18. December 2009 by Revelator.
This is just unfreakingbelievable!
Hackers steal SKorean-US military secrets
By KWANG-TAE KIM, Associated Press Writer. Fri Dec 18, 7:19 am ET
SEOUL, South Korea – South Korea’s military said Friday it was investigating a hacking attack that netted secret defense plans with the United States and may have been carried out by North Korea.
The suspected hacking occurred late last month when a South Korean officer failed to remove a USB device when he switched a military computer from a restricted-access intranet to the Internet, Defense Ministry spokesman Won Tae-jae said.
The USB device contained a summary of plans for military operations by South Korean and U.S. troops in case of war on the Korean peninsula. Won said the stolen document was not a full text of the operational plans, but an 11-page file used to brief military officials. He said it did not contain critical information.
Pardon? Did I read that wrong? Let me check… “He said it did not contain critical information.” Nope - I read it right. Still can’t believe it. I mean, are you kidding me? An 11 page Executive Summary of our South Korean defense plans (OPLAN 5027) contains no sensitive information? Am I dead? Did I go to OPSEC hell and not get greeted by the demon of OPSEC? I’ve met this demon before - his name is Ignorance - so I’m pretty sure I would know him if he was greeting me at the gates of OPSEC hell. Perhaps this is a dream? Damn it people - just saying something isn’t so does not make it not so. Sure that’s a horrible sentence but let me show one that is far worse: “He said it did not contain critical information.” See? Much worse.
And don’t give me that nonsense that denying it had critical information is our way of not confirming to the North Koreans that it did indeed contain sensitive information. You know who says stuff like that? People who don’t understand the adversary. To be so blind as to think that North Korea doesn’t have a damn good idea of what is essentially contained in OPLAN 5027 is the height of ignorance. Especially since you can find older versions of OPLAN 5027 in all its classified glory on the internet.
I’ll grant that the 11 page summary may have been unclassified but there is no way I’m going to grant it didn’t contain critical information. Unless the only definition you have of critical information is anything that’s classified - and we know that’s just not true. Too bad not everybody understands that these days.
Thanks to my good friend Kirk for letting me know about this.
Keep the Faith!
Revelator
Tell It Like It Is - Aaron Neville
8. October 2009 by Revelator.
So I’m searching “OPSEC” on YouTube yesterday, as I am wont to do from time to time, and I ran across a new video titled “Atomic OPSEC Part 1.” I noticed that it was from the Department of Energy’s Nevada Site Office and I took this as a good sign. I liked what they did with their “OPSEC Hunters” video so I thought I would check it out.
Well, I gotta tell you this new video is even…
Ok, I can’t do this anymore. Let the BS end right here…
We made the video. That’s right; I wrote it and acted in it - my fellow DOG of OPSEC directed it and the new guy plays the scientist. We think it’s pretty good and think y’all might like it also so go to YouTube and search “Atomic OPSEC” and watch parts 1 and 2. Total time is around 13 minutes. We hope you like it.
Keep the Faith!
Revelator
31. August 2009 by Revelator.
From CNET News.com written by Elinor Mills:
“Here’s either a cautionary tale or an example of social-media paranoia. An Arizona man believes that his Twitter messages about going out of town led to a burglary at his home while he was away.
Israel Hyman posted to approximately 2,000 followers on Twitter that he and his wife were “preparing to head out of town,” that they had “another 10 hours of driving ahead” and later, that they “made it to Kansas City.”
When he came home, he found that someone had broken into his house and stolen thousands of dollars worth of video equipment he used for his video business, IzzyVideo.com, which he uses for his Twitter account.
“My wife thinks it could be a random thing, but I just have my suspicions,” he told the Associated Press. “They didn’t take any of our normal consumer electronics.”
Personally, I don’t think it’s a good idea to advertise to the world that your home will be unoccupied for a period of time. I also don’t think it’s necessary to reveal too many other personal details on social media sites that could be used for identity fraud, like your birth date.”
A number of thoughts come to mind:
1. Yeah, that was stupid. People are putting waaaaaaaaaaaaaaay too much on social networking sites. But then we know that already don’t we? Which leads me to my second thought…
2. Most OPSEC professionals, even part-timers, have known this for quite some time now so I have to ask; are we just horrible at spreading the word or are people not listening? Personally, I think it’s both. Awareness is the key here and while some are doing a pretty decent job the majority of us are not. And yeah, I know, why waste the time when you just know people aren’t going to listen to you either way. That’s tough to overcome but you just have to Keep the Faith! and press on.
3. Was it just the tweets or did dude possibly not consider OPSEC and basic security prior to leaving on vacation? We’ve all done the “so you’re going on vacation for two weeks how do you protect your home while you’re away” exercise. (if you haven’t let me know - I’ll send it to you). I suspect he didn’t arrange to deal with his mail, newspaper, growing grass, lights, etc while he was away and just got nabbed by bad guys who know what to look for.
Your fellow employees are counting on us OPSEC and Security professionals to keep them informed and protected. Do your best to inform them and with any luck they can protect themselves.
Keep the Faith!
Revelator
Everything Is Broken - Bob Dylan
9. October 2008 by Revelator.
Here are the titles of some articles I’ve come across lately. I haven’t included the full content of the articles but I think that, just based on the titles, you’ll see why I’m a bit concerned…
“Internet Flaw Could Let Hackers Take Over The Web” - I think that if this is true they might not want to detail how this could actually happen - which they did. Yeah, the article spoke very specifically about exactly what the flaw was and how to exploit it. Cool, huh?
“Airports Vulnerable to Attack” - I suspect we all agree that yes, there are still some vulnerabilities that reality and budget constraints won’t allow us to directly address, but this article explained how our airports were vulnerable and how bad guys could exploit these vulnerabilities.
“Billions More Needed to Secure U.S. Embassies” - Well then, please tell me what we need to spend this money on exactly and further I would like to know how not having these things can immediately put these embassies at risk. And while you’re at it go ahead and tell me which embassies are the most vulnerable so I don’t waste my time trying to blow up the wrong one. Anybody want to guess if the article actually did this?
“Research Reveals Patterns of Terrorist Preparation” - While, as a citizen, I am very happy that our law enforcement agencies have found patterns that may tip them off to terrorist activities, I am not real happy that we told the terrorists this. Seems to me that Terry Terrorist might begin to change his/her tactics and prepare for their activities in a whole new way thereby negating the intelligence advantage we had until this article came out.
Folks, I’m no arbiter of what is right or wrong to put into print and I have no educational background to argue the public’s “right to know” but as an OPSEC Professional it just seems to me that we are making waaaaaaaaaaaaaaaaaaaaaaaaaaaaay too much sensitive information available. For those of you out there actively practicing OPSEC, this is just one of the reasons you need to do Open Source searches on your own organization. It’s always good to know what the bad guy already knows about you - then you can focus your protection efforts on what is not known and you can also be proactive about dealing with what is known about your organization, mission or specific activities.
Keep the Faith!
Revelator
Bring The Noise - Public Enemy
30. May 2008 by Revelator.
Firewall and system probing, Network File Systems application attacks, email attacks, vendor default password attacks, spoofing, sniffing, fragmentation and splicing attacks. Where will it all end? Since this is clearly our biggest security concern why can’t we fix it? Why aren’t we throwing all our money, manpower and technical abilities at this problem? Computer crimes cost us $32 million in 2006. Boy, I’ll tell you what - somebody better do something quick. Unless the computer isn’t our biggest security concern…
But if (as I imply) the computer isn’t the biggest threat to the security of our organization or mission, then what is? Here’s a clue - look above. Didn’t you read all that stuff in the first paragraph? Of course the computer is the biggest threat to the security of your organization/mission. Or is it…
Well, duh. The computer and its evil spawn the INTERNET is just teeming with demon hackers who are trying to either crash or rape your system every minute of every day. It’s all over the news! Technology is killing security. Punks who were born with Playskool See-n-Hack starter laptop kits are wreaking havoc all over the technosphere. What’s an OPSEC Program Manager to do? Hell, you’re not the IT Security dude. You know nothing of firewalls, routers and DMZs. Face it partner - you’re screwed. Unless…I mean, unless the computer is not the biggest threat to the security of your organization/mission…
And here we are again. What is, and will remain, the biggest threat to security in your organization is the person in the next cubicle, or the next stall, or the next chair, or sitting across from you at lunch asking you to pass the pink or yellow stuff that really isn’t sugar but will kill you just as fast. Humans…whattaya gonna do?
I can’t count the number of times I’ve been allowed into “secure” facilities by people who should have known better. And you would be surprised how many buildings you can waltz right through when you’re wearing a UPS uniform and carrying a couple of boxes. You can have the best physical security money can buy for your building but if smokers leave the back door propped open for convenience…establish a great password policy but if your people write their passwords down…carefully screen all information you put on your web page but if Marketing feels the need to publicize…
The old saying is that we spend 80% of our security money protecting ourselves from outside threats while, in truth, 80% of our threat comes from within our own organization. The next time you head over to the fridge to see if anyone has left a Klondike bar without a name on it take a look around - you are surrounded by people who will unmaliciously give away sensitive information at the drop of a hat. They don’t mean to by the way. They just haven’t been properly educated about how NOT to inadvertently give away sensitive and critical information. That’s your job - now get to it!
Keep the Faith!
Revelator
9. May 2008 by Revelator.
That’s right - Internet blogging is indeed the 9th revolution. I’ve done all the research and historians have succinctly reported that out of all the revolutions throughout history blogging is the 9th. That or I made all that up just so I could continue my recent habit of song titles as blog titles - your call. Number nine. Number nine. Number nine. Number nine…
From the Wikipedia Blog page: A blog (an abridgment of the term web log) is a website, usually maintained by an individual, with regular entries of commentary, descriptions of events, or other material such as graphics or video. Entries are commonly displayed in reverse chronological order. “Blog” can also be used as a verb, meaning to maintain or add content to a blog. Many blogs provide commentary or news on a particular subject; others function as more personal online diaries. A typical blog combines text, images, and links to other blogs, web pages, and other media related to its topic. The ability for readers to leave comments in an interactive format is an important part of many blogs.
Current estimates say there are in the neighborhood of 15 - 20 million blogs out there for your enjoyment. Teenagers have created the majority of blogs. Blogs are currently the province of the young, with 92.4% created by people under the age of 30. Half of bloggers are between the ages of 13 and 19. Following this age group, 39.6% of bloggers are between the ages of 20 and 29. (http://www.caslon.com.au/weblogprofile1.htm)
If you are even marginally in touch you’ve no doubt heard of the problems the military has had with military based, military support and personal blogs of military throughout the blogosphere. Thousands of bloggers are putting information out there that from an OPSEC, or even a common sense perspective, should not be there. On the plus side, the majority of these blogs are now espousing OPSEC and demanding that sensitive information not be put in comments on the blog. Certainly this is a very good thing and while we’ve still got some problems out there it is good for an old OPSECer to see that the problem is correcting itself. Here are some examples:
“The U.S. Army has ordered soldiers to stop posting to blogs or sending personal e-mail messages, without first clearing the content with a superior officer, Wired News has learned. The directive, issued April 19, is the sharpest restriction on troops’ online activities since the start of the Iraq war. And it could mean the end of military blogs, observers say.” By Noah Shachtman
Operational Security: If you know where a soldier is deployed, the return date, or any other information, please never give this information out to anyone, ever. The enemy loves to search for pieces of the puzzle of how to hurt us any way they can. Never post last name, location, contact information, unit details, morale status or even rank of someone you know who’s deployed. In today’s world of terrorism, this is especially important. http://www.honorguardbugler.com/2008/04/notes-on-opsec.html
I think it’s worth reminding OmniNerd users (many of whom have military affiliations through service, family or acquaintance) to be cognizant of the information posted. OmniNerd received a news post on 5 August from the Army of the Mujahideen containing links to graphic videos depicting death and violence to US service members. This means OmniNerd’s content was profiled by terrorists either for the user base or the types of hosted discussions. While initially rejected, I posted the content here to serve as a reminder of who may be reading your posts and the threat still facing Western states. http://www.omninerd.com/blogs/OPSEC_Awareness
OPSEC is the reason that organizations like Soldiers Angels or Anysoldier.com don’t just post the addresses of deployed soldiers for everyone in the blogosphere to see. You have to join those organizations and be approved by them, to receive addresses. OPSEC is the reason that I did not post the address of my fiancee’s son on this blog, when he deployed. The people who wish to support him (and our unending Thanks! to all those great folks who have been sending him letters and care packages!) are people I know, and feel comfortable giving his address. OPSEC is the reason that Soldiers Angels says “Please do not post the name, etc. of your soldier, without his permission.” And it’s the reason that I usually redact the identifying information from any part of a note I receive that I do repost on here. http://journals.aol.com/kasee267/SupportingtheTroops/entries/2008/01/28/just-a-reminder…opsec/1542
And finally: We’ve had quite a bit of OPSEC violation on the community recently. Just a reminder that you just can’t post dates, times, travels, discuss particulars about weapons, locations, etc. here. There ARE people out there who join communities like this to gather information. Don’t kid yourself. Will it get someone killed? You don’t know. The safest bet is just don’t do it. If you’re not sure if you should say it, err on the side of caution and just don’t say it. So here’s a basic list of what not to say or do:
DON’T post specific dates your SO goes on deployment, leaves for R&R, redeploys, PCS’s, or moves from one place to the next.
DON’T post specifics discussing weaponology, though that has not been an issue here, I’m just saying.
DON’T post where your husband is stationed if he is in a combat zone (i.e. what base he’s at in Iraq or Afghanistan).
DON’T post the times your husband will be in transit from base to base in a combat zone, or travel times, period.
DO black out or otherwise blur nameplace, unit and branch patches if posting pictures.
Those are the main infractions.
FROM HERE ON OUT I WILL DELETE WITHOUT WARNING ANY POST THAT VIOLATES OPSEC TERMS.
I’m tired of reminding people. Call me bitchy, I don’t care. Read and follow the rules. http://community.livejournal.com/militarylove/706293.html
Keep the Faith!
Revelator
22. January 2008 by Revelator.
Folks, it’s all OPSEC. I just couldn’t resist a quote from an old co-worker of mine. Our friend and frequent contributor Kirk Dunaway has some great guidance for you here. Having sat next to Kirk for over two years I can tell you that I personally have averted many a disaster by taking his advice. Read and heed!
Tips from a guy who has been asked to look at a lot of people’s computer problems…
OPSEC? Well, ish. I can throw words like vulnerability, intent, survey and OPSEC measures at this, to justify the fact that I am submitting something on the fringe of OPSEC to this blog, but I just thought I would pass along some free advice.
1. Cannot stress the importance of anti-virus software. There are many offered, at various costs (from free to $$$), just make sure you have it on there. The major differences are some offer better protection but are slower, some are faster but protect less and some fall in the middle. My advice is to stay with recognizable name brands if you are not sure.
2. Firewalls really do work! A computer, by default, listens and accepts all kinds of traffic, regardless whether you are using that type of traffic or not. Bad guys use these typically unused traffic types to attack your system. A firewall shuts down that vulnerability. Of course, there is some pain at first (yes, let me check my email, and remember!!! Yes, please, I want to access the internet!!!), but once set up it is relatively invisible. The protection it provides is very valuable. There are hardware firewalls, but I still recommend loading a software firewall on your system (free or $$$).
3. There are adware identifying software programs available, if you are concerned with someone tracking your surfing habits. Load up and scan away.
4. Currency is huge. Anti-virus, operating system, firewall, etc, are of little use against the latest badware if your system software is not up to date. By all means set up whatever you can to automatically update. If you do not automatically update, at least manually update once a week. If you do automatically update, perform a manual update once a month to make sure automatic update picks up everything.
5. Spend a few bucks, buy an external USB hard drive at least as large as your computer hard drive, and copy off important stuff once a month. You can export your browser favorites and email contacts (and emails, if you know where to look), then copy everything over manually. Or you can buy backup software to do it all for you. But regardless, bad viruses do disable computers, and hard drives fail, so keep that 2nd copy in case you have to start over.
6. Put an entry in your email contact list that contains your own email address. Like “ZZZZME”, so it can be ignored at the end. But then if you are infected, and some virus is sending itself out using the contact list in your email, you will know.
7. Turn off your computer when not in use. Most bad guys know we do not use our computers at night, so that’s when they use them. Shut it down, and reduce your window of vulnerability.
8. If you think you have been infected, and you have current virus software, shut down your system. Disable your network connection (unplug or turn off wireless access point). Now power up, and keep pressing the “F8” key while booting up. This will eventually give you a boot menu. Select “Safe Mode”, and when it comes up run a thorough virus scan. Your virus software should be able to clean any bad stuff in Safe Mode. If not, call in the cavalry.
9. If you think you have been infected, and you do not have current virus software, try an online virus scanner (like the free one from TrendMicro) to see if you can repair it.
Anyway, these tips could save you from a couple hundred bucks getting your computer cleaned to losing your hard drive (and how many years worth of digital pictures?). Oh yea, critical information, risk, and threats.
Kirk out.
18. January 2008 by Revelator.
Fellow OPSECers, time has come for another computer related guest entry from our most prolific guest writer and good friend Kirk Dunaway. Enjoy…
Computer down again? Might as well go home for the day. We’ve come to a point in our rapidly evolving world where no one can accomplish anything without email and internet access. But when your computer is up and running and you’re toiling away, how much OPSEC-sense do you actually apply to your work habits?
OK, first the basics; you should know by now that the only secure computer is one that is not connected to ANYTHING! Once you have email and internet access - all bets are off. Sure, folks get paid to harden your system - to introduce a level of pain to the bad guys knocking on the door. And they’re usually successful in keeping out 95% of the boneheads out there. But those same boneheads know something you probably don’t think about; why attack you at your desktop, when they can just see what you do when your traffic enters the ‘net?
Think folks don’t pay attention? Wow, you really DO need to read this blog more often! Just think of the “cookie wars” raging on the ‘net. Advertisers track where you go and what you look at, so they can place targeted ads on sites you visit. Whether that’s good or bad is up to you, but personally I’d rather look at an ad for a computer company than for women’s clothing. But the point is that if it is easy enough for advertisers to do it, think how easy it is for the bad guys. And they track using more than just cookies. It’s easy for them to sit passively by and just watch the traffic flow - seeing what comes and seeing what goes. And there you are sitting at your desk in the Pentagon surfing sites that specialize in cold weather gear…in July. Indicator?
The point is that traffic is in fact watched. And if the watchers can put together the sites that everyone in your unit is surfing to, plus read all the un-encrypted emails, then there’s a good chance you’ve given them a costly glimpse into your future. On the other hand, odds are good that no one is scrutinizing your computer at home. If you think and apply OPSEC at work maybe, just maybe you’ll decide to surf the iffy sites from home.
Side note: Concerned with cookies, pop ups, and other bad stuff that could be on an internet site? Try downloading and using Opera, Safari, Netscape, Mozilla FireFox or some other browser. MS Internet Explorer, as the most popular, is the most targeted. Also, the other browsers (such as FireFox) do a better job of cleaning up your tracks once you exit.
Surf clean bruddah,
Kirk out.
7. January 2008 by Revelator.
If it’s computer related then it must be guest blogger Kirk Dunaway again. Enjoy…
OK, so you fire up the computer, crank up the email - and here they come. The 37 forwarded emails from your friends. I know…some of these are actually pretty cool. Some are actually pretty good jokes or an unbelievable video. You know the one - the one you just have to show your buddies! But then there are the “warm fuzzy” or “blessings” or “cutesy” emails that always end with “for good luck (or blessings), pass this on to 10 friends.” Or the ever popular “send this to 10 people and see what great things happen in your life!” Or how about the “don’t break the chain and receive bad luck! Send to 10 people and then back to the sender” emails. And then for no reason whatsoever…you do!
So now, without even raising your right hand you have enlisted in the army of a spammer. Estimates place spam as high as 70% of emails entering corporate email servers. The majority of these are inert ads, but not all. How safe are those emails you pass on? Spam emails can (and do!) contain embedded malware. Do you actually think everyone’s anti-virus software is current, or even looks for the newest mutations? Would you be willing to wager money on that?
The spam emails sent by strangers to you typically do not work well on you. Most folks (fortunately) just delete them unread. But get one from your bud and you’ve just got to see what he sent! The last joke he sent you was awesome! Oh, but this time it is a sickly sweet poem; with Papal blessings no less. And you’re thinking “Nice; thanks bud. Wait. I know - I’ll pass this on to my friends from church.” Well, lo and behold, in a couple of days your virus software performs its automatic update and what is that? A virus alert?! Oh man; now you have a virus. Where did that come from? And then come Sunday you find that a lot of your friends from church have the same virus and they’re greeting you not with blessings on their breath but accusations in their eyes.
The solution is so simple. Resist the urge! Don’t forward it - just delete it. These things only work with our ignorant facilitation.
Side Note: Get a spam ad from someone you don’t know? Does it have an “unsubscribe” link? DON’T CLICK IT. Simply block the sender in your email program and delete the original email. Spam gets generated and sent to random strings of email addresses and by “unsubscribing” you have not only verified a good address, you just placed yourself on a couple of hundred spam lists. Of course, if you actually signed up on a web site with a company you know and trust and provided them with your email address and they are hitting you with too many ads then, by all means, use the “unsubscribe” link with confidence.
Other Side Note: The best address to give out online is a disposable one. Make a Yahoo or GMail or Hotmail or whomever account online and then use that for online business. Leave your home based personal address just that; give it only to friends and family. Once the online disposable account starts getting too much spam (and you know it will), just abandon it and make a new one. Then change your email at the businesses you still deal with. Life is so much better without 257 new useless emails every day (enlarge my WHAT?!?)
Aloha - Kirk out
19. December 2007 by Revelator.
Time for another guest entry. The author is Kirk Dunaway; killer OPSEC trainer, bona fide IT professional, one of those shirt-off-his-back all-around good guys and someone I am proud to call friend. Kirk will grace this page from time to time with his insight into OPSEC and the Web. Enjoy…
Figure you’re smarter than the average Third World teenager? Of course you are! Why then are they so successful at ripping us off? Forget about the “send me money and I’ll send you a check” scam. If you are still falling for that one, perhaps you should just unplug your computer and weld it into modern art.
Put a classified ad online or in a newspaper? Get ready for the “please let me know what condition it is in - do you accept cashiers checks” scam. You’ll get a bogus check; send off your stuff, then get the privilege of paying the bank back for the bad check. Fun stuff, eh?
Your email is an open door into your attention span. And if you share email at home, your spouse or kids can (and will) receive and reply before you have a chance to filter.
Get emails saying your credit card is suspended? What the?!? Well, you’ve just gotta click that link and send your account info to get that fixed. I mean, this is a no-brainer - right? Or maybe you got an email saying that your account may have been exposed and your identity may have been stolen. How the ?!? Shaking from the thought of it you follow the instructions, faxing personal and account information to the phone number listed. And wasn’t it nice of them to include instructions on what to do in case your identity gets stolen? How thoughtful.
In either case, you just gave away the farm. NO financial company will EVER ask you for your account number, PIN number, etc. If you do have an account there - they already know! Try this next time; hover your mouse over a link in an email and look at where it goes (at the bottom of the window) but NEVER CLICK IT!!! And never call a number listed in the email! Just open a new browser window and go directly to that institution. Usually the first thing you’ll see is a warning about the scam email you just got. At the very least get the good phone number to call from the “real” website.
And please, please, please, teach this to your spouse, kids, parents, aunts, uncles, cousins, neighbors and furnace repairmen. The less successful these scams are the less we will be bothered by them.
Aloha,
Kirk out