Archive for the Family OPSEC Category

Who Wrote The Book Of Love

While reading “Hour Game” by David Baldacci I came upon a narrative that screamed OPSEC better than anything I’ve read or seen on TV lately. Never underestimate the threat - in any situation…

He watched the old couple totter out of the supermarket and ease into their Mercedes station wagon. He wrote down the license plate number. He would run it later on the Internet and get their home address. They were doing their own shopping, so they probably had no live-in help or grown children nearby. The make of the car was relatively new, so they weren’t surviving solely on Social Security. The man wore a cap with the logo of the local country club. That was another potential gold mine of information he might later tap.

He sat back and waited patiently. More prospects were sure to come in the busy shopping center. He could consume all he wanted without ever once taking out his wallet.

A few minutes later an attractive woman in her thirties came out of a pharmacy carrying a large bag. His gaze swung to her, his homicidal antennae twitching with interest. The woman stopped at the ATM next to the pharmacy, withdrew some cash and then committed what should have been classified as a mortal sin for the new century: she tossed the receipt into the trash before climbing into a bright red Chrysler Sebring convertible. Her vanity plate read “DEH JD.”

He quickly translated that to be her initials and the fact that she was a lawyer, the “JD” standing for Juris Doctor. Her clothes told him she was fastidious about her appearance. The tan on her arms, face and legs was deep. If she was a practicing lawyer, she probably had just come back from vacation or else had visited the tanning booth over the winter. She was very fit-looking, her calves particularly well developed. His gaze had fixed on the gold anklet she wore on her left leg as she climbed in her car. That was intriguing, he thought.

She had a current-year American Bar Association bumper sticker, so the odds were she was still practicing law. And she was also single - there was no wedding ring on her finger. And right next to the ABA bumper sticker was a parking permit for a very expensive gated residential development about two miles from here. He nodded appreciatively. These stickers were very informative.

He parked, got out of the Bug, walked over to the trash can, made a show of throwing something away and in the same motion plucked out the ATM receipt. The woman really should have known better. She might as well have tossed her personal tax return in the trash. She was now naked, completely open to any probing he wanted to do.

When he got back to his car, he looked at the name on the account: D. Hinson. He’d look her up in the phone book later. And she’d also be in the business listings, so he’d know which law firm in town she worked at. That would give him two potential targets. Banks had started leaving off some of the numbers of the account because they knew their customers stupidly disposed of their receipts where they were easy picking for people like him.

He kept trolling under the warming sun. What a nice day it was shaping up to be. He reclined slightly in his seat only to perk up when off to his right a soccer mom started loading groceries in her van. He wasn’t guessing there: she wore a T-shirt that announced her status. An infant rode in the car seat in the rear. A green bumper sticker announced that the woman was the mom of an honor roll student at Wrightsburg Middle School for the current school year.

Good to know, he thought: seventh or eighth grader and an infant. He pulled into the space next to the van and waited. The woman took the cart back to the front of the store, leaving the baby completely unguarded.

He got out of the Bug, leaned into the van’s open driver’s side window and smiled at the baby, who grinned back, chortling. The interior of the van was messy. Probably so was the woman’s house. If they had an alarm system, they probably never turned it on. Probably forgot to lock all the doors and windows too. It was a wonder to him that the crime rate in the country wasn’t far higher what with millions of idiots like her staggering blindly through life.

An algebra book was in the backseat; the middle school child’s, no doubt. Next to it was a children’s picture book, so there was at least a third child. This deduction was confirmed by the presence of a pair of grass-stained tennis shoes in the rear floorboard; they looked to be those of a five- or six-year-old boy.

He glanced in the passenger seat. There it was: a People magazine. He looked up. The woman had just slammed the cart back into the rack and had now paused to talk to someone coming out of the store. He reached in and drew the magazine toward him. Name and home address were on the mailing label. He already had her home phone number. She’d helpfully put it on the For Sale sign on the window of her van.

Another bingo. Her keys were in the ignition. He placed a piece of soft putty over the ones that looked like house keys, taking quick impressions. It made the breaking in and entering part a lot easier when you didn’t have to “break” when you “entered.”

A final home run. Her cell phone was in its holder. He looked up. She was still gabbing away. Had he been so inclined he could have killed the kid, stolen all her groceries and torched the car, and the woman would never even know it until someone started screaming at the flames shooting into the sky. He glanced around. People were far too busy with their lives to notice him.

He snatched the phone, hit the main screen button and got her cell phone number. Then he accessed her phone book, took a digital camera the size of his middle finger from his pocket and snapped pictures of screen after screen until he had all the names and phone numbers in her directory. He returned the phone, waved bye-bye to baby and slipped back into his car.

He went over his list. He had her name, home address and the fact that she had at least three kids and was married. The mailing block had been addressed to both Jean and Harold Robinson. He also had her home phone number, cell phone number and the names and numbers of a host of others important to her as well as impressions of her house keys.

She and her lovely family belong to me now.

Keep the Faith
Revelator

Who Wrote The Book Of Love - The Monotones

Heartbeat (It’s A Love Beat)

And here it comes once again…Valentine’s Day. That one day a year we must visibly show our undying devotion to and appreciation for the one we love. So, off we go to the corner gas station/convenience store on February 13 looking for the card we almost forgot to purchase to show exactly how much we love our one true love. Finding only a card from a dog to its owner we rush off to Wal-Mart where the selection is only slightly better. But you find a card that sort of fits your current relationship and then you head over to the candy aisle to find that all that is left are $50 boxes of “Anatomically Correct Heart Shaped” Chocolate covered Cantaloupe. Sure you love cantaloupe - who doesn’t? But you’re put off by its anatomically correct shape so you are off to Target where, much to your chagrin, all they have left is a 25 pound Hershey Kiss®. Now what?

Sure, I could go on but most of us guys have been there - done that, so I’ll leave the rest to your unfortunate memories of Valentine’s past. I’ll assume you’ve learned your lessons and now start planning your Valentine’s Day accordingly. Two weeks out you started searching and found the perfect Valentine’s gift for your lady. You were smart and passed on the “Jillian Michaels Biggest Loser Workout” for the Wii and instead opted for the Mani-Pedi-Spa-Massage package. Sure it ran you just over $400 bucks but come on, she’s worth it.

But the question remains - how do you pull this off without her finding out about this great gift ahead of time? You know she loves surprises so you want to make this all happen without her knowing…but how?
How can you make a major purchase ahead of time without her knowing?
How can you make sure she is available on Daytona 500 Sunday... I mean, Valentine’s Day for her appointment at the spa?
How can you make sure she doesn’t just go and waste money on a manicure or a pedicure (or both) on Friday in anticipation of you taking her out to dinner for Valentine’s Day?
And won’t she be suspicious if you haven’t made some sort of plans for Valentine’s Day?
Is some sort of deception plan required?
How can you pull this off and still watch the Great American Race?

All these questions and more can be answered by utilizing OPSEC in your planning. Just common sense and perhaps some deception and you can actually pull off a great Valentine’s Day surprise that will really show the one you love just how much you love them…until next Valentine’s Day when you will have to top this one. Good luck with that.

Keep the Faith!
Revelator

HeartBeat (It’s A Love Beat) - The DeFranco Family

For What It’s Worth

At my current job as OPSEC Manager I have somehow become the go-to-guy when an employee feels they are being scammed in one way or another. About once a week an employee will forward me a suspected scam email or bring in a letter they received at their home. Having become quite familiar with this stuff over the past year or two I do the research, confirm it is a scam and then write up an email that goes to all employees alerting them to the latest scam.

I’m not complaining - this is a good thing; but it got me to thinking. Most of us work in environments that place a high importance on security. Also, many of us work in positions that require a security clearance. Because of this we are particularly security conscious. But what about the vast majority of people out there? What about those who aren’t, for whatever reason, as security conscious as we are? Might they be much more susceptible to scams than we are?

I think of my parents, I think of my housewife sister, I think of my many friends who work at what we might call regular jobs in any number of fields that don’t come in almost daily contact with the many threats facing us day in and day out.

I think we have a responsibility to these people. We are in the know - we know of Nigerian bank scams, charity scams, mystery shopper scams, phishing scams, missing child email hoaxes, email lottery scams, internet dating scams, inheritance scams, and a host of others. Sure, we’re (relatively) safe from these nefarious hoaxes and scams but what about your family and friends?

My recommendation to you is that you make this your personal responsibility. Let your friends and family know that if they receive a “too good to be true” email or letter to contact you and you’ll research it to verify its legitimacy or (as will be the case 99.9% of the time) determine that it is a scam. We are paranoid by definition but the vast majority of our friends and family aren’t and I think you owe it to them to be the go-to person if they have any security questions or concerns. Just a thought.

Keep the Faith!
Revelator

For What It’s Worth - Buffalo Springfield

Everything Is Broken

From CNET News.com written by Elinor Mills:

“Here’s either a cautionary tale or an example of social-media paranoia. An Arizona man believes that his Twitter messages about going out of town led to a burglary at his home while he was away.

Israel Hyman posted to approximately 2,000 followers on Twitter that he and his wife were “preparing to head out of town,” that they had “another 10 hours of driving ahead” and later, that they “made it to Kansas City.”

When he came home, he found that someone had broken into his house and stolen thousands of dollars worth of video equipment he used for his video business, IzzyVideo.com, which he uses for his Twitter account.

“My wife thinks it could be a random thing, but I just have my suspicions,” he told the Associated Press. “They didn’t take any of our normal consumer electronics.”

Personally, I don’t think it’s a good idea to advertise to the world that your home will be unoccupied for a period of time. I also don’t think it’s necessary to reveal too many other personal details on social media sites that could be used for identity fraud, like your birth date.”

A number of thoughts come to mind:
1. Yeah, that was stupid. People are putting waaaaaaaaaaaaaaay too much on social networking sites. But then we know that already don’t we? Which leads me to my second thought…

2. Most OPSEC professionals, even part-timers, have known this for quite some time now so I have to ask; are we just horrible at spreading the word or are people not listening? Personally, I think it’s both. Awareness is the key here and while some are doing a pretty decent job the majority of us are not. And yeah, I know, why waste the time when you just know people aren’t going to listen to you either way. That’s tough to overcome but you just have to Keep the Faith! and press on.

3. Was it just the tweets or did dude possibly not consider OPSEC and basic security prior to leaving on vacation? We’ve all done the “so you’re going on vacation for two weeks how do you protect your home while you’re away” exercise. (if you haven’t let me know - I’ll send it to you). I suspect he didn’t arrange to deal with his mail, newspaper, growing grass, lights, etc while he was away and just got nabbed by bad guys who know what to look for.

Your fellow employees are counting on us OPSEC and Security professionals to keep them informed and protected. Do your best to inform them and with any luck they can protect themselves.

Keep the Faith!
Revelator

Everything Is Broken - Bob Dylan

Won’t Get Fooled Again

Try this on for size: Us OPSECers are a bunch of paranoid freaks who run around trying to convince the world that the sky would fall if it wasn’t for our magic potion.
Don’t laugh and don’t get defensive - people do say this about us. Don’t believe me? Let me give you a hint of what we sound like sometimes:

Protect this!
Secure this!
You can’t do that!
You must do this!
Listen to me!
Come to my briefing!
THINK OPSEC! THINK OPSEC! THINK OPSEC!

If you don’t use OPSEC the world will come to an end in a horrible way and the remaining survivors will blame you and then burn you alive and then trade your baseball card collection for the June 1975 issue of OUI Magazine .

If you don’t use OPSEC you will personally lose the war but you’ll be around right up till the end and then you’ll get yours too - right in your grill - just like Kimbo Slice (except that you will actually be hit and will most likely die).

If you don’t use OPSEC the competition will beat you to the shelves and your company will go bankrupt and you will be out of a job, the heel on your new too-small-for-your-big-feet Manolo’s will break, your husband will leave you for a successful toy manufacturer and then the economy will crash because you are a weak and worthless person.

If you don’t use OPSEC your identity will be stolen and your personal life will come crashing down around you. Your wife will leave you and your kids will hate you with a white-hot passion that will drive them to become lawyers and sue you for abandonment.

If you don’t use OPSEC your house will be broken into while you are on that two-week vacation and while in your house bad guys will put fish and Cheez Whiz in places you won’t be able to find them until it is much too late and on that exact date your in-laws will arrive unexpectedly for a three-week stay.

If you don’t use OPSEC Freddy Krueger will haunt your dreams… “1, 2, Freddy’s coming for you. 3, 4, you better lock your door. 5, 6, grab your crucifix. 7, 8, stay up late. 9, 10, never sleep again.”

If you don’t use OPSEC bad guys will steal your PIN and take all your money and spend it on loose women, MadDog 20/20 and gambling - and not that good gambling you see on TV but that bad degenerate gambling that has no respect for the viewing audience.

If you don’t attend annual OPSEC training you are destined to be a high security risk for your unit/company. Everyone will hate you and you will hiccup for 4 years straight.

You need to understand that this is exactly how some of us come off. You can’t scare people into using OPSEC. But you may be able to convince them that OPSEC can be a force multiplier, can raise survival rates and can be incorporated into an operations or business plan without hurting the operation itself.
And if you can convince someone that lives and/or money can be saved…well then - you won’t have to try to scare them with threats, voodoo or your magic potion.

Keep the Faith!
Revelator

Won’t Get Fooled Again - The Who

Revolution # 9

That’s right - Internet blogging is indeed the 9th revolution. I’ve done all the research and historians have succinctly reported that out of all the revolutions throughout history blogging is the 9th. That or I made all that up just so I could continue my recent habit of song titles as blog titles - your call. Number nine. Number nine. Number nine. Number nine…

From the Wikipedia Blog page:  A blog (an abridgment of the term web log) is a website, usually maintained by an individual, with regular entries of commentary, descriptions of events, or other material such as graphics or video. Entries are commonly displayed in reverse chronological order. “Blog” can also be used as a verb, meaning to maintain or add content to a blog.  Many blogs provide commentary or news on a particular subject; others function as more personal online diaries. A typical blog combines text, images, and links to other blogs, web pages, and other media related to its topic. The ability for readers to leave comments in an interactive format is an important part of many blogs.

Current estimates say there are in the neighborhood of 15 - 20 million blogs out there for your enjoyment.  Teenagers have created the majority of blogs.  Blogs are currently the province of the young, with 92.4% created by people under the age of 30.  Half of bloggers are between the ages of 13 and 19. Following this age group, 39.6% of bloggers are between the ages of 20 and 29.  (http://www.caslon.com.au/weblogprofile1.htm)

If you are even marginally in touch you’ve no doubt heard of the problems the military has had with military based, military support and personal blogs of military throughout the blogosphere.  Thousands of bloggers are putting information out there that from an OPSEC, or even a common sense perspective, should not be there.  On the plus side, the majority of these blogs are now espousing OPSEC and demanding that sensitive information not be put in comments on the blog.  Certainly this is a very good thing and while we’ve still got some problems out there it is good for an old OPSECer to see that the problem is correcting itself.  Here are some examples:

“The U.S. Army has ordered soldiers to stop posting to blogs or sending personal e-mail messages, without first clearing the content with a superior officer, Wired News has learned. The directive, issued April 19, is the sharpest restriction on troops’ online activities since the start of the Iraq war. And it could mean the end of military blogs, observers say. “  By Noah Shachtman

Operational Security:  If you know where a soldier is deployed, the return date, or any other information, please never give this information out to anyone, ever. The enemy loves to search for pieces of the puzzle of how to hurt us any way they can. Never post last name, location, contact information, unit details, morale status or even rank of someone you know who’s deployed. In today’s world of terrorism, this is especially important.  http://www.honorguardbugler.com/2008/04/notes-on-opsec.html

I think it’s worth reminding OmniNerd users (many of whom have military affiliations through service, family or acquaintance) to be cognizant of the information posted.   OmniNerd received a news post on 5 August from the Army of the Mujahideen containing links to graphic videos depicting death and violence to US service members. This means OmniNerd’s content was profiled by terrorists either for the user base or the types of hosted discussions. While initially rejected, I posted the content here to serve as a reminder of who may be reading your posts and the threat still facing Western states.  http://www.omninerd.com/blogs/OPSEC_Awareness

OPSEC is the reason that organizations like Soldiers Angels or Anysoldier.com  don’t just post the addresses of deployed soldiers for everyone in the blogosphere to see. You have to join those organizations and be approved by them, to receive addresses.  OPSEC is the reason that I did not post the address of my fiancee’s son on this blog, when he deployed.  The people who wish to support him (and our unending Thanks! to all those great folks who have been sending him letters and care packages! :) are people I know, and feel comfortable giving his address.  OPSEC is the reason that Soldiers Angels says “Please do not post the name, etc. of your soldier, without his permission.” And it’s the reason that I usually redact the identifying information from any part of a note I receive that I do repost on here.  Http://journals.aol.com/kasee267/SupportingtheTroops/entries/2008/01/28/just-a-reminder…opsec/1542

And finally: We’ve had quite a bit of OPSEC violation on the community recently. Just a reminder that you just can’t post dates, times, travels, discuss particulars about weapons, locations, etc. here. There ARE people out there who join communities like this to gather information. Don’t kid yourself. Will it get someone killed? You don’t know. The safest bet is just don’t do it. If you’re not sure if you should say it, err on the side of caution and just don’t say it.

So here’s a basic list of what not to say or do:

DON’T post specific dates your SO goes on deployment, leaves for R&R, redeploys, PCS’s, or moves from one place to the next.

DON’T post specifics discussing weaponology, though that has not been an issue here, I’m just saying.

DON’T post where your husband is stationed if he is in a combat zone (i.e. what base he’s at in Iraq or Afghanistan).

DON’T post the times your husband will be in transit from base to base in a combat zone, or travel times, period.

DO black out or otherwise blur nameplace, unit and branch patches if posting pictures.

Those are the main infractions.

FROM HERE ON OUT I WILL DELETE WITHOUT WARNING ANY POST THAT VIOLATES OPSEC TERMS. 

I’m tired of reminding people. Call me bitchy, I don’t care. Read and follow the rules.   http://community.livejournal.com/militarylove/706293.html

Keep the Faith!

Revelator

Let’s Take The Porsche

Why is it that people who own nice cars always refer to them by make and/or model?  “Lunch?  I would love to - we can take the Mercedes.”  “Why yes, this is good coffee.  I stopped there in my Beemer on the way to work.”  “What? We lose our contract in 8 days!?  You know, my Escalade seats 8.”  What you never hear is; “Lunch?  I would love to - we can take the Gremlin.”

Here are some more things I’m getting tired of hearing… “My daughter Epiphany goes to THE Ohio State.” “My wife Honoria, the one who does IT security for IBM; I think she’s seeing someone else.” I mean, if I had a dime for every time I heard that one…

And what’s with all the stickers on cars these days? I really don’t care that Tad and Muffy play on the soccer team, are chartreuse belts in sushi-do, go to Dolly Parton Middle School, play the clarinet in the fourth grade marching band and improvisational jazz quartet OR that you are a member of the Royal Order of Buffaloes, think that baby seals are depressed and/or socially repressed about global warming or that I can’t blame you cuz you voted for McGovern. And by the way, if I was horny I doubt I would honk just to let you know.

Ok, now I must find the OPSEC in this… People these days are way too eager to share personal information. They won’t give you their Social Security Account Number (that is readily available from, oh - I don’t know; 17,505 sources) without a writ of habeas corpus but you can’t get them to shut up about everything else in their self-important lives. Now, I’m no criminal nor do I portray one on TV, but I am a student of the threat and know that each bit of personal information collected can and will be used against you in a very bad way.

I’ve raised four kids and each of them grew up just fine without covering my vehicle with stickers about their accomplishments. And some people actually like me in spite of the fact that I’ve never offered to drive anyone to lunch in my dented eight year old Dodge Truck. I did use my alarm combo/ATM Pin/code for work/birthdate/every password on every internet site I’ve ever registered for as my personalized license plate number - but we’ll just keep that between us friends.

Keep the Faith!

Revelator

It’d be easier to advertise!

I saw something the other day that disturbed me. I live near a military post, and I saw a fellow parent dropping their child off at school. As they were in front of me, I was only able to see the two stickers that were in their back window:

The first was one of those stickers that you can buy in the PX (BX for you Air Force folks) showing their rank. 

The second was one of those “family stickers” that you can get just about anywhere, showing three stick figures labeled “Dad”, “Mom” and “Hannah” (name changed, of course)

Which brings up the oh-so-important point of family OPSEC. Without ever meeting the driver (believe me, I would love to), I know their branch, rank and child’s name and school. It would be a simple matter for a “bad guy” to fill in the blanks from there.

The sad fact is that families can be targets, too. Don’t let them be a soft target.

Who is OPSEC for?

It’s a common misconception that OPSEC “belongs” to the military. In reality, OPSEC, the process of denying an adversary critical information, saves lives in the battlefield, dollars and jobs in the corporate world, and safety and security on the personal level.

At the same time that I was creating an OPSEC plan at work, my wife was practicing OPSEC at home by leaving a light and the TV on.

OPSEC is for everybody, everywhere.
