infosec Archives - Page 2 of 5 - Social Engineering Blogs

The Security Dialogue Blog August 7, 2013

Ten OPSEC Lessons Learned From The Good Guys, Bad Guys, and People-in-Between

If you’ve been in the security world long enough, you’ve heard of a term called “OPSEC” or operational security. This is a security discipline in which organizations or individual operators conduct their business in a manner that does not jeopardize their true mission. If you’re a police officer who is staking out a house, it would be bad OPSEC to sit outside the house in a marked police vehicle. I think it’s prudent we discuss this discipline so we can better analyze our own processes by which we protect ourselves and our operations. Reviewing the OPSEC process is a great place to start. The following come from Wikipedia (I know – it’s super-scholarly):
Identification of Critical Information: Identifying information needed by an adversary, which focuses the remainder of the OPSEC process on protecting vital information, rather than attempting to protect all classified or sensitive unclassified information.Analysis of Threats: the research and analysis of intelligence, counterintelligence, and open source information to identify likely adversaries to a planned operation.Analysis of Vulnerabilities: examining each aspect of the planned operation to identify OPSEC indicators that could reveal critical information and then comparing those indicators with the adversary’s intelligence collection capabilities identified in the previous action.Assessment of Risk: First, planners analyze the vulnerabilities identified in the previous action and identify possible OPSEC measures for each vulnerability. Second, specific OPSEC measures are selected for execution based upon a risk assessment done by the commander and staff.Application of Appropriate OPSEC Measures: The command implements the OPSEC measures selected in the assessment of risk action or, in the case of planned future operations and activities, includes the measures in specific OPSEC plans.Assessment of Insider Knowledge: Assessing and ensuring employees, contractors, and key personnel having access to critical or sensitive information practice and maintain proper OPSEC measures by organizational security elements; whether by open assessment or covert assessment in order to evaluate the information being processed and/or handled on all levels of operatability (employees/mid-level/senior management) and prevent unintended/intentional disclosure.We should also recognize good guys aren’t the only ones who practice this discipline. As a matter of fact, the bad guys do as well and many are quite good at it. The lessons we could learn from them, our fellow security professionals, and others are almost immeasurable.
NEVER trust a big butt and a smile. Yup. I started off with that. Bear with me. Many intelligence agencies and law enforcement organizations use sex as a means to get close to a target or person of interest. Most bad guys realize this. However, many do not to their own detriment. When involved with people in a relationship or sexual encounter, they get very close to you and your secrets. I liken these people to “trusted agents” who you allow close enough to you that can get more information than you’re willing or able to share publicly. Poor OPSEC practitioners often forget this. Most of their security failures stem from this fatal flaw. I’m not saying to not be in a relationship or to eschew intimacy. If you’re in a job that requires you adhere to sound OPSEC principles, what I’m advising you to do is to exercise due diligence and conduct a risk analysis before you do. Think Marion Barry, Anthony Weiner, and Elliott Spitzer.Immortal words spoken during an EPIC fail.Always have a thoroughly vetted back-story for your cover. This is commonly referred to as “legend” in the intelligence community. This is an identity in line with your established, synthetic cover. For example, I previously mentioned the hacker known as the The Jester in a previous blog post. Depending on which side you’re on, he’s either a bad guy or a good guy. However, the lessons he teaches us about cover are insightful. Whenever someone “doxes” him, he has a prepared and detailed analysis as to how he created that cover identity. Many times he’ll use a name that does exist with a person who either does not exist or who he has cleverly manufactured using a multitude of identity generators. He’ll use disposable credit cards, email, LinkedIn profiles, VPNs which show logins from his cover location, etc. He even engages in cyber-deception with other actors to establish various cover stories for operations that require them. Whether you like him or not, he’s certainly good at one thing we know for sure – cover discipline.NEVER trust anyone you just met. I see you laughing. Many people mistakenly believe they can and should trust everyone they meet. They will often claim they don’t but their behavior says otherwise. As Ronald Reagan is often quoted is saying, “In God we trust, all others we verify” I firmly believe this to be the most crucial aspect of operational security. Proper trust is needed in any environment for the mission to be accomplished. However, blind trust can and will kill any hopes of a successful mission. Whether you’re checking identification at an entry control point or planning cybersecurity for an online bank, you should always treat every introduction you don’t initiate as suspect. Then triage people and their level of access according to risk acceptance. This is a lesson we learned with Edward Snowden. He’d only been at Booze Hamilton a few months before he began siphoning massive amounts of classified information he had no direct access or need-to-know. Another saying I’m fond of is “Keep your enemies close, but your friends closer.” I’m not saying everyone you meet is going to steal from you or betray your trust. Like my momma always says, “Not everyone that smiles at you is your friend and not every frown comes from an enemy.”Shut the hell up! No. Seriously. Shut up. If you hang around the special operations community, you’ll hear a term used to describe the work they do as “quiet professionals”. Most successful bad guys realize the best way to ensure longevity to shut the hell up. Bragging about or giving “pre-game commentary” before an operation are guaranteed ways to get caught or killed. The truly dangerous people are the one’s who never say a word and just do their work. Sometimes, lethality is best expressed with silence.

Watch what you leak. While we can keep our mouths shut, it is more difficult in the information age to keep everything connected to us quiet. In order to properly protect ourselves, we have to begin this process by conducting proper risk analysis. Is what I’m doing right now giving away something I don’t want the public to know? Is the the device or medium I’m talking on able to give away information I’m not comfortable with sharing? Does my enemy have the ability to intercept or analyze what I’m doing in order to gain sensitive information? What “tells” am I projecting? These are a few of many questions you should be asking in order to ensure you’re limiting “noise litter”.

In the information age, do I need to say more?If you’re doing secret stuff, NEVER EVER EVER EVER EVER, talk on the wire. Look at the Mafia as a perfect example of what not to do. As an OPSEC practitioner, you should never communicate on any medium that can give away your secrets or be intercepted. John Gotti got busted talking on the wire. A person rule of thumb: If it can receive messages, it can transmit messages without you knowing. Treat every computer like an informant – feed it what you’re willing to share with your adversary.NEVER ever touch or be in the same place as the “product”. For the uninitiated, that is one of first rules of the dope game. Every successfully, elusive drug dealer knows to keep away from the “product” (read “drugs). Whatever the “product” in your “game”, ensure you put enough distance between you and it. If you have to be close to it, then have a good reason to be with it.Recognize “the lion in the tall grass”. When practicing OPSEC, if there is one thing you should never forget is why you’re doing it. The reason you’re practicing it is simple – there are people out there that oppose you. Ignore them at your detriment.NEVER say something you can’t backup or prove immediately. Nothing says you’re a person needing to be checked out better than saying things you can backup or prove. People who are trying to vet you will require you backup what you say for a reason. Be ready for this. A great example of this is demonstrated by people who claim to be connected to someone of stature in order to gain access. In this case, they’re found out because the target asked the other party who could not confirm this.Treat your real intentions and identity as that gold ring from Lord of the Rings. I’m not saying put your driver’s license on a necklace so a troll who think it’s his “precious” won’t take it. First of all, that’s too cool to happen in real life. Second, you’ll look like an idiot. Finally, there are more practical ways of protecting your identity. For starters, never have anything that connects your identity to your operation. Next, if you have to use your real identity in connection with an operation, give yourself some ability to deny the connection. Lastly, NEVER trust your identity, intentions, or operations to anyone or anything other than yourself.I’ve decided to include the more practical list from the “Notorious B.I.G.” to drive home some of these principles:
TEN CRACK COMMANDMENTSRule number uno, never let no one know
How much, dough you hold, ’cause you know
The cheddar breed jealousy ‘specially
If that man *** up, get your *** stuck upNumber two, never let ’em know your next move
Don’t you know Bad Boys move in silence or violence
Take it from your highness
I done squeezed mad clips at these cats for they bricks and chipsNumber three, never trust nobody
Your moms’ll set that *** up, properly gassed up
Hoodie to mask up, s***, for that fast buck
She be layin’ in the bushes to light that *** upNumber four, know you heard this before
Never get high on your own supplyNumber five, never sell no *** where you rest at
I don’t care if they want a ounce, tell ’em bounceNumber six, that God*** credit, dig it
You think a *** head payin’ you back, *** forget itSeven, this rule is so underrated
Keep your family and business completely separated
Money and blood don’t mix like two *** and no ***
Find yourself in serious s***Number eight, never keep no weight on you
Them cats that squeeze your *** can hold jobs tooNumber nine, shoulda been number one to me
If you ain’t gettin’ bags stay the f*** from police
If niggaz think you snitchin’ ain’t tryin’ listen
They be sittin’ in your kitchen, waitin’ to start hittin’Number ten, a strong word called consignment
Strictly for live men, not for freshmen
If you ain’t got the clientele say hell no
‘Cause they gon’ want they money rain, sleet, hail, snowDon’t forget the admonition from Notorious B.IG. gives that should never be diminished:
Follow these rules, you’ll have mad bread to break up
If not, twenty-four years, on the wake up
Slug hit your temple, watch your frame shake up
Caretaker did your makeup, when you pass
An information security professional known as “The Grugq” gave a very interesting talk on OPSEC, I think it is worth taking a glance at (try to contain all laughter and bafoonery at the preview image – we’re running a family show here, folks):

The Security Dialogue Blog June 6, 2013

Terrorism and Intelligence Legislation You Should Know About But Don’t

Now that this NSA story has spawned the insane amount of nonsensical and baseless conjecture on my Twitter feed, I thought I’d take a moment and educate everyone on intelligence and terrorism legislation they should already know about but don’t for various reasons.

Terrorism:
Biological Weapons Anti-Terrorism Act of 1989Executive Order 12947 signed by President Bill Clinton Jan. 23, 1995, Prohibiting Transactions With Terrorists Who Threaten To Disrupt the Middle East Peace Process, and later expanded to include freezing the assets of Osama bin Laden and others.Omnibus Counterterrorism Act of 1995US Antiterrorism and Effective Death Penalty Act of 1996 (see also the LaGrand case which opposed in 1999-2001 Germany to the US in the International Court of Justice concerning a German citizen convicted of armed robbery and murder, and sentenced to death)Executive Order 13224, signed by President George W. Bush Sept. 23, 2001, among other things, authorizes the seizure of assets of organizations or individuals designated by the Secretary of the Treasury to assist, sponsor, or provide material or financial support or who are otherwise associated with terrorists. 66 Fed. Reg. 49,079 (Sept. 23, 2001).2001 Uniting and Strengthening America by Providing Appropriate Tools for Intercepting and Obstructing Terrorism Act (USA PATRIOT Act)(amended March 2006) (the Financial Anti-Terrorism Act was integrated to it) – I don’t have enough energy to discuss the Patriot Act. All you need to know is that it gives the US government very broad powers in order to combat terrorism.Homeland Security Act of 2002, Pub. L. 107-296.Support Anti-Terrorism by Fostering Effective Technologies Act (SAFETY Act) of 2002REAL ID Act of 2005 – Perhaps one of the most controversial pieces of legislation from the Bush era, it set forth certain requirements for state driver’s licenses and ID cards to be accepted by the federal government for “official purposes”, as defined by the Secretary of Homeland Security. It also outlines the following: Title II of the act establishes new federal standards for state-issued driver licenses and non-driver identification cards.Changing visa limits for temporary workers, nurses, and Australian citizens.Funding some reports and pilot projects related to border security.Introducing rules covering “delivery bonds” (similar to bail bonds but for aliens who have been released pending hearings).Updating and tightening the laws on application for asylum and deportation of aliens for terrorist activity.Waiving laws that interfere with construction of physical barriers at the bordersAnimal Enterprise Terrorism Act of 2006 – The Animal Enterprise Terrorism Act (AETA) prohibits any person from engaging in certain conduct “for the purpose of damaging or interfering with the operations of an animal enterprise.” and extends to any act that either “damages or causes the loss of any real or personal property” or “places a person in reasonable fear” of injury. Military Commissions Act of 2006 – The United States Military Commissions Act of 2006, also known as HR-6166, was an Act of Congress signed by President George W. Bush on October 17, 2006. The Act’s stated purpose was “To authorize trial by military commission for violations of the law of war, and for other purposes.” It was declared unconstitutional by the Supreme Court in 2008 but parts remain in order to use commissions to prosecute war crimes.National Defense Authorization Act of 2012 – The second most controversial piece of legislation from the War on Terror authorizes “the President to use all necessary and appropriate force pursuant to the Authorization for Use of Military Force (Public Law 107-40; 50 U.S.C. 1541 note) includes the authority for the Armed Forces of the United States to detain covered persons (as defined in subsection (b)) pending disposition under the law of war.
(b) Covered Persons- A covered person under this section is any person as follows:
(1) A person who planned, authorized, committed, or aided the terrorist attacks that occurred on September 11, 2001, or harbored those responsible for those attacks.
(2) A person who was a part of or substantially supported al-Qaeda, the Taliban, or associated forces that are engaged in hostilities against the United States or its coalition partners, including any person who has committed a belligerent act or has directly supported such hostilities in aid of such enemy forces.
(c) Disposition Under Law of War- The disposition of a person under the law of war as described in subsection (a) may include the following:
(1) Detention under the law of war without trial until the end of the hostilities authorized by the Authorization for Use of Military Force.
(2) Trial under chapter 47A of title 10, United States Code (as amended by the Military Commissions Act of 2009 (title XVIII of Public Law 111-84)).
(3) Transfer for trial by an alternative court or competent tribunal having lawful jurisdiction.
(4) Transfer to the custody or control of the person’s country of origin, any other foreign country, or any other foreign entity.
(d) Construction- Nothing in this section is intended to limit or expand the authority of the President or the scope of the Authorization for Use of Military Force.
(e) Authorities- Nothing in this section shall be construed to affect existing law or authorities relating to the detention of United States citizens, lawful resident aliens of the United States, or any other persons who are captured or arrested in the United States.
(f) Requirement for Briefings of Congress- The Secretary of Defense shall regularly brief Congress regarding the application of the authority described in this section, including the organizations, entities, and individuals considered to be ‘covered persons’ for purposes of subsection (b)(2).Homeland Security Presidential Directive/HSPD-5 requires all federal and state agencies establish response protocols for critical domestic incidents in line with the National Incident Management System.
Intelligence
Foreign Intelligence Surveillance Act is perhaps the most interesting and secretive of laws we have. It was enacted to combat the threat of foreign intelligence services through surveillance activities abroad and at home. It allows these broad surveillance powers to be used against foreign and domestic agents. In other words, it authorizes our government to spy on its citizens if it believes they present a credible national security threat. FISA warrants are granted by secret courts that exist solely for approving FISA warrants. Note: I said “approving” as in for every warrant the DoJ has ever applied for, they have gotten it. Nowhere else in our judicial system do such powers exist.Intelligence Reform and Terrorism Prevention Act of 2004 enacted several of the 9/11 Commission’s recommendations. It established the the Office of the Director of National Intelligence.18 USC § 798 – Disclosure of classified information – Criminalizes the unauthorized disclosure of classified information.50 USC § 421 – Protection of identities of certain United States undercover intelligence officers, agents, informants, and sources – Think Valerie Plame.

The Security Dialogue Blog May 25, 2013

Loose Lips Just Don’t Sink Ships – How Leaks Compromise More Than Just Secrets

This is how the Taliban handles spies.
I’ll preface this piece by saying for the record “I am NOT a spy nor have I EVER been a spy. I have NEVER worked inside the intelligence community. What you read here is my opinion backed up by historically factual information.” Whew! Now that I’ve gotten that out of the way, we can discuss a topic I’ve been meaning to cover – why unauthorized disclosure of sensitive information should remain illegal without legal protections for anyone.

Most people have no clue how the United States and other countries obtain their human intelligence. They assume we send American spies into foreign lands who sneak around embassies and high-end hotels and casinos battling terrorists and criminal kingpins. Most students of modern US intelligence will tell you that is NOT the case. In fact, how we get that intelligence is by sending American intelligence officers who are trained to be clandestine but who do not steal information themselves. That’s right. Most human intelligence officers are highly-trained salesmen and recruiters who work diligently to get citizens from target countries to spy on their respective countries. In other words, our HUMINT officers convince other people to betray target states and organizations. We can also get that information by using third-party human intelligence from another country who may be more ethnically credible to penetrate certain denied areas. We’ll touch on that later.

This week you have no doubt heard about the Associated Press debacle with the Department of Justice. What you may not be aware of is the “leak” in question is about the alleged penetration of our government and the Saudi government into the terrorist organization al Qaeda of the Arab Peninsula (AQAP). This was a highly classified operation which I can only assume involved undercover assets who were willing to betray this very dangerous organization. Someone in the Obama administration took it upon themselves to reveal this operation to the Associated Press. This, of course, is VERY illegal and for good reason. Remember those undercover assets I mentioned previously? What do you think would happen to those assets who were operating without the expectation their involvement would be made public to the largest news source in the world? Take a wild guess.

Do you remember Aldrich Ames? He’s the guy who betrayed his country and sold secrets to the USSR. What you may not know is that through his leak, he inadvertently killed 10 Russian citizens who fed the Central Intelligence Agency information. How about Valerie Plame? She’s another asset who was “burned” (her covert identity revealed publicly) for very political reasons allegedly. I can assure the target country she worked in, Iraq, deployed several counterintelligence agents to contacts she had in that country. Once an operation has been “burned”, all of the assets involved are compromised and can no longer conduct their missions.

Given what you watched above, take a few things into consideration:

The very real danger they pose throughout the region they operate in. How recluse and difficult such organizations can be and the difficulty to get someone to betray this organization. The operations we were able to stop because of this operation. One of which was the latest plane plot by AQAP. The potential for further penetration and more insightful intelligence disappearing because a bureaucrat in D.C. took it upon themselves to deliver to the Associated Press information about the success of this ongoing operation. The likelihood the assets were compromised and the likelihood of their survival and those with whom they had contact.
So you can imagine my surprise to learn of the AP’s outrage that the DoJ was investigating their contacts with various people who had knowledge of this operation. You’ve heard, no doubt, the DoJ subpoenaed the AP’s call records for over two months and then those of reporters who may have been the source’s contact. I have 11 years of criminal investigations experience and will be the first to attest that this is very customary when you’re looking to connect people from one area to another. Whether or not, the DoJ should have subpoenaed the AP’s phone company is a different story and “way above my pay grade”.

As you can guess, unauthorized disclosure of classified information is a crime. It’s actually a very serious crime. Don’t believe me. Here’s the statute. You’ll do good to note there is zero accommodation or exemption for releases to the press.

(a) Whoever knowingly and willfully communicates, furnishes, transmits, or otherwise makes available to an unauthorized person, or publishes, or uses in any manner prejudicial to the safety or interest of the United States or for the benefit of any foreign government to the detriment of the United States any classified information—(1) concerning the nature, preparation, or use of any code, cipher, or cryptographic system of the United States or any foreign government; or
(2) concerning the design, construction, use, maintenance, or repair of any device, apparatus, or appliance used or prepared or planned for use by the United States or any foreign government for cryptographic or communication intelligence purposes; or
(3) concerning the communication intelligence activities of the United States or any foreign government; or
(4) obtained by the processes of communication intelligence from the communications of any foreign government, knowing the same to have been obtained by such processes—
Shall be fined under this title or imprisoned not more than ten years, or both.
(b) As used in subsection (a) of this section—
The term “classified information” means information which, at the time of a violation of this section, is, for reasons of national security, specifically designated by a United States Government Agency for limited or restricted dissemination or distribution;
The terms “code,” “cipher,” and “cryptographic system” include in their meanings, in addition to their usual meanings, any method of secret writing and any mechanical or electrical device or method used for the purpose of disguising or concealing the contents, significance, or meanings of communications;
The term “foreign government” includes in its meaning any person or persons acting or purporting to act for or on behalf of any faction, party, department, agency, bureau, or military force of or within a foreign country, or for or on behalf of any government or any person or persons purporting to act as a government within a foreign country, whether or not such government is recognized by the United States;
The term “communication intelligence” means all procedures and methods used in the interception of communications and the obtaining of information from such communications by other than the intended recipients;
The term “unauthorized person” means any person who, or agency which, is not authorized to receive information of the categories set forth in subsection (a) of this section, by the President, or by the head of a department or agency of the United States Government which is expressly designated by the President to engage in communication intelligence activities for the United States.
(c) Nothing in this section shall prohibit the furnishing, upon lawful demand, of information to any regularly constituted committee of the Senate or House of Representatives of the United States of America, or joint committee thereof.
(d)
(1) Any person convicted of a violation of this section shall forfeit to the United States irrespective of any provision of State law—
(A) any property constituting, or derived from, any proceeds the person obtained, directly or indirectly, as the result of such violation; and
(B) any of the person’s property used, or intended to be used, in any manner or part, to commit, or to facilitate the commission of, such violation.
(2) The court, in imposing sentence on a defendant for a conviction of a violation of this section, shall order that the defendant forfeit to the United States all property described in paragraph (1).
(3) Except as provided in paragraph (4), the provisions of subsections (b), (c), and (e) through (p) ofsection 413 of the Comprehensive Drug Abuse Prevention and Control Act of 1970 (21 U.S.C. 853 (b), (c), and (e)–(p)), shall apply to—
(A) property subject to forfeiture under this subsection;
(B) any seizure or disposition of such property; and
(C) any administrative or judicial proceeding in relation to such property,
if not inconsistent with this subsection.
(4) Notwithstanding section 524 (c) of title 28, there shall be deposited in the Crime Victims Fund established under section 1402 of the Victims of Crime Act of 1984 (42U.S.C. 10601) all amounts from the forfeiture of property under this subsection remaining after the payment of expenses for forfeiture and sale authorized by law.(5)As used in this subsection, the term “State” means any State of the United States, the District of Columbia, the Commonwealth of Puerto Rico, and any territory or possession of the United States.As you can tell, the law is very specific and for good reason, as I outlined before. The business of deriving the intelligence we need from terrorist organization and rogue states requires secrecy. The best way I can describe the importance of keeping clandestine operations secret is to have you watch my child and I play “hide-and-go seek”. Children love to tell you where they’re going to hide because it makes it easier for you to catch them. Imagine if your child was very clever and never told you where they were hiding. Better yet, what if you never knew they were playing the game. Then, imagine if the stakes were higher – much higher than preempting a really good game. The same could be said of the modern spy game were exponentially more lives are at risk.