An "OPSEC" or operations security manual originally intended to guide journalists and activists on how to protect their identities was reportedly being used by the self-proclaimed Islamic State. One of its most interesting recommendations involves the use of Apple's encrypted iMessage service.
According to a recent report from Wired, the OPSEC manual was discovered by researchers at the West Point military academy's Combating Terrorism Center and found that it is uploaded in various online forums used by ISIS followers. The document was initially written in Arabic by Cyberkov, a security firm based in Kuwait. The manual's original purpose is to help media personnel, and political activists in Gaza evade Israeli cyber-intelligence probes.
The 34-page document, which is translated into English and embedded below, was apparently being utilized by ISIS to advise its supporters on how to avoid cyber-espionage by its opponents. The booklet is used by the group as a way to teach insurgents how to keep their online communication and location private.
It contains several recommendations on how to ensure privacy including the use of certain messaging applications. The OPSEC manual advises users to avoid Facebook as it can be intercepted. While the Facebook-owned WhatsApp messaging service is encrypted, the manual also suggested that users should avoid it citing reports that the US government have already been scrutinizing it following reports that ISIS have used it in the past.
The manual suggests the use of a handful of instant messaging clients whose servers are not based in the United States such as Telegram, Wickr and CryptoCat among others. A notable recommendation is Apple's iMessage, despite the fact that it is a service by a prominent American company. The OPSEC guide mentioned that iMessage is protected by encryption protocols that government agencies or even Apple cannot spy upon.
Other suggestions provided by the document included the use of strong passwords and a warning against clicking suspicious links that might enable intelligence agencies to breach online security measures. It also demonstrated how to set up customized WiFi networks that will enable users to share text messages and multimedia message without the need for Internet access.The manual endorses the use of ultra-secure, encryption-focused devices such as the BlackPhone.
The majority of the advice and recommendations in the OPSEC booklet mostly reflects the general advice given to people to avoid being hacked. Aaron Brantly of West Point's Combating Terrorism Center mentioned in the Wired report that the OPSEC manual was "about as good at OPSEC as you can get without being formally trained by a government." Brantly pointed out that its recommendations were probably what he would also give to human rights activists and journalists to evade surveillance in other countries. "If they do it right, then they can become pretty secure. [But] there's a difference between telling somebody how to do it and then [them] doing it right," he added.