
...operational security, given by the author of [unclear], Mr. Zachary [unclear].

So, I work for [unclear] Labs, which is going to sound a lot less oppressive in a second. Anyway, [unclear] by night. We do secure development, mostly [unclear] integrity tools, but at the same time I work for Skillsoft, which is just around the corner, doing [unclear] work for them. I am easily the least qualified person at BSides here; I don't hold any formal certifications, and what I'm going to say today is mostly common sense. If it's not common sense, I'd encourage you to argue with me during the talk and maybe I'll learn something new.

That ties nicely into the standard boilerplate disclaimers. It's almost obligatory these days to say that my employer didn't approve this talk; I'm here under my own sort of recognizance. The other thing I really want to stress is that I'm neither a lawyer nor an accountant. I've studied law, I've studied finance, but I'm not a lawyer, and I'm definitely not your lawyer or your accountant. Some of what I talk about is going to sound a little bit like legal advice or financial advice; I would strongly encourage you to talk it over with an actual lawyer or an actual accountant.

Operational security is a weird term. Most people, when they think of operational security, think of it the way criminals or spies would think of it. You think of Jason Bourne with a safe full of fake passports and six different countries' currency. For most people that's overkill; it's actually ridiculous to use that much secrecy and deniability. For a lot of other people it's also an excuse. If you're going to a security conference, maybe not BSides, but if you're going to a lot of bigger security conferences, people tell you don't bring your real phone, don't bring your real laptop, bring burner devices that you can discard. That's also ridiculous.

A way better definition of operational security, circular though it may be, is that operational security is what you do to keep your operation secure. It's what you do to make sure that your business is going to work tomorrow the same way it worked today, the same way it worked yesterday, and so on in both directions. The reason secrecy doesn't work for most businesses is that most businesses aren't criminal. If you're that guy, you don't want anybody to know who you are, because that serves your purpose. But if you're Palo Alto, or you're me, or you're Microsoft, you want a reputation for doing your job well and doing it right. You want the hype that comes when you say you're going to announce a new product or service, and if you're wasting all your time being too secretive you can't build that reputation.

Freelancers are even more different from actual businesses. In an actual business, if somebody messes something up badly, you can fire that person. So if you're Bitfi and you came out and said you have this hardware wallet for Bitcoin that's unhackable, you got John McAfee to back it and did that whole mess, and then you did a really bad job with your PR and made all the security researchers unhappy with you, you can fire that PR person and maybe you'll survive. But if you're me, you can't fire the other guy, because you're your own PR guy. Additionally, in the freelance world your competition behaves a little bit more like criminals behave. Actual businesses, big companies, have these really scary things called lawyers, and lawyers are almost like the mutually assured destruction of business: if I have a big legal team and you have a big legal team, we're not going to cross each other. It's the same with people who don't have lawyers, because lawyers are expensive and getting into a legal battle over something is going to waste a lot of time and resources. The other side of that coin is that in the freelance world, freelancers themselves, and often their clients as well, don't have a lot of formal business training. They don't necessarily know what is or isn't an accepted practice, or even what is or isn't an illegal practice. I know I got into freelance security research because I like the security research part, not because I like the finance part. That's true of a lot of people in freelance: maybe you're a really good malware reverse engineer or something, and that's what you want to do; you didn't get into it to do TPS reports and so forth.

So now we know why freelancers are special. The zeroth step of any security model is to come up with the actual threats you're facing, because if you don't know what you're defending against, you're maybe going to put way too much effort into something you do need to worry about and not nearly enough effort into something you don't need to worry about. I think I said that, but there's really a very limited threat model for businesses. It's all of the bullets on this slide. Some of them look a little ridiculous, and some of them will even sound ridiculous when I say them out loud, like sabotage. You probably don't think of sabotage as being a huge risk to your business, but it's there, particularly in two special cases, which I'll talk about in a second: patent trolls and what I call the indemnity exploit are both a special kind of sabotage that can have a really big impact on your business. The same with identity theft. Everybody in this room has to worry about identity theft; if you're alive and you have a social insurance number in this country, you have to. But if you're in any kind of business, whether you're a freelancer or an actual business, you also have to worry about the identity of that business being stolen, which I'll cover. And of course you have your competitors. Your competitors would love you to go out of business. They would love to steal your IP, to get your client lists, to get really any useful information you have, because they want to sell more or less the same thing to more or less the same people, so if they can avoid doing all the legwork, so much the better for them. Last, no, it's not last anymore, I added a category: there's also scams. There are way too many scams for us to go into them in detail, but if you're a freelancer there are three you're going to run up against all the time, so I'll make sure to cover them. And then lastly, I added this slide specifically for security people: angry criminals. I'm going to talk a little bit more about what I mean by that. This is a very small risk, but if you think it's in your threat model you need to start thinking about it right away, because there are no do-overs in operational security. There's no starting again, short of completely burning your brand, but even then, nothing starts over.
So, sabotage. I mentioned first the obvious kind of sabotage, the Kitchen Nightmares kind, where somebody comes up and posts bad reviews on Yelp or Fiverr or whatever, saying you're terrible at your job. There's no security solution to that; the only real way to protect yourself against that is PR. There are security solutions to these two, though. The first one, the indemnity exploit, is kind of an interesting one, because I fell for it myself, which in another setting where I was less nervous might make for a funny story, but it will suffice here to just explain the exploit. Essentially, in Canada we have three varieties of law: one which is irrelevant to the conversation; civil law, which is speeding tickets, lawsuits and that sort of thing; and criminal law, which is the kind of law where if you break it you go to jail. Every freelancer who's been doing security work, penetration testing or anything like that, has in the standard agreement that you use at the beginning of each job an indemnity clause that protects you against liability. The problem is it only protects you against civil liability. So if you've been mapping the client's system and it goes down because it's terribly managed, and they're out a bunch of money for the downtime, that would be on the client because of your indemnity clause. But if you committed a criminal act, you can't indemnify that; that stays with you. What happened to me was that I had listed myself as doing this kind of work and I didn't vet my client enough, and it turned out they didn't have authorization to test the system I was hired to test against. Which meant that if I had gone forward with the test, and thankfully I didn't, I caught myself short and pulled up, if I had committed that I would have been in violation of not even Canadian law but American law, and I would have gone to jail, probably for a really long time, because the maximum penalties for CFAA violations are absurd. The good news is that just because you've listened to that story, you're already halfway insulated against that particular one. There are some more general solutions to the indemnity problem, which I'll talk about at the end, but just knowing that there's a difference between civil and criminal liability, you're more prepared to deal with that problem if it should arise.

The other kind of sabotage is the patent troll. There are way funnier and more interesting talks about patent trolling specifically than I could possibly hope to cram into this particular one, but what a patent troll is going to do is come along and find some aspect of a process, not necessarily your process, because you're not Microsoft, we don't make enough money to make going after us worth his time. He's going to find, say, that you have a software manifest, and then he's going to say that any technology that uses this previously unpatented concept is in violation of his patent, like WinZip, so now he's going to sue everybody who's using WinZip. Usually they lose, but they only lose because they're fought for a good long while; before any patent troll case goes to trial, people are just settling out of court. There are defenses against that as well.

With identity theft you have the classic kind: I steal your social insurance number, I get myself a mortgage, now I own a house, you don't own a house and can't buy a house because it looks on paper like you already own one, and I can walk away from the mortgage without any real fear of repercussion because it's not my credit score. Everybody needs to worry about that kind of identity theft. But as a business you're exposed to a second kind, which is somebody pretending to be [unclear] Labs or [unclear] Studio or McAfee, for whatever purpose. The simplest version of the scam I've seen is somebody literally sets up pretending to be your brand, or you personally, takes in a bunch of clients, walks away with the money and never does any of the work, so your reputation is just burned to the ground. You'll never work again, not in the same industry anyway. There's no technological solution to either problem; both of these problems are solved by vigilance. In the case of your personal identity, you can protect it the way your parents have always told you to protect it: don't post your street address on Facebook, keep your digital presence minimal. For a brand, really all you can do is know your rights in terms of copyright and trademark. What is legal and illegal isn't going to protect you, but what you can do legally to protect yourself is worth doing in case something does happen.

Your competitors, like I said before, want to steal your IP. That's everything, right? That's client lists, the proprietary way you came up with [unclear], say honeypots, or your particular special way of doing things, having the client list, having your list of active bids. If somebody knew every bid that I put out and just went around to all the same contract requests and put in another bid for 10% less, I'd never work again. So your competitors may or may not always be that aggressive. I would like to think that in the freelance world we see each other as much as colleagues as competitors, but this is still something you have to be worried about, because goodwill doesn't actually protect you against anything. Whether you trust your competitors in your field or not, you should still take every active measure available to you to prevent that, and there are quite a few that you can take to protect your information; we're going to talk about them after we're done with the threat model.

We also have scams to worry about. I mentioned that there are way too many to talk about in full detail, but there are three that come up a lot in freelance. The first, and kind of the biggest, because I feel like not enough people realize it exists yet, is the chargeback scam. If you use a payment platform, not to name names, but like PayPal or Stripe or whatever, most of those platforms have a mechanism where the client in the transaction can file a chargeback. They can say that the work wasn't completed, there's no proof the work was completed, give me my money back, and the payment platform will very helpfully just go and take that directly from you and give it to the client, and then eventually come after you for the difference. The defense against that is weak in a lot of industries, but in security we have an unfair advantage: we're mostly providing a service, and it's also really easy to prove we've done something. It's really easy to create, say, an entry in a program that you wrote for somebody that requires them to come to you after the fact and get an activation key, which would prove they received the file, and their request for that activation key becomes your proof of work. We also have brand theft, not as much as maybe full-size businesses do, but there's a risk any time you do business with anybody that you're actually doing business with one of those brand theft people who just wants to rip you off and take the money and has no interest in giving you the shiny new switch or the new cloud service that you wanted, or what have you. And of course we have the ordinary "people not paying you" type of scam, which is apparently worth mentioning because that's a risk in any business, but again, if you have something like an activation key requirement or other forms of copy protection on your work, you can at least make sure that they don't have full access to what they paid for until it's paid for.

Last, of course, we have angry criminals. This is, as I said before, a very, very small threat. There are only a few people, maybe in the whole world, that actually have to worry about bad men with guns, and it might not just be criminals, it might be any bad men with guns. But if you're in a certain subset of the security industry, if you're developing cryptocurrencies, payment systems, lottery systems, if you're involved in privacy technology in any way, if your favourite afternoon hobby is to shut down command and control systems for ransomware, there is a list of people you might make angry and have to answer to. There are really only two things to be said about angry criminals. The first thing is that if you really do feel like angry criminals are out to get you, you need a better weapon in your arsenal than anything I could give you. The second thing to remember is the zeroth commandment, which is: you will not [unclear]; whoever has the most money, whoever is the angriest, will win every time. So very little, it's worth mentioning, I was asked to mention it, but very little can be done to protect against this threat besides the same things you would do to protect against identity theft, which is fundamentally compartmentalization, especially social compartmentalization, where you break everything up into little boxes. Somebody might know you as the owner of such-and-such company, but they don't know you as the son of this person, the husband of that person, best friends with this guy. Then you also have legal and financial compartmentalization, which some people refer to as cut-outs, which has always bugged me, because again it's spy novel terminology and we're allergic to that, and then of course technical compartmentalization will help as well. The other two big tools in our cabinet are our ability to verify things and prove things, and, I couldn't think of a better term for it, copy protection: the idea that we can have control over a data asset.

So the first kind of compartmentalization to talk about is social compartmentalization. We live in an era where everything we do is online, and especially if you're freelance it's really easy to fall into the trap of working in public, for lack of a better term. You want a strong social media presence because, if you're working for yourself, that's how you get work. So there are two conflicting ideas when it comes to social compartmentalization. The first one is that your parents were right and you should never use your real personality on the internet, and the second is that all the Millennials are right and you can totally use your real personality on the internet as long as you do it in a sufficiently wise way. It's the idea of having different accounts for different purposes. So maybe I have a set of accounts that you can find really easily on Twitter and Facebook and all the rest, and that's going to be kept really clean and professional and it'll look really nice, but then maybe I also have another account under another name or a pseudonym, and that's where I go to do all the things one does on the internet that might get you a bad reputation, like arguing with people online or what have you. It's useful for a few different reasons. The first is that the harder it is to steal your identity, the harder it is to do anything: if I have a professional account with my real name on it, you can't use that to get my mailing address for any kind of banking mischief or anything like that. The other thing is that if I've locked all my political stuff into some pseudonymous sub-account that only a few friends know, I get to avoid what I like to call the Pogo problem. There was this [unclear] Pogo that we used to go and do a lot of work with, but then he took some incredibly unpopular political opinions and his career just kind of evaporated, because it turns out that if you make enough people angry, it doesn't matter what service you provide, they're just going to stop working with you. The same thing can happen in reverse. I've seen, especially recently, people taking a popular political position and working for Comcast or AT&T or whoever, and then the people who they annoy will go to Comcast, AT&T or whoever and demand this person's head on a plate, please, and nine times out of ten I've seen it work. So doing some of that compartmentalization makes sense, if only from a protect-yourself perspective, but it's also useful if you're in one of those sensitive fields and you feel that the bad men with guns are part of your threat model: maybe make the professional account a handle as well, and it's almost layers and layers of handles in a reciprocating kind of way, so that nobody who does compromise one account gets access to any of the others.

But of course we have fiduciary compartmentalization, which is legal and financial compartmentalization, the idea that you should break things up. And because I promised my buddy that there would be a mention of fake IDs in this talk, this is what I meant: if you have a few hundred dollars, if you have less than the value of this machine right here, you can go down to Service New Brunswick today and register a numbered corporation. Numbered corporations, and corporations in general, are this amazing financial liability tool, because corporations are, for a lot of intents and purposes, people. So you can have bank accounts in the corporate name, you can have assets owned by the corporation itself, and then in the absolute worst-case scenario, if something happens to one of those accounts, something happens to the corporation itself and it's compromised and you have to walk away for one reason or another, all that liability goes with the company. Now I'm not saying you should use that for nefarious purposes, people actually have, but in an absolute worst-case scenario, if you can keep your business and your personal finances completely separated using a tool like a corporation, then if you really do mess up, and the accounts you're using to do business [unclear], if something about that goes wrong, somebody gets those credentials and drains that account, you've at least only lost the business's assets. You still have all your personal stuff locked up safely away from anything anyone can get at. As I said, it's super cheap. I can't remember exactly how much it was, but it was well less than $1,000 the last time I did it.

Further, even if you're not going to incorporate, you should think about payment platforms. Most of us in this industry invoice often enough that you probably aren't going to be dealing in cash, but use a payment platform, use something like PayPal or Stripe or what have you. It's useful for a couple of reasons. The first is that the same policies that are letting your clients do chargebacks, there are additional policies in there that are also protecting you, and with those policies we essentially steal the reputation of PayPal, or whichever platform you're using, as being reliable. It adds a trustworthiness to you that randomly transferring money around might not. Alternatively, if you're particularly concerned with privacy, or you are for some reason allergic to the idea of using PayPal, you could use cryptocurrencies. I don't necessarily recommend it, but it is an option. A lot of freelancers do get paid pretty much exclusively in crypto. It's something to think about, and if anonymity is one of your concerns, it's pretty much your only option.

Lastly, as far as compartmentalization goes, you do have technical compartments to consider. I mentioned at the top the idea of a burner device, a laptop that you only use for work; that's kind of overkill. Having a phone that you only use with one client, and then you get rid of that SIM card and put in a new SIM card for the next client, that's absolutely ridiculous unless what you're doing is illegal. But there are still good arguments to be made for breaking things up into smaller boxes from the technical standpoint. So maybe if you have, for example, a presentation together, maybe you spin up a presentation account on the laptop that only has access to the directory with the presentation in it and your software suite, and then if you leave your laptop lying around in the conference hall, hopefully nobody can get up to too much nonsense in the five minutes you're in the hallway. There are more extreme examples of that. Some people use an OS called Qubes, which, really explaining it would be just a little bit too much to go into, but essentially for every application there is a VM, for every purpose. You could go about as extreme as you like: you could have it so that you have a VM with a browser in it that is how you do the banking for the business, that's possible, and then if the only thing that VM does is the banking, and that's the only way the banking is done, no amount of bad email coming in from clients or vendors or even spam compromising your main system is going to make too much of a problem for the banking VM. I personally find the user account kind of separation, where you end up having a work account and a play account on the computer, more useful, especially if you combine that with a minimum-privilege type model. So your work account, that you use to generate slide decks or to pull together projects for what you do for a living, might or might not need root depending on what you're doing; your goofing-off account, for the rest of the time when you're browsing YouTube videos, does not need root for any reason, and having it have root or local admin is just asking for trouble. Because if I have my entire client list sitting on this computer in one user's directory, and I click the wrong email sent to me by my competitor, now my competitor has my entire client list, assuming that you want to be that paranoid.

Then of course we have authentication, which is more of a Venn diagram than distinct categories, but it's the idea that you can either identify something or at least verify it. We want to know who we're talking to, even if that person is anonymous. If you do, say, [unclear] research, or if everybody you're dealing with uses a handle, you at least want to make sure that you're dealing with the person who properly uses that handle; you don't want to be talking to some impostor or random person. There are a few ways to do that. PGP is the way everybody wants us to do it, but I think I might be the only person who ever actually uses PGP, so I find a better way to identify people is a little bit of OSINT: get out there and shake the tree and see if their account actually looks like a lived-in account. A better way to do authentication, especially if you're contracting, is to verify somebody. Even if I can't prove that you are John Random Hacker, I can at least prove that you have control over the system you're asking me to test. If I had asked the client in the indemnity story to place a file somewhere on the server that I could go get and hash, that would have stopped the whole scam right there; he wouldn't have been able to do it, and I would have realized something was up.

Of course we have copy protection, which is sort of a bad term for it, but it's data integrity. There are two ways to go about data integrity. The first is to use your legal tools. Legal tools are useful, but they are not absolute; if laws were perfect protection none of us would be here, this would be a conference about something else. But you should still be aware that copyright law, trademark law and patent law all exist and may be applicable to protect your things, because if you've gone ahead and patented your entire process, not that it would necessarily be patentable, but if it was, nobody would be able to come in patent trolling by pretending to patent some sub-factor of it. Additionally, copyright and trademark law are there to protect you against brand theft. If [unclear] Labs is more than just a name and it's a registered trademark, you can go after people who are misusing it; if it's just a name, your protection [unclear]. Additionally we have locks, or sort of hard copy protection. Secrecy of method is a valid one, although I personally have always felt that nothing remains secret nearly as long as you think it does, so if you have a secret method, maybe don't rely exclusively on that. Actual copy protection obviously falls into this too, so we have encryption, both during communication and for data at rest: everything should be encrypted all the time, for any reason, whether it's in transit or just sitting on a hard drive. And last, and probably most importantly for avoiding the chargeback scam, you need proof of work, proof of access. Whatever it is that you do for a living, whether it's penetration testing or software development or something sort of in the mix, you need a way to be able to prove to the client, and to any interested third party, that the work was actually done. If all you're doing is delivering a report, maybe you need to log the server the report is downloaded from, to make sure you can show that the file actually was accessed and the client actually did go and get it, because otherwise you're leaving yourself open to somebody scamming you.
[unclear] skip. Nope, I'm already on the slide. Lastly, there is open source intelligence. For every blue team there is a red team, and in OPSEC it's the people who do open source intelligence that are our red team. So if you have OPSEC and you're really concerned that it's important, maybe you're scared that there are going to be angry bad men with guns, or maybe you're just curious to see how well you're doing, hire an OSINT contractor. Get them to give the tree a shake, go at your social media profiles and see if they can find the secret stuff you don't want them to. Because if somebody you pay finds your social insurance number listed online, that's one problem, and if they figure out your mother's maiden name so they can log in to your bank, that's one problem; a guy who does it maliciously isn't going to tell you that you had that problem. Conversely, it's also a useful tool for us. Within reason, as long as you stay within legal and ethical boundaries, a little bit of open source intelligence can go a long way toward identifying or verifying a client. If somebody comes to contract you for a major job but you can't find any trace of that person on the internet, maybe it's not worth your time to take that particular job, even if they do want to pay a deposit of [unclear]. Unfortunately, I know I'm considerably early, but that's actually the end of my deck, so thank you all for coming, and if you have any questions I'll be happy to take them.
[Audience question] Yeah, so I have a very limited amount of... I did a Commerce degree ten years ago, so a few classes in the business protections, and the impression that I always had was that incorporating provides some protection, but as a single person behind a corporation, if someone really wants to get at your assets there are ways that they can, if they want to lawyer up. So what are the protections that you're talking about that starting a numbered corporation to act as a front for your business provides you?

[Answer] You're actually absolutely correct: if somebody wanted to lawyer up they could crack that particular liability shield, as long as you can lawyer up better than Facebook. But what incorporating does, and in detail, it has been a while since I've done any business training myself, is more sort of financial and civil liability protection. If somebody is wronged by your corporation, they're wronged by the corporation, which means they can go after the corporation's assets and everything can be forfeit: everything wrapped up in the business, the corporation's earnings, can go away. The real classical example of this is, say, a bar with a nice patio on the street, and it freezes over, the weather, then somebody slips and breaks their leg. If they sue the corporation that owns the bar and win, they get potentially everything that the corporation owns, but the gentleman or gentlemen who own the corporation might be able to walk away, as long as it's not ridiculous. If you create the corporation in a way where all the assets are tied up [unclear], then a judge is going to look unfavourably on that, but if you're genuinely functioning as an employee of this numbered corporation, even if you're the only stakeholder, so you're the owner and the employee, which is legal as long as you're not collecting dividends and a salary simultaneously, there is little that can be done other than to take your ownership stake in [unclear].

[Audience question] Okay, so if you did want to do that as a form of protection...

[Answer] Sorry, right, yeah. I sort of implied in that conversation that you could just walk down to Service New Brunswick and do it yourself, and that's correct in the sense that you can go down and register the numbered corporation today, but you should absolutely talk to, at minimum, a lawyer and a chartered accountant.
[Answer] I mean, ideally, as with any form of OPSEC, you would start the security process before you start the operation. I'm a bad example, because I went into business and I'm trying to do this all retroactively, but ideally you wouldn't spin up these accounts... if you incorporate a corporation, you'd set everything up well before you take the first contract, so that you don't end up accidentally handling business through a personal account and tying everything back together. As long as it's tied together, there's no [unclear].

[Applause]
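The "place a file on the server and I'll go get it and hash it" check from the indemnity story, written out as an added example (this is editor-supplied Python, not code from the talk or from the speaker's company). The flow is: generate a fresh random token per engagement, hand it to the client, have them publish it on every host they say is in scope, and only treat a host as in scope once the file it serves hashes to the expected value. Everything here is assumed: the function names, the `/.well-known/pentest-authorization/` path, the `.example.test` hostnames and the in-memory stand-in for HTTPS fetches are all constructed so the example runs offline.

```python
"""Proof-of-control check before a penetration test.

Added example for this page; it is not code from the talk. It asks the
client to publish a random token on each in-scope host and only treats a
host as in scope once the published file hashes to the expected value.
Function names and the /.well-known/ path are this example's assumptions.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List, Optional

# A fetcher takes a URL and returns the response body, or None on any failure.
Fetcher = Callable[[str], Optional[bytes]]


def make_challenge(engagement_id: str) -> Dict[str, str]:
    """Create a fresh random token for one engagement.

    The token goes to the client once; the engagement record only needs the
    SHA-256, so a leaked record cannot be used to forge a passing file.
    """
    token = secrets.token_urlsafe(32)
    return {
        "engagement": engagement_id,
        "token": token,
        # Assumed location; any path both sides agree on in writing works.
        "path": f"/.well-known/pentest-authorization/{engagement_id}.txt",
        "expected_sha256": hashlib.sha256(token.encode()).hexdigest(),
    }


def verify_host(host: str, challenge: Dict[str, str], fetch: Fetcher) -> bool:
    """True only if the host serves exactly this engagement's token."""
    body = fetch(f"https://{host}{challenge['path']}")
    if body is None:
        return False
    digest = hashlib.sha256(body.strip()).hexdigest()
    # Constant-time comparison of the two hex digests.
    return hmac.compare_digest(digest, challenge["expected_sha256"])


def verify_scope(hosts: List[str], challenge: Dict[str, str],
                 fetch: Fetcher) -> Dict[str, bool]:
    """Check every host independently; one failure must not hide another."""
    return {host: verify_host(host, challenge, fetch) for host in hosts}


def authorized_targets(hosts: List[str], challenge: Dict[str, str],
                       fetch: Fetcher) -> List[str]:
    """Hosts that passed the check; anything else stays out of scope."""
    results = verify_scope(hosts, challenge, fetch)
    return [host for host, ok in results.items() if ok]


def fake_web(published: Dict[str, bytes]) -> Fetcher:
    """Constructed stand-in for HTTPS fetches so the example runs offline."""
    def fetch(url: str) -> Optional[bytes]:
        return published.get(url)
    return fetch


def demo() -> Dict[str, bool]:
    """Constructed scenario: one host publishes the right token, one serves a
    stale token from an earlier engagement, one has nothing at all."""
    challenge = make_challenge("eng-2019-07")
    path = challenge["path"]
    site = fake_web({
        f"https://app.example.test{path}": challenge["token"].encode() + b"\n",
        f"https://old.example.test{path}": b"token-from-a-previous-engagement\n",
        # partner.example.test publishes nothing: the "client" may not own it.
    })
    hosts = ["app.example.test", "old.example.test", "partner.example.test"]
    return verify_scope(hosts, challenge, site)


if __name__ == "__main__":
    for host, ok in demo().items():
        print(f"{host}: {'in scope' if ok else 'NOT verified, do not test'}")
```

Two caveats a practitioner would add. The token is per engagement and never reused, so a file left over from last year's test (the `old.example.test` case) does not pass, and every host is checked separately so that one verified host does not vouch for the rest of the list. And passing this check proves control of the host, which is not the same thing as authorization to test it: a client can control a box they are not allowed to have tested (shared hosting, a cloud provider with its own rules), so the written authorization the talk describes is still needed on top of this.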