September 14, 2017

Equifax Incident Summary and Timeline

Just wrote a summary of the Equifax incident in Thai. This note will be updated continuously.

September 6, 2017

Interesting points on a hidden site's OPSEC

The source, a crime market, uses a lot of OPSEC. These are the interesting points I found in it, from both a security and a privacy perspective.
  • Application-layer
    • At the application layer, they rely only on open-source software, which they recompile and harden
  • Network-layer
    • Only Tor connections are allowed in, enforced by firewall rules
    • The service's public information has been minimized
    • They deploy their own guard nodes for entering the Tor network, to protect against coordinated attacks and other threats. Because they run the guard nodes themselves, they can monitor them and respond early: if an attack is significant, they trigger the bitcoin release mechanism, then shut down and wipe all sites and data
  • Data
    • Data at rest is encrypted, including messages, user credentials and databases
    • Passwords are individually salted and hashed with bcrypt
    • Keys are rotated every 5 months; old keys are permanently destroyed
  • Process
    • They have developed their own IDS, which is used to detect suspicious behaviour and trigger a self-destruction process. The self-destruction process includes:
      • Locking down the site
      • Encrypting critical database part
      • Removing critical data from memory
      • Denying access to the login and registration pages, and ending all currently logged-in sessions
      • Full memory wipe
    • Their servers are located in a country that will neither cooperate nor share information with EU or US authorities
    • Servers are regularly migrated using scripts
    • They do not use light bitcoin wallets
    • The onion key is isolated
  • People (and OPSEC tips)
    • All communication from staff is encrypted with GPG. They also strongly suggest that users do the same
    • Staff never meet and do not know each other
    • Do not tell anyone about what you have done and what you are going to do
    • Destroy any evidence
    • Do not be the last person to talk to the victim
    • Do not be caught anywhere near the scene
    • If you are arrested always request a lawyer before talking to law enforcement and invoke all your rights. Do not talk to law enforcement without a lawyer and do not self-incriminate.
    • Never reveal personal information about yourself
    • Use Tails, with disk encryption and bitcoin; avoid doing anything that may leave evidence on the HDD. Optionally, use BleachBit and implement full-disk encryption.
    • Keep your software up-to-date
    • Bitcoin tumbling and untainted addresses
    • Disable JavaScript and set Tor browser security level to high
Unclear points:
  • Isolation between the service and the server (a virtual box)
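The "independently salted" point in the Data section above is worth showing concretely, because it is the difference between a hash leak that costs one password and a hash leak that reveals every user who picked the same password. The following is an added example written for this note, not code from the market described here. bcrypt is not in Python's standard library, so PBKDF2-HMAC-SHA256 from `hashlib` stands in for it; the per-user salting pattern, the constant-time comparison and the shared-salt failure mode are the same regardless of which slow hash sits underneath. The iteration count, the sample accounts and the shared salt value are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Illustrative work factor (assumption, not a figure from the note); bcrypt
# expresses the same idea as a cost parameter instead of an iteration count.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salt_hex$hash_hex' using a fresh random salt per call.

    Without an explicit salt, every call draws its own random bytes, so two
    users who chose the same password end up with different stored values.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# The weak variant: a single site-wide salt. Identical passwords then hash to
# identical stored values, which is exactly what per-user salting prevents.
SHARED_SALT = b"site-wide-salt!!"  # constructed example value


def hash_password_shared_salt(password: str) -> str:
    return hash_password(password, SHARED_SALT)


def duplicate_hash_groups(store: Dict[str, str]) -> List[List[str]]:
    """Group usernames whose stored values are byte-for-byte equal.

    With per-user salts this is always empty. With a shared salt it exposes
    every set of users sharing a password without cracking a single hash.
    """
    by_value: Dict[str, List[str]] = {}
    for user, value in store.items():
        by_value.setdefault(value, []).append(user)
    return [users for users in by_value.values() if len(users) > 1]


def demo() -> dict:
    # Constructed sample accounts; alice and carol chose the same password.
    accounts = {"alice": "correct horse", "bob": "hunter2", "carol": "correct horse"}
    per_user = {u: hash_password(p) for u, p in accounts.items()}
    shared = {u: hash_password_shared_salt(p) for u, p in accounts.items()}
    return {
        "per_user_duplicates": duplicate_hash_groups(per_user),
        "shared_salt_duplicates": duplicate_hash_groups(shared),
        "alice_ok": verify_password("correct horse", per_user["alice"]),
        "alice_wrong": verify_password("Correct horse", per_user["alice"]),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the per-user store with no duplicate groups while the shared-salt store immediately links alice and carol; verification still works on the per-user store because the salt is carried alongside the hash rather than kept as a secret.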