OPSEC tool lineup
I find myself recommending a lot of these tools & practices to friends and colleagues so I thought I would share some of my insight on the best tools and practices to use for good OPSEC.
I’ll go over some of the tools that I personally use, then briefly describe how some of them can be used together to make your OPSEC practices a little easier and more streamlined.
If you don’t use a password manager, you may find yourself recycling passwords that you have already used, or in general using insecure passwords just because they are easy to remember. Password management tools such as LastPass and Passpack have proven useful for many, but introduce risks such as man-in-the-middle attacks, which could allow malicious actors to gain access to your passwords stored online. KeePass is an offline password manager which closes that risk while providing some nifty little security features that I will discuss a little later on. To get KeePass, simply go to the KeePass downloads page and look for the Professional Edition installer. If you are on Linux, simply install keepass2 with your favorite package manager.
GnuPG & Kleopatra
GnuPG is a great way to encrypt & sign messages or individual files for yourself and others, but by itself it can be a little complicated or intimidating. Kleopatra fills that gap by offering a graphical manager for your personal keypair, as well as managing, signing and searching other public keys. Honestly, the stuff that you could do with this and other tools could fill a whole other blog post by itself. These tools are available on Linux & Windows alike (not sure about Kleopatra for Mac, but GnuPG should definitely be available). For Windows, simply download the bundle called gpg4win. Once set up, Kleopatra will allow you to encrypt/decrypt & sign your clipboard by just right-clicking the icon in the notification tray. The bundle for Windows also includes GPGEx, which allows you to right-click files to encrypt/decrypt/sign as well. This can be useful for encrypting files to send to others, or even just to encrypt files for yourself later down the road, such as backups or sensitive data that you need to move and temporarily store on an unencrypted volume.
To start encrypting messages/files for others, you will need their public key. Likewise, for them to send encrypted data to you, they will need your public key. You can share your public key to keyservers such as pgpkeys.mit.edu, and others can download your key from the server. Your friends should also verify your key fingerprint with you, sign your public key, and upload it back to the keyserver, to verify your key to others who are searching for it.
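The fingerprint check described above, as an added example that is not part of the original post: it pulls the primary key fingerprint out of GnuPG's colon-format listing and compares it with the value your contact read out to you. The sample listing, the address alice@example.org and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare a key's full fingerprint with the value your contact
# gave you in person or by phone, before you sign the key.

# Constructed sample of `gpg --with-colons --fingerprint alice@example.org`.
SAMPLE='pub:-:4096:1:0123456789ABCDEF:1500000000:::-:::scESC:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0123456789ABCDEF:
uid:-::::1500000000::::Alice Example <alice@example.org>:
sub:-:4096:1:1111222233334444:1500000000::::::e:
fpr:::::::::9999888877776666555544443333222211110000:'

# Strip spaces/colons and uppercase, so a value read aloud in groups compares.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\t\n' | tr 'a-f' 'A-F'
}

# Read colon-format output on stdin; print the primary key fingerprint
# (field 10 of the first "fpr" record; later ones belong to subkeys).
primary_fpr() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# fpr_matches <colon_output> <expected>: 0 = match, 1 = mismatch,
# 2 = expected value is not a full 40-hex-digit fingerprint.
fpr_matches() {
    want=$(normalize_fpr "$2")
    case "$want" in
        ''|*[!0-9A-F]*) return 2 ;;
    esac
    [ "${#want}" -eq 40 ] || return 2   # refuse short key IDs
    got=$(printf '%s\n' "$1" | primary_fpr)
    [ "$got" = "$want" ]
}

# Demo on the constructed sample. With real keys, replace "$SAMPLE" with
#   "$(gpg --with-colons --fingerprint alice@example.org)"
# and only on a match run:  gpg --sign-key alice@example.org
if fpr_matches "$SAMPLE" "aaaa bbbb cccc dddd eeee ffff 0123 4567 89ab cdef"; then
    echo "fingerprint matches: OK to sign"
else
    echo "fingerprint does NOT match: do not sign"
fi
```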
Pidgin + Off-the-record messaging
Pidgin is an instant messaging client which allows you to connect to various protocols such as Facebook & Google messengers, XMPP, Yahoo IM, AIM, ICQ, and even IRC. Cypherpunks offers a plugin for off-the-record messaging, providing secure communication between you and your buddies given that they are also using it. These tools are available for Windows, Mac, and Linux alike, so you have absolutely no excuse not to be using them. Always be sure to verify your fingerprint, as well as the other party's fingerprint, when using this plugin, to make sure that your friend is who they say they are, and that there is no man-in-the-middle going on.
VeraCrypt picks up where TrueCrypt left off and allows you to create encrypted volumes in files and physical drive partitions. You can also use VeraCrypt to encrypt your entire system drive, and even perform file-in-place encryption, which will create an encrypted volume where files already exist and encrypt those files on disk.
This is really good for securely storing sensitive data such as work, financial, or otherwise personally identifiable information. This encryption tool is available for Windows, Mac and Linux so there is no excuse not to be using it to store your sensitive information.
Destroy Windows 10 Spying
If you are running Windows 10, you should check out Destroy Windows 10 Spying, which promises to remove spy applications from Windows 10 as well as add spying domains to the firewall (though the latter is probably best left to your network firewall). This tool is available in both source and binary forms, and from my own personal checks the binaries that are made available are safe to run, but for the truly paranoid, just pick up a copy of Visual Studio and compile it for yourself.
Bluetooth Proximity Lock
The tool that you would want to use for this sort of thing varies depending on your platform, but the functionality is similar across the board. Essentially you will want a tool which runs in the background, pairs with a Bluetooth device, and locks your computer when that device goes out of range.
The following list of tools should suffice for this operation:
- BTProx for Windows – This tool has been discontinued, but unfortunately it seems to be the only one that will get the job done for Windows users. That being said, I still use it.
- BlueProximity for Linux/BSD
- Proximity & AppleScript for Macintosh – I’m not sure how this one comes together; Proximity just runs AppleScripts, and you will need an AppleScript which locks your computer. I have no personal experience with this tool since I am not a Mac user.
How this tool comes together with other tools
Okay, so the Bluetooth proximity locking tool is actually going to be useful when pulled in together with your other tools. VeraCrypt and KeePass can both be set up to lock and wipe keys/passwords from memory once your desktop is locked. Naturally, if you step away from your computer with your paired Bluetooth device, your computer + these other tools will be locked along with it if configured to do so. The best device to pair with your computer is going to be one that is on you at all times. I would recommend a smart watch or your smart phone since these are items that are going to typically leave the house with you. Even older cell phones have Bluetooth capabilities, so there is a lot of wiggle room here for those on a tight budget. If your computer does not have Bluetooth capabilities, you can pick up a nice USB Bluetooth adapter pretty cheap as well, so there is no excuse not to be using one of these Bluetooth locking tools. These tools can also be configured to run other scripts which could be set up to delete temporary files, or to close out other programs that you might not want to leave up, such as your web browser or instant messaging programs.
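A sketch of the mechanism behind such a proximity lock, as an added example that is not taken from BTProx, BlueProximity or Proximity: it locks only after several consecutive failed probes, so one dropped Bluetooth reply does not lock the desktop. PROBE_CMD, LOCK_CMD, the thresholds and the function names are assumptions to replace with your platform's own commands.

```shell
#!/bin/sh
# Added example: debounce logic for a proximity-lock watcher.
# PROBE_CMD and LOCK_CMD are assumptions; substitute your platform's commands,
# e.g. PROBE_CMD='l2ping -c 1 -t 2 <device address>' and
#      LOCK_CMD='loginctl lock-session' on a Linux desktop with BlueZ/systemd.
MISS_LIMIT=3      # consecutive failed probes before locking
INTERVAL=5        # seconds between probes

# next_state <state> <misses> <probe_rc>  ->  prints "<state> <misses> <action>"
# Coming back in range only re-arms the watcher; unlocking still needs your
# password.
next_state() {
    state=$1; misses=$2; action=none
    if [ "$3" -eq 0 ]; then
        state=present; misses=0
    else
        misses=$((misses + 1))
        if [ "$state" = present ] && [ "$misses" -ge "$MISS_LIMIT" ]; then
            state=away; action=lock
        fi
    fi
    echo "$state $misses $action"
}

# replay <rc>...: run recorded probe exit codes through the state machine and
# print the 1-based positions at which a lock would fire.
replay() {
    st=present; ms=0; i=0; fired=
    for rc in "$@"; do
        i=$((i + 1))
        res=$(next_state "$st" "$ms" "$rc")
        st=${res%% *}; act=${res##* }; ms=${res#* }; ms=${ms%% *}
        if [ "$act" = lock ]; then fired="$fired$i "; fi
    done
    echo "${fired% }"
}

# watch: the real loop. LOCK_CMD runs once per departure; the desktop lock is
# what makes KeePass/VeraCrypt lock too, if they are configured that way.
watch() {
    st=present; ms=0
    while :; do
        rc=0; $PROBE_CMD >/dev/null 2>&1 || rc=$?
        res=$(next_state "$st" "$ms" "$rc")
        st=${res%% *}; act=${res##* }; ms=${res#* }; ms=${ms%% *}
        if [ "$act" = lock ]; then $LOCK_CMD; fi
        sleep "$INTERVAL"
    done
}

replay 0 1 1 0 1 1 1 1 0   # constructed probe results
```

Extra clean-up steps, such as closing the browser or deleting temporary files, can be chained onto LOCK_CMD by pointing it at a wrapper script.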
I hope this post helps you practice better OPSEC, or has opened your eyes to different risks associated with your current OPSEC practices. If you have any questions or feel that I have left something out please leave a comment below.