You are currently browsing the archives for the Vulnerabilities category.
20 April 2012 by Revelator.
Pop Quiz time fellow OPSECers:
Q: Which of the following is the BEST example of an out-of-office statement for your work email?
A: I’m not in. Don’t know where I’m going. Don’t know how long I’ll be gone. Don’t know when I’m coming back - and neither do you. OPSEC Baby! I will be checking email daily.
B: I am currently out of the office for 14 glorious days. I finally got my vacation approved and I’m taking the little woman, Junior and baby girl to the Atlantis Resort (and casino!!). For any security issues don’t even think about contacting me! Instead, please contact Regional Security Manager Susie Smith at (555)-555-1234. BTW: she is also the SAP coordinator. Assuming I actually come back to work (ha-ha) all emails will be addressed on my return.
C: I am currently out of the office. If you need immediate assistance please contact Joe Smith at (555)-555-1234.
D: I am on travel until the first of next month. I’m attending a classified conference which means I won’t have my laptop during the conference (8am - 5pm each day). I can’t even check during lunch so I’ll be leaving my laptop in my hotel room but I promise to get back to you after 5pm. If you really need to contact me call the Springfield Marriott and ask for me (room 209), Steve Jones (room 426) or Joey Smith (room 427) and they’ll put you through. For those of you working on Project Nighttrain - I won’t have access to JWICS or SIPR until I get back so don’t bother sending anything to those accounts. Have a great day.
Assuming I don’t have to actually give you the correct answer I surely hope you get the point. What you put in your out-of-office statement - or your voicemail message - must be free of sensitive information. This also speaks to need-to-know. There are a multitude of reasons why this is important and a multitude of ways an adversary could exploit your information - suffice to say that you need to heed this advice. Keep your out-of-office email statements and your voicemail recordings short and to the point. Don’t include any information that doesn’t absolutely need to be there.
Keep the Faith!
Revelator
Vacation - The Go-Go’s
Posted in Critical Information, Awareness, Countermeasures, Vulnerabilities, Conferences, General OPSEC
10 April 2012 by Revelator.
Ah yes, the Insider Threat rears its ugly head again. I just read that a Task Force is about to release a draft insider threat policy. The article goes on to talk about the WikiLeaks breach and protecting us from the myriad of hostile insiders who can, thanks to the technology boom, be very successful at causing us great harm. It further says: “…the insider threat is different today because people can more rapidly access and exploit large amounts of secret information.” I have no argument with that statement and I have no argument that a Task Force has been convened to draft a far-reaching policy to deal with these miscreants.
No; my problem deals with ignoring the unintentional threat. In my experience the insider threat is the greatest challenge we face when talking about the security of an organization. If we create a policy that only speaks to the malicious insider threat we are doing ourselves a great disservice by ignoring the unintentional insider. Clearly, I haven’t read the draft policy and I sincerely hope that there is verbiage dealing with the unintentional insider but I certainly didn’t hear it in the article and I suspect, unfortunately, that this threat will be ignored in the new policy.
To get my complete thoughts on the insider threat please see “Welcome to the Jungle” - 30May08, “Insider” - 09Oct08 and “Chain of Fools” - 05Dec08.
The referenced article can be read at http://www.federaltimes.com/article/20120405/AGENCY03/204050304/1004/AGENCY03.
Keep the Faith!
Revelator
Dancing in the Dark - Bruce Springsteen and the E Street Band
Posted in Vulnerabilities, Threat
5 February 2010 by Revelator.
While reading “Hour Game” by David Baldacci I came upon a narrative that screamed OPSEC better than anything I’ve read or seen on TV lately. Never underestimate the threat - in any situation…
He watched the old couple totter out of the supermarket and ease into their Mercedes station wagon. He wrote down the license plate number. He would run it later on the Internet and get their home address. They were doing their own shopping, so they probably had no live-in help or grown children nearby. The make of the car was relatively new, so they weren’t surviving solely on Social Security. The man wore a cap with the logo of the local country club. That was another potential gold mine of information he might later tap.
He sat back and waited patiently. More prospects were sure to come in the busy shopping center. He could consume all he wanted without ever once taking out his wallet.
A few minutes later an attractive woman in her thirties came out of a pharmacy carrying a large bag. His gaze swung to her, his homicidal antennae twitching with interest. The woman stopped at the ATM next to the pharmacy, withdrew some cash and then committed what should have been classified as a mortal sin for the new century: she tossed the receipt into the trash before climbing into a bright red Chrysler Sebring convertible. Her vanity plate read “DEH JD.”
He quickly translated that to be her initials and the fact that she was a lawyer, the “JD” standing for Juris Doctor. Her clothes told him she was fastidious about her appearance. The tan on her arms, face and legs was deep. If she was a practicing lawyer, she probably had just come back from vacation or else had visited the tanning booth over the winter. She was very fit-looking, her calves particularly well developed. His gaze had fixed on the gold anklet she wore on her left leg as she climbed in her car. That was intriguing, he thought.
She had a current-year American Bar Association bumper sticker, so the odds were she was still practicing law. And she was also single - there was no wedding ring on her finger. And right next to the ABA bumper sticker was a parking permit for a very expensive gated residential development about two miles from here. He nodded appreciatively. These stickers were very informative.
He parked, got out of the Bug, walked over to the trash can, made a show of throwing something away and in the same motion plucked out the ATM receipt. The woman really should have known better. She might as well have tossed her personal tax return in the trash. She was now naked, completely open to any probing he wanted to do.
When he got back to his car, he looked at the name on the account: D. Hinson. He’d look her up in the phone book later. And she’d also be in the business listings, so he’d know which law firm in town she worked at. That would give him two potential targets. Banks had started leaving off some of the numbers of the account because they knew their customers stupidly disposed of their receipts where they were easy picking for people like him.
He kept trolling under the warming sun. What a nice day it was shaping up to be. He reclined slightly in his seat only to perk up when off to his right a soccer mom started loading groceries in her van. He wasn’t guessing there: she wore a T-shirt that announced her status. An infant rode in the car seat in the rear. A green bumper sticker announced that the woman was the mom of an honor roll student at Wrightsburg Middle School for the current school year.
Good to know, he thought: seventh or eighth grader and an infant. He pulled into the space next to the van and waited. The woman took the cart back to the front of the store, leaving the baby completely unguarded.
He got out of the Bug, leaned into the van’s open driver’s side window and smiled at the baby, who grinned back, chortling. The interior of the van was messy. Probably so was the woman’s house. If they had an alarm system, they probably never turned it on. Probably forgot to lock all the doors and windows too. It was a wonder to him that the crime rate in the country wasn’t far higher what with millions of idiots like her staggering blindly through life.
An algebra book was in the backseat; the middle school child’s, no doubt. Next to it was a children’s picture book, so there was at least a third child. This deduction was confirmed by the presence of a pair of grass-stained tennis shoes in the rear floorboard; they looked to be those of a five- or six-year-old boy.
He glanced in the passenger seat. There it was: a People magazine. He looked up. The woman had just slammed the cart back into the rack and had now paused to talk to someone coming out of the store. He reached in and drew the magazine toward him. Name and home address were on the mailing label. He already had her home phone number. She’d helpfully put it on the For Sale sign on the window of her van.
Another bingo. Her keys were in the ignition. He placed a piece of soft putty over the ones that looked like house keys, taking quick impressions. It made the breaking in and entering part a lot easier when you didn’t have to “break” when you “entered.”
A final home run. Her cell phone was in its holder. He looked up. She was still gabbing away. Had he been so inclined he could have killed the kid, stolen all her groceries and torched the car, and the woman would never even know it until someone started screaming at the flames shooting into the sky. He glanced around. People were far too busy with their lives to notice him.
He snatched the phone, hit the main screen button and got her cell phone number. Then he accessed her phone book, took a digital camera the size of his middle finger from his pocket and snapped pictures of screen after screen until he had all the names and phone numbers in her directory. He returned the phone, waved bye-bye to baby and slipped back into his car.
He went over his list. He had her name, home address and the fact that she had at least three kids and was married. The mailing block had been addressed to both Jean and Harold Robinson. He also had her home phone number, cell phone number and the names and numbers of a host of others important to her as well as impressions of her house keys.
She and her lovely family belong to me now.
Keep the Faith
Revelator
Who Wrote The Book Of Love - The Monotones
Posted in Risk, Critical Information, Awareness, Vulnerabilities, Threat, Family OPSEC, Analysis, General OPSEC
18 December 2009 by Revelator.
This is just unfreakingbelievable!
Hackers steal SKorean-US military secrets
By Kwang-tae Kim, Associated Press Writer, Fri Dec 18, 7:19 am ET
SEOUL, South Korea – South Korea’s military said Friday it was investigating a hacking attack that netted secret defense plans with the United States and may have been carried out by North Korea.
The suspected hacking occurred late last month when a South Korean officer failed to remove a USB device when he switched a military computer from a restricted-access intranet to the Internet, Defense Ministry spokesman Won Tae-jae said.
The USB device contained a summary of plans for military operations by South Korean and U.S. troops in case of war on the Korean peninsula. Won said the stolen document was not a full text of the operational plans, but an 11-page file used to brief military officials. He said it did not contain critical information.
Pardon? Did I read that wrong? Let me check…“He said it did not contain critical information.” Nope - I read it right. Still can’t believe it. I mean, are you kidding me? An 11 page Executive Summary of our South Korean defense plans (OPLAN 5027) contains no sensitive information? Am I dead? Did I go to OPSEC hell and not get greeted by the demon of OPSEC? I’ve met this demon before - his name is Ignorance - so I’m pretty sure I would know him if he was greeting me at the gates of OPSEC hell. Perhaps this is a dream? Damn it people - just saying something isn’t so does not make it not so. Sure that’s a horrible sentence but let me show one that is far worse: “He said it did not contain critical information.” See? Much worse.
And don’t give me that nonsense that denying it had critical information is our way of not confirming to the North Koreans that it did indeed contain sensitive information. You know who says stuff like that? People who don’t understand the adversary. To be so blind as to think that North Korea doesn’t have a damn good idea of what is essentially contained in OPLAN 5027 is the height of ignorance. Especially since you can find older versions of OPLAN 5027 in all its classified glory on the internet.
I’ll grant that the 11 page summary may have been unclassified but there is no way I’m going to grant it didn’t contain critical information. Unless the only definition you have of critical information is anything that’s classified - and we know that’s just not true. Too bad not everybody understands that these days.
Thanks to my good friend Kirk for letting me know about this.
Keep the Faith!
Revelator
Tell It Like It Is - Aaron Neville
Posted in Risk, Critical Information, BS, Vulnerabilities, Threat, Media, WWW, Computer Intrusions
29 January 2009 by Layne.
I don’t get out much. I suspect this is why my friend Bob (actually his wife Krystal) has been trying for months to set me up on a blind date with (I’m told) a very special friend of theirs named Sally. I am basically a private person and being single certainly has its advantages but sharing your love with someone who loves you back is a special feeling and I guess I’ve been missing that feeling more and more lately. So, after careful consideration (and more than a couple of beers with Bob), I decided to man up and agree to the blind date.
Our shared Shrimp Cocktail is fantastic (she even insisted I eat the 5th and final shrimp) and then it happened. She asked me where I worked. I answered vaguely and could tell she wasn’t impressed. This seemed to add fuel to her inquisitor fire and she let loose with what seemed to me to be something akin to what the detainees at Gitmo must go through…
Have you ever been married? No.
Do you have any kids? Not that I’m aware of.
How many jobs have you had? Seven.
Have you always lived here? No, I’ve moved many times.
What TV shows do you watch? You mean, which don’t I watch.
Where do your parents live? Somewhere in Idaho - we don’t stay in touch.
Do you have any brothers and sisters? Five brothers - seven sisters.
Where do they live? Beats me.
What would you do if Scott Baio walked in right now? Not a damn thing.
Ever use illegal drugs? No, but I can tell you there is quite a profit in selling them.
Do you smoke? Not since you got here.
Do you travel much? None of your business.
Do you live in a house or an apartment? House.
Is that your second drink? I guess so.
Do you own the house? Do any of us really “own” anything?
Have you ever been to an IKEA? Not since the incident.
Boxers or briefs? Commando.
Do you use the snooze button in the morning? No, can’t quite figure it out.
Don’t you think cell phones are just a fad? That’s a pretty stupid question don’t you think?
Do you go to church? If by “church” you mean place of worship then no.
Do you own any real estate? Disneyland - but only the third parking spot in the “Goofy” section.
What are your hobbies? Does Obsessive/Compulsive Disorder count?
How long have you known Bob and Krystal? Since the accident.
Don’t you just love their triplets Bob Jr, Rob and Bobby? Who?
What kind of car do you drive? ‘71 Chevy Vega - only six payments left till it’s mine.
Isn’t that your third drink? No, I had one when you went to the can.
Are you close to your mother? You mean sexually?
What size shoes do you wear? 9 and 10 and a half.
Have you ever been to a foreign country? I spent a night in Paris, Texas once.
Can you cook? Do I look like a woman to you?
Do you go out to movies much? Does porn count?
Don’t you think Angie and Brad should adopt a baby from Darfur? Who are Angie and Brad?
How do you feel about plastic surgery? Only if you’re working your way through college.
Home school, private school or public school? Public - kids need to learn how to fight these days.
What is with the price of gas these days? How the hell would I know?
What is your favorite color? Plaid.
Which side of the bed do you like to sleep on? The clean side.
Don’t you think President Obama is the most handsome president ever? No. I’ve always felt Van Buren had a certain undeniable sexiness about him.
Do you think Elvis is really dead? Who cares. Hip hop rules!
Four! Are you an alcoholic? Actually five, you missed one remember. Also, this is a double so I guess it’s really six. You got a problem with that?
Do you dream in color? Only my violent ‘Nam flashbacks are in color.
Any history of heart attack in your family? Oh yeah, bunches.
Do you know any martial arts? No, but I’m packing heat if you need it.
Isn’t antique shopping fun? Again, do I look like a woman to you?
Why was Charles Manson so darn angry? Not sure…I’ll ask him when we’re IM’ing tonight.
This went right on through the main course (Filet for me, Grilled Snapper with Mango for her) and much to my chagrin rolled right into dessert.
$175 bucks (with tip) and no second date. I’ve replayed the evening over and over in my head and I can’t quite put my finger on exactly what went wrong. Maybe I should have protected certain information about myself. I mean, I totally underestimated her ability to exploit my weaknesses. I guess I never really thought about how vulnerable I was or the risk I was taking on this blind date. Next time I’m totally going to come up with some ways to protect myself and who knows…maybe I’ll even get a second date.
Keep the Faith!
Revelator
Long Tall Sally - Little Richard
Posted in Vulnerabilities
5 December 2008 by Revelator.
SIGINT (n) - intelligence information gathered from communications intelligence or electronics intelligence or telemetry intelligence.
COMINT (n) - technical and intelligence information derived from foreign communications by other than the intended recipients.
IGNORINT (n) - intelligence gathered by the direct exploitation of stupid people.
If you will grant that the biggest threat to the information you are trying to protect is the unintentional insider then you have to agree that IGNORINT collection is the biggest threat to the security of your operations. And yes, I know there is a difference between ignorance and stupidity but in the final analysis IGNORINT exploits both so I’m not going to split hairs.
Whether the information lost is because of one person’s inability to think beyond a third grade level or because the person wasn’t properly briefed doesn’t matter to the IGNORINT collector. And when it comes right down to it many properly trained and briefed individuals will let stupid override their training when put to the test. For example, otherwise intelligent and security savvy men seem to zoom right to stupid when confronted with a beautiful woman or large quantities of alcohol. And if you combine stupid-inducing amounts of alcohol with a friendly female then you have the perfect storm for IGNORINT collectors.
But don’t let me mislead you - many of us can call up stupid at will even without the aid of alcohol or other stupid-inducing products or situations and therein lies the problem. IGNORINT collectors know this and are available to exploit this known weakness at a moment’s notice. Whether it’s picking up our discarded trash, or collecting a ton or two of recycled whole white paper, or hanging out at the local watering hole, or listening to a speech at a professional symposium, or exploiting personal blogs, or…well, you get the point. We just give so much away that it blows my mind sometimes.
Humans as a species are designed to make mistakes and consistently do things that are generally considered not that bright. But what are we to do about it? Well, if you’re looking for The Revelator to enlighten you then you just might be in for a long wait. About all you can do is acknowledge this vulnerability and fight against it in any way you can. Good luck with that. And if you come up with a way to somehow defeat even a small amount of IGNORINT collection you let me know.
Keep the Faith!
Revelator
Chain of Fools - Aretha Franklin
Posted in Awareness, Vulnerabilities, Threat, General OPSEC
19 September 2008 by Revelator.
2 = 4. Wait a minute - no it doesn’t; 2 + 2 = 4. Yeah, that’s better. See how that makes sense? We took one thing (2) and added it to another thing (2) to get the new thing (4). Now, I must be fair and say that while the above is true, so also is this; 4 = 4. But that is a given isn’t it? I mean, even if we can’t add we can see that one thing is always equal to itself. So where am I going with this? You can’t answer that question can you? No you can’t. So far all I’ve given you is the first “2” but I’ve yet to give you the other “2” so there is no way you can deduce “4” and know just what the hell I’m trying to say. Know what I mean? I didn’t think so…and I don’t blame you.
Perhaps this will help… Last week my wife asked me this question; “Do we have any plans for Saturday?” To which I replied; “Nope.” and went back to watching the Huntington Beach Bad Boy wail on some poor guy with more tattoos than skills. But not before I pondered for a brief moment the nature of her question. The possible answers were many and varied so without further thought I disregarded the question.
Saturday night came and my wife had thrown me a wonderful surprise party. When she asked her question earlier in the week I unknowingly had the first “2” but I never knew there was another “2” so there was no way of knowing that “4” was coming on Saturday night.
Such is not the case with hostile intelligence collectors. When a bad guy sees the first “2” his natural inclination is to ask himself; “2 + what = 4?” And so begins the collection effort that could very well determine the other “2”. Had I been the least bit curious about my wife’s question I could have asked her a series of questions that may have turned up the info required for me to deduce the “4” - that she was throwing me a surprise party.
Likewise, when an intelligence collector sees the event calendar of an organization on their web site (2) and subsequently sees a military exercise schedule that ties the two together on yet another web site (2)…well, it’s easy to see how he determines that this organization will be participating in the exercise (4). Unfortunately for us this means that we have now revealed critical information about when and where we will be performing, testing or exercising our mission and we’ve also focused his future collection efforts against us. On the Good/Bad scale, this is what us old OPSEC pros call “bad.”
Always understand that we do not operate in vacuums. What we say as well as what we publish can have far reaching negative effects. Now, while we can’t always protect the other “2” we can do our level best to make sure that our “2” doesn’t get seen, read, or heard so that the bad guy doesn’t ever get the “4” we’re ultimately trying to protect.
Keep the Faith!
Revelator
I Still Haven’t Found What I’m Looking For - U2
Posted in Critical Information, Risk, Vulnerabilities, Threat
30 May 2008 by Revelator.
Firewall and system probing, Network File Systems application attacks, email attacks, vendor default password attacks, spoofing, sniffing, fragmentation and splicing attacks. Where will it all end? Since this is clearly our biggest security concern why can’t we fix it? Why aren’t we throwing all our money, manpower and technical abilities at this problem? Computer crimes cost us $32 million in 2006. Boy, I’ll tell you what - somebody better do something quick. Unless the computer isn’t our biggest security concern…
But if (as I imply) the computer isn’t the biggest threat to the security of our organization or mission, then what is? Here’s a clue - look above. Didn’t you read all that stuff in the first paragraph? Of course the computer is the biggest threat to the security of your organization/mission. Or is it…
Well, duh. The computer and its evil spawn the INTERNET is just teeming with demon hackers who are trying to either crash or rape your system every minute of every day. It’s all over the news! Technology is killing security. Punks who were born with Playskool See-n-Hack starter laptop kits are wreaking havoc all over the technosphere. What’s an OPSEC Program Manager to do? Hell, you’re not the IT Security dude. You know nothing of firewalls, routers and DMZs. Face it partner - you’re screwed. Unless…I mean, unless the computer is not the biggest threat to the security of your organization/mission…
And here we are again. What is, and will remain, the biggest threat to security in your organization is the person in the next cubicle, or the next stall, or the next chair, or sitting across from you at lunch asking you to pass the pink or yellow package that really isn’t sugar but will kill you just as fast. Humans…whattaya gonna do?
I can’t count the number of times I’ve been allowed into “secure” facilities by people who should have known better. And you would be surprised how many buildings you can waltz right through when you’re wearing a UPS uniform and carrying a couple of boxes. You can have the best physical security money can buy for your building but if smokers leave the back door propped open for convenience…establish a great password policy but if your people write their passwords down…carefully screen all information you put on your web page but if Marketing feels the need to publicize…
The old saying is that we spend 80% of our security money protecting ourselves from outside threats while, in truth, 80% of our threat comes from within our own organization. The next time you head over to the fridge to see if anyone has left a Klondike bar without a name on it take a look around - you are surrounded by people who will unmaliciously give away sensitive information at the drop of a hat. They don’t mean to by the way. They just haven’t been properly educated about how NOT to inadvertently give away sensitive and critical information. That’s your job - now get to it!
Keep the Faith!
Revelator
Posted in Risk, Countermeasures, Critical Information, Vulnerabilities, Threat, Program Management, WWW, Computer Intrusions