06Dec Shibboleth

Shibboleth.

No, that’s not a misspelled curse word. It’s an actual, factual security related concept, and one of particular interest to OPSEC‘ers.

By definition, a Shibboleth is “is any distinguishing practice which is indicative of one’s social or regional origin. It usually refers to features of language, and particularly to a word whose pronunciation identifies its speaker as being a member or not a member of a particular group.”

Certain subtle clues, inferring membership or exclusion from a group, can be of particular importance to a security professional. For instance, during the Battle of the Bulge, American soldiers used baseball trivia and knowledge to determine if others were fellow Americans or if they were infiltrators in American uniform. Another example, based on accents and linguistic capabilities, is when the Dutch used the name of the town Scheveningen to identify Germans.

Of course, we see the same thing when we go home to our children. When they tell their friends that their parents are “phat phree”, we might not no whether to thank them or ground them. (pro tip: “phat phree” is not a compliment)

However, this only highlights the fact that, sometimes, things just might not “feel right”, and you, as well as every employee, should be looking out for that. Every company, office or group has certain in-jokes or unique features, and a lack of knowledge about some elements of common knowledge should certainly be considered suspicious, or at least warrant additional consideration. Of course, this cuts both ways- if someone is able to learn certain “inside phrases” or procedures, that shouldn’t necessitate trust. Gaining trust in this manner is one of the concepts behind social engineering.

Shibboleth. It’s just another potential clue- another clue for every “sensor” (meaning every employee) to determine when something just “isn’t right”.