Where does operational security begin? - ShadowDragon.io

Where does operational security begin?

where does operational security

Over the course of the last few months, we’ve blogged about finding bad guys by guessing emails, mapping friends, understanding emotional behavior, and leveraging laziness and poor password habits.  All of these open source techniques are based on predictable human behavior and loose/lazy security precautions when doing things online. It’s wonderful for a hunter, but what if we are the prey?

Last year, I was asked in an interview a question that I’ve spent quite a lot of time thinking about but haven’t really shared much of the information publicly.  Since being asked, it’s come up probably another 10 times in general conversations:

“How do I keep my kids safe online?”

I’m a dad, and this type of thing is something I’ve obviously dumped some brain power into.  What’s interesting about this question and how it pertains to this blog isn’t surprising, but instead something we can teach the ones we care about.  A while back, I had the opportunity to talk to an investigator looking into a target that was illegally shipping some goods. He’d been hunting the guy for a while, and after getting his hands on SocialNet, he made a very interesting discovery.

You see, the target’s operational security was very high, and all of the attempts to figure out who he was were failing.  The target had used a variety of phone numbers for a number of different transactions. However, after plugging the digits into SocialNet, the investigator was able to get a FourSquare account off of one of the numbers.  While the account hadn’t been active in years and years, the last check-in was “Mom’s house” pinned nicely to a map.

Our target here wasn’t a “bad” guy when he was using that FourSquare account. Instead, he was just some teenager in junior high school playing with a cool new app on his phone.  This is the interesting question: Where does all of our online operational security begin? For many reading this, online spaces didn’t exist when we were goofy teens.  So it began somewhere around when we made our first Yahoo! account or registered that silly domain name.

This leads me back to the oft-repeated question of our children’s safety online.  While we’ve all heard the stories of extreme bullying, human trafficking, and general evil kids can get involved in, many times we don’t think about some of the good habits we can instill in them to not create a giant target on themselves in the future.

Seriously, how important is it for a 13-year-old to tag where they are vs. the possibilities of that target on them in the future?  I’m going to go over a few of my thoughts on this as it pertains to kids specifically, but this is something for everyone. Maybe it might motivate you to get out there and nuke that old Deviant Art page where you’ve stored all your vampire race car pictures.

First of all, the one thing I see with many guardians is a total disregard for the value of you and your family’s personal data.  Android tablets filled to the brim with “games” overloading their little brains with dopamine, and in our case here, creating a huge marketing/online footprint for them.  

If the product is free, YOU are the product.

When you are the product, there’s a very good chance that there’s some fat juicy public data available about you.  Kids can learn this and ask that question when they come across an app or service that is “free.”

Secondly, EVERYTHING you do online is stored somewhere.  That somewhere could become public and the ramifications for that could be devastating.  Yelling that “hilarious” racial slur you just discovered when you were 12 in a Fortnite game using the same ID you use everywhere is stored on Twitch for the day your potential employer discovers your wonderful personality.

It’s never too early to teach that to kids or anyone, really, for that matter.  “What we do online echoes in eternity.” – Marcus Aurelius (probably) 

Lastly, as we’ve talked about before in this blog,  it’s not hard to teach password security to kids. While it’s not everyone’s cup of tea, I showed my kids how easy it is to crack passwords using some very easy to use tools when the password is stupid and easy.  We also played games, seeing if they could “sneak” into other email accounts by understanding that people will reuse the same passwords. When a grade schooler can “hack” into that second email address you’ve got, it’s a subject they can start to understand early on.  Take a minute to teach them how to make a good password or what a password manager is.

While I’m barely scratching the surface on this today, online operational security starts the minute a parent puts a kid online.  So, when that question inevitably comes up, there’s 3 nice starting bullet points:

  1. If the product is free, YOU are the product.
  2. What we do online echoes in eternity.
  3. Making good passwords isn’t hard.

Happy Hunting.


Elliott Anderson

Scroll to Top