Have you ever thought that the government is hiding something from you? Or had a gut feeling that your employer might be controlling the flow of information in your direction? Closer to home, do you have little dark secrets that you would not let anyone on this planet catch a glimpse of?
Welcome to the world of Operations Security (OPSEC).
Basics of OPSEC
OPSEC is a risk management endeavor that controls data use within defined boundaries – to prevent information from falling into the wrong hands.
This concept started with military institutions in which armies prevented the access and application of sensitive information by unauthorized people.
The importance of OPSEC is tied to the fact that, as our lives increasingly revolve around the internet, anonymity becomes a necessary ticket to online safety. OPSEC without a consideration of anonymity would be useless when we all face various kinds of actors that may be targeting our valuable data.
Truth is, every digital layer constituting a communication framework provides a potential point of entry for cyber insecurity agents – from computer companies, software, applications, network access points, internet providers, websites, government institutions and private sector players that receive shared data.
Well, you might be wondering, what exactly happens when people have poor OPSEC?
Armed with a user’s personal data, a determined attacker can inflict a great deal of damage on you – especially if you become careless about your usernames and passwords. The attacker may also take advantage of the fact that you use the same email address to visit several internet applications to harvest critical information about you.
These seemingly harmless mistakes have been reported quite often in mainstream media, in which cyber criminals have exploited user carelessness at OPSEC to cause serious harm to targets.
On the positive side, poor OPSEC among criminal rings tends to create loopholes that allow law enforcement agencies to bust the offenders. A very good example is the 2017 takedown of the AlphaBay admin, which was made possible by the fact that the admin left pieces of digital information that linked him to his pseudonymous account.
In the events leading to the takedown, law enforcement agents had exploited little OPSEC mistakes that the darknet mastermind had made. For instance, initial emails from the platform’s admin [email protected] bore information about Alexandre Cazes, the AlphaBay creator. Cazes’ personal data included his year of birth as well as information that would later reveal his real identity.
Another critical OPSEC mistake that Cazes made was that he failed to prevent his Bitcoin account from being identifiable with his real name. Until then, AlphaBay had become a massive dark web marketplace dealing in illicit wares.
All in all, if you are keen on shielding yourself from organized criminal gangs, a distinct kind of OPSEC will be needed than if you are simply trying to avoid stalkers. You can be certain that poor OPSEC is something that you would not want to suffer. Being constantly wary of the adversaries lurking in the shadows is a sure way to stay clear of trouble online.
Lucky for you, this e-book will help you digest the fundamental workings of OPSEC from a risk and threat analysis standpoint. This is because, well, having great OPSEC empowers a system user with the ability to understand the potential enemies that they may be facing, evaluate his/her communication targets and judge the capabilities of said enemies.
Simply defined, the clearnet is the regular online ecosystem that is not reliant on Tor. It is on the clearnet that a majority of online users conduct communications and trade without the need for anonymity.
From the organizational perspective, companies monitor the clearnet to regulate their employees' online behaviour. Still, it is important to note that clearnet users can seek online privacy through Virtual Private Networks (VPNs).
The darknet, on the other hand, is the hidden corridors of the online world. Darknet websites can only be accessed through tailored tools, the most popular being the Tor browser. I2P is also another option applicable in darknet browsing and has been known to appeal to more tech-savvy users. Otherwise, to simplify this subject, the darknet occurs as a hidden digital layer on the clearnet.
The basic difference between the clearnet and the darknet is the function of anonymity. Clearnet browsing presents a critical challenge to users that desire to be anonymous. The exposure of your IP and MAC addresses means that you stand to be easily identifiable among other systems and networks. A host of clearnet websites have the ability to profile their users by applying the principles of machine learning to judge your tastes and preferences as far as browsing trends are concerned.
In the darknet perspective, anonymity is given first priority with the intention to empower users with the ability to communicate from deep within the online shadows.
When you access the dark web through Tor, your connection is routed through a number of other computer systems in order to cover your digital footprints. Take note that in the modern age of internet browsing, governments have learnt the trick of breaking such barriers to unravel the activities of the online underworld. Thus, it is almost entirely necessary that you, the darknet user, reinforce your online anonymity by using VPNs and the TAILS operating system to conceal your IP address.
OPSEC vulnerabilities occur whenever an enemy becomes capable of harvesting OPSEC indicators for the purpose of analysis, which they would then use to make certain detrimental decisions. Vulnerabilities entail weaknesses that expose a user’s critical details to possible attackers.
Moving on, threats refer to events where digital assets become endangered through loss or damage. Also, this term describes a potential attacker’s motive to cause harm to user assets. Examples of threats include terrorist, criminal and political intentions that would otherwise undermine a user’s OPSEC.
Having touched on the above definitions, threat assessment becomes the identification of potential enemies and the powers that accompany their existence, including their weaknesses and motives to harvest OPSEC indicators. On the other hand, risk assessment lays focus on the harm and impact caused by vulnerabilities or sets of vulnerabilities.
Whether a vulnerability is successfully exploited depends on the aggression of adversaries. An attacker that uses maximum force in exploiting system loopholes may inflict untold damage to a user’s assets. Cybersecurity experts may judge the likelihood of adversary success by weighing the existing vulnerabilities in terms of potency.
Picture this. It’s Friday afternoon and you are spending spare time at your local pizza bar while making use of the available free Wi-Fi to run through a few work-related tasks. Can you relate? This is a common routine among city dwellers, but did you stop to think for a second about the existing cybersecurity threats staring you down while you navigate your online banking platform and bite on cheese-stuffed junk?
The issue with using public Wi-Fi is the scary statistics of security risks that ride on these kinds of networks. While a large number of businesses may be confident about the quality of services to their customers, most establishments seem oblivious to the weaknesses of their networks as far as cyber risks and threats are concerned.
Just to focus on the specific risks involved, this section will provide brief explanations of the major risks of using public Wi-Fi, followed by recommendations about how to stay safe on these networks.
First, man-in-the-middle attacks are common risks in the usage of public Wi-Fi. Essentially, such an attack is seen as a form of eavesdropping in which an attacker may undermine user privacy to “read” communications occurring between the user and a third party.
Public Wi-Fi networks also provide ample environments for the distribution of malware between computer systems. An adversary may easily take advantage of network security loopholes and transmit malware into your computer without your knowledge. This aspect can be blamed on the occurrence of software vulnerabilities that serve as weak points for the attacker to exploit. In a typical scenario, a hacker may inject malware into your system by simply writing invasive code.
Wi-Fi snooping and sniffing happen when hackers use specialized equipment to access your sensitive data whenever you go online. They may view webpages that you browse using the free Wi-Fi in order to harvest login credentials or literally take over your online accounts.
Another risk is malicious hotspots, which impersonate legitimate public Wi-Fi hotspots. This happens when attackers set network baits to trap users into thinking that they are logging in to an actual network. Once you connect to such a rogue network, cybercriminals may access your private data illegally.
By now, you are probably wondering how you can use public Wi-Fi safely.
Regardless of the threats faced by a user, the only sure way to protect your information during episodes of public Wi-Fi connection is by using a VPN when surfing on your device.
A close look at the different kinds of network users is important in reiterating the importance of VPN usage by everyone who browses the internet. Thus:
The regular employee, who bears a number of responsibilities as far as their workplace is concerned, needs a VPN whenever they are travelling. In most cases, companies provide VPNs to their workers as a cyber-safety precaution to protect sensitive data from landing in the wrong hands.
The downloader, whether they are browsing the clearnet or darknet, needs a VPN to stay clear of possible future incriminating incidents that would be tied to their online behaviour. You wouldn’t want to pay a hefty fine for something you did online in the past.
The privacy-centric user applies VPN in their daily online undertaking to ensure that their sensitive data is secure. This is important to journalists who may want to disagree with oppressive regimes through articles that, if traced back to them, may spell deep trouble.
Otherwise, even if you don’t fall in the categories mentioned above, you still need to seek VPN services. Such a decision would be critical to your online safety, which traverses all levels of sensitivity in terms of what exactly makes you open your internet browser in the first place.
Account management can be tricky to some users. In a classic social scenario, many people would want to walk into their favourite joint and be noticed immediately, and often by their nickname. Think about walking into a bar and everyone shouts your name – sounds cool, right?
Well, the internet is not a place where you would want people to identify you by your real name. This aspect is not brought about by sheer antisocial behaviour but by the obvious dangers that lurk in the shadows of clearnet and darknet browsing.
From the outside, you may think that the exposure of your username is harmless but, truth is, it can lead into a cascade of security issues that would open into the brutal world of identity theft and financial crime.
If a username is not selected wisely, criminals may guess the user’s real name and use the resultant information to obtain critical information about their target. This aspect also extends to a user’s online activities as far as texts are concerned – the government may even study your texting patterns online to correlate it with your real identity. Take the example of the Silk Road founder Ross Ulbricht’s case in which the feds managed to connect his online persona to his real crimes based on his messaging behaviour on online platforms.
Otherwise, to the cybercriminal, knowing your username can be just enough to help them piece together information and execute a password-recovery process. Once they obtain your password, you become particularly vulnerable to cybercrime.
The secret to protecting your online credentials is by using the power of randomness. Attackers try to guess passwords based on sets of information provided by “dictionaries”. Additionally, they employ random guessing to try their luck at harvesting your sensitive online credentials.
As a user, it is important that you ensure that your passwords become as long and as randomly-created as possible. It is also critical that you always utilize different passwords from one website to another. This would cripple a possible pattern to be followed by a potential attacker in unravelling your personal information.
Furthermore, make use of the available password managers. This is because most people are unable to generate complex kinds of passwords to safeguard their online accounts.
In general, stay away from weak or “recycled” passwords.
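The gap between a word-based password and a randomly generated one, together with the reuse problem described above, can be checked with a short script. This is an added example, not part of the original e-book; the word list, the sample vault and the one-million-entry dictionary size are constructed assumptions.

```python
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
# Constructed stand-in for a guesser's "dictionary"; real lists hold millions of entries.
COMMON_WORDS = {"password", "dragon", "letmein", "monkey", "sunshine", "qwerty"}
ASSUMED_DICTIONARY_SIZE = 1_000_000  # assumption, used only for the estimate below


def random_password(length=20):
    """Draw every character independently from the operating system's CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_bits(length):
    """Entropy in bits of a password produced by random_password()."""
    return length * math.log2(len(ALPHABET))


def dictionary_bits(password):
    """Estimated entropy if the password is 'word + digits', otherwise None.

    Model (an assumption): the guesser tries every dictionary word, with and
    without a capital first letter, followed by every digit suffix of that length.
    """
    base = password.rstrip(string.digits)
    suffix_len = len(password) - len(base)
    if base.lower() not in COMMON_WORDS:
        return None
    return math.log2(ASSUMED_DICTIONARY_SIZE) + 1 + suffix_len * math.log2(10)


def audit(vault):
    """vault maps site -> password; return a sorted list of findings."""
    findings = []
    sites_by_password = {}
    for site, password in vault.items():
        sites_by_password.setdefault(password, []).append(site)
        bits = dictionary_bits(password)
        if bits is not None:
            findings.append(f"{site}: dictionary-based (~{bits:.0f} bits)")
    for sites in sites_by_password.values():
        if len(sites) > 1:
            findings.append("reused on: " + ", ".join(sorted(sites)))
    return sorted(findings)


# Constructed sample vault: one recycled word-based password, one random one.
SAMPLE_VAULT = {
    "mail.example": "Sunshine2021",
    "shop.example": "Sunshine2021",
    "bank.example": random_password(),
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_VAULT):
        print(finding)
    print(f"20 random characters: ~{random_bits(20):.0f} bits")
```

Every extra bit doubles the number of guesses needed, so the distance between the two estimates is what makes a random password impractical to guess.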
Quite recently, sharing email addresses was not a big issue. No one seemed bothered about any cyber threats that would arise from being a little bit free with personal information – but that was before the disturbing revelations by Edward Snowden.
Now, for most people, the desire to go fully anonymous is obvious. Internet users have grown to appreciate the benefits of keeping email addresses that are secret and that make it impossible to link their online personas with their real selves.
The worst case scenario of failing to safeguard one’s email address is connected to username and password management. Once a cybercriminal gets hold of your email address, they may employ a cascade of steps to reset your account’s password or, even worse, access copies of messages to and from your contacts. This becomes scary when the hacker decides to stay incognito while snooping on what dirty secrets you pass to your friends in your daily email communications.
Otherwise, cybercriminals would prefer to use your exposed email address to enter various websites or mobile applications to try and steal data or buy stuff online. It is very possible for an attacker to hijack every other account that you created using a compromised email address and inflict untold damage on your identity and finances.
In a classic example of an email-backed fraud case, a user’s friends may receive emails stating that their contact has been attacked by thugs and therefore needs money sent to him as soon as possible. Additionally, an affected user’s Twitter feed may send out links to malicious websites, which would predispose their contacts to cybercriminal attacks.
It is for this reason that the application of encrypted messaging services is important for all categories of users. Luckily, there exists a number of great alternatives to choose from in 2021.
A VPN is a privacy and security mechanism that reinforces private and public networks, including the internet and otherwise-risky Wi-Fi hotspots. VPNs are a favourite among corporate entities as they are used to guard important company data.
Additionally, personal usage of VPNs is becoming a common trend in today’s internet age. This aspect is true to the fact that an increasing number of human interactions have been moved to the numerous online platforms in existence.
A VPN provides the much-needed privacy by replacing a user’s original IP address with either of the addresses held by a VPN service. A VPN subscriber can get an IP address from wherever they are, as long as their specific service provider operates in their new locations. For example, you may be a New Yorker, but with a VPN, appear to be localized in some gateway city in faraway Europe.
First, VPNs provide user safety. Whether you are accessing your online banking platform or chatting with your friends online, you do not want to be spied upon. Additionally, owing to the risks of using public Wi-Fi that we discussed, every user wants to browse the internet safely.
A VPN becomes your answer in meeting this need because it encrypts your data to ensure privacy at all times. This would allow you to partake in your online activities without having to worry that your government or a group of hackers is tracking you down.
A VPN saves you money. The world of e-commerce is such that pricing varies from one location to another. Your favourite product may attract high prices in a location, say Monaco, but happen to be affordable if sourced from another location in the world. Having looked at the role of gateway cities and the fact that VPNs replace a user’s IP address, using the tool in this manner can save you lots of dollars.
Finally, VPNs are inexpensive. Premium VPN services usually cost less than other forms of cybersecurity methods. A good VPN can maintain the anonymity and security that you require on your network, even with money-back guarantee.
A VPN can affect your connection speed negatively. The encryption used in VPN mechanisms is a culprit in slowing down your connection speed. However, a VPN technology like Hotspot Shield offers online security and privacy without undermining connection speeds.
VPN connections tend to be unstable. Even with reliable VPN options, stability stands to be a prevailing issue. The main downside of an unstable VPN connection is the fact that your real IP address is revealed whenever the connection drops. This would undermine your anonymity apart from causing you untold inconveniences. The antidote to this issue is for users to obtain a VPN that has a kill switch, such as CyberGhost.
The other challenge experienced with VPNs is configuration difficulties. Improper VPN configuration exposes a user to frequent IP leaks, which would expose them to attackers.
To sum up, the pros of using VPNs far outweigh their disadvantages. Apart from the fact that a VPN allows you to protect your online activities from prying eyes, it also goes a long way to keep your private information under the radar.
To select a VPN of choice, it is critical that a user evaluates their own specific needs before choosing a service. A proper way to focus on this aspect is to consider the needs of clearnet and darknet users. For clearnet users, networks such as public Wi-Fi make a VPN important for protection.
Darknet users, on the other hand, need to combine VPN with Tor for utmost safety and privacy. This importance is owed to the differences in the operational mechanisms of both Tor and VPN. A VPN works by concealing your IP address while Tor helps to keep your activities anonymous. Put simply, VPNs were created for privacy while the Tor network is meant to provide anonymity.
In order to browse the dark web satisfactorily, this eBook advises that you combine the use of both Tor and VPN.
The challenge of using only Tor is that your Internet Service Provider (ISP) has the ability to track and record your browsing activities. Once they notice that you are using Tor, they may decide to either alter your connection speeds or cut you off.
At this point, we can’t really tell whether our ISPs can aid government agencies in spying on internet users – but who knows?
Fact is, the authorities would easily suspect a Tor user of wrongdoing despite their innocence. It is therefore necessary that Tor users acknowledge the need to use a VPN service to conceal Tor usage from their ISP.
In choosing an appropriate VPN to hide your Tor usage, there are some standard rules to be followed.
The most important rule is to consider the features of a VPN service and avoid free VPNs. VPNs that don’t charge users money have been found to do more harm than good – undermining your online privacy and security while potentially selling your sensitive data in unscrupulous deals.
Free VPNs tend to collaborate with malicious third-parties to harvest your sensitive data or sometimes allow outside actors to use your internet connection to conduct illicit businesses online.
A classic example is the popular Hola Free VPN that is currently installed in millions of devices across the world. Its working principle alone is a factor to watch out for. Not many people understand that Hola Free VPN does not route its users’ online traffic through their servers – but instead through networks and systems that belong to other Hola users.
This means that for those users that conduct illegal business online, they may involve your IP address and thus land you in trouble with authorities.
If you are currently using a free VPN, consider discontinuing its use and subscribe to a premium service.
Tor is a network that applies a multi-proxy mechanism to hide users’ IP addresses. This network eliminates the reliance on specific proxy servers needed in processing data. While Tor bears similar limitations to other proxy connections, it boasts a 3 million user database that works to clean up the IP tracks of its users.
The term Tor originates from the acronym “The Onion Router”, which was first created by the U.S. Navy to safeguard mission data. The original idea was to hide military IP addresses in a bid to prevent the leaking of sensitive information during military expeditions. The subsequent release of Tor into public domain occurred after the U.S. military shifted to using specialized in-house VPN systems – Tor became an open source free software that would be downloaded via the TOR website.
When a customer uses Tor, their internet traffic is directed through the Tor network. The traffic moves through a series of relays, usually operated by volunteers, before leaving the network and reaching the intended destination.
This data flow prevents ISPs or external actors from inspecting your local network with the intention of uncovering the websites that you visit. In addition, this mechanism keeps websites in the dark as far as user location is concerned – including visitors’ IP addresses. Instead, the location and IP address of the exit node are the only traces that the sites can see.
The fact that even the aforementioned relays do not have the ability to compute traffic components adds to the whole anonymity that Tor provides (See image below).
As an example, consider that you accessed a common search engine, such as Bing, via Tor. Your ISP and network operator would not realize that you accessed Bing, but they will only discern the encrypted traffic running through Tor.
In this particular case, Tor will relay your traffic up to the exit node, after which Bing would be “contacted”. As this process takes place, Bing will notice that their site is being accessed by an exit node. The exit node would then send traffic back along the relays, which would have no knowledge about the termination points of such traffic.
Tor is ideal for persons living in countries with internet censorship laws, people facing dictatorial governments and also those that exist in global locations that prevent free speech. This network would enable such categories of internet users to access the web without fear of detection. Additionally, in regular democratic ecosystems, Tor helps whistleblowers to share information while sealing their digital tracks for personal safety.
Nonetheless, despite the benefits of using Tor, the network is not suitable for Clearnet browsing. While anonymity happens to be desirable to a surprisingly large number of people, using Tor to browse the surface web presents slow connections, including other technical challenges.
The Big Question – Is Tor 100% Secure?
Most people think that Tor provides complete online anonymity and security – but is this true?
Well, online anonymity and privacy cannot be achieved that easily.
Making reference to the above topical sections covered in this eBook, it should be quite obvious that Tor lacks full capacity to guarantee anonymity and privacy on its own.
Let’s take a quick look at the following key limitations of Tor:
Importantly, advanced attackers may sniff exit nodes. The access of unencrypted sites using Tor allows exit nodes to monitor user internet traffic – including the spying on your web pages and communication texts. In fact, it is known that some government agencies have taken advantage of this Tor weakness to track users.
Take the example of a 2007 case in which a security expert harvested email communications for a number of email accounts using a Tor exit node. The users in the case had failed to encrypt their email framework, thinking that Tor would do all the work for them. Therefore, it is advisable that all Tor users browse encrypted sites when handling sensitive content.
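The relay path described earlier and the exit-node limitation above can be seen together in a small simulation, added here as an example that is not part of the original e-book. The relay names, the destination and the request are constructed, and a toy SHA-256 keystream stands in for Tor's real circuit handshake and cell encryption, which are not reproduced.

```python
import hashlib
import secrets

RELAYS = ["guard", "middle", "exit"]        # constructed three-hop circuit
DESTINATION = "site.example"                 # constructed destination
REQUEST = b"POST /login user=alice&password=constructed-secret"


def keystream_xor(key, data):
    """Toy stream cipher (SHA-256 in counter mode); applying it twice decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def wrap(path, keys, destination, payload):
    """Client side: build the onion, innermost (exit) layer first."""
    next_hops = path[1:] + [destination]
    blob = payload
    for relay, next_hop in reversed(list(zip(path, next_hops))):
        blob = keystream_xor(keys[relay], next_hop.encode() + b"\n" + blob)
    return blob


def peel(relay, keys, blob):
    """Relay side: remove one layer, learning only the next hop."""
    next_hop, _, inner = keystream_xor(keys[relay], blob).partition(b"\n")
    return next_hop.decode(), inner


def route(path, keys, onion):
    """Pass the onion along the circuit and record what each relay observes."""
    seen, previous, blob = [], "client", onion
    for relay in path:
        next_hop, blob = peel(relay, keys, blob)
        seen.append({"relay": relay, "from": previous, "to": next_hop, "forwards": blob})
        previous = relay
    return seen


def run_circuit(end_to_end_encrypted):
    """Send REQUEST through the circuit, optionally encrypted for the site itself."""
    keys = {relay: secrets.token_bytes(32) for relay in RELAYS}
    site_key = secrets.token_bytes(32)       # stand-in for an HTTPS session key
    payload = keystream_xor(site_key, REQUEST) if end_to_end_encrypted else REQUEST
    seen = route(RELAYS, keys, wrap(RELAYS, keys, DESTINATION, payload))
    delivered = seen[-1]["forwards"]
    received = keystream_xor(site_key, delivered) if end_to_end_encrypted else delivered
    return seen, received


if __name__ == "__main__":
    for encrypted in (False, True):
        seen, _ = run_circuit(encrypted)
        print("end-to-end encrypted:", encrypted)
        for hop in seen:
            readable = REQUEST in hop["forwards"]
            print(f"  {hop['relay']}: {hop['from']} -> {hop['to']}, request readable: {readable}")
```

No relay sees both the client and the destination, but the exit relay forwards the request in readable form unless the site connection is itself encrypted.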
The practice of communicating sensitive information online is a complicated affair. What if someone else takes a peek at the critical bank details that you are sending? Or even those “inappropriate jokes” that should never be associated with your public image?
Fortunately, Pretty Good Privacy (PGP) happens to be among the most effective solutions available to today’s users.
PGP was created back in 1991 by Phil Zimmermann, an anti-nuclear activist that sought to solve the timeless challenge of secure mail transmission.
PGP happens to be a very simple concept, at least on the surface.
Picture this – you intend to send your bank credentials, say your credit card number, to a comrade. The first instinct would be to write it on paper before mailing it to your friend’s address.
What you don’t realize is that the information on transit faces a mountain of risks. A criminal may impound the mail and access its contents – stealing your credit card information to be used without your consent. Certainly, this would not end well.
Next, you may consider sending the information via a locked mailbox. The only thing that you did not consider beforehand is the new challenge – you have to send the locked mailbox along with its key. Well, this is too much hassle.
Now, let’s consider that you met your contact beforehand in order to share the key in advance. That seems reasonable, right?
While that step seems to be a solution to our initial problem, we realize that a new vulnerability becomes created. The fact that both you, the sender, and your recipient have keys to the mailbox creates a security loophole – the sender should not bother to open the mailbox after sealing it.
Finally, to solve the problem, two keys would be needed in this particular case. The first key would be used to lock the mailbox shut. The second key would allow the mail recipient to unlock the box to reveal its contents. In this manner, only the intended recipient of the message will be able to unlock the mailbox to access your bank credentials as recorded on the piece of paper.
PGP operates this way. Two keys are used to transmit information from point A to B. The first key, the public key, is used to encrypt the message. The second key is referred to as the private key as it is used to decrypt the message.
In order to communicate, a user sends the public key to all their intended message recipients. This would enable them to lock sensitive information that they may want to transmit to the user.
Finally, on receiving encrypted messages, a user would simply apply their private key in unlocking messages sent by their contacts. (Study the illustration below)
To use our free PGP key creation, encryption & decryption tool, click on the following link: /pgp/
To wrap up, all forms of online activity should take particular OPSEC measures to ensure that users are cushioned against data theft. An important point to note is that all manner of internet browsing attracts unique challenges as far as privacy and operational security is concerned.
An advisable way to stay clear of anti-OPSEC elements is to adopt a number of good habits under this subject.
In general, restricting access to network devices is critical to ensuring that information is shared within controllable limits. As a business owner, you may want to provide the “least privilege” to your workers to ensure that they perform their tasks with utmost exactness – unrestricted social media access, for example, may lead to employees exposing company networks to attacks.