Check Out This Old School Intelligence Community Surveillance Detection Video

Note: Dude, again, I am not an intel dude. NOT my lane.

A few days ago, I wrote an article about how political parties could deal with a hostile foreign intelligence service actively targeting them for exploitation. One of the techniques I recommended revolved around avoiding physical surveillance. The video below goes into a lot of detail regarding surveillance detection routes. It appears to have been a declassified intelligence community video from the 1970s(?). This is for purely entertainment purposes. If you think you need to add this to your repertoire, then I suggest doing two things:

1. Hire a professional to teach you. A video is no substitute for actual training. That said, the materials in this are dated and I would imagine any serious surveillance would have a suitable counter to any SDR. However; this sets a nice introduction into the topic.
2. If you need this and you're going against any significant intelligence threat, you might be already screwed. Seriously.

Resource

This guy seems to know a lot more than I do on this stuff.

• https://protectioncircle.org/2016/12/04/lets-talk-about-surveillance-detection/

Some Sage Counterintelligence Advice For Political Parties and Their Candidates

NOTE:

I am NOT an intel dude. I have never been an intel dude. I have never been a counterintelligence dude. Never. These are my OPINIONS. 

If the adage that "all politics is war" is true, then this past election could certainly be proof of that. I won't get into specifics about candidates, their positions, or even their actions or culpability. This advice specifically for the Democratic National Committee is nonpartisan and exactly the same counsel I would give the Republican National Committee. In fact, the reason I wrote this post was in response to the DNC leaks/hacks. Also, there will be ZERO discussion about attribution and motives. To me, answering why something happens doesn't always help you mitigate how it happened in the first place. These "rules" apply to anyone who is a target of espionage by any actor, state or otherwise.

You're the active target of an intelligence apparatus. Given the result of this election, we can assume they achieved their objective and will see their success to continue their activities against you. So it is imperative that you and your staff operate as such. Knowing this, let's be clear - these agencies have a great many resources directed at you and will see any and all information as potential actionable intelligence. This means they'll be seeking out any vulnerabilities you have and will exploit them to get that information and will encompass both physical and virtual realms. Ultimately, assume you've been compromised on all of these fronts. For the foreseeable future, your survival in the political arena will be dependent on your acknowledgement of this.

Let's get to what you came here for - the "rules".

Physical Security

1. Assume every room you felt was "secure" is not. This may sound a bit paranoid but we already know the DNC suspected their offices were bugged by an unknown entity and sent a TCSM team in to investigate. Though, no active bugs were found, we know electronic surveillance is an ongoing tool used by intelligence agencies against targets especially political ones. If you haven't already, have a TCSM team inspect every office, bathroom, closet, etc. regularly. When they're done, assume you're still being bugged and be careful when discussing confidential information.
2. Assume your cars, homes, and hotels are also compromised. Yeah, I'm paranoid. I know this. That said, if I were to compromise you, I'd hit the places where most people engage or discuss things that make exploitation possible. These are also places you can't sweep every day for bugs. Don't take work home and don't discuss work at home. Also, assume whatever "dirt" you do in these places is being photographed, videoed, and audibly recorded. I shouldn't have to say this but....STOP DOING "DIRT".
3. You're being followed everywhere. Conduct surveillance detection routes regularly and pay attention to new vehicles in your neighborhood. Talk to your neighbors. Notice vehicles which you can never seem to shake. I have a rule I follow when inspecting vehicles for contraband - anything new and shiny in a sea of filth is not normal. If you're one of those people who use Uber or some other service, think about having the driver drop you off a block or two away from your destination and look to see who gets out when you do.
4. Consider every potential or new "intimate" encounter to possibly be a "catfish" or a honeypot until proven otherwise. Yeah, it sucks to say this but sex is still a proven way to gain secrets and access. I'm not saying you don't have "game" but you should be very suspicious of something that "sounds too good to be true". I'm not telling you to shun relationships but just be wary of new people wanting more access and information than they should have. Also, imagine these contacts suddenly being blared across social media for the world to judge. Foreign Intelligence Services have a long history of exploiting these encounters. 'Nuff said (Note: In case, I didn't make it clear enough - don't be stupid and don't do "dirt").
5. Invest in a good safe that's bolted in the ground, high security door locks, dog, burglar system, and a few nosy neighbors. Same crime prevention advice I give everyone applies in the counterintelligence world. You need early detection and you need it yesterday.
6. Follow the Moscow Rules.
1. Assume nothing.
2. Never go against your gut.
3. Everyone is potentially under opposition control.
4. Do not look back; you are never completely alone.
5. Go with the flow, blend in.
6. Vary your pattern and stay within your cover.
7. Lull them into a sense of complacency.
8. Do not harass the opposition.
9. Pick the time and place for action.
10. Keep your options open.
7.  Adhere to the ever-wise directives of Notorious B.I.G.. Seriously, regardless of how awesome this track is, the truths contained in it are essential to the success of any campaign. Though it's not a literal translation of acceptable ethical rules of conduct, interchange the words to fit a typical political campaign and it's very illuminating. 

Information Security

1. You need a security classification program. The federal government has a security classification program that's been somewhat successful at compartmentalizing information and preventing some data leakage. You don't have to mirror theirs but you should implement something similar. The first step in this process should be the development of a risk management process. Look at what information you could never lose without seriously compromising your objectives, the information you could lose with some compromise of your objectives, and information that is safe for some data leakage or available for public release. This classification should known and enforced organization-wide. Any and all of your policies and procedures to safeguard this information should encompass the physical and virtual realms.
   
   This classification could look something likes this:
   a. Confidential - this could include documents or communication that should never leave the organization.
   
   b. Sensitive - this could include information  that if discovered could have an impact on day-to-ops or the overall reputation of the organization
   
   c. Close Hold - this could include information that is normally only discussed between as few members as possible. This should also be treated as Confidential if it warrants.
   
   d. Publicly Releasable - this is information discussed in the organization that could be disseminated for public release with little to any approval.
   
   Note: All security classifications should be used sparingly and reviewed regularly to mitigate against hyper-vigilance and overclassification.
2. Consider being more transparent and don't be "dirty". The DNC leaks proved in many ways that transparency could be a great mitigation tool. When you're seen as being overly sneaky, people assume you have "dirt" to hide. How you do this is up to you but it cannot be denied the impact transparency can have with preventing further leaks.
   
   Political parties are, by their nature, involved in some "dirt". They're either digging for "dirt" on someone else or trying to hide their own. Perhaps, it would be more prudent to limit these activities to lessen the number of attack platforms that can be used against your organization. Just a thought.
3. Assume you have an informant in your organization. This doesn't mean you have to treat everyone as if they've been compromised. It does mean you should never assume they haven't been. Don't go on an organizational "mole hunt" but you should always be aware of what you say to who you it say it to.
4. Don't trust any outside communication that isn't part of an existing conversation. Move the conversation offline. Have a gatekeeper handle these when possible. The gatekeeper should be the only person who has direct unsolicited access to communications with key personnel. To say the least, the gatekeeper must deploy a mitigation-first mindset.
5. Consider building a "secure" room at your HQ. The Intelligence Community calls them SCIFs. They're rooms in which permanent workstations and secure phones are located and are regularly swept for bugs and access control is very strict. Consider only discussing strategic information here and here only. This aids in figuring out how you've been compromised if this leaks, as well as protecting against inadvertent leaking.
6. Consider ways in which the mundane could be damaging if exposed. For political parties, imagine your entire donor database being leaked. Got any donors who would rather not have their personally identifiable information leaked? How about your call sheets or talking points to donors? Could they be useful for an adversary in figuring out how to counter you? My personal favorite - internal polling. Think the other side or an FIS wouldn't love to know how you're projecting a path to victory? How about areas your constituents feel you're weak in? What if the adversary not only used that information themselves but then leaked it, especially at a moment when you're trying to project strength?
7. Consider a breach a serious incident. Data leakage happens. Some secrets are difficult to contain. Look at the stealth bomber and the Predator drone. Things happen. That said, there should be severe ramifications for even inadvertent leakage of seriously compromising information. Whatever those consequences are for those parties, they should be swift, consistent with existing policy, and indiscriminate. Period.
   

Video: The Story of Glenn Duffie Shriver - Student, Chinese Spy

Many times, when we hear the Chinese have recruited spies on US soil, they are normally Chinese-American scientists. Like most foreign intelligence services (FIS), the Chinese realized it would be much more valuable to have someone who could get inside the Central Intelligence Agency who perhaps wasn't Chinese-American. Meet Glenn Duffie Shriver, a Michigan college student Beijing recruited to join the CIA in 2007. Although he failed to matriculate into the agency, he was paid over $70,000 to do so. American counterintelligence discovered this recruitment and prosecuted Shriver. Subsequently, in 2010, he was sentenced to four years in federal prison for committing espionage for a foreign government. The video above describes Shriver's recruitment, the consequences of his actions, and subsequent attempts by the Chinese to recruit agents from backgrounds similar to Shriver's.

Here are some resources to learn more about Shriver:

https://en.wikipedia.org/wiki/Glenn_Duffie_Shriver

http://www.fbi.gov/washingtondc/press-releases/2011/wfo012111.htm

http://www.washingtonian.com/articles/people/chinas-mole-in-training/

http://www.hanford.gov/c.cfm/oci/ci_spy.cfm?dossier=162

http://www.fbi.gov/news/stories/2014/april/students-abroad-warned-of%20foreign-intelligence-threat/video-glenn-duffie-shriver-describes-experience

Ten OPSEC Lessons Learned From The Good Guys, Bad Guys, and People-in-Between

If you've been in the security world long enough, you've heard of a term called "OPSEC" or operational security. This is a security discipline in which organizations or individual operators conduct their business in a manner that does not jeopardize their true mission. If you're a police officer who is staking out a house, it would be bad OPSEC to sit outside the house in a marked police vehicle. I think it's prudent we discuss this discipline so we can better analyze our own processes by which we protect ourselves and our operations. Reviewing the OPSEC process is a great place to start. The following come from Wikipedia (I know - it's super-scholarly):

1. Identification of Critical Information: Identifying information needed by an adversary, which focuses the remainder of the OPSEC process on protecting vital information, rather than attempting to protect all classified or sensitive unclassified information.
2. Analysis of Threats: the research and analysis of intelligence, counterintelligence, and open source information to identify likely adversaries to a planned operation.
3. Analysis of Vulnerabilities: examining each aspect of the planned operation to identify OPSEC indicators that could reveal critical information and then comparing those indicators with the adversary’s intelligence collection capabilities identified in the previous action.
4. Assessment of Risk: First, planners analyze the vulnerabilities identified in the previous action and identify possible OPSEC measures for each vulnerability. Second, specific OPSEC measures are selected for execution based upon a risk assessment done by the commander and staff.
5. Application of Appropriate OPSEC Measures: The command implements the OPSEC measures selected in the assessment of risk action or, in the case of planned future operations and activities, includes the measures in specific OPSEC plans.
6. Assessment of Insider Knowledge: Assessing and ensuring employees, contractors, and key personnel having access to critical or sensitive information practice and maintain proper OPSEC measures by organizational security elements; whether by open assessment or covert assessment in order to evaluate the information being processed and/or handled on all levels of operatability (employees/mid-level/senior management) and prevent unintended/intentional disclosure.

We should also recognize good guys aren't the only ones who practice this discipline. As a matter of fact, the bad guys do as well and many are quite good at it. The lessons we could learn from them, our fellow security professionals, and others are almost immeasurable.

1. NEVER trust a big butt and a smile. Yup. I started off with that. Bear with me. Many intelligence agencies and law enforcement organizations use sex as a means to get close to a target or person of interest. Most bad guys realize this. However, many do not to their own detriment. When involved with people in a relationship or sexual encounter, they get very close to you and your secrets. I liken these people to "trusted agents" who you allow close enough to you that can get more information than you're willing or able to share publicly. Poor OPSEC practitioners often forget this. Most of their security failures stem from this fatal flaw. I'm not saying to not be in a relationship or to eschew intimacy. If you're in a job that requires you adhere to sound OPSEC principles, what I'm advising you to do is to exercise due diligence and conduct a risk analysis before you do. Think Marion Barry, Anthony Weiner, and Elliott Spitzer.



Immortal words spoken during an EPIC fail.

2. Always have a thoroughly vetted back-story for your cover. This is commonly referred to as "legend" in the intelligence community. This is an identity in line with your established, synthetic cover. For example, I previously mentioned the hacker known as the The Jester in a previous blog post. Depending on which side you're on, he's either a bad guy or a good guy. However, the lessons he teaches us about cover are insightful. Whenever someone "doxes" him, he has a prepared and detailed analysis as to how he created that cover identity. Many times he'll use a name that does exist with a person who either does not exist or who he has cleverly manufactured using a multitude of identity generators. He'll use disposable credit cards, email, LinkedIn profiles, VPNs which show logins from his cover location, etc. He even engages in cyber-deception with other actors to establish various cover stories for operations that require them. Whether you like him or not, he's certainly good at one thing we know for sure - cover discipline.
3. NEVER trust anyone you just met. I see you laughing. Many people mistakenly believe they can and should trust everyone they meet. They will often claim they don't but their behavior says otherwise. As Ronald Reagan is often quoted is saying, "In God we trust, all others we verify" I firmly believe this to be the most crucial aspect of operational security. Proper trust is needed in any environment for the mission to be accomplished. However, blind trust can and will kill any hopes of a successful mission. Whether you're checking identification at an entry control point or planning cybersecurity for an online bank, you should always treat every introduction you don't initiate as suspect. Then triage people and their level of access according to risk acceptance. This is a lesson we learned with Edward Snowden. He'd only been at Booze Hamilton a few months before he began siphoning massive amounts of classified information he had no direct access or need-to-know. Another saying I'm fond of is "Keep your enemies close, but your friends closer." I'm not saying everyone you meet is going to steal from you or betray your trust. Like my momma always says, "Not everyone that smiles at you is your friend and not every frown comes from an enemy."
4. Shut the hell up! No. Seriously. Shut up. If you hang around the special operations community, you'll hear a term used to describe the work they do as "quiet professionals". Most successful bad guys realize the best way to ensure longevity to shut the hell up. Bragging about or giving "pre-game commentary" before an operation are guaranteed ways to get caught or killed. The truly dangerous people are the one's who never say a word and just do their work. Sometimes, lethality is best expressed with silence.
   
   
   
   
   
5. Watch what you leak. While we can keep our mouths shut, it is more difficult in the information age to keep everything connected to us quiet. In order to properly protect ourselves, we have to begin this process by conducting proper risk analysis. Is what I'm doing right now giving away something I don't want the public to know? Is the the device or medium I'm talking on able to give away information I'm not comfortable with sharing? Does my enemy have the ability to intercept or analyze what I'm doing in order to gain sensitive information? What "tells" am I projecting? These are a few of many questions you should be asking in order to ensure you're limiting "noise litter".
   
   

   

   In the information age, do I need to say more?

6. If you're doing secret stuff, NEVER EVER EVER EVER EVER, talk on the wire. Look at the Mafia as a perfect example of what not to do. As an OPSEC practitioner, you should never communicate on any medium that can give away your secrets or be intercepted. John Gotti got busted talking on the wire. A person rule of thumb: If it can receive messages, it can transmit messages without you knowing. Treat every computer like an informant - feed it what you're willing to share with your adversary.
7. NEVER ever touch or be in the same place as the "product". For the uninitiated, that is one of first rules of the dope game. Every successfully, elusive drug dealer knows to keep away from the "product" (read "drugs). Whatever the "product" in your "game", ensure you put enough distance between you and it. If you have to be close to it, then have a good reason to be with it.
8. Recognize "the lion in the tall grass". When practicing OPSEC, if there is one thing you should never forget is why you're doing it. The reason you're practicing it is simple - there are people out there that oppose you. Ignore them at your detriment.
9. NEVER say something you can't backup or prove immediately. Nothing says you're a person needing to be checked out better than saying things you can backup or prove. People who are trying to vet you will require you backup what you say for a reason. Be ready for this. A great example of this is demonstrated by people who claim to be connected to someone of stature in order to gain access. In this case, they're found out because the target asked the other party who could not confirm this.
10. Treat your real intentions and identity as that gold ring from Lord of the Rings. I'm not saying put your driver's license on a necklace so a troll who think it's his "precious" won't take it. First of all, that's too cool to happen in real life. Second, you'll look like an idiot. Finally, there are more practical ways of protecting your identity. For starters, never have anything that connects your identity to your operation. Next, if you have to use your real identity in connection with an operation, give yourself some ability to deny the connection. Lastly, NEVER trust your identity, intentions, or operations to anyone or anything other than yourself.

I've decided to include the more practical list from the "Notorious B.I.G." to drive home some of these principles:

TEN CRACK COMMANDMENTS

1. Rule number uno, never let no one know
   How much, dough you hold, 'cause you know
   The cheddar breed jealousy 'specially
   If that man *** up, get your *** stuck up
2. Number two, never let 'em know your next move
   Don't you know Bad Boys move in silence or violence
   Take it from your highness
   I done squeezed mad clips at these cats for they bricks and chips
3. Number three, never trust nobody
   Your moms'll set that *** up, properly gassed up
   Hoodie to mask up, s***, for that fast buck
   She be layin' in the bushes to light that *** up
4. Number four, know you heard this before
   Never get high on your own supply
5. Number five, never sell no *** where you rest at
   I don't care if they want a ounce, tell 'em bounce
6. Number six, that God*** credit, dig it
   You think a *** head payin' you back, *** forget it
7. Seven, this rule is so underrated
   Keep your family and business completely separated
   Money and blood don't mix like two *** and no ***
   Find yourself in serious s***
8. Number eight, never keep no weight on you
   Them cats that squeeze your *** can hold jobs too
9. Number nine, shoulda been number one to me
   If you ain't gettin' bags stay the f*** from police
   If niggaz think you snitchin' ain't tryin' listen
   They be sittin' in your kitchen, waitin' to start hittin'
10. Number ten, a strong word called consignment
    Strictly for live men, not for freshmen
    If you ain't got the clientele say hell no
    'Cause they gon' want they money rain, sleet, hail, snow

Don't forget the admonition from Notorious B.IG. gives that should never be diminished:

Follow these rules, you'll have mad bread to break up
If not, twenty-four years, on the wake up
Slug hit your temple, watch your frame shake up
Caretaker did your makeup, when you pass

An information security professional known as "The Grugq" gave a very interesting talk on OPSEC, I think it is worth taking a glance at (try to contain all laughter and bafoonery at the preview image - we're running a family show here, folks):

Terrorism and Intelligence Legislation You Should Know About But Don't

Now that this NSA story has spawned the insane amount of nonsensical and baseless conjecture on my Twitter feed, I thought I'd take a moment and educate everyone on intelligence and terrorism legislation they should already know about but don't for various reasons.

Terrorism:

• Biological Weapons Anti-Terrorism Act of 1989
• Executive Order 12947 signed by President Bill Clinton Jan. 23, 1995, Prohibiting Transactions With Terrorists Who Threaten To Disrupt the Middle East Peace Process, and later expanded to include freezing the assets of Osama bin Laden and others.
• Omnibus Counterterrorism Act of 1995
• US Antiterrorism and Effective Death Penalty Act of 1996 (see also the LaGrand case which opposed in 1999-2001 Germany to the US in the International Court of Justice concerning a German citizen convicted of armed robbery and murder, and sentenced to death)
• Executive Order 13224, signed by President George W. Bush Sept. 23, 2001, among other things, authorizes the seizure of assets of organizations or individuals designated by the Secretary of the Treasury to assist, sponsor, or provide material or financial support or who are otherwise associated with terrorists. 66 Fed. Reg. 49,079 (Sept. 23, 2001).
• 2001 Uniting and Strengthening America by Providing Appropriate Tools for Intercepting and Obstructing Terrorism Act (USA PATRIOT Act)(amended March 2006) (the Financial Anti-Terrorism Act was integrated to it) - I don't have enough energy to discuss the Patriot Act. All you need to know is that it gives the US government very broad powers in order to combat terrorism.
• Homeland Security Act of 2002, Pub. L. 107-296.
• Support Anti-Terrorism by Fostering Effective Technologies Act (SAFETY Act) of 2002
• REAL ID Act of 2005 - Perhaps one of the most controversial pieces of legislation from the Bush era, it set forth certain requirements for state driver's licenses and ID cards to be accepted by the federal government for "official purposes", as defined by the Secretary of Homeland Security. It also outlines the following: 
• Title II of the act establishes new federal standards for state-issued driver licenses and non-driver identification cards.
• Changing visa limits for temporary workers, nurses, and Australian citizens.
• Funding some reports and pilot projects related to border security.
• Introducing rules covering "delivery bonds" (similar to bail bonds but for aliens who have been released pending hearings).
• Updating and tightening the laws on application for asylum and deportation of aliens for terrorist activity.
• Waiving laws that interfere with construction of physical barriers at the borders
• Animal Enterprise Terrorism Act of 2006 - The Animal Enterprise Terrorism Act (AETA) prohibits any person from engaging in certain conduct "for the purpose of damaging or interfering with the operations of an animal enterprise." and extends to any act that either "damages or causes the loss of any real or personal property" or "places a person in reasonable fear" of injury. 
• Military Commissions Act of 2006 - The United States Military Commissions Act of 2006, also known as HR-6166, was an Act of Congress signed by President George W. Bush on October 17, 2006. The Act's stated purpose was "To authorize trial by military commission for violations of the law of war, and for other purposes." It was declared unconstitutional by the Supreme Court in 2008 but parts remain in order to use commissions to prosecute war crimes.
• National Defense Authorization Act of 2012 - The second most controversial piece of legislation from the War on Terror authorizes "the President to use all necessary and appropriate force pursuant to the Authorization for Use of Military Force (Public Law 107-40; 50 U.S.C. 1541 note) includes the authority for the Armed Forces of the United States to detain covered persons (as defined in subsection (b)) pending disposition under the law of war.
  (b) Covered Persons- A covered person under this section is any person as follows:
  (1) A person who planned, authorized, committed, or aided the terrorist attacks that occurred on September 11, 2001, or harbored those responsible for those attacks.
  (2) A person who was a part of or substantially supported al-Qaeda, the Taliban, or associated forces that are engaged in hostilities against the United States or its coalition partners, including any person who has committed a belligerent act or has directly supported such hostilities in aid of such enemy forces.
  (c) Disposition Under Law of War- The disposition of a person under the law of war as described in subsection (a) may include the following:
  (1) Detention under the law of war without trial until the end of the hostilities authorized by the Authorization for Use of Military Force.
  (2) Trial under chapter 47A of title 10, United States Code (as amended by the Military Commissions Act of 2009 (title XVIII of Public Law 111-84)).
  (3) Transfer for trial by an alternative court or competent tribunal having lawful jurisdiction.
  (4) Transfer to the custody or control of the person’s country of origin, any other foreign country, or any other foreign entity.
  (d) Construction- Nothing in this section is intended to limit or expand the authority of the President or the scope of the Authorization for Use of Military Force.
  (e) Authorities- Nothing in this section shall be construed to affect existing law or authorities relating to the detention of United States citizens, lawful resident aliens of the United States, or any other persons who are captured or arrested in the United States.
  (f) Requirement for Briefings of Congress- The Secretary of Defense shall regularly brief Congress regarding the application of the authority described in this section, including the organizations, entities, and individuals considered to be ‘covered persons’ for purposes of subsection (b)(2).
• Homeland Security Presidential Directive/HSPD-5 requires all federal and state agencies establish response protocols for critical domestic incidents in line with the National Incident Management System.

Intelligence

• Foreign Intelligence Surveillance Act is perhaps the most interesting and secretive of laws we have. It was enacted to combat the threat of foreign intelligence services through surveillance activities abroad and at home. It allows these broad surveillance powers to be used against foreign and domestic agents. In other words, it authorizes our government to spy on its citizens if it believes they present a credible national security threat. FISA warrants are granted by secret courts that exist solely for approving FISA warrants. Note: I said "approving" as in for every warrant the DoJ has ever applied for, they have gotten it. Nowhere else in our judicial system do such powers exist.
• Intelligence Reform and Terrorism Prevention Act of 2004 enacted several of the 9/11 Commission's recommendations. It established the the Office of the Director of National Intelligence.
• 18 USC § 798 - Disclosure of classified information - Criminalizes the unauthorized disclosure of classified information.
• 50 USC § 421 - Protection of identities of certain United States undercover intelligence officers, agents, informants, and sources - Think Valerie Plame.

Loose Lips Just Don't Sink Ships - How Leaks Compromise More Than Just Secrets

This is how the Taliban handles spies.

I'll preface this piece by saying for the record "I am NOT a spy nor have I EVER been a spy. I have NEVER worked inside the intelligence community. What you read here is my opinion backed up by historically factual information." Whew! Now that I've gotten that out of the way, we can discuss a topic I've been meaning to cover - why unauthorized disclosure of sensitive information should remain illegal without legal protections for anyone.

Most people have no clue how the United States and other countries obtain their human intelligence. They assume we send American spies into foreign lands who sneak around embassies and high-end hotels and casinos battling terrorists and criminal kingpins. Most students of modern US intelligence will tell you that is NOT the case. In fact, how we get that intelligence is by sending American intelligence officers who are trained to be clandestine but who do not steal information themselves. That's right. Most human intelligence officers are highly-trained salesmen and recruiters who work diligently to get citizens from target countries to spy on their respective countries. In other words, our HUMINT officers convince other people to betray target states and organizations. We can also get that information by using third-party human intelligence from another country who may be more ethnically credible to penetrate certain denied areas. We'll touch on that later.

This week you have no doubt heard about the Associated Press debacle with the Department of Justice. What you may not be aware of is the "leak" in question is about the alleged penetration of our government  and the Saudi government into the terrorist organization al Qaeda of the Arab Peninsula (AQAP). This was a highly classified operation which I can only assume involved undercover assets who were willing to betray this very dangerous organization. Someone in the Obama administration took it upon themselves to reveal this operation to the Associated Press. This, of course, is VERY illegal and for good reason. Remember those undercover assets I mentioned previously? What do you think would happen to those assets who were operating without the expectation their involvement would be made public to the largest news source in the world? Take a wild guess.

Do you remember Aldrich Ames? He's the guy who betrayed his country and sold secrets to the USSR. What you may not know is that through his leak, he inadvertently killed 10 Russian citizens who fed the Central Intelligence Agency information. How about Valerie Plame? She's another asset who was "burned" (her covert identity revealed publicly) for very political reasons allegedly. I can assure the target country she worked in, Iraq, deployed several counterintelligence agents to contacts she  had in that country. Once an operation has been "burned", all of the assets involved are compromised and can no longer conduct their missions.

Given what you watched above, take a few things into consideration:

• The very real danger they pose throughout the region they operate in. 
• How recluse and difficult such organizations can be and the difficulty to get someone to betray this organization. 
• The operations we were able to stop because of this operation. One of which was the latest plane plot by AQAP. 
• The potential for further penetration and more insightful intelligence disappearing because a bureaucrat in D.C. took it upon themselves to deliver to the Associated Press information about the success of this ongoing operation. 
• The likelihood the assets were compromised and the likelihood of their survival and those with whom they had contact.

So you can imagine my surprise to learn of the AP's outrage that the DoJ was investigating their contacts with various people who had knowledge of this operation. You've heard, no doubt, the DoJ subpoenaed the AP's call records for over two months and then those of reporters who may have been the source's contact. I have 11 years of criminal investigations experience and will be the first to attest that this is very customary when you're looking to connect people from one area to another. Whether or not, the DoJ should have subpoenaed the AP's phone company is a different story and "way above my pay grade".

As you can guess, unauthorized disclosure of classified information is a crime. It's actually a very serious crime. Don't believe me. Here's the statute. You'll do good to note there is zero accommodation or exemption for releases to the press.

(a) Whoever knowingly and willfully communicates, furnishes, transmits, or otherwise makes available to an unauthorized person, or publishes, or uses in any manner prejudicial to the safety or interest of the United States or for the benefit of any foreign government to the detriment of the United States any classified information—(1) concerning the nature, preparation, or use of any code, cipher, or cryptographic system of the United States or any foreign government; or
(2) concerning the design, construction, use, maintenance, or repair of any device, apparatus, or appliance used or prepared or planned for use by the United States or any foreign government for cryptographic or communication intelligence purposes; or
(3) concerning the communication intelligence activities of the United States or any foreign government; or
(4) obtained by the processes of communication intelligence from the communications of any foreign government, knowing the same to have been obtained by such processes—
Shall be fined under this title or imprisoned not more than ten years, or both.
(b) As used in subsection (a) of this section—
The term “classified information” means information which, at the time of a violation of this section, is, for reasons of national security, specifically designated by a United States Government Agency for limited or restricted dissemination or distribution;
The terms “code,” “cipher,” and “cryptographic system” include in their meanings, in addition to their usual meanings, any method of secret writing and any mechanical or electrical device or method used for the purpose of disguising or concealing the contents, significance, or meanings of communications;
The term “foreign government” includes in its meaning any person or persons acting or purporting to act for or on behalf of any faction, party, department, agency, bureau, or military force of or within a foreign country, or for or on behalf of any government or any person or persons purporting to act as a government within a foreign country, whether or not such government is recognized by the United States;
The term “communication intelligence” means all procedures and methods used in the interception of communications and the obtaining of information from such communications by other than the intended recipients;
The term “unauthorized person” means any person who, or agency which, is not authorized to receive information of the categories set forth in subsection (a) of this section, by the President, or by the head of a department or agency of the United States Government which is expressly designated by the President to engage in communication intelligence activities for the United States.
(c) Nothing in this section shall prohibit the furnishing, upon lawful demand, of information to any regularly constituted committee of the Senate or House of Representatives of the United States of America, or joint committee thereof.
(d)
(1) Any person convicted of a violation of this section shall forfeit to the United States irrespective of any provision of State law—
(A) any property constituting, or derived from, any proceeds the person obtained, directly or indirectly, as the result of such violation; and
(B) any of the person’s property used, or intended to be used, in any manner or part, to commit, or to facilitate the commission of, such violation.
(2) The court, in imposing sentence on a defendant for a conviction of a violation of this section, shall order that the defendant forfeit to the United States all property described in paragraph (1).
(3) Except as provided in paragraph (4), the provisions of subsections (b), (c), and (e) through (p) ofsection 413 of the Comprehensive Drug Abuse Prevention and Control Act of 1970 (21 U.S.C. 853 (b), (c), and (e)–(p)), shall apply to—
(A) property subject to forfeiture under this subsection;
(B) any seizure or disposition of such property; and
(C) any administrative or judicial proceeding in relation to such property,
if not inconsistent with this subsection.
(4) Notwithstanding section 524 (c) of title 28, there shall be deposited in the Crime Victims Fund established under section 1402 of the Victims of Crime Act of 1984 (42U.S.C. 10601) all amounts from the forfeiture of property under this subsection remaining after the payment of expenses for forfeiture and sale authorized by law.(5)As used in this subsection, the term “State” means any State of the United States, the District of Columbia, the Commonwealth of Puerto Rico, and any territory or possession of the United States.

As you can tell, the law is very specific and for good reason, as I outlined before. The business of deriving the intelligence we need from terrorist organization and rogue states requires secrecy. The best way I can describe the importance of keeping clandestine operations secret is to have you watch my child and I play "hide-and-go seek". Children love to tell you where they're going to hide because it makes it easier for you to catch them. Imagine if your child was very clever and never told you where they were hiding. Better yet, what if you never knew they were playing the game. Then, imagine if the stakes were higher - much higher than preempting a really good game. The same could be said of the modern spy game were exponentially more lives are at risk.

What A Burned CIA Officer and A Patriot Hacktivist Can Teach Us About Cover Discipline

Ryan Fogle, an alleged CIA officer being detained by Russian
counterintelligence after his cover was "blown" (Source: AFP)

In light of the news a Central Intelligence Agency officer was detained by Russian counterintelligence, I felt it would be good to examine what it means to have good "cover discipline". In order to accomplish missions that require stealth in plain sight, intelligence operatives use what is commonly referred to as "cover" which is a fictional persona adopted by individual officers so that their true identity and purpose remain unknown to their target. "Cover" takes a significant amount of time to develop and assimilate into the officer. Persons who operate "undercover" will spend a great deal of time studying and perfecting their "cover". Where most officers get caught is when they lose "cover discipline". This could be something as simple as confusing one's "cover" name with their "real" name. In some cases, like the one depicted in this film, "cover" is often lost due to carelessness.



A recent display of good "cover" discipline came coincidentally during an exchange with a "hacktivist" known as The Jester and Jeff Bardin, a leading information security expert. The Jester and Bardin engaged in a phony confrontation regarding The Jester's alleged betrayal of Bardin's "cover" during an information security intelligence operation. The "feud" ended with Bardin "revealing" The Jester's "real" name which was actually a "cover" he developed for this operation over two years ago. It was very elaborate but according to those involved, it was a success.

Here's a snippet from The Jester and Bardin's "feud":

@th3j35t3r Fix in DM my ass. YOU blew my op and and exposed my resources. It is time your shit was blown.
— Treadstone 71 (@Treadstone71LLC) May 9, 2013

The Jester posted this with regards to his "cover" on another website:

For just such an occasion.....
-------------------------------
On the 1st July 2011 - I myself left this on pastebin >> http://goo.gl/JtI46
I also purposely left this in source code of my blog: http://goo.gl/8lwUC
Later I created this: http://goo.gl/S0UAb
and to bolsert I also created this http://goo.gl/O7EtX
It's taken almost 2 years for anyone to spot the deliberate mistake. Well Done.
He doesn't exist. It's a decoy. Good to know who's who though. Thanks.

You will notice the meticulousness of the preparation involved in developing a good cover. The Jester has been active for a few years and has yet to be successfully unmasked because of his adherence to good "cover discipline".

I'm not an intelligence expert nor have I ever claimed to be. However, I have studied intelligence gathering and espionage for quite some time. What I have learned is that spies on rely on secrecy, deception, and disguise to conduct clandestine operations. In order to be successful, spies must "live, eat, and breathe" their cover story. As it's stated in this article, "Cover is a mosaic, it's a puzzle," said James Marcinkowski, a former CIA case officer who attended the dinner. "Every piece is important [to protect] because you don't know which pieces the bad guys are missing."

For more information on "cover":

http://www.slate.com/articles/news_and_politics/explainer/2003/09/how_deep_is_cia_cover.html

http://en.wikipedia.org/wiki/Non-official_cover

http://www.npr.org/templates/story/story.php?storyId=4757713

http://seattletimes.com/html/nationworld/2002400477_ciaculture25.html

VIDEO: Defenses Against Espionage

It never ceases to amaze me how many of the cardinal rules of security and threat mitigation are relevant know matter which era or platform they are adhered to in. This video is a perfect illustration of that. It's a video produced by the National Security Council for government contractors who worked with classified projects. It follows a fictional case wherein a company loses a key piece of classified information they produced.  Of interest to security practitioners are the human security vulnerabilities exposed. Many of the fictional characters are exploited using social engineering. While the manner in which the information is much more elaborate than what we say in modern corporate espionage, the lessons are the same.

VIDEO: Espionage Target - You (June 15, 1964)

This video is a classic from the Cold War. While some of the material is outdated, those same human security vulnerabilities still exist whether it be financial, sex, or peer pressure. The only difference between when this film was produced and now is the theater of operations has changed from being solely in an analog world to a digital, multi-spectrum world.

Here's the synopsis from archives.org:

Exposes the worldwide operation of the Sino-Soviet espionage system and shows how Communist agents used any means to obtain vital information from military personnel. Reconstructs three actual cases to demonstrate various facets of espionage techniques. Explains how agents of different nationalities probe for vulnerable areas, such as loneliness, indebtedness, fast money, sex and the sporting life. Portrays the agent as he subtly approaches, ensnares and involves his victim until it is too late for the victim to retreat. Purpose: Information on communist espionage methods.

VIDEO: NOVA: Quantum Confidential

If you were a spy, how could you ensure that an encrypted message got safely to your allies? Send it using entangled particles! Here, watch how a technique called quantum cryptography could save a state secret from falling into enemy hands.

Watch Quantum Confidential on PBS. See more from NOVA.

Ten of the Craziest Security Awareness Posters (And Yes, I Made a Few Of Them Myself)

Today, on Twitter, I've been linking various security awareness posters. While many of these posters are very creative, they do send very ominous messages regarding the consequences of security violations. Because they tend to be overly dramatic and are seemingly outdated at times, they provide for a good chuckle every now and then.  I've even included some I made when I was a young security manager in the Air Force for good measure.  Enjoy.