Presenting at DEF CON, Ryan Lackey and Marc Rogers, security researchers at CloudFlare, highlight various methods and helpful tools to avoid OPSEC failures.
Ryan Lackey: Hello everyone! I’m Ryan Lackey, and this is Marc Rogers. Unfortunately, our third co-speaker The Grugq is not here, as you can tell. I think he had some serious travel difficulties, much more than were anticipated, and there are some sketchy details, so I’m not really too filled in on it. But we have worked with him on this project for the last year and I have been in contact with him.
I actually work for CloudFlare, a company that does CDN, DDoS stuff. Marc works for Lookout, working on this as a sort of side project, fun thing. And The Grugq is an OPSEC consultant and has worked on a variety of cool projects.
Marc Rogers: I’m also the Head of Security here at DEF CON, so I apologize in advance for shouting at all of you.
Ryan Lackey: We are excited to be here and show off this cool stuff that we’re working on (see right-hand image). We are going to go over why you want to hide. We are using software to let you hide in network traffic. We are going to go over principles of operational security, which is really The Grugq’s main area of study, and he is pretty much the most interesting person in the field, taking how larger organizations learn about OPSEC and applying that OPSEC to the hacker community and to the activist community and also to other groups that don’t themselves have a huge intelligence potential. We are going to go over some serious OPSEC fails and what happens to people, and then how technical countermeasures are used against people; existing tools, countermeasures to those tools. And then we are going to bring in the exciting new technology, the travel routers, and how to use these things for safety. So, just to start, why would you actually ever want to hide? You are just doing normal stuff; we’re not really talking about helping people hide from doing all sorts of bad stuff – this is in your normal life. There are a lot of reasons why you would actually want to hide (see left-hand image). A lot of this has become much more clear in the last couple of years, especially post-Snowden, but even before that it was fairly widely understood, at least within this community. Part of it is to avoid sort of a global dragnet. You want to make sure that if somebody is monitoring all the communications, you are not sort of swept up in that.
Because the problem is, while you might be doing nothing at all wrong, somebody next to you, somebody you have a phone call from, somebody in any loosely connected way to you might do something – and due to how software works and scoring that plus another interaction plus something else, depending on where you live, could actually get you droned. Not just on a watch list, but signature strike or something like that. Really, it’s just none of your business. Why would you want to be monitored? It doesn’t benefit you in any way, so if you can avoid it you should possibly do it.
Marc Rogers: Or maybe you are doing something that you don’t want people to watch. Maybe it’s something illegal, maybe it’s just something that you want to ensure that you maintain OPSEC for your project, you want to maintain OPSEC for your company. People are actively trying to steal secrets, both for national security reasons and because they want to steal your secrets.
Ryan Lackey: And the crazy thing is people that were in various illegal activities knew this, people that were in the hacker community knew this. But now there’s a whole new realm of people that really need to worry about this kind of thing that you would never think of as spies or hackers or anything else. Journalists, people involved in any sort of activism in any sort of environment where their adversaries are well-resourced – these people have this as a serious concern now. And it’s kind of crazy and it’s sort of an asymmetric problem, where there are people that have problems now and don’t have the resources to defend themselves.
Marc Rogers: There are two very important takeaways that you can get from all of this. Number one, OPSEC is not new. We like to talk about OPSEC and information security as if this were a new thing that we have discovered. The reality is OPSEC is as old as mankind, and many of the techniques to protect OPSEC are just as old.
And the other one is that the tools and stuff we are talking about – there’s no rocket science here. We are talking about using existing tools, existing techniques. The difference is we’re packaging it together and showing you how you can use it in a seamless way so that you don’t have to think about it and you avoid that number one problem – human error.
Ryan Lackey: So, The Grugq has sort of distilled OPSEC into some basic principles, which are listed here (see right-hand image). We are not going to really go over them, but he has done this many, many times. Biggie Smalls actually had a great song about how drug dealers apply OPSEC to selling crack. It’s been analyzed by law professors and everyone else as pretty good actionable advice for people that are involved in any sort of activity. And it’s not just crack dealers that need this these days; it’s people that are involved in complaining about spying systems being installed to their local port system in Oakland, or people that are worried about companies and potentially boycotting them due to human rights abuses or, really, anything. So it’s a pretty universal problem that a lot of people have. But, on the other hand, what happens when OPSEC goes wrong? This is a photo from Somalia (see left-hand image), where the U.S. Marines were going in during Operation Gothic Serpent to intervene and try to distribute aid and food and stuff and get rid of warlords. They did an opposed beach landing, which they hadn’t really done since Normandy in World War II. It was a big opposed beach landing. Unfortunately, the media knew about it in advance. So they were doing this landing with a bunch of little rubber boats and everything else, with a bunch of journalists sitting there with cameras waiting for them on the beach, putting the thing live on satellite TV that all the warlords saw. That’s sort of an OPSEC failure. Nobody got hurt as a result of that directly, but it could definitely have gotten a lot worse.
Then we’ve got other examples of some basic OPSEC failures bringing down an organization that many people think was sort of a libertarian commercial market.
Marc Rogers: When you look at many of the big bust issues that have happened recently, you will see that the OPSEC failures behind them are basic, really, really basic (see right-hand image). Take, for example, Silk Road, the largest and most successful online contraband bazaar: over 957,000 user accounts, 9.5 Million Bitcoins ($1.2 Billion in transactions). The guy behind it, “allegedly” Ross Ulbricht, used his personal Gmail when setting up an account that he then used as the administrator, the “Altoid” account. He then used that “Altoid” account to post jobs advertising for people to come in and do coding for Silk Road and related projects. He also advertised Silk Road using the same account. He later on kind of caught up to this and he changed his Gmail to email@example.com. But once you’ve opened the door and you left information out there, the Internet doesn’t forget. It all becomes fruit of the poisonous tree, and everything you do from that point onwards is tainted. Next one, Sabu and LulzSec – even worse (see left-hand image). Sabu, skilled hacker, knew what he was doing, used Tor all the time, except every now and then he would forget and he would log into IRC. Just once is enough in this day and age. It used to be that you could get away with one mistake, but now in this world where it’s possible for people to wholesale capture and store, just in case there’s something interesting, that one mistake will hang you. Perhaps even worse than that, he also used his home address to use stolen credit cards, to buy car parts, and had them shipped to his home address. These kinds of OPSEC failures – really obvious. Not surprising he got busted.
Mark Karpeles – allegedly, we don’t know exactly what’s going on, but what we do know is that around the time that Mark Karpeles and MtGox had completely run out of money, there were wallets that he had used previously when proving that MtGox still had liquidity and had moved money into (see right-hand image). Those accounts were still around and active, and so people started looking at them. And guess what, you follow the chain and look to them – they still had money in them, way more money than he allegedly had. And, unsurprisingly, when people started talking about it, he miraculously found another pile of Bitcoins that he “didn’t know about”.