A Guide to Computer Operational Security (OPSEC)
by Bleach

1.0 Introduction

The Higher Entities in the world today are becoming more active in the world of computers, or, as the media refers to it, "The Information SuperHighway." The past decade proves that OPSEC is important for anyone in the computer world, even if you are not in an organized computer "group". Such incidents as the Jackson Games situation in Texas and the Craig Neidorf trial prove that certain bad seeds in law enforcement will blatantly throw the Bill of Rights out the window and try to stop information being spread over computers. The reasoning behind this article is that I have seen many articles that cover certain aspects of security on computers, but not always a full compilation of OPSEC on computers. I would also like to state that the views in this article are my views only and should not be looked upon as the views of the editor or any other writer at CYBERTEK.

2.0 Basic Security for the Computer User

The computer user who is looking for security from strangers and the Higher Entities would want to use certain personal security measures, off and on the computer, before even using a modem. This may not apply to the basic user, but more likely to a computer hacker, pirate, or someone whom the general public would not look upon as a friendly user.

2.1 Keeping a Low Profile Off The Computer

This is probably the simplest measure, but probably the hardest one for some people to keep. The only thing you have to do is keep your mouth shut. I believe every computer hacker, or just the average person, has told someone else something that they later regretted saying for some reason. You must always assume that the person you are speaking to is your worst enemy when it comes to certain security aspects. You would not want to tell anyone about what you have done that was illegal (not that I am promoting illegal activity), nor anyone whom you are not positive is 100% trustworthy.
The fall of many hackers in the past was saying something to someone who was not trustworthy. The person you told could either be an informant or just another person who might get busted and sing like a bird to the authorities. Also, do not say anything incriminating over the phone. It would be the safest bet to assume that your phone is always tapped. The phone system today is not secure enough to feel safe, and an average person could have the ability to tap a phone after reading one book. It is a frightening thought, but also a very true one.

2.2 The PC's Basic Security

A computer user should take basic precautions before even starting to get into anything the public would find questionable. It seems that everyone has different suggestions, but these are the basic necessities:

(1) A Password Protection Program: This item is usually not on people's lists because it is not very secure against the intelligent computer user, but it is good protection against people who pass through your residence whom you do not want just screwing around on your computer.

(2) More Than One Virus Scanner: Virus scanners receive bad media in the computer world for not being very accurate, but they have saved me from certain virus programs that could have done large amounts of damage. The reason I recommend using more than one is that using only one limits you to the virus programs that that one scanner looks for. When you use multiple scanners, a virus is less likely to get past you. I recommend having one of your scanners made by McAfee; they have never given me any trouble.

(3) Some Sort Of Cryptography: It is safe to say that the government does not look too kindly on cryptography because it makes their life harder. I will get more into the cryptography topic later on, but just for starters I recommend getting PGP (Pretty Good Privacy) Encryption (c) by Philip Zimmermann.
Encrypt everything that you would not enjoy having someone you are not acquainted with look at. Always encrypt any personal e-mail that you would not like System Administrators reading.

(4) Backups: It is definitely recommended to back up your computer several times, preferably on floppy disks and tape backups. Back up your computer every month to two months to keep recent acquisitions safe from drive crashes and viral attacks.

Once you have your own personal computer secure, you are then prepared to enter a world that simple backups and password protection won't save you from. This is the online world.

3.0 Online Introduction

The online world is full of many sorts of people. The main reason many people sign up for online services or get Internet access is to meet other people, as well as to gain further knowledge in other subjects. In this online world, a person can meet all types of people, good and evil. It sounds like an old medieval story of the dark warriors being fought off by the heroic knights, but it is not as "simple" as the good vs. evil story. The reason for this is that certain groups of people consider one group evil, while another group of people may consider the same group heroes. The online world is a never-ending battleground, and that is why security is so important. The three main categories of the online world are Online Services, the Internet, and Bulletin Board Systems (BBS).

4.0 Online Services

Online Services have been around for the past decade but have really bloomed into something rather large within the last five years. With services such as the Prodigy Online Service, the America Online Service, CompuServe, and GEnie, almost any person in North America with a modem can connect and talk to other people. The people on these services are not always the brightest people in the world, but there are many whom you can speak to on a normal basis.
Even though Online Services stress security by telling their customers to change their passwords often, you are really not safe from anyone on such services. I will give a brief explanation of the Prodigy Online Service and the America Online Service. Those are the only two Online Services I frequent, but if I get enough requests to investigate the CompuServe service and/or the GEnie service, I will do so promptly.

SideNote: I do not consider the CRIS service or the Delphi service online services; I consider them Internet Providers.

4.1 Prodigy

When I received my own personal computer two years ago, when the community that I now participate in was unknown to me, all I wanted to do was get on Prodigy. When I entered the land of Prodigy, I thought it was a great place to communicate with other people across the country. This was until a few months later, when I started meeting certain people in "clubs" that used to bash people for fun and set up fake accounts using fraudulent credit cards. I of course found this interesting, so I joined one of these "clubs". The Prodigy service did not take too kindly to those groups, though, and they later disbanded without a trace. There are still such organizations now, full of people who think they are the greatest people to ever live and want to harass you and prove they are the "best". What I am stating is fact: they will stop at nothing to rip you off or just harass you away from their "club".

The best way to keep secure on the Prodigy Online service is to stay out of the way of certain clubs. Let the Board Managers do their job and take care of them. Secondly, do not post anything too radical that would gain too much attention from the wrong people. If you are interested in hacking or any type of Underground "scene", don't post on Prodigy about it. You would probably just be called a "lamer" and targeted for their next attack.
I also recommend setting up the account in your name, but then going to the personal info section and changing your name to something else. Prodigy will not get upset unless you change it all the time, which is not recommended. The final major factor for the Prodigy Online service, as well as for all of computer security, is DO NOT TRUST ANYONE. If you do change your name, do not tell anyone anything about yourself, because it can all catch up with you in the end, even if you do not do anything illegal. In my own personal opinion, there are many people there with severe emotional problems whom you would not want to get tangled up with.

4.2 America Online

The America Online service is different security-wise from Prodigy. AOL has a lot more determined people who claim to be hackers but really are not. These types of people will stop at nothing to rip anyone off blindly, especially the service itself. These "wannabe hackers" rip people off by posing as AOL workers and asking for passwords "for security reasons". Now many people reading this will probably think, "How stupid are the people handing out their passwords?" The answer to that question is: not stupid at all. The "wannabe hackers" on AOL aim for the people in the "New Member Lounge", looking for someone who is not familiar with the system, and then use certain techniques to trick the victim.

My recommendations for the America Online system are to change your password monthly and, when you create your profile, to put in a lot of false information. You can keep your real occupation or something like that, and even your first name; just do not put the real place you are from, so they cannot track you down. The people on AOL love making harassing telephone calls, and if some of them are reading this now, I am expecting to receive a few myself. Don't go looking for trouble either. On AOL, no one likes someone who talks a lot of shit. If you say something that upsets them, they will try to find you.
Most of the time, if you are secure, they will fail miserably or just get bored and give up. The trust factor plays a larger role on AOL. I recommend that even if you think you trust a person, you still do not hand out anything that is too personal, because a lot of your "friends" will tell someone anything about you if they get something out of it.

4.3 Online Service Conclusion

My personal opinion is that if you must choose between these two online services, pick the Prodigy Online Service. A year ago I would not have said that, but Prodigy has really cleaned up its act and is now providing a nice service. If you do subscribe to Prodigy, though, get the Prodigy software for Windows instead of DOS, since the Windows version is the one that gives you most of the Internet access. Also, if you run into anyone on Online Services who claims to be a hacker, they probably are not. In my research, I asked the so-called hackers many technical questions which are easy in the eyes of hackers. They claim to be hackers because they can card (use a fraudulent credit card to pay for) an account, and that is NOT hacking.

5.0 The INTERNET

The Internet is now becoming larger by the day, and even though security specialists brag about their new methods of making it "safe" from hackers (even though that really isn't true), you are not safe from anyone. Since the Internet is so vast, the people on it are open to attacks. Even if the System Administrators claim that the system you are running off of is safe, you still may want to do some investigating.

5.1 The Legit User Seeking Operational Security

A person seeking an account in his own name, for his own personal use, who wants enough privacy and security not to be hassled, should look into this. If you are a cracker, you might not care about this section, but it is still information you may want to know anyway.
5.1.1 The Finger Command and Password Files

The finger command is one of the least secure things about the Internet. If your system is not secure enough, the finger command could give out valuable information about you, such as your name, address, and phone number. If a system even has a finger service that gives out your address or phone number, stay away from it.

Password files, however, are different. Many password files have your real name and sometimes your phone number. On several university systems, if you are a worker there, the password file states the person's name, phone number, and the department the person works in. You are more secure as a student, though, since from what I have seen at those systems the students have random account names, such as s154862. These are more secure, but may also possibly carry your full name. A person needs to investigate these two aspects of any system running UNIX.

5.1.2 Commercial Internet Services

One part of the Internet that is growing rapidly is the commercial Internet services, such as Delphi, CRIS, and Netcom. I have had my own personal interactions with such services, and they were not too pleasant. Many legit users will be happy with these types of systems, as I was in the beginning, but there seem to be catches. (NOTE: This is not true of all services, so I do not want to receive complaint letters explaining to me how I am just someone with a grudge. I also do not want to receive any libel suits.)

The first thing you would want to do with these services is to find a nice commercial service with a nice, low-cost, flat fee and suitable features. If you find one of these services, you may want to keep everything you receive about the service before you sign up (data or hard copy). It may seem to be a pain, but in the end you would like to be able to show that it was a flat rate in the beginning, so they do not change it without notifying you. The second thing is not to say or do anything suspicious, incriminating, or just plain odd.
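As an added example (not part of Bleach's article), here is a small Python script that does the investigation section 5.1.1 asks for: it parses world-readable password-file lines and reports which accounts expose a full name, a department, or a phone number through the GECOS field, which is the same field finger prints as the "Name". The password lines are constructed for the example and are not from any real system, and the phone-number patterns are an assumption about North American formats.

```python
import re

# Constructed sample of world-readable /etc/passwd lines (not from any real system).
# Field order: name:password:uid:gid:GECOS:home:shell. The GECOS field conventionally
# holds "full name,office,office phone,home phone", which is what finger displays.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
jdoe:x:1001:100:John Doe,Physics Dept,555-0142,555-0199:/home/jdoe:/bin/csh
s154862:x:1002:200::/home/s154862:/bin/sh
mlee:x:1003:100:Mary Lee,,,:/home/mlee:/bin/ksh
"""

# Assumed North American phone formats: 555-0142, (313) 555-0142, 313-555-0142.
PHONE_RE = re.compile(
    r"\b\d{3}[-. ]\d{4}\b|\(\d{3}\)\s*\d{3}[-. ]\d{4}|\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"
)


def parse_passwd(text):
    """Split passwd-format text into one dict per valid seven-field entry."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:  # skip malformed lines rather than guessing
            continue
        user, _pw, uid, gid, gecos, home, shell = fields
        entries.append({"user": user, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def gecos_exposure(gecos):
    """Return a list of the personal details a GECOS string gives away."""
    parts = gecos.split(",")
    exposed = []
    full_name = parts[0].strip()
    if full_name and " " in full_name:  # "John Doe" rather than a login-style name
        exposed.append("full name")
    if len(parts) > 1 and parts[1].strip():
        exposed.append("office/department")
    if PHONE_RE.search(gecos):
        exposed.append("phone number")
    return exposed


def audit_passwd(text):
    """Map each account name to the list of details its GECOS field exposes."""
    return {e["user"]: gecos_exposure(e["gecos"]) for e in parse_passwd(text)}


if __name__ == "__main__":
    for user, exposed in audit_passwd(SAMPLE_PASSWD).items():
        status = ", ".join(exposed) if exposed else "nothing personal"
        print(f"{user:10s} exposes: {status}")
```

Run it against a copy of the password file from a system you are considering; an account like s154862 with an empty GECOS field comes back clean, while a staff entry with name, department and two phone numbers is exactly the kind the section warns about.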
(NOTE: This advice about not doing anything suspicious should go for all legit users.) My own personal case shows that even being on #hack often was considered suspicious, which is ridiculous, but that is how some System Administrators are. Also, keep in your head that the service you are on is not a nice system that lets you maintain your privacy. Many services log your IRC sessions, or just your sessions, period. I was called once by a certain service I was a member of, and they said that I had been doing suspicious activity and read off everything I did from login to logoff. The suspicious activity turned out to be me being on IRC in #hack, #Phreak, #2600, and #virus all at the same time and then doing some FTPing. I still cannot believe what was so suspicious about that. I was chatting (no illegal subjects) and downloaded a back issue of Phrack Magazine (c), if I remember correctly.

Another tip: if your service goes through a Packet Switch Network, which many don't anymore, only call the same number every time. There are many 1-800 packet switch networks, but if you call several different ones, every time you log in to your system it shows a different network address. Many of the addresses start off with the area code of the state the caller is located in, but on the 1-800 networks they are all different. The system believes that people are logging into that account from different states, which makes them believe it is hacked, and then it deletes the account. So if you just stick with one number, it will save you a lot of hassles.

5.2 The Hacker Seeking OPSEC On The Internet

Being a hacker on the Internet seems to be safer than being a legit user in recent times. Some hackers do get caught for Internet hacking, but the fact is that out of the thousands of "hackers" out there, few busts are made, and even fewer convictions. My major recommendation in the beginning is that if you think you are going to hack the Internet, or anything in general, do not direct dial from your house. A laptop computer comes in handy often.
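The account-deletion heuristic described in section 5.1.2, a service flagging an account whose logins arrive from network addresses with differing area-code prefixes, written out as an added Python example that is not from the article. The login records, the address format (the first three digits taken as an area-code-like origin prefix) and the toll-free gateway prefixes are all constructed assumptions for the example. It also reproduces the false positive the section complains about, a legit user calling in through several 1-800 networks, and shows how an allowlist of shared gateway prefixes removes it.

```python
from collections import defaultdict

# Constructed login records for the example: (account, network address, timestamp).
# Not real data. The address format is an assumption: a numeric network address
# whose first three digits are treated as an area-code-like origin prefix, as the
# article describes for direct (non-1-800) packet-switch connections.
SAMPLE_LOGINS = [
    ("bleach", "31355510001", "1994-03-01 20:11"),
    ("bleach", "31355510001", "1994-03-02 21:05"),
    ("bleach", "31355510001", "1994-03-04 19:40"),
    ("zed", "21255520002", "1994-03-01 18:00"),   # three different area codes
    ("zed", "71355520002", "1994-03-01 23:30"),
    ("zed", "40255520002", "1994-03-03 09:15"),
    ("lee", "31355530003", "1994-03-02 08:00"),   # home address plus three 1-800 gateways
    ("lee", "80055530003", "1994-03-02 12:00"),
    ("lee", "88855530003", "1994-03-03 12:00"),
    ("lee", "87755530003", "1994-03-04 12:00"),
]

# Constructed allowlist of toll-free gateway prefixes whose addresses say nothing
# about where the caller really is (an assumption for the example).
TOLL_FREE_GATEWAYS = {"800", "888", "877"}


def origin_prefix(address, width=3):
    """Return the part of a network address the heuristic treats as the origin."""
    return address[:width]


def flag_mixed_origins(logins, ignore_prefixes=None, max_prefixes=1):
    """Return {account: sorted origin prefixes} for every account seen from more
    than max_prefixes distinct origins. Addresses whose prefix is in
    ignore_prefixes (shared gateways) are left out of the comparison."""
    ignore = ignore_prefixes or set()
    seen = defaultdict(set)
    for account, address, _timestamp in logins:
        prefix = origin_prefix(address)
        if prefix in ignore:
            continue
        seen[account].add(prefix)
    return {acct: sorted(p) for acct, p in seen.items() if len(p) > max_prefixes}


if __name__ == "__main__":
    # The naive rule flags both zed and lee; with the gateway allowlist only zed
    # (three genuinely different area codes) is left, which is the right answer.
    print("naive:", flag_mixed_origins(SAMPLE_LOGINS))
    print("with gateway allowlist:", flag_mixed_origins(SAMPLE_LOGINS, TOLL_FREE_GATEWAYS))
```

The design point is the one the article makes from the user's side: a rule keyed on the origin prefix is only as good as its knowledge of which prefixes carry no location information, so a provider running it should maintain that allowlist rather than deleting accounts on the raw count.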
(***IMPORTANT NOTE***: Using the term "Hacker" in my case does not mean computer criminal. The media seems to be using the term in a wrongful manner, which is not fair to the real hackers. The "Dark Side" hackers, who just use their skills to rip off other people, are not hackers; they are criminals.)

5.2.1 Targeting Systems

A solo hacker or a group of hackers looking for a system for their own personal use should look for a UNIX system with the major security holes, i.e. defaults, holes, few users or administrators on often, and of course all the services you want in an Internet Provider. If a person is dedicated enough to want to find a system with little security that will provide a suitable place to explore and use, they should find services with unpassworded accounts. Looking around for myself, more foreign computer systems have unpassworded accounts. The one flaw with unpassworded accounts is that they may not have a home directory, which would not be good for the hacker looking for an address where he can keep stuff online, such as texts, scripts, tools, etc.

5.2.2 Spoofing

Spoofing is an excellent way of keeping yourself and your group secure. Basically, spoofing is just covering up your tracks. If a hacker wanted to use basic spoofing, he would just telnet through several hacked accounts, ending at the account he wanted to play around with. Spoofing gives System Administrators large headaches, since if they really want to try to catch you they have to work their way back to the original account you were on, and if your first account was not legit, then the worst that could happen is that you lose most of the accounts that you were using for that hack. It could be a hassle for you, but things could be worse.

5.2.3 Cryptography

Cryptography is a major resource for a group on the Internet, due to the possibility of being watched. Unlike for the legit user, I would not recommend using PGP (c) or another sort of shareware or freeware cryptography.
Your group of hackers should have at least one programmer in the group, and if you do, then you should program your own type of cryptography which only the members of your group know. That should cut back on the surveillance of your group's interaction with each other. If you are a solo hacker, or if you or any other member of your group wishes to have outside contact with other people in the community and does not want to be read by the System Administrators, I recommend also having a copy of PGP or another type of cryptography.

5.2.4 Outdials

Many hackers love playing around with outdials. Outdials are used by hackers to call out via modem and not pay for it. They telnet to a remote site owned by a company to use its modem. Many hackers use these to call boards that are long distance for them. That is not a smart idea, because company computers log everything that happens on them, including what happens on the outdial. If they log an Underground BBS number, they could have the feds investigate and possibly shut down the BBS. You would not like your favorite BBS being brought down due to your own stupidity. Outdials are fun to fool around with, but they are against the law, so I would not recommend using them.

6.0 Bulletin Board Systems (BBS)

BBSes are the glue that holds the modeming community together. Almost every person who owns a modem is on at least one Bulletin Board. Many users have a false sense of security about BBSes. A good example of what could happen is a BBS that used to be local to me that was raided by the FBI for child pornography. The Sysop's computer, which had all of the logs and user data files on it, was confiscated. All of the users' e-mail and file transfers were in the logs and were read by the Feds. Any user who had anything suspicious written in them could have been watched by the feds. My recommendations for BBSes are as follows:

(1) The Sysop Is Not Your Best Friend: Sysops are normal people, but they all have different personalities.
I have met some of the coolest Sysops and some real asshole ones. I cannot really judge any of them, due to the fact that I don't know them personally, although I feel that it is admirable of them to take the time to set up a nice board.

(2) Encrypt Your E-mail: I sound like a broken record, but you need to know how important that one concept is. It will save you from a lot of hassles, and that is what every computer user is looking for.

(3) Watch What You Say: Since there is no tone of voice or body language, people can interpret what you say on BBSes any way they want. That is just one way for people to come to dislike you, which could lead to things not in your best interest. Also, do not talk about what you have done that is not law-abiding on the message bases or in e-mail. (NOTE: This is not always the case on H/P boards, since the spreading of hacks and other information goes on there.)

7.0 Language

This only really pertains to H/P groups or any type of Underground group. If your group is participating in activities that you wish to talk about among yourselves but do not want anyone else to know what you are talking about, then I suggest you make your own personal type of language. I do not mean make another Spanish or Latin or something of that sort; just take words from your homeland language and change their definitions to something else that only you and your group know. It may sound childish, but in the end it may save you from outside interaction. You can speak freely over the phones without anyone knowing what you are talking about. To them it could be a common discussion of gardening, when you are actually speaking of cellular phreaking; it is just that simple.

8.0 Conclusion

Operational Security seems to be the only means to protect yourself from the bad seeds of our country or from strangers invading the privacy of you or your group. If you follow my recommendations, I believe that you should not have any problems.
Once again, I am not promoting illegal activity, just the means of making you feel more secure. I hope this file helps get you started on your computer and operational security. I would be happy to hear any suggestions or questions on OPSEC.