Communications Security
DGTM article 2
Our highest responsibility is control over the flow of information. Nothing is gained by a fast response if the reason for it is announced to the world. Someone always wants to overhear you, and can often do so after the fact.
Compartmentalized security applies to your life. Do not use any personal electronic equipment when operating under an assumed identity. Do not attempt to access personal accounts for email, voicemail, or other services, unless absolutely necessary to avoid suspicion.
Pre-configured phones and computers can be provided to you, but speedy delivery is not guaranteed. Your own know-how is crucial to communications security, with or without special equipment. Operational necessity and plausible deniability will require your use of publicly available software and civilian infrastructure.
What are the risks of telephone use?
In all communication by phone, assume your phone number and hardware-unique identifiers, such as IMEI numbers, are logged and can be tied to your approximate location. An unlisted number does not protect you. Encryption will, at best, protect the content of your conversations if your phone is tapped remotely.
Multiple cellular service providers may share cell site infrastructure, which can be physically compromised. Your location is known to your service provider if your phone is on the grid, including on stand-by. Accurate triangulation of your location is possible, though it requires the interested party's attention.
How do I make secure phone calls?
You may be issued a secure phone. Instructions for its use will be provided as needed, but are rarely more complex than entering an additional PIN number or other form of authorization for encryption of voice content, securing the data link itself, or both. Do not use your personal SIM in the same device. Do not make personal calls from it.
If you are not issued a phone, you will purchase one. If you are not issued a SIM or R-UIM card, you will obtain one, exactly as directed by your cell leader. Remember the name of the service provider. Do not purchase cards from any other provider.
What about emergency phone calls?
In an emergency, use public pay phones, disposable cell phones or pre-paid cards, changing as often as possible. Do not shop where you can be recognized or would be expected. Always pay cash.
Always memorize the phone numbers of those in your cell and the external coordinator of the opera (if any), as well as emergency contact numbers. Destroy used equipment, such as by burning the circuitry, including SIM or R-UIM cards, hot enough for the metal to melt.
What are the risks of computer use?
In all Internet communication, assume IP and MAC addresses are logged and can be tied to your location through gateways and other infrastructure. For wireless Internet over WWAN modems, such as common USB dongles, observe security measures for telephone communication outlined above.
The majority of Internet traffic is unencrypted and can be overheard if the infrastructure is compromised. If your device has been identified and is connected, assume it can be hacked to monitor your activity and extract your files.
How can software improve security?
Use up-to-date open-source operating systems to avoid built-in mechanisms for data logging and reduce susceptibility to hacking. For convenience, consider carrying a USB stick of Lightweight Portable Security (LPS), an Air Force operating system built to boot on any machine and leave no trace.
Encrypt email with OpenPGP. Set up pre-boot authentication of your operating system and encrypt your internal storage medium, with TrueCrypt or equivalent software. Zerofill media when the information is no longer required.
To harden a system further, disable non-essential services and familiarize yourself with the firewall software. Ports left open in the firewall can be detected and used by malware. Reduce reliance on third-party services where your data is remotely stored.
What else can I do to harden a computer?
Expend the effort to make up long passwords resistant to brute-force attacks, including dictionary attacks with common character substitutions. Memorize them, and change them every few days at the opera.
Software will not protect your communications from social engineering or attacks made possible by physical access to your hardware. As one example of a threat that can result from physical access, a hardware keylogger can be installed to send your passwords to a third party.
Password-protect your BIOS or UEFI to prevent tampering, disable booting from external media, and discard all hardware you suspect has been physically accessed. Keep only the internal storage medium for later recovery of data or complete destruction.
How do I conceal my identity?
The Tor network can conceal your location from the point of view of a target, but does not protect the link from your machine to the first Tor node. If you are issued VPN credentials or other special resources, know that these are more secure, but may signal that you have something to hide.
Learn to alter your MAC address as needed to obstruct tracing of your hardware. For example, in most GNU/Linux distributions, the following terminal command will give your primary Wi-Fi interface a semi-random MAC address until rebooted.
sudo ifconfig wlan0 down hw ether $(printf "%s%04x" 0013741b $RANDOM | sed 's/([0-9a-f][0-9a-f])/\1:/g'); sudo ifconfig wlan0 up
The command may look cryptic, but learning why and how it works can save lives, including yours. The basics of secure computer use are not magic, nor secret. Resources available online apply to you. We do not offer tech support.