Adam Caudill

Security Leader, Researcher, Developer, Writer, & Photographer

OPSEC, The NSA, and You

It’s been two weeks since news broke about the NSA collecting massive amounts of data from Verizon; and likely everybody else. There’s also PRISM – whatever the hell that is – it seems there’s no agreement on that, and I doubt there will be anytime soon. What really matters here though, is we have proof that people are watching – and if it’s happening in the US, it’s probably happening everywhere else.

If you have any understanding of the intelligence community, all of this should come as absolutely no surprise whatsoever.

For me, it has served as a reminder of the importance of OPSEC in anything you’re doing. The NSA is collecting metadata, and lots of it – they repeatedly assure people that it’s harmless. And it is – if you’re a technophobic OPSEC master living in a cave. Where metadata is so valuable, is in cases where you are looking at people that leak little bits of personal data everywhere they go, then you use the metadata to connect the dots. Very soon, you have a great picture of what they are doing and who is involved – without needing access to voice recordings or other, more protected information.

Knowing Where Your Weakness Is #

Many people are talking about tools and technologies now to defeat this kind of data collection – from Tor to Cryptocat, yet, there are issues; it sounds so simple, but it’s not. Tor for example, how easy would it be for someone with a large budget to put the network at risk? The approximate answer, is easy. How about Cryptocat or other encrypted communication tools? Last year was painful for Cryptocat – the last audit may have been clean, but who knows what else may be found.

Encryption is hard, and it’s very easy to write something that looks secure but falls apart when placed in the right hands – accidentally or otherwise.

The question is, is it effective against an actor with a massive budget? I would say it is, but not for the reason you might be thinking. Encryption is hard, both for those that implement and those that attack. But why spend the time and money on breaking encryption when you can take advantage of bad OPSEC to achieve the same goal?

People leak data constantly – how, when, and where they use their phone, who they email, how they use social networks – all of these things provide useful information for an attacker. Individually, they may seem to have no value, but it’s the connections they add to the overall picture that makes them so damaging.

Photo EXIF data, time of day trends in social media (or IRC), comments about the weather – all seem so innocent, but when combined can help to narrow down the list of candidates, and start building a picture of a person and their habits. Simple, innocuous, meaningless – until assembled.

No tool can fix this; using Tor doesn’t eliminate habits, encrypting email doesn’t hide social connections. Everything you do leaks data.

Your Software Isn’t The Big Risk #

You are. Your friends are.

All the encryption software in the world won’t protect you from posting a picture with GPS data embedded in it; no 0day will put you at more risk than you are from your own mouth. No major actor needs to crack encryption, when they can collect massive amounts of metadata, and play connect the dots with the data you give them for free.

It’s even worse when you start talking to friends, what they know, they’ll leak. When you speak to anyone, assume that a link between you and them has been documented by somebody, somewhere – now that person is a target to see what little bits of data they leak about you. Or you are now a target because of them.

Trust no one, not even yourself.

Know Your Enemy #

As Sun Tzu pointed out, if you know your enemy – war is easy. The problem is, you don’t. Nobody knows just how much data groups like the NSA have – if you believe them, not even the NSA knows. Nor does anyone know what they are capable of collecting should the need arise. Large groups of very intelligent people with a secret budget and access to a secret court that grants almost everything they ask for – my guess is that they’re capable of a lot.

You know what tools are available – but how can you protect yourself, if you don’t know what works and what doesn’t? What networks are monitored? What agencies or companies are sharing data?

Having good tools is a start, but that must be part of a larger plan to control what you expose publicly. You must be very cautious about every bit of data that could be collected – no matter how insignificant it seems. Who you associate with and how needs to be carefully controlled to avoid both unwanted leaks and attention. Every action feeds data in a picture, how useful that picture is, is completely up to you.

Want to learn more, start with grugq’s HITB OPSEC talk if you’ve not seen it yet. If you’d like the short version, I’ll sum it up: STFU.

Adam Caudill

Related Posts

  • Crypto, the NSA, and Broken Trust

    Even as a child I was fascinated by cryptography – and often left the local librarians with puzzled looks thanks to the books I would check out. It’s so elegantly simple, and yet massively complex. There is one very unusual property of crypto though – it’s not about math or modes, it’s about trust. Cryptography, especially as used today, has the most wonderful dichotomy of trust; on one hand crypto, by its very nature, is used in situations lacking trust.

  • Is moving offshore really crazy?

    Today ZDNet published an article titled “The lunacy of trying to avoid NSA spying by moving e-mail and cloud out of the US” – I’m still trying to figure out if the position is naive, or intentionally ignores important facts. In short, the author (Steven J. Vaughan-Nichols) states that your data is safer in the US because outside of the US, the NSA has much less restrictive rules to operate under.

  • Worried about the NSA? Try AES-512!

    …or, The Cost of Wild Speculation. “We need to boost our security – I think the NSA has broken everything we use. AES-256 is too weak, I don’t trust it. Find a way to implement AES-512.” Double-AES-256! It’d be easy, and double encrypting has never bitten us before. So, let’s write some code! def encrypt(msg, iv, key) return e(e(msg, iv, key.slice(0..31)), iv, key.slice(32..63)) end def decrypt(cipher, iv, key) return d(d(cipher, iv, key.

  • The Evolution of Paranoia

    That researchers from Kaspersky Lab uncovered malware that uses hard-drive firmware has now been throughly discussed — perhaps too much for some people. It’s not exactly Earth-shattering news either, the idea has been discussed for years, and has been publicly demonstrated. Brandon Wilson and I were even working proof of concept for SSD controllers to demonstrate this based on our BadUSB work. This isn’t about that story, exactly. This is about paranoia, and how it has changed over the last few years — and even the last few months.

  • Making Android NSA-Proof

    As it turns out, it’s quite easy to make your Android phone NSA-proof. It’s a simple method, and anyone can do it – all you need is a few ounces of thermite! Too extreme? Tools & Tips Let’s shoot for something a little more attainable – spy resistant. We can’t stop every attack, but we can reduce the attack surface a bit. Here are a few tools that I’ve been using recently to do just that.