Social Media Operational Security OPSEC


1 Social Media Operational Security OPSEC
CryptoParty London, Tuesday 29th January 2019. @CryptoPartyLDN @SpyBlog

2 Social Media OPSEC
Social Media is wonderful! Billions of people use "free" online web accounts and mobile phone apps, e.g. Twitter, FaceBook, InstaGram, SnapChat, and encrypted messengers such as Signal Messenger and WhatsApp.

3 Social Media OPSEC
Tips on hardening your Social Media accounts against being taken over, or revealing too much. Some threats to be addressed:
- Social Media companies exploit inertia and deliberately hard-to-find default Privacy Settings, in their favour, not yours.
- Meta Data collection and analysis is arguably a bigger threat than weak Encryption of the Content itself, except for Log Ins.
- Characteristic WiFi Probe Requests for Out of Range networks are fed into Social Graph Profiles, including "dark" profiles not yet linked to identifiable people.
- Attackers try to hijack your Social Media account(s), often via Forgotten Password workflows involving mobile phones, SMS text messages or recovery e-mail accounts.

4 Social Media OPSEC
- Social Media Pros & Cons
- Social Media Encryption
- Social Media Meta Data
- Detox your Social Media Privacy Settings: Web Browsers, FaceBook, Twitter, InstaGram, SnapChat

5 Social Media OPSEC
- Smart Phone Privacy Settings: Apple iOS, Android
- Turn Off WiFi when Out of Range
- Forgetting WiFi Networks on Android
- Forgetting WiFi Networks on iOS
- WiFi MAC Address Randomisation

6 Social Media OPSEC
- Signal Messenger - Disappearing Messages
- WhatsApp - Disappearing Status Messages
- Signal Messenger - Registration Lock PIN
- WhatsApp 2 Step Verification
- Multi Factor Authentication

7 Social Media OPSEC
- U2F Security Key - Universal 2nd Factor Authentication: Facebook, InstaGram, Twitter
- Demonstrate Login to Twitter via U2F Security Key
- Google Advanced Protection Programme

8 Social Media Pros & Cons
Social Media is an important communications, propaganda or self-promotion tool for Celebrities, Politicians, Political Activists, Journalists or Individuals. But N.B. the "free" Social Media business model: if you are not paying for it, your data is the product, sold to advertisers or handed over to governments. Social Graph Profiles are built even of people who are not (yet) directly customers of the Social Media companies, e.g. FaceBook doing Facial Recognition on *everyone* in the photos their users share, regardless of whether those people have an account.

9 Social Media Encryption
Web site TLS Encryption over the internet wire, or over the air via mobile data / WiFi, is now universal for the main Social Media websites and Apps; this was not so in the recent past. TLS only protects the Content in transit, though: the Social Media company still reads everything at its end. End to End Encryption (E2E) is vital for Mobile Device privacy and security, especially for e-commerce. E2E means that strong Cryptographic Keys are generated and stored on the local device, not centrally, so the service provider cannot read the Content and there is less risk of it being illegally hacked or legally seized from the provider.

10 Social Media Encryption
Encryption usually denotes Privacy or Secrecy, but not Anonymity: even GCHQ get confused by this.

11 Social Media Meta Data
Meta Data is information about a Social Media Account in general, or about a specific posting / publication, rather than the Content the user wrote or clicked. Who contacts whom, when, where & how often is as, or more, revealing than the often bland Content itself. It is often generated automatically by the client Web Browser, App or Operating System software and / or the Internet infrastructure.

12 Social Media Meta Data
You have limited control over exactly what Meta Data is generated, stored, sold or shared with other companies or government agencies. For UK Authorities, access to Content needs an Interception Warrant (issued by a Secretary of State and, under the Investigatory Powers Act 2016 "double lock", approved by a Judicial Commissioner before it takes effect; the Investigatory Powers Commissioner oversees the regime), but Meta Data (communications data) does not: it is obtained under a much lower bar, authorised internally by Police or Intelligence Agencies with little auditing. Most big Social Media companies are in the USA or China, i.e. *not* under effective UK legal jurisdiction. N.B. the UK distinction under the Investigatory Powers Act 2016 between Content and Meta Data grabbing.

13 Social Media Meta Data
- IP Address of the computer used for the initial set-up of the SM account and for every subsequent Login
- Actual / inferred physical Location of the computer used for the initial set-up of the SM account and for every subsequent Login
- Date & Time and the account username for every SM account Login (the password itself should only ever be stored as a salted hash, but the fact that a login succeeded is logged)
- Web Browser characteristics (language settings, screen resolution, Operating System etc.) of every connection made to the SM account
None of these definitely *prove* that a particular person used a Social Media account, but together they are strong circumstantial evidence.
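As an added illustration, not part of the slides, here is a small Python script showing why the login Meta Data listed above is "strong circumstantial evidence": it links a pseudonymous account to a real-name account that keeps logging in from the same IP address with the same browser characteristics within minutes of each other. The log records are constructed sample data, and the field layout is an assumption rather than any real platform's log format.

```python
"""Link pseudonymous Social Media accounts through login meta data.

Added example, not from the CryptoParty slides.  The records below are
constructed sample login-log entries of the kind the slide lists
(timestamp, username, IP address, browser characteristics); the field
layout is an assumption, not any real platform's log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the view a platform (or a government body with a
# production order for the platform's logs) gets.  Browser fingerprint =
# language | screen resolution | operating system | browser.
SAMPLE_LOGINS = [
    ("2019-01-29T18:02:11", "alice_real",   "203.0.113.7",   "en-GB|1440x900|Mac OS X 10.14|Firefox/64"),
    ("2019-01-29T18:04:50", "anon_whistle", "203.0.113.7",   "en-GB|1440x900|Mac OS X 10.14|Firefox/64"),
    ("2019-01-30T07:15:03", "alice_real",   "198.51.100.23", "en-GB|1440x900|Mac OS X 10.14|Firefox/64"),
    ("2019-01-30T07:16:40", "anon_whistle", "198.51.100.23", "en-GB|1440x900|Mac OS X 10.14|Firefox/64"),
    ("2019-01-30T12:00:00", "bob",          "203.0.113.7",   "en-US|1920x1080|Windows 10|Chrome/71"),
    ("2019-02-01T22:41:09", "anon_whistle", "192.0.2.55",    "en-GB|1440x900|Mac OS X 10.14|Firefox/64"),
]


def link_accounts(logins, window=timedelta(minutes=15)):
    """Return {(account_a, account_b): [(date, ip), ...]} for every pair of
    different accounts that logged in from the same IP address with the same
    browser fingerprint within `window` of each other.

    Each distinct (date, IP) co-occurrence is one piece of evidence; several
    of them from different networks are what makes the link convincing."""
    events = sorted((datetime.fromisoformat(ts), user, ip, fp) for ts, user, ip, fp in logins)
    evidence = defaultdict(set)
    for i, (t1, u1, ip1, fp1) in enumerate(events):
        for t2, u2, ip2, fp2 in events[i + 1:]:
            if t2 - t1 > window:
                break  # events are time-sorted, so nothing later can be inside the window
            if u1 != u2 and ip1 == ip2 and fp1 == fp2:
                evidence[tuple(sorted((u1, u2)))].add((t1.date().isoformat(), ip1))
    return {pair: sorted(hits) for pair, hits in evidence.items()}


def strength(hits):
    """Rough grading: co-occurrence on a single network could be a shared
    office or cafe; the same pair seen from two or more distinct networks is
    much harder to explain away."""
    networks = {ip for _, ip in hits}
    return "strong" if len(networks) >= 2 else "weak"


if __name__ == "__main__":
    for pair, hits in link_accounts(SAMPLE_LOGINS).items():
        print(pair, strength(hits), hits)
```

Note what the script does not need: no Content at all. "bob" shares an IP address with alice_real but has a different browser fingerprint and logs in hours apart, so he is not linked; the whistleblower account is linked by two co-occurrences from two different networks, which is exactly the pattern a real-name account and its "anonymous" sibling on the same laptop produce.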

14 Social Media Meta Data
Extra Meta Data is associated with Social Media Account Creation (partially to combat spam bot scripts), e.g.:
- Verification Code number sent via SMS text message to a Mobile Phone
- Social Media Account Forgotten Password contact details: a Mobile Phone Number for SMS text messages, or another e-mail address, e.g. Google gmail
These can reveal the true identity behind "Anonymous" Social Media accounts to advertisers or government investigators.

15 Detox your Social Media Privacy Settings
Social Media Accounts do have some Privacy Settings, but by default these favour the Social Media companies' advertisers, and government snoops, stalkers or online harassers. Change some or all of them depending on your own Privacy Threat Assessment. Useful infographic: How to Be Invisible on the Internet

16 Detox your Social Media Privacy Settings
If you have brought along your Smart Phone or Laptop computer, have a go at Detoxing, i.e. reviewing the default Privacy Settings of: Web Browsers, FaceBook, Twitter, InstaGram, SnapChat, Apple iOS, Android.

18 c.f. the AdBlock lightning talk later on

19 HTTPS Everywhere is configured by default in the Tor Browser
HTTPS Everywhere is configured by default in the Tor Browser. Modern Browsers also honour the HSTS (HTTP Strict Transport Security) header on websites, switching over to https:// even when you only clicked on or typed in an unencrypted http URL. Caveat: the browser only does this for a site it has already seen send the header over https (or that is on the browser's built-in HSTS preload list), so the very first visit to a site is not protected unless it is preloaded.
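The caveat above is easiest to see as a state machine. The following Python model is an added example, not code from the slides or from any browser: a minimal HSTS cache that learns from response headers the way RFC 6797 prescribes and rewrites http:// URLs accordingly. The PRELOAD set is a constructed stand-in for the browsers' real preload list, and example.com / example.net are sample hosts.

```python
"""Model of how a browser applies HTTP Strict Transport Security (HSTS).

Added example, not from the slides: a minimal HSTS cache showing that the
http -> https upgrade only happens once the site has been seen over https
with a valid Strict-Transport-Security header (or is on the browser's
preload list), and that it lapses when max-age expires.  Header syntax
follows RFC 6797.  PRELOAD is a constructed stand-in for the real built-in
preload list, and example.com / example.net are sample hosts.
"""
import time
from urllib.parse import urlsplit, urlunsplit

PRELOAD = {"example.net"}  # constructed stand-in: hosts the browser ships as HSTS-known


def parse_hsts(header):
    """Return (max_age_seconds, include_subdomains) from a header value, or
    None if it is malformed (RFC 6797: max-age is mandatory, unknown
    directives are ignored, directive names are case-insensitive)."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class HstsCache:
    def __init__(self, now=time.time):
        self.now = now              # injectable clock so expiry can be demonstrated
        self.entries = {}           # host -> (expiry_timestamp, include_subdomains)

    def observe_response(self, url, headers):
        """Learn HSTS state from a response.  Only https responses count
        (RFC 6797 section 8.1), so an attacker on a plain-http connection
        cannot plant or clear an entry."""
        parts = urlsplit(url)
        value = headers.get("Strict-Transport-Security")
        if parts.scheme != "https" or value is None:
            return False
        parsed = parse_hsts(value)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        if max_age == 0:                        # max-age=0 tells the browser to forget the host
            self.entries.pop(parts.hostname, None)
        else:
            self.entries[parts.hostname] = (self.now() + max_age, include_sub)
        return True

    def is_known(self, host):
        if host in PRELOAD:
            return True
        entry = self.entries.get(host)
        if entry and entry[0] > self.now():
            return True
        labels = host.split(".")                # a parent with includeSubDomains also covers us
        for i in range(1, len(labels) - 1):
            parent = self.entries.get(".".join(labels[i:]))
            if parent and parent[0] > self.now() and parent[1]:
                return True
        return False

    def rewrite(self, url):
        """What the browser does with a typed or clicked http:// URL."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.is_known(parts.hostname):
            return url
        netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def demo():
    """Walk through the state changes; returns the rewritten URL at each step."""
    clock = [1_000_000.0]
    cache = HstsCache(now=lambda: clock[0])
    out = {}
    out["first_visit"] = cache.rewrite("http://example.com/login")        # never seen: stays http
    cache.observe_response("http://example.com/", {"Strict-Transport-Security": "max-age=31536000"})
    out["after_http_header"] = cache.rewrite("http://example.com/login")  # header over http is ignored
    cache.observe_response("https://example.com/",
                           {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
    out["after_https_header"] = cache.rewrite("http://example.com/login") # now upgraded
    out["subdomain"] = cache.rewrite("http://www.example.com/")           # covered by includeSubDomains
    out["preloaded"] = cache.rewrite("http://example.net/")               # upgraded even on first visit
    clock[0] += 31536000 + 1                                              # max-age elapses
    out["expired"] = cache.rewrite("http://example.com/login")
    return out


if __name__ == "__main__":
    for step, url in demo().items():
        print(f"{step:20s} {url}")
```

The point for OPSEC is the "first_visit" and "expired" rows: a long max-age and a preload entry are what close the window in which a captive portal or hostile WiFi can downgrade you, which is why HTTPS Everywhere (or a browser-wide HTTPS-only mode) is still worth having on top of HSTS.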

40 Review need for Apple iCloud Backup
Backup is good, but Apple iCloud Backup is very often the route by which legal subpoenas, or attackers abusing Password Recovery Questions, gain access to celebrities' nude photos or other private data: a backup held by Apple is only as well protected as your Apple ID and Apple's willingness to resist a court order. For high-risk Apple iOS users, under Settings > [your name] > iCloud, disable Photos, Mail, Contacts, Messages, Keychain (saved passwords), iCloud Backup, and the iCloud toggles for encrypted messaging apps like Signal Messenger and WhatsApp. WhatsApp's own iCloud chat backup (WhatsApp Settings > Chats > Chat Backup) was not end-to-end encrypted at the time of this talk and should be turned off too.

44 Turn Off WiFi when Out of Range
Home, Work or "Free" public WiFi is great & very convenient. When your mobile device is Out Of Range, it very often still sends characteristic Probe Requests containing the Network Name / SSID of each Home, Work or "Free" public WiFi Access Point it has connected to, uniquely identifying you and your travel location patterns to advertisers, criminals, or government or corporate spies, e.g. revealing that your Home or Office is now unguarded. Both FaceBook and Google do now, or could easily in the future, make use of these WiFi Probe Requests to help compile their Social Graph Profile databases, without anyone's explicit prior consent, e.g. FaceBook's creepy People You May Know patent.

46 Turn Off WiFi when Out of Range
Recent Apple iOS and Android mobile devices include various levels of automatically turning WiFi on, or keeping it on whilst in Sleep Mode, for convenience rather than off for privacy, security and battery power saving.

48 Turn Off WiFi when Out of Range
If WiFi is switched off via the Control Center (swipe up) panel, Apple iOS (11 and later) only disconnects from the current network: it will switch WiFi & Bluetooth back on again at 5 a.m. local time the next morning, or sooner if you restart or move to a new location! To turn them off properly you need to go into Settings > Wi-Fi and Settings > Bluetooth.

50 Turn Off WiFi when Out of Range
Switch off Ask to Join Networks

51 Forgetting WiFi Networks on Android
On Android this is relatively straightforward and can be done selectively per Network whether it is currently in range or not.

55 Forgetting WiFi Networks on iOS
On Apple iOS you can selectively forget a Network but only when it is In Range and is displayed in the Networks list.

57 Forgetting WiFi Networks on iOS
On Apple iOS, to forget all the stored networks which may send Probe Requests, you have to Reset Network Settings overall (which also resets mobile cell network, VPN and APN settings). Hence Apple iPhones often blab half a dozen or more WiFi Probe Requests, effectively a unique fingerprint, when Out of Range.

60 WiFi MAC Address Randomisation
WiFi Probe Requests also carry your device's Media Access Control (MAC) address, a 48-bit hardware identifier unique to each radio (not strictly a serial number, but it works like one), which is used to track your physical location patterns. WiFi MAC Address Randomisation (hardware dependent) substitutes a random, locally administered address for the "real" unique MAC address in probe requests. The WiFi and Bluetooth radios are often handled by the same chip on a phone and their real addresses differ by only one digit, so leaking one gives away the other. At the time of this talk randomisation only worked until a stored WiFi network was joined or a fresh WiFi connection was made, when the real WiFi MAC address is transmitted and can be sniffed by Kismet etc. (iOS 14 and Android 10 later added a per-network random MAC for the association itself, but that address is still constant for a given network, so you remain recognisable to that network).
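To make the "fingerprint" of slide 57 and the "locally administered" randomised address of slide 60 concrete, here is an added Python example (not code from the slides or from Kismet) that parses raw 802.11 Probe Request frames the way a passive sniffer would, collects the SSIDs each sender asks for, and flags senders whose MAC address carries the locally-administered bit. The capture is constructed in code so it runs without a radio; the MAC addresses and network names are made-up sample values.

```python
"""Parse 802.11 Probe Request frames and profile the devices sending them.

Added example, not from the slides.  It shows the two things the slides
describe: the list of stored network names (SSIDs) that an out-of-range
phone broadcasts, which is effectively a fingerprint of its owner, and the
locally-administered bit that marks a randomised MAC address.  The capture
below is constructed in code (no radio needed); the MAC addresses and SSIDs
are made-up sample values.
"""
import struct
from collections import defaultdict

BROADCAST = b"\xff" * 6


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_probe_request(src_mac, ssid="", seq=0):
    """Construct a minimal Probe Request: 24-byte management header
    (frame control 0x0040 = type management, subtype 4) followed by an
    SSID information element and a Supported Rates element."""
    header = (bytes([0x40, 0x00]) + b"\x00\x00"             # frame control, duration
              + BROADCAST + mac_bytes(src_mac) + BROADCAST  # DA, SA, BSSID
              + struct.pack("<H", seq << 4))                # sequence control
    ssid_raw = ssid.encode("utf-8")
    body = bytes([0, len(ssid_raw)]) + ssid_raw             # element id 0 = SSID ('' = wildcard)
    body += bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])           # element id 1 = supported rates
    return header + body


def parse_probe_request(frame):
    """Return (source_mac, ssid) for a Probe Request, or None for anything
    else (other frame types, truncated frames)."""
    if len(frame) < 24:
        return None
    fc = frame[0]
    if (fc >> 2) & 0x3 != 0 or (fc >> 4) != 4:   # type must be management, subtype probe request
        return None
    src = mac_str(frame[10:16])
    ssid, pos = "", 24
    while pos + 2 <= len(frame):                   # walk the information elements
        eid, elen = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + elen]
        if len(value) < elen:                      # element runs past the frame end
            break
        if eid == 0:
            ssid = value.decode("utf-8", "replace")
        pos += 2 + elen
    return src, ssid


def is_locally_administered(mac):
    """Bit 1 of the first octet set = locally administered, i.e. not a
    manufacturer-burned address; this is what randomised MACs look like."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def profile_devices(frames):
    """Group probe requests by sender: the set of named SSIDs it asks for,
    how many wildcard (empty-SSID) probes it sent, and whether the address
    looks randomised."""
    seen = defaultdict(lambda: {"ssids": set(), "wildcard": 0})
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed is None:
            continue
        src, ssid = parsed
        if ssid:
            seen[src]["ssids"].add(ssid)
        else:
            seen[src]["wildcard"] += 1
    return {
        mac: {
            "ssids": tuple(sorted(d["ssids"])),
            "wildcard_probes": d["wildcard"],
            "randomised_mac": is_locally_administered(mac),
        }
        for mac, d in seen.items()
    }


# Constructed capture: an older phone with its real (manufacturer) MAC
# probing for every network it remembers, a newer phone using a randomised
# MAC and only wildcard probes, plus a beacon and a truncated frame that a
# parser must skip rather than choke on.
SAMPLE_CAPTURE = [
    build_probe_request("00:11:22:aa:bb:cc", "HomeNet-5G", seq=1),
    build_probe_request("00:11:22:aa:bb:cc", "CorpWiFi", seq=2),
    build_probe_request("00:11:22:aa:bb:cc", "Cafe Free WiFi", seq=3),
    build_probe_request("da:a1:19:01:02:03", "", seq=7),
    build_probe_request("da:a1:19:01:02:03", "", seq=8),
    bytes([0x80, 0x00]) + b"\x00" * 22 + b"\x00\x06beacon",        # beacon (subtype 8): ignored
    build_probe_request("00:11:22:aa:bb:cc", "HomeNet-5G")[:20],  # truncated: ignored
]

if __name__ == "__main__":
    for mac, info in profile_devices(SAMPLE_CAPTURE).items():
        print(mac, info)
```

The first device's three-SSID tuple is the fingerprint the slides warn about: even if its MAC were randomised, that combination of home, office and cafe names would still single it out, which is why forgetting networks (and not just randomising the address) matters. The second device is what a well-behaved randomising phone looks like: a locally administered address and only wildcard probes.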

61 Signal Messenger Disappearing Messages
Use the Disappearing Messages option (an idea borrowed from SnapChat etc.); it is vital if your sensitive mobile phone is seized as evidence, lost or stolen. The Disappearing Message timer is configurable from 5 seconds up to a week (later Signal versions allow custom timers of up to four weeks), which is more flexible than WhatsApp's fixed 24-hour Status disappearing messages. Caveat: the timer only limits what is left on the two devices; it does not stop the recipient screenshotting or forwarding a message, and it does not help if the phone is seized before the timer expires.

64 WhatsApp Disappearing Status Messages

66 Signal Messenger Registration Lock PIN
Make SIM hijacking via social engineering, bribery or coercion of mobile phone shop or call centre staff less likely to disrupt your Signal Messenger account by setting a long (4 to 20 numeric digits, at the time of this talk) Registration Lock PIN. Anyone re-registering your phone number with Signal then has to enter the PIN, so a hijacked number alone is not enough to take over your account. Note that the lock lapses after 7 days without the app being used, so keep Signal in use and the PIN somewhere safe.

70 WhatsApp 2 Step Verification
Six-digit PIN, plus an optional PIN Recovery e-mail address (which WhatsApp does not verify, so type it carefully). Once the PIN is entered, registering WhatsApp on another mobile phone, and so carrying over your messages, groups and contacts, is still allowed (pros & cons: convenient for you, equally convenient for an attacker who learns the PIN).

75 Multi Factor Authentication
Something you know (a strong, long pass phrase) plus Something you have (a physical hardware token or USB security key), ideally not something non-secret like fingerprint or facial recognition biometrics. This can be very strong against phishing and social engineering attacks, especially those exploiting easy-to-guess Social Media Account Password Reset "security" questions, provided the second factor is a hardware key rather than a code sent by SMS. It can also help against mobile phone SIM card hijack / phone number porting social engineering attacks, again only if SMS is not the second factor: an SMS code is exactly what a SIM hijacker receives.

77 U2F Security Key Universal 2nd Factor Authentication
FaceBook

78 U2F Security Key Universal 2nd Factor Authentication
Twitter. Important: at the time of this talk you must also have either the Text message or the Mobile security app option enabled for login verification; you cannot enable the Security key option alone (and the key only works on Chrome Desktop, not on Android!). You can set up a mobile phone, but still have to provide an e-mail address during the 2FA process. Caveat: leaving SMS enabled as a fallback means the account is still only as strong as your phone number.

79 U2F Security Key Universal 2nd Factor Authentication
InstaGram

80 U2F Security Key Universal 2nd Factor Authentication
Demonstrate Log In to a Twitter account which has been set up for U2F Security USB Key Authentication

81 Google Advanced Protection Programme
For high-risk people, e.g. journalists or activists. It removes the normal mobile phone & recovery e-mail password-recovery options and replaces them with a U2F Security Key plus a backup Security Key (so losing one key does not lock you out). Use a Gmail account protected this way as the dedicated Forgotten Password recovery address for your other social media and messaging accounts, e.g. as the recovery e-mail for your 6-digit WhatsApp PIN.

82 Summary: 6 Social Media OPSEC hints
1. Detox the default Privacy Settings on your Social Media Accounts. Trade off the default Convenience settings for more Privacy and Security according to your Threat Model.
2. Meta Data: who contacts whom, when, where & how often is as, or more, revealing than Social Media Content.
3. Turn off or Forget WiFi networks when Out of Range.
4. Use Disappearing Messages for Signal Messenger or WhatsApp Status.
5. Set PIN codes to make verification phone number hijacking harder.
6. Use U2F Security Key hardware if possible, e.g. on your dedicated Password Recovery gmail account.

83 Questions ? Contact: Twitter: @SpyBlog
GPG key: 4C7F2E878638F21F Signal Messenger: on request

84 Anonymity SwapShop
Now Swap or Barter or Commission:
- spare Social Media Accounts, Sock Puppets and online Legends
- random DiceWare passphrases or other Pre-Shared Secrets
- GPG Public Encryption Keys
- pre-verified Encrypted Messenger accounts
- pre-paid SIM Cards
- burner mobile phone handsets
- burner Voice Over IP accounts
- Public WiFi logins
- pre-paid Oyster Travel Cards
- U2F FIDO USB security keys
- USB condom for malware-free device electrical power charging
- Mic-Lock audio port microphone disabler
- Radio Frequency Faraday Cage shielding
- CryptoCoins and Cold Wallets
- Hawala money transfers
- Dead Drop locations
- Horcruxes
- DNA anti-forensic tools
- Anonymous Postal Mail Forwarding
These Anonymity and Privacy tools (honest guv, got it from some bloke in a bar) can help break the financial and CCTV physical purchase data trails, when you need to Compartmentalise your online life.

