Category: Adversaries

The Zoo

A very small zoo was thrown into chaos when the star attraction- a gorilla named Chuck- unexpectedly died right before they opened for the day.

The owners were worried, because people came from all over just to see Chuck’s antics. Surely, the gorilla’s passing would spell the end of the beloved zoo.

But then, the owner had an idea. He called Jason, one of his employees, and offered him an extra $100 a day if he would wear a gorilla costume and pretend to be chuck- just until they could get a live replacement. Jason agreed, and minutes before opening he was suited up and ready in the enclosure.

Everyone loved Jason’s antics. The children clapped and laughed, and even the adults enjoyed watching the fake Chuck run around and beat his chest. Eventually, however, business started to die down. Chuck was still a popular attraction, but people could only watch an animal do the same tricks so many times. So Jason began changing things up. He would throw a ball out of the enclosure and wait for people to throw it back. He’d dance in a very gorilla-like way. But everyone got the biggest thrill when he would climb over the divider and hang over the lion’s pit. It was truly a death-defying spectacle.

One day, while Jason was hanging over the very hungry lion’s pit, the aging costume gave way and Jason fell hard onto the ground. The lion started circling menacingly, ready to pounce and tear the costumed man to bits.

“Help! Help!” Jason started shouting, scrambling madly to get up and out of the lion’s grasp.

“Quiet you, fool!” the lion whispered. “Are you trying to get us both fired?”

Sometimes, things aren’t what they appear. What we think is a friendly gorilla is a man in a costume. A dangerous lion is a friend. Appearances can be deceiving, so it’s important that we verify that what we’re seeing or hearing is correct.

Much like in this story, sometimes people don’t want you to know who they really are. The man with a clipboard that comes into your facility- are they really an inspector? The woman that shows up from IT saying she needs your computer for maintenance- did IT actually send anyone down?

Sometimes, it only takes a little bit of vigilance to see through someone’s disguise. And we should always be checking.

May the 4th be with you!

Today is May 4th- also known as Star Wars Day. Live long and prosper!

Kidding, kidding.

Whenever I watch the movie, I think about the hardest working person in the galaxy: the Empire’s OPSEC Manager. Probably some part-time Stormtrooper somewhere on Coruscant, who had to worry about military missions light years away. And to top it all off, that poor OPSEC manager is trying to keep information from a group that can literally read minds. Not an easy task.

After the battle of Endor, that person better have gotten a raise. Sure, it wasn’t exactly a military victory for the Empire, seeing as how the death star was destroyed and the elite ground forces were decimated by teddy bears, but that was hardly the OPSEC manager’s fault. From an OPSEC perspective, it was a resounding success.

There will be no spoiler alerts. The movie’s an American classic and it’s over three decades old. If you haven’t see it yet, you really shouldn’t be doing anything else today.

Although the location of the Death Star was known and an attack was expected, the Emperor had a secret: the death star was actually fully operational. His plan was to destroy the unprepared rebel force when they showed up to attack. And much of that fell on our poor OPSEC manager, who was tasked with making sure that secret plan remained a secret. Of the million or so people on the small moon space station, how many could have known that the station was operational? The crews that were on standby to fire it? The technicians that checked out the specs? Everybody with a window when it was tested and confirmed to be operational?

So next time you watch the series, give some thought to those hard working OPSEC managers out there in the far-away, long-ago galaxy. Whether you’re for the Empire or a rebel, you gotta admire their OPSEC game.

Remember: Loose lips destroy starships.

“Criminals don’t wear suits”

Once upon a time, in a land not-so-far-away, a small group of individuals walked to the doors of a multinational corporation, and walked out with millions of dollars worth of company secrets and assets.

Through days of patient research and study, they were well equipped to work their way through the company, obtaining small pieces of information and compiling it into unmitigated access. Could this happen to you?

First, they learned the names of key employees by calling Human Resources and social engineering the information from them. They would have preferred to find a company phone roster in the dumpster, but no one had thrown one away lately. Although the passwords and internal memos that they did find certainly helped cushion the blow.

This company had a very friendly climate, and prided itself on hiring friendly and courteous employees. The friendly employee at the entrance was more than happy to hold the door for one of the individuals when he jogged to catch the closing door. Why not? Criminals don’t wear suits and ties, right? They got inside the moat.

Another friendly employee was more than happy to help out the stressed out intern who lost his access badge on the first day, and just had to get the report to his boss before he gets fired! Why not? Were all on the same team, right?

No matter how strong a castles walls, it does no good once the enemy’s inside.

Inside the secure area, they found a gold mine of unshredded documents both in the trash and piled by the shredder. In a stroke of inspiration, a hastily scrawled note was placed on a busy shredder: Shredder out of order. Put materials in this box to be picked up by security. Also, traditional hacking techniques allowed unrestricted access to key computer systems, which is often superfluous if the password is written down and hidden. (No one would ever know that this is my password, even if they do look in the drawer!)

Lucky for them, the CEO had let them know (through his out of office auto reply) that he would be gone that day. His assistant was very helpful when the new janitor forgot his keys and had to stay on schedule!

Could it get worse than this? It very well could. There’s a good chance that your organization may never suffer a planned, organized intrusion such as this. But basic OPSEC, often at little or no cost to the organization, can help prevent such a disaster. Never forget how important you are!

If it can track a thief…

The Coachella Valley Music and Arts Festival, generally referred to simply as “Coachella” is an annual festival held in Indio, California. People come from all over the country to listen to music on several stages, enjoy art exhibits, camp, and other recreational activities.

During the 2017 event, many festival-goers found that their cell phones were missing. Presumably, they had been stolen. The victims used their “find my phone” function (which are available on iDevices and Android) to locate the devices, eventually centering on attendee Reinaldo De Jesus Henao.

When the police arrived, they searched Henao and found more than 100 phones in his backpack. He was arrested on suspicion of grand theft and possession of stolen property.

This is exactly how the “find my phone” feature is supposed to work. The phones were stolen from the rightful owner, who were then able to locate them using the built-in features. But if those features can be used to track a thief, they may also be used to track you.

Be aware of your phone’s settings and features. Could someone access your Apple or Google account and track you that way? Are your pictures also recording location data? What does your phone tell someone that wants to find you?

 

The Video Clerk

In January of 2006, six terrorists were preparing for the final phase of their plan. Their intent was to storm Fort Dix with automatic rifles, with the goal of killing as many soldiers as possible. They considered the soldiers to be a viable military target, but also planned to kill as many civilians as they could.

In addition to the rifles, they had prepared explosives to target groups of people and vehicles. They had trained on a local paintball range and in the woods around the installation, and they had practiced shooting at targets at a local range. One of them men, whose father owned a pizza parlor nearby, used his pizza delivery job to scout potential targets. They had video surveillance and detailed maps. They had even traveled to other military installations to surveil their next targets. They were prepared.

How did we uncover this insidious terrorist plot? Was it international law enforcement cooperation? An insider? Maybe a paid informant or intercepted communications?

It wasn’t any of those. It was a video clerk.

The terrorists had recorded themselves on VHS video initiating a call to jihad and practicing “military-like” drills. They brought those VHS tapes to a nearby video store to convert to DVDs, which is where the clerk noticed the content. He then called the FBI, who investigated the group and arrested the men.

Not all terrorists are internationally-trained and educated sophisticates. Sometimes, they can be careless or stupid. They can be caught by people like you or me, or by a video clerk.

“I can’t do anything, I’m just a file clerk.”

“I just do badges.”

“I’m only an office worker.”

“I just make copies and burn CDs all day.”

“It’s not my job.”

There are a million excuses. But then again, who knows how many lives that clerk saved when he reported something out of the ordinary? Stay vigilant and contact designated authorities when you see anything unusual, suspicious, or strange.

One person can make a difference. Will that person be you?