Author: chris

“Criminals don’t wear suits”

Once upon a time, in a land not-so-far-away, a small group of individuals walked to the doors of a multinational corporation, and walked out with millions of dollars worth of company secrets and assets.

Through days of patient research and study, they were well equipped to work their way through the company, obtaining small pieces of information and compiling it into unmitigated access. Could this happen to you?

First, they learned the names of key employees by calling Human Resources and social engineering the information out of them. They would have preferred to find a company phone roster in the dumpster, but no one had thrown one away lately, although the passwords and internal memos that they did find certainly helped cushion the blow.

This company had a very friendly climate, and prided itself on hiring friendly and courteous employees. The friendly employee at the entrance was more than happy to hold the door for one of the individuals when he jogged to catch the closing door. Why not? Criminals don’t wear suits and ties, right? They got inside the moat.

Another friendly employee was more than happy to help out the stressed-out intern who had lost his access badge on his first day and just had to get the report to his boss before he got fired! Why not? We’re all on the same team, right?

No matter how strong a castle’s walls, they do no good once the enemy is inside.

Inside the secure area, they found a gold mine of unshredded documents, both in the trash and piled by the shredder. In a stroke of inspiration, a hastily scrawled note was placed on a busy shredder: “Shredder out of order. Put materials in this box to be picked up by security.” Traditional hacking techniques also allowed unrestricted access to key computer systems, which is often superfluous when the password is written down and hidden. (No one would ever know that this is my password, even if they do look in the drawer!)

Lucky for them, the CEO had let them know (through his out of office auto reply) that he would be gone that day. His assistant was very helpful when the new janitor forgot his keys and had to stay on schedule!

Could it get worse than this? It very well could. There’s a good chance that your organization may never suffer a planned, organized intrusion such as this. But basic OPSEC, often at little or no cost to the organization, can help prevent such a disaster. Never forget how important you are!

If it can track a thief…

The Coachella Valley Music and Arts Festival, generally referred to simply as “Coachella” is an annual festival held in Indio, California. People come from all over the country to listen to music on several stages, enjoy art exhibits, camp, and other recreational activities.

During the 2017 event, many festival-goers found that their cell phones were missing. Presumably, they had been stolen. The victims used the “find my phone” function (available on both iDevices and Android) to locate the devices, eventually converging on attendee Reinaldo De Jesus Henao.

When the police arrived, they searched Henao and found more than 100 phones in his backpack. He was arrested on suspicion of grand theft and possession of stolen property.

This is exactly how the “find my phone” feature is supposed to work. The phones were stolen from their rightful owners, who were then able to locate them using the built-in features. But if those features can be used to track a thief, they may also be used to track you.

Be aware of your phone’s settings and features. Could someone access your Apple or Google account and track you that way? Are your pictures also recording location data? What does your phone tell someone that wants to find you?


The Video Clerk

In January of 2006, six terrorists were preparing for the final phase of their plan. Their intent was to storm Fort Dix with automatic rifles, with the goal of killing as many soldiers as possible. They considered the soldiers to be a viable military target, but also planned to kill as many civilians as they could.

In addition to the rifles, they had prepared explosives to target groups of people and vehicles. They had trained on a local paintball range and in the woods around the installation, and they had practiced shooting at targets at a local range. One of the men, whose father owned a pizza parlor nearby, used his pizza delivery job to scout potential targets. They had video surveillance and detailed maps. They had even traveled to other military installations to surveil their next targets. They were prepared.

How did we uncover this insidious terrorist plot? Was it international law enforcement cooperation? An insider? Maybe a paid informant or intercepted communications?

It wasn’t any of those. It was a video clerk.

The terrorists had recorded themselves on VHS video initiating a call to jihad and practicing “military-like” drills. They brought those VHS tapes to a nearby video store to convert to DVDs, which is where the clerk noticed the content. He then called the FBI, who investigated the group and arrested the men.

Not all terrorists are internationally trained and educated sophisticates. Sometimes they can be careless or stupid. They can be caught by people like you or me, or by a video clerk.

“I can’t do anything, I’m just a file clerk.”

“I just do badges.”

“I’m only an office worker.”

“I just make copies and burn CDs all day.”

“It’s not my job.”

There are a million excuses. But then again, who knows how many lives that clerk saved when he reported something out of the ordinary? Stay vigilant and contact designated authorities when you see anything unusual, suspicious, or strange.

One person can make a difference. Will that person be you?

What is EEFI?

Essential Elements of Friendly Information (EEFI) are the answers to an intelligence agent’s questions about your system, support, deployments and force protection, otherwise known as the mission. The questions they want to answer relate directly to your critical information listing (CIL). For example: What is America’s space capability now and in the immediate future? Can Peterson Air Force Base protect NORTHCOM? Does the Air Force care about its people? What measures will the Air Force take if its computer systems or installation are attacked? The program we all know as OPSEC exists to deny your enemy the answers to these questions. OPSEC protects our official-use and controlled unclassified information.

The purpose of the OPSEC program is to reduce the vulnerability of Air Force missions to the successful collection and exploitation of your critical information, which would hand the adversary the answers to their critical questions surrounding Peterson AFB. OPSEC applies to all activities that prepare, sustain, or employ forces during all phases of your operations.

Ask yourself:

  • Do you post recall rosters in your cubicle?
  • Do you post your retirement orders, social security number included, on your overhead or desk in the open?
  • Do you copy personal checks on the office copier and throw them into a recycle bin?
  • Do you tear out your notes from a sensor system management meeting on future state space operations and put them into a dumpster or an old recycle bin under your desk?
  • Do you shred 100% of all official information?
  • Do you shred your personal information at home?
  • Do you have an unsecured router at home while you work on official business?
  • Do you use a personal flash drive at work?
  • Do you or your family members talk about your mission to your friends, or to young children at home who have access to the internet?
  • Do you allow your family to post deployment pictures on social networking sites?
  • Do you blog with unknown folks on the net, talk about the military, and vent about weaknesses of leaders you witness on base?

These are all examples of vulnerabilities that everyone in the Air Force must consider. I recommend a ready, aim, fire approach to protecting information. The game Tic-Tac-Toe comes to mind. How does it apply to OPSEC?

OPSEC can be seen by your adversary as a game of tic-tac-toe. If you use OPSEC to prevent the collection of intelligence, you place the “X” in the center square. Be smart; be a hard target. Make sure your folks use and think OPSEC and place that “X” in the center square. Ensure that your enemy’s questions go unanswered.

Even if it quacks like a duck…

…it might not be a duck.

Your adversary isn’t going to be honest about who they are or what they’re after. If they were, they wouldn’t be in business for very long! Instead, they’re often going to pretend to be something you trust or expect.

  • Be wary when receiving unsolicited phone calls, emails, or visits, especially if the person contacting you is asking for information you wouldn’t reveal to a stranger. Verify their identity before giving them anything.
  • Don’t give out personal information about employees or non-public information about your company. Both are common targets for corporate spies or competitors.
  • Don’t respond to emails asking for financial information or prompting you to log in, and don’t trust links in emails. If you feel the email may be legitimate, contact the sender using their public contact information to confirm.
  • Make sure that websites are secure before sending any sensitive information. Whenever possible, encrypt it first.
  • Double-check the URL before submitting information via the web. There’s a big difference between www.yourbank.com and www.yourbank.co.
  • Keep your antivirus and antimalware software up-to-date. Install and use a firewall.
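The URL check in the list above, as an added Python example (not from the newsletter): it isolates the host a browser would actually connect to, so a look-alike domain such as www.yourbank.co, a trusted name buried inside an attacker's subdomain, or a trusted name placed before an @ sign all fail the comparison. The TRUSTED_DOMAINS allowlist and every sample URL are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the domains the user genuinely expects to log in to.
# (Hypothetical value, not taken from the newsletter.)
TRUSTED_DOMAINS = {"yourbank.com"}


def destination_host(url: str) -> str:
    """Return the lower-cased hostname the browser would really connect to.

    urlsplit() discards userinfo and the port, so a link like
    https://yourbank.com@evil.example/ resolves to evil.example, not the
    trusted name that appears first when you glance at it.
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")
    # Convert international characters to their xn-- (IDNA) form so a
    # homoglyph domain no longer looks identical to the trusted one.
    try:
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        pass  # malformed label: leave it, it will not match the allowlist
    return host


def is_trusted(url: str) -> bool:
    """True only for a trusted domain or a true subdomain of it.

    endswith("." + domain) is what makes www.yourbank.com.evil.example
    fail: the trusted name is not at the end of that host.
    """
    host = destination_host(url)
    if not host:
        return False
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def classify(url: str) -> str:
    """Summarise the two checks from the list: right host, and secured (https)."""
    if not is_trusted(url):
        return "untrusted"
    if urlsplit(url.strip()).scheme != "https":
        return "insecure"  # correct host, but the page itself is not secured
    return "ok"


if __name__ == "__main__":
    for sample in ("https://www.yourbank.com/login", "https://www.yourbank.co/login",
                   "https://www.yourbank.com.evil.example/login",
                   "https://yourbank.com@evil.example/login"):
        print(f"{classify(sample):10} {sample}")
```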

Social engineers rely on the mental shortcuts that we tend to form. We see someone with a clipboard, and we assume they’re here on official business. We get an email or phone call with very dire warnings (“The IRS is going to have me arrested??”), and we naturally want to solve those problems as quickly as possible.

Whenever someone seems to want you to feel or act a certain way, especially when it’s with a sense of urgency, stop and think about what they’re actually trying to get you to do. When you do that, you break the social engineer’s script and are less likely to fall victim to their techniques.