5. February 2010 by Revelator.
While reading “Hour Game” by David Baldacci I came upon a narrative that screamed OPSEC better than anything I’ve read or seen on TV lately. Never underestimate the threat - in any situation…
He watched the old couple totter out of the supermarket and ease into their Mercedes station wagon. He wrote down the license plate number. He would run it later on the Internet and get their home address. They were doing their own shopping, so they probably had no live-in help or grown children nearby. The make of the car was relatively new, so they weren’t surviving solely on Social Security. The man wore a cap with the logo of the local country club. That was another potential gold mine of information he might later tap.
He sat back and waited patiently. More prospects were sure to come in the busy shopping center. He could consume all he wanted without ever once taking out his wallet.
A few minutes later an attractive woman in her thirties came out of a pharmacy carrying a large bag. His gaze swung to her, his homicidal antennae twitching with interest. The woman stopped at the ATM next to the pharmacy, withdrew some cash and then committed what should have been classified as a mortal sin for the new century: she tossed the receipt into the trash before climbing into a bright red Chrysler Sebring convertible. Her vanity plate read “DEH JD.”
He quickly translated that to be her initials and the fact that she was a lawyer, the “JD” standing for Juris Doctor. Her clothes told him she was fastidious about her appearance. The tan on her arms, face and legs was deep. If she was a practicing lawyer, she probably had just come back from vacation or else had visited the tanning booth over the winter. She was very fit-looking, her calves particularly well developed. His gaze had fixed on the gold anklet she wore on her left leg as she climbed in her car. That was intriguing, he thought.
She had a current-year American Bar Association bumper sticker, so the odds were she was still practicing law. And she was also single - there was no wedding ring on her finger. And right next to the ABA bumper sticker was a parking permit for a very expensive gated residential development about two miles from here. He nodded appreciatively. These stickers were very informative.
He parked, got out of the Bug, walked over to the trash can, made a show of throwing something away and in the same motion plucked out the ATM receipt. The woman really should have known better. She might as well have tossed her personal tax return in the trash. She was now naked, completely open to any probing he wanted to do.
When he got back to his car, he looked at the name on the account: D. Hinson. He’d look her up in the phone book later. And she’d also be in the business listings, so he’d know which law firm in town she worked at. That would give him two potential targets. Banks had started leaving off some of the numbers of the account because they knew their customers stupidly disposed of their receipts where they were easy picking for people like him.
He kept trolling under the warming sun. What a nice day it was shaping up to be. He reclined slightly in his seat only to perk up when off to his right a soccer mom started loading groceries in her van. He wasn’t guessing there: she wore a T-shirt that announced her status. An infant rode in the car seat in the rear. A green bumper sticker announced that the woman was the mom of an honor roll student at Wrightsburg Middle School for the current school year.
Good to know, he thought: seventh or eighth grader and an infant. He pulled into the space next to the van and waited. The woman took the cart back to the front of the store, leaving the baby completely unguarded.
He got out of the Bug, leaned into the van’s open driver’s side window and smiled at the baby, who grinned back, chortling. The interior of the van was messy. Probably so was the woman’s house. If they had an alarm system, they probably never turned it on. Probably forgot to lock all the doors and windows too. It was a wonder to him that the crime rate in the country wasn’t far higher what with millions of idiots like her staggering blindly through life.
An algebra book was in the backseat; the middle school child’s, no doubt. Next to it was a children’s picture book, so there was at least a third child. This deduction was confirmed by the presence of a pair of grass-stained tennis shoes in the rear floorboard; they looked to be those of a five- or six-year-old boy.
He glanced in the passenger seat. There it was: a People magazine. He looked up. The woman had just slammed the cart back into the rack and had now paused to talk to someone coming out of the store. He reached in and drew the magazine toward him. Name and home address were on the mailing label. He already had her home phone number. She’d helpfully put it on the For Sale sign on the window of her van.
Another bingo. Her keys were in the ignition. He placed a piece of soft putty over the ones that looked like house keys, taking quick impressions. It made the breaking in and entering part a lot easier when you didn’t have to “break” when you “entered.”
A final home run. Her cell phone was in its holder. He looked up. She was still gabbing away. Had he been so inclined he could have killed the kid, stolen all her groceries and torched the car, and the woman would never even know it until someone started screaming at the flames shooting into the sky. He glanced around. People were far too busy with their lives to notice him.
He snatched the phone, hit the main screen button and got her cell phone number. Then he accessed her phone book, took a digital camera the size of his middle finger from his pocket and snapped pictures of screen after screen until he had all the names and phone numbers in her directory. He returned the phone, waved bye-bye to baby and slipped back into his car.
He went over his list. He had her name, home address and the fact that she had at least three kids and was married. The mailing block had been addressed to both Jean and Harold Robinson. He also had her home phone number, cell phone number and the names and numbers of a host of others important to her as well as impressions of her house keys.
She and her lovely family belong to me now.
Keep the Faith
Revelator
Who Wrote The Book Of Love - The Monotones
Posted in Risk, Critical Information, Awareness, Vulnerabilities, Threat, Family OPSEC, Analysis, General OPSEC | Print | No Comments »
18. December 2009 by Revelator.
This is just unfreakingbelievable!
Hackers steal SKorean-US military secrets. By KWANG-TAE KIM, Associated Press Writer, Fri Dec 18, 7:19 am ET
SEOUL, South Korea – South Korea’s military said Friday it was investigating a hacking attack that netted secret defense plans with the United States and may have been carried out by North Korea.
The suspected hacking occurred late last month when a South Korean officer failed to remove a USB device when he switched a military computer from a restricted-access intranet to the Internet, Defense Ministry spokesman Won Tae-jae said.
The USB device contained a summary of plans for military operations by South Korean and U.S. troops in case of war on the Korean peninsula. Won said the stolen document was not a full text of the operational plans, but an 11-page file used to brief military officials. He said it did not contain critical information.
Pardon? Did I read that wrong? Let me check…”He said it did not contain critical information.” Nope - I read it right. Still can’t believe it. I mean, are you kidding me? An 11 page Executive Summary of our South Korean defense plans (OPLAN 5027) contains no sensitive information? Am I dead? Did I go to OPSEC hell and not get greeted by the demon of OPSEC? I’ve met this demon before - his name is Ignorance - so I’m pretty sure I would know him if he was greeting me at the gates of OPSEC hell. Perhaps this is a dream? Damn it people - just saying something isn’t so does not make it not so. Sure that’s a horrible sentence but let me show one that is far worse: “He said it did not contain critical information.” See? Much worse.
And don’t give me that nonsense that denying it had critical information is our way of not confirming to the North Koreans that it did indeed contain sensitive information. You know who says stuff like that? People who don’t understand the adversary. To be so blind as to think that North Korea doesn’t have a damn good idea of what is essentially contained in OPLAN 5027 is the height of ignorance. Especially since you can find older versions of OPLAN 5027 in all its classified glory on the internet.
I’ll grant that the 11 page summary may have been unclassified but there is no way I’m going to grant it didn’t contain critical information. Unless the only definition you have of critical information is anything that’s classified - and we know that’s just not true. Too bad not everybody understands that these days.
Thanks to my good friend Kirk for letting me know about this.
Keep the Faith!
Revelator
Tell It Like It Is - Aaron Neville
Posted in Risk, Critical Information, BS, Vulnerabilities, Threat, Media, WWW, Computer Intrusions | Print | No Comments »
3. September 2009 by Revelator.
I’ll never forget the night - I think we were in Lubbock or was it Wentzville…either way. I remember that Miles - that’s Miles Anthony, the lead singer of Big Slick, was really hot for this babe in the fourth row and as his top roadie he expected me to make the deal with her. You know - get her backstage and well…you know. And this was unusual because normally he would choose three or four just in case one or two wouldn’t well…you know. So I watched her off and on during the concert just to see what I could see. Well, I could see quite a lot if you know what I mean and I suspect that is what made Miles want her so bad but that’s neither here nor there.
A word or two about me is in order I suspect: My name is Night Train. Actually my name is Lance but a long time ago outside of a little bar called The Cavern a drunken Ringo called me Night Train and the moniker just stuck with me over the years. At that time I had spent three years in college and was doing a summer vacation with the love of my life whose name I just can’t seem to recall at the moment. One night we went to see this band at a bar in the red light district called the Cavern and while I was hanging out after the show this chap in a leather jacket asked if I could help them drag some equipment to their van. Turns out that chap was John Lennon and we struck up a friendship that lasted until that fateful night outside of the Dakota. But that is the short version of how I started as a roadie. The story about why I am still a roadie is much longer and not quite as enjoyable.
So - back to that night in Barstow…or was it Philly - either way. During the drum solo (I swear Smokestack was channeling Don Brewer of Grand Funk that night) Miles asked if I hooked it up yet and I had to tell him not yet. Miles really didn’t like that answer but it was the only one I had right then. After a quick line and a towel-off he was back on stage and I was back to my job - pimpin for rock stars. Not a job I recommend to young professionals but I’m pretty good at it by now and I’m pretty damn sure that at sixty-six years of age I won’t be going to truck drivers school if this doesn’t work out. But this was 17 years ago when I still thought I would get a real job when I grew up.
Back to LuAnn (her name as I was to find out later)…She had squeezed her way up to the second row by now and had just flashed her considerable attributes to Miles and he looked at me and gave me the signal - again. Rock stars and their roadies have a complicated series of signals that would make a third base coach proud. One signal means “she can come back stage but that’s all” another means “she can come back stage if she brings her friend/sister” another means “she can come back stage but only if she’ll ___________ (insert desire here)” and yet another meant “she can come backstage but make sure she’s not a dude first.” There are more but I’m sure you get the gist of it. The signal I had just received for the second time meant “if she’s willing she can come on tour with us for a week or two.” I didn’t get that signal too often so I took it seriously.
And so I watched her. I watched her because there is a level of trust between a roadie and a horny rock star and I have a solid reputation for never letting the rock star down - or getting him arrested. And that’s the key to this whole operation - keep the rock star safe from a multitude of potentially embarrassing situations. And so I watched her. I watched her on her cell numerous times - and not that happy about it. I watched her turn away dude after dude who hit on her. I watched her as her older friend brought her beer after beer. And I noticed she didn’t have any tattoos.
And I watched as she walked away after Miles sang the last lines to their hit at the time, “Big Leg Woman” (a decent version of the classic Muddy Waters tune). As she walked I chased. I didn’t expect her to bolt so fast. I figured she would stick around and slide toward the side of the stage to well…you know. But she didn’t. She was in a hurry and I knew I would be fired if I didn’t get her backstage to Miles.
I was about to catch up to her when she met her angry mother and father at the exit. And that is when all the indicators started springing to my mind. No tat’s for one. Sure you can get your parents to sign for you if you are under 18 but not many do. And all the text messages and phone calls that she wasn’t happy about. No doubt her mom or dad had sent those. And all those dudes she turned away - no sense hooking up when your angry mom is gonna meet you at the door. And finally, it was her older friend that was bringing her the beers. Something someone under 18 couldn’t have purchased without a fake ID.
And so I had to face a not too happy Miles backstage. I just had to tell him she was underage and we were good. No way he wants to mess with any jailbait - not again, at least. In the end he hooked up with a reporter for a local rag that was much more age appropriate for my aging rock star. I am happy to report some 17 years later that they have been married for 15 years now and have two kids. The boy is named Thor and the girl’s name is LuAnn. I guess even if you’ve had as many as Miles you never quite forget the one that got away.
OPSEC - keeping rock stars out of jail for 60 years.
Keep the Faith!
Revelator
Jail Bait - George Thorogood and The Delaware Destroyers
Posted in Indicators, BS, Risk | Print | No Comments »
31. August 2009 by Revelator.
From CNET News.com written by Elinor Mills:
“Here’s either a cautionary tale or an example of social-media paranoia. An Arizona man believes that his Twitter messages about going out of town led to a burglary at his home while he was away.
Israel Hyman posted to approximately 2,000 followers on Twitter that he and his wife were “preparing to head out of town,” that they had “another 10 hours of driving ahead” and later, that they “made it to Kansas City.”
When he came home, he found that someone had broken into his house and stolen thousands of dollars worth of video equipment he used for his video business, IzzyVideo.com, which he uses for his Twitter account.
“My wife thinks it could be a random thing, but I just have my suspicions,” he told the Associated Press. “They didn’t take any of our normal consumer electronics.”
Personally, I don’t think it’s a good idea to advertise to the world that your home will be unoccupied for a period of time. I also don’t think it’s necessary to reveal too many other personal details on social media sites that could be used for identity fraud, like your birth date.”
A number of thoughts come to mind:
1. Yeah, that was stupid. People are putting waaaaaaaaaaaaaaay too much on social networking sites. But then we know that already don’t we? Which leads me to my second thought…
2. Most OPSEC professionals, even part-timers, have known this for quite some time now so I have to ask; are we just horrible at spreading the word or are people not listening? Personally, I think it’s both. Awareness is the key here and while some are doing a pretty decent job the majority of us are not. And yeah, I know, why waste the time when you just know people aren’t going to listen to you either way. That’s tough to overcome but you just have to Keep the Faith! and press on.
3. Was it just the tweets or did dude possibly not consider OPSEC and basic security prior to leaving on vacation? We’ve all done the “so you’re going on vacation for two weeks how do you protect your home while you’re away” exercise. (if you haven’t let me know - I’ll send it to you). I suspect he didn’t arrange to deal with his mail, newspaper, growing grass, lights, etc while he was away and just got nabbed by bad guys who know what to look for.
Your fellow employees are counting on us OPSEC and Security professionals to keep them informed and protected. Do your best to inform them and with any luck they can protect themselves.
Keep the Faith!
Revelator
Everything Is Broken - Bob Dylan
Posted in Awareness, Indicators, Countermeasures, Risk, WWW, Threat, Family OPSEC | Print | No Comments »
19. September 2008 by Revelator.
2 = 4. Wait a minute - no it doesn’t; 2 + 2 = 4. Yeah, that’s better. See how that makes sense? We took one thing (2) and added it to another thing (2) to get the new thing (4). Now, I must be fair and say that while the above is true, so also is this; 4 = 4. But that is a given isn’t it? I mean, even if we can’t add we can see that one thing is always equal to itself. So where am I going with this? You can’t answer that question can you? No you can’t. So far all I’ve given you is the first “2” but I’ve yet to give you the other “2” so there is no way you can deduce “4” and know just what the hell I’m trying to say. Know what I mean? I didn’t think so…and I don’t blame you.
Perhaps this will help… Last week my wife asked me this question; “Do we have any plans for Saturday?” To which I replied; “Nope.” and went back to watching the Huntington Beach Bad Boy wail on some poor guy with more tattoo’s than skills. But not before I pondered for a brief moment the nature of her question. The possible answers were many and varied so without further thought I disregarded the question.
Saturday night came and my wife had thrown me a wonderful surprise party. When she asked her question earlier in the week I unknowingly had the first “2” but I never knew there was another “2” so there was no way of knowing that “4” was coming on Saturday night.
Such is not the case with hostile intelligence collectors. When a bad guy sees the first “2” his natural inclination is to ask himself; “2 + what = 4?” And so begins the collection effort that could very well determine the other “2”. Had I been the least bit curious about my wife’s question I could have asked her a series of questions that may have turned up the info required for me to deduce the “4” - that she was throwing me a surprise party.
Likewise, when an intelligence collector sees the event calendar of an organization on their web site (2) and subsequently sees a military exercise schedule that ties the two together on yet another web site (2)…well, it’s easy to see how he determines that this organization will be participating in the exercise (4). Unfortunately for us this means that we have now revealed critical information about when and where we will be performing, testing or exercising our mission and we’ve also focused his future collection efforts against us. On the Good/Bad scale, this is what us old OPSEC pros call “bad.”
Always understand that we do not operate in vacuums. What we say as well as what we publish can have far reaching negative effects. Now, while we can’t always protect the other “2” we can do our level best to make sure that our “2” doesn’t get seen, read, or heard so that the bad guy doesn’t ever get the “4” we’re ultimately trying to protect.
Keep the Faith!
Revelator
I Still Haven’t Found What I’m Looking For - U2
Posted in Critical Information, Risk, Vulnerabilities, Threat | Print | No Comments »
30. May 2008 by Revelator.
Firewall and system probing, Network File Systems application attacks, email attacks, vendor default password attacks, spoofing, sniffing, fragmentation and splicing attacks. Where will it all end? Since this is clearly our biggest security concern why can’t we fix it? Why aren’t we throwing all our money, manpower and technical abilities at this problem? Computer crimes cost us $32 million in 2006. Boy, I’ll tell you what - somebody better do something quick. Unless the computer isn’t our biggest security concern…
But if (as I imply) the computer isn’t the biggest threat to the security of our organization or mission, then what is? Here’s a clue - look above. Didn’t you read all that stuff in the first paragraph? Of course the computer is the biggest threat to the security of your organization/mission. Or is it…
Well, duh. The computer and its evil spawn the INTERNET is just teeming with demon hackers who are trying to either crash or rape your system every minute of every day. It’s all over the news! Technology is killing security. Punks who were born with Playskool See-n-Hack starter laptop kits are wreaking havoc all over the technosphere. What’s an OPSEC Program Manager to do? Hell, you’re not the IT Security dude. You know nothing of firewalls, routers and DMZs. Face it partner - you’re screwed. Unless…I mean, unless the computer is not the biggest threat to the security of your organization/mission…
And here we are again. What is, and will remain, the biggest threat to security in your organization is the person in the next cubicle, or the next stall, or the next chair, or sitting across from you at lunch asking you to pass the pink or yellow stuff that really isn’t sugar but will kill you just as fast. Humans…whattaya gonna do?
I can’t count the number of times I’ve been allowed into “secure” facilities by people who should have known better. And you would be surprised how many buildings you can waltz right through when you’re wearing a UPS uniform and carrying a couple of boxes. You can have the best physical security money can buy for your building but if smokers leave the back door propped open for convenience…establish a great password policy but if your people write their passwords down…carefully screen all information you put on your web page but if Marketing feels the need to publicize…
The old saying is that we spend 80% of our security money protecting ourselves from outside threats while, in truth, 80% of our threat comes from within our own organization. The next time you head over to the fridge to see if anyone has left a Klondike bar without a name on it take a look around - you are surrounded by people who will unmaliciously give away sensitive information at the drop of a hat. They don’t mean to by the way. They just haven’t been properly educated about how NOT to inadvertently give away sensitive and critical information. That’s your job - now get to it!
Keep the Faith!
Revelator
Posted in Risk, Countermeasures, Critical Information, Vulnerabilities, Threat, Program Management, WWW, Computer Intrusions | Print | 2 Comments »
15. May 2008 by Revelator.
Everything is affected by OPSEC. I say again, EVERYTHING is affected by OPSEC! Just think about it. The basic premise of OPSEC is that we’re trying to protect some…thing. Be that information, physical possessions, or ourselves. Whether we’re at work or at play. So we unconsciously fill our daily lives chock full of countermeasures to the myriad of threats constantly raining down on us. We wear sun block - we use unlisted telephone numbers - we lock our doors - we wear seat belts - we monitor our kids’ online activities - we wear girdles and butt-shapers - we have curfews for our children - we wear hairpieces and toupees and wigs and extensions - we make sure our hotel room isn’t on the ground floor - we dress our kids in full body armor so they can go ride their bikes, and we use industrial size shredders at home.
Countermeasures are everywhere! OPSEC is everywhere! For the next minute or so I want you to try to come up with an example of an area of your mission or your business that isn’t affected by OPSEC. At the risk of being redundant - everything in your organization is affected by OPSEC. Financial, personnel, admin, ops, logistics, maintenance, Human Resources, contracting, supply. From the Administrative Specialist you just hired to your CEO - from the lowest ranking enlisted member to your commander - from the number of cars in your parking lot to the sites you visit on the INTERNET - from your recall roster to that emergency supply order form - from contract rumors to merger scuttlebutt - it is all affected by OPSEC. Or more to the point - by a lack of OPSEC.
Go ahead - I dare you. Think of something right now that isn’t affected by OPSEC. When you think you’ve got one, click on the comments link and let the rest of us know.
Keep the Faith!
Revelator
Posted in Countermeasures, Risk | Print | 5 Comments »