opsec and personal security and privacy 101
This post is about basic personal and operational security (opsec) for the non-technical person.
Security is for everyone, not just information systems. Depending on the need, threat surface, etc., security measures may be all-encompassing or sparse. For example, an investigative journalist on the ground in a hostile area may require more security than a girlfriend trying to hide information from her abusive boyfriend.
In this post, I will cover some basic personal measures anyone seeking privacy and security can take. Reminder - this is just a primer and will only cover the basics.
$ use a password manager
A lot of people have poor password “hygiene” because it’s hard to balance password complexity and remembering all passwords. That’s why password managers can help. It’s actually better to use very good, complex, and diverse passwords stored in a password manager rather than easy or repeated passwords that have the convenience of being remembered.
Some recommendations are:
$ use multi-factor authentication
Lock down all your accounts with multi-factor authentication. Having this mechanism in place will make it harder for adversaries to hack your accounts.
$ what is end-to-end encryption (E2EE)?
End-to-end encryption is the property that a message is kept secret between the sender and receiver, and only the sender and receiver. This means no middle party can read any message sent between them. This property ensures parties in communication can be trusted, and the integrity of the messages remains intact.
Encryption is a mathematical process, and the technical know-how behind it is beyond the scope of this post. Only high-level or general concepts will be covered.
You want to ensure information is encrypted both “in transit” and “at rest.” Information “in transit” refers to the state that it is moving in the network from one place to another, and information “at rest” refers to the state that it is stored somewhere. Information “at rest” can be encrypted in combination - for example, file encryption and disk encryption.
$ using E2EE comms
My Recommendation: Signal
This section will briefly summarize security and privacy in popular messaging services.
WhatsApp
- E2EE using the Signal protocol designed by Open Whisper Systems - more info on WhatsApp encryption here
- WhatsApp collects metadata, which is not encrypted; Facebook collects even more detailed metadata
- Owned by Meta, which capitalizes on user data for advertisement purposes
iMessage
- E2EE between iMessage users
- iMessage is a native app for Apple iPhone, and Apple iPhone is encrypted by default when locked with a passcode, Face ID, or Touch ID
- Messages sent between an iMessage user and non-iMessage user are not secure and private - SMS is not encrypted, and carriers can see SMS message content
- iMessage messages contain some metadata
SMS
- Convenient
- Not encrypted at all - carriers can see all content - abandon as much as possible !!!
Signal
- E2EE using the Signal protocol designed by Open Whisper Systems
- Open source, and well peer-reviewed
- Doesn’t collect any informative metadata - government requests to Signal can be viewed here
- Not perfect - currently requires a phone number to register for spam prevention
- Desktop apps have known security issues and are currently not recommended for use
- Low adoption by “the regular phone user” demographic
As summarized, one of the best tools to use for security and privacy is Signal. In 2021, Forbes published an article on WhatsApp security and privacy and included this visual summarizing the detailed metadata popular apps collect:
Right now, Signal is the best “mainstream” security-focused and privacy-focused messaging app; however, there are still other alternatives. I would look into other solutions like Briar and Session and figure out what works best with your threat model.
$ securing signal settings on mobile
So you’re using Signal? Signal settings will still need to be updated if you want maximum security and privacy.
Safety numbers are cryptographic fingerprints and allow parties to confirm the session is happening between trusted members. Although cumbersome, verifying that the safety numbers are the same for both the sender and recipient ensures sensitive information can safely be exchanged between parties.
To view safety numbers: press the name in the chat at the top of the screen > View Safety Number
If you are not within physical distance of the person you are communicating with, I would recommend verifying safety numbers through audio or an image in real-time or over a different communication channel.
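Why comparing safety numbers works, as an added example that is not part of the original post: both sides derive the same digits from the two identity keys, so a swapped key shows up as a mismatch. This is a simplified illustration and not Signal's actual algorithm; the keys, names and helper functions are constructed for the demo.

```python
import hashlib


def fingerprint(identity_key: bytes, user_id: str) -> bytes:
    """Hash one party's public identity key together with their identifier."""
    return hashlib.sha256(identity_key + user_id.encode()).digest()


def safety_number(key_a: bytes, id_a: str, key_b: bytes, id_b: str) -> str:
    """Combine both fingerprints in sorted order so each side gets the same digits."""
    parts = sorted([fingerprint(key_a, id_a), fingerprint(key_b, id_b)])
    digest = hashlib.sha256(parts[0] + parts[1]).digest()
    # Render as 6 groups of 5 decimal digits, easy to read aloud or compare by eye.
    groups = [
        f"{int.from_bytes(digest[i:i + 4], 'big') % 100000:05d}"
        for i in range(0, 24, 4)
    ]
    return " ".join(groups)


def demo():
    # Constructed 32-byte stand-ins for public identity keys (not real keys).
    alice_key = bytes(range(32))
    bob_key = bytes(range(32, 64))
    substituted_key = bytes(range(64, 96))  # a key Bob never generated

    alice_view = safety_number(alice_key, "alice", bob_key, "bob")
    bob_view = safety_number(bob_key, "bob", alice_key, "alice")
    # If Alice's app was handed a different key for "bob", her number changes
    # while Bob's does not, so the comparison fails.
    tampered_view = safety_number(alice_key, "alice", substituted_key, "bob")
    return alice_view, bob_view, tampered_view


if __name__ == "__main__":
    for label, value in zip(("alice", "bob", "tampered"), demo()):
        print(f"{label:9s} {value}")
```

The comparison only helps if it happens over a channel the middle party does not control, which is why in person or a separate channel is recommended above.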
More info on safety numbers:
For spam prevention, Signal currently has it so that a phone number is required to register an account. For maximum privacy, the suggestion is to use a software phone number on a phone that uses a privacy-focused SIM card - but more on that later. After registration, you should use usernames and hide the phone number attached to your device.
To enable a username: Settings > Profile > Username
To make your number inaccessible: Settings > Privacy > Who can find me by number > Nobody
To hide your number: Settings > Privacy > Who can see my phone number > Nobody
Registration lock with an alphanumeric PIN can prevent your number from being used to re-register on a different device. I would advise you to take note of your PIN in a password management tool or a secret notebook.
To enable Registration Lock: Settings > Account > Registration Lock > Enabled
To create an alphanumeric PIN: Settings > Account > Change your PIN > Create alphanumeric PIN
Metadata in link previews can be a cause of leaks and privacy concerns.
To disable link previews: Settings > Chats > Generate link previews > Disabled
For iPhone users, iCloud is enabled by default, and E2EE must be enabled. For this reason, I would consider disabling showing calls in recent calls, which can be included in an iCloud backup.
To disable calls in recents: Settings > Privacy > Show Calls in Recent > Disabled
DUH !!! It’s the low hanging fruits!! Don’t even try arguing with me on this.
To set a default disappearing time: Settings > Privacy > Default timer for new chats
To set disappearing time for a conversation: ***open settings for the conversation*** > Disappearing Messages
Somebody might be watching you over your shoulders *side eyes emoji*
To enable screen lock: Settings > Privacy > Screen Lock
$ signal desktop app
My Recommendation: DO NOT USE SIGNAL DESKTOP APP
There are current and known issues with how encryption keys are being handled with the desktop app. More info can be viewed here:
- Signal downplays encryption key flaw, fixes it after X drama
- X user @mysk_co details security flaw experiments
$ using virtual private networks (VPNs)
My Recommendation: Use an anonymous VPN
First, it’s important to note that VPNs do not offer bullet-proof security. In many situations, they are a better tool for networking (such as network censorship) than for privacy and security. Even some encrypted Tor traffic can be de-anonymized using modern techniques. VPNs are also not designed to protect users from global adversaries/surveillance. Proceed with caution.
With that being said, I still recommend using a VPN - the best scenario being to use an anonymous VPN that cannot be tracked back to a financial system.
VPNs work by hiding a user’s real IP address and rerouting internet traffic through the VPN server, and then forwarding it to websites. VPNs can still keep logs of your traffic on their servers even if they try to protect your identity and activity from other sites, so it’s important to choose a trustworthy VPN service.
I will not recommend a specific service but can list a few that accept cash payments:
For more info, here is an article on VPNs.
$ what are cookies?
Cookies are pieces of data that track session information, browser activity, and other information and are stored in the browser or computer.
There are three different types of cookies: session, persistent, and third-party - each differing in functional purpose. They all, however, follow these general steps in how they are created and exchanged:
- A user attempts to visit a site
- The browser the user is using makes a request to the web server
- The web server processes the request and creates a cookie that may contain login information or other information that both parties may want to remember short-term or long-term
- The web server sends back the requested page or data, along with the cookie
- The browser stores the cookie in memory or storage depending on the type of cookie
- The cookie is sent with each request between the browser and web server
- The cookie is terminated either when the session ends or when its expiration timer is up
Cookies can be pervasive and a privacy concern.
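The exchange in the list above, modelled as an added example (not code from the original post): a toy browser cookie store built on Python's standard `http.cookies` parser, showing that a persistent cookie survives a browser restart while a session cookie does not. `BrowserJar`, the cookie names, values and timestamps are all constructed for illustration.

```python
from http.cookies import SimpleCookie


class BrowserJar:
    """Minimal model of a browser cookie store (hypothetical, not a real browser)."""

    def __init__(self):
        # name -> (value, expires_at); expires_at is None for session cookies
        self.cookies = {}

    def store(self, set_cookie_header, now):
        """Parse a Set-Cookie header from the server and keep the cookie."""
        parsed = SimpleCookie()
        parsed.load(set_cookie_header)
        for name, morsel in parsed.items():
            max_age = morsel["max-age"]
            # No Max-Age means a session cookie, held only until the browser closes.
            expires_at = now + int(max_age) if max_age else None
            self.cookies[name] = (morsel.value, expires_at)

    def header_for_request(self, now):
        """Build the Cookie header that is sent with each request."""
        live = {n: v for n, (v, exp) in self.cookies.items()
                if exp is None or now < exp}
        # Cookies past their expiration timer are dropped.
        self.cookies = {n: self.cookies[n] for n in live}
        return "; ".join(f"{n}={v}" for n, v in sorted(live.items()))

    def close_browser(self):
        """Ending the session discards session cookies only."""
        self.cookies = {n: c for n, c in self.cookies.items() if c[1] is not None}


def demo():
    jar = BrowserJar()
    # Constructed server responses: a login session cookie and a persistent ID.
    jar.store("sid=abc123; Path=/; HttpOnly", now=0)
    jar.store("visitor=u-42; Path=/; Max-Age=3600", now=0)
    first = jar.header_for_request(now=10)
    jar.close_browser()
    after_restart = jar.header_for_request(now=20)
    after_expiry = jar.header_for_request(now=4000)
    return first, after_restart, after_expiry


if __name__ == "__main__":
    print(demo())
```

The `visitor` value still being sent after the restart is what lets a site recognise a returning browser across sessions.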
$ using privacy-focused browsers
My Recommendation: Tor or Brave
Privacy-focused browsers offer a suite of tools that help their users achieve privacy and anonymity online. A few recommended browsers are:
PrivacyTests.org provides a summary of audit results of browsers’ privacy properties.
$ credit freezes
For US residents, freezing your credit when you don’t plan on applying for an additional line of credit anytime soon is generally a smart way to prevent identity theft and accounts being made under your name. To freeze your credit, you must freeze your credit report with all three credit bureaus:
$ using a faraday cage (bag)
This is not necessary for the “average” person but could be a point of consideration if the need arises.
Faraday cages/bags are named after the scientist Michael Faraday. The material of the bag is designed to block a variety of radio emissions that smartphones can receive/send, such as: 2G, 3G, 5G, wifi, Bluetooth, NFC, GSM, CDMA, GPS, and more. Faraday bags are not foolproof but can offer a layer of security if you are in situations where you must keep your phone on and within your reach at all times.
Be mindful, however, that faraday bags do not protect you from other vulnerabilities such as a hot-mic attack (your microphone picking up audio).
$ other mobile security best practices
- Turn off/disable Bluetooth when not in use
- Turn off/disable location services when not in use
- Turn off/disable cellular whenever the need arises
- Cover cameras whenever the need to block cameras arises
- Use a protective phone cover that can drown out noise feeding the mic
- If you are using a burner phone, be wary of creating a pattern of user activity between the phones that can correlate to the user (i.e. stopping use of phone A and immediately using phone B)
- Update software/apps often
- Do not use public USBs
- Do not download/use apps from unofficial vendors/marketplaces
- Do not use a jailbroken phone
- Do not bring the phone to sensitive locations
$ physical security best practices
- Cover identifying markers such as tattoos, visible piercings, unique/noticeable hairstyles, scars, birthmarks, etc.
- Underdress and wear neutral colors as much as possible
- Know your exits - have an exit plan wherever you are
- Keep your phone on you as much as possible - or know where it is at all times
Written: July 21, 2024