DEF CON 29 Recon Village - Ritu Gil - So You Want to OPSEC, Eh

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

hey everyone thank you for joining me today my presentation is called so you wanna opsec before we start just a little disclaimer i'm not here on behalf of any organization and anything i say are my beliefs and not represented about the canadian government i'm here to talk about operational security from my perspective as an austin investigator so osun is open source intelligence which is information that is collected from publicly available sources we ocean investigators will find a ton of digital breadcrumbs that help with our research but i'm here to show you the privacy side of why this should matter to you it doesn't mean that you have something to hide because you're a bad person but it's sometimes about a bad actor having ill intentions and you could be targeted for something like identity theft so i hope by the end of this talk the why you should care question should be answered let me introduce myself my name is ritu gill i'm an intelligence analyst with a total of 14 years with the canadian government specifically law enforcement 12 of those years was with the royal canadian mounted police which is canada's national police force i am an uh ocean enthusiast you can find me a lot of places online including twitter where i go by the handle oh scent techniques i have a website which is at oceantechniques.com this is the overall agenda of my talk i'll cover the definitions of opsec and threat modeling then cover sharing content and how it can expose your information online i'll cover poor opsec because these are learning opportunities for us and then i'll move into ways on how you can stay secure and resources that may help with discovering your digital content and then go into how we can remove some of this content as well so what is opsec it's a term from the us military that stands for operational security the purpose of opsec is to deny adversary information that can compromise emission so the objective is to prevent sensitive data from falling into the wrong hands i want to introduce another concept here people will sometimes say opsec when they actually mean persec which is personal security and it is a way to identify control and protect information about your personal security and life and for the purposes of this talk i'm addressing behaviors that impact both opsec and persec so you don't need to be in the military to have opsec or per sec apply to you it works both ways examples someone could use the information you're sharing online and do something nefarious like break into your house when you're on vacation or if you're part of military or law enforcement and you post things online that could compromise the current location of your troop so the sharing of this data in our online lives can have a huge impact some questions to think about when what we can ask ourselves is what can an adversary or a bad actor gain from looking at our online footprint that's a great question so where do we expose ourselves online or where do we expose ourselves too much and then how can we minimize these risks these are questions to help make our assessment for you having better opt sex might mean preventing bad actors from identifying you online or knowing where you live and work so what is your threat model well a threat model first it's a method of evaluating security and privacy risks in order to strategically mitigate them so everyone's threat model will look different depending on who you are and what you do but to define your threat model you can answer questions such as what information you want to protect what are your assets what are you doing now that expresses exposes you online who might want to gain this access uh so who is your adversary where is that information stored online and available that's a good question all those different platforms and apps and things we use and then lastly what can we do about this so what are those mitigating factors like what can we change in our behavior to prevent leaks of data so when you conduct an assessment like this it's a good reminder of how our online activity can impact us you may move into a new job role where you need to reassess your threat model that's why it's important to think about this often and reassess as necessary just remember this risk factors will include you and what you do online but they also include your family members your associates your friends colleagues that can inadvertently expose you online so let's talk about sharing it is easy to accidentally share information online at times in this example on the left you'll see lisa kudrow who accidentally reveals her computer password that was written on a post-it note she then takes a selfie and she posts it on instagram where people um identify that hey like you posted your password that's that's really poor opsec um and then on the example on the right you'll see a photo posted by lapd which shows in the background information um their login information for a software they were using at the time so the moral of the story is think twice before you post if you're considering posting images or photos make sure it doesn't include sensitive information in that background but we humans we do make mistakes but it's important that we can learn from others like in these situations so here's another example of how people will leak information about themselves um so these are those social media quizzes some people like to call them i just call them social engineering questions people keep answering and it's a prime example of over sharing so answering questions where they'll say hey what are your siblings names what's your favorite song what's the first concert you went to um this is like way too much information and sometimes some of the questions are answers to your security questions so i know most people know not to post photos of like credit cards or disclose sensitive login information but a surprising number of people will post phone numbers and home addresses on social media and related to some of these questions posted out there i've seen it and i was shocked so again you might ask hey what's the risk well someone guessing your passwords that gives them access to pretty much everything and then we talk about those social engineering attacks against you and physical harm maybe and whatnot so those are things to think about so the takeaway as mentioned in the slide here uh on the screenshot on the left is stop giving people your personal info to guess your password and security questions period that is the lesson here so sharing content be mindful of what's in the background your photos and video conference calls this way you just have more control of the information you expose privacy settings don't always work on all platforms facebook is leaky privacy settings on facebook are not black and white keep that in mind and don't let privacy settings be the be-all end-all of what you do and do not do on some of these platforms before posting ask yourself if what you posted was leaked would it compromise you in any way would it compromise your location where you live your family members too many details just being put out there then proceed with your action before i post anything on social media whether those privacy settings on or not i ask myself that question then i proceed i'm like would i want people to see this maybe maybe not then i determine the risk there it is easy to overshare online and overlook those risks but we have to ask ourselves what criminals or fraudsters might do with this information and remember that everything that you are posting online is building your digital footprint that's always key and that's what this uh talk is about right um your digital footprint leads back to you and what it says about you and how to make it better which we'll cover as well so the last couple years pretty bad for over sharing and you'll see here in this example i have some photos where you could see vaccine cards so different countries vaccine cards have different information some are just a name and the days that they had their vaccines and some are date of birth included as well so this is sensitive information um you'll also see over sharing like and not realizing right buying all those amazon packages and then leaving that label on and then throwing it and recycling and people you being able to find your name and your address well that's gold so something to keep in mind airline tickets people going on a flight to wherever and posting it online um on on instagram or whatever platform and then there's also this photo of a male wearing a work id here well he wore that work id and then he stormed the capitol in january well that's a good way to get fired from your job but these are all examples of what some some of that over sharing looks like so there are tons of examples of poor opsec but there are also your online habits of using the same username say across platforms so we ocean researchers know username aggregators are very helpful when we're looking for finding accounts belonging to the same individual or maybe belonging to the same individual well don't be that person that uses the same username on all your platforms so you're easy to find defeats the purpose when you expose too many details about yourself you can be targeted for spoofing crimes so spoofing is where someone calls say my family with what looks like my phone number because they've spoofed it so it says my phone number is calling and then next they tell that my family members that hey i'm kidnapped until they pay up a ransom um there's also sharing photos so sharing photos with passports and i know a lot of people use those hashtags and there's a bunch up on the slide here but there's also like hashtag passport or hashtag boardingpass which are interesting well i had someone who didn't know that barcodes can have important information so they shared a photo of their airline ticket and they put their thumb over their name well i know that barcodes do have information embedded in them so i was able to snip the photo and able to reveal their real name by visiting a online bar barcode reader so these are the things that sometimes people aren't aware of but you're still exposing yourself when you don't think you are so i could have easily showed you facebook or google's apps but we already know they collect so much information um i was reading an article written by bellingcat related to tracking military positions and there's an app called untapped i wanted to highlight that even seemingly safe apps can be used against you or against us because not just the military uses this app it's anybody that likes beer because untapped is a beer drinking app and it can be used to track habits um including a location of an individual so i went to a regular just a random user just to see like what i found well username full name locations they visited and then not only that how many times they've visited the locations so i could probably find out they probably live in the area that kind of stuff and again just that's a lot of information out there so the awareness here is just understanding that be aware of what you're signing up for um with some of these apps and you know how much information is going to be put out there about you so what can you do to protect yourself well these are some general tips and where you could start just for better privacy and security using strong passwords um you know don't use them uh don't use passwords based on your pet's name or your kid's name or your favorite vacation spot use a password manager that's also helpful but also think of things like your browsing habits so using a secure search engine like duckduckgo duckduckgo does not save your search history or your personal data the next few slides are going to cover some things that can help with your searching habits so let's first talk about google chrome um and also there's other uh browsers which will have this incognito mode um and they're called different things in different browsers but this one it's called incognito and i notice there's a lot of confusion about what incognito mode does well using incognito mode it doesn't really protect you it it the thing it does protect you from is if you have like a shared computer and you don't want your searches uh to be found by the person that you share the computer with well it won't save that information on the computer you're using but your internet service provider your isp and other websites can still see your searches so it's really understanding like what what what it does versus what it does not do so if you want to see what your browser appears like to other sites use one or a couple of these free services to see the details of your ip address the type of browser you use the operating system maybe other details this information gives us some insight in how identifiable you are to other sites and people and sometimes it is worth taking a look at more than one of these sites just to do a comparison of what they observe as your browser fingerprint so after trying some of these sites you might be thinking well what can i do to fix or change that well we have something called browser extensions that you can use to adjust your privacy settings there are many out there but i only just mentioned three that i use at least there's https everywhere this encrypts your communications with many websites you might visit it makes your browsing more secure so what it does is it switches sites from the insecure use of http to the secure site of https and then we also have things like the privacy badger which blocks advertisers and third-party trackers from secretly tracking where you go and what pages you visit online and lastly we have user user agent switcher for chrome so this is an extension that changes the user agent which is something that identifies what browser is being used the version and what operating system you're using so when you activate this extension it helps change your browser and operating system footprint so i'm using an ios operating system and say chrome but we can spoof these details with this extension so it's kind of neat take a look if you don't already use it so what else can you do to secure yourself what are some solutions well we have security by absence so not posting information out there in the first place you can't get hacked through services and apps you don't have right that's something to keep in mind but one thing i do want to highlight here is it's just a good reminder that there's times where we used to use certain sites and apps and services well if you don't use them anymore if you stop using them delete those accounts related to them this is part of cleaning up your digital footprint i've conducted security assessments where i often find users old accounts that were never deleted but they contained tons of information like their old photos and everything and who they hung out with and what they did so that's just something really important to do as well there's also another technique used which is called disinformation so this is where you plant some fake information to mix up your digital footprint you can create fake accounts especially if you have a unique name so if you have a common name like mine ritu gill very common this helps me kind of hide in some ways but if your name isn't common you'll have to put in more effort and disinformation is one way to do that the goal here is to make attribution to your name difficult and next let's educate those around us that's part of our job not only we want to educate ourselves but the people that we're closest to our friends and family they need to know this stuff too letting them know how they could be impacting or compromising some of their privacy and security out there on the online world there's a really cool video that might help with this just to give people an idea it's called data to go which show it shows you how easy it is to obtain information about people online it's a fun little video and i created a short link or you can just enter data to go in youtube and you can find the video that way um typically i'd say don't click on short links but you can trust me on the open web i would always use a url expander to view any short links just to see where they take you before clicking on it data breaches so have you checked if your accounts have been part of a data breach troy hunt's website have i been pulling let's use search email and phone number to find breaches associated to that email or phone number that you search this site also allows you to set up notifications or when and if that phone number or email is part of a new breach if you find there are breaches uh associated to an email or a phone number that you have well maybe go delete that account altogether or that app that you were using that got breached or you might want to go change well you're going to want to go change your password for sure but depending on the situation you might want to do different things it's all about minimizing the data about us out there so breach data breaches happen every day but breach data can end up on the dark web so it's important for us to stay on top of these things and that's why you want to sign up for notifications right associated to your personal email addresses and whatnot other useful sites with descriptions of what they include are on this slide um i'll just go through a few of them so the first one stands for terms of service didn't read it's for all of us who didn't read the terms and services of websites before clicking i agree this website will break down what the terms and conditions are for popular sites very helpful um because lots of people don't want to read through the pages and pages of the terms and conditions of sites we sign up for and then we have a website called privacytools.io which provides a bunch of information to learn about tools again that can help you right justgetmydata.com is helpful when you want to find out how to get your data from certain sites because sometimes some sites don't make it easy where i'm like hey how do i download my information or how do i find out where to delete my information so there's some sites here that will help you with some of that as well all right so there's a documentary that is or was on netflix called the social dilemma it is a good awareness film and it shows the many ways that social media companies have influenced society so i don't want to say too much about it but it's interesting because the documentary features interviews with several former employees and executives of companies like facebook google and twitter so it's interesting to see their perspective but it's something go take a look at um when you have time all right so an exercise well this is one of the easiest ways that you can see what your digital footprint looks like or start with at least start with what you use online your your name or usernames or email addresses you've used and so on so that's the first step in identifying like hey what's all the stuff out there out there about me um and use a few different search engines at least two i'd say so google and bing those are some options and then once you've identified what your online footprint looks like well there's some of these services sorry so there's a bunch of blog posts here that i have mentioned um whether it's by micah hoffman which is at webreacher or josh huff which is learn all the things his website they provide useful tips to clean up your digital footprint so check these out and see what and how you can remove some of that digital footprint one of the caveats here is that there will be challenges due to the availability of public records in some countries like the united states but there are a lot of other places that include your digital footprint where you do have more control so that's the second step of after you've looked at your digital footprint well go go ahead and remove some of that stuff that you can and these are some of those resources that will assist you final thoughts well if you could just go ahead and keep upset in mind that would be great so the idea here is don't be a soft target by exposing too much personal information or details about your life some of my contact information i go by ocean techniques on twitter and my email is osen.techniques oscent.techniques protonmail.com feel free to reach out if you have any comments or questions and if you have any questions right now i'm happy to answer those as well thank you so much for hearing my talk

Info

Channel: DEFCONConference

Views: 493

Rating: 4.2941175 out of 5

Keywords: DEF, CON, DEFCON, DEF CON, hacker conference, security conference, information security conference, information security, conference speakers, hackers, hacking, hacking videos, security research, DEF CON 29, DEF CON 2021, DC29, OSINT, Recon Village, Ritu Gil, OPSEC

Id: daXNSvb_S3w

Channel Id: undefined

Length: 23min 10sec (1390 seconds)

Published: Sat Sep 25 2021