Practice Good OPSEC [Part 3] covers:
– BROWSING THE CLEARNET SAFELY & ANONYMOUSLY
– ABOUT EMERGENCY DATA REQUESTS
– HOW YOUR PHONE GETS TRACKED
– BEST WAYS TO BUY CRYPTO
– HOW TO CLEAN YOUR CRYPTO
This is a little bit more advanced, but it’s still worth reading.
Using Tor for clearnet sites works, but sometimes it’s just too slow and gets blocked way too often.
You are more than free to continue using Tor for the clearnet and hidden services. But I’ve listed alternative ways to explore with less blocks and faster speed (which you can also combine while browsing with Tor browser and further secure your environment)
If you don’t want to deal with the speed + blocking headache, your daily anonymous browsing setup should consist of:
– Anti-Fingerprinting Browsers (part 2 covers recommended browsers)
– VPNs + VPN routers (part 2 covers recommended vpns)
– VMs (to compartmentalize our data in an event of a zero-day taking control of our system) (optional, but recommended)
I have explained all of these things below.
RISK MITIGATION #1: VPN routers
Let’s start by talking about your IP, VPN routers and VPNs.
You might think having a standalone VPN client on your host OS is enough to protect your IP, but that’s not true.
Having a VPN router / hotspot with a killswitch is a lot more secure than using a VPN client on your OS.
Why? Because no software exploit on your device can leak your real IP, not even if WebRTC is ON: your device only ever sees the router’s network, so the real IP is never on the machine that gets exploited.
Having a VPN router is really similar to how Whonix works.
This is Whonix. Whonix is a hardened debian-based distro which forces all your traffic through Tor:
https://www.whonix.org/
Let’s talk about Whonix for a second so you can understand what I mean by “you’re more secure with a VPN router / hotspot”.
Whonix forces all of your apps in the OS through Tor, but the way they do it is very creative.
When you set up Whonix, it gives you 2 VMs:
1. The Whonix-Gateway (the “vpn router” in a sense, which is left untouched unless an update is available)
2. The Whonix-Workstation (the one you do all your work inside)
The Whonix-Workstation gets internet access ONLY VIA the Whonix-Gateway
Now here’s the cool part:
If you use Whonix and you SOMEHOW get compromised by some malicious script or exploit, and the exploit gains full access to your Whonix-Workstation, it still can’t expose your real IP.
Because the exploit would need to first escape the VM sandbox itself, and THEN get to your network VM (where your IP lives, basically).
And the Whonix-Gateway is purposefully developed with as few lines of code as possible, which heavily reduces your attack surface, because there is so little code involved in that Whonix-Gateway VM.
On top of that, if you booted both the Whonix-Gateway and the Whonix-Workstation in live mode, one simple restart is all it takes to remove that exploit: in live mode they run from your RAM, which clears on each reboot, so no change remains persistent because nothing can be written to the disk.
Unfortunately, FOR NOW, using Whonix limits us to using the Tor network. This is by design, but in the future I’m sure there will either be a way to modify the Whonix Gateway to use a VPN instead of forcing Tor, or maybe there will be better alternatives.
(In the future I will experiment on configuring the Gateway to use a VPN instead of Tor so I can get the Whonix-Gateway to act as a network “router”, which you can route any OS to.)
But as you can imagine, having a VPN router with a proper killswitch is more secure, because you’re not emulating a router through VMs or any kind of software; it now sits at the hardware level, running outside of your device’s memory.
So, I recommend you invest in one.
If you’re planning to get one, make sure it’s not a weak router with just a VPN feature bolted on; do your research, killswitches are important.
Also make sure to try and get it fully anonymously without tying it to your identity. (I’ve explained why down below.)
Now, for some people, buying a good VPN router could be expensive, so a cheaper alternative VPN router idea I have for you is using Lineage OS’s native built-in VPN hotspot sharing, which allows you to share the active VPN connection either through hotspot or USB tethering. On Lineage, go to Settings -> Network & Internet -> Hotspot -> Turn on the VPN setting at the bottom. Then set up your VPN to be always-on and etc in the VPN settings, and you are all set.
See if your device is compatible to flash Lineage OS:
https://wiki.lineageos.org/devices/
If you don’t have a compatible device, you can just buy some cheap second hand device from the compatible list.
Just make sure it has good Wi-Fi antenna specs, you don’t want an old and slow ass wi-fi hotspot/tethering.
But of course, some people may not even have any money for them to buy even that, so let’s continue on how you should proceed.
If you don’t have a VPN router / hotspot, here are the next best things you can do to protect your IP.
Now that we are using Mullvad browser’s antidetect capabilities, which mask our unique identifiers and make us look like everyone else using the browser…
And since we are not using any VPN routers / hotspots, we need to try our best to prevent IP leaks or DNS leaks.
So if you don’t have a VPN router, the main culprit for IP deanonymization through JavaScript seems to be WebRTC.
Disable WebRTC and make sure your DNS isn’t being hijacked by your OS (i.e. that queries go through the VPN tunnel rather than to your ISP’s resolver).
Prevent DNS leaks:
https://mullvad.net/en/help/dns-leaks
Prevent WebRTC leaks:
https://mullvad.net/en/help/webrtc
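As an added example (my own, not the post’s or Mullvad’s), here is what the killswitch the VPN-router section calls for, plus the “DNS only through the tunnel” rule the leak guides above describe, looks like as an nftables policy on a small Linux router box; every interface name, address and port here is an assumed placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): build an nftables
# "killswitch" ruleset for a small Linux VPN router. All names are
# assumptions: $wan_if is the uplink, $lan_if faces the devices behind
# the router, $tun_if is the VPN tunnel, the VPN server is an IPv4
# literal at $vpn_server:$vpn_port/udp and $vpn_dns is the resolver the
# VPN pushes. Nothing but the tunnel handshake may leave on the uplink.
build_killswitch() {
    wan_if="$1"; lan_if="$2"; tun_if="$3"
    vpn_server="$4"; vpn_port="$5"; vpn_dns="$6"
    # The server must be an IP literal: once the ruleset is loaded, a
    # hostname could never be resolved before the tunnel is up.
    case "$vpn_server" in
        *[!0-9.]*|"") echo "vpn_server must be an IPv4 literal" >&2; return 1 ;;
    esac
    cat <<EOF
table inet killswitch {
    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        oif $lan_if accept
        # uplink: DHCP lease plus the tunnel endpoint, nothing else
        # (ip daddr only matches IPv4, so IPv6 can never leave the uplink)
        oif $wan_if udp sport 68 udp dport 67 accept
        oif $wan_if ip daddr $vpn_server udp dport $vpn_port accept
        # DNS only to the VPN resolver and only through the tunnel
        oif $tun_if ip daddr $vpn_dns udp dport 53 accept
        oif $tun_if ip daddr $vpn_dns tcp dport 53 accept
        udp dport 53 drop
        tcp dport 53 drop
        # everything else the router itself sends must ride the tunnel
        oif $tun_if accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # clients on the LAN may only ever exit via the tunnel
        iif $lan_if oif $tun_if accept
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oif $tun_if masquerade
    }
}
EOF
}

# Usage: print the ruleset, then load it with `build_killswitch ... | nft -f -`
# build_killswitch eth0 eth1 tun0 203.0.113.10 51820 10.64.0.1
```

Connections that were already open before the ruleset was loaded are not covered by it, so load it before bringing the uplink up (or reboot after loading).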
RISK MITIGATION #2: NoScript.
Now, let’s talk about JavaScript.
As you’ve noticed: Everyone on Dread completely shits their pants when they hear about sites using javascript
Why? Well it’s really not without a reason.
Javascript has proven itself over and over that it’s a security nightmare in the wrong hands.
Now…
Does it massively reduce our attack surface if we completely disable JS?
Yes, but unfortunately we can’t avoid it fully for most clearnet forums and sites.
That is why we analyze and mitigate the risks with a couple of things.
In ⚠️Practice Good OPSEC [Part 2]⚠️ I told you to set Mullvad’s security slider to Medium.
The reason I didn’t tell you to turn it on to the option “Safest”, is because the Safest version disables Javascript.
Setting it to “Medium” just further restricts elements within a website, which for example try to get your WebGL hash, canvas or etc.
While it becomes a lot more secure to browse with javascript off, as I said above, it becomes a hassle to turn it on and off again and again.
That’s why we will rely on an extension such as NoScript.
NoScript is basically like putting on a condom for JavaScript.
If some malicious JS script or XSS vulnerability attempts to execute in your browser and NoScript detects it, it simply gives you a pop-up and warns you about it.
Inside that pop-up, you have the ability to either deny or approve the action.
For example if you clicked on a video, it will ask you if it’s ok to play media, in cases like those, you allow it.
BUT, if you DIDN’T initiate the action which prompted you to run some scripts, and you’re unsure, simply deny that request or click off the site.
It’s simple as that.
RISK MITIGATION #3: VMs in live-mode (advanced, but recommended)
(You would understand this section a lot better if you have already read OPSEC bible from ⚠️Practice Good OPSEC [Part 1]⚠️, it’s linked there.)
Unfortunately, there COULD be scenarios where NoScript isn’t perfect, and it can be circumvented by advanced devs, pentesters, cybersecurity experts or other skilled attackers.
The reasons you should use a VM are:
1. You can compartmentalize your data in a bunch of VMs, so in the rare event of you potentially getting a zero-day, you would NOT leak any sensitive files.
2. You spoof your real hardware identifiers, like Wi-Fi router MAC address, network card MAC, CPU, GPU, etc (not carding related)
But first, you need to understand what zero-day exploits are. I won’t get technical, I’ll just scratch the surface.
It’s called a 0-day exploit because it DOESN’T require any further actions by the victim. Which means that a victim could be 1 click (or 0 clicks) away to get his shit hacked.
0-day exploits are known to be super expensive, rare, and often kept secret. We have seen them developed by major cybersecurity sectors, for example the FBI, North Korean CIA and other intelligence agencies. But really experienced and advanced devs have also developed zero-days, so it’s not really limited to the intelligence agencies. And with what we’ve seen Claude’s Mythos can do, I wouldn’t be surprised if some dude just uses AI to help himself. In reality it depends on who and what the target is.
Here is a quick TL;DR scenario:
– You have multiple VMs: One where you store your passwords / PGP key management (with NO internet access), one for Telegram, one for browsing
– Without you knowing, you get compromised within your browsing VM, and the exploit gains full system-wide file access in the background
– If you booted that VM without any SUDO permissions AND in live-mode (like Whonix / Kicksecure allow you to), the exploit would stop there and be erased upon reboot, since live-mode loads the OS into your RAM. The RAM, like we said, is wiped on each reboot, and live-mode does not allow persistent saving to the disk. So always make sure to boot in live-mode for daily tasks.
– But let’s say you didn’t boot into live-mode and you also had sudo permissions ON.
– First, your IP will be safe, because your VM gets its network access either from the VPN router (more secure) or from your Whonix-Gateway VM (less secure, like I explained above).
– Second, all of your sensitive files will be safe, because they live OUTSIDE of your browsing VM. They live in another VM.
– The only downside would be that your VM is now infected without you knowing. And since the exploit’s whole goal is to SURVIVE and remain running in the system, the attacker may or may not execute further code remotely in the future.
– Now, in the EXTREMELY UNLIKELY case where the exploit is SPECIFICALLY TARGETED AND DEVELOPED to escape the VM sandbox so it can then get to your Whonix-Gateway, it can get your IP, since everything is running on the same device and memory. That only applies if you’re using the Whonix-Gateway. To get your IP from a VPN router, they would also need to develop or exploit something against your ROUTER, which again is extremely unlikely; the most they can get is your VPN router’s MAC address, which is why I warned you to buy the router anonymously, so they can’t trace who bought it through the supply chain.
But I promise you, if it gets to this point, you are at fucking Edward Snowden level type of OPSEC threat level and you have MUCH bigger concerns than these, so take a breather……. chill out…… everything is going to be OK =)
Qubes is the PERFECT OS which does all of this in the most secure way. VM templates, disposable VMs, and etc.
https://www.qubes-os.org/
Unfortunately, I do not recommend Qubes to beginners, because the learning curve is huge.
If you are a beginner, stick to what I’ve already told you in ⚠️Practice Good OPSEC [Part 2]⚠️
RISK MITIGATION #4: VPNs before Tor
*needs finishing*
As I clarified above, by using VPN routers OR Whonix’s dual-VM design to avoid IP leaks and such, even in the event of a zero-day infiltrating your system, your IP won’t leak
But if the censorship in your country is very high and you can’t use Tor because it’s illegal, or your ISP snoops on you and actively builds a fingerprint profile on your activities and you don’t want that to happen…
You can use a VPN before Tor.
You can use Tor bridges, but
Whoever said that running a VPN before connecting to Tor is dangerous, it’s just not true.
What are they?
The difference between a subpoena and an EDR (emergency data request) is that the EDR takes a lot less time.
An EDR can be requested from almost every company / service which complies with the laws inside the country the service/company is hosted in.
Depending on each company/service’s privacy policies, they can give out the info they store about you, which you agreed to get collected by agreeing to their lengthy terms of service & privacy policies
It’s a bit more complicated, but here’s what you need to know
A subpoena/EDR can only be requested by sending an e-mail from an official government e-mail address, one with a government domain after the @.
Some examples (not real e-mails):
david@fbi.gov | MayorFreud@gov.uk | InvestigatorKyle@intelligence.gov | office@president.gov.ru | franceExample@info.gouvr.fr
Unfortunately, since not every government official is technically literate, their e-mails can often be compromised and taken over temporarily in various ways by hackers or skids, such as phishing e-mails, social engineering, suspicious .PDF files which they open, cookie-stealer software, rarely some zero-days, and other stuff.
After the hackers gain access to a government e-mail which they temporarily have full control over, they have 2 options:
– they can either use it on their own
– or they can sell it on various greyhat/blackhat marketplaces for anywhere between $50 and $1000, depending on how serious the gov e-mail handle is.
They can also monetize it by offering people in suspicious communities subpoena / EDR as a service.
What happens after that is, for example, I read Discord’s EDR policies, fill out a fake request that complies with their requirements, and then they give me all the information they’ve promised to store about you and promised they can give to law enforcement upon request.
What’s important to know is HOW a company responds to those EDRs and what data they give out exactly, which can be done by looking at their transparency report (if they even have it).
A transparency report is basically when a company publicly announces what requests they’ve gotten and how they’ve responded to them. Now, some companies share very little as to what they’ve handed over inside the EDR, and some may or may not redact sensitive details.
To give you an example, Signal has transparency reports at: https://signal.org/bigbrother
Telegram has transparency reports at: https://t.me/transparency (but they are not exactly the full story)
An EDR becomes obsolete if you’ve taken the proper OPSEC measures to hide your unique identifiers online.
*more details will be added in the future*
———————————-
Having a phone is usually the biggest attack vector someone could have on you.
If you are interested in the ways you get tracked through your phone, software and hardware wise
This FAQ section written by the GrapheneOS team is a really good place to start learning:
About “anonymous” e-sims on your phone:
Buying an anonymous ESIM is not enough.
For your phone to successfully connect to a cellular tower, it needs a valid IMEI.
If you bought your phone online with your real name, that phone IMEI is now attached to your name inside some database.
Since mobile data is coming from cellular towers, when you use your mobile data to use the internet, you are not only sending your DNS requests through the cellular tower, your phone is also constantly repeating to the cellular tower, basically saying this:
“Hi, this request was sent on <current date & year> at <current exact timestamp>. I am <IMEI number> and this is my provider <IMSI number>, I am requesting a DNS lookup for <site>.”
If you’re using mobile data, using a VPN covers those DNS requests but it doesn’t stop the fact that your phone still needs to ping that tower and tell it its IMSI and IMEI.