Larry’s Operational Security Manual

01Overview

text

1Friendly Larry’s Operational Security Manual :2*Hat APT-Adversary edition3--- Bhavesh M. Dhake4======================================================5Index :-6Category 1 : Physical layer7Category 2 : Hardware layer8Category 3 : Operating System Layer9Category 4 : Network layer10Category 5 : Browser layer11Category 6 : Identity layer12Category 7 : Infrastructure layer13Category 8 : Side Channel layer14Category 9 : Radio Frequency layer15======================================================16Category 1 : Physical17______________________________________________________________181. Residential physical opsec :19• Keep ur devices such that they are out of direct visibility from window etc.20• Lock doors, windows and any other entry points regularly21• Verify unexpected visitors before even letting them have a glance inside22• Do not allow unscheduled deliveries or handy man23• Seperate work area from guest view24• Use curtains at night25• stay aware of repeated people from sign of residence262. Movement and Daily routine opsec :27• Slightly vary departure timings28• Avoid using same seating places in public spaces29• Keep awareness of surroundings with paranoia30• Do not leave ur devices unattended anywhere else313. Device custody discipline :32• Shutdown devices when travelling or leaving them33• Use full disk encryption34• Lock screens immediately when stepping away35• Avoid public space screen exposure364. Peripheral and accessory safety :37• use ur own chargers and cables38• Avoid unknown usb drivers39• Avoid borrowed docks and adapters40• Prefer wall power over public charging ports415. Supply chain :42• Avoid unknown refurbished hardware43• Modified OS images from certs446. Wireless and signal awareness45• Turn off bluetooth when not in use46• Disable auto join wifi networks47• Limit unneccessary Iot devices48• Power off devices when extreme privacy is needed497. Sensory and environment awareness50• Use shutter webcam or cover51• Restrict microphone permissions52• Disable always listening assistants53• Avoid discussing sensitive info near devices548. Vechile and travel opsec55• Dont leave electronics in vechiles56• Avoid pradictable parking habits57• Occassionaly check belongings for unknown trackers58• Seperate sensitive work from travel environments599. Social and behavioural opsec60• Oversharing technical capability61• Public boasting about offensive skills62• Unncessary online attention63• Revealing routines or infrastructure64======================================================65Category 2 : Hardware layer66______________________________________________________________671. Trusted hardware procuremt :68• Buy directly from manufacturer or authorized retailer69• Avoid unknown refurbished devices for sensitive works70• Prefer sealed hardware712. Clean re installation of OS72• Download OS only from official sources73• Do not use modified os even from institutions74• Verify cryptographic signatures753. FIrmware security :76• Update BIOS/UEFI regularly77• Set BIOS administrator password78• Disable external boot devices79• Disable unused hardware interfaces804. Maintain full disk encryption815. Physical device control82• never leave laptop unattended or atleast shutdown or locked83• Shut down during travel84• Carry devices urself856. DMA attack protection :86• Enable kernel DMA protection87• Enable IOMMU887. Wireless hardware opsec :89• Disable bluetooth90• Disable auto connect91• Turn off unused radios92• Limit iot devices938. Sensor protection94• Webcam cover95• Microphone permissions96• Disable voice assistants979. Storage hardware protection98• cryptographic erase99• secure erase tools10010. Tamper awareness101• Loose screws102• Casing gaps103• Unexpected adapters104• New devices appearing in OS105====================================================106Category 3 : Operating System layer107____________________________________________________________1081. Secure OS chain and trust chain109• Verify checksum of iso files110• Verify developer signatures111• Fingerprint independently112• Use official resources only not even institure altered mods1132. Secure boot and boot chain protection114• In BIOS enable secure boot115• In BIOS enable TPM116• In BIOS enable measured boot117• Verify boot integrity1183. Use full device encryption1194. Minimal os installation120• Remove unused services121• Remove unneccessary packages122• Remove unused default apps1235. User privilege seperation124• Create standard user account125• Seperate admin account126• Use privilege escalation only when required1276. Application isolation / sandboxing1287. Software source integrity129• Install software from official repositories130• Use only signed packages131• Get from trusted vendors1328. Update discipline133• Enable auto update134• Stay aware of latest cve patches1359. Process and persistence monitoring136• Use tools to monitor of active and persistent instances137• Process privileges138• Check regularly for all startup apps139• Check for privileges for apps140• Use native AV and EDR’s141====================================================142Category 4 : Network layer143___________________________________________________________1441. Router / home network hardening145• Change default admin password146• Update router firmware147• Disable remote administration148• Disable WPS149• Usa WPA3 or WPA2-AES150• Segmentation in network for main , lab , iot , guest1512. Firewall control :152• Modify iptables / nftables153• Monitor and restrict open ports154• Use encrypted DNS over HTTPS155• Use encrypted DNS over TLS156• Enable secure DNS1573. Traffic encryption discipline158• Use https , ssh , tls , encrypted messaging159• Avoid ftp , telnet etc. Insecure protocols1604. Public wifi opsec161• Use VPN on trusted networks162• Disable file sharing163• Disable auto connect164• Firewall enabled before connecting165• Disable discovery1665. VPN167• Use zero knowledge vpn’s168• Trusted brands and non controversial169• Using anonymous accounts and payement methods1706. Network segmentation171• Separate networks for guest , Iot , family and work1727. Outbound traffic awareness173• Disable unnecessary services174• Close unused ports175• Check listening services176• Restrict and monitor outbound traffic flow1778. Enable MAC randomization and private address feature1789. Remote access hardening179• Key authentication only180• Disable only password login181• Restrict ip address18210. Recon monitoring ur own network18311. Keep logs when possible18412. Use TOR and DNS proxy such as cloudflare 1.1.1.1185======================================================186Category 5 : Browser layer187______________________________________________________________1881. Right choice :189• Firefox browser190• Brave browser191• Mullvad browser192• Tor browser1932. Seperate browsing identities194• Use different account on different browsers195• Based on intensity of privacy required196• Adjusted browser configurations1973. Harden browser198• Disable telemetry199• Disable third party cookies200• Partition storage201• Restrict tracking202• Bridges for tor203• And all other configurable features available for the browser2044. Essential security extensions205• Block trackers206• Block ads207• Block cookies208• Block malicious domain redirections2095. Javascript risk210• Disble javascript wherever possible211• Use hardened browser modes212• Restrict weird sites213• Open suspicious links in isolated or defense testing env such as214virustotal/anyrun2156. Browser isolation216• Use browser via os in virtual machine217• Use browser via os in live usb boot218• Sandbox execution2197. Prevent browser fingerprinting220• Prevent fingerprinting signals leak such as screensize ,221font , GPU , timezon , extesions , canvas rendering222• Keep browser default appearance223• Dont use too many fancy extensions224• Avoid manual tweaking presenting as unique identity225• Browser fingerprinting websites testing and refinement2268. Cookie and session hygine227• Auto delete cookies on close228• Isolate login229• Logout unused accounts2309. Download safety231• download from official sources only232• Verify signatures when possible233• Scan for suspicious files before interacting and execution23410. Phishing safety235• Check domains and urls carefully before interacting236• Avoid login link and content links from emails etc.237• Allow https only mode23811. Disable dangerous features239• Disable Webrtc ip leakage240• Disable automatic download241• Set always ask location before downloading242• Disable notification permissions243• Disable background synchronization244• Avoid copying sensitive data to clipboard245• Restrict camera and microphone access246=====================================================247Category 6 : Idenity Layer248_____________________________________________________________2491. Identity Compartmentalization250• Real identity251• Professional identity252• Research identity253• Public identity254• Disposable idenity2552. Implementation256• Email accounts257• Browser profiles258• Devices259• VMs260• Phone numbers261• Username etc.2623. Email opsec263• Seperate email per identity264• Never use recovery email from another identity265• Disable unnecessary recovery options2664. Username opsec267• Avoid reusing usrnames268• Avoid similar naming patterns269• Avoid using similar avatars2705. Phone number opsec271• Avoid linking phone number wherever possible272• Use seperate phone numbers for different identities273• Have disposable bought numbers based on pseudo identity274• Use app based auth instead of sms2756. Authentication hygine276• Use privacy focused and reputed password managers277• Use unique and strong password278• Enable multi factor authentication279• Use USB stick auth wherever possible2807. Social media opsec281• Restrict personal details282• Avoid posting routine locations or any283• Remove unnecessart biography data284• Limit friends and visibility2858. OSINT self audit2869. HUMINT self audit28710. Data broker exposure reduction288• Avoid unnecessary registrations289• Avoid oversharing on forums290• Opt out of requests wherever possible291• Restrict data access by third party apps29211. Document and files matadata hygine293• Strip metadata or alter with false metadata294• Avoid platforms which use original metadata29512. Reputation and visibility control296===================================================297Category 7 : Infrastructure layer298___________________________________________________________2991. Separate Infrastructure300• Different administrative accounts301• Dedicated management environments302• Role seperation between personal accout and infrastructure usage3032. Secure account access to infrastructure304• Strong unique passwords305• MFA everywhere306• Hardware security keys wherever possible3073. Harden cloud and server access308• Restrict administrative access309• Disable unused services310• Minimize exosed ports311• Firewall rules312• Ip allow lists313• Vpn base admin acess3144. Network segmentation315• Production316• Testing317• Research318• Management319• VLAN segmentation3205. Domain and DNS opsec321• Eliminate risk for Ownership and lookup exposure,322• Infrastrucure mapping ,323• Targetting through DNS records324• Enable resgister account protection325• Use registry lock when possible326• Protect dns management account with mfa3276. Logging and monitoring328• Monitor authentication attempts329• Log configuration changes330• Check for unusual traffic3317. Patch and update infrastructure maintenance for332• OS updates333• Container update334• Dependency updates335• Service patches3368. Backup infra337• Encrypted backups338• Offline and cloud backup copies and mirrors339• Recovery testing3409. Infra metadata awareness341• Restrict instance permissions342• Apply least privilege access roles34310. Secure remote administration344• Vpn based management access345• Key based authentication346• Restrict admin end points34711. Supply chain protection348• Compromised libraries349• Malicious updates350• Verify packages351• Monitor dependancies352• Restrict trust of external code35312. Provider trust awareness354• Provider can see metadata355• Infra actions are recorder356======================================================357Category 8 : Side channel layer358_______________________________________________________________3591. Physical proximity control :360• Control who can physically approach ur device361• Avoid sensitive work in public environment362• Keep unknown electronics away363• Avoid shared desks for sensitive tasks3642. Electromagnetic emission reduction365• Keep systems away from windows facing public areas366• Avoid placing laptops near external walls367• Reduce using unnecessary cables as antennas368• Use shielded rooms369• Use grounded equipments370• Use filtered power lines3713. Power analysis risk reduction372• Use quality power supplies373• Avoid shared unknown power sources374• Prefer battery operation for sensitive tasks375• Use surge-protected grounded outlets.3764. Acoustic leakage reduction377• Avoid sensitive work near recording devices.378• Disable always-listening smart assistants.379• Reduce nearby microphones or IoT speakers.380• Maintain moderate ambient noise.3815. Wireless emission discipline382• disable Bluetooth383• disable Wi-Fi if unnecessary384• disconnect unused radios.385======================================================386Category 9 : Radio Frequency layer387_______________________________________________________________3881. Common RF sources:389• Wi-Fi390• Bluetooth391• Cellular392• NFC393• GPS receivers394• IoT radios (Zigbee / Thread / proprietary)395• Wireless peripherals3962. Control radio emissions397• Turn off Bluetooth, wifi , nfc, hotspot sharing , unused wireless adapters3983. Prevent device tracking via identifiers399• Enable MAC address randomization400• Disable auto connect networks401• Forget networks not in use4024. Secure wifi usage403• Avoid connecting automatically.404• Prefer trusted networks.405• Disable probe broadcasting where possible.406• Remove saved networks periodically.4075. Bluetooth opsec408• Keep Bluetooth off by default409• Disable device discoverability410• Remove old paired devices411• Avoid persistent wearable pairing when unnecessary.4126. Cellular radio discipline413• Disable unused SIM/eSIM profiles.414• Disable location sharing apps.415• Power off device when true radio silence is required.4167. Reduce RF leakage from workspace417• Workstation away from windows418• Router centrally placed419• No unnecessary transmitters nearby4208. Control iot radio surface421• Reduce or isolate smart speakers , cameras , wireless sensors etc. Smart IoTs4229. Rogue access point awareness423• manually select networks424• verify network names425• disable automatic joining.42610. Wireless peripheral safety427• prefer encrypted wireless peripherals428• avoid unknown dongles429• remove unused receivers.43011. RF environment awareness431• SDR receivers (for learning RF environment)432• spectrum visualization software433• Wi-Fi scanning tools.43412. GPS and location signal opsec435• disable unnecessary location permissions436• restrict background location access437• remove geotags from photos.43813. Reduce continuous beacon devices439• smartwatches440• earbuds441• trackers442• fitness devices.443======================================================

1Friendly Larry’s Operational Security Manual :2*Hat APT-Adversary edition3--- Bhavesh M. Dhake4======================================================5Index :-6Category 1 : Physical layer7Category 2 : Hardware layer8Category 3 : Operating System Layer9Category 4 : Network layer10Category 5 : Browser layer11Category 6 : Identity layer12Category 7 : Infrastructure layer13Category 8 : Side Channel layer14Category 9 : Radio Frequency layer15======================================================16Category 1 : Physical17______________________________________________________________181. Residential physical opsec :19• Keep ur devices such that they are out of direct visibility from window etc.20• Lock doors, windows and any other entry points regularly21• Verify unexpected visitors before even letting them have a glance inside22• Do not allow unscheduled deliveries or handy man23• Seperate work area from guest view24• Use curtains at night25• stay aware of repeated people from sign of residence262. Movement and Daily routine opsec :27• Slightly vary departure timings28• Avoid using same seating places in public spaces29• Keep awareness of surroundings with paranoia30• Do not leave ur devices unattended anywhere else313. Device custody discipline :32• Shutdown devices when travelling or leaving them33• Use full disk encryption34• Lock screens immediately when stepping away35• Avoid public space screen exposure364. Peripheral and accessory safety :37• use ur own chargers and cables38• Avoid unknown usb drivers39• Avoid borrowed docks and adapters40• Prefer wall power over public charging ports415. Supply chain :42• Avoid unknown refurbished hardware43• Modified OS images from certs446. Wireless and signal awareness45• Turn off bluetooth when not in use46• Disable auto join wifi networks47• Limit unneccessary Iot devices48• Power off devices when extreme privacy is needed497. Sensory and environment awareness50• Use shutter webcam or cover51• Restrict microphone permissions52• Disable always listening assistants53• Avoid discussing sensitive info near devices548. Vechile and travel opsec55• Dont leave electronics in vechiles56• Avoid pradictable parking habits57• Occassionaly check belongings for unknown trackers58• Seperate sensitive work from travel environments599. Social and behavioural opsec60• Oversharing technical capability61• Public boasting about offensive skills62• Unncessary online attention63• Revealing routines or infrastructure64======================================================65Category 2 : Hardware layer66______________________________________________________________671. Trusted hardware procuremt :68• Buy directly from manufacturer or authorized retailer69• Avoid unknown refurbished devices for sensitive works70• Prefer sealed hardware712. Clean re installation of OS72• Download OS only from official sources73• Do not use modified os even from institutions74• Verify cryptographic signatures753. FIrmware security :76• Update BIOS/UEFI regularly77• Set BIOS administrator password78• Disable external boot devices79• Disable unused hardware interfaces804. Maintain full disk encryption815. Physical device control82• never leave laptop unattended or atleast shutdown or locked83• Shut down during travel84• Carry devices urself856. DMA attack protection :86• Enable kernel DMA protection87• Enable IOMMU887. Wireless hardware opsec :89• Disable bluetooth90• Disable auto connect91• Turn off unused radios92• Limit iot devices938. Sensor protection94• Webcam cover95• Microphone permissions96• Disable voice assistants979. Storage hardware protection98• cryptographic erase99• secure erase tools10010. Tamper awareness101• Loose screws102• Casing gaps103• Unexpected adapters104• New devices appearing in OS105====================================================106Category 3 : Operating System layer107____________________________________________________________1081. Secure OS chain and trust chain109• Verify checksum of iso files110• Verify developer signatures111• Fingerprint independently112• Use official resources only not even institure altered mods1132. Secure boot and boot chain protection114• In BIOS enable secure boot115• In BIOS enable TPM116• In BIOS enable measured boot117• Verify boot integrity1183. Use full device encryption1194. Minimal os installation120• Remove unused services121• Remove unneccessary packages122• Remove unused default apps1235. User privilege seperation124• Create standard user account125• Seperate admin account126• Use privilege escalation only when required1276. Application isolation / sandboxing1287. Software source integrity129• Install software from official repositories130• Use only signed packages131• Get from trusted vendors1328. Update discipline133• Enable auto update134• Stay aware of latest cve patches1359. Process and persistence monitoring136• Use tools to monitor of active and persistent instances137• Process privileges138• Check regularly for all startup apps139• Check for privileges for apps140• Use native AV and EDR’s141====================================================142Category 4 : Network layer143___________________________________________________________1441. Router / home network hardening145• Change default admin password146• Update router firmware147• Disable remote administration148• Disable WPS149• Usa WPA3 or WPA2-AES150• Segmentation in network for main , lab , iot , guest1512. Firewall control :152• Modify iptables / nftables153• Monitor and restrict open ports154• Use encrypted DNS over HTTPS155• Use encrypted DNS over TLS156• Enable secure DNS1573. Traffic encryption discipline158• Use https , ssh , tls , encrypted messaging159• Avoid ftp , telnet etc. Insecure protocols1604. Public wifi opsec161• Use VPN on trusted networks162• Disable file sharing163• Disable auto connect164• Firewall enabled before connecting165• Disable discovery1665. VPN167• Use zero knowledge vpn’s168• Trusted brands and non controversial169• Using anonymous accounts and payement methods1706. Network segmentation171• Separate networks for guest , Iot , family and work1727. Outbound traffic awareness173• Disable unnecessary services174• Close unused ports175• Check listening services176• Restrict and monitor outbound traffic flow1778. Enable MAC randomization and private address feature1789. Remote access hardening179• Key authentication only180• Disable only password login181• Restrict ip address18210. Recon monitoring ur own network18311. Keep logs when possible18412. Use TOR and DNS proxy such as cloudflare 1.1.1.1185======================================================186Category 5 : Browser layer187______________________________________________________________1881. Right choice :189• Firefox browser190• Brave browser191• Mullvad browser192• Tor browser1932. Seperate browsing identities194• Use different account on different browsers195• Based on intensity of privacy required196• Adjusted browser configurations1973. Harden browser198• Disable telemetry199• Disable third party cookies200• Partition storage201• Restrict tracking202• Bridges for tor203• And all other configurable features available for the browser2044. Essential security extensions205• Block trackers206• Block ads207• Block cookies208• Block malicious domain redirections2095. Javascript risk210• Disble javascript wherever possible211• Use hardened browser modes212• Restrict weird sites213• Open suspicious links in isolated or defense testing env such as214virustotal/anyrun2156. Browser isolation216• Use browser via os in virtual machine217• Use browser via os in live usb boot218• Sandbox execution2197. Prevent browser fingerprinting220• Prevent fingerprinting signals leak such as screensize ,221font , GPU , timezon , extesions , canvas rendering222• Keep browser default appearance223• Dont use too many fancy extensions224• Avoid manual tweaking presenting as unique identity225• Browser fingerprinting websites testing and refinement2268. Cookie and session hygine227• Auto delete cookies on close228• Isolate login229• Logout unused accounts2309. Download safety231• download from official sources only232• Verify signatures when possible233• Scan for suspicious files before interacting and execution23410. Phishing safety235• Check domains and urls carefully before interacting236• Avoid login link and content links from emails etc.237• Allow https only mode23811. Disable dangerous features239• Disable Webrtc ip leakage240• Disable automatic download241• Set always ask location before downloading242• Disable notification permissions243• Disable background synchronization244• Avoid copying sensitive data to clipboard245• Restrict camera and microphone access246=====================================================247Category 6 : Idenity Layer248_____________________________________________________________2491. Identity Compartmentalization250• Real identity251• Professional identity252• Research identity253• Public identity254• Disposable idenity2552. Implementation256• Email accounts257• Browser profiles258• Devices259• VMs260• Phone numbers261• Username etc.2623. Email opsec263• Seperate email per identity264• Never use recovery email from another identity265• Disable unnecessary recovery options2664. Username opsec267• Avoid reusing usrnames268• Avoid similar naming patterns269• Avoid using similar avatars2705. Phone number opsec271• Avoid linking phone number wherever possible272• Use seperate phone numbers for different identities273• Have disposable bought numbers based on pseudo identity274• Use app based auth instead of sms2756. Authentication hygine276• Use privacy focused and reputed password managers277• Use unique and strong password278• Enable multi factor authentication279• Use USB stick auth wherever possible2807. Social media opsec281• Restrict personal details282• Avoid posting routine locations or any283• Remove unnecessart biography data284• Limit friends and visibility2858. OSINT self audit2869. HUMINT self audit28710. Data broker exposure reduction288• Avoid unnecessary registrations289• Avoid oversharing on forums290• Opt out of requests wherever possible291• Restrict data access by third party apps29211. Document and files matadata hygine293• Strip metadata or alter with false metadata294• Avoid platforms which use original metadata29512. Reputation and visibility control296===================================================297Category 7 : Infrastructure layer298___________________________________________________________2991. Separate Infrastructure300• Different administrative accounts301• Dedicated management environments302• Role seperation between personal accout and infrastructure usage3032. Secure account access to infrastructure304• Strong unique passwords305• MFA everywhere306• Hardware security keys wherever possible3073. Harden cloud and server access308• Restrict administrative access309• Disable unused services310• Minimize exosed ports311• Firewall rules312• Ip allow lists313• Vpn base admin acess3144. Network segmentation315• Production316• Testing317• Research318• Management319• VLAN segmentation3205. Domain and DNS opsec321• Eliminate risk for Ownership and lookup exposure,322• Infrastrucure mapping ,323• Targetting through DNS records324• Enable resgister account protection325• Use registry lock when possible326• Protect dns management account with mfa3276. Logging and monitoring328• Monitor authentication attempts329• Log configuration changes330• Check for unusual traffic3317. Patch and update infrastructure maintenance for332• OS updates333• Container update334• Dependency updates335• Service patches3368. Backup infra337• Encrypted backups338• Offline and cloud backup copies and mirrors339• Recovery testing3409. Infra metadata awareness341• Restrict instance permissions342• Apply least privilege access roles34310. Secure remote administration344• Vpn based management access345• Key based authentication346• Restrict admin end points34711. Supply chain protection348• Compromised libraries349• Malicious updates350• Verify packages351• Monitor dependancies352• Restrict trust of external code35312. Provider trust awareness354• Provider can see metadata355• Infra actions are recorder356======================================================357Category 8 : Side channel layer358_______________________________________________________________3591. Physical proximity control :360• Control who can physically approach ur device361• Avoid sensitive work in public environment362• Keep unknown electronics away363• Avoid shared desks for sensitive tasks3642. Electromagnetic emission reduction365• Keep systems away from windows facing public areas366• Avoid placing laptops near external walls367• Reduce using unnecessary cables as antennas368• Use shielded rooms369• Use grounded equipments370• Use filtered power lines3713. Power analysis risk reduction372• Use quality power supplies373• Avoid shared unknown power sources374• Prefer battery operation for sensitive tasks375• Use surge-protected grounded outlets.3764. Acoustic leakage reduction377• Avoid sensitive work near recording devices.378• Disable always-listening smart assistants.379• Reduce nearby microphones or IoT speakers.380• Maintain moderate ambient noise.3815. Wireless emission discipline382• disable Bluetooth383• disable Wi-Fi if unnecessary384• disconnect unused radios.385======================================================386Category 9 : Radio Frequency layer387_______________________________________________________________3881. Common RF sources:389• Wi-Fi390• Bluetooth391• Cellular392• NFC393• GPS receivers394• IoT radios (Zigbee / Thread / proprietary)395• Wireless peripherals3962. Control radio emissions397• Turn off Bluetooth, wifi , nfc, hotspot sharing , unused wireless adapters3983. Prevent device tracking via identifiers399• Enable MAC address randomization400• Disable auto connect networks401• Forget networks not in use4024. Secure wifi usage403• Avoid connecting automatically.404• Prefer trusted networks.405• Disable probe broadcasting where possible.406• Remove saved networks periodically.4075. Bluetooth opsec408• Keep Bluetooth off by default409• Disable device discoverability410• Remove old paired devices411• Avoid persistent wearable pairing when unnecessary.4126. Cellular radio discipline413• Disable unused SIM/eSIM profiles.414• Disable location sharing apps.415• Power off device when true radio silence is required.4167. Reduce RF leakage from workspace417• Workstation away from windows418• Router centrally placed419• No unnecessary transmitters nearby4208. Control iot radio surface421• Reduce or isolate smart speakers , cameras , wireless sensors etc. Smart IoTs4229. Rogue access point awareness423• manually select networks424• verify network names425• disable automatic joining.42610. Wireless peripheral safety427• prefer encrypted wireless peripherals428• avoid unknown dongles429• remove unused receivers.43011. RF environment awareness431• SDR receivers (for learning RF environment)432• spectrum visualization software433• Wi-Fi scanning tools.43412. GPS and location signal opsec435• disable unnecessary location permissions436• restrict background location access437• remove geotags from photos.43813. Reduce continuous beacon devices439• smartwatches440• earbuds441• trackers442• fitness devices.443======================================================