Tag: privacy

  • What is OPSEC?

    Operational security (OPSEC) is a security and risk management process that prevents sensitive information from getting into the wrong hands.

    “If you have nothing to hide, you have nothing to fear.” This argument is commonly used in privacy discussions. Why does it matter? “The government is protecting us,” you say.

    Well, governments change. Governments can shift from one policy to another. And why is this a problem? Well, maybe the current government doesn’t pose a threat. Nor the next one. But once they document information on you, every government after has access to it. What happens if they decide to make a change and crack down on us? What happens if a select few decide to abuse their power?


    “Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.” – Edward Snowden

    Attackers probe for potential weaknesses in OPSEC. If they find one, they can then use Open Source Intelligence (OSINT) techniques to gather information about their target, such as:

    • Full Name
    • Location
    • Aadhar Card Number
    • Date of Birth
    • Email Accounts and Passwords
    • Online Digital Footprint
    • Employment Information
    • Financial Information
    • Mobile/Work Telephone Numbers
    • Social Media Information/Posts
    • Family/Friends/Colleagues

    A motivated attacker could use the above to do damage against you.

    Maltego, a tool used in OSINT to help link accounts

    For example let’s take a look at one of the most infamous cybercriminals of this generation, ‘Dread Pirate Roberts’.

    Who is Dread Pirate Roberts?

    Ross William Ulbricht, better known by his alias ‘Dread Pirate Roberts’, was the owner of Silk Road, an underground market selling many illegal products and services. To access the Silk Road, one needed to install the Tor client and visit the site.

    Ross William Ulbricht before his OPSEC was compromised
    Looks like a nice man, right? He allegedly ordered two assassinations before being arrested.

    Tor

    Now I guess most of you are thinking, what is Tor?

    Tor, short for The Onion Router, is open-source software used to enable anonymous communication. It directs traffic through many relays, which conceals a user’s location and usage and hinders network traffic analysis.

    Tor is NOT meant to solve the problem of anonymity outright. It is meant to reduce the likelihood of being tracked.
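    To make the relay description above concrete, here is an added example (not code from the original post, and not Tor’s own implementation) that simulates onion routing on a three-hop path. Each relay holds its own key and peels exactly one encryption layer, so it learns only the previous hop and the next hop; no single relay sees both the client and the destination. The layer cipher is a constructed HMAC-SHA256 keystream with an authentication tag, standing in for the real protocol’s ciphers; relay names, keys, the destination and the payload are all made up for the demonstration.

```python
import hashlib
import hmac
import json

# Constructed sample path (guard -> middle -> exit) with per-relay keys.
# Keys are derived from fixed labels only so the run is reproducible.
SAMPLE_PATH = [
    ("guard", hashlib.sha256(b"constructed-guard-key").digest()),
    ("middle", hashlib.sha256(b"constructed-middle-key").digest()),
    ("exit", hashlib.sha256(b"constructed-exit-key").digest()),
]
SAMPLE_DESTINATION = "example.org"   # constructed destination
SAMPLE_PAYLOAD = "hello"             # constructed application data


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy keystream: HMAC-SHA256 in counter mode (illustrative, not a real cipher suite).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt one layer and append an authentication tag so a relay can detect tampering.
    nonce = hashlib.sha256(b"nonce" + plaintext).digest()[:16]
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + tag + ct


def unseal(key: bytes, blob: bytes) -> bytes:
    # Peel one layer; a wrong key or a modified blob fails the tag check.
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("layer authentication failed")
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))


def build_onion(path, destination: str, payload: str) -> bytes:
    # The client wraps innermost (exit) layer first, then each earlier hop around it.
    inner = json.dumps({"next": destination, "data": payload}).encode()
    blob = seal(path[-1][1], inner)
    for i in range(len(path) - 2, -1, -1):
        layer = json.dumps({"next": path[i + 1][0], "data": blob.hex()}).encode()
        blob = seal(path[i][1], layer)
    return blob


def relay_process(name: str, key: bytes, blob: bytes, came_from: str):
    # A relay decrypts one layer and records what it could observe.
    inner = json.loads(unseal(key, blob))
    view = {"relay": name, "sees_from": came_from, "sees_next": inner["next"]}
    return inner, view


def simulate(path, destination: str, payload: str, client: str = "client"):
    # Walk the onion through every relay; return the delivered payload and each relay's view.
    blob = build_onion(path, destination, payload)
    views, prev, delivered = [], client, None
    for i, (name, key) in enumerate(path):
        inner, view = relay_process(name, key, blob, prev)
        views.append(view)
        if i == len(path) - 1:
            delivered = inner["data"]        # exit hands the plaintext to the destination
        else:
            blob = bytes.fromhex(inner["data"])  # forward the still-wrapped remainder
        prev = name
    return delivered, views


if __name__ == "__main__":
    delivered, views = simulate(SAMPLE_PATH, SAMPLE_DESTINATION, SAMPLE_PAYLOAD)
    for v in views:
        print(v)
    print("delivered:", delivered)
```

    Running it shows the guard seeing only `client` and `middle`, the middle only `guard` and `exit`, and the exit only `middle` and `example.org`; trying `unseal` with the middle relay’s key on the outer layer raises an error rather than leaking anything. This is the property the paragraph describes, and also its limit: an observer who can watch both ends of the path can still correlate timing and volume, which is why Tor lowers the odds of being tracked rather than guaranteeing anonymity.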

    Transactions over Silk Road were made using escrow accounts, buyer feedback and cryptocurrency. The product shipped by mail from the seller to the buyer, keeping Dread Pirate Roberts’ hands clean and maintaining OPSEC. The only trace was the money, and a process called tumbling was used to make the cryptocurrency harder to trace. Tumbling is a service that mixes cryptocurrency funds with others so as to obscure the trail back to the funds’ original source. The FBI traced the money, but the servers were all cloaked and could be migrated in minutes. So how could they catch this criminal?

    Well, they did it by ‘looking into the past’. The FBI searched for the earliest mentions of the name ‘Silk Road’. They ended up finding a single post by a user named ‘altoid’ which linked to a WordPress page. Upon subpoenaing WordPress they received other crucial finds, such as a post by altoid which gave away his email; from that, the FBI found the name of the man they were chasing.

    Using his email, they found a picture on his Google+ account taken at the Mises Institute.

    And then it was just a matter of weeks before he was caught and arrested. He is now serving a double life sentence plus forty years without the possibility of parole.

    This one mistake started the fall of one of the most wanted men on the dark net.

    What can we learn from this?

    Being aware of the information you spread online will drastically reduce the risk of your OPSEC being broken. It is not one “breadcrumb” of information that causes the damage; it is the accumulated data over time.

    Part of a series on OPSEC, with the next part describing how to maintain OPSEC
