Social Engineering Blogs

An Aggregator for Blogs About Social Engineering and Related Fields

The Security Dialogue Blog July 15, 2013

OPINION: Who You Callin’ An “Expert”?!

Recently, someone called me an “expert”. While I was extremely flattered, it made me think a lot about my initial reaction to that label. If you’ve been in this field, you will note there are several people who go around calling themselves “experts”. A few of them are and a lot of them aren’t. Most of my introspection was with where I saw myself and how I allowed others to see me. Am I an “expert” or a guy who likes to talk a lot about security?

The answer to both of those is a paradox of sorts, as they are equally complicated and simple. According to some, being an “expert” means knowing a lot of stuff about security and sounding half-way intelligent about that stuff. Some would argue I fit into that category. While I hope I’m not, I certainly can understand how people can see me that way. Many people know a lot of stuff about a lot of stuff and “talk a good game” but lack real depth in their knowledge or experience. So, I can’t help but wonder, with 10 years of doing various jobs in security, a blog, and some above-basic knowledge, where does that place me? I’m also very passionate about security. Does passion, knowledge, and an audience make someone an “expert” and should I even want to be considered one?

When I first decided to start this blog, I did it with the intention of sharing security news and information with my audience. It soon became an opportunity to share my opinions and insight. While all that was very important, I always felt I needed something more constructive. There are tons of people all over social media and the rest of the Net who believe the “smarter” you sound, the greater your expertise. I have found a great deal of those people lack expertise and oftentimes, real knowledge of the subject matter. Don’t get me wrong. I’m guilty of this as well at times. Very guilty, as a matter of fact.

So what am I? I’m a student of security in both the literal sense and the rhetorical as well. I’m eager and willing to learn from anywhere. I’m not afraid to test an idea or hypothesis in the field or be reviewed by my peers. Sometimes, what I say and do sucks. I get stuff wrong – A LOT. My ideas may not be preferred or have any chance of success. Occasionally, I don’t stay in my lane. Okay. I can hear you laughing. I don’t stay in my lane enough at times.

So how do I go about fixing this? I decided to start changing how I viewed my interactions with people and the objectives I set for them. In other words, I felt it was less important to demonstrate knowledge than it was to receive and learn from others. I had been afforded an opportunity to label myself as an “expert” many times. It always felt hollow and empty, as if it was undeserved. After all, I was a security guard not too long ago and I had very average experiences in the military. I wasn’t Special Forces or with a federal agency doing anything “special”. My resume is a reflection of being very lucky and being at the right place at the right time. I did a lot of cool things and saw some cool places in this world. But was I an “expert”? No, I am not.

Too many “experts” are not willing to admit they are in fact still learning. Too many believe it is more important to demonstrate knowledge than to receive it. Too many believe the best analysis of a problem is the one that is more conducive to a “solution” they’ve created. Instead of more people willing to tell us about security, we need more people willing to sit down, shut up, and listen to what others have to share. From now on, I’ll be sharing my knowledge in an attempt to learn more than I teach. The only question left to ask is “Will I be alone?”

Filed Under: Security

The Security Dialogue Blog July 15, 2013

OPINION: Why Crime Prevention Fails

I have a pet-peeve with the current spate of “anti-theft” apps for mobile devices. My problem doesn’t lie with their technology. Nope, my issue is with their marketing. There are a plethora of these apps that are being called “crime prevention tools”. I know what you’re thinking, “But if someone takes my cell phone, this app will use the GPS to track my phone and send me an email so I can tell the police where to get my phone.” True, but answer this question – What crime did it stop? Seriously, what crime did your app stop? And therein lies the problem with the app and with how we view crime prevention.

Part of the reason we have such a high rate of crime in this country resides mostly in our definition of “crime prevention”. Many times, we mistakenly believe “prevention” relies on the response to the crime. A faster recovery means we’ve sent a message to the bad guys that they can’t take our stuff without the cops coming to get them. Stop laughing. That’s the message the creative marketing teams behind these apps and other products will have you believe. Remember Nancy Reagan’s “just say no” campaign and the “war on drugs/crime”. Those sent a clear message to the bad guys – we have no clue how to stop you.

Stopping crime is a noble objective but no crime is totally preventable. As a matter of fact, it’s a safe bet that at some point in your life, you will be a victim of a crime. After 10 years of doing law enforcement in the military and my current job, I have an idea as to why this is. Simply put, the reason you will be a victim of crime at some point in your life rests in two places and neither of which needs the other for the crime to take place.

The first place where the crime onset takes place is with the criminal. Remember what I said a few posts ago about how the attacker will ultimately attack you regardless of what you do? The same idea applies here. You can’t control what an attacker will do. If he/she is motivated and skilled enough, which are two things you can’t always plan on, there is very little you can do beforehand to stop them. That’s not a defeatist attitude. This is me directing you to the second place where the crime onset occurs – the victim.

Victims, typically, do a lot of things good before an attack occurs but they also do some things terribly wrong. Where things go wrong for them is in their attitude – “I never thought it would happen to me…..But I lock my doors….Why me?” There are loads of reasons you were selected to be a victim. None of which you may have had any control over. It is for this reason I think we need a new crime strategy – crime mitigation.

As we’ve discussed before, your attitude towards crime mitigation has to be proactive. You have to be thinking about the best way to lower your chances of being a victim and lessening the damage from an attack. Whether you purchase a smart phone or sports car, you should have a proactive attitude towards engaging the threat. Buying an alarm or an app won’t stop theft but planning on it to happen at some point may not only mitigate the damage but provide more creative solutions to prevent the loss from happening in the first place.

Filed Under: law enforcement

The Security Dialogue Blog June 6, 2013

Terrorism and Intelligence Legislation You Should Know About But Don’t

Now that this NSA story has spawned an insane amount of nonsensical and baseless conjecture on my Twitter feed, I thought I’d take a moment and educate everyone on intelligence and terrorism legislation they should already know about but don’t for various reasons.

Terrorism:
  • Biological Weapons Anti-Terrorism Act of 1989
  • Executive Order 12947 signed by President Bill Clinton Jan. 23, 1995, Prohibiting Transactions With Terrorists Who Threaten To Disrupt the Middle East Peace Process, and later expanded to include freezing the assets of Osama bin Laden and others.
  • Omnibus Counterterrorism Act of 1995
  • US Antiterrorism and Effective Death Penalty Act of 1996 (see also the LaGrand case which opposed in 1999-2001 Germany to the US in the International Court of Justice concerning a German citizen convicted of armed robbery and murder, and sentenced to death)
  • Executive Order 13224, signed by President George W. Bush Sept. 23, 2001, among other things, authorizes the seizure of assets of organizations or individuals designated by the Secretary of the Treasury to assist, sponsor, or provide material or financial support or who are otherwise associated with terrorists. 66 Fed. Reg. 49,079 (Sept. 23, 2001).
  • 2001 Uniting and Strengthening America by Providing Appropriate Tools for Intercepting and Obstructing Terrorism Act (USA PATRIOT Act) (amended March 2006) (the Financial Anti-Terrorism Act was integrated to it) – I don’t have enough energy to discuss the Patriot Act. All you need to know is that it gives the US government very broad powers in order to combat terrorism.
  • Homeland Security Act of 2002, Pub. L. 107-296.
  • Support Anti-Terrorism by Fostering Effective Technologies Act (SAFETY Act) of 2002
  • REAL ID Act of 2005 – Perhaps one of the most controversial pieces of legislation from the Bush era, it set forth certain requirements for state driver’s licenses and ID cards to be accepted by the federal government for “official purposes”, as defined by the Secretary of Homeland Security. It also outlines the following:
      • Title II of the act establishes new federal standards for state-issued driver licenses and non-driver identification cards.
      • Changing visa limits for temporary workers, nurses, and Australian citizens.
      • Funding some reports and pilot projects related to border security.
      • Introducing rules covering “delivery bonds” (similar to bail bonds but for aliens who have been released pending hearings).
      • Updating and tightening the laws on application for asylum and deportation of aliens for terrorist activity.
      • Waiving laws that interfere with construction of physical barriers at the borders
  • Animal Enterprise Terrorism Act of 2006 – The Animal Enterprise Terrorism Act (AETA) prohibits any person from engaging in certain conduct “for the purpose of damaging or interfering with the operations of an animal enterprise.” and extends to any act that either “damages or causes the loss of any real or personal property” or “places a person in reasonable fear” of injury.
  • Military Commissions Act of 2006 – The United States Military Commissions Act of 2006, also known as HR-6166, was an Act of Congress signed by President George W. Bush on October 17, 2006. The Act’s stated purpose was “To authorize trial by military commission for violations of the law of war, and for other purposes.” It was declared unconstitutional by the Supreme Court in 2008 but parts remain in order to use commissions to prosecute war crimes.
  • National Defense Authorization Act of 2012 – The second most controversial piece of legislation from the War on Terror authorizes “the President to use all necessary and appropriate force pursuant to the Authorization for Use of Military Force (Public Law 107-40; 50 U.S.C. 1541 note) includes the authority for the Armed Forces of the United States to detain covered persons (as defined in subsection (b)) pending disposition under the law of war.
    (b) Covered Persons- A covered person under this section is any person as follows:
        (1) A person who planned, authorized, committed, or aided the terrorist attacks that occurred on September 11, 2001, or harbored those responsible for those attacks.
        (2) A person who was a part of or substantially supported al-Qaeda, the Taliban, or associated forces that are engaged in hostilities against the United States or its coalition partners, including any person who has committed a belligerent act or has directly supported such hostilities in aid of such enemy forces.
    (c) Disposition Under Law of War- The disposition of a person under the law of war as described in subsection (a) may include the following:
        (1) Detention under the law of war without trial until the end of the hostilities authorized by the Authorization for Use of Military Force.
        (2) Trial under chapter 47A of title 10, United States Code (as amended by the Military Commissions Act of 2009 (title XVIII of Public Law 111-84)).
        (3) Transfer for trial by an alternative court or competent tribunal having lawful jurisdiction.
        (4) Transfer to the custody or control of the person’s country of origin, any other foreign country, or any other foreign entity.
    (d) Construction- Nothing in this section is intended to limit or expand the authority of the President or the scope of the Authorization for Use of Military Force.
    (e) Authorities- Nothing in this section shall be construed to affect existing law or authorities relating to the detention of United States citizens, lawful resident aliens of the United States, or any other persons who are captured or arrested in the United States.
    (f) Requirement for Briefings of Congress- The Secretary of Defense shall regularly brief Congress regarding the application of the authority described in this section, including the organizations, entities, and individuals considered to be ‘covered persons’ for purposes of subsection (b)(2).”
  • Homeland Security Presidential Directive/HSPD-5 requires all federal and state agencies establish response protocols for critical domestic incidents in line with the National Incident Management System.

Intelligence:
  • Foreign Intelligence Surveillance Act is perhaps the most interesting and secretive of laws we have. It was enacted to combat the threat of foreign intelligence services through surveillance activities abroad and at home. It allows these broad surveillance powers to be used against foreign and domestic agents. In other words, it authorizes our government to spy on its citizens if it believes they present a credible national security threat. FISA warrants are granted by secret courts that exist solely for approving FISA warrants. Note: I said “approving” as in for every warrant the DoJ has ever applied for, they have gotten it. Nowhere else in our judicial system do such powers exist.
  • Intelligence Reform and Terrorism Prevention Act of 2004 enacted several of the 9/11 Commission’s recommendations. It established the Office of the Director of National Intelligence.
  • 18 USC § 798 – Disclosure of classified information – Criminalizes the unauthorized disclosure of classified information.
  • 50 USC § 421 – Protection of identities of certain United States undercover intelligence officers, agents, informants, and sources – Think Valerie Plame.

Filed Under: Counterterrorism, infosec, intelligence, law enforcement, Security
