Straight talk from the OSPA President

29Dec Hiding in plain site

The joke goes something like this:

There was a man who had worked at a factory for twenty years. Every night when he left the plant, he would push a wheelbarrow full of straw to the guard at the gate.
The guard would look through the straw, and find nothing and pass the man through.
On the day of his retirement the man came to the guard as usual but without the wheelbarrow.
Having become friends over the years, the guard asked him, “Charlie, I’ve seen you walk out of here every night for twenty years. I know you’ve been stealing something. Now that you’re retired, tell me what it is. It’s driving me crazy.”
Charlie simply smiled and replied, “Okay, wheelbarrows!”

While wheelbarrow theft may not (or may, who are we to judge?) be your biggest concern, the message certainly is. Sometimes, the biggest threats are hiding in plain sight. Sometimes, what we assume is our biggest concern… is actually a distraction.



06Dec Shibboleth

Shibboleth.
No, that’s not a misspelled curse word. It’s an actual, factual security-related concept, and one of particular interest to OPSEC’ers.
By definition, a Shibboleth “is any distinguishing practice which is indicative of one’s social or regional origin. It usually refers to features of language, and particularly to a word whose pronunciation identifies its speaker as being a member or not a member of a particular group.”
Certain subtle clues, implying membership or exclusion from a group, can be of particular importance to a security professional. For instance, during the Battle of the Bulge, American soldiers used baseball trivia and knowledge to determine if others were fellow Americans or if they were infiltrators in American uniform. Another example, based on accents and linguistic capabilities, is when the Dutch used the name of the town Scheveningen to identify Germans.
Of course, we see the same thing when we go home to our children. When they tell their friends that their parents are “phat phree”, we might not know whether to thank them or ground them. (pro tip: “phat phree” is not a compliment)
However, this only highlights the fact that, sometimes, things just might not “feel right”, and you, as well as every employee, should be looking out for that. Every company, office or group has certain in-jokes or unique features, and a lack of knowledge about some elements of common knowledge should certainly be considered suspicious, or at least warrant additional consideration. Of course, this cuts both ways: if someone is able to learn certain “inside phrases” or procedures, that shouldn’t necessitate trust. Gaining trust in this manner is one of the concepts behind social engineering.
Shibboleth. It’s just another potential clue, another clue for every “sensor” (meaning every employee) to determine when something just “isn’t right”.


14Jun OPSEC while “Home Alone”

The first part of this clip from the movie “Home Alone” has a few good “OPSEC” points.

For starters, Kevin obviously took a quick look at his operation (meaning his situation at home) from the perspective of an adversary- in this case, a burglar. Realizing that the deviation from an established profile (meaning signs of an occupied home) is itself an indicator (that something has changed, in this case, that the home is now unoccupied), Kevin implemented a countermeasure, which was to simulate a party.

For all appearances, the home was occupied.

Later, in a convenient plot device, Kevin overhears the burglars talking about their plans in very specific detail. Talking about their plan. Within earshot of those involved. Right before zero-hour.

Don’t you wish it was only the bad guys that do that?

YouTube - Home Alone Xmas.



12Jun US Army allows access to blogs and other Social Media

According to Federal Computer Week (http://fcw.com/articles/2009/06/11/army-social-media.aspx?s=fcwdaily_120609), the US Army has directed network managers across the country to stop blocking certain Web 2.0 sites, such as Flickr and Twitter. Photobucket, MySpace and Live365 are to be blocked.

The rationale, as reflected in the order, is that: “The intent of senior Army leaders to leverage social media as a medium to allow soldiers to ‘tell the Army story’ and to facilitate the dissemination of strategic, unclassified information, the social media sites available from the Army homepage will be made accessible from all campus area network.”

Many of us OPSEC’ers may have mixed feelings about this. While it is an opportunity to leverage emerging technologies and foster technical development within the military, there always remains the possibility of an inadvertent release of information.

But, at the same time, the reality is that it’s not the technology that’s the problem, and it’s certainly not going away. The problem lies within the users, and a relatively small number at that. The problem, to put it in its most basic terms, is not “what” the technology allows, but “how” it is used.

So, once again, it comes down to training. And with this recent order, it will be especially critical for all of you “Army OPSEC’ers” out there. Training and awareness are the two greatest tools in an OPSEC professional’s arsenal, and it’s the focus and dedication of each one of you that will keep OPSEC effective and relevant to today’s threats.

While unsung, you’re the last line of defense between your critical information and an adversary that wants it.



07Jun Back in the saddle again!

Well, it’s been a while since I’ve blogged here. No good reason, really, sometimes things get busy, and… well, you just forget that you even have a blog. You know how it goes.

Since my last post, a lot has happened. The National OPSEC Conference was a lot of fun, and OSPA had a very successful presence. As a result, OSPA has started working with the UN, NATO, several Law Enforcement Agencies, and a few Neighborhood Watch groups. It’s great to see OPSEC spreading like it is!

Updated the home page; it was time for another change!

Anyways, thanks for reading; more soon!

Chris



16Dec Security Warning: Internet Explorer

If you’re currently using Internet Explorer, please be aware that Microsoft has issued a warning about a current security flaw in all versions that is currently affecting around 2 Million users.

According to PC World Magazine, “So far most of the attacks have been geographically centered on China and have been used for the purposes of stealing computer game passwords. But with a flaw as gap-toothed as this, the possibilities of nefarious action could include the massive theft of personal information such as administrative computer passwords and financial data.”

Although workarounds are available, Microsoft has suggested using an alternate browser, such as Firefox, in the meantime. For certain government systems, which are still required to use Internet Explorer, workarounds are available. Your IT/IMO staff should have more information.

Please see http://www.washingtonpost.com/wp-dyn/content/article/2008/12/16/AR2008121601022.html for more information.



26Nov General Patton and OPSEC

With Thanksgiving right around the corner, it makes me think of my family when I was coming up. We’d spend all day cooking the turkey, and the yams with those tiny marshmallows, and then we’d all sit around the table and watch George C. Scott in Patton.

No, not really. But it was a convenient way to segue into an incident that was briefly covered in the movie, but required a great deal of complexity in order to be successful, and an excellent example of OPSEC (and strategic misinformation!) in action.

If you’ve seen the movie, you’re familiar with the “slapping incident” of 1943, in which General Patton slapped a Soldier by the name of Charles Kuhl who was weeping in the infirmary. (For history buffs, it turned out that Kuhl had malaria at the time. Despite the incident, however, he later recounted Patton as a “Great General”.)

When the stateside public and press learned of the incident, President Eisenhower was pressured to send Patton home in disgrace. However, Eisenhower and George Marshall came up with an alternate plan.

Patton was removed from any major command, but kept in theater. The German High Command was familiar with (and some say afraid of) Patton, so his location was closely watched for any sign of impending attack. As such, his extended stay in Sicily was seen as a clear indicator of an upcoming invasion through France. At a later time, his visit to Cairo caused additional resources to be misdirected towards repelling an attack from the Balkans.

In the months before the 1944 Normandy Invasion, Allied forces launched “Operation Fortitude”, which was a major military disinformation campaign that involved controlled leaks of information, fake (even inflatable!) military equipment, message traffic and double agents. Perhaps most effective, however, was Patton’s public leadership of the (non-existent) First US Army Group (FUSAG).

A culmination of this effort, and a memorable event for all involved, was when Patton shouted across a crowded reception hall to Eisenhower, “I’ll see you in Calais!”, which surely upset those that weren’t in on the ruse.

The efforts were highly successful and turned the tide of the war. The German Army had everything that they needed, and the Allies appeared to be practicing very poor OPSEC. This story applies today. Remember that when something seems “too perfect” or “obvious”… It just might be intentional.

…And now you know… The rest of the story.



10Sep Guest post- The Information Age and OPSEC

The Information Age and OPSEC

By Victor Duckarmenn

In 1941, we had our first real computer called the Z-3. By 1971, we had E-mail, in 1989, the World Wide Web (WWW) and wireless devices by the year 2000. Additional wonders of technology increase every decade. What are the consequences of all this “progress” and technological change? Did personal or mission related information become more secure? Did space operations Essential Elements of Friendly Information (EEFI) become more or less important or just disappear in the advent of our space business? I am afraid our technical information, space mission secrets, our personal and space system data are all under attack every moment of the day. What information do you need to protect? Let’s look at critical information and its nature.

The nature of critical information is defined in one word: “vulnerable”. With advancing technology we find ourselves bracing for insider and hacker-cracker attacks, our systems are open to increased access via commercial Off-The-Shelf (COT) purchases without the need identified to protect our internal information. Identity theft activity is on the rise. The crime of the 21st century will obviously be the theft of personal information. Data-mining, war-driving, and the lack of attention to our privacy and 1972 Privacy Act, have become the “white noise” behind our wireless vulnerabilities. Consider if you will, the tempo of information flow today. There is so much information available on the “net” or “grid” it scares Information Assurance (IA), Operations Security (OPSEC), computer security (COMPUSEC) and Info-Security (INFOSEC) subject matter experts (SME) to death. What are the “points of information contact” we need to watch for? What are the four OPSEC arenas in the information protection battle? They are the physical, administrative, action and technical. In 1941 we began the information age and the “Info-war”. What can you, the information warrior, do? Let’s look at generic measures in the four OPSEC arenas.

Combating the physical issues in protecting space operations information is very simple: lock up mission sensitive, controlled unclassified, “For Official Use Only” (FOUO) and Privacy Act information. Implement double locks where possible to eliminate corporate and individual liabilities. The lack of consequences for our failures in the past for violations of the Privacy Act, or leaving mission critical controlled unclassified information in the trash caused the death of this very simple measure. Apathy and complacency are your adversary’s tools in the information war. I call them the “gruesome two-some”. What about administration?

Don’t leave your private information, recall rosters or sensitive data out in the open, on your desk or transmit it into the airwaves for all to receive. Administration has many natural controls to include 100% cross cut shredding, both at home and at work, the sanitization of the voice mail and out of office replies. Just a simple clean desk policy without posting retirement orders or system information could win the OPSEC “info-war”. What about actions?

Conversations are a form of action. Stopping off-base conversations about the mission failure or success, which can also be electronic, or talking out loud where local people do not have a “need to know” can be key to the denial of information to your intelligence enemies. What about the technical area?

One recommendation to ensure success in the technical arena is to simply restrict your wireless usage during government business. Use a landline to discuss command and control information. A cell phone or personal assistant device (PAD) is like lighting up a cave with a halogen flashlight – the bats know you’re in the cave! It is important not to lose a cell phone or government thumb drive that is filled with critical information. So what?

The information age is still growing and the value of protecting our space operations information is more “value added” every day. Protect your wingman’s personal information. Protect your missions’ operation information. Your personal OPSEC has come of age; the information age!



08Sep Playing with OPSEC

By now, we’ve all taught our children what it’s “safe” to say, and what they should avoid saying, when they’re using the computer. They probably know what chat rooms to avoid and to be aware that “Sweet16girlie” might be more accurately described as “Unwashed46Man”.

So you’ve got the OPSEC for your family computer down pat.

What about the Playstation? What about the X-Box? Many families pay a monthly subscription fee to add network gameplay to these gaming consoles, which also allows for chat and even file transfer.

Make sure to talk to your kids about OPSEC and gaming consoles. Not only children play video games!



01Sep “The deposit box is out of order”

The Oregon newspaper “The Oregonian” reported the following on August 19, 2008:

Two men made off with hundreds of dollars in cash by dressing as security guards, standing outside a bank’s night deposit slot and persuading people to hand over their money because the slot was broken.

The men offered to make the deposits for customers at the Washington Square branch of Wells Fargo Bank the next day when the bank reopened, said Jim Wolf, a Tigard Police Department spokesman.

“Wells Fargo had absolutely no idea who these men were,” Wolf said.

He said the men wore uniforms and had badges and guns. The night deposit slot was covered by a blue engraved sign saying it was out of order.

The men offered to collect the deposits by putting them in a black box they had, Wolf said. The deposits came from businesses that normally use the slot to deposit the day’s receipts from their tills.

Two people who gave deposits to the men said the sign over the slot read “Out of Service.”

These men had many factors in their favor. Generally, people trust those that appear to have authority. Also, many people consider it “rude” to question someone who’s “just doing their job”, and many people have very low standards for correlation; in this case, the sign said the deposit box was out of order, and there was a guard nearby: “it must be true!”

The same threats exist against your organization. A “Social Engineer” will rely on those same assumptions, and several more, when attempting to infiltrate or obtain information to which they wouldn’t normally have access. Remember that enforcing security isn’t “rude”, and following proper procedures isn’t being “paranoid”!

