found blasting Two Steps from Hell while hacking, blogging, and coding.
Transcript [en]

Hello everyone, welcome to Track Two from BSides San Antonio. Here we have Ochaun Marshall with The OPSEC of Protesting. Let me introduce Ochaun real quick: he is a developer and security consultant with a background in computer science education and machine learning. In his roles at Secure Ideas he works on ongoing development projects using Amazon Web Services and breaks other people's web applications. When he's not swallowing gallons of DevOps Kool-Aid, he can be found blasting Two Steps from Hell while hacking, blogging and coding. He's going to speak just a little bit about what OPSEC is, what a protester's threat model may look like, and OPSEC tactics. I'm really excited for his presentation. Here's Ochaun.

All right, hopefully I'm not muted. Welcome to The OPSEC of Protesting. Don't worry about taking screenshots or having to take notes; everything, and I do mean everything, I'm talking about is at tiny si opsec. That's my entire slide deck, as well as references and citations to all the research going into this.

So who am I? What do I do? I code, I teach, I hack. Like in the intro before, I am a full-time developer and a full-time cyber security consultant, and when I'm not doing either of those things I'm teaching people how to take over the world. So when I'm doing a penetration test I'm diving into networks and other people's web applications. I get to show up, show them their vulnerabilities, tell them that their baby sucks, and then go home. But that last part is really important. It's all fine and dandy if I find an exploit, but if I cannot explain in simple terms why a particular vulnerability would increase their operational security risk to my clients or customers, and to their customers I should say, then I really can't help them improve their security posture. So this talk is to help invite you into that same mindset from the perspective of an activist.

Last year I wrote a blog on the OPSEC of protesting. This was immediately after the George Floyd, Breonna Taylor, Ahmaud Arbery, Tony McDade and Dion Johnson protests, and this was a collection of advice I was handing over to some activist friends. I really focused in on the how: use MFA everywhere, encryption at rest and in transit, password managers, the whole nine yards. That's in line with my background and the security consulting part of it, but I didn't really focus on the why. And why is really important; why is critical. Why determines the risks, and that leads us to the appropriate countermeasures.

We're in a quiet moment now, but that doesn't mean that the government or some other institution isn't going to do something that you disagree with. So protesting is not just a right here in America, it's a responsibility, and societies that fail to adapt crumble and become stagnated or bureaucratic. The best feature of free and open democracies and republics is the ability to make pull requests. You can change society's source code, and once you're successful that change is merged into new legislative policy, new executive action or judicial reinterpretation of law. And you have to do this through pure, open and honest speech; that's the best way to get people to change minds and sway public opinion. My goal here in this talk is to arm you to the teeth, because as a human being you have the right to vocalize and present your opinion without the fear of going to prison, and I respect those rights regardless of the outcome.

Let's follow the principle here and get into OPSEC. OPSEC is the systematic and proven process by which potential adversaries can be denied information about capabilities and intentions by identifying, controlling and protecting generally unclassified evidence of the planning and execution of sensitive activities. The whole point of OPSEC is protecting yourself from threats by knowing and controlling evidence of your thoughts, plans and actions. There are no hypotheticals here; these tactics and thought processes are immediately practical. So say this with me: I-A-A-A-A, that is, I quadruple A. This is the five-step process of OPSEC. These steps don't have to be taken in any particular order, but any pre-thought and planning in a previous step will help you in subsequent steps. The first step is identification of critical information. Second is analyzing your threats. The third is analyzing your vulnerabilities. Once you've got threats and vulnerabilities you go to number four, which is assessing risk, and then finally the application of appropriate countermeasures. They all tie together real neatly.

So the first step: identify critical information. What exactly is sensitive information? I'll give you an example of what is not sensitive information, and that is my naked body. I shower at the local YMCA, so if you really want read-only access to me you just have to be male, make a commute and wake up at five in the morning. But knowing that information does not prevent me from being a cyber security professional; it doesn't prevent me from holding a job in IT. Also, these sorts of vulnerabilities are not exclusive to me. If you've taken a flight from 2009 to 2013 and you've gone through the TSA, remember those full-body X-ray backscatter scanner things that they had going on? Yeah. So my point is, people think that certain bits of information are critical, but they're not, and so what is critical depends.

I'll give you an example from the Department of Defense. According to the Department of Defense, anything about DoD activities, intentions, capabilities or limitations that the adversary seeks in order to gain a military, political, technological, economic or diplomatic advantage is critical information. So usually for a protester these are the sorts of things that are critical information: time and location, if you're consciously breaking the law; personal network or donor list. You may be really good at securing your perimeter and good on your OPSEC, but is your significant other? Is your grandmother? Do you sometimes go to your grandmother's house and use her Wi-Fi with a weak Wi-Fi password? So there's some risk there. Amoral and illegal activity of senior members: if you've got an activist organization and someone in senior leadership there is a convicted felon or is cheating on their wife, if that sort of thing gets out or gets leaked, then that poses some reputational risk to your organization. Ask any politician, for example. So you really need to identify critical information.

Then we go into the analysis of threats. If you're making any meaningful change to society's source code you will be opposed. Threats are any potential occurrence that can create an undesired outcome. Hurricanes are threats, but in OPSEC we mostly focus on people threats, and we call them adversaries. So who are your adversaries when you're protesting? You've got nation states, so you've got governments and law enforcement, but you also have counter-movement protesters. If you are protesting non-violently, your goal is to persuade the mostly inactive majority to your cause. Some people would put mainstream media as an adversary, and that's not necessarily the case. Most media outlets don't really care one way or another; they simply cater to certain demographics to continue retaining their attention and deriving them as a revenue source. Media only opposes you if you are boring or your goals and ambitions run contrary to the revenue streams.

So now that you know who your adversaries are and are not, now you need to dive into what your adversary's intent and capability is. From there you can derive the adversary's goals. Some adversaries want complete subjugation of your people group, some want full-on genocide, others just want to maintain a nice status quo. So usually the goals of an adversary are to limit or suppress or stop any of the goals of protesters. If you do engage in a protest the goals could be influencing a court decision, influencing local and national elections, or putting pressure on certain institutions; the list can go on. An adversary's goal is anything that shuts down any of that.

So what tactics does the adversary use? Infiltrators are a real good one. Thurgood Marshall leaked information to the FBI about NAACP activities to weed out communists in the 50s or 60s. Nowadays when you have a large protest, you notice that as the crowd builds up to a couple hundred to a thousand people, someone will all of a sudden throw a brick or a molotov and chaos disseminates from there. So violence is also another tactic. Just because you're protesting peacefully doesn't mean that counter-protesters are necessarily protesting peacefully; they may try to egg you on and try to provoke a response, which will be captured by the media, and then that narrative will be spun. Now surveillance is another good tactic that the adversary or your threats will use, and that leads us to the next question of a real threat assessment, and that is: what does the adversary already know about the mission, and what is already exposed? There may be a police or army presence at a protest because the date and location was leaked ahead of time, or maybe they've got hold of this presentation late and some vital information about how your organization runs and functions, maybe who's who in your leadership. You have to plan around what your adversary already knows. And the level and the extent and the tactics of your threats change depending on who you've assessed as a threat. In the United States, for example, being arrested as a protester is pretty benign compared to being a Hong Kong protester against the Chinese government. So you really need to focus in on and adjust your strategy not only based on the tactics of your threats but on your actual threats themselves.

Now we go into the analysis of vulnerabilities. Here a vulnerability is just the absence of, or a weakness in, an asset safeguard or countermeasure. Flaws, errors or limitations within your organization or tech stack are vulnerabilities, and your adversary is going to be collecting critical information, examining it and then acting on it. So you have to take inventory of your organization and the technology that you use to communicate. We could take the hacktivist attacks on Gab and Parler, for example. I wouldn't call Parler a hack, simply because everything that was grabbed in that attack was public information. There wasn't any rate limiting on the platform, so when attackers got on they just simply scraped all the public posts. Gab was actually malicious; it was SQLi, but the reason why the attacker got in was because the source code for the platform was publicly available. So you've got to analyze your platforms. You also have got to analyze your people assets as well. The interconnectedness of an activist community, both online and off, is an asset and a vulnerability. The Navy has a phrase, "loose lips sink ships," and this is true for activists as well. So my advice here is make sure that sensitive communications and planning of the inner workings aren't out on the open internet. You use social media and the public forum to get the word out, but you don't have any critical information out there and you don't show your hand immediately.

One thing I would like to add is you may not have an immediate vulnerability, but you may have some leakage of OPSEC indicators. What OPSEC indicators are: it's not critical information in and of itself, but if your adversary gets this piece of information, maybe a secondary piece of information and a third piece, and they tie it together, then all of a sudden they have critical information. So a vulnerability could leak not just critical information but those little side-channel bits of information that can be collected together.

Now we go into risk assessment. The risk is the probability that a threat will exploit a vulnerability to cause harm. In information security we have this famous formula: risk equals threat times vulnerability. So if you want to reduce your risks you either address your threats or you address your vulnerabilities. Now as a protester you are not going to eliminate your threats, but you can mitigate them, and you do that by denying access to OPSEC indicators or denying access to critical information. For vulnerabilities, every vulnerability within your organization that you identify and address also reduces your risk. So blocking information and addressing vulnerabilities; this could be as simple as just patching your system. If you haven't been keeping up with patches on the operating systems or the devices you use, then, well, they wouldn't be zero-day exploits anymore, but new, fresh exploits can be used to identify your information and used against you.

So now we're cooking; now we're on the final step, which is applying the appropriate countermeasures. Hopefully you've identified all the vulnerabilities that you can in the beginning, and now you can start to rate which vulnerabilities you address by the risk. The risk, again, is the probability that a threat can exploit a vulnerability. From there you can have a priority of: okay, this is absolutely critical, there's a high chance that it will be exploited, therefore we need to address this first because it's game over if the adversary gets hold of this. And the lower risks, we can be aware of them, but we really need to allocate our resources to the things that are more critical. Again, we can start to address these risks in priority, and the OPSEC steps aren't ironclad in a specific order, but any thought and processing that we do in previous steps will apply to later steps. So when we're applying countermeasures we need to assess what is a good countermeasure. Any good countermeasure would actually lower the risk, duh. The second thing that we need to know about a good countermeasure is that the countermeasure itself should not lead to a leakage of OPSEC indicators or critical information; then it's not an effective countermeasure. And then finally, and this is where it all ties in, the cost of the countermeasure must be less than the risk of the threat exposing or exploiting a vulnerability.

We'll take an example now that you're armed with this information. We go with burner phones, right? Burner phones are actually pretty useful in staying anonymous in large crowds, but they have their own cost associated. First of all, did you buy that burner phone with a credit or debit card? Are you using it at home? Are you using that burner phone in proximity to your real phone? Brian O'Connor, as part of his DEF CON talk, shows you how you can associate those bits of information and then expose you. So every security control is like that; you really need to work on configuration with it to make sure that you're implementing it properly. Tools that are useful and pretty easy to implement, so you don't have to throw away your phone instantly, are the same sort of security hygiene tools: password managers; making sure that your password isn't a 2020 catchphrase that you use constantly, "2020" with an exclamation mark; making sure that you use VPNs; multi-factor authentication on all your online accounts; and setting things up on your device so that you use encryption at rest. You've got to be calm and you've got to think through how best to address the risk by priority. Also, join infosec; we have cookies, and we have a lot to teach you on how to be paranoid.

So in the beginning of the talk I promised you the how, and that we would explore the why as we went through the how. The how is OPSEC: it is using the five steps, identifying critical information, analyzing your threats and vulnerabilities, addressing your risks and applying appropriate countermeasures. Now that's the how, and that leaves us with the why. I can't give you your why, but I can give you mine. I'm here because someone made a pull request. It took planning, it took ingenuity, it took caution, and I want to empower you to make your own. You can change the world for the better. Thank you.
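The five steps and the three tests for a good countermeasure that the talk describes can be written down as a small risk register. The following is an added example, not code from the speaker or the talk: it scores each piece of critical information as threat times vulnerability, orders the register by that score, and accepts a candidate countermeasure only if it lowers the risk, does not itself leak OPSEC indicators, and costs less than the risk it addresses. The register entries, the candidate controls and all the probability and cost figures are constructed for illustration; the burner-phone and grandmother's-Wi-Fi entries are taken from the talk's own examples.

```python
"""Added example (not from the talk): a toy OPSEC risk register.

Steps 1-3 are the fields of a Risk, step 4 is Risk.score, step 5 is
evaluate()/select_countermeasures(). All numbers are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Risk:
    """One piece of critical information (step 1) rated for threat (step 2)
    and vulnerability (step 3) on a 0..1 probability scale."""
    name: str
    threat: float         # likelihood the adversary goes after this
    vulnerability: float  # likelihood the weakness can be exploited

    @property
    def score(self) -> float:
        # Step 4, the talk's formula: risk = threat x vulnerability
        return self.threat * self.vulnerability


@dataclass(frozen=True)
class Countermeasure:
    """A candidate control for one named risk (step 5)."""
    name: str
    risk_name: str
    residual_vulnerability: float   # vulnerability left once the control is in place
    cost: float                     # effort/exposure of the control, same 0..1 scale
    leaks_indicators: bool = False  # does the control itself leak OPSEC indicators?


def prioritize(risks: List[Risk]) -> List[str]:
    """Names of the risks, highest score first: the 'game over' items lead."""
    return [r.name for r in sorted(risks, key=lambda r: r.score, reverse=True)]


def evaluate(risk: Risk, cm: Countermeasure) -> Tuple[bool, str]:
    """The talk's three tests, in order, with the reason a control fails."""
    residual = risk.threat * cm.residual_vulnerability
    if not residual < risk.score:
        return False, "does not lower the risk"
    if cm.leaks_indicators:
        return False, "leaks OPSEC indicators"
    if not cm.cost < risk.score:
        return False, "costs more than the risk it addresses"
    return True, "accepted"


def select_countermeasures(risks: List[Risk],
                           candidates: List[Countermeasure]) -> Dict[str, Dict[str, str]]:
    """Map each risk name to {countermeasure name: verdict string}."""
    by_name = {r.name: r for r in risks}
    verdicts: Dict[str, Dict[str, str]] = {r.name: {} for r in risks}
    for cm in candidates:
        _ok, reason = evaluate(by_name[cm.risk_name], cm)
        verdicts[cm.risk_name][cm.name] = reason
    return verdicts


# Constructed register: values are illustrative, not measurements.
RISKS = [
    Risk("protest time and location", threat=0.9, vulnerability=0.8),   # 0.72
    Risk("donor list", threat=0.6, vulnerability=0.5),                  # 0.30
    Risk("planning over grandmother's weak Wi-Fi", threat=0.3, vulnerability=0.9),  # 0.27
]

CANDIDATES = [
    Countermeasure("end-to-end encrypted planning chat", "protest time and location", 0.3, 0.2),
    Countermeasure("ask attendees not to post photos", "protest time and location", 0.8, 0.05),
    Countermeasure("burner phone bought with a credit card", "protest time and location",
                   0.4, 0.3, leaks_indicators=True),   # the purchase record ties it to you
    Countermeasure("burner phone bought with cash, never near the main phone",
                   "protest time and location", 0.4, 0.5),
    Countermeasure("MFA on donor database accounts", "donor list", 0.2, 0.1),
    Countermeasure("replace grandmother's router and rekey Wi-Fi",
                   "planning over grandmother's weak Wi-Fi", 0.1, 0.4),   # more than the risk is worth
    Countermeasure("VPN on devices used at grandmother's house",
                   "planning over grandmother's weak Wi-Fi", 0.4, 0.1),
]


if __name__ == "__main__":
    for name in prioritize(RISKS):
        risk = next(r for r in RISKS if r.name == name)
        print(f"{risk.score:.2f}  {name}")
        for cm_name, verdict in select_countermeasures(RISKS, CANDIDATES)[name].items():
            print(f"        {verdict:40s} {cm_name}")
```

Running it prints the register in priority order with a verdict per control: the credit-card burner phone is rejected because it leaks an indicator even though it would lower the risk, and the router replacement is rejected because its cost exceeds the small risk it addresses, which is exactly the cost-versus-risk test the talk ends on.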

All right, thank you. Thank you so much for BSides San Antonio, really appreciate it, Ochaun. All right, for those of you in the audience, you can submit questions to the Crowdcast platform; you can also submit questions to the Discord channels. We're in Track 2, In The Beginning. If we don't have any questions come in, we'll transition over to the Track Two breakout, where Ochaun will be available. Ochaun, I really appreciated this talk. I loved the context of civic responsibility and how OPSEC kind of relates, giving an OPSEC perspective to a mandate, or an innate need, to change society for the better. So I really appreciate that. Thanks. Yeah, thank you, thank you, and thank everybody who attended. We've got a great presentation; thank you, Ochaun, from SA Radio Club. Thank you. All right, I'm going to end the broadcast here; we'll transition over to Track 2 breakout. Thanks again, Ochaun. All right.