18. December 2009 by Revelator.

This is just unfreakingbelievable!

Hackers steal SKorean-US military secrets By KWANG-TAE KIM, Associated Press Writer Kwang-tae Kim, Associated Press Writer Fri Dec 18, 7:19 am ET

The USB device contained a summary of plans for military operations by South Korean and U.S. troops in case of war on the Korean peninsula. Won said the stolen document was not a full text of the operational plans, but an 11-page file used to brief military officials. He said it did not contain critical information.

Pardon? Did I read that wrong? Let me check…”He said it did not contain critical information.” Nope - I read it right. Still can’t believe it. I mean, are you kidding me? An 11 page Executive Summary of our South Korean defense plans (OPLAN 5027) contains no sensitive information? Am I dead? Did I go to OPSEC hell and not get greeted by the demon of OPSEC? I’ve met this demon before - his name is Ignorance - so I’m pretty sure I would know him if he was greeting me at the gates of OPSEC hell. Perhaps this is a dream? Damn it people - just saying something isn’t so does not make it not so. Sure that’s a horrible sentence but let me show one that is far worse: “He said it did not contain critical information.” See? Much worse.

And don’t give me that nonsense that denying it had critical information is our way of not confirming to the North Koreans that it did indeed contain sensitive information. You know who says stuff like that? People who don’t understand the adversary. To be so blind as to think that North Korea doesn’t have a damn good idea of what is essentially contained in OPLAN 5027 is the height of ignorance. Especially since you can find older versions of OPLAN 5027 in all it’s classified glory on the internet.

I’ll grant that the 11 page summary may have been unclassified but there is no way I’m going to grant it didn’t contain critical information. Unless the only definition you have of critical information is anything that’s classified - and we know that’s just not true. Too bad not everybody understands that these days.

Thanks to my good friend Kirk for letting me know about this.

Keep the Faith!
Revelator

Tell It Like It Is - Aaron Neville

Posted in Risk, Critical Information, BS, Vulnerabilities, Threat, Media, WWW, Computer Intrusions | Print | No Comments »

30. May 2008 by Revelator.

     Firewall and system probing, Network File Systems application attacks, email attacks, vendor default password attacks, spoofing, sniffing, fragmentation and splicing attacks.  Where will it all end?  Since this is clearly our biggest security concern why can’t we fix it?  Why aren’t we throwing all our money, manpower and technical abilities at this problem?  Computer crimes cost us $32 million is 2006.  Boy, I’ll tell you what - somebody better do something quick.  Unless the computer isn’t our biggest security concern…

     But if (as I imply) the computer isn’t the biggest threat to the security of our organization or mission, then what is?  Here’s a clue - look above.  Didn’t you read all that stuff in the first paragraph?  Of course the computer is the biggest threat to the security of your organization/mission.  Or is it…

     Well, duh.  The computer and it’s evil spawn the INTERNET is just teeming with demon hackers who are trying to either crash or rape your system every minute of every day.  It’s all over the news!  Technology is killing security.  Punks who were born with Playskool See-n-Hack starter laptop kits are wreaking havoc all over the technosphere.  What’s an OPSEC Program Manager to do?  Hell, you’re not the IT Security dude.  You know nothing of firewalls routers and DMZ’s.  Face it partner - you’re screwed.  Unless…I mean, unless the computer is not the biggest threat to the security of your organization/mission…

    And here we are again.  What is, and will remain, the biggest threat to security in your organization is the person in the next cubicle, or the next stall, or the next chair, or sitting across from you at lunch asking you to pass the pink or yellow stuff that really isn’t sugar but will kill you just as fast.  Humans…whattaya gonna do?

     I can’t count the number of times I’ve been allowed into “secure” facilities by people who should have known better.  And you would be surprised how many buildings you can waltz right through when you’re wearing a UPS uniform and carrying a couple of boxes.  You can have the best physical security money can buy for your building but if smokers leave the back door propped open for convenience…establish a great password policy but if your people write their passwords down…carefully screen all information you put on your web page but if Marketing feels the need to publicize…

     The old saying is that we spend 80% of our security money protecting ourselves from outside threats while, in truth, 80% of our threat comes from within your own organization.  The next time you head over to the fridge to see if anyone has left a Klondike bar without a name on it take a look around - you are surrounded by people who will unmaliciously give away sensitive information at the drop of a hat.  They don’t mean to by the way.  They just haven’t been properly educated about how NOT to inadvertently give away sensitive and critical information.  That’s your job - now get to it!

Keep the Faith!

Revelator

Posted in Risk, Countermeasures, Critical Information, Vulnerabilities, Threat, Program Management, WWW, Computer Intrusions | Print | 2 Comments »

31. October 2007 by Revelator.

Once upon a time, in a land not-so-far-away, A small group of individuals walked to the doors of a multinational corporation, and walked out with Millions of dollars worth of company secrets and assets.

Through days of patient research and study, they were well equipped to work their way through the company, obtaining small pieces of information and compiling it into unmitigated access. Could this happen to you?

First, they learned the names of key employees by calling Human Resources. They would have preferred to find a company phone roster in the dumpster, but no one had thrown one away lately. Although the passwords and internal memos that they did find certainly helped cushion the blow. 

This company had a very friendly climate, and prided itself on hiring friendly and courteous employees. The friendly employee at the entrance was more than happy to hold the door for one of the individuals when he jogged to catch the closing door. Why not? Criminals don’t wear suits and ties, right? They got inside the moat.

Another friendly employee was more than happy to help out the stressed out intern who lost his access badge on the first day, and just had to get the report to his boss before he gets fired! Why not? We’re all on the same team, right?

No matter how strong a castle’s walls, it does no good once the enemy’s inside.

Inside the secure area, they found a gold mine of unshredded documents both in the trash and piled by the shredder. In a stroke of inspiration, a hastily scrawled note was placed on a busy shredder: “Shredder out of order. Put materials in this box to be picked up by security”. Also, traditional hacking techniques allowed unrestricted access to key computer systems, which is often superfluous if the password is written down and hidden. (”No one would ever know that this is my password, even if they do look in the drawer!”)

Lucky for them, the CEO had let them know (through his out of office auto reply) that he would be gone that day. His assistant was very helpful when the new janitor forgot his keys and had to stay on schedule!

Could it get worse than this? It very well could. There’s a good chance that your organization may never suffer a planned, organized intrusion such as this. But basic OPSEC, often at little or no cost to the organization, can help prevent such a disaster. Never forget how important you are!

Posted in Computer Intrusions, General OPSEC | Print | No Comments »