It looks like you're using an Ad Blocker.

Please white-list or disable AboveTopSecret.com in your ad-blocking tool.

Thank you.

 

Some features of ATS will be disabled while you continue to use an ad-blocker.

 

Intro To COMSEC/OPSEC

page: 1
3

log in

join
share:

posted on Dec, 28 2015 @ 04:16 PM
link   
So what is “COMSEC”
This acronym stands for “Communication Security” and is the basis for preserving privacy and anonymity when using any electronic device through encryption and other means. This is the most basic description.

Communications security (COMSEC) ensures the security of telecommunications confidentiality and integrity - two information assurance (IA) pillars. Generally, COMSEC may refer to the security of any information that is transmitted, transferred or communicated.
*Sourced from “techopedia”

“OPSEC” is also paramount when depending on COMSEC to matter, because with out the 2 working hand in hand you have no chance against a real adversary, say a nation state or a dedicated group.

“OPSEC” is an acronym for “Operational Security” meaning what are the procedures required to ensure both physical and perceived threats are maintained in a way that will not compromise your ability to preserve security on both your systems and location form were those systems are being operated from.

Operations Security “OPSEC” is a strategy used in risk management that enables a manager to view operations or projects from the perspective of competitors or enemies. The key concept of this approach is to look at one’s own activities from the outside and try to piece together readily observable or obtainable information. If you can easily piece together what you are trying to do from the information available, it's likely that others can too
*Sourced from “technopidia”

This may all seem to be impossible for the common person but in reality it is not. One must be ready to learn some new things in order to reach a safe environment in which to communicate.

BE AWARE: there is no silver bullet to security and anonymity there are many things that can compromise both. Being proactive is the beginning, and allowing your skills to evolve along the way is key.
Be ethical, be careful, and you should be fine depending on what country you are located in.

First one must seek an alternative to the common; let say the Windows OS.
Scrap it and go with an open source alternative (Linux, BSD, UNIX).

Linux is the OS for most because it facilitates the ability to have a learning environment with tones of tutorials on how to do almost anything it can offer. This makes it a great asset to the human race and to fight against tyranny. Most of us use Linux every day and don't even realize it.

For beginners it is suggested to use “Linux Mint” in a live environment say off USB.
Get to know the command line functions and package managers, and you will then have confidence to move on to new things. I will post and cover more on this in future. There are several people here on ATS that have posted guides on how to do so but I will be sure to add my form of going about it, there are many ways and never just one.
A guide from user “_BoneZ_” below



www.abovetopsecret.com...


Once you have selected your alternative OS and are comfortable using it the next step it getting used to encrypting everything.
Hard Drives(partitions), Hidden folders, USB if used and all Internet traffic.
The Use of VPN's or “Virtual Private Networks” is the first layer you should learn to use. There are many services and protocols to use. More on that in future posts.
Learning about PGP/GNUPG is very important when communicating securely.
These are all forms of encryption and are paramount for COMSEC. Many guides exist on the web and I will post links to relevant ones that are geared for the beginner to the advanced in time.

All of this work here on ATS will be done on my spare time so please be patient for post and replies for like many I am busy with family and friends as well as work.

Much of what has been said here is common/standard stuff to many but not all and that is why it is titled “intro to COMSEC”.
I will provide the best advices I can but never think for a second that there is a one size fits all to security and anonymity. There is not such a thing!

Peace and may all persons reading this have a happy New Year, More to come soon!

Secret_Citizen (no one special just sum guy who gives a sh1t)

edit on 28-12-2015 by SecretCitizen because: added the word "for" in one of the paragraphs



posted on Dec, 28 2015 @ 05:08 PM
link   
a reply to: SecretCitizen

UNSEC - posting stuff in a public forum.




posted on Dec, 28 2015 @ 05:50 PM
link   

originally posted by: chr0naut
a reply to: SecretCitizen

UNSEC - posting stuff in a public forum.





Yep.

Always assume every keystroke is publicly available and not anonymous.



posted on Dec, 28 2015 @ 06:06 PM
link   
a reply to: SecretCitizen

You have peaked my interest,

I do have one question, encryption is only as good as the key, are we living in an age were we can guarantee 256bit encryption is un-beatable?

Also, is this really a life online? Surly the best way to stay hidden is not to get online, too much encryption, means to much to make sure it all works, mess something up, it's gone, don't do one thing, they get you,

Interesting to see what your bringing to the table



posted on Dec, 28 2015 @ 06:10 PM
link   
COMSEC = use strong encryption.
OPSEC = make sure your password is not "password"



-dex



posted on Dec, 30 2015 @ 11:06 AM
link   
a reply to: Phatdamage

Excellent Question, The answer is part of a fierce debate among the security and hacking communities.
There are many ways encryption can fail.
*The first and most obvious is cipher weakness,key size and complexity of the passwords associated with them if used.
*Second comes the use or implementation of the technology in your setup. Meaning proper storage of private keys (asymmetric) and correct configuration of software that uses encryption.
*Third is the most aggressive, the usage of CNE or “Computer Network Exploration” and hacking the target system. If you are in need of protection from this level of adversary it is advised to use multiple layers of security in your OS (grsecurity/PaX), and even the more complicated Xen (Hypervisor) micro kernels. More on these in the near future.

So in conclusion about your question “is 256bit Encryption Secure”? It depends on what type of encryption you are using and who your adversary is. Sorry if thats a broad answer but this is a very complicated subject with lots of variables.
(Detailed explanation on attacking 256bit encryption, the long answer to your question)

Below are two good articles about how online security is compromised and how to work to defend against it. They are meant for information purpose only and can give you an edge at what were all dealing with here.
www.theguardian.com...
(2 years old but very relevant)
www.theguardian.com...
(same here but very good reading for beginner to advanced)
Many more articles to come.

Hope this helps everyone better understand this issue.

//SC//



posted on Dec, 30 2015 @ 01:42 PM
link   
a reply to: SecretCitizen

Thank you for the update, i use encryption alot in my line of work, and although you can setup the (what i believe) is the most secure network, and have Palo Alto encryption between switches, and other funky (secure!!!) stuff in between but.......

if your password isn't strong, this is a major issue. I kid you not, i know of engineers who will setup system and leave the default account active, with a simple log in of:

Username: admin
Password: admin

So you could have good encryption keys, secure, locked rooms and think you have all bases covered, and someone does this stupid trick,

of course, there is one more loop hole, manufacture back doors, most major switch developers have admitted to having them for NSA or other hidden entities LINK

so back to my original question, how secure is 256bit........... to 99% of the world, sending bytes between devices.... yes, its fine, to the 1% of people who really want the security, can they guarantee it? the answer is no, and developers know this, that is why if you know what you are doing, you will have multiple manufacturer devices doing the same job, stacked, with rules filtering through all,

Another good point, how much of the world is using IP6?

even though IP4 is not secure, and even a simple network sniffer, can log usernames and passwords in plain text in a windows environment!

thanks for this thread to let my true geekyness come out!

Peace!



posted on Dec, 30 2015 @ 05:47 PM
link   
a reply to: SecretCitizen

First let me say that I apologize for my flippant comment about COMSEC/OPSEC.



The first and most obvious is cipher weakness,key size and complexity of the passwords associated with them if used.
I think that cipher weakness and key size have to be taken into consideration during the cryptographic system implementation. As we've seen over the years 64bit DES encryption, and MD5 and SHA-1 hash algorithms have been successfully attacked and have been discontinued. For typical temporally-limited communications, like real-time web browsing, the cipher and keylen du jour are probably okay. However, for communications security that requires Perfect Forward Secrecy and the like, using ciphers and key lengths that might appear to be overkill today may be necessary to keep those data secret in the future.

Of course the easiest attack vector would be the password itself, if used. However a password is typically required at some point in the security chain. For instance a password may be required to access an asymmetric algorithm's certificate/private key pair to be used in a symmetric key negotiation for an IPSec session. And of course passwords are nearly always used for system authentication.

The true weakness is in the human element. I believe Snowden was able to access as much data as he was because he asked for, and was supplied with, the passwords of the users he was helping. The just gave it to him.

Weak and over-used passwords are typical of today's users. Sometimes the systems in which these passwords are used have requirements for mixed letter case, punctuation, numbers, and length. More secure systems may require the user to change their passwords on a regular basis. But tighter security makes it harder for the user to manage, however. And they may start writing their passwords on post-it notes stuck to their monitors. So, there has to be a happy median where system security is balanced with system usability.


Second comes the use or implementation of the technology in your setup. Meaning proper storage of private keys (asymmetric) and correct configuration of software that uses encryption.
As Phatdamage has shown, much of the software and hardware that we are using on a regular basis have hidden back doors or other intentional cryptographic weaknesses. And the NSA is not the only culprit in creating these access points. A recent example of this is Lenova's use of a CA certificate surreptitiously inserted into the Windows OS cert store to enable them to create a Man-in-the-Middle attack in SSL sessions, ostensibly to introduce advertising in the user's browser. Since Lenova is owned by the Chinese, I'm not buying that.

One of the problems with configuring security is the potential complexity involved. The probability of introducing new security vulnerabilities is directly proportional to the difficulty of configuring the security itself. And as I've previously indicated, as systems become more complex for users to navigate the less productive they become and their propensity to leak their passwords increases.



Third is the most aggressive, the usage of CNE or “Computer Network Exploration” and hacking the target system. If you are in need of protection from this level of adversary it is advised to use multiple layers of security in your OS (grsecurity/PaX), and even the more complicated Xen (Hypervisor) micro kernels.
It will be very interesting to see what you have to say about this. I haven't been active in COMMSEC for several years and it will be interesting for me to see how these options have matured.



Below are two good articles about how online security is compromised and how to work to defend against it.
Those were quite informative articles. I especially liked the one from Bruce Schneier. I remember reading this right after the first Snowden revelations. It is still sage advice. And it is still scary as ever to know what the NSA and GCHQ were capable of then and are capable of now.

If I'm not mistaken, the jist of what you are saying is that the security capability of any systems is relative to how it's implemented and used. Even the most secure ciphers are at the mercy of weak passwords and poor programming.

I look forward to reading more of what you have to say. Thanks.

-dex



posted on Dec, 30 2015 @ 06:15 PM
link   
a reply to: Phatdamage



if your password isn't strong, this is a major issue.
Yep. We use to call this the problem that occurs between the chair and the keyboard.




you will have multiple manufacturer devices doing the same job, stacked, with rules filtering through all,
That's another good example of the cost of doing security right. Not only is there a financial cost to purchasing and maintaining additional equipment, but there is a potential system performance hit as well. The performance hit might not be too bad where the network is connecting to the Internet because the Internet connection generally has less bandwidth than the Intranet. But where these active devices are deployed between Intranet segments the performance hit may become more of a factor.



Another good point, how much of the world is using IP6?
I have to admit that I hadn't looked at IPv6 very much. Like the rest of the world I've been putting it off because it's not been critical for everyday use. While IANA has purportedly now given out the entire set of IPv4 addresses, I believe it will still be a while before its use become commonplace.

It also looks like the implementation of IPv6 is non-trivial, especially with a lot of devices that are still deployed that aren't set up for, or capable of using the new protocol. And IPv6, if not implemented properly, can open up heretofore unknown security holes. A lot of users can barely comprehend IPv4, imagine their confusion trying to configure IPv6.

Until I read you response I wasn't aware that IPSec was directly implemented in the IPv6 stack. Of course making this work in itself could become a configuration nightmare. The IKE protocol needs to have a public-key infrastructure in place to effectively negotiate session specific secret keys. Otherwise preshared secret keys can be used, but that requires either a globally shared secret key, or individual SA's managed manually. Both of which could be captured if a single machine in the system is compromised.

Isn't computer security fun?




-dex



posted on Dec, 30 2015 @ 06:24 PM
link   
a reply to: DexterRiley

This is the kind of input I had hoped would occur, well written informative and right to the point posts; very good sir!
Yes 64bit DES encryption, and MD5 and SHA-1 hash algorithms have been successfully attacked and it is good to note. I sum instances it will do to verify files but not if they are mission critical.

Yes PFS is a great move ahead but unfortunately its name is a bit misleading as seen below
weakdh.org...
It is how ever no were near trivial to attack so for now its good for most.

Well said the issue is the human element for sure. I will post more about Xen in time to come, for now I will focus on creating beginner to novice tutorials and information post based on things regular ATS users can use.
As thing progress I will do my best to inform everyone on Advanced systems and procedures. For those who are interested in advanced information Pm me through Wickr, PGP or a simple que on the ATS message system and we can go from there.

Very well put together post and I thank you for that!


(post by SecretCitizenz removed for a serious terms and conditions violation)

posted on Dec, 31 2015 @ 01:58 PM
link   
a reply to: SecretCitizenz

Who are you?

ALERT: This SecretCitizenz user is not the same as the ATS Netizen SecretCitizen who created this thread!

-dex



posted on Dec, 31 2015 @ 02:19 PM
link   
a reply to: SecretCitizenz

Agree with DexterRiley,

Why have you jumped into this thread, with this ALERT???

Why do you have the (almost) same name as the OP's

please explain...



posted on Dec, 31 2015 @ 03:50 PM
link   
a reply to: Phatdamage

Because it is me and I have been banned from using this service for having real information though they claim it because i was advertising or trying to make money. This is simply not true though.



posted on Dec, 31 2015 @ 05:42 PM
link   
a reply to: SecretCitizenz

Well the SecretCitizenz ID is dead. But the SecretCitizen ID still appears to be active. I guess we'll find out soon enough.

-dex



posted on Dec, 31 2015 @ 10:36 PM
link   
Username and password are no longer secure. Period.

If you are looking for better security of your credentials, I'd suggest starting with multi-factor authentication...perhaps through a smart chip certificate, OTP, or even biometrics (especially randomized words as voice biometrics are nearly impossible to duplicate.) Then I would add a layer of privileged account security software on top of that.... Let's face it, if I'm going to hack a network, I'm going to target a super user like admin or the C-level as they have the keys to the kingdom.




top topics



 
3

log in

join