Opsec examples: 6 spectacular operational security failures

Every day, most of us leave trails of online breadcrumbs behind us, disconnected pieces of data that a determined sleuth could connect to learn about our activities and perhaps break through our veil of anonymity. The struggle to prevent attackers from putting these puzzle pieces together is known as operational security (opsec).

Most of us don’t think too much about all this: nobody’s trying to track us down, and if they did, the consequences wouldn’t be too worrisome. But there are those for whom the stakes are much higher. Would it be so bad if someone recognized the handles of your anonymous social media accounts as the name of one of your big work projects or the subject of your senior thesis? It might be if you were the director of the FBI. Does it matter if the selfies you upload to social media have location data embedded in them, or if your fitness tracker sends anonymized data about your jogging route to its manufacturer? It might if you’re a soldier on a secret military base or in a country where your government swears it hasn’t sent any troops.

Hackers and cybercriminals—of both the freelance and state-sponsored variety—are generally quick to exploit any failures in opsec made by potential victims. That’s why it’s perhaps surprising that these malicious actors often themselves fail to cover their online tracks, whether due to arrogance, incompetence, or some combination of the two. You can view these incidents as morality plays in which the bad guys get their comeuppance, but maybe it’s better to think about them as cautionary tales: you might not be spying for the Chinese government or running an online drug market, but you could fall into the same mistakes that these cybercriminals did, to your peril.

All roads lead back to Dread Pirate Roberts

For a few years in the early 2010s, the Silk Road was a source of fascination and frustration for computer security researchers and law enforcement alike. An underground marketplace where users could trade cryptocurrency for drugs, weapons, and other illegal goods and services, it brought the idea of the “dark web,” along with knowledge about Tor and bitcoin, into the consciousness of regular people….