Wednesday, August 7, 2013

Ten OPSEC Lessons Learned From The Good Guys, Bad Guys, and People-in-Between



If you've been in the security world long enough, you've heard of a term called "OPSEC" or operational security. This is a security discipline in which organizations or individual operators conduct their business in a manner that does not jeopardize their true mission. If you're a police officer who is staking out a house, it would be bad OPSEC to sit outside the house in a marked police vehicle. I think it's prudent we discuss this discipline so we can better analyze our own processes by which we protect ourselves and our operations. Reviewing the OPSEC process is a great place to start. The following come from Wikipedia (I know - it's super-scholarly):
  1. Identification of Critical Information: Identifying information needed by an adversary, which focuses the remainder of the OPSEC process on protecting vital information, rather than attempting to protect all classified or sensitive unclassified information.
  2. Analysis of Threats: the research and analysis of intelligence, counterintelligence, and open source information to identify likely adversaries to a planned operation.
  3. Analysis of Vulnerabilities: examining each aspect of the planned operation to identify OPSEC indicators that could reveal critical information and then comparing those indicators with the adversary’s intelligence collection capabilities identified in the previous action.
  4. Assessment of Risk: First, planners analyze the vulnerabilities identified in the previous action and identify possible OPSEC measures for each vulnerability. Second, specific OPSEC measures are selected for execution based upon a risk assessment done by the commander and staff.
  5. Application of Appropriate OPSEC Measures: The command implements the OPSEC measures selected in the assessment of risk action or, in the case of planned future operations and activities, includes the measures in specific OPSEC plans.
  6. Assessment of Insider Knowledge: Assessing and ensuring employees, contractors, and key personnel having access to critical or sensitive information practice and maintain proper OPSEC measures by organizational security elements; whether by open assessment or covert assessment in order to evaluate the information being processed and/or handled on all levels of operatability (employees/mid-level/senior management) and prevent unintended/intentional disclosure.
We should also recognize good guys aren't the only ones who practice this discipline. As a matter of fact, the bad guys do as well and many are quite good at it. The lessons we could learn from them, our fellow security professionals, and others are almost immeasurable.
  1. NEVER trust a big butt and a smile. Yup. I started off with that. Bear with me. Many intelligence agencies and law enforcement organizations use sex as a means to get close to a target or person of interest. Most bad guys realize this. However, many do not, to their own detriment. When involved with people in a relationship or sexual encounter, they get very close to you and your secrets. I liken these people to "trusted agents" whom you allow close enough that they can get more information than you're willing or able to share publicly. Poor OPSEC practitioners often forget this. Most of their security failures stem from this fatal flaw. I'm not saying to not be in a relationship or to eschew intimacy. If you're in a job that requires you to adhere to sound OPSEC principles, what I'm advising you to do is to exercise due diligence and conduct a risk analysis before you do. Think Marion Barry, Anthony Weiner, and Eliot Spitzer.
  2. Immortal words spoken during an EPIC fail.
  3. Always have a thoroughly vetted back-story for your cover. This is commonly referred to as a "legend" in the intelligence community. It is an identity in line with your established, synthetic cover. For example, I mentioned the hacker known as The Jester in a previous blog post. Depending on which side you're on, he's either a bad guy or a good guy. However, the lessons he teaches us about cover are insightful. Whenever someone "doxes" him, he has a prepared and detailed analysis of how he created that cover identity. Many times he'll use a name that does exist, attached to a person who either does not exist or whom he has cleverly manufactured using a multitude of identity generators. He'll use disposable credit cards, email, LinkedIn profiles, VPNs which show logins from his cover location, etc. He even engages in cyber-deception with other actors to establish various cover stories for operations that require them. Whether you like him or not, he's certainly good at one thing we know for sure - cover discipline.
  4. NEVER trust anyone you just met. I see you laughing. Many people mistakenly believe they can and should trust everyone they meet. They will often claim they don't, but their behavior says otherwise. As Ronald Reagan is often quoted as saying, "In God we trust, all others we verify." I firmly believe this to be the most crucial aspect of operational security. Proper trust is needed in any environment for the mission to be accomplished. However, blind trust can and will kill any hopes of a successful mission. Whether you're checking identification at an entry control point or planning cybersecurity for an online bank, you should always treat every introduction you don't initiate as suspect. Then triage people and their level of access according to risk acceptance. This is a lesson we learned with Edward Snowden. He'd only been at Booz Allen Hamilton a few months before he began siphoning massive amounts of classified information to which he had no direct access or need-to-know. Another saying I'm fond of is "Keep your enemies close, but your friends closer." I'm not saying everyone you meet is going to steal from you or betray your trust. Like my momma always says, "Not everyone that smiles at you is your friend and not every frown comes from an enemy."
  5. Shut the hell up! No. Seriously. Shut up. If you hang around the special operations community, you'll hear the work they do described with the term "quiet professionals". Most successful bad guys realize the best way to ensure longevity is to shut the hell up. Bragging about or giving "pre-game commentary" before an operation are guaranteed ways to get caught or killed. The truly dangerous people are the ones who never say a word and just do their work. Sometimes, lethality is best expressed with silence.



  6. Watch what you leak. While we can keep our mouths shut, it is more difficult in the information age to keep everything connected to us quiet. In order to properly protect ourselves, we have to begin this process by conducting proper risk analysis. Is what I'm doing right now giving away something I don't want the public to know? Is the device or medium I'm talking on able to give away information I'm not comfortable with sharing? Does my enemy have the ability to intercept or analyze what I'm doing in order to gain sensitive information? What "tells" am I projecting? These are a few of many questions you should be asking in order to ensure you're limiting "noise litter".

    In the information age, do I need to say more?
  7. If you're doing secret stuff, NEVER EVER EVER EVER EVER talk on the wire. Look at the Mafia as a perfect example of what not to do. As an OPSEC practitioner, you should never communicate on any medium that can give away your secrets or be intercepted. John Gotti got busted talking on the wire. A personal rule of thumb: if it can receive messages, it can transmit messages without you knowing. Treat every computer like an informant - feed it only what you're willing to share with your adversary.
  8. NEVER ever touch or be in the same place as the "product". For the uninitiated, that is one of the first rules of the dope game. Every successful, elusive drug dealer knows to keep away from the "product" (read: "drugs"). Whatever the "product" in your "game", ensure you put enough distance between you and it. If you have to be close to it, then have a good reason to be with it.
  9. Recognize "the lion in the tall grass". When practicing OPSEC, if there is one thing you should never forget, it is why you're doing it. The reason you're practicing it is simple - there are people out there that oppose you. Ignore them to your detriment.
  10. NEVER say something you can't back up or prove immediately. Nothing says you're a person who needs to be checked out better than saying things you can't back up or prove. People who are trying to vet you will require you to back up what you say, for a reason. Be ready for this. A great example of this is people who claim to be connected to someone of stature in order to gain access. In this case, they're found out because the target asks the other party, who cannot confirm the connection.
  11. Treat your real intentions and identity as that gold ring from Lord of the Rings. I'm not saying put your driver's license on a necklace so a troll who thinks it's his "precious" won't take it. First of all, that's too cool to happen in real life. Second, you'll look like an idiot. Finally, there are more practical ways of protecting your identity. For starters, never have anything that connects your identity to your operation. Next, if you have to use your real identity in connection with an operation, give yourself some ability to deny the connection. Lastly, NEVER trust your identity, intentions, or operations to anyone or anything other than yourself.
I've decided to include the more practical list from the "Notorious B.I.G." to drive home some of these principles:

TEN CRACK COMMANDMENTS
  1. Rule number uno, never let no one know
    How much, dough you hold, 'cause you know
    The cheddar breed jealousy 'specially
    If that man *** up, get your *** stuck up
  2. Number two, never let 'em know your next move
    Don't you know Bad Boys move in silence or violence
    Take it from your highness
    I done squeezed mad clips at these cats for they bricks and chips
  3. Number three, never trust nobody
    Your moms'll set that *** up, properly gassed up
    Hoodie to mask up, s***, for that fast buck
    She be layin' in the bushes to light that *** up
  4. Number four, know you heard this before
    Never get high on your own supply
  5. Number five, never sell no *** where you rest at
    I don't care if they want a ounce, tell 'em bounce
  6. Number six, that God*** credit, dig it
    You think a *** head payin' you back, *** forget it
  7. Seven, this rule is so underrated
    Keep your family and business completely separated
    Money and blood don't mix like two *** and no ***
    Find yourself in serious s***
  8. Number eight, never keep no weight on you
    Them cats that squeeze your *** can hold jobs too
  9. Number nine, shoulda been number one to me
    If you ain't gettin' bags stay the f*** from police
    If *** think you snitchin' ain't tryin' listen
    They be sittin' in your kitchen, waitin' to start hittin'
  10. Number ten, a strong word called consignment
    Strictly for live men, not for freshmen
    If you ain't got the clientele say hell no
    'Cause they gon' want they money rain, sleet, hail, snow
Don't forget the admonition Notorious B.I.G. gives, which should never be diminished:
Follow these rules, you'll have mad bread to break up
If not, twenty-four years, on the wake up
Slug hit your temple, watch your frame shake up
Caretaker did your makeup, when you pass

An information security professional known as "The Grugq" gave a very interesting talk on OPSEC. I think it is worth taking a glance at (try to contain all laughter and buffoonery at the preview image - we're running a family show here, folks):


Wednesday, July 24, 2013

10 Ways to Mitigate The Risks and Issues Associated With Theft From Motor Vehicles



When I was stationed in England, one of the most pressing issues we faced was theft from motor vehicles. It seemed like every day I received a report that a US service member had something stolen from their vehicle. What amazed me was not the item stolen but how simple the measures that help prevent and mitigate these thefts are. Here are a few simple things you can do:

  1. If you leave it on your car seat, it WILL get stolen. There's no question in my mind: if you leave something of any value in your vehicle in plain view, it is not a matter of if but when it will be stolen. Take your valuables and secure them. If it has to remain in the vehicle, place it in your trunk. If you can take it inside, take it inside. NEVER EVER leave valuables in your car overnight. Period.
  2. Remember when I said "anything of value"? Well, that also includes your GPS. The most common thing people forget to take into their homes at the end of the day is their detachable GPS unit. Take it inside. If you have to leave it in the car, lock it and the mount you use in the trunk. Also ensure your window doesn't have the infamous "GPS markers" - the residue left when the mount's suction piece is disconnected from your window. This is a "tell" that you may still have stuff of value in the vehicle.
  3. Limit things that tell everyone you routinely store valuable things in your vehicle. If you're a cop, limit the "Thin Blue Line" or FOP stickers. They tell potential thieves that on occasion (perhaps today) you leave a gun or other department-issued gear in the vehicle. If you're in IT, now might be a good time to take the ethernet cables and the old router boxes and leave them in the office or at home. Again, this tells thieves the wrong thing.
  4. Park your car in a lighted area in plain view of you and other pedestrians, passing motorists, and police officers. Most people think if they hide something, then thieves are less likely to attack. That is not always the case. Chances are you're not nearly as good at hiding stuff as you think. If you can't move the car to a well-lit area, at least consider moving it somewhere closer to your home.
  5. Your locked door means nothing. People normally laugh when I say this. I suspect this has to do with the fact that they forget that most thieves prefer easy methods of entry. If it's on the front seat and they want it, they will choose the path of least resistance - your windows.
  6. Get an alarm, but actually go outside and turn it off when it annunciates. One of the biggest mistakes people make is that they hear the car alarm go off, take a quick glance out, and immediately turn it off. What your car alarm is saying every time it goes off is "Hey you! Someone who is not you just touched me - as in, I think someone is trying to steal stuff." It's a pain in the butt for sure to go out every single time. However, I'd rather know I actually went out and saw for myself than find my stuff gone because I deactivated the alarm after nothing more than a glance out the window.
  7. Make securing your car a part of your nightly security routine. I do it every single night. I check all of the doors and windows in my house. Once I'm done there, I arm my vehicle and my wife's, ensuring the doors are locked. This has to be done.
  8. Buy insurance for all of your stuff. Seriously. Buy insurance that covers loss of stuff from your vehicle. Remember, it's not a matter of if but when your stuff will get taken.
  9. If you're parked in a public garage, practice all of the steps above AND consider parking near cameras. Thieves often hit public garages and lots because they believe they'll have some privacy (i.e. areas to hide and do their business). You rob them of that privacy by placing the vehicle some place where natural observers can see them and where there are cameras. If the garage is manned, consider parking the car nearest to where the attendants are. Also, always take your parking passes, gate keys, and ticket stubs with you.
  10. If you're in a business that requires tools in your vehicles, be extra vigilant when taking the vehicle home with you. Seriously. Of all the vehicles that get attacked, work vehicles are targeted the most. Why? You're more likely to have expensive stuff.
If you're a law enforcement officer or security manager charged with preventing these crimes, I recommend the following site to assist you: http://www.popcenter.org/problems/parking_garage_theft/

Monday, July 22, 2013

Dude, You've Got Mad Pickpocket Skills

I have seen a lot of criminal acts in my 30-something years of being on this blue rock. Occasionally, I find myself amazed by how ingenious and brazen certain criminals are. This story out of China is one such case. A lady was innocently riding her bike when a pickpocket jogs up next to her. As he gets closer to her, he uses chopsticks to retrieve her phone from her jacket. That's right - chopsticks. You have to see it to believe it.






Yup. That's what you call a smooth operator.