pages/txt/ig-opsec.txt (view raw)
1 02 December, 2019
2
3Instagram OPSEC
4
5Operational security for the average zoomer
6
7 Which I am not, of course. But seeing as most of my peers are, I am
8 compelled to write this post. Using a social platform like Instagram
9 automatically implies that the user understands (to some level) that
10 their personally identifiable information is exposed publicly, and they
11 sign up for the service understanding this risk -- or I think they do,
12 anyway. But that's about it, they go ham after that. Sharing every
13 nitty gritty detail of their private lives without understanding the
14 potential risks of doing so.
15
16 The fundamentals of OPSEC dictacte that you develop a threat model, and
17 Instgrammers are obviously incapable of doing that -- so I'll do it for
18 them.
19
20Your average Instagrammer's threat model
21
22 I stress on the word "average", as in this doesn't apply to those with
23 more than a couple thousand followers. Those type of accounts
24 inherently face different kinds of threats -- those that come with
25 having a celebrity status, and are not in scope of this analysis.
26 * State actors: This doesn't really fit into our threat model, since
27 our target demographic is simply not important enough. That said,
28 there are select groups of individuals that operate on
29 Instagram^[1]1, and they can potentially be targetted by a state
30 actor.
31
32 * OSINT: This is probably the biggest threat vector, simply because
33 of the amount of visual information shared on the platform. A lot
34 can be gleaned from one simple picture in a nondescript alleyway.
35 We'll get into this in the DOs and DON'Ts in a bit.
36 * Facebook & LE: Instagram is the last place you want to be doing an
37 illegal, because well, it's logged and more importantly -- not
38 end-to-end encrypted. Law enforcement can subpoena any and all
39 account information. Quoting Instagram's [2]page on this:
40
41 a search warrant issued under the procedures described in the
42 Federal Rules of Criminal Procedure or equivalent state warrant
43 procedures upon a showing of probable cause is required to compel
44 the disclosure of the stored contents of any account, which may
45 include messages, photos, comments, and location information.
46
47 That out of the way, here's a list of DOs and DON'Ts to keep in mind
48 while posting on Instagram.
49
50DON'Ts
51
52 * Use Instagram for planning and orchestrating illegal shit! I've
53 explained why this is a terrible idea above. Use secure comms --
54 even WhatsApp is a better choice, if you have nothing else. In
55 fact, try avoiding IG DMs altogether, use alternatives that
56 implement E2EE.
57 * Film live videos outside. Or try not to, if you can. You might
58 unknowingly include information about your location: street signs,
59 shops etc. These can be used to ascertain your current location.
60 * Film live videos in places you visit often. This compromises your
61 security at places you're bound to be at.
62 * Share your flight ticket in your story! I can't stress this
63 enough!!! Summer/winter break? "Look guys, I'm going home! Here's
64 where I live, and here's my flight number -- feel free to track
65 me!". This scenario is especially worrisome because the start and
66 end points are known to the threat actor, and your arrival time can
67 be trivially looked up -- thanks to the flight number on your
68 ticket. So, just don't.
69 * Post screenshots with OS specific details. This might border on
70 pendantic, but better safe than sorry. Your phone's statusbar and
71 navbar are better cropped out of pictures. They reveal the time,
72 notifications (apps that you use), and can be used to identify your
73 phone's operating system. Besides, the status/nav bar isn't very
74 useful to your screenshot anyway.
75 * Share your voice. In general, reduce your footprint on the platform
76 that can be used to identify you elsewhere.
77 * Think you're safe if your account is set to private. It doesn't
78 take much to get someone who follows you, to show show your profile
79 on their device.
80
81DOs
82
83 * Post pictures that pertain to a specific location, once you've
84 moved out of the location. Also applies to stories. It can wait.
85 * Post pictures that have been shot indoors. Or try to; reasons
86 above. Who woulda thunk I'd advocate bathroom selfies?
87 * Delete old posts that are irrelevant to your current audience. Your
88 friends at work don't need to know about where you went to high
89 school.
90
91 More DON'Ts than DOs, that's very telling. Here are a few more points
92 that are good OPSEC practices in general:
93 * Think before you share. Does it conform to the rules mentioned
94 above?
95 * Compartmentalize. Separate as much as you can from what you share
96 online, from what you do IRL. Limit information exposure.
97 * Assess your risks: Do this often. People change, your environments
98 change, and consequentially the risks do too.
99
100Fin
101
102 Instagram is -- much to my dismay---far too popular for it to die any
103 time soon. There are plenty of good reasons to stop using the platform
104 altogether (hint: Facebook), but that's a discussion for another day.
105
106 Or be like me:
107
108 0 posts lul
109
110 And that pretty much wraps it up, with a neat little bow.
111 __________________________________________________________________
112
113 1. [3]https://darknetdiaries.com/episode/51/ -- Jack talks about
114 Indian hackers who operate on Instagram.
115
116References
117
118 1. https://icyphox.sh/home/icy/leet/site/build/blog/ig-opsec/temp.html#fn:ddepisode
119 2. https://help.instagram.com/494561080557017
120 3. https://darknetdiaries.com/episode/51/