Hey everyone, thank you for joining me today. My presentation is called So You Want to OPSEC, Eh? Before we start, just a little disclaimer: I'm not here on behalf of any organization, and anything I say or my beliefs are not representative of the Canadian government. I'm here to talk about operational security from my perspective as an OSINT investigator. So OSINT is open source intelligence, which is information that is collected from publicly available sources. OSINT investigators will find a ton of digital breadcrumbs that help with our research, but I'm here to show you the privacy side of why this should matter to you. It doesn't mean that you have something to hide because you're a bad person, but it's sometimes about a bad actor having ill intentions, and you can be targeted for something like identity theft. So I hope by the end of this talk, the "why you should care" question should be answered.

Let me introduce myself. My name is Ritu Gill. I'm an intelligence analyst with a total of 14 years with the Canadian government, specifically law enforcement. 12 of those years were with the Royal Canadian Mounted Police, which is Canada's national police force. I am an OSINT enthusiast. You can find me a lot of places online, including Twitter, where I go by the handle OSINT techniques. I have a website, which is at OSINTTechniques.com.

This is the overall agenda of my talk. I'll cover the definitions of OPSEC and threat modeling, then cover sharing content and how it can expose your information online. I'll cover poor OPSEC because these are learning opportunities for us. And then I'll move into ways on how you can stay secure and resources that may help with discovering your digital content. And then go into how we can remove some of this content as well.

So what is OPSEC? It's a term from the US military that stands for operational security. The purpose of OPSEC is to deny an adversary information that can compromise a mission.
So the objective is to prevent sensitive data from falling into the wrong hands. I want to introduce another concept here. People will sometimes say OPSEC when they actually mean PERSEC, which is personal security. And it is a way to identify, control and protect information about your personal security and life. And for the purposes of this talk, I'm addressing behaviors that impact both OPSEC and PERSEC. So you don't need to be in the military to have OPSEC or PERSEC apply to you. It works both ways. Examples: someone could use the information you're sharing online and do something nefarious like break into your house when you're on vacation, or if you're part of military or law enforcement and you post things online, that could compromise the current location of your troop. So the sharing of this data in our online lives can have a huge impact.

Some questions to think about, what we can ask ourselves, is: what can an adversary or a bad actor gain from looking at our online footprint? That's a great question. So where do we expose ourselves online, or where do we expose ourselves too much? And then how can we minimize these risks? These are questions to help make our assessment. For you, having better OPSEC might mean preventing bad actors from identifying you online or knowing where you live and work.

So what is your threat model? Well, a threat model, first, it's a method of evaluating security and privacy risks in order to strategically mitigate them. So everyone's threat model will look different depending on who you are and what you do. But to define your threat model, you can answer questions such as: what information do you want to protect, what are your assets, what are you doing now that exposes you online, who might want to gain this access? So who is your adversary? Where is that information stored online and available? That's a good question. All those different platforms and apps and things we use. And then lastly, what can we do about this?
So what are those mitigating factors, like what can we change in our behavior to prevent leaks of data? So when you conduct an assessment like this, it's a good reminder of how our online activity can impact us. You may move into a new job role where you need to reassess your threat model. That's why it's important to think about this often and reassess as necessary. Just remember this: risk factors will include you and what you do online, but they also include your family members, your associates, your friends, colleagues that can inadvertently expose you online.

So let's talk about sharing. It is easy to accidentally share information online at times. In this example on the left, you'll see Lisa Kudrow, who accidentally reveals her computer password that was written on a Post-it note. She then takes the selfie and she posts it on Instagram, where people identify that, hey, like, you posted your password, that's really poor OPSEC. And then on the example on the right, you'll see a photo posted by LAPD, which shows in the background their login information for a software they were using at the time. So the moral of the story is think twice before you post. If you're considering posting images or photos, make sure it doesn't include sensitive information in that background. But we humans, we do make mistakes, but it's important that we can learn from others, like in these situations.

So here's another example of how people will leak information about themselves. So these are those social media quizzes, some people like to call them. I just call them social engineering questions. So keep answering and it's a prime example of oversharing. So answering questions where they'll say, hey, what are your siblings' names? What's your favorite song? What's the first concert you went to? This is like way too much information. And sometimes some of the questions are answers to your security questions.
So I know most people know not to post photos of, like, credit cards or disclose sensitive login information, but a surprising number of people will post phone numbers and home addresses on social media. And related to some of these questions posted out there, I've seen it and I was shocked. So again, you might ask, hey, what's the risk? Well, someone guessing your passwords, that gives them access to pretty much everything. And then we talk about those social engineering attacks against you and physical harm maybe and whatnot. So those are things to think about. So the takeaway, as mentioned in the slide here on the screenshot on the left, is stop giving people your personal info to guess your password and security questions. Period. That is the lesson here.

So sharing content: be mindful of what's in the background of your photos and video conference calls. This way you just have more control of the information you expose. Privacy settings don't always work on all platforms. Facebook is leaky. Privacy settings on Facebook are not black and white. Keep that in mind and don't let privacy settings be the be-all, end-all of what you do and do not do on some of these platforms. Before posting, ask yourself, if what you posted was leaked, would it compromise you in any way? Would it compromise your location where you live, your family members, too many details just being put out there? Then proceed with your action. Before I post anything on social media, whether there's privacy settings on or not, I ask myself that question, then I proceed. I'm like, hmm, would I want people to see this? Maybe, maybe not. Then I determine the risk there. It is easy to overshare online and overlook those risks, but we have to ask ourselves what criminals or fraudsters might do with this information. And remember that everything that you are posting online is building your digital footprint. That's always key. And that's what this talk is about, right?
Your digital footprint leads back to you and what it says about you and how to make it better, which we'll cover as well.

So the last couple of years have been pretty bad for oversharing. And you'll see here in this example, I have some photos where you could see vaccine cards. So different countries, vaccine cards have different information. Some are just a name and the days that they had their vaccines. And some have date of birth included as well. So this is sensitive information. You'll also see oversharing, like, and not realizing, right? Buying all those Amazon packages and then leaving that label on and then throwing it in recycling. And people being able to find your name and your address, well, that's gold. So something to keep in mind. Airline tickets: people going on a flight to wherever and posting it online on Instagram or whatever platform. And then there's also this photo of a male wearing a work ID here. Well, he wore that work ID and then he stormed the Capitol in January. Well, that's a good way to get fired from your job. But these are all examples of what some of that oversharing looks like.

So there are tons of examples of poor OPSEC. But there are also your online habits of using the same username, say, across platforms. So we OSINT researchers know username aggregators are very helpful when we're looking for finding accounts belonging to the same individual or maybe belonging to the same individual. Well, don't be that person that uses the same username on all your platforms. So you're easy to find; defeats the purpose. When you expose too many details about yourself, you can be targeted for spoofing crimes. So spoofing is where someone calls, say, my family with what looks like my phone number because they've spoofed it. So it says my phone number is calling. And then next they tell my family members that, hey, I'm kidnapped until they pay up a ransom. There's also sharing photos. So sharing photos with passports.
And I know a lot of people use those hashtags. And there's a bunch up on the slide here. But there's also, like, hashtag passport or hashtag boarding pass, whichever interesting. Well, I had someone who didn't know that barcodes can have important information. So they shared a photo of their airline ticket. And they put their thumb over their name. Well, I know that barcodes do have information embedded in them. So I was able to snip the photo and able to reveal their real name by visiting an online barcode reader. So these are the things that sometimes people aren't aware of. But you're still exposing yourself when you don't think you are.

So I could have easily shown you Facebook or Google's apps. But we already know they collect so much information. I was reading an article written by Bellingcat related to tracking military positions. And there's an app called Untappd. I wanted to highlight that even seemingly safe apps can be used against you or against us, because not just the military uses this app. It's anybody that likes beer, because Untappd is a beer drinking app. And it can be used to track habits, including a location of an individual. So I went to just a random user just to see what I found. Well, username, full name, locations they visited, and then not only that, how many times they visited the locations. So I could probably find out they probably live in the area, that kind of stuff. And again, just, that's a lot of information out there. So the awareness here is just understanding that, be aware of what you're signing up for with some of these apps, and, you know, how much information is going to be put out there about you.

So what can you do to protect yourself? Well, these are some general tips, and where you can start just for better privacy and security: using strong passwords, you know, don't use them. Don't use passwords based on your pet's name or your kid's name or your favorite vacation spot. Use a password manager. That's also helpful.
But also think of things like your browsing habits. So using a secure search engine like DuckDuckGo. DuckDuckGo does not save your search history or your personal data. The next few slides are going to cover some things that can help with your searching habits.

So let's first talk about Google Chrome. And also, there's other browsers which will have this incognito mode. And they're called different things in different browsers, but this one, it's called incognito. And I noticed there's a lot of confusion about what incognito mode does. Well, using incognito mode, it doesn't really protect you. The thing it does protect you from is if you have, like, a shared computer, and you don't want your searches to be found by the person that you share the computer with, well, it won't save that information on the computer you're using. But your internet service provider, your ISP, and other websites can still see your searches. So it's surely understanding, like, what it does versus what it does not do.

So if you want to see what your browser appears like to other sites, use one or a couple of these free services to see the details of your IP address, the type of browser you use, the operating system, maybe other details. This information gives us some insight on how identifiable you are to other sites and people. And sometimes it is worth taking a look at more than one of these sites just to do a comparison of what they observe as your browser fingerprint.

So after trying some of these sites, you might be thinking, well, what can I do to fix or change that? Well, we have something called browser extensions that you can use to adjust your privacy settings. There are many out there, but I only just mentioned three that I use at least. There's HTTPS Everywhere. This encrypts your communications with many websites you might visit. It makes your browsing more secure. So what it does is it switches sites from the insecure use of HTTP to the secure site of HTTPS.
And then we also have things like Privacy Badger, which blocks advertisers and third-party trackers from secretly tracking where you go and what pages you visit online. And lastly, we have User-Agent Switcher for Chrome. So this is an extension that changes the user agent, which is something that identifies what browser's being used, the version, and what operating system you're using. So when you activate this extension, it helps change your browser and operating system footprint. So I'm using the iOS operating system and, say, Chrome, but we can spoof these details with this extension. So it's kind of neat to take a look if you don't already use it.

So what else can you do to secure yourself? What are some solutions? Well, we have security by absence. So not posting information out there in the first place. You can't get hacked through services and apps you don't have. Right? That's something I keep in mind. But one thing I do want to highlight here is, it's just a good reminder that there's times where we used to use certain sites and apps and services. Well, if you don't use them anymore, if you stop using them, delete those accounts related to them. This is part of cleaning up your digital footprint. I've conducted security assessments where I often find users' old accounts that were never deleted, but they contain tons of information like their old photos and everything and who they hung out with and what they did. So that's just something really important to do as well.

There's also another technique used, which is called disinformation. So this is where you plant some fake information to mix up your digital footprint. You can create fake accounts, especially if you have a unique name. So if you have a common name like mine, Ritu Gill, very common, this helps me kind of hide in some ways. But if your name isn't common, you'll have to put in more effort, and disinformation is one way to do that. The goal here is to make attribution to your name difficult.
And next, let's educate those around us. That's part of our job. Not only do we want to educate ourselves, but the people that we're closest to, our friends and family, they need to know this stuff too, letting them know how they could be impacting or compromising some of their privacy and security out there on the online world. There's a really cool video that might help with this just to give people an idea. It's called Data to Go, which shows you how easy it is to obtain information about people online. It's a fun little video and I created a short link, or you can just enter Data to Go in YouTube and you can find the video that way. Typically, I'd say don't click on short links, but you can trust me. On the open web, I would always use a URL expander to view any short links just to see where they take you before clicking on it.

Data breaches. So have you checked if your accounts have been part of a data breach? Troy Hunt's website, Have I Been Pwned, lets you search email and phone number to find breaches associated to that email or phone number that you search. This site also allows you to set up notifications for when and if that phone number or email is part of a new breach. If you find there are breaches associated to an email or a phone number that you have, well, maybe go delete that account altogether or that app that you were using that got breached. Or you might want to go change. Well, you're going to want to go change your password for sure, but depending on the situation, you might want to do different things. It's all about minimizing the data about us out there. So breach data, breaches happen every day, but breach data can end up on the dark web. So it's important for us to stay on top of these things. And that's why you want to sign up for notifications, right, associated to your personal email addresses and whatnot.

Other useful sites with descriptions of what they include are on this slide. I'll just go through a few of them.
So the first one stands for Terms of Service; Didn't Read. It's for all of us who didn't read the terms and services of websites before clicking "I agree." This website will break down what the terms and conditions are for popular sites. Very helpful because lots of people don't want to read through the pages and pages of the terms and conditions of sites we sign up for. And then we have a website called privacytools.io, which provides a bunch of information to learn about tools, again, that can help you, right? JustGetMyData.com is helpful when you want to find out how to get your data from certain sites. Because sometimes some sites don't make it easy, where I'm like, hey, how do I download my information or how do I find out where to delete my information. So there's some sites here that will help you with some of that as well.

All right. So there's a documentary that is or was on Netflix called The Social Dilemma. It is a good awareness film and it shows the many ways that social media companies have influenced society. So I don't want to say too much about it, but it's interesting because the documentary features interviews with several former employees and executives of companies like Facebook, Google and Twitter. So it's interesting to see their perspective, but it's something to go take a look at when you have time.

All right. So an exercise. Well, this is one of the easiest ways that you can see what your digital footprint looks like, or start with at least. Start with what you use online, your name or usernames or email addresses you've used and so on. So that's the first step in identifying, like, hey, what's all the stuff out there about me, and use a few different search engines, at least two I'd say. So Google and Bing. Those are some options. And then once you've identified what your online footprint looks like. Well, there's some of these services. Sorry. So there's a bunch of blog posts here that I have mentioned.
Whether it's by Micah Hoffman, who is @WebBreacher, or Josh Huff, which is Learn All The Things, his website. They provide useful tips to clean up your digital footprint. So check these out and see what and how you can remove some of that digital footprint. One of the caveats here is that there will be challenges due to the availability of public records in some countries, like the United States. But there are a lot of other places that include your digital footprint where you do have more control. So that's the second step, after you've looked at your digital footprint. Well, go ahead and remove some of that stuff that you can. And these are some of those resources that will assist you.

Final thoughts. Well, if you could just go ahead and keep OPSEC in mind, that would be great. So the idea here is don't be a soft target by exposing too much personal information or details about your life.

Some of my contact information: I go by OSINT techniques on Twitter. And my email is osint.techniques@protonmail.com. Feel free to reach out if you have any comments or questions. And if you have any questions right now, I'm happy to answer those as well. Thank you so much for hearing my talk.