OPsec for Gamers - especially in EVE Online
Condensed version of tips for OPSec for Gamers from r/eve - if it wasn't for your great answers I wouldn't edit it again but what can I do - msg me if I forgot something.
Why OPsec for EVE-Online players? As EVE Online has a lot of out-of-game tools it is important for capsuleers not only to secure their in-game assets but also to be careful with out-of-game systems that might compromise their accounts...
What is OPsec for Gamers?
CDSEChris: Hi, I'm Chris. I founded the Operations Security (OPSEC) Professional's Association. I also teach cybersecurity for the federal government and contractors under the National Industrial Security Program. I'm also working on a presentation about OPSEC in EVE Online that I'll be presenting at the National OPSEC Symposium in June. (...) I'll be posting them here before the conference, and hopefully I'll be able to record the actual presentation and share it as well.
What you're talking about is probably better referred to as information security, cybersecurity, or the deprecated term "information assurance." Those disciplines are concerned with protecting information systems like computers, servers, etc. Operations Security, or OPSEC, is actually focused on protecting critical information that can give away friendly plans, intentions, capabilities, things like that. Both have their place here, and they actually work well together. While the terms are often used interchangeably, I think it's important to look at the concepts individually and see how they can each benefit us.
[Mad Librarian]: For a slightly different take on OPsec you can also watch the OPsec for Hackers talk by Grugq.
INFOSEC: Information Security Tips (protecting your machine)
CDSEChris: As far as protecting your computer, which is the core question here, there's a few important things to remember: (I'm not going to repeat the advice already given in this thread, because those are all GREAT points. Especially about passwords and ad-blockers)
1. Update everything. Everything installed on your computer is a potential point of entry into it and into your network. Install updates and patches for your operating system, your browser, your office suite. Patch all your software, especially the internet-facing ones like Flash, Java, and Adobe. Some of the most damaging recent hacks and breaches were caused by out-of-date software, when patches were already available.
2. Watch where you go online. There's something called a Watering Hole Attack where certain sites are compromised and the targets are encouraged to visit them. This may be done by compromising already popular sites, or it may be done by creating a new site and then trying to encourage people to visit. I talk a little bit about that here, if it helps. For the same reason, don't follow unsolicited links or click on untrusted attachments.
3. Consider using a virtual machine for anything... risky. A virtual machine is basically a computer session that runs on your computer, but in a "sandbox" mode that doesn't normally interface with the rest of your computer. I feel like this is a good place for the "yo dawg" meme... So if your virtual machine gets a virus, you can just delete it and start over. I like to use VirtualBox, but that's just a matter of preference.
4. Use an antivirus program, but don't trust it. Antivirus programs primarily rely on signatures - that is, known code that flags software as a virus - or heuristics, which is virus-like behavior. They're good, although some of us don't like the resource hit. All the same, use one, keep it updated, and scan your computer regularly. However, know that they're not perfect. They can get infected, too, or sometimes they can miss things. If you suspect that's the case, use an online virus scanner from any of the major providers.
5. Configure your firewall. Your computer most likely has one built in, and you probably have one on your router, too. Use 'em. You can configure them to be as restrictive as you want, but the one on your computer can be configured to let you know when new programs try to connect to the internet. That's pretty handy to know! At a minimum, make sure that you're protecting your inbound connections so that an attacker has a harder time getting in. And make sure to block ICMP echo requests - that should be a specific option available. "Pinging" (that is, sending such a request to) your computer is often the first step in an attack; it shows that your computer's online and responding to connection requests. Blocking pings can stop casual attacks before they start.
6. BACK UP YOUR COMPUTER! All your data, or at least the stuff you want back. Seriously, copy your files to Google. Get Dropbox. Buy an external drive. I think I have some old floppy discs lying around I can send you. Whatever it is, back up your files. Ransomware's on the rise, and it's only getting worse. If you're infected, you might be able to pay the ransom and get your data back... maybe. But if that happens, you want to be in control of your data. Back up whatever you want to back up, but please back up something. And call your mother, she wants to hear from you.
7. Uninstall programs you're not using anymore. That saves space, but it also helps to reduce potential attack vectors.
8. Do your normal computer browsing as a regular user; use your admin account only for administrative tasks. That helps reduce the impact of a compromise or infection.
The agency I work for has a publicly available cybersecurity course that really gets into the meat of that. Some of you already know this course well, and I apologize for the fact that you have to take it every year. Not my call. Maybe if you try chasing down the phone thief they'll be so impressed with your tenacity that they'll give you a year off, I dunno.
OPSEC: Protecting your information
CDSEChris: I'd like to talk for a moment about OPSEC and how it can actually support your information security efforts. As I mentioned, OPSEC is a lot more than INFOSEC, but they go hand-in-hand in a lot of ways. If I could convey just one thing, it would be to make yourself less interesting to a potential attacker.
Try to avoid standing out, at least in a way that pairs your online persona with your real one. Think about the information that you're giving away when you post online, and what that might give to a hacker or other potential adversary. We're often not as anonymous as we like to think we are, and it's not difficult for an attacker to build a useful profile about us to allow them to spear phish us (that is, send us a phishing email that's highly tailored to us, specifically).
Here's a little bit more information on OPSEC in general.
Tools for INFOSEC
1. Secure your browser:
- Use the [latest version of your browser - check here!](https://updatemybrowser.org/).
- Try to use only HTTPS (secure connections to a website); there are add-ons that can force secure connections where they are available.
- Use ad blockers - they remove or alter advertising content on a webpage, website, or mobile app. Ads can carry phishing links, malware, pornographic images and irritations such as flashing colours and sound, and they can steal data and drain data allowances. Examples are the uBlock Origin and Privacy Badger plugins; Mustasade and Key Lime also mentioned NoScript for Firefox.
- Niraia: For more control, at the expense of more hassle while you figure out what a site needs in order to function, I love uMatrix (Chrome, Firefox). Works happily alongside uBlock Origin.
- And finally - configure your browsers for security as far as that is possible: Browser Security Settings for Chrome, Firefox and Internet Explorer: Cybersecurity 101.
2. Secure your network
- jhhnl: If you really want to block all ads and trackers you should give PiHole a look. It blocks the internet addresses on a DNS level. This together with a VPN and a reverse proxy of the PiHole gives you a lot more security on your data and internet behavior.
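To make "blocks on a DNS level" concrete, here is a simplified model of a filtering resolver, added as an illustration; it is not Pi-hole's code and not part of the original thread. The blocklist entries, the `fake_upstream` helper and the `match_subdomains` switch are constructed for this example.

```python
# Constructed sample blocklist in hosts format; all domains are placeholders.
SAMPLE_LIST = """
# ad and tracker hosts
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org   # inline comment
127.0.0.1 localhost
metrics.example.com
"""
SINKHOLE = "0.0.0.0"  # unroutable answer handed back for blocked names


def parse_blocklist(text):
    """Collect blocked names from hosts-format or one-domain-per-line text."""
    blocked = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        name = line.split()[-1].lower().rstrip(".")
        if name != "localhost":  # hosts files list it; never block it
            blocked.add(name)
    return blocked


def is_blocked(name, blocked, match_subdomains=False):
    """Exact match by default; optionally also match any parent domain."""
    name = name.lower().rstrip(".")
    if name in blocked:
        return True
    labels = name.split(".")
    return match_subdomains and any(
        ".".join(labels[i:]) in blocked for i in range(1, len(labels)))


def answer(name, blocked, upstream, match_subdomains=False):
    """Sinkhole a blocked query, otherwise forward it to the upstream resolver."""
    if is_blocked(name, blocked, match_subdomains):
        return SINKHOLE
    return upstream(name)


def fake_upstream(name):
    """Hypothetical stand-in for a real upstream resolver (documentation IP)."""
    return "192.0.2.10"


if __name__ == "__main__":
    bl = parse_blocklist(SAMPLE_LIST)
    for q in ("ads.example.net", "cdn.ads.example.net", "game.example.com"):
        print(q, "->", answer(q, bl, fake_upstream))
```

Two things follow from the model: filtering only covers devices that actually send their queries to this resolver, and an exact-match list does not catch a subdomain unless it is listed or parent-domain matching is turned on.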
3. Secure your Operating System
- Swift On Security has a basic guide for securing Windows 7 and higher, that is a good starting point.
- Batolemaeus: Use a secure operating system like Gentoo Linux.
- There are also Linux Distros that are optimised for gaming, like Steam OS, SparkyLinux and others.
4. Secure your Passwords and information
- Funkmaster_Plex: you forgot the most important ones: never use the same password (and username if possible) on multiple sites/services; use 2-factor where available.
- Fuzzmiester: Use password managing software like KeePass, KeePassX or Pass.
I will extend the guide from the comments (thx for the great posts so far) and also post it on our blog so the info remains there if it does get delisted again...
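One way to check the "never reuse a password or username" advice against a password manager export, added here as an example that is not from the thread. The column names `title`, `username` and `password` and the sample rows are assumptions constructed for the illustration; adjust them to whatever your manager exports.

```python
import csv
import hashlib
import hmac
import io
import secrets
from collections import defaultdict

# Constructed sample export; the column names are an assumption.
SAMPLE_EXPORT = """title,username,password
EVE Online,capsuleer42,correct-horse-1
Alliance forum,capsuleer42,correct-horse-1
Killboard,kb_reader,Tr0ub4dor&3
Voice comms,pilot_alt,correct-horse-1
Market tool,trader_x,9f!unique-and-long
"""


def find_reuse(csv_text, field):
    """Group entry titles that share the same value in `field`.

    Values are compared through an HMAC with a throwaway key, so neither
    the secret nor a stable hash of it is ever stored or printed.
    """
    key = secrets.token_bytes(32)
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        value = row.get(field) or ""
        if not value:
            continue  # skip entries with nothing to compare
        tag = hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest()
        groups[tag].append(row["title"])
    return sorted(sorted(titles) for titles in groups.values() if len(titles) > 1)


def audit(csv_text):
    """Report reuse clusters for passwords and for usernames."""
    return {
        "password": find_reuse(csv_text, "password"),
        "username": find_reuse(csv_text, "username"),
    }


if __name__ == "__main__":
    for field, clusters in audit(SAMPLE_EXPORT).items():
        for titles in clusters:
            print(f"same {field} on {len(titles)} entries: {', '.join(titles)}")
```

An unencrypted export is itself sensitive: run the check locally and delete the file afterwards.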