Giters

all-forks / Crypto-OpSec-SelfGuard-RoadMap

Here we collect and discuss the best DeFi, Blockchain and crypto-related OpSec researches and data terminals - contributions are welcome.

Home Page:https://t.me/officer_cia

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Here we collect and discuss the best DeFi, Blockchain and crypto-related OpSec researches and data terminals - contributions are welcome.

Feel free to submit a pull request, with anything from small fixes to translations, docs or tools you'd like to add.

  • Disclaimer: All information (tools, links, articles, text, images, etc.) is provided for educational purposes only! All information is also based on data from public sources. You are solely responsible for your actions, not the author ❗️

Support Project Supported by GitCoin Research Base Mail

_________                        __           ________          _________               .____    .__          __   
\_   ___ \_______ ___.__._______/  |_  ____   \_____  \ ______ /   _____/ ____   ____   |    |   |__| _______/  |_ 
/    \  \/\_  __ <   |  |\____ \   __\/  _ \   /   |   \\____ \\_____  \_/ __ \_/ ___\  |    |   |  |/  ___/\   __\
\     \____|  | \/\___  ||  |_> >  | (  <_> ) /    |    \  |_> >        \  ___/\  \___  |    |___|  |\___ \  |  |  
 \______  /|__|   / ____||   __/|__|  \____/  \_______  /   __/_______  /\___  >\___  > |_______ \__/____  > |__|  
        \/        \/     |__|                         \/|__|          \/     \/     \/          \/       \/

Note: OpSec is a term coming from the military, meaning operational security. It has been widely used to describe security precautions in various sensible activities, and more recently also in cryptocurrency management.

Translations:

OpSec SelfGuard RoadMap

Special Thanks:

| Special Notes:

To answer your questions beforehand...

Firstly, for an ideal OpSec I recommend either developing an own programming language (done by different remote & in-house teams) with your own semantics or becoming a developer yourself, or avoiding using ANY third-party software, implying that it can be compromised, and developing tools and apps in dependance on your needs completely on your own.

Try not to enable such a psychological phenomenon as the tunnel effect, which refers us to the aviation psychology and flight psychology, to emerge and expand. When experienced pilots get overly focused on one item while disregarding or ignoring all other warnings, they have an accident. I hope you understood my guide correctly and did not allow this to happen. Be cautious, don't rush, and stay calm. When you are hungry, unwell, or defenseless, do not act on emotion.

This is all correct, but nothing stops you from doing a fork or ordering an independent audit of the tools you are going to use, does it? With all said, it all depends on what you are going to get in result and against whom you are acting.

Let’s say we deal with a Duress tool. As such, it can be used wrong (e.g. weak password), or used to do bad things (e.g., exfiltrate intellectual property). On the opposite, we can just use Steganography and a small paper, without even touching the computer. Both attitudes have the right to exist, in my honest opinion! All of the above refers to the criticism of tools as such and their role in OpSec.

I highly recommend to purchase a hardware wallet directly from the manufacturer's website rather than online retailers like Amazon/eBay. It is also advised to use an alternative email address or a virtual office to protect your personal information in case of a data leak. I also don’t like trusting hardware. Therefore, we all should have physical ciphers! Once again, study Steganography!

Secondly, regarding big lists. Japan was the first country to invent the work that we do now in the form of SoKs or Awesome GitHub lists! If anyone is still around, browsers used to be sort of a table or database of websites, many of which were quite… uninspiring.

This manual was written by decades of safety experts who shared their knowledge in every word. Consider this manual as a collection of suggestions and routes.

«Antenna-websites» were created at that time. There, their authors gathered a variety of resources that were related by a common subject to make someone’s life easier! In some ways, the creators of Awesome Lists and start.me continue this idea now. And it's fantastically amazing!

Last but not least, everything you do is based on the outcomes you need to achieve! You should be able to select reliable and vetted sources instead of using all the tools and links. Through given routes, you ought to be able to construct your own journey! Following that, I will tell you about the ways that I deem safe and recommend to my clients!

Remember, you must manage your OpSec wall and literally take it through "be like water", tending not to overdo it! You construct your own security wall, which you must guard, repair, and develop, exactly like a real wall. Visit: this article!

The most important thing to understand here is the path of the cyber attack – its vector. Let's take a closer look at various problems associated with OpSec and its implementation to modern life!

Problem 1

Use a secure email provider like Protonmail or Tutanota. Also use trusted VPN like Mullvad or ProtonVPN. E2E (end-to-end) encryption is only as secure as the service you are sending the email to.

For example, if a Protonmail user sends an email to a Gmail user, the email is encrypted with TLS, but Google can still read and hand over any data that passes through their server. E2E can be re-established by using features such as the password-protected email feature from Protonmail.

Don't forget that the VDS/RDP + VM combination can replace all of this, but it is not available to everyone. If you know how to do it correctly - choose this way. Check out this article as well.

On the opposite:

Don’t use 3rd party VPN, rent a VPS and bootstrap open source VPN server!

Check out:

Use dedicated email address for each account, or use an alias eg. chortly534524twitter@gmail , if it leaks it will be isolated to the account!

You can also use something like private addresses feature from DuckDuckGo or simplelogin.io.

Problem 2

Use different emails and different strong passwords. Store them in one place like a password manager. Never reuse passwords, especially for accounts with personally identifiable and sensitive information (e.g. Facebook, Gmail, AppleID, Twitter, banks/payments, crypto accounts).

Use passwords that are at least 8 characters in length, but a minimum of 12 is generally recommended for memorization. Along with that, if using memorization, ensure that a minimum complexity requirement is met: which means having an uppercase character, a lowercase character, a digit, and a non-alphabetic character.

For a perfect-level privacy, always generate complex passwords and write them down on a notebook. It takes time but saves headache. Somewhere along the line, the 'stop writing passwords on sticky notes' narrative got misinterpreted as 'never write them down'. There's nuance to it!

Using a string of unrelated words while still meeting the dictionary requirement makes it easy to have an extremely secure password while still being able to remember it. If fully relying on a password manager, a password of 20+ characters in length that is randomly generated can be used.

If you see suspicious password activity or failed log-ins on any of your accounts, change all of your passwords, starting with sensitive and authorization accounts, such as your primary email and bank/crypto accounts.

KeePass or Keepassx or KeePassDX or KeePassXC or BitWarden are good options. I also found this tutorial for integrity check (and other checks) very helpful, be sure to check it out as well: link.

On the opposite:

For 2FA one can use KeePass + Yubikey as well. KeePass allows setting up TOTP to any entry in your .kdbx file. Yubikey could be used in company with KeePass to add a bit of entropy on each re-encryption when adding an entry in your db file: Ref No.1; Ref No.2; Ref No.3.

Problem 3

Never link phone numbers to crypto platforms. Use trusted multiple e-sims if you have to link the phone. To lock down your SIM, contact your mobile phone carrier.

That is a standard that has been tested by telecommunications operators in the US, the UK, Poland, and China - also check out this tweet and this article. You just need to insist on it or visit the head office, and I’m sure that the support manager on the phone mayn’t know about it!

Ask them to NEVER make changes to your phone number/SIM unless you physically show up to a specific store with at minimum two forms of identification. This (should) prevent hackers from calling up AT&T or T-Mobile or Vodafone, claiming to be you, and asking them to port your phone number to a new phone.

SERM/ORMM and Counter-OSINT - do exist, and one of the most interesting areas of which is to work with adding fake or confusing information about yourself in "leakages" or, for example, attaching to your number 100+ names related to taxi services through various GetContact accounts, to confuse potential bad actors who will try to research data on you in the future, in preparation for an attack. Then, think up.

On the opposite:

Instead, require staff to verify via phone call to a secondary number because show ID is compromised or just use something like Efani. Or tend to use E-sim only!

Problem 4

Instead of SMS-based 2FA, use Authy or Aegis OTP for iOS or Android. Google Authenticator is generally not recommended anymore in order to stay out of the Google ecosystem, and Authy offers more robust account recovery options (Aegis does not offer the same level of account recovery options). Keep in mind that the codes generated by 2FA apps are device specific.

Learn MFA and 3FA! Check out this article.

If your account is not manually backed up to Google cloud or iCloud and you lose your phone, you’ll need to spend some time proving your identity to restore your 2FA. The added security is worth the hassle!

Hardware-based 2FA options are regarded as more secure than phone-based OTP options since the keys are stored on the YubiKey device itself, not on your phone, or in the cloud, or on your computer.

On the opposite:

Aegis Authenticator is open source (licensed under GPL v3) and the source code can be found here. The issue with Authy is that it depends on a phone number which can be changed through an email request, allowing anyone access to HOTP/TOTP after an approximate 4-day wait period. To avoid that, disable multi-device function in Authy's settings!

Problem 5

Cold storage, and separate “hot” wallet. Use multisig (gnosis-safe as example) or at least a hardware wallet. Never store your seed phrase digitally. Seed phrases are intended to be stored on the paper card included with hardware wallets! That means never type it up, store it online, or take a photo of the card. Store your key on hard device.

Great wallets (both hot and cold):

For Bitcoin:

Other Cryptocurrencies:

Problem 6

Offline (better - physical) backups. Store them in a safe. Can be written on paper, but recommended to be etched or laser-printed into metal. Always be sure to have a backup stored somewhere safe if your threat model allows for that.

Ask yourself, what happens if my house catches on fire? What temperature is my safe rated to? Some individuals find a safety deposit box handy.

Problem 7

Never do anything you do not understand. Always check which token you approve, transaction you sign, assets you send, etc - be extremely accurate while making any financial operation. Keep in mind that one of possible attack vectors is to put you in a situation that will encourage you to do smth (login or anything like that).

You can install Comodo or MalwareBytes antivirus but it won't help you if you do not understand them. Keep up your basic set of defending tools up to date.

Tip:

For ultra-secure comunications, run WhonixOS and use Jabber (Adium, Psi+ or Xabber or ChatSecure) over Tor with OTR plug-in. Or Matrix… Or, at least, configure telegram correctly…

OpSec isn't always a matter of survival! It manifests itself in a variety of ways: at work, in everyday life, in communication, in DAO work, in conferences, and so on. You may be surprised to learn that there is no perfect solution. The strategies and tactics differ greatly and are dependent on you and what you need to achieve.

I'm only offering you a set of tools and guidelines to hunt for information; the rest is up to you! No one can create your security wall better than you, and learning OpSec does not require you to become a hostile, distrustful cryptopunk and abuse it to the extreme: you might find something that works for you.

More about VPN

A VPN (Virtual Private Network) is an application that increases your online security and privacy. It creates an encrypted tunnel by redirecting your traffic and hides personal data, information and browsing history. Many of us do not know where to start when choosing a VPN, but I will help you in this, remember main key principles:

  • The VPN app must reliably encrypt data
  • The VPN app must have a kill-switch, AND lockdown modes!
  • It must not store a single byte of your sensitive data, including email address.

One helpful sheet created by someone comparing VPNs in detail is here!

Mullvad does a few things differently than most other VPNs, such as allowing cash payments and not requiring an email address to create an account. One may also wonder: Isn't WireGuard less safe than OpenVPN, since logs are kept for WireGuard (at least temporary? Well, If you have multiple users you have to make an additional gateway with additional IP address. Like in Nordlynx. But out of the box you cant say that OpenVPN is more safe. It's more difficult to configure it so misconfiguration may be an issue. With all said, I prefer mullvad.net + oVPN.

Another Option — Setting Up a Hardware VPN. If you area VPN enjoyer I’d strongly consider you look at affordable hardware options, for example, the gl-mt1300 is a cheap and very nice piece of kit, easy way to protect your home network from threats without relying on running software locally. It may seem overkill but the options of TOR or Mullvad and general WireGuard, and measures to stop DNS leakage make it quite a nice useful piece of kit!

It is important to note that you can achieve the same thing by installing oVPN Mullvad (or another service you trust / your own VPN) configuration on your home router! You should also keep in mind the basic rule: the VPN is your buddy and will keep you safe from a wide range of threats, including even several WiFi and physical attacks. I hope this short note helps you decide!

On the opposite:

Don't use 3rd party VPN, rent a VPS and bootstrap open source VPN server, it's 5 min!

At the same time, I believe that OpSec, in its broadest sense, does not function on half-measures, and it's critical to understand how to do things in a benchmark so you have something to fall back on.

After all, one key rule that almost never gets emphasized is "always be aware of what rule you're breaking, why, and how it may affect you in case of an assault or other problems. In any case, it is critical to understand where the boundaries of this "standard of OpSec & security" lie, which I will attempt to do via the lens of many approaches, which I will attempt to express in such a way that they are universal.

On the opposite:

Tend to use:

For mobile:

Problem 8

Be careful about using your real home address online for delivery purposes. Data breaches are now a daily occurrence, and many breaches include customer names and addresses. Your physical address is not as easily changeable as a phone number or email address, so be especially mindful about where you use it on the Internet.

If you’re ordering pizza with crypto, order it for pickup instead of delivery. When online shopping, use a different (and publicly available) address for package delivery. Options here include your workplace or drop boxes at delivery service providers like FedEx and your local postal service.

Problem 9

Remember: You Could Be a Target! We are a natural target for all sorts of attacks — from garden-variety cybercriminals to competitive spying (sounds dramatic, but it’s real!).

You may create honeypots on the working device (assuming you keep to this notion), such as CanaryToken or IpLogger. You can also create many wallet.dat files or just create a PDF document called, for example, Wallet Seed and hide traps inside. That way, you'll be notified if anything happens or bad actors trigger it! Check out as well: link1, link2, link3, link4. It will work out like a basic SIEM or DLP system. Same goes to your blockchain wallet - alerts are very important! Set them up properly!

That said, it doesn’t really matter what industry you’re in. If you have any sensitive, proprietary information at all (and let’s face it, most people in crypto do), then you could very well be a target. This is a good thing to always keep in mind.

Problem 10

Remain Vigilant - Create a culture of skepticism where they feel comfortable checking twice before clicking a link or responding to a request for sensitive information, and you’ll have a much more secure organization overall. Watch out physical attacks!

Problem 11

OpSec often comes into play in public settings. For example, if members of your team are discussing work-related matters at a nearby lunch spot, during a conference, or over a beer, odds are that someone could overhear. As they say, loose lips can sink ships, so make sure you don’t discuss any sensitive company information while out in public.

A lot of OpSec missteps can be avoided by being more aware of your surroundings and the context in which you are speaking: what you’re saying, where you are, who you’re speaking to, and who might overhear. It’s a good idea to go over the “no-no’s” for your specific company during onboarding and to remind employees of them periodically.

Problem 12

Identify your sensitive data, including your product research, passwords, intellectual property, financial statements, customer information, and employee information. This will be the data you will need to focus your resources on protecting.

Steganography and Cryptography can also be combined for this purpose. After all, cryptography hides information, whereas steganography masks the fact that it was transmitted. For example, if you stenographically double-encrypt your passwords and store them in a cloud-based password manager, hackers (even if the vault is decoded or hacked) will be unable to use them as they will need your stega-key for this. You would, however, have to decrypt each password each time you are using it, with a special note.

Problem 13

Identify possible threats. For each category of information that you deem sensitive, you should identify what kinds of threats are present. While you should be wary of third parties trying to steal your information, you should also watch out for insider threats, such as negligent employees and disgruntled workers.

Problem 14

Analyze security holes and other vulnerabilities. Assess your current safeguards and determine what, if any, loopholes or weaknesses exist that may be exploited to gain access to your sensitive data.

Also:

If you have confidential files you want to protect, store them in cipher text, using 256-bit AES encryption, not in plain text format.

If you want to sanitize the files, you can run a multi-pass wipe, shred or erase program. Glary Utilities includes a free file shredder tool where you can shred files or folders using Dept of Defense standard 5220.22-M. You can repeat the delete process up to 10 times.

Even if someone was able to recover remnants of old magnetic disk data after 10 shredding passes, they would still not see the plain text data, they would see scrambled cipher text data, and would have to decrypt the very strong 256-bit AES encryption.

Better yet, don’t store confidential or encrypted files on magnetic storage. Store the files on a removable flash drive that can be shredded with software and physically destroyed if desired. Unplug the flash drive when not in use.

Problem 15

Appraise the level of risk associated with each vulnerability. Rank your vulnerabilities using factors such as the likelihood of an attack happening, the extent of damage that you would suffer, and the amount of work and time you would need to recover. The more likely and damaging an attack is, the more you should prioritize mitigating the associated risk.

Problem 16

Get countermeasures in place. The last step of operational security is to create and implement a plan to eliminate threats and mitigate risks. This could include updating your hardware, creating new policies regarding sensitive data, or training employees on sound security practices and company policies. Countermeasures should be straightforward and simple.

If your job requires you to deal with various files (for example, CV), always ask to upload them to Google Drive in preview mode beforehand. Or open them via dangerzone.rocks. Even with all of the above, always do your work from a separate computer and VM!

Employees should be able to implement the measures required on their part with or without additional training.

Problem 17

Implement separation of duties. Make sure that those who work on your network are not the same people in charge of security.

Problem 18

Automate tasks to reduce the need for human intervention. Humans are the weakest link in any organization’s operational security initiatives because they make mistakes, overlook details, forget things, and bypass processes.

Problem 19

Incident response and disaster recovery planning are always crucial components of a sound security posture. Even when operational security measures are robust, you must have a plan to identify risks, respond to them, and mitigate potential damages.

Problem 20

Risk management: The process of identifying, assessing and controlling threats to an organization's capital and earnings. These risks stem from a variety of sources including financial uncertainties, legal liabilities, technology issues, strategic management errors, accidents and natural disasters.

Many individuals from an organization can be in charge of different parts of the risk management process. Through this process, they can discover potential areas for a data breach or other threats. Understanding potential threat vectors is central to this process, as it allows them to be seen before they can be exploited.

For example: A hacker delivered a RAT (remote access trojan) onto the computer of an employee. If the RAT has a variety of capabilities, it could steal the cookies from the web browser, sift through files on the computer, and then exfiltrate that data to be sold on a darkweb market at a later date. The operational security steps mentioned in problems 1 through 10 should help prevent this from happening.

Another potential attack is called "DNS Poisoning". It is a "highly deceptive cyber attack in which hackers redirect web traffic toward fake web servers and phishing websites". A web page could appear that looks like a normal login page for a business like GMail, Kraken, etc., but in reality it could be a phishing site made to steal your login information (email/username/password).

Separate machines on the same network will not prevent this, as the traffic passes through the router for both machines, so the solution is to have separate networks and to verify website certificates. Some VPN providers use their own DNS servers through the software package they provide, so this could prevent this type of attack as well.

Malware can also have the functionality to "attack" a computer's clipboard. The malware could check the clipboard at a set interval to see if any cryptocurrency addresses are detected in it. If they are, it would then replace the one in the clipboard with one of the hacker's cryptocurrency addresses, which means the cryptocurrency would then be sent to the hacker. The beginning and end may match, but this requires extra functionality on the part of the malware, as it would need to generate wallets on the fly and exfiltrate the keys to the hacker.

Problem 21

Your level of opsec usually depends on your threat model and which adversary you're up against. So it's hard to define how good your opsec is. But I'd say it sounds pretty okay. I recommend watching:

Check out:

Problem 22

If you use smartphone be extremely aware!

Your choice of smartphone can indicate how much you respect your privacy in the modern world, when protecting your privacy online is just as important as protecting it offline. Good thing is, these specialized smartphones that came into existence to protect your privacy, will make you sleep in peace at night.

But do they truly live up to their reputations? I believe that in general, three things are necessary:

  • The ability to physically disconnect the stubs to the camera (like in Purism Librem 5), GPS, microphone, speakers, and so on;
  • Next, ability to run GrapheneOS or LineageOS;
  • And third, it's root access, as follows.

One thing to keep in mind before we get started is that very few firms produce privacy and security-based smartphones, which means some of these devices are a little dated or use an earlier version of Android. As a result, do not anticipate the newest hardware or software to work with these devices.

Here’s a list of the most secure phones you can use today:

  • Bittium Tough Mobile 2C
  • K-iPhone – One of the most secure Phones IMHO
  • Solarin From Sirin Labs
  • Purism Librem 5 - Top-1 IMHO ❗️
  • Sirin Labs Finney U1
  • Latest iPhone (watch out iCloud & known attacks) or Android
  • BlackBerry Device - Let's respect the true Pioneers in this industry!
  • Google Pixel (4 and beyond) are good privacy friendly options if you reconfigure them to run GrapheneOS!
  • Buy an old Nexus, run divestos.org or LineageOS or Ubuntu!
  • ThinkPhone

On the opposite:

From a security standpoint, with a standard OS, most processes you start have at least all permissions for everything you are interacting with. Practical example: If you want to post nice pictures, telegram needs access to your pictures. No matter where it runs.

If your pc is comprised, your telegram can be used to exfiltrate your photos. In the end, user behavior is what's most important imho. Reckless behavior will lead to compromise sooner rather than later. Deploy a few simple security measures and review them regularly.

Problem 23

Only Interact with DeFi Protocols You Trust - Take your time to read up on some previous concepts we’ve covered such as staking, yield farming, NFT farming, and research any other new terms you may come across before depositing crypto into a DApp that deploys any of these investment strategies.

Don’t use Tornado and forget about it, but you can use:

Use a reliable RPC provide or run a light client or a full node:

Check out this awesome repo!

Problem 24

Use trusted services. Using a secure, easy-to-use crypto wallet to interact with DeFi applications is essential to a safe and user-friendly DeFi experience. Interacting with smart contracts can be tricky for first-time users, so using a beginner-friendly crypto wallet with DApp support is a smart way to mitigate risks stemming from accidental errors on the side of the user. Better do everything manually!

Problem 25

Be aware of most common attacks. Follow hacker websites, latest security standards, check out what Nitrokey and YubiKey do and why. As a conclusion - read what is OSINT and counterOSINT so possible criminals won't be able to collect needed data.

Check out this book & article!

My Articles:

Also check out:

Additional Resources

Watch
https://www.youtube.com/watch?v=hxHqE2W8scQy
https://www.youtube.com/watch?v=0aSQMeoz9ow
https://www.youtube.com/watch?v=pGcerfVqYyU
https://www.youtube.com/watch?v=9XaYdCdwiWU
https://www.youtube.com/watch?v=ixLuRvYlrlw
Read
https://blog.keys.casa/7-ways-to-level-up-your-bitcoin-opsec
https://medium.com/the-business-of-crypto/fundamentals-of-opsec-in-crypto-7844ba701b1d
https://www.threatstack.com/blog/five-opsec-best-practices-to-live-by
https://digitalguardian.com/blog/what-operational-security-five-step-process-best-practices-and-more
https://www.gocivilairpatrol.com/programs/emergency-services/operations-support/operational-security-opsec
https://joelgsamuel.medium.com/how-to-keep-your-smartphone-safe-from-spying-d7d50fbed817
https://www.cnbc.com/2017/11/02/heres-how-to-protect-your-bitcoin-and-ethereum-from-hacking.html
https://www.cnbc.com/2021/06/11/tips-to-help-keep-your-crypto-wallet-secure.html
https://www.ledger.com/academy/security/hack-wifi
https://datatracker.ietf.org/wg/opsec/documents/
https://www.lopp.net/bitcoin-information/security.html
https://www.reddit.com/r/opsec/
https://arxiv.org/abs/2106.10740
https://web.mit.edu/smadnick/www/wp/2019-05.pdf
https://airgapcomputer.com
https://joelgsamuel.medium.com/how-to-keep-your-smartphone-safe-from-spying-d7d50fbed817
https://assets.website-files.com/5ffef4c69be53b44bd10b438/6012f54022181b0d0a3a948c_CryptoCurrency%20Security%20Standards%20Checklist.pdf
https://blog.eduonix.com/cryptocurrency/cryptocurrency-security-checklist-investors-adopt/
https://github.com/jlopp/physical-bitcoin-attacks/blob/master/README.md
https://cryptosec.info/checklist/

Support is very important to me, with it I can do what I love - educating DeFi & Crypto users!

Sponsored:

The best thing is to support me directly by donating to any address from the list below:

Supported by GitCoin

If you want to support my work, you can also send me a donation to the address:

Much much thanks every single one of you!

Thank you! Stay safe!

About

Here we collect and discuss the best DeFi, Blockchain and crypto-related OpSec researches and data terminals - contributions are welcome.

https://t.me/officer_cia

License:The Unlicense