Hrm...

A new menber with 25 posts, posting in the activisim section with a post suggesting free access to identity protection schemes or information about such of some sort or another.

The forum is known to be trolled by all kinds of anti gun and government law enforcement types. They say it isn't paranoia if they really are out to get you.

If you so work in 'infosec' then you already realize that this post appears to be a scam and that anyone here would be ill served by following a suggestion from an unknown person online.

I've never met a real security guru that uses the term 'infosec'...

Let me adjust my tinfoil hat...

Yeah we will trust you know more than us who actually live in this country. You picked the member name on purpose, didn't you Hans?

Nothing is free

It's best to treat everything with some skepticism. So I'll stand to defend my future advice, but I won't continue if it's not wanted.

1. I haven't posted on here because I'm young. I'm sure if you looked into a few posts I've made here, as well as my email address, you could de-anonymize me pretty easily. I do live here in CA, but as any person in security, we just don't like to give out details about ourselves less it's necessary. That goes without saying, I still like to obfuscate details about my personal life.

2. Troll. They exist everywhere. I don't want to waste anyone's time, the same as I don't want you to waste mine. Anything I say can be backed up by supporting documents, whitepapers, and any other technical documents you'd like to see. Obviously if you're doing something that requires complete anonymity, you probably already ****ed up by registering on this site with your personal email address, or you connected here without a vpn and/or tor. I'm willing to provide some info on how to register and contact me anonymously for your sake and mine, but I don't want to write out a doc on how-to, if it will just be taken as un-credited work from a low-number poster, again, it's healthy to have that skepticism.

3. Information Security or InfoSec is a term largely used in corporate settings. If you speak with any CISO about it, they will confirm this. If you know it as "Cyber Security", than you probably speak with only in government about security, which is another way to de-anonymize people. Terminology.

4. I promise you my tinfoil hat is usually always on.

Thanks for your reply.

Yes. I picked the name when I was...16?
Thought it was funny at the time, and I still do.

35_?

Many of us are not wise to OPSEC or infosec techniques or what you might have to offer us due to our ignorance.

Could you put together a list or a paragraph or 2 IRT what things you think we ought to be aware of and watch out for in our daily endeavors?

To me your post is a bit confusing just because you are going public, which seems to fly in the face of all things secure.

Learn me please, I expect we have many lurkers also scratching their heads.

Vick

Tor.

ProtonMail.

Wickr.

Signal.

Yes of course!

I suppose I'll start with the level of transparency in the security industry. Many of us view Information Security as a progressive science. The only way we can progress our computers and out security is to keep pushing forward. Not by just creating system and servers that are secure, but also by breaking them. Only by breaking them, are we able to find and discover ways to secure them. It's a never-ending game of cat and mouse. I personally stopped playing most videos games because learning to penetrate servers (legally) is always more fun. (I'll go into how researchers do this.)
Back to transparency:

Governments: Governments typically keep all their exploits to themselves for surveillance purposes, whether internal or external. They'll hire Security firms to provide them what are called "0days" which are live/current holes in applications/programs that they can use for exploitation. One of the most incidents of this was a security firm named "The Hacking Team" who was providing 0days to the US government. Though they operated and did everything legally, they were ALSO supplying Russia with 0days. From a business perspective, it's a smart decision, but you can't be aiding American's Enemies if you have contracts with the US. I won't say I know the terms of their contract, but I would assume they agreed not to supply other governments with 0days.




Corporations: There are some security firms who engage in Red Team's or Penetration Testing, which is contracting with companies, typically big ones like Cisco, Lenovo, Amazon, etc. and hack them to find the holes. These holes can be anything from user databases, to internal production source. The engagement is written out in contract before is should be VERY precise. Included in the contracts will be the legal rules of engagement. "Is my team allowed to run physical security tests on your office, such as you lockpicks? Can them impersonate or Social Engineer your employees to gain access? Are they allowed to physically enter the premises? Can they attack the web servers? etc" These security teams sometimes have a whole team who are their Research Teams, who look for bugs in code that they can use for engagements. Finding a bug that hasn't been patched, 0day, and the company uses that software, such as Skype or something, then they can get into all the computers in the company. It's really easy to install a keylogger and get every single password of all the employees of the company. But in regards to the exploits they find. If Security Company A finds an exploit in Skype, they're not that likely to tell Skype so they can fix it, because they can use it for work. Governments do the same, if not explicitly ask companies to provide them (Apple vs. FBI).



Hackers: Without going TOO deep into the ethicals of hackers, (same ethics us firearm users), some hackers who discover bugs will contact the vendor of the bug, notify them so the vendor can patch the bug. This also boosts the career of the Security Researcher/hacker who found it. And of course, there are black markets for selling them.





Okay, kinda going off my main post of how to protect yourself from mass surveillance and malicious hackers.

I'm sure there are many people on here who hard strong feelings about Snowden, but irrespective of how you feel about him, he did provide insight on what and how the government uses surveillance. Let's start with the #1 tracking device, your phone.

All phones use GSM networks to communicate all their calls. The SIGNIANT program passively collects all phone calls and text messages sent in the US. They're fake cell towers that do Man-in-the-Middle attack where they listen to all your messages before passing it onto a legitimate network. Anyone can set these up, government or your neighbor. Obviously the government ones are a bit more scale-able. One of the best messaging applications that counters this is called "Signal." https://whispersystems.org/
It's a texting application that you can use to text anyone, just like your default one, but if the other user has Signal as well, your text messages are encrypted. It uses what's called Asymmetric encryption so all messages sent are encrypted end-to-end. No server has a decrypted version of your text. This does not mean that they're not collected, simply that it's encrypted. The level of encryption is high enough that the amount of computing power to decrypt your messages would require more than trillion of guesses to decrypt. As the government does have resources to decrypt your messages, you probably aren't worth the cost to use them. Not even people like the Orlando shooter are worth it, financially speaking.

Phone calls. Signal also allows encrypted phone calls, but the quality of the calls aren't that great. If you NEED to call someone, that's your best bet. Otherwise just meet with them in person.

Wireless Cards. Your phone and laptop both have Wifi Cards. Problems with the 802.11 standard is a big one. Everytime your phone looks for wifi, it sends out ALL of the networks your device has EVER connected to. So that "2WIRE384" network you connected to 2 years ago and the "Dont Tread on Me" you connect to at home broadcast every place you go. This can be bad, but what's even worse is if you connect to a network like "Xfinity" that is open, a hacker can create a fake access point and have you auto-connect to it. Tip: Turn off your Wifi if you're not using it.

Emails/Files. Assume all your emails are read because they probably are. To encrypt your emails, files, etc, you can use what's called GPG. It can be a little difficult to setup, but it allows you to encrypt your messages with 4096-bits.
Windows: https://www.gpg4win.org/
Mac: https://gpgtools.org/

Traffic:
[Public Wifi]: Okay you connected your laptop to a local hotspot. If the network is Open Wifi, all of your traffic can be "sniffed" by anyone on that network. This means that anyone can see all your unencrypted passwords, and all the websites you visit.

[Password Public Wifi]: This is better, but whoever owns the router, owns your traffic and everything you look at. They can, again, steal your passwords and such.

[Work Wifi]: Your work IT staff can see anything and everything you're looking at. They probably won't be able to see your passwords, but they can see all the sites you're looking at.

[Home Network]: You're at home and you believe you're safe. Yes and no. What wasn't said previously with these other three, is the person who's providing your internet can see all your traffic and what sites you go to. Comcast, AT&T, etc. they can all see you stream and download your illegal content. I have heard stories where they email or contact users and tell them to pay. I have a VERY hard time believing these emails are legitimate simply because ISPs, even Comcast, don't have the legal resources to prosecute you if they find that you're downloading illegal content on your network. They only know SOMEONE on your network did it, they don't know if it was you, or possibly someone else. In all likeness, it could be a spammer from a 3rd world country who's banking on unsuspecting Comcast Customers who are afraid of losing their internet or being sued. So they pay. It's easy for someone to just rent out a botnet of a few thousand computers, and email all the Comcast owners and tell them to pay. Most spamming crimes capitalize on people's ignorance. They know 90% of people won't pay. But if they ask for $200 from 2 Million people, that's still a fat check. I digress.

How do you surf the internet with freedom?
You can use a VPN to encrypt all your traffic and everything you view. You can even tell all website you connect to, you're from a different country. This might be desirable if you'd like to read some news articles about the US from another country. Or maybe some content is blocked in the US, like a documentary (real life example), and you want to watch it so you VPN into another country like Germany. VPNs also encrypt end-to-end so the ONLY thing your ISP knows is that you're connecting to that company. Now, IF you are a VERY special person of interest, the US gov CAN subpoena that VPN Provider and tell them to provide their logs. This is where selecting a VPN provider comes critical. Selecting one inside the US is not desirable if you're avoiding US Survalliance. No US VPN provider will protect you over their business. But a VPN Provider that is outside the US IS more likely, as they might not obey US law. https://thatoneprivacysite.net/

Tor:
I'm sure you've all heard of Tor, so I'll start by what you might not know, (or by now you've caught on). Your ISP is logging every time you connect to Tor. While tor is "anonymous", there are ways to de-anonymize users by their connection patterns. These are called coloration attacks, and without going TOO much into detail (as I'm getting tired of typing. Another day, if people are interested, I can provide more details.


If you stay on .onion sites, you won't leave the tor network, and therefore, can't be subject to these types of attacks, (so long as the server isn't owned/pwned by the government of Five Eyes/Fourteen Eyes).
BE CAUTIOUS about website that look like woiejfoiejisdnfa.onion.com
You see the ".com" part? This means it's NOT a tor website. It's probably a site that's used to collect who's going onto that site, etc.

I think that covers most levels of communication.
- Phone Calls
- Texts
- Internet traffic
- Emails
- Files
- VPNs
- Tor

Anything else? This was way longer than I thought.
Many questions and "How-to"s can be found by YouTubing "Defcon talks"

And password managers.
Get one. I use https://play.google.com/store/apps/d...wordsafe&hl=en because it saves all my passwords ON my phone and NOT online somewhere.

Every account, different password. One master password, and I'm able to backup an encrypted version of my passwords. Biggest problem is everyone uses same 2-3 passwords. Big problem with this is when a website or something gets hacked, and they get your password. Because if you use the same one in your email as this site, you might already be compromised.

Here's a way to check.

Wow, I feel so naked after reading all that

I have been pwned, a breach through LinkedIn, emails and passwords.
Hmm, and I'm only a T-shirt guy shopping and selling.

So whomever has my passwords can get into the company's servers I deal with and have full access to all their computer stuff, correct?

Well it was not on today's to do list but I have work to do. I'm assuming I need ALL new passwords now, crap.

Thanks for the lesson and insight,

Vick

Karl, if you are serious about this you need to realize the majority of people are at a basic computer skills level. Most would not be able to set up the things you have mentioned, GPG, VPN, etc.

Most people don't understand that security and convenience are inversely proportional.

They want more security, but when you get down to it, they don't want to sacrifice convenience to do it. The real battle is to get them to learn/understand how important it is in the along run.

If you want to help anyone with only basic computer skills to increase their security practices you need to be an expert at setting their expectations on this and SLOWLY introducing new security practices. Most people can't even be bothered to use different passwords on different sites. I harped on my wife for ages to not use the same password at every site. It ended up taking her email account getting hacked for her to understand that our bank accounts are now exposed because of her. They simply don't believe how real and close to home the threat is. We now all use a password manager and she sees the value in it's protection.

I think your biggest asset to offer people here is to educate them on why security is so important and how it relates to their day to day lives.

Karl, This is a perfect, real world example.

Vick, Look into these:

1password
LastPass

This is one thread I would like to see removed.