Wednesday, December 11, 2013

Kenya Mall Shooting - Why It Went All Wrong & What We Can Do To Be Better

Yesterday, the New York City Police Department released a report from its SHIELD initiative about the Kenya mall shooting/terrorist attack. It was a pretty damning report to say the least. Before we talk about the report, let's talk about what SHIELD is and why that's important to understand in the context of this report. SHIELD is the NYPD's homegrown information-sharing component with private sector security. It provides analysis on current and future threats. I've previously read some of SHIELD's reports. Some were good and some were typical of fusion center reports - some meat and some potatoes but not a full meal. This report was driven, in part, by the need to go over what NYPD and private security could learn from what happened in Nairobi. There was plenty.

There were some startling revelations:
  1. Kenyan police were VASTLY outgunned. The report states, "The typical Uniformed Kenyan Police Officer is not as well equipped as their western counterparts, typically only carrying a long gun, most commonly an AK-47 style rifle with a folding stock, loaded with a single 30 round magazine. They do not carry handguns, wear body armor, gun belts or have portable radios to communicate." Each of the terrorists was carrying 250 rounds of 7.62 mm ammunition. The lack of body armor and radios to communicate resulted in fratricide. More on that later.
  2. Responding plainclothes officers were also outgunned and had no visible identification. Remember what I said about fratricide? From the report: "Very few of any of the plainclothes law enforcement first responders displayed any visible law enforcement identification such as a badge, arm band, ID card or a raid jacket, making identification as “friend or foe” extremely difficult for other armed first responders."
  3. Realizing the police were outgunned, Kenya made the incident response a military matter. That's as bad as it sounds. The report says, "Kenyan government officials decide to transfer the handling of this incident from the police to the military. A squad of Kenya Defense Forces KDF soldiers enters the mall and shortly afterwards, in a case of mistaken identity, the troops fired on the GSU-RC Tactical Team. They kill one police officer and wound the tactical team commander. In the ensuing confusion both the police and military personnel pull out of the mall to tend to the casualties and re-group."
  4. Responding military forces used an RPG-7 as a room clearing tool. I kid you not. And the destruction was insane. "It is reported that at some point during the day the Kenya Defense Forces decided to fire a high explosive anti-tank rocket (possibly an RPG-7 or an 84mm Recoilless Rifle) as part of their operation to neutralize the terrorists in the Nakumatt Super Market. The end result of this operation was a large fire and the partial collapse of the rear rooftop parking lot and two floors within the Nakumatt Super Market into the basement parking."
  5. It is possible the terrorists escaped in part because the Kenyan security forces failed to secure a perimeter. It is rather elementary: the very first thing Western police do in these scenarios is lock down the perimeter. No one comes in or out unless they can be positively identified as a "friendly". This credentialing is done by checking IDs, admitting only law enforcement and first responders, and allowing anyone to exit only upon verification.
  6. The mall employed unarmed officers who performed unsatisfactory "wand searches". This is irritating to say the least. Why? Unarmed officers are appropriate for certain environments and are the way to go in most environments. However, in high value targets, such as mass gathering locations in places like Kenya, I would have used an armed component. Armed officers are not only armed but can be equipped with radios and are usually uniformed. This makes identifying them for law enforcement somewhat easier. Also, armed officers can do things unarmed officers can't due to safety concerns such as locking down perimeters and evacuating victims.
  7. Wand searches are weak. I dislike them with a passion. Why? Officers get tricked into believing a search was "good" because the wand didn't annunciate. This is all kinds of bad. A search should be thorough in high value targets. If you're going to employ officers and have them search, have them be thorough and do it without a wand. I would use the wand only in environments where I had other search mitigators in place such as backscatters or X-ray search devices.

So what does this attack teach us in the West?
  1. The desire of terrorist groups to attack mass gathering locations is still very alive.
  2. Places like malls should consider Kenya to be a warning. If you're in mall security, I highly suggest going over your active shooter plan and rehearsing it on a fairly regular basis with local police departments and simulated shooters. In these exercises, test not just your ability to minimize casualties but also your security apparatus under stress. This is best accomplished by "killing" responders, taking hostages, attempting escape, and causing confusion among responders. Get your people used to chaos in these scenarios.
  3. Never do wand searches at high value targets and test your people regularly. I've gone over why I think wand searches are bad. So let's examine why you should test and train your searchers regularly. Searching is one of the most important yet often neglected security components. We usually pick rookies and the "lowest common denominator" to do this function because it's "easy". Doing good and thorough searches that let you sleep easy at night is not easy. Searchers should be trained on subject "tells", physical characteristics of forbidden items by touch, sound, smell, and sight, the tools they can use to do searches better, etc. They should also be regularly "red-teamed", which is to say you should have a non-attributable person walk through security and see what they can get through. When they're done, they should report their findings to management.

    Here's a video I did on how I would search bags:

  4. CCTV and analytics are EXTREMELY important to an active shooter scenario. There are several takeaways from what we learned about CCTV and the lack of analytics in Nairobi. First, CCTV coverage was spotty in some areas. Also, the CCTV coverage was easily identified and avoided by the terrorists. We also know while they had remote viewing capability, it was five miles away and more than likely not cross-fed into the police. While a CCTV monitor can't identify every threat, video analytics can alert them to suspicious activity. At the very least, consider it an option.
  5. Garages and parking lots should be regularly patrolled. While there was a guard posted at the entrance of the garage, had a response element been closer by, they could have locked the exterior doors to the mall.
  6. Train your employees on how to sound the alarm and IMMEDIATELY lock down their storefronts and secure customers. I would consider including them as a part of your active shooter training as well. Make that mandatory training for all storefront management and their trusted employees. I would include it in a leasing agreement if I had to.
  7. Have a HIGHLY accessible public address system to sound the alarm.
  8. Train local non-law enforcement responders on the need to "shoot, move, and communicate". Seriously, I can't stress this enough. There is a huge debate in the US surrounding concealed carry permit holders as responders. I'm okay with them responding, though I prefer they receive some training on the need to identify themselves to law enforcement prior to responding via a phone call if time and circumstance permit.
  9. Equip every security person and law enforcement officer with a radio. If you want to avoid wasting your time clearing rooms that have already been cleared or fratricide, then you HAVE TO equip your responders with radios and share your frequencies with them.
  10. Train your personnel on reporting formats like SALUTE. We've covered this before so I won't bore you with the details.
  11. Train your security management personnel on casualty collection points, IED mitigation, cordons, perimeter searches, and periodic vulnerability assessments. These things can't be overstated in training. Trust me. You'll thank me for this later.

Monday, December 9, 2013

Social Media Investigations 101 - Are You Sure You Want To Post That?

Soooo.... You've been on Facebook a while and you've set your privacy settings to whatever new super-secret stealthy hidden mode setting Facebook has. You probably also feel like none of your 400+ friends would ever tell anyone what you post. You look at articles about people posting things they shouldn't going viral and you think "I'm so glad that's not me. I would never do something like that." I destroy that myth every day at my job. In real life, I investigate leads in criminal cases which can aid my clients. A favorite place I go for these leads is social media.

When I tell people I go to Facebook for leads, the first thing they like to say is "Well, you're not going to find anything on me like that." I'm polite so I smile and tell them "Probably not." Of course, I'm lying. If I've told you that, this is where you're probably feeling a little uneasy. Let's be clear, if I don't have an interest in finding something, I probably won't find it. That's not to say I can't because I assure you I can.

So, let's break down how I might do a social media query. I won't bore you with site specifics but I will address some things that are common throughout the social media investigations landscape. This is not to scare you. I am merely trying to inform you so you understand exactly what information you voluntarily give away.

Disclaimer: For the experts: This is not all-inclusive and I'm aware of the many advances in social media investigations. This is mainly informative for those who may not know and to spark some discussion. All others: Please check whatever jurisdiction for whatever legalities may exist for you.

The best way to illustrate this topic is to assume you'll be doing a search yourself. If you don't mind being spooked, try this on yourself assuming you're a complete stranger who's only been given the task of obtaining whatever information exists on you in social media. I recommend creating your own "blank" account that you have no affiliation with to get started. When we get to associates, feel free to pretend and assume the worst about people on your friends list you haven't seen or spoken to in some time.
  1. Start with a subject. Having a name (preferably a first and last name) is good. I've done this with neither. More on that later.
  2. Put the name in the search box of the social media site you're searching. This is fruitful if you're seeing whether someone is on the site or if the profile is possibly "hidden" from searches. The latter requires you to know the subject is actually on the site. While doing this, play around with nicknames or aliases. A personal favorite of mine is email addresses. I also use their most used username if I know it. I have also looked up last names only just to see if someone posts things to a relative's profile.

    When searching Google, try to place quotation marks at the beginning and end of your subject's name. Also, type in Novice searchers give up because the results are too many. This narrows it down quite a bit.

    Despite what you think, no name is too common for a determined investigator. There are other things than our names that differentiate us. For example, your name is "John Smith". That's too common of a name for some investigators. But what happens when I search for "John Smith" in Dayton, OH who is a police officer married to a woman named Ebony? If you're the target, you're not as anonymous as you thought.
  3. Search them by username and old phone numbers. Sometimes, this is all you have to go on. Do it. That username may be their most commonly used one for everything. This could lead to old social media profiles (a time machine treasure trove of forgotten pics, lifetime issues and events, contacts, etc.), photo-sharing sites they frequent, articles they bookmark (Pinterest), comments they've made on other sites (Youtube can be great for this stuff), and sites they don't want anyone to know they frequent. Getting the username can be tricky. If I have a confirmed profile for them, I'll take the username that is in the profile's URL and then perform an "exact phrase" search on Google.

    I like to try the phone number search quite a bit. I'm not necessarily looking for an address if it's a social media investigation. Some profiles are only searchable with a phone number. Also, people post their numbers on sites that don't value privacy. For example, you run a shop that sells auto parts. As such, you belonged to a parts forum online. There you posted your number to get orders under a username I never knew existed. Not only do I possibly have historical data on you, but I may also get a look at your posts there as well as whatever I can dig up on this old username.
  4. If none of this proves fruitful, try a Google Image search. You may not be aware of this but Google now allows you to search by image. That means, I don't need your name to find you on the Internet. Sometimes, I find people use the same photo for most sites they frequent. Perhaps, you'll find a site with a picture you have and can dig up useful information such as other pictures, other usernames, and most importantly, associates.
  5. Associates are where the money is. Seriously, most people assume, wrongly, that their Facebook friends feel the same way they do about things, or they feel some impunity with what they post to their audience. In some cases, this may be true. However, I can guarantee it probably is not. Finding associates can be tricky if you don't know much about your subject. Hopefully, Google will help you out here. If not, I recommend spending the $19.95 to use people-search sites like Intelius or Spokeo. This should give you a list of names of people who either know your subject or lived in the same area as him. Also, try Someone went to high school with your subject and I bet you they're still on their Facebook friends list. Another feature of some sites' search engines is the suggested friends list. If you're friends with their friends, social media sites like to let you know and ask if you want to be your subject's friend. Of course, you don't. But this provides you with that profile you've been looking for, or at least one of them.

    Old friendships are tricky. We think the people who have known us the longest have our best interests at heart. Let me assure you, some of them don't. Most people trust these folks with lots of personal information, especially when they go on a tirade or a rant. The simple truth is that if someone has it in for you, they can voluntarily give anyone access to whatever you share with them online.

    This young lady thought she was being "funny" outside of Arlington. Several of her "friends" didn't think so.
  6. Be careful what you "like". People wrongly assume the pages they like or the comments they reply to on someone else's page are somehow protected. Yeah, that is totally wrong. It is protected ONLY if they have set themselves up with the strictest privacy settings. Many times, a person's "likes" can reveal a lot about them even if an investigator can't see anything else. A great example is Facebook Groups which advocate violence or are sexually explicit. Unfortunately, people forget to hide what pages they "like" and it suddenly has some bearing on something they never imagined it would.
  7. Search for a name in a foreign language. I see you laughing but I once had someone hide their profile by using another language to hide their name. It's a great idea but as I ran out of options, I went to Google Translate and entered the subject's name from English to Korean. Suddenly, her profile appeared.
  8. Search their friends' friends list. Some people hide in plain sight. You may be searching for the right subject but entered the wrong letter. A friend's friends list will probably have the name as something else.
  9. Search EVERY PHOTO, LOCATION TAG, EVENT SIGN-IN, etc. Sometimes, the information we seek is in places we dismiss as being "dry". Look through EVERYTHING. Trust me. This alone can give you more associates, the state of mind of your subject, places they've been or frequent, events they've been to or locations they can be expected to be at, and all the drama that comes with social media picture posting.
  10. When you've found what you're looking for, archive it. This sounds easier than you think. Grab your smartphone and take a picture of your screen where the information is. People trust screenshots more than they do a link they can click.
  11. Do this exercise on yourself and assume your current or future employer, spouse, child custody judge, friends, family, and others are doing the same. Those who get their 15 minutes of fame from poor Facebook posts never seem to think they'd get turned in by their "friends". Also, here's a tidbit - if you're posting information you shouldn't, never exclaim "I don't care who sees this." I GUARANTEE you will.
*Some places I like to go to search for social media investigation queries
*You're not getting all of my trade secrets

Wednesday, October 23, 2013

What's The Nature of Your Emergency?

These are words often spoken by dispatchers and those working in emergency response centers throughout the world. They are the first words spoken and often lead to some of the most confusing and panic-driven conversations. People who have something to report, whether it be suspicious or an actual emergency, report as if the person on the other line is there with them. The descriptions of the situation are often muddled, suspect descriptions are either ignored or extremely vague, and other information is untold or dragged out by the dispatcher from the caller. So how do we fix this?

The problem is not the caller but how we cultivate information from them. We assume, wrongly, they understand what it is we need or that any information is good information. Both assumptions are dead wrong. Don't fall into this trap. People don't know what emergency dispatch or law enforcement truly need. They assume you will ask all of the relevant questions from the "fog of war". Luckily, we do - sometimes. So how do we fix it? We start by giving them the format that will deliver the best results for us and get the information from them as quickly as possible so we can notify the appropriate personnel.

A format that I'm very familiar with and used extensively in the military was called S.A.L.U.T.E.
  1. Size: How many people do you see? How big is the object? How many gunshots did you hear?
  2. Activity: What are they doing? Is he shooting at you? What did he say?
  3. Location: Where are they? Where did they go? Where are you? Where did the vehicle come from? Where did you see that? Where is the object?
  4. Uniform: What color were his clothes? What kind of clothes was she wearing? What color was the vehicle? What was the make and model?
  5. Time: When did this happen? When was the last time you heard from him? What time did the letter say the explosion would happen?
  6. Equipment: What kind of gun did he have? Was the knife serrated? Did you see a rocket launcher? Did you see them carrying anything else?
This is all great information that when given to dispatchers aids in faster information flow which means faster mitigation/response times. I recommend agencies, if they haven't already, have their organizations begin indoctrinating their communities on the specific formatting you need. Trust me, as a former dispatcher and emergency operations center controller, I can tell you nothing is better than getting the right information to the right people as soon as possible.

Monday, August 12, 2013

The Rules: 10 Things Every Entry-level Security Person Needs to Know & Every Pro Forgets

There are principles which are inherently the same no matter what discipline of security you practice. Although, for some reason, some of us tend to forget them to our detriment. I blame 99.9% of all practitioner-caused security failures on this. What's worse is that rookies aren't the only ones who miss them. A lot of these issues come from pros who should know better. Like everything else, we need a refresher.

  1. Our business is about risk. This profession isn't just about assigning widgets to fix people's security issues. We deal with asking and solving really tough questions the end-user is often scared to address or doesn't know exist. If you're just selling a product to meet a quota or performing a security function to satisfy a job description, you're wrong. Start by asking the client about the resources he's protecting and what he's willing to do to protect them. Next, ask him if they're worth protecting. Most people believe EVERYTHING needs security. Precious time and resources are sometimes wasted defending something no one cares about, including the bad guys.
  2. Security is a state of mind; not an objective. Do you know how many of us believe the mythology that tells us we can attain security as if it were quantitative? Of course you do. An entire industry is built around this ridiculous premise. Nothing is 100% secure - ever! It can't be. There's always a vulnerability. I'm not saying not to bother with security. I'm just asking you to consider what it is you're trying to do and to consider if you and the client have realistic goals.
  3. Know your tools. I'm surprised by the number of practitioners who know so little about the tools that are available to protect their assets. People have this problematic tendency to learn from vendors about the tools offered but fail to educate themselves. Venture to some trade shows. Join ASIS. Ask around the Internet. Become a sponge. Too many of us are bricks. There aren't enough of us taking in knowledge in order to give knowledge back.
  4. Know your limitations. Face it, there are some problems you can't fix. Seriously. If you can't do the job, be honest. Say you can't and find someone else who can. You'll keep your integrity and impress the client more by being honest. You'll also develop a good rapport with trusted colleagues you refer. Trust me this is a good thing. After the referral, tag along. Be that sponge I mentioned previously.
  5. Define your goals. When I was a supervisor in the Air Force, I can't tell you how many of my troops' professional failings came from forgetting this simple step. Look, no one likes writing goals except for those insanely productive people who live inside Lifehacker. But what's the harm in sitting down and mapping out your weaknesses, what you can do to fix them, and assigning a goal to reach them? Absolutely nothing. So get started.

    This can and should also be applied to security projects. Define what the project is, what the client's expectations are, determine how you can meet them, and then set goals in order to meet each objective. It's simple but few people do it. Failing to do it guarantees you'll lose an opportunity to work on future projects.
  6. Know your terrain. Do you really understand the security environment? I'm not just talking about the threat. So often, we ignore the internal and external impacts of our measures which undermine our ability to properly protect these assets. For example, in many businesses, there is a key exchange. If you need access to a secure area, you have to leave a badge to receive a key into the area. This seems like a perfectly harmless idea, until users grow tired of giving up their badges and the person conducting the exchange is increasingly wary of having to do it. Security lapses occur as the "inconvenience" outweighs the security concerns. Don't believe me? Three words - Transportation Security Administration. Learn the terrain and figure out what will work the smoothest.
  7. Education begins with exposure. My take on security education is simple - you don't know what you need to know because you're not out there asking the right people. I know some people may be scratching their heads at that. But it's the truth. So many of us are ignorant of the threat, the tools, and the terrain because we haven't taken the steps to "get smart" about them.
  8. Befriend your enemy. I'm not telling you to "friend request" al-Shabab on Facebook or chat with MS-13 members on Twitter. What I'm suggesting is that you not only read up on their operations but try to get some basic understanding of their collective psychology. Learn how they conduct target selection, who they work with, how they recruit, their tools, etc. This will not only give you an idea as to how to build a better security plan but it will also enable you to ensure it's both comprehensive and adaptive.
  9. Everyone has a sales pitch. My first venture into private security was interesting, to say the least. I learned a lot from that gig. One of the lessons that stood out the most was to always be on the lookout for the sales pitch. Learning your client's pitch will enable you to ensure that how you protect his resources won't affect his "bottom-line". Would it be a good idea to have dome cameras installed over tables at restaurants? Of course not. What most restaurants sell, in addition to food, is a friendly environment where you can dine among friends. A dome camera over your table robs you of that, thus killing the restaurant's sales pitch. I've never seen that happen but it does illustrate how quickly we can lose the client's respect and business by forgetting they have a business to run as well.
  10. Vigilance is demanded. When I wrote the first draft of this article, I originally wrote "vigilance is expected." That was a HUGE mistake. Why? Because "expected" means you accept a margin of failure. In this business, apathy is where all good security measures go to die. I recognize the fine line between hyper-vigilance and vigilance. Certainly, there needs to be a balance. Just remember, at the end of the day, when there is a breach, you'll be forced to address why you violated this most sacred of security "rules". If you're a supervisor, your vision of how your people practice their profession should have this rule at the forefront. Julius Caesar had a special patrol he conducted before battle to catch wayward soldiers asleep on their post. The maximum and usual penalty? Death. While the consequences aren't quite as dire as this in the real world at times, complacency will destroy our ability to adequately protect the client and their resources. This is a compromise we can't afford to allow - EVER.

Wednesday, August 7, 2013

Ten OPSEC Lessons Learned From The Good Guys, Bad Guys, and People-in-Between

If you've been in the security world long enough, you've heard of a term called "OPSEC" or operational security. This is a security discipline in which organizations or individual operators conduct their business in a manner that does not jeopardize their true mission. If you're a police officer who is staking out a house, it would be bad OPSEC to sit outside the house in a marked police vehicle. I think it's prudent we discuss this discipline so we can better analyze our own processes by which we protect ourselves and our operations. Reviewing the OPSEC process is a great place to start. The following come from Wikipedia (I know - it's super-scholarly):
  1. Identification of Critical Information: Identifying information needed by an adversary, which focuses the remainder of the OPSEC process on protecting vital information, rather than attempting to protect all classified or sensitive unclassified information.
  2. Analysis of Threats: the research and analysis of intelligence, counterintelligence, and open source information to identify likely adversaries to a planned operation.
  3. Analysis of Vulnerabilities: examining each aspect of the planned operation to identify OPSEC indicators that could reveal critical information and then comparing those indicators with the adversary’s intelligence collection capabilities identified in the previous action.
  4. Assessment of Risk: First, planners analyze the vulnerabilities identified in the previous action and identify possible OPSEC measures for each vulnerability. Second, specific OPSEC measures are selected for execution based upon a risk assessment done by the commander and staff.
  5. Application of Appropriate OPSEC Measures: The command implements the OPSEC measures selected in the assessment of risk action or, in the case of planned future operations and activities, includes the measures in specific OPSEC plans.
  6. Assessment of Insider Knowledge: Assessing and ensuring employees, contractors, and key personnel having access to critical or sensitive information practice and maintain proper OPSEC measures by organizational security elements; whether by open assessment or covert assessment in order to evaluate the information being processed and/or handled on all levels of operability (employees/mid-level/senior management) and prevent unintended/intentional disclosure.
We should also recognize good guys aren't the only ones who practice this discipline. As a matter of fact, the bad guys do as well and many are quite good at it. The lessons we could learn from them, our fellow security professionals, and others are almost immeasurable.
  1. NEVER trust a big butt and a smile. Yup. I started off with that. Bear with me. Many intelligence agencies and law enforcement organizations use sex as a means to get close to a target or person of interest. Most bad guys realize this. However, many do not, to their own detriment. When involved with people in a relationship or sexual encounter, they get very close to you and your secrets. I liken these people to "trusted agents" whom you allow close enough to you that they can get more information than you're willing or able to share publicly. Poor OPSEC practitioners often forget this. Most of their security failures stem from this fatal flaw. I'm not saying to not be in a relationship or to eschew intimacy. If you're in a job that requires you adhere to sound OPSEC principles, what I'm advising you to do is to exercise due diligence and conduct a risk analysis before you do. Think Marion Barry, Anthony Weiner, and Eliot Spitzer.
  2. Immortal words spoken during an EPIC fail.
  3. Always have a thoroughly vetted back-story for your cover. This is commonly referred to as a "legend" in the intelligence community. This is an identity in line with your established, synthetic cover. For example, I mentioned the hacker known as The Jester in a previous blog post. Depending on which side you're on, he's either a bad guy or a good guy. However, the lessons he teaches us about cover are insightful. Whenever someone "doxes" him, he has a prepared and detailed analysis as to how he created that cover identity. Many times he'll use a name that does exist with a person who either does not exist or who he has cleverly manufactured using a multitude of identity generators. He'll use disposable credit cards, email, LinkedIn profiles, VPNs which show logins from his cover location, etc. He even engages in cyber-deception with other actors to establish various cover stories for operations that require them. Whether you like him or not, he's certainly good at one thing we know for sure - cover discipline.
  4. NEVER trust anyone you just met. I see you laughing. Many people mistakenly believe they can and should trust everyone they meet. They will often claim they don't but their behavior says otherwise. As Ronald Reagan is often quoted as saying, "In God we trust, all others we verify." I firmly believe this to be the most crucial aspect of operational security. Proper trust is needed in any environment for the mission to be accomplished. However, blind trust can and will kill any hopes of a successful mission. Whether you're checking identification at an entry control point or planning cybersecurity for an online bank, you should always treat every introduction you don't initiate as suspect. Then triage people and their level of access according to risk acceptance. This is a lesson we learned with Edward Snowden. He'd only been at Booz Allen Hamilton a few months before he began siphoning massive amounts of classified information to which he had no direct access or need-to-know. Another saying I'm fond of is "Keep your enemies close, but your friends closer." I'm not saying everyone you meet is going to steal from you or betray your trust. Like my momma always says, "Not everyone that smiles at you is your friend and not every frown comes from an enemy."
  5. Shut the hell up! No. Seriously. Shut up. If you hang around the special operations community, you'll hear a term used to describe the work they do as "quiet professionals". Most successful bad guys realize the best way to ensure longevity is to shut the hell up. Bragging about or giving "pre-game commentary" before an operation are guaranteed ways to get caught or killed. The truly dangerous people are the ones who never say a word and just do their work. Sometimes, lethality is best expressed with silence.

  6. Watch what you leak. While we can keep our mouths shut, it is more difficult in the information age to keep everything connected to us quiet. In order to properly protect ourselves, we have to begin this process by conducting proper risk analysis. Is what I'm doing right now giving away something I don't want the public to know? Is the device or medium I'm talking on able to give away information I'm not comfortable with sharing? Does my enemy have the ability to intercept or analyze what I'm doing in order to gain sensitive information? What "tells" am I projecting? These are a few of many questions you should be asking in order to ensure you're limiting "noise litter".

    In the information age, do I need to say more?
  7. If you're doing secret stuff, NEVER EVER EVER EVER EVER talk on the wire. Look at the Mafia as a perfect example of what not to do. As an OPSEC practitioner, you should never communicate on any medium that can give away your secrets or be intercepted. John Gotti got busted talking on the wire. A personal rule of thumb: if it can receive messages, it can transmit messages without you knowing. Treat every computer like an informant - feed it only what you're willing to share with your adversary.
  8. NEVER ever touch or be in the same place as the "product". For the uninitiated, that is one of the first rules of the dope game. Every successful, elusive drug dealer knows to keep away from the "product" (read "drugs"). Whatever the "product" in your "game", ensure you put enough distance between you and it. If you have to be close to it, then have a good reason to be with it.
  9. Recognize "the lion in the tall grass". When practicing OPSEC, if there is one thing you should never forget, it is why you're doing it. The reason you're practicing it is simple - there are people out there who oppose you. Ignore them to your detriment.
  10. NEVER say something you can't back up or prove immediately. Nothing says you're a person who needs to be checked out better than saying things you can't back up or prove. People who are trying to vet you will require you to back up what you say, for a reason. Be ready for this. A great example of this is people who claim to be connected to someone of stature in order to gain access. In that case, they're found out because the target asked the other party, who could not confirm the connection.
  11. Treat your real intentions and identity as that gold ring from Lord of the Rings. I'm not saying put your driver's license on a necklace so a troll who thinks it's his "precious" won't take it. First of all, that's too cool to happen in real life. Second, you'll look like an idiot. Finally, there are more practical ways of protecting your identity. For starters, never have anything that connects your identity to your operation. Next, if you have to use your real identity in connection with an operation, give yourself some ability to deny the connection. Lastly, NEVER trust your identity, intentions, or operations to anyone or anything other than yourself.
I've decided to include the more practical list from the "Notorious B.I.G." to drive home some of these principles:

  1. Rule number uno, never let no one know
    How much, dough you hold, 'cause you know
    The cheddar breed jealousy 'specially
    If that man *** up, get your *** stuck up
  2. Number two, never let 'em know your next move
    Don't you know Bad Boys move in silence or violence
    Take it from your highness
    I done squeezed mad clips at these cats for they bricks and chips
  3. Number three, never trust nobody
    Your moms'll set that *** up, properly gassed up
    Hoodie to mask up, s***, for that fast buck
    She be layin' in the bushes to light that *** up
  4. Number four, know you heard this before
    Never get high on your own supply
  5. Number five, never sell no *** where you rest at
    I don't care if they want a ounce, tell 'em bounce
  6. Number six, that God*** credit, dig it
    You think a *** head payin' you back, *** forget it
  7. Seven, this rule is so underrated
    Keep your family and business completely separated
    Money and blood don't mix like two *** and no ***
    Find yourself in serious s***
  8. Number eight, never keep no weight on you
    Them cats that squeeze your *** can hold jobs too
  9. Number nine, shoulda been number one to me
    If you ain't gettin' bags stay the f*** from police
    If niggaz think you snitchin' ain't tryin' listen
    They be sittin' in your kitchen, waitin' to start hittin'
  10. Number ten, a strong word called consignment
    Strictly for live men, not for freshmen
    If you ain't got the clientele say hell no
    'Cause they gon' want they money rain, sleet, hail, snow
Don't forget the admonition Notorious B.I.G. gives, which should never be diminished:
Follow these rules, you'll have mad bread to break up
If not, twenty-four years, on the wake up
Slug hit your temple, watch your frame shake up
Caretaker did your makeup, when you pass

An information security professional known as "The Grugq" gave a very interesting talk on OPSEC; I think it is worth taking a glance at (try to contain all laughter and buffoonery at the preview image - we're running a family show here, folks):

Wednesday, July 24, 2013

10 Ways to Mitigate The Risks and Issues Associated With Theft From Motor Vehicles

When I was stationed in England, one of the most pressing issues we faced was theft from motor vehicles. It seemed like every day I received a report that a US service member had something stolen from their vehicle. What amazed me was not the item stolen but the simplicity of the steps that help prevent and mitigate these thefts. Here are a few simple things you can do:

  1. If you leave it on your car seat, it WILL get stolen. There's no question in my mind that if you leave something of any value in your vehicle in plain view, it is not a matter of if but when it will be stolen. Take your valuables and secure them. If it has to remain in the vehicle, place it in your trunk. If you can take it inside, take it inside. NEVER EVER leave valuables in your car overnight. Period.
  2. Remember when I said "anything of value"? Well, that also includes your GPS. The most common thing people forget to take inside at the end of the day is their detachable GPS unit. Take it inside. If you have to leave it in the car, lock it and the mount you use in the trunk. Also ensure your window doesn't have the infamous "GPS markers" - the residue left when the mount's suction piece is disconnected from your window. This is a "tell" that you possibly still have stuff of value in the vehicle.
  3. Limit things that tell everyone you routinely store valuable things in your vehicles. If you're a cop, limit the "Thin Blue Line" or FOP stickers. It tells potential thieves that on occasion (perhaps today) you leave a gun or other department-issued gear in the vehicle. If you're in IT, now might be a good time to take the ethernet cables and the old router boxes and leave them in the office or at home. Again, this tells thieves the wrong thing.
  4. Park your car in a lighted area in plain view of you and other pedestrians, passing motorists, and police officers. Most people think if they hide something, then thieves are less likely to attack. That is not always the case. Chances are you're not nearly as good at hiding stuff as you think. If you can't move the car to a well-lit area, at least consider moving it somewhere closer to your home.
  5. Your locked door means nothing. People normally laugh when I say this. I suspect this has to do with the fact that they forget that most thieves prefer easy methods of entry. If it's on the front seat and they want it, they will choose the path of least resistance - your windows.
  6. Get an alarm, but actually go outside and turn it off when it annunciates. One of the biggest mistakes people make is they hear the car alarm go off but take a quick glance out and immediately turn it off. What your car alarm is saying every time it goes off is "Hey you! Someone who is not you just touched me - as in, I think someone is trying to steal stuff." It's a pain in the butt for sure to go out every single time. However, I'd rather know I actually went out and saw for myself than find my stuff gone because I deactivated the alarm without a visual inspection.
  7. Make securing your car a part of your nightly security routine. I do it every single night. I check all of the doors and windows in my house. Once I'm done there, I arm my vehicle and my wife's, ensuring the doors are locked. This has to be done.
  8. Buy insurance for all of your stuff. Seriously. Buy insurance that covers loss of stuff from your vehicle. Remember, it's not a matter of if but when your stuff will get taken.
  9. If you're parked in a public garage, practice all of the steps above AND consider parking near cameras. Thieves often hit public garages and lots because they believe they'll have some privacy (i.e. areas to hide and do their business). You rob them of that privacy by placing the vehicle some place where natural observers can see them and where there are cameras. If the garage is manned, consider parking the car nearest the attendants. Also, always take your parking passes, gate keys, and ticket stubs with you.
  10. If you're in a business that requires tools in your vehicles, be extra vigilant when taking the vehicle home with you. Seriously. Of all the vehicles that get attacked, work vehicles are targeted the most. Why? You're more likely to have expensive stuff.
If you're a law enforcement officer or security manager charged with preventing these crimes, I recommend the following site to assist in helping you. -

Monday, July 22, 2013

Dude, You've Got Mad Pickpocket Skills

I have seen a lot of criminal acts in my 30-something years of being on this blue rock. Occasionally, I find myself amazed by how ingenious and brazen certain criminals are. This story out of China is one such case. A lady was innocently riding her bike when a pickpocket jogged up next to her. As he got closer to her, he used chopsticks to retrieve her phone from her jacket. That's right - chopsticks. You have to see it to believe it.

Yup. That's what you call a smooth operator.

Monday, July 15, 2013

OPINION: Who You Callin' An "Expert"?!

Recently, someone called me an "expert". While I was extremely flattered, it made me think a lot about my initial reaction to that label. If you've been in this field, you will note there are several people who go around calling themselves "experts". A few of them are and a lot of them aren't. Most of my introspection was about where I saw myself and how I allowed others to see me. Am I an "expert" or a guy who likes to talk a lot about security?

The answer to both of those is a paradox of sorts, as they are equally complicated and simple. According to some, being an "expert" means knowing a lot of stuff about security and sounding half-way intelligent about that stuff. Some would argue I fit into that category. While I hope I'm not, I certainly can understand how people can see me that way. Many people know a lot of stuff about a lot of stuff and "talk a good game" but lack real depth in their knowledge or experience. So, I can't help but wonder, with 10 years of doing various jobs in security, a blog, and some above-basic knowledge, where does that place me? I'm also very passionate about security. Do passion, knowledge, and an audience make someone an "expert", and should I even want to be considered one?

When I first decided to start this blog, I did it with the intention of sharing security news and information with my audience. It soon became an opportunity to share my opinions and insight. While all that was very important, I always felt I needed something more constructive. There are tons of people all over social media and the rest of the Net who believe the "smarter" you sound, the greater your expertise. I have found a great deal of those people lack expertise and oftentimes, real knowledge of the subject matter. Don't get me wrong. I'm guilty of this as well at times. Very guilty, as a matter of fact.

So what am I? I'm a student of security in both the literal sense and the rhetorical as well. I'm eager and willing to learn from anywhere. I'm not afraid to test an idea or hypothesis in the field or be reviewed by my peers. Sometimes, what I say and do sucks. I get stuff wrong - A LOT. My ideas may not be preferred or have any chance of success. Occasionally, I don't stay in my lane. Okay. I can hear you laughing. I don't stay in my lane enough at times.

So how do I go about fixing this? I decided to start changing how I viewed my interactions with people and the objectives I set for them. In other words, I felt it was less important to demonstrate knowledge than it was to receive and learn from others. I had been afforded an opportunity to label myself as an "expert" many times. It always felt hollow and empty, as if it was undeserved. After all, I was a security guard not too long ago and I had very average experiences in the military. I wasn't Special Forces or with a federal agency doing anything "special". My resume is a reflection of being very lucky and being at the right place at the right time. I did a lot of cool things and saw some cool places in this world. But was I an "expert"? No, I am not.

Too many "experts" are not willing to admit they are in fact still learning. Too many believe it is more important to demonstrate knowledge than to receive it. Too many believe the best analysis of a problem is the one that is more conducive to a "solution" they've created. Instead of more people willing to tell us about security, we need more people willing to sit down, shut up, and listen to what others have to share. From now on, I'll be sharing my knowledge in an attempt to learn more than I teach. The only question left to ask is "Will I be alone?"

OPINION: Why Crime Prevention Fails

I have a pet-peeve with the current spate of "anti-theft" apps for mobile devices. My problem doesn't lie with their technology. Nope, my issue is with their marketing. There are a plethora of these apps that are being called "crime prevention tools". I know what you're thinking, "But if someone takes my cell phone, this app will use the GPS to track my phone and send me an email so I can tell the police where to get my phone." True, but answer this question - What crime did it stop? Seriously, what crime did your app stop? And therein lies the problem with the app and with how we view crime prevention.

Part of the reason we have such a high rate of crime in this country resides mostly in our definition of "crime prevention". Many times, we mistakenly believe "prevention" relies on the response to the crime. A faster recovery means we've sent a message to the bad guys that they can't take our stuff without the cops coming to get them. Stop laughing. That's the message the creative marketing teams behind these apps and other products will have you believe. Remember Nancy Reagan's "just say no" campaign and the "war on drugs/crime"? Those sent a clear message to the bad guys - we have no clue how to stop you.

Stopping crime is a noble objective but no crime is totally preventable. As a matter of fact, it's a safe bet that at some point in your life, you will be a victim of a crime. After 10 years of doing law enforcement in the military and my current job, I have an idea as to why this is. Simply put, the reason you will be a victim of crime at some point in your life rests in two places and neither of which needs the other for the crime to take place.

The first place where the crime onset takes place is with the criminal. Remember what I said a few posts ago about how the attacker will ultimately attack you regardless of what you do? The same idea applies here. You can't control what an attacker will do. If he/she is motivated and skilled enough, which are two things you can't always plan on, there is very little you can do beforehand to stop them. That's not a defeatist attitude. This is me directing you to the second place where the crime onset occurs - the victim.

Victims, typically, do a lot of things well before an attack occurs, but they also do some things terribly wrong. Where things go wrong for them is in their attitude - "I never thought it would happen to me.....But I lock my doors....Why me?" There are loads of reasons you were selected to be a victim, none of which you may have had any control over. It is for this reason I think we need a new crime strategy - crime mitigation.

As we've discussed before, your attitude towards crime mitigation has to be proactive. You have to be thinking about the best way to lower your chances of being a victim and lessening the damage from an attack. Whether you purchase a smart phone or sports car, you should have a proactive attitude towards engaging the threat. Buying an alarm or an app won't stop theft but planning on it to happen at some point may not only mitigate the damage but provide more creative solutions to prevent the loss from happening in the first place.

Monday, July 1, 2013

10 Ways to Help Mitigate and Repel Home Invasions

In my real world job, I come across many crimes. None of them is more troubling than home invasions. According to the Department of Justice's Bureau of Justice Statistics:
  • An estimated 3.7 million burglaries occurred each year on average from 2003 to 2007.
  • A household member was present in roughly 1 million burglaries and became victims of violent crimes in 266,560 burglaries.
  • Offenders were known to their victims in 65% of violent burglaries; offenders were strangers in 28%.
  • Overall, 61% of offenders were unarmed when violence occurred during a burglary while a resident was present. About 12% of all households violently burglarized while someone was home faced an offender armed with a firearm.
Often, victims seem to be picked at random or targeted by someone they know. However, in my experience there are a few things I think could mitigate the risks and the aftermath associated with home invasions.

  1. Prepare, prepare, prepare, prepare. Seriously, prepare. Most people assume that because they lock their doors and have a gun, that will stop someone from coming into their homes. Sometimes it does and sometimes it doesn't. In order to mitigate this crime, potential victims have to prepare for the unthinkable and oftentimes unlikely - someone will come and eventually break into your home while you're there. Just like every other disaster, homeowners and tenants should make preparations as if it could happen.
  2. NEVER EVER receive a visitor at a door you have never received someone at before. Many people who do home invasions often pick rear entrances to force their way inside. Think about it. Why don't you receive guests at your back door? Is it because it's dark, away from the drive, or is not in a place where you can see them approach? These are all of the reasons attackers love these entrances.
  3. NEVER EVER leave a door open that you're not close enough to shut when needed. I get it. The weather is blazing hot. Your entire house feels like an oven and all you want is a breeze. So you leave a door open. If an attacker is looking for places to commit this crime, an open door is too appetizing to pass up. No matter how heroic or brave you think you are, you can never react in enough time if an attacker can open an unlocked door into your home.
  4. Consider a dog. I know. I know. Stop rolling your eyes. Seriously. Dogs can't fix everything and they are not a crime solution. However, if you live alone, a dog can be both an alarm and a defender. In a home invasion, you need all the help you can get. Imagine that it's 3am and you hear your back door being kicked in. So does your 100 pound German Shepherd. He goes to investigate or stays with you. Either way, there's a good chance whoever is in your home will know you have a dog (probably because he sank his teeth into the invader's flesh) or your neighbors could hear his bark.
  5. Consider buying new windows or new window locks. Older windows are ideal for home invasions, primarily because they are difficult to adequately secure. Over time, people paint over their locks which then become immobilized. Many people never bother to check if the windows lock. Checking your window locks is very important and should be a part of your daily routine.

    (Source: Bureau of Justice Statistics)

  6. Buy or build a duress alarm. I know this sounds a bit extreme and complicated. I can assure you that neither is true. I recently built a duress alarm for my home in less than 15 minutes using speaker wire, a rocker switch, a piezo siren, and a D-cell battery pack. Once I flip the switch, the same siren you hear on a car alarm is heard throughout my home. I won't divulge where I keep it, but suffice it to say I have it somewhere I plan to go the second I hear or see someone break into my home. You should consider doing the same. If you don't have the materials to make one, you should buy a window/door alarm sold at the "dollar stores" found across the United States. Just keep one near where you plan to be during a home invasion and activate it once it occurs. The sound will distract the bad guy and alert him that you know he is there, and so will most of your neighbors. Some alarm companies can install a duress alarm in your home that will emit a siren and call the police. I prefer my method only because I know firsthand that phone service can go down and cellular backups aren't installed in every home security system. Plus my method cost me $20 when I made it myself and was $2 when purchased as a window/door alarm.

    Here's a duress alarm I built. This is without an enclosure, which I'll add soon enough.
  7. Have a phone at your bedside and wherever you are in your home. There's nothing worse than having someone break into your home, getting to your safe haven, and not having a phone to call the police. Have a phone near you at all times. In the military, it was a cardinal sin not to be within arm's length of your weapon at all times. I consider the same to be true of your phone. Also, don't rely on a phone that won't work, like a cell phone you know doesn't get reception in your home. I also want to reiterate the need to have a landline phone. Stop rolling your eyes. Seriously. If your cell phone doesn't work, you'll need to get help somehow. Trust me. You'll thank me later.
  8. Figure out your safe haven. Many people call this a "panic room". I hate that term. During an emergency situation, you can't afford to panic. You need to be ready to fight off the attacker in a deliberate fashion. Ideal places for safe havens are places you and your loved ones can get to when the attack occurs. I also find it useful to think of this place as an area where I will make my last stand. In other words, should the attacker breach the door into this area I will use any and all force available to repel him. Should you find yourself in a position where you have to defend an area while your family moves to a safe haven, have a "password". You may find yourself having to gain entry into their safe haven should you believe the attacker has left or you have repelled him. Your family should know to never open the "safe haven" door unless they receive the "password". Consider giving the dispatcher this "password" so she can tell first responders and you can know if they are friend or foe.
  9. Consider your armaments. Most people think a gun is the perfect solution. In some cases, it might very well be. This isn't a discussion about calibers or rifle vs handgun vs shotgun. This is about whether your weapons can and will repel an attacker. I can't tell you what to arm yourself with. There are some folks who are just as lethal with a carpenter's pencil as they are with a shotgun. What I will tell you is to ARM YOURSELF!! Trust me. Don't get caught without a weapon during an attack. You should have armaments stationed in places you can get to immediately during an attack. Whether it be a knife or a gun, have it ready and nearby. Also, don't use something you haven't trained in using and retaining. An area where most gun owners fall short is weapons retention skills. There are loads of classes and seminars on this topic. Do your research and learn how to use and retain your armaments.
  10. Secure places you have left unsecured. Sun Tzu says, "So in war, the way is to avoid what is strong and to strike at what is weak." This is true in crime prevention. Your enemy will always hit you where you're not prepared for him. That's why you check the first floor doors and windows, basement entrances including windows, storm shelters, etc. Any place a human being could get into, you should be checking daily for signs of weakness.

Thursday, June 6, 2013

Terrorism and Intelligence Legislation You Should Know About But Don't

Now that this NSA story has spawned the insane amount of nonsensical and baseless conjecture on my Twitter feed, I thought I'd take a moment and educate everyone on intelligence and terrorism legislation they should already know about but don't for various reasons.

  • Biological Weapons Anti-Terrorism Act of 1989
  • Executive Order 12947 signed by President Bill Clinton Jan. 23, 1995, Prohibiting Transactions With Terrorists Who Threaten To Disrupt the Middle East Peace Process, and later expanded to include freezing the assets of Osama bin Laden and others.
  • Omnibus Counterterrorism Act of 1995
  • US Antiterrorism and Effective Death Penalty Act of 1996 (see also the LaGrand case, which pitted Germany against the US in the International Court of Justice from 1999 to 2001, concerning a German citizen convicted of armed robbery and murder and sentenced to death)
  • Executive Order 13224, signed by President George W. Bush Sept. 23, 2001, among other things, authorizes the seizure of assets of organizations or individuals designated by the Secretary of the Treasury to assist, sponsor, or provide material or financial support or who are otherwise associated with terrorists. 66 Fed. Reg. 49,079 (Sept. 23, 2001).
  • 2001 Uniting and Strengthening America by Providing Appropriate Tools for Intercepting and Obstructing Terrorism Act (USA PATRIOT Act)(amended March 2006) (the Financial Anti-Terrorism Act was integrated to it) - I don't have enough energy to discuss the Patriot Act. All you need to know is that it gives the US government very broad powers in order to combat terrorism.
  • Homeland Security Act of 2002, Pub. L. 107-296.
  • Support Anti-Terrorism by Fostering Effective Technologies Act (SAFETY Act) of 2002
  • REAL ID Act of 2005 - Perhaps one of the most controversial pieces of legislation from the Bush era, it set forth certain requirements for state driver's licenses and ID cards to be accepted by the federal government for "official purposes", as defined by the Secretary of Homeland Security. It also outlines the following:
    • Title II of the act establishes new federal standards for state-issued driver licenses and non-driver identification cards.
    • Changing visa limits for temporary workers, nurses, and Australian citizens.
    • Funding some reports and pilot projects related to border security.
    • Introducing rules covering "delivery bonds" (similar to bail bonds but for aliens who have been released pending hearings).
    • Updating and tightening the laws on application for asylum and deportation of aliens for terrorist activity.
    • Waiving laws that interfere with construction of physical barriers at the borders
  • Animal Enterprise Terrorism Act of 2006 - The Animal Enterprise Terrorism Act (AETA) prohibits any person from engaging in certain conduct "for the purpose of damaging or interfering with the operations of an animal enterprise" and extends to any act that either "damages or causes the loss of any real or personal property" or "places a person in reasonable fear" of injury.
  • Military Commissions Act of 2006 - The United States Military Commissions Act of 2006, also known as HR-6166, was an Act of Congress signed by President George W. Bush on October 17, 2006. The Act's stated purpose was "To authorize trial by military commission for violations of the law of war, and for other purposes." It was declared unconstitutional by the Supreme Court in 2008 but parts remain in order to use commissions to prosecute war crimes.
  • National Defense Authorization Act of 2012 - The second most controversial piece of legislation from the War on Terror authorizes "the President to use all necessary and appropriate force pursuant to the Authorization for Use of Military Force (Public Law 107-40; 50 U.S.C. 1541 note) includes the authority for the Armed Forces of the United States to detain covered persons (as defined in subsection (b)) pending disposition under the law of war.
    (b) Covered Persons- A covered person under this section is any person as follows:
    (1) A person who planned, authorized, committed, or aided the terrorist attacks that occurred on September 11, 2001, or harbored those responsible for those attacks.
    (2) A person who was a part of or substantially supported al-Qaeda, the Taliban, or associated forces that are engaged in hostilities against the United States or its coalition partners, including any person who has committed a belligerent act or has directly supported such hostilities in aid of such enemy forces.
    (c) Disposition Under Law of War- The disposition of a person under the law of war as described in subsection (a) may include the following:
    (1) Detention under the law of war without trial until the end of the hostilities authorized by the Authorization for Use of Military Force.
    (2) Trial under chapter 47A of title 10, United States Code (as amended by the Military Commissions Act of 2009 (title XVIII of Public Law 111-84)).
    (3) Transfer for trial by an alternative court or competent tribunal having lawful jurisdiction.
    (4) Transfer to the custody or control of the person’s country of origin, any other foreign country, or any other foreign entity.
    (d) Construction- Nothing in this section is intended to limit or expand the authority of the President or the scope of the Authorization for Use of Military Force.
    (e) Authorities- Nothing in this section shall be construed to affect existing law or authorities relating to the detention of United States citizens, lawful resident aliens of the United States, or any other persons who are captured or arrested in the United States.
    (f) Requirement for Briefings of Congress- The Secretary of Defense shall regularly brief Congress regarding the application of the authority described in this section, including the organizations, entities, and individuals considered to be ‘covered persons’ for purposes of subsection (b)(2).
  • Homeland Security Presidential Directive/HSPD-5 requires all federal and state agencies to establish response protocols for critical domestic incidents in line with the National Incident Management System.


Monday, June 3, 2013


I often dish out a lot of criticism towards the Department of Homeland Security. However, it is not without understanding the sheer vastness of what their work undertakes. I often peruse their site (and so should you) to gain insight into what they face. This site has always been a great information source and has been very responsive towards citizen queries, though I'm sure some would disagree. I highly recommend giving their site a look.

Department of Homeland Security Site:

Friday, May 31, 2013

INFOGRAPHIC: Syria's S-300s

You may have heard by now of the S-300 missiles Russia has pledged to sell to the Syrian regime. There has been a great deal of speculation from the White House and other interested entities as to whether this could prolong the crisis or even send it into a greater spiral. In an effort to provide you with the facts about the S-300, I have included this pretty cool infographic from a Twitter user who has demonstrated a wealth of knowledge when it comes to missiles and all things that go "boom":

Water Wars - It Has Nothing To Do With Kevin Costner

Glass Half Empty: The Coming Water Wars

While most of the developing world has focused on oil as the resource that fuels most global conflicts, many groups have voiced concern that we're missing a very important resource that is rapidly depleting - water. That's right, folks. The resource we all need to sustain our lives is going away very quickly in some places where conflicts are already occurring due to resource depletion and a lack of supply to meet demand. There are LOADS of reasons why this is, and I don't want to fill this space with conjecture and debate on topics I'm sure we could pontificate on endlessly. I included the infographic above to give you some situational awareness. I've also included some links and the video below that describe the issue in greater detail. Have a look at any of these. What are your thoughts? Do you think this is something we need to be concerned with? Is this something security practitioners need to be aware of when operating outside of the developing world or in water-depletion areas?

Water Wars Resources

Saturday, May 25, 2013

Loose Lips Just Don't Sink Ships - How Leaks Compromise More Than Just Secrets

This is how the Taliban handles spies.

I'll preface this piece by saying for the record: "I am NOT a spy, nor have I EVER been a spy. I have NEVER worked inside the intelligence community. What you read here is my opinion backed up by historically factual information." Whew! Now that I've gotten that out of the way, we can discuss a topic I've been meaning to cover - why unauthorized disclosure of sensitive information should remain illegal, with no legal protections for anyone.

Most people have no clue how the United States and other countries obtain their human intelligence. They assume we send American spies into foreign lands to sneak around embassies, high-end hotels and casinos, battling terrorists and criminal kingpins. Most students of modern US intelligence will tell you that is NOT the case. In fact, we get that intelligence by sending American intelligence officers who are trained to be clandestine but who do not steal information themselves. That's right. Most human intelligence officers are highly trained salesmen and recruiters who work diligently to get citizens of target countries to spy on their own countries. In other words, our HUMINT officers convince other people to betray target states and organizations. We can also get that information by using third-party human intelligence from another country whose officers may be more ethnically credible when penetrating certain denied areas. We'll touch on that later.

This week you have no doubt heard about the Associated Press debacle with the Department of Justice. What you may not be aware of is that the "leak" in question concerns the alleged penetration of the terrorist organization al Qaeda in the Arabian Peninsula (AQAP) by our government and the Saudi government. This was a highly classified operation which I can only assume involved undercover assets who were willing to betray this very dangerous organization. Someone in the Obama administration took it upon themselves to reveal this operation to the Associated Press. This, of course, is VERY illegal, and for good reason. Remember those undercover assets I mentioned previously? What do you think would happen to assets who were operating without any expectation that their involvement would be made public through the largest news source in the world? Take a wild guess.

Do you remember Aldrich Ames? He's the guy who betrayed his country and sold secrets to the USSR. What you may not know is that through his leak, he inadvertently killed 10 Russian citizens who fed the Central Intelligence Agency information. How about Valerie Plame? She's another asset who was "burned" (her covert identity revealed publicly), allegedly for very political reasons. I can assure you the target country she worked in, Iraq, deployed several counterintelligence agents against the contacts she had in that country. Once an operation has been "burned", all of the assets involved are compromised and can no longer conduct their missions.

Given what you watched above, take a few things into consideration:

  • The very real danger they pose throughout the region they operate in. 
  • How reclusive such organizations are and how difficult it is to get someone to betray them. 
  • The operations we were able to stop because of this penetration, one of which was the latest plane plot by AQAP. 
  • The potential for further penetration and more insightful intelligence disappearing because a bureaucrat in D.C. took it upon themselves to deliver to the Associated Press information about the success of this ongoing operation. 
  • The likelihood that the assets were compromised, and the likelihood of survival for them and for those with whom they had contact.

So you can imagine my surprise to learn of the AP's outrage that the DoJ was investigating their contacts with various people who had knowledge of this operation. You've heard, no doubt, that the DoJ subpoenaed the AP's call records for over two months, and then those of reporters who may have been the source's contact. I have 11 years of criminal investigations experience and will be the first to attest that this is very customary when you're looking to connect people from one area to another. Whether or not the DoJ should have subpoenaed the AP's phone company is a different story and "way above my pay grade".

As you can guess, unauthorized disclosure of classified information is a crime. It's actually a very serious crime. Don't believe me? Here's the statute, 18 U.S.C. § 798, which covers classified communications intelligence. You'd do well to note there is zero accommodation or exemption for releases to the press.

(a) Whoever knowingly and willfully communicates, furnishes, transmits, or otherwise makes available to an unauthorized person, or publishes, or uses in any manner prejudicial to the safety or interest of the United States or for the benefit of any foreign government to the detriment of the United States any classified information—
(1) concerning the nature, preparation, or use of any code, cipher, or cryptographic system of the United States or any foreign government; or
(2) concerning the design, construction, use, maintenance, or repair of any device, apparatus, or appliance used or prepared or planned for use by the United States or any foreign government for cryptographic or communication intelligence purposes; or
(3) concerning the communication intelligence activities of the United States or any foreign government; or
(4) obtained by the processes of communication intelligence from the communications of any foreign government, knowing the same to have been obtained by such processes—
Shall be fined under this title or imprisoned not more than ten years, or both.
(b) As used in subsection (a) of this section—
The term “classified information” means information which, at the time of a violation of this section, is, for reasons of national security, specifically designated by a United States Government Agency for limited or restricted dissemination or distribution;
The terms “code,” “cipher,” and “cryptographic system” include in their meanings, in addition to their usual meanings, any method of secret writing and any mechanical or electrical device or method used for the purpose of disguising or concealing the contents, significance, or meanings of communications;
The term “foreign government” includes in its meaning any person or persons acting or purporting to act for or on behalf of any faction, party, department, agency, bureau, or military force of or within a foreign country, or for or on behalf of any government or any person or persons purporting to act as a government within a foreign country, whether or not such government is recognized by the United States;
The term “communication intelligence” means all procedures and methods used in the interception of communications and the obtaining of information from such communications by other than the intended recipients;
The term “unauthorized person” means any person who, or agency which, is not authorized to receive information of the categories set forth in subsection (a) of this section, by the President, or by the head of a department or agency of the United States Government which is expressly designated by the President to engage in communication intelligence activities for the United States.
(c) Nothing in this section shall prohibit the furnishing, upon lawful demand, of information to any regularly constituted committee of the Senate or House of Representatives of the United States of America, or joint committee thereof.
(d)(1) Any person convicted of a violation of this section shall forfeit to the United States irrespective of any provision of State law—
(A) any property constituting, or derived from, any proceeds the person obtained, directly or indirectly, as the result of such violation; and
(B) any of the person’s property used, or intended to be used, in any manner or part, to commit, or to facilitate the commission of, such violation.
(2) The court, in imposing sentence on a defendant for a conviction of a violation of this section, shall order that the defendant forfeit to the United States all property described in paragraph (1).
(3) Except as provided in paragraph (4), the provisions of subsections (b), (c), and (e) through (p) of section 413 of the Comprehensive Drug Abuse Prevention and Control Act of 1970 (21 U.S.C. 853 (b), (c), and (e)–(p)), shall apply to—
(A) property subject to forfeiture under this subsection;
(B) any seizure or disposition of such property; and
(C) any administrative or judicial proceeding in relation to such property,
if not inconsistent with this subsection.
(4) Notwithstanding section 524 (c) of title 28, there shall be deposited in the Crime Victims Fund established under section 1402 of the Victims of Crime Act of 1984 (42 U.S.C. 10601) all amounts from the forfeiture of property under this subsection remaining after the payment of expenses for forfeiture and sale authorized by law.
(5) As used in this subsection, the term “State” means any State of the United States, the District of Columbia, the Commonwealth of Puerto Rico, and any territory or possession of the United States.
As you can tell, the law is very specific, and for good reason, as I outlined before. The business of deriving the intelligence we need from terrorist organizations and rogue states requires secrecy. The best way I can describe the importance of keeping clandestine operations secret is to have you watch my child and me play "hide-and-go-seek". Children love to tell you where they're going to hide because it makes it easier for you to catch them. Imagine if your child was very clever and never told you where they were hiding. Better yet, what if you never knew they were playing the game? Then imagine if the stakes were higher - much higher than preempting a really good game. The same could be said of the modern spy game, where exponentially more lives are at risk.