OPSEC: Because Jail is for wuftpd
Ekoparty 2012
YouTube: https://www.youtube.com/watch?v=S8GPTvq1m-w
| Notes |
|---|
| wuftpd |
| OPSEC |
| Lulzsec |
| Lulzsec: lessons learned |
| freedom fighter |
| STFU |
| The Wire |
| you only have to fuck up once to ruin OPSEC |
| binary replacement rootkit |
| Solaris |
| grugq’s friend owned 2000+ machines with a faulty rootkit |
| the rootkit was supposed to hide its activity from the logs, but instead it simply killed syslogd |
| was unable to go back and fix ~200 of them |
| admins installed Tripwire on compromised hosts |
| friend was raided two weeks later |
| moral of story: use a better rootkit (kernel rootkit!) |
| “The enemy is listening” |
| people will use what you say against you |
| OPSEC in a nutshell: STFU. don’t tell people things |
| need to know basis; no one needs to know anything |
| keep it to yourself |
| guard your secrets |
| people will blackmail you if they have the opportunity |
| marijuana OPSEC cartoon |
| be proactively paranoid. paranoia doesn’t work retroactively. |
| be tidy. clean up after yourself. |
| don’t leave things around in plaintext |
| don’t leave equipment lying around |
| don’t leave evidence lying around |
| avoid being explicit |
| do not talk in code because people know what you’re talking about anyway |
| “two green sweaters and one mushroom pizza” is obvious |
| camouflage |
| preparation work; put in the plumbing first |
| create a cover identity: facebook page, twitter account, email, … |
| independent freedom fighters don’t have large organizational backing |
| independent freedom fighters have to do things themselves |
| work on your legend: the cover needs to be fleshed out |
| covers need to be believable |
| covers need to age |
| never contaminate your cover; contamination is when two covers interact with each other |
| Ten Crack Commandments - Biggie Smalls |
| Ten Freedom Fighting Commandments |
| 1. don’t reveal your operational details |
| 2. never reveal your plans |
| 3. never trust anyone |
| 4. never confuse recreation with freedom fighting; don’t hang out with those you are operating with |
| 5. never operate from your own house |
| 6. be proactively paranoid; it doesn’t work retroactively |
| 7. keep personal life and freedom fighting separate |
| 8. keep your personal environment contraband free |
| 9. don’t talk to the police (stfu) |
| 10. don’t give anyone power over you |
| it hurts to get fucked |
| no one is going to go to jail for you |
| operate from rented server instead of your house |
| your friends will betray you |
| #lulzsec lessons learned |
| indictment |
| Jeremy Hammond (Anarchaos, sup_g, yohoho) |
| Tor |
| Hammond had strong opsec until he mentioned he was on probation and gave up identifying information about himself |
| FBI conference call hacked and recorded |
| Donncha Carroll |
| website defacement |
| Fine Gael |
| Donncha Carroll used their personal Facebook account to send details about defacement |
| identities: polonium, anonsacco, palladium |
| logged in from the same IP for all of his identities |
| username was their real name |
| username should be “user” |
| Sabu |
| #sunnydays #babytech |
| “who is this?” was answered with one of their handles |
| freegan |
| anti-capitalism |
| Chicago |
| dumpster diving |
| Hammond revealed that he was a freegan, tying him to chat logs |
| Gmail |
| Hammond hacked a white supremacist website from home. |
| MAC address |
| Apple computer |
| use SIM cards and rotate them for internet access |
| FBI triangulated Hammond’s wifi signal |
| FBI broke into Hammond’s wifi |
| Hammond mentioned using a Mac; the FBI observed an Apple MAC address on his network |
| don’t use wifi; it can be eavesdropped from outside |
| FBI correlated when Hammond was in his house and online to prove it was him |
| Hammond mentioned using Tor. FBI correlated Tor activity at his residence |
| circumstantial evidence |
| Perfect Privacy |
| VPN |
| Sabu asked Carroll details about his IP and VPN service. Authorities used this against him. |
| VPNs do not provide anonymity; they provide privacy! |
| subpoena |
| Virus had good opsec and may not have been busted |
| doxxed |
| interrogation |
| w0rmer - Higinio Ochoa |
| EXIF data; geotags |
| Pastebin |
| w0rmer doxxed and incriminated himself on Pastebin |
| interrogation tactic: interrogators will play with your ego to make you defensive and get you to admit things |
| SQL injection |
| sqlmap |
| you know the plumbing worked because nothing happens |
| Ben Nagy |
| defense in depth for freedom fighters |
| using personas takes practice. practice before freedom fighting! |
| use technological setups that have failsafes |
| Tor everything |
| revealing information about something as simple as the weather can be used to dox you |
| amateurs practice until they get it right. professionals practice until they can’t get it wrong |
| Roberts Rules of Order |
| don’t log things |
| it is a crime to delete logs if you think they will be used as evidence of a crime; it’s better not to have them to begin with |
| don’t reveal physical traits: gender, tattoos, physical appearance, … |
| stick to US keyboards if you are foreign |
| don’t use facebook or twitter because they can unmask you |
| avoid keeping regular hours |
| Robert Morris Jr - Morris worm |
| buffer overflow |
| freedom fighters are no longer the apex predator |
| LEO - Law Enforcement Official/Officer |
| LEO are now the apex predators |
| Tor -> VPN = good. VPN -> Tor = go to jail! |
| Bitcoin |
| only safe currency is Bitcoin; you can mine it yourself |
| only purchase Bitcoin over tor |
| https://torrentfreak.com/best-vpn-anonymous-no-logging/ |
| tormail |
| Bitcoin is anonymous, not private |
| Bitcoin can be traced |
| Bitcoin mixer |
| The Hidden Wiki |
| PORTAL - Personal Onion Router To Assure Liberty |
| you can be famous. you can be a criminal, but you cannot be a famous criminal. |
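
The Tripwire episode in the notes above (a binary-replacement rootkit that was noticed once admins baselined their hosts) is the kind of check this added example implements; it is not code from the talk. It takes a hash-and-mode baseline over a constructed temp directory, lets a sample "rootkit" replace two binaries, drop a file and remove one, and reports each change.

```python
"""Tripwire-style file integrity check: baseline a tree, re-scan it, report
what changed. All files, names and contents below are constructed for the demo."""
import hashlib
import os
import tempfile

def snapshot(root):
    """Map relative path -> (sha256 hex, permission bits) for every file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = (digest, os.stat(path).st_mode & 0o7777)
    return baseline

def compare(baseline, current):
    """Return {'modified': [...], 'added': [...], 'removed': [...]}, each sorted by path."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }

def _write(root, rel, data, mode=0o755):
    """Helper: create rel under root with the given bytes and mode."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, mode)

def demo():
    """Constructed scenario: clean baseline, then a crude binary-replacement install."""
    root = tempfile.mkdtemp()
    for rel in ("bin/ls", "bin/ps", "bin/netstat", "sbin/syslogd"):
        _write(root, rel, b"original " + rel.encode())
    baseline = snapshot(root)
    # the sample "rootkit": trojaned ps and netstat, a dropped extra binary, and
    # (to exercise the 'removed' case) the syslogd binary deleted outright
    _write(root, "bin/ps", b"trojaned ps")
    _write(root, "bin/netstat", b"trojaned netstat")
    _write(root, "sbin/backdoor", b"dropped file")
    os.remove(os.path.join(root, "sbin/syslogd"))
    return compare(baseline, snapshot(root))

if __name__ == "__main__":
    # prints {'modified': ['bin/netstat', 'bin/ps'], 'added': ['sbin/backdoor'], 'removed': ['sbin/syslogd']}
    print(demo())
```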
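
The w0rmer geotag case in the notes above turns on one detail: a photo's Exif block can carry a GPS IFD. This added example (not from the talk) builds a constructed Exif/TIFF blob holding a made-up coordinate and then parses it back into decimal degrees, the read an investigator or a pre-publication privacy check would perform; the tag numbers are the standard Exif GPS tags, the byte layout and coordinate are constructed.

```python
"""Extract the GPS geotag from an Exif (TIFF-structured) block."""
import struct

GPS_INFO, LAT_REF, LAT, LON_REF, LON = 0x8825, 0x0001, 0x0002, 0x0003, 0x0004

def build_sample_exif(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed little-endian TIFF blob: IFD0 -> GPS IFD -> DMS rationals."""
    def entry(tag, typ, count, value):        # one 12-byte IFD entry
        return struct.pack("<HHI", tag, typ, count) + value
    def rationals(dms):                       # three RATIONALs (numerator/denominator)
        return b"".join(struct.pack("<II", int(v * 1000), 1000) for v in dms)
    # layout: header 0..8, IFD0 8..26, GPS IFD 26..80, latitude 80..104, longitude 104..128
    ifd0 = struct.pack("<H", 1) + entry(GPS_INFO, 4, 1, struct.pack("<I", 26)) + bytes(4)
    gps = (struct.pack("<H", 4)
           + entry(LAT_REF, 2, 2, lat_ref.encode() + bytes(3))
           + entry(LAT, 5, 3, struct.pack("<I", 80))
           + entry(LON_REF, 2, 2, lon_ref.encode() + bytes(3))
           + entry(LON, 5, 3, struct.pack("<I", 104)) + bytes(4))
    return b"II\x2a\x00" + struct.pack("<I", 8) + ifd0 + gps + rationals(lat_dms) + rationals(lon_dms)

def read_ifd(blob, off, bo):
    """Map tag -> (type, count, raw 4-byte value/offset field) for the IFD at off."""
    n, = struct.unpack_from(bo + "H", blob, off)
    entries = {}
    for pos in range(off + 2, off + 2 + 12 * n, 12):
        tag, typ, cnt = struct.unpack_from(bo + "HHI", blob, pos)
        entries[tag] = (typ, cnt, blob[pos + 8:pos + 12])
    return entries

def exif_gps(blob):
    """Return (lat, lon) in decimal degrees, or None when the block has no GPS IFD."""
    bo = "<" if blob[:2] == b"II" else ">"   # 'II' little-endian, 'MM' big-endian
    ifd0_off, = struct.unpack_from(bo + "I", blob, 4)
    ptr = read_ifd(blob, ifd0_off, bo).get(GPS_INFO)
    if ptr is None:
        return None
    gps = read_ifd(blob, struct.unpack(bo + "I", ptr[2])[0], bo)
    def dms(tag):                             # degrees/minutes/seconds rationals -> decimal
        off, = struct.unpack(bo + "I", gps[tag][2])
        d, m, s = (num / den for num, den in struct.iter_unpack(bo + "II", blob[off:off + 24]))
        return d + m / 60 + s / 3600
    lat = dms(LAT) * (-1 if gps[LAT_REF][2][:1] == b"S" else 1)
    lon = dms(LON) * (-1 if gps[LON_REF][2][:1] == b"W" else 1)
    return lat, lon

if __name__ == "__main__":
    sample = build_sample_exif((41, 52, 41.0), "N", (87, 37, 48.0), "W")  # constructed coordinate
    print(exif_gps(sample))  # about (41.8781, -87.63)
```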