I just came back from the Department of Defense Intelligence Information Systems (DoDIIS) conference in Orlando, and one of the more interesting sessions was on "How Adversaries Exploit Poor OPSEC," given by a couple of Defense Intelligence Agency guys. Although the focus was on precautions people in sensitive military and intelligence roles should take, I came away with a lot of food for thought for anyone who has access to any sort of sensitive information -- military, government, corporate, whatever.

I came away with a little DIA pamphlet called "Elicitation: Would You Recognize It" that goes through all sorts of social engineering hacks that an adversary might run on you during a "chance" encounter at the library or the coffee shop to elicit sensitive information in seemingly casual conversation. The danger is not that a DIA professional would blurt out top secret information in such an encounter. Rather, it is that they would violate the "need to know" principle of not giving out any sort of operational information without a good reason. In other words, an adversary who takes a systematic approach may be able to use many small bits of information to piece together a picture of military operations. One person lets slip something about the mission, another says something about who is involved, a third gives a clue about timing. I think the WWII-era motto on the subject was "Loose Lips Sink Ships."

So what are we letting slip in our online existence, in the era of social media, which is all about sharing information with (in many cases) perfect strangers and online personas who may not be who they claim to be?

As part of the presentation, DIA's Nick Jensen, a Cyber Operator / Analyst for OPSEC Operations, ran through a scenario that talked about how easy it would be for an adversary to find a DIA employee on a site such as LinkedIn and start piecing together a picture of who that person is, what his job function is, what his political views are, who he is associated with (online friends or connections), and what his habits are.

LinkedIn provides the basic resume, which may include details on projects and specialties. In Jensen's scenario, a DIA employee also provides a link to his blog. The blog, in turn, has links to all the other social media sites this person participates in -- so pretty soon the adversary is browsing Flickr photos and Twitter status messages, continuing to round out the picture. One of those status messages mentions something about the Starbucks near his house (horrible customer service, but he hangs out there anyway).

That allows the adversary to "bump into" the target at Starbucks, hack the wireless session he initiates on his laptop, and ... well, things go downhill from there.

Despite highlighting this danger (which I also saw mentioned in another DIA pamphlet), the agency apparently doesn't prohibit employees from participating in networks such as LinkedIn and Facebook. It would probably be futile for them to try to do so, given how pervasive use of these social networks has become. In a quick search, I found 163 LinkedIn members who listed DIA as their current place of employment, including 22 people whose profiles included "security" as a keyword, such as one D.C.-based Information Security Analyst.

What DIA tells people is to be conscious of the kind of information they share in such public places (and I will say that the LinkedIn profiles I found were relatively minimal).

Still, the point about the dossier someone can build on you by hopping between multiple social networks and looking at your connections and status information is a sobering one -- particularly given that most commercial organizations probably have given far less guidance on what employees should and shouldn't be posting online.

I'm curious whether anyone outside of the military and intelligence fields is looking at these issues.