OPSEC & Social Network Sites

OPSEC

An investigator can use LinkedIn, Facebook, and other sites to build a profile of someone’s personal and work life, but like so many things in life, this is both good and bad. What might happen if it is done to your business’s employees? How might this hurt your company? Most businesses do not think about this and if they do, they usually consider key executives to be most at risk. This is entirely wrong!

Operational security (OPSEC) is the lens through which to view this risk. View each employee in terms of what he knows and to what he has access. This will change your entire outlook.

The janitor has keys and is in the building alone. Security guards possess sensitive information. The secretary to the VP of Marketing knows when you will launch a new product. Are you starting to get the picture? This leaves the problem of how to analyse the content of sites like LinkedIn and Facebook.

Facebook

For example, Facebook identifies your friends and family, and where they live. It knows your likes and dislikes. It knows your travel destinations. It knows posting habits and posts to which you will respond. All of this creates an OPSEC nightmare.

The Wolfram Alpha Facebook Report lets you see what information Facebook knows about you and your friends. It yields easy-to-understand charts, tables, and graphs in a personalized report.

This needs the account holder to log into Facebook before it will run, however, this will not stop an industrial spy, foreign agent, gangster, or terrorist. In certain dark corners of the Internet, hacking a social media account will cost about $350. Changing the privacy settings is a meagre deterrent. With the hacked account and the Wolfram Alpha Facebook Report, the crook or spy has everything he needs to plan the compromise of an employee.

LinkedIn & Spies

Using LinkedIn, researchers found the personal details of 27,000 intelligence officers that the researchers say are working on surveillance programs. They compiled the records into the ICWatch database, which is searchable by company, title, name, and location.

What might a skilled researcher find regarding your employees?

Solutions

The biggest part of dealing with this OPSEC risk is recognising that it exists. The rest of the solution involves a combination of strict social media policies, non-disclosure agreements, conditions of employment, and employment contracts coupled with employee indoctrination and training.

Chrome is Listening

So you want to use Chrome as your browser. Are you aware that it has recently been reported that a Chrome Bug Allows Sites to Listen to Your Private Conversations?

The best way to avoid this threat is as follows:

  • Go to chrome://settings/content
  • Scroll down to Media
  • Select “Do not allow any sites to access my camera and microphone.

This will disable Google’s Conversational Search, etc. but security will be increased.

I never liked the way Chrome ‘phoned home’ to Google with user tracking, bug tracking etc. I have also found extensions that had malware-filled updates. However, it is faster than Firefox, which over the course of a research project may save hours of extra time. I resisted using Chrome due to security & privacy issues.

I now use is Comodo Dragon, which is based on the open-source Chrome browser, however, it is more private and secure if used properly. I disable the camera & mic as SOP, so I haven’t investigated how Dragon responds to this exploit. The setting change that I outlined was in reference to the actual Chrome browser and this particular exploit, there may be more that I don’t know about.

I am very careful about exposing myself to the internet. My outward-facing computers don’t have cameras or mics to entirely circumvent malicious software like this and the likes of Finspy.

Getting Out of Google

Google and other search engines are wonderful things for gathering information, we all know that, but what if people with evil intent are gathering information about you?

Getting out of Street View

Google Street View provides a great deal of data that can be used to plan an attack on a facility, a person, or to conduct a kidnapping. Google offers an easy, free, and effective way to restrict access to this data.

At a client’s home, I found that his car licence plate was legible. This usually occurs when the car is parked inside a garage or car port. At the client’s workplace, several security measures were clearly visible as were other features of the facility that raised concerns.

Google’s solution is to place an opaque digital wall around your house or facility. To get out of Google Street View, first search for the street address. Once the property is visible, you will find a small box at the bottom right of the image that says “Report a problem”. Click on this to select a reason for blurring the image of the property. I usually select Other: This image presents security concerns. Add some discriptive data to help Google identify the property and complete the CAPTCHA (an acronym for “Completely Automated Public Turing test to tell Computers and Humans Apart”) thing that takes me several tries to get right. In 2 or 3 days a blurred wall should appear around the property.

What’s in an Employee Number

I was reviewing a stalled investigation into an apparent corporate fraud when I noticed something interesting. A surveillance photograph was in the paper file — you don’t see many real surveilance photographs any more, just muddy images taken from video.

This particular photo was so clear and detailed that I had to talk to the investigator who took it. It was taken with a long lens mounted on a camera with a 22 mp full-frame CMOS sensor. The investigator directed me to the server and directory that contained over one hundred images along with video taken using the same camera. All of this data was summarised in two paragraphs in the investigation report. This proved unfortunate, as this fine work happened early in the investigation. The investigator wrote a detailed report that someone summarised without including a proper citation. The person who did this failed to recognise that the problem had been solved. Over one year later I was hired to solve this difficult and persistent problem.

The surveillance picture clearly showed an employee pass card. The pass card clearly showed the name of the security system vendor, employee name, employee picture, and worst of all, the employee number. The employee number was the defacto authentication required for gaining information the crooks needed. During social engineering the crooks were challenged and asked for their employee number. When they provided the number the information flood gates opened.

Further investigation revealed that a fake employee pass card was made and used to gain access to the facility. The card didn’t have any electronic component, but the crook was wearing a authentic-looking employee card just like everybody else, and that was enough for him to repeatedly gain the access he needed. He just walked throughout he front door at the right time of day and followed the real employees to the department where he committed his crime, over and over again.

Once captured, this crook freely admitted that he got everything he needed from the passcards that employees wore prominently around their necks. He copied it from pictures he took, just like the first investigator did.

Asymmetric Warfare & Business Continuity

In a previous article, I wrote about a system that created a single point of failure. In a strategic sense, computers and IT as a whole have become a single point of failure in both government and industry.

Chinese military leaders call automation the great equalizer, since its enemies heavily depend upon computers. An effective attack upon their enemy’s IT infrastructure provides an immediate and disproportionate impact which is the core concept of asymmetric warfare.

This asymmetry benefits the attacker, regardless of his motives or methods.

The Olde Ways

I was summoned to a meeting with a client. The client firm is over a century old. This successful firm has learned a thing or two about security.

I was asked to surrender my electronic gadgets. Being of the old school, I had none. This pleased the gatekeeper. I was led to a room furnished with only a curious table and four old wooden bankers chairs. No telephone, no electrical outlets, one florescent light fixture above the table.  The gatekeeper had to unlock the room. She then waited at the open door until my contact arrived.

My contact enters and places pieces of chalk and a chalkboard eraser on the the table. Most of the table top is painted with chalkboard paint.

We eventually compose a handwritten Memorandum of Agreement regarding the engagement, sign it, and off we go.

These people understand the rules, especially Rule #1 — If you don’t want it overheard, don’t say it. But I must admit, I have never seen a “Magic Slate” table before.

Corporate blogging passed off as independent newsgathering

Masquerading as an independent blogger might seem like an easy way to gather some intel, at least until you are exposed as this guy was.

Corporate Blogger, or Corporate Espionage?

Doug Cantwell, a Boeing spokesman who attended a recent industry symposium as an “independent blogger.” By passing himself off as a blogger — and not as a Boeing employee — Cantwell stirred up a controversy that could have serious implications for both companies that want to experiment with social media — and for reporters who work in the new medium.

your job will be much harder when you have to persuade someone that, yes, your blog  is a legitimate, independent news outlet and no, you’re not masquerading as a reporter for the purposes of collecting intel, corporate or otherwise.

when traditional journalism jobs — particularly in newspapers — are rapidly disappearing. A venture like Defensedialogue.com, it seems, opens the door to more cynical operators who are willing to blur the lines between journalism and other lines of business.

China’s Espionage and Cyber Attack Strategy

An excellent article about the “recent discovery of Chinese cyber warfare attacks on foreign computers, on communication computers of visiting dignitaries, and espionage activities to assist a friendly country is building weapons of mass destruction (WMDI)” entitled China’s Silent Warfare at BLOg Source INTelligence reveals a lot about China’s espionage and cyber attack strategy.

Industrial Espionage News

Bad Times Can Make Firms Vulnerable to Espionage

Corporate espionage is always a threat, but when the economy is sour the temptation is greater and finding broke or disgruntled employees is easier.

Stamping out data leakage & industrial espionage during a recession

How the recession is impacting IT security and top tips to ring fence your data to minimise risk.

British pair charged in ‘industrial espionage’ row

Two Wyko engineers are alleged to have used a mobile telephone to photograph a secret piece of equipment at an American factory

Mobile Phones & Tin Foil Hats

Under certain circumstances, if you lose sight of your mobile telephone, then you may reasonably assume it has been compromised. These circumstances are more common than you might think. Here are two cases of this that I have encountered over the last year or so.

Read more

Data Slurping

An excellent article at Sharp Ideas about software called Slurp that turns an I-pod into a covert data theft device.

An unauthorized visitor shows up after work hours disguised as a janitor and carrying an iPod…He walks from computer to computer and “slurps” up all of the Microsoft Office files from each system. Within an hour he has acquired 20,000 files from over a dozen workstations…

Ex-Intel worker accused of IP theft

A former engineer at chip maker Intel Corp., Biswahoman Pani, has been charged with stealing trade secrets after taking a new job at rival Advanced Micro Devices Inc..  More than 100 pages of sensitive Intel documents, as well as 19 computer-aided-design drawings, were found in a search of Pani’s house conducted on July 1.

He began working for AMD eight days before his employment at Intel ended. Pani still had access to Intel’s computer network. Russell said Pani used this access to collect sensitive documents that might have provided valuable competitive intelligence for his new employer.

“…there is no evidence AMD knew of Pani’s actions or encouraged them. Neither is there evidence that AMD ever received the confidential Intel files.”

You can read the entire article at The Boston Globe.