5. February 2010 by Revelator.
While reading “Hour Game” by David Baldacci I came upon a narrative that screamed OPSEC better than anything I’ve read or seen on TV lately. Never underestimate the threat - in any situation…
He watched the old couple totter out of the supermarket and ease into their Mercedes station wagon. He wrote down the license plate number. He would run it later on the Internet and get their home address. They were doing their own shopping, so they probably had no live-in help or grown children nearby. The make of the car was relatively new, so they weren’t surviving solely on Social Security. The man wore a cap with the logo of the local country club. That was another potential gold mine of information he might later tap.
He sat back and waited patiently. More prospects were sure to come in the busy shopping center. He could consume all he wanted without ever once taking out his wallet.
A few minutes later an attractive woman in her thirties came out of a pharmacy carrying a large bag. His gaze swung to her, his homicidal antennae twitching with interest. The woman stopped at the ATM next to the pharmacy, withdrew some cash and then committed what should have been classified as a mortal sin for the new century: she tossed the receipt into the trash before climbing into a bright red Chrysler Sebring convertible. Her vanity plate read “DEH JD.”
He quickly translated that to be her initials and the fact that she was a lawyer, the “JD” standing for Juris Doctor. Her clothes told him she was fastidious about her appearance. The tan on her arms, face and legs was deep. If she was a practicing lawyer, she probably had just come back from vacation or else had visited the tanning booth over the winter. She was very fit-looking, her calves particularly well developed. His gaze had fixed on the gold anklet she wore on her left leg as she climbed in her car. That was intriguing, he thought.
She had a current-year American Bar Association bumper sticker, so the odds were she was still practicing law. And she was also single - there was no wedding ring on her finger. And right next to the ABA bumper sticker was a parking permit for a very expensive gated residential development about two miles from here. He nodded appreciatively. These stickers were very informative.
He parked, got out of the Bug, walked over to the trash can, made a show of throwing something away and in the same motion plucked out the ATM receipt. The woman really should have known better. She might as well have tossed her personal tax return in the trash. She was now naked, completely open to any probing he wanted to do.
When he got back to his car, he looked at the name on the account: D. Hinson. He’d look her up in the phone book later. And she’d also be in the business listings, so he’d know which law firm in town she worked at. That would give him two potential targets. Banks had started leaving off some of the numbers of the account because they knew their customers stupidly disposed of their receipts where they were easy picking for people like him.
He kept trolling under the warming sun. What a nice day it was shaping up to be. He reclined slightly in his seat only to perk up when off to his right a soccer mom started loading groceries in her van. He wasn’t guessing there: she wore a T-shirt that announced her status. An infant rode in the car seat in the rear. A green bumper sticker announced that the woman was the mom of an honor roll student at Wrightsburg Middle School for the current school year.
Good to know, he thought: seventh or eighth grader and an infant. He pulled into the space next to the van and waited. The woman took the cart back to the front of the store, leaving the baby completely unguarded.
He got out of the Bug, leaned into the van’s open driver’s side window and smiled at the baby, who grinned back, chortling. The interior of the van was messy. Probably so was the woman’s house. If they had an alarm system, they probably never turned it on. Probably forgot to lock all the doors and windows too. It was a wonder to him that the crime rate in the country wasn’t far higher what with millions of idiots like her staggering blindly through life.
An algebra book was in the backseat; the middle school child’s, no doubt. Next to it was a children’s picture book, so there was at least a third child. This deduction was confirmed by the presence of a pair of grass-stained tennis shoes in the rear floorboard; they looked to be those of a five- or six-year-old boy.
He glanced in the passenger seat. There it was: a People magazine. He looked up. The woman had just slammed the cart back into the rack and had now paused to talk to someone coming out of the store. He reached in and drew the magazine toward him. Name and home address were on the mailing label. He already had her home phone number. She’d helpfully put it on the For Sale sign on the window of her van.
Another bingo. Her keys were in the ignition. He placed a piece of soft putty over the ones that looked like house keys, taking quick impressions. It made the breaking in and entering part a lot easier when you didn’t have to “break” when you “entered.”
A final home run. Her cell phone was in its holder. He looked up. She was still gabbing away. Had he been so inclined he could have killed the kid, stolen all her groceries and torched the car, and the woman would never even know it until someone started screaming at the flames shooting into the sky. He glanced around. People were far too busy with their lives to notice him.
He snatched the phone, hit the main screen button and got her cell phone number. Then he accessed her phone book, took a digital camera the size of his middle finger from his pocket and snapped pictures of screen after screen until he had all the names and phone numbers in her directory. He returned the phone, waved bye-bye to baby and slipped back into his car.
He went over his list. He had her name, home address and the fact that she had at least three kids and was married. The mailing block had been addressed to both Jean and Harold Robinson. He also had her home phone number, cell phone number and the names and numbers of a host of others important to her as well as impressions of her house keys.
She and her lovely family belong to me now.
Keep the Faith
Revelator
Who Wrote The Book Of Love - The Monotones
Posted in Risk, Critical Information, Awareness, Vulnerabilities, Threat, Family OPSEC, Analysis, General OPSEC
18. December 2009 by Revelator.
This is just unfreakingbelievable!
Hackers steal SKorean-US military secrets. By Kwang-tae Kim, Associated Press Writer. Fri Dec 18, 7:19 am ET
SEOUL, South Korea – South Korea’s military said Friday it was investigating a hacking attack that netted secret defense plans with the United States and may have been carried out by North Korea.
The suspected hacking occurred late last month when a South Korean officer failed to remove a USB device when he switched a military computer from a restricted-access intranet to the Internet, Defense Ministry spokesman Won Tae-jae said.
The USB device contained a summary of plans for military operations by South Korean and U.S. troops in case of war on the Korean peninsula. Won said the stolen document was not a full text of the operational plans, but an 11-page file used to brief military officials. He said it did not contain critical information.
Pardon? Did I read that wrong? Let me check… “He said it did not contain critical information.” Nope - I read it right. Still can’t believe it. I mean, are you kidding me? An 11 page Executive Summary of our South Korean defense plans (OPLAN 5027) contains no sensitive information? Am I dead? Did I go to OPSEC hell and not get greeted by the demon of OPSEC? I’ve met this demon before - his name is Ignorance - so I’m pretty sure I would know him if he was greeting me at the gates of OPSEC hell. Perhaps this is a dream? Damn it people - just saying something isn’t so does not make it not so. Sure that’s a horrible sentence but let me show one that is far worse: “He said it did not contain critical information.” See? Much worse.
And don’t give me that nonsense that denying it had critical information is our way of not confirming to the North Koreans that it did indeed contain sensitive information. You know who says stuff like that? People who don’t understand the adversary. To be so blind as to think that North Korea doesn’t have a damn good idea of what is essentially contained in OPLAN 5027 is the height of ignorance. Especially since you can find older versions of OPLAN 5027 in all its classified glory on the internet.
I’ll grant that the 11 page summary may have been unclassified but there is no way I’m going to grant it didn’t contain critical information. Unless the only definition you have of critical information is anything that’s classified - and we know that’s just not true. Too bad not everybody understands that these days.
Thanks to my good friend Kirk for letting me know about this.
Keep the Faith!
Revelator
Tell It Like It Is - Aaron Neville
Posted in Risk, Critical Information, BS, Vulnerabilities, Threat, Media, WWW, Computer Intrusions
31. August 2009 by Revelator.
From CNET News.com written by Elinor Mills:
“Here’s either a cautionary tale or an example of social-media paranoia. An Arizona man believes that his Twitter messages about going out of town led to a burglary at his home while he was away.
Israel Hyman posted to approximately 2,000 followers on Twitter that he and his wife were “preparing to head out of town,” that they had “another 10 hours of driving ahead” and later, that they “made it to Kansas City.”
When he came home, he found that someone had broken into his house and stolen thousands of dollars worth of video equipment he used for his video business, IzzyVideo.com, which he uses for his Twitter account.
“My wife thinks it could be a random thing, but I just have my suspicions,” he told the Associated Press. “They didn’t take any of our normal consumer electronics.”
Personally, I don’t think it’s a good idea to advertise to the world that your home will be unoccupied for a period of time. I also don’t think it’s necessary to reveal too many other personal details on social media sites that could be used for identity fraud, like your birth date.”
A number of thoughts come to mind:
1. Yeah, that was stupid. People are putting waaaaaaaaaaaaaaay too much on social networking sites. But then we know that already don’t we? Which leads me to my second thought…
2. Most OPSEC professionals, even part-timers, have known this for quite some time now so I have to ask; are we just horrible at spreading the word or are people not listening? Personally, I think it’s both. Awareness is the key here and while some are doing a pretty decent job the majority of us are not. And yeah, I know, why waste the time when you just know people aren’t going to listen to you either way. That’s tough to overcome but you just have to Keep the Faith! and press on.
3. Was it just the tweets or did dude possibly not consider OPSEC and basic security prior to leaving on vacation? We’ve all done the “so you’re going on vacation for two weeks how do you protect your home while you’re away” exercise. (If you haven’t, let me know - I’ll send it to you.) I suspect he didn’t arrange to deal with his mail, newspaper, growing grass, lights, etc. while he was away and just got nabbed by bad guys who know what to look for.
Your fellow employees are counting on us OPSEC and Security professionals to keep them informed and protected. Do your best to inform them and with any luck they can protect themselves.
Keep the Faith!
Revelator
Everything Is Broken - Bob Dylan
Posted in Awareness, Indicators, Countermeasures, Risk, WWW, Threat, Family OPSEC
5. December 2008 by Revelator.
SIGINT (n) - intelligence information gathered from communications intelligence or electronics intelligence or telemetry intelligence.
COMINT (n) - technical and intelligence information derived from foreign communications by other than the intended recipients.
IGNORINT (n) - intelligence gathered by the direct exploitation of stupid people.
If you will grant that the biggest threat to the information you are trying to protect is the unintentional insider then you have to agree that IGNORINT collection is the biggest threat to the security of your operations. And yes, I know there is a difference between ignorance and stupidity but in the final analysis IGNORINT exploits both so I’m not going to split hairs.
Whether the information lost is because of one person’s inability to think beyond a third grade level or because the person wasn’t properly briefed doesn’t matter to the IGNORINT collector. And when it comes right down to it many properly trained and briefed individuals will let stupid override their training when put to the test. For example, otherwise intelligent and security savvy men seem to zoom right to stupid when confronted with a beautiful woman or large quantities of alcohol. And if you combine stupid-inducing amounts of alcohol with a friendly female then you have the perfect storm for IGNORINT collectors.
But don’t let me mislead you - many of us can call up stupid at will even without the aid of alcohol or other stupid-inducing products or situations and therein lies the problem. IGNORINT collectors know this and are available to exploit this known weakness at a moment’s notice. Whether it’s picking up our discarded trash, or collecting a ton or two of recycled whole white paper, or hanging out at the local watering hole, or listening to a speech at a professional symposium, or exploiting personal blogs, or…well, you get the point. We just give so much away that it blows my mind sometimes.
Humans as a species are designed to make mistakes and consistently do things that are generally considered not that bright. But what are we to do about it? Well, if you’re looking for The Revelator to enlighten you then you just might be in for a long wait. About all you can do is acknowledge this vulnerability and fight against it in any way you can. Good luck with that. And if you come up with a way to somehow defeat even a small amount of IGNORINT collection you let me know.
Keep the Faith!
Revelator
Chain of Fools - Aretha Franklin
Posted in Awareness, Vulnerabilities, Threat, General OPSEC
19. September 2008 by Revelator.
2 = 4. Wait a minute - no it doesn’t; 2 + 2 = 4. Yeah, that’s better. See how that makes sense? We took one thing (2) and added it to another thing (2) to get the new thing (4). Now, I must be fair and say that while the above is true, so also is this; 4 = 4. But that is a given isn’t it? I mean, even if we can’t add we can see that one thing is always equal to itself. So where am I going with this? You can’t answer that question can you? No you can’t. So far all I’ve given you is the first “2” but I’ve yet to give you the other “2” so there is no way you can deduce “4” and know just what the hell I’m trying to say. Know what I mean? I didn’t think so…and I don’t blame you.
Perhaps this will help… Last week my wife asked me this question; “Do we have any plans for Saturday?” To which I replied; “Nope.” and went back to watching the Huntington Beach Bad Boy wail on some poor guy with more tattoos than skills. But not before I pondered for a brief moment the nature of her question. The possible answers were many and varied so without further thought I disregarded the question.
Saturday night came and my wife had thrown me a wonderful surprise party. When she asked her question earlier in the week I unknowingly had the first “2” but I never knew there was another “2” so there was no way of knowing that “4” was coming on Saturday night.
Such is not the case with hostile intelligence collectors. When a bad guy sees the first “2” his natural inclination is to ask himself; “2 + what = 4?” And so begins the collection effort that could very well determine the other “2”. Had I been the least bit curious about my wife’s question I could have asked her a series of questions that may have turned up the info required for me to deduce the “4” - that she was throwing me a surprise party.
Likewise, when an intelligence collector sees the event calendar of an organization on their web site (2) and subsequently sees a military exercise schedule that ties the two together on yet another web site (2)…well, it’s easy to see how he determines that this organization will be participating in the exercise (4). Unfortunately for us this means that we have now revealed critical information about when and where we will be performing, testing or exercising our mission and we’ve also focused his future collection efforts against us. On the Good/Bad scale, this is what us old OPSEC pros call “bad.”
Always understand that we do not operate in vacuums. What we say as well as what we publish can have far reaching negative effects. Now, while we can’t always protect the other “2” we can do our level best to make sure that our “2” doesn’t get seen, read, or heard so that the bad guy doesn’t ever get the “4” we’re ultimately trying to protect.
Keep the Faith!
Revelator
I Still Haven’t Found What I’m Looking For - U2
Posted in Critical Information, Risk, Vulnerabilities, Threat
30. May 2008 by Revelator.
Firewall and system probing, Network File Systems application attacks, email attacks, vendor default password attacks, spoofing, sniffing, fragmentation and splicing attacks. Where will it all end? Since this is clearly our biggest security concern why can’t we fix it? Why aren’t we throwing all our money, manpower and technical abilities at this problem? Computer crimes cost us $32 million in 2006. Boy, I’ll tell you what - somebody better do something quick. Unless the computer isn’t our biggest security concern…
But if (as I imply) the computer isn’t the biggest threat to the security of our organization or mission, then what is? Here’s a clue - look above. Didn’t you read all that stuff in the first paragraph? Of course the computer is the biggest threat to the security of your organization/mission. Or is it…
Well, duh. The computer and its evil spawn the INTERNET is just teeming with demon hackers who are trying to either crash or rape your system every minute of every day. It’s all over the news! Technology is killing security. Punks who were born with Playskool See-n-Hack starter laptop kits are wreaking havoc all over the technosphere. What’s an OPSEC Program Manager to do? Hell, you’re not the IT Security dude. You know nothing of firewalls, routers and DMZs. Face it partner - you’re screwed. Unless…I mean, unless the computer is not the biggest threat to the security of your organization/mission…
And here we are again. What is, and will remain, the biggest threat to security in your organization is the person in the next cubicle, or the next stall, or the next chair, or sitting across from you at lunch asking you to pass the pink or yellow stuff that really isn’t sugar but will kill you just as fast. Humans…whattaya gonna do?
I can’t count the number of times I’ve been allowed into “secure” facilities by people who should have known better. And you would be surprised how many buildings you can waltz right through when you’re wearing a UPS uniform and carrying a couple of boxes. You can have the best physical security money can buy for your building but if smokers leave the back door propped open for convenience…establish a great password policy but if your people write their passwords down…carefully screen all information you put on your web page but if Marketing feels the need to publicize…
The old saying is that we spend 80% of our security money protecting ourselves from outside threats while, in truth, 80% of our threat comes from within your own organization. The next time you head over to the fridge to see if anyone has left a Klondike bar without a name on it take a look around - you are surrounded by people who will unmaliciously give away sensitive information at the drop of a hat. They don’t mean to by the way. They just haven’t been properly educated about how NOT to inadvertently give away sensitive and critical information. That’s your job - now get to it!
Keep the Faith!
Revelator
Posted in Risk, Countermeasures, Critical Information, Vulnerabilities, Threat, Program Management, WWW, Computer Intrusions
20. May 2008 by Revelator.
Q: How much money does a full-time OPSEC manager make annually?
A: It’s not about the money you self-serving SOB.
Q: Which really comes first; Critical Information Identification or Threat Analysis?
A: Some say OPSEC is an iterative process and you can do whatever step in the process whenever the hell it feels right. Others would argue that if you don’t have a threat then who cares what your critical information is. But for me - Saint Ron (Pres Reagan) listed CI identification first and that’s good enough for me.
Q: What is the best way to get leadership support for my OPSEC program?
A: There is no “best” way but here are some suggestions: begging, bribery, coercion, blackmail, threats, acid filled water pistol, doctored photos, water-boarding, repeated viewing of Molly Shannon skits from Saturday Night Live. Folks, I really don’t have a solid answer for this one. Sometimes you just get lucky and have leadership that understands OPSEC and its importance to the mission. Other OPSEC Managers are just real good salesmen who convince management of the need for OPSEC. If any of you out there have a good idea or war story please click the comment link and I’ll get it to the masses.
Q: OPSEC says to avoid stereotyped activities but there is validity in the thought that if it worked once it will work again. So isn’t OPSEC really saying that even though it worked once we really want you to try something different that may or may not work? And isn’t this harmful to the potential success of the mission?
A: Helluva question. I’ll leave this one to the readers to respond to - come on folks - send me your responses.
Q: Why do all the posters tell me to “Think” OPSEC? Wouldn’t it be better if I “Acted” OPSEC?
A: Clearly. “Thinking” something is great only if there is an action tied to the thought. Why just the other day I “thought” drive the speed limit - but I didn’t actually drive the speed limit so what good was thinking it? This morning I “thought” diet and then had four biscuits with about a quart of gravy. And come Friday evening I’m pretty sure I’m gonna “think” about not having that next beer - I think y’all can tell where this is going. Thinking OPSEC must be followed by performing some act of OPSEC.
Now I know that many of you have serious OPSEC questions. This entry is just my way of getting the ball rolling. If you have ANY questions about OPSEC that you would like answered please send them to me. We’ll treat them seriously and try to get some good answers for you. Of course we’ll also accept those sent in a humorous vein and do our best to respond in kind.
Keep the Faith!
Revelator
Posted in Awareness, Leadership Support, Countermeasures, Threat, Critical Information Lists