# Killing with Keyboards



## George Wallace

Killing with Keyboards

Websites, Blogs and Other Sources of Program Information and Identity Theft


Who?  

This briefing was developed by Raytheon in conjunction with The Boeing Company Future Combat Systems Office of the CIO, for Policy and Standards, who were inspired by a series done up by the National Security Agency’s IOSS www.IOSS.gov (pdf file).



Why?

Increasing your awareness that you really are a potential target, 
remembering that being “clever” in a conversation or email is very likely to fail, 
limiting what you can on the Internet, and encrypting all email and drive storage you are able to –  Really can make the difference!


----------



## George Wallace

We'll start with our main character

Chris 

Husband, father of two, weekend little league coach

He is a talented and dedicated engineer for Bright Company

In the year 2010
  Chris will kill 238 U.S. Soldiers…


…because of a decision he made tonight.


----------



## George Wallace

On rare occasions

At night Chris will log on to
engineering community web sites
and blogs, just to stay current 
with the industry.

Chris works for a defense contractor and has listened to all of the security briefings.  He knows to be careful about what he tells anyone.

Chris never uses his name and rarely posts anything at all.  When he does, he only uses his on-line name.


“EaglesFan54”


----------



## George Wallace

He posts on a site:



> 09/13/2004	EaglesFan54	I know for a fact that WIRENUT207 is dead wrong, but I can’t say how I know.  You really need to go back and get some updated information, but that’s all I can say about it.



The next year he posted:



> 05/11/2005	EaglesFan54	Kyle Boldgers new book “Beyond Advanced Electronics” is by far the best industry book I have read in 10 years.  Everyone should check it out.



Later he posts:



> 02/18/2006	EaglesFan54	I don’t agree at all that the HLT5807 chip is out of favor.  Even the military uses it on their major new programs.


----------



## George Wallace

Meet Alice

She is 16, and for the last two years her government has been teaching her English.

Alice has done well, so eight months ago they started to teach her to use a computer and to search the Internet.

Alice’s favorite English word is _Google_.

Just like every day, Alice is using Google today.  Searching for words and phrases from a list her government gave her.

Alice knows if she works hard for five years and creates lots of files for her government, they will move her family to a nicer apartment and maybe even send her to more school.

Today Alice found Chris.


----------



## George Wallace

This is what Alice found:


----------



## George Wallace

So Alice created a file to collect all related information in:


----------



## George Wallace

The day started great for Chris.

The team he leads hit a major program milestone, and each was given an unexpected performance bonus.  For Chris it was one step closer to his retirement fishing cabin.

And then the day went bad


Yet another half day spent in a quarterly security update briefing.  Chris promised his team he would talk to senior management about not wasting their time on these anymore.

It did give the team an excuse to get some good coffee for a change.

After the briefing his team walked across the parking lot to the new “American Tea” that was just built.  It catered to the large Bright Co. team that worked at their site.

It was a great place to unwind.

The store offered free Wi-Fi (wireless Internet access), 
six free small “quiet rooms” to make phone calls,
and a 15% discount to Bright Company employees (just show your employee badge at the time of purchase).

Chris was still angry about the briefing…


While in line Chris complained to one of his team, “Do they really think a person with a Secret clearance needs to be reminded about this stuff?  And no one goes ‘dumpster-diving’ any more!  These security guys have no clue what they’re talking about.”


----------



## George Wallace

Alice’s progress was slow and steady. 

Her group leader often repeats that the searchers need to be very patient.  It may take weeks to find something important, but each petal helps you identify the flower it came from.

Each piece of the puzzle provides a new search opportunity…


----------



## George Wallace

Alice followed the information from one website to another.

What seemed like unimportant information from one site was the start of the Google search leading to other sites.

Even items which are now deleted from web sites can still be searchable within the Google cache (history).


----------



## George Wallace

The search results produced even more new sources to follow:


----------



## George Wallace

Alice's file is growing:

Chris Raddick
(215) 555-1784 (cell phone?)
c.raddick@brightcompany.com (employer?)

Beth Raddick (wife?)
(215) 555-3159 (home phone?)
bethbear@alltheraddicks.com
alltheraddicks.com (website?)

Kyle Raddick, 16 (son?)
MySpace (blog) website


----------



## George Wallace

Each new site produces more information.

Family and club web sites can be used to find new information or confirm data.


----------



## George Wallace

The information was all there, on sites Chris had never visited or posted information to....


----------



## George Wallace

And eventually Alice was done searching.


It was a great day for Alice.

Her leader rewarded Alice for completing her 200th file.  She was allowed to recommend a family member to join her at school.  Soon Alice would have the honor of teaching her thirteen year old sister all she had learned about computers and Google.


The information about Chris was now available for use as needed…


----------



## George Wallace

In early 2008

Alice’s government became aware that a vulnerability exists in technology which may have been integrated into certain U.S. defense projects.  To benefit from the information, they needed to know for sure.

Later that same year, Chris attended an out-of-town engineering conference for defense and related industries.

Although held at the unclassified level, conference attendance was very restricted.  Every attendee required a government sponsor.

The hotel conference center had guards outside the meeting rooms, and conference badges had to be worn when attending sessions.

Chris sat in the hotel bar.

He was tired after four days of conference

At the other end of the bar Chris noticed a guy wearing an Eagles hat.  He had seen him several times around the hotel in the last several days.  In the restaurant, lobby and elevators.  Chris walked over.

“Eagles! – In this town?”  Chris said.
“I know, I’m getting grief from everyone,” the man replied.
“Not from me. I’m actually a diehard,” Chris said.
“You’re kidding me!”  The man introduced himself as Tom.
“Well that’s definitely worth a beer,”  Tom said smiling.
“Greatly appreciated,” Chris said. “You at the conference?”
Tom nodded. “First week out of my lab in two years.”
Chris grinned. “DOD project?” Chris asked, drinking his beer.
“Sorry, can’t say,” Tom replied. “You know, that always sounds bad no matter how you say it.  Nothing personal.”
Chris smiled. “No problem.  Really, I totally understand.”

Tom insisted on buying dinner.

They talked sports and generally about work, careful not to say too much.

Tom bought a second pitcher of beer, reminding Chris that Tom’s company was more than happy to pay his expense account since he traveled so rarely.

“I was actually hoping to hear if anyone else was thinking of using Clariden’s new Digital Signal Processors,” Tom mentioned casually.  “I hate being the first program to use a new chipset.”
“Don’t worry then,” Chris said, “Army is using them.”
Tom grinned.  “You must be working on that new Army program.”  
“Can’t say,” Chris said smiling, “but you definitely don’t need to worry that your program will be the first military program to use it.”

Dinner was now over

Tom was very pleased that it had gone so smoothly.  He had the confirmation he needed, and would even be able to contact Chris again if need be.

He had told Chris that he had to leave the conference the next morning to catch an early flight.  No risk of having to explain why he was not registered to attend the conference.

Tom never even had to threaten Chris with the picture in his pocket, designed to show Chris how close Tom’s supporters had come to using Chris’ family as “motivation.”


----------



## George Wallace

2009 was a very good year!

For Chris and his family...

Kyle Raddick, Chris and Beth’s oldest son, had joined the Army.  They were very proud of him.  Chris took extra pride in knowing what he contributed to the success of the Army’s new system.


For Alice’s government...


Alice’s government used the information they had developed from Chris about the system vulnerability to trade with another government, who was very interested in using it against the United States.


----------



## George Wallace

In the year 2010

Another 238 U.S. Soldiers were killed.

Chris will lie in bed and watch the news tonight, and worry about the life of his son.

What will you do the next time all of those security warnings seem like they apply only to someone else?


----------



## George Wallace

The information and scenarios in the preceding self-assessment presentation were all true.

The characters and the vulnerability were the only fiction.



QUESTIONS TO ASK YOURSELF

1     *“I am no one they care about?”*   

That may be true for now, but you never know when one on-line posting will bring YOU to their attention.

Chris was just another name in a file until they needed some inside information about his program.  It never occurred to him that an intelligence agency would target him for a piece of information, but they did.


Some things to think about.

Chris had no idea that just confirming that the Clariden DSP chip was in use would be enough to hurt or kill.  But that one small piece of information was the last piece in the puzzle that the enemy was putting together.

While Chris thought he was careful, it is difficult to know exactly what an adversary is looking for, and if what you have may be of benefit.



2     “I don’t have ANY adversaries!”

Feel like all of this “war” and “terrorist” or “adversary” talk is about someone else?

Take a quick look at some other groups that use these exact same on-line information gathering techniques.

Some things to think about.

Former girlfriends, boyfriends, divorced spouses.
Angry neighbors, people you only knew casually. 
Disgruntled co-workers, employees, temporary workers. 

Identity thieves.  (Try a Google search on your name.)
Pedophiles seeking information to convince your children that they should be trusted.

Anyone else who might want a little information about you, even just to know you better than you want them to.



3     “I’m smarter than the enemy!” 

It’s a common feeling.  People interviewed often say they know they are smarter than “some guy who is now just sitting in a cave hiding from us.”

Chris knew he was smarter than any adversary when he used careful expressions like, “I can’t say how I know.”

Some things to think about.

In addition to small radical groups, our adversaries are some of the largest nations in the world, who are willing to spend BILLIONS of dollars to gain an economic advantage.  Information theft is a good investment for them, even if they just trade it for something they want.

Some of the world’s best intelligence agencies are training young people as experts to go and gather information for them.  You are up against the experts!


4     “I don’t post on the Internet” 

Not posting may help you somewhat, but it is just one example of how you can come to the attention of someone with bad intentions.

Another source is unencrypted email messages which are either misrouted, intercepted, or gathered by adversaries on discarded or poorly protected backup tapes.  Stealing backup tapes is a common occurrence.

Some things to think about.

Remember that Chris did not know about all of the information sources that had information about him.  He only thought about the sites he dealt with.  Most of the others you don’t have control over, but you do have control to encrypt email and post as little “account” information as you can on web sites.



5    *“What about the Coffee Shop?”*   

The coffee shop was a reminder that while there are good business reasons to target defense contractors, etc., as customers, those methods are also good ways to gather sensitive information.

Most front businesses will not be called “Terrorist Coffee” so you need to pay attention to the less obvious.

Some things to think about.

Free Internet also provides a way to capture network traffic, including personal email passwords that are often similar to work passwords.  Every puzzle piece helps them.

Free Quiet Rooms encourage “sensitive” conversations in rooms that may have listening devices.

By showing a badge, “bad guys” know any time a facility changes its badge, and when new security like “smart chips” are rolled out.  If they have infiltrated a facility, they know to update their fake badges by the next day.





Now.......... Do you really feel safe after you post on the Internet? 



Don’t feel hopeless

Increasing your awareness that you really are a potential target, 
remembering that being “clever” in a conversation or email is very likely to fail, 
limiting what you can on the Internet, and encrypting all email and drive storage you are able to –  Really can make the difference!


----------



## George Wallace

*Now on to PHISHING your cellphone and WiFi transmissions:*

Thanks to E.R. Campbell for this update:





Any of you who are out there, anywhere, using cell phones and WiFi for anything except the most innocuous purposes need to read this article, reproduced under the Fair Dealing provisions (§29) of the Copyright Act from the _CBC_ web site:
--------------------
 http://www.cbc.ca/technology/story/2008/12/08/f-forbes-phishing.html

 Phishing at gate B22
*Travelers beware: Poorly secured airport Wi-Fi networks are catnip for snoops*

Last Updated: Tuesday, December 9, 2008 | 7:58 AM ET 

By Taylor Buley Forbes.com

Farina booted up his computer on an American Airlines flight in October from New York to San Francisco. It was one of the first commercial flights to offer wireless Internet service. Within a couple minutes of reaching 10,000 feet, Farina was snooping the airwaves with the ability to see what his fellow passengers were doing without having to leave his cramped middle seat.

Farina isn't a bad guy. He was just doing his job as a so-called white-hat hacker for AirTight Networks, a manufacturer of wireless intrusion protection hardware and software that was invented in India and brought to market in the U.S.

AirTight's chief executive, David King, sends hackers out for unsolicited security assessments. Earlier this year he dispatched Farina and a few other of his 100-plus employees (most of whom work out of the company's offices in Pune, India) to collect wireless security data at 20 U.S. airports and eight in Asia.

They found rampant phony Wi-Fi hot spots created by phishers and, at several large airports, plenty of open or insecure networks run by critical operations such as baggage handling and ticketing. Almost all public networks allowed data such as user names and passwords to pass through the air unencrypted. Only 3 per cent of people used something more secure.

To be sure, King's missions are self-serving; he runs a business that sells the devices that plug security holes. But King says that U.S. airports have a genuine problem.

Very few, such as McCarran International in Las Vegas, monitor all wireless traffic for intruders. (The Vegas airport officials are quick to add that they don't censor for content.) Others, like San Francisco International, are laissez-faire. AirTight found that 47 wireless networks used for SFO's airport operations were wide open or poorly secured.

Wireless networks are some of the most easily hacked. Indian terrorists this summer broke into underprotected networks to e-mail a warning prior to bomb blasts in Delhi and Ahmedabad. In August the U.S. Justice Department indicted 11 members of a retail hacking ring, accusing them of grabbing millions of credit and debit card numbers off networks inside stores run by TJX Companies, BJ's Wholesale Club, OfficeMax, Barnes & Noble and Forever 21, among others.

The most common means of protecting Wi-Fi networks, the Wired Equivalent Privacy encryption standard, or WEP, was broken in 2001. Nowadays a moderately skilled hacker needs only a couple of minutes to crack its key with an off-the-shelf wireless card.

In November a pair of German computer science students made a critical first step toward cracking the Wi-Fi Protected Access encryption standard, or WPA, once heralded as the solution to WEP's insecurity.

*Five Public Wi-Fi Do's and Don'ts*

•	Do access the Web using a more secure virtual private network, if your company has one.
•	Do avoid joining networks with enticing names like "Free Public Wi-Fi."
•	Don't leave your laptop radio on when it's not in use.
•	Don't transmit private info on an "http://" connection; make sure you're on an encrypted "https://" page.
•	Don't use POP e-mail software like Outlook. It doesn't encrypt your log-in info. Use secure Web mail instead.

The market for wireless intrusion prevention systems is still small: $168 million US worldwide this year, according to research firm Gartner, but that represents a 40 per cent gain from 2007.

King's AirTight competes with other sellers of Wi-Fi security gear such as AirMagnet and AirDefense, which was recently acquired by Motorola for an undisclosed sum. Publicly traded Aruba Networks and Cisco Systems sell wireless security systems that are already built into their networking gear. Four-year-old AirTight has 600 customers, including Samsung and ICICI Bank, paying between $40,000 and $50,000 a year. The private company in Mountain View, Calif., also licenses its products to hardware makers Siemens and 3Com.

King says that most of his clients are retailers, which are compelled by credit card industry audits to protect the financial data that travel on their networks, but airports are high on his prospect list. He and other security vendors say airports have been slow to harden their airwaves because of cost. It might require $200,000 to cover a place as big as San Francisco International, and the airports lack any mandate from the federal government to take control of the networks run by airlines and the companies that service them.

AirTight's system consists of a $5,000-to-$10,000 central server that can manage a few hundred sensors at a time. The sensors, which look like a home Wi-Fi access point, cost $500 to $1,200 apiece. AirTight's server sends out what the company calls marker packets that identify radios actively connected to the network. Those packets are bounced back to the sensors from any active connection. All unauthorized connections are cut off. The server continues to monitor the airwaves for unauthorized attempts to connect.

McCarran airport is one of those willing to spend money for wireless security. It runs two wireless networks, one for public use and another for airport operations.

"It was our intent to put the passenger in a bubble. He can go out to the Internet, but he can't touch anything on the airport side, and he can't see anyone else who is using the network," says Gerard Hughes, IT service manager at McCarran, which pays Aruba Networks $20,000 a year for software and hardware maintenance.

AirTight's David King will continue to cause headaches for airports with his surreptitious security scans to raise awareness and woo them as customers.

"For any security product, there is this learning curve," he says. "We're somewhere in the getting-past-the-awareness stage."
--------------------

I don’t know what ‘security’ is available for ‘public’ telecomm in e.g. KAF or the FOBs but I suspect/fear that it is about zero. I also suspect that all ‘public’ telecomms in most places where the CF operates and lives are monitored by people who you would rather did not know too much about you and your business.


----------



## George Wallace

Just an update and a few points that some may want to ponder.

It behoves all to be security conscious.  Lapses in security can be found at every level.  Here is a glaring example:


MI6 chief's cover blown by wife's holiday pics on Facebook found on this site:  http://digg.com/tech_news/MI6_chief_s_cover_blown_by_wife_s_holiday_pics_on_Facebook

===================================================================

The Jerusalem Post

MI6 chief's cover blown on Facebook

Personal information about the new MI6 head has been exposed on Facebook in a major security blunder, the Daily Mail reported Sunday. 

Sir John Sawers was set to take over as chief of the Secret Intelligence Service in November, putting him in charge of Britain's espionage operations abroad. 

However, his wife's Facebook entries have exposed potentially compromising details about where they live and work, their friends and where they spend their holidays, said the paper. 

Among the information was the fact that the intelligence chief's brother-in-law is an associate of historian and Holocaust denier David Irving. 

After the Mail informed the Foreign Office of the blunder, all the material was removed from the Internet. 

The British newspaper quoted senior politicians as saying that the security lapse raised serious doubts about Sawers' suitability to head the intelligence service.

More on Link in title.

=====================================================================

From the BBC

New MI6 spymaster named


A Cambridge-educated career spy has been named as the new chief - also known as "C" - of the Secret Intelligence Service, MI6. 
Richard Billing Dearlove, 54, currently the service's assistant chief, succeeds the present "C", Sir David Spedding, when he retires at the end of August. Mr Dearlove is only the second MI6 chief to have his appointment announced publicly. 

The new spymaster was selected from a short-list of candidates drawn from both inside and outside the service. The appointment was made by Foreign Secretary Robin Cook in consultation with the Prime Minister Tony Blair. 

Although Mr Dearlove's appointment was announced, the much-vaunted spirit of greater openness and accountability of the security services did not extend to releasing a photograph of the new chief. 

Classic MI6 background 

An official curriculum vitae was released to the press, however. It shows he comes from the classic security service background of public school followed by Oxbridge - something Robin Cook and Mr Blair have said they are keen to change. 

The short resume reveals Mr Dearlove was born somewhere in Cornwall on 23 January 1945. 

He was educated at the independent fee-paying Monkton Combe School near Bath and in 1962-63 spent a year at Kent School in Connecticut, USA, before going to Queen's College, Cambridge. 

The official biography reveals that he joined MI6 in 1966 as a 21-year-old graduate - signalling that, like more familiar spy names (mostly notorious for having been double agents) Mr Dearlove appears to have been recruited while studying at Cambridge. 

In 1968 he received his first overseas posting to the Kenyan capital, Nairobi. Several postings later, he became head of MI6's Washington station in 1991. 

He returned to the UK in 1993 as director of personnel and administration. The following year he became director of operations and in 1998 he was additionally made assistant chief.

He is married with three grown-up children and was given an OBE in 1984. 

Described as an "all-rounder" in intelligence terms, sources insist he was chosen as the best candidate from those available. His appointment will be seen as a shift of emphasis by the service after Sir David, who was an Arabist from MI6's elite Middle East specialists, dubbed the "camel corps". 

It reflects a new commitment in the post Cold War-era to combating international organised crime as well as MI6's more traditional espionage activities. 

One of the green ink brigade 

As service chief, his pay will be on the same level as a Permanent Secretary which, from 1 April, is between £98,400 to £168,910. 

Like every incumbent since the first chief Captain Sir Mansfield Cumming in 1909, he will be known in Whitehall as "C" and tradition dictates that he writes his memorandums in green ink - something modern folklore holds is a sign of battiness. 

Apart from that, the Foreign Office was giving little away. But the media has succeeded in tracking down his home - a three-storey semi-detached Edwardian house in a leafy residential street in Putney, south west London. 

One neighbour, a middle-aged woman who declined to be named, said Mr Dearlove and his wife had been so secretive, it had become a family joke. 

"It's been a joke with me and my husband, that the man next door was a spy. We've lived here two years and only met them once, we hardly ever see them," she said. 

She added that notes had been posted through neighbours' doors asking them not to speak to reporters if asked about the Dearloves. 

Seven-foot hedge 

Other neighbours, even those living very near to the new chief spy's house - which is hidden from public view by a seven-foot tall hedge - said they either did not know the couple or had never seen them. 

And both his old public school and Queen's College, Cambridge, have apparently been warned not to talk to journalists about their former student. 

"I fear we are not in a position to make any comment about Richard Dearlove at all. I'm sure you understand why," said a spokesman at Monkton Combe School. 

There was a similar line at Queen's where a woman in the Bursar's office said: "I don't think you will find anyone in the college willing to speak about this". 

Kent School in the US initially promised to be more forthcoming. "How exciting," said a woman in the admissions office when told of their former student's new job. 

The alumni office initially offered to help, then said it was temporarily unable to access its records because of a computer error but promised to help once the system was back up. 

Yet by late afternoon, the long arm of the spooks based in MI6's modern gothic headquarters on the Thames appeared to have reached across the Atlantic. "We cannot give out any information about Richard Dearlove. It's confidential," the alumni office had decided.

More on Link in title.

===============================================================================

Whoops- Incoming MI6 chief's wife spills details on Facebook

MI6 chief's cover is blown by wife's holiday snaps on Facebook - Mixx

New MI6 chief's wife blatantly breaches secrecy by posting 'plenty 

MI6 chief's wife posts all on Facebook

Wife of new MI6 chief spills personal details on Facebook - TECH 

MI6 chief blows his cover as wife's Facebook account reveals ...

MI6 chief's Facebook details cut - Worldnews.com

Incoming MI6 chief in Facebook security slip 

As can be seen, even those in the business of Security, at the highest levels, can make slips in judgement.  There are pages of links to this infraction on the internet.  This person's whole life is open to public viewing.



Remember to take SECURITY seriously.


----------



## Edward Campbell

Here, reproduced under the Fair Dealing provisions of the Copyright Act from the _Ottawa Citizen_, is a pertinent article:

http://www.ottawacitizen.com/business/That+Facebook+friend+could+foreign/5715416/story.html 



That Facebook ‘friend’ could be a foreign spy

By Vito Pilieci, The Ottawa Citizen

November 15, 2011

OTTAWA — Hackers are becoming so targeted with their attacks that they are mining Facebook profiles for personal information that could help them steal sensitive data.

Security expert Michel Juneau-Katsuya says a Department of National Defence employee told investigators he received an email from someone pretending to be a co-worker who said he had seen the employee at his daughter’s soccer game over the weekend. The hacker claimed to have been added to the employee’s work team, which was assembling sensitive information, and asked for a copy of the work done so far.

The personal information came from pictures the DND staffer had posted to Facebook. The staffer alerted department officials.

“Breaches will happen because of human beings getting involved somewhere,” said Juneau-Katsuya, chief executive of the Northgate Group security firm and a former senior intelligence officer for the Canadian Security Intelligence Service.

“Whether that’s willingly, unwillingly, consciously or unconsciously. Whether they lost or forgot something or they simply held open the door for somebody. There is a human factor in it.”

Juneau-Katsuya says international espionage is reaching record levels as governments move away from costly military confrontations in favour of electronic attacks and computer data theft — and they are picking on average people to get what they want.

Speaking at the release of the 2011 Telus-Rotman IT Security Study, Juneau-Katsuya said more than 10 times more spy activity goes on today than at the peak of the Cold War.

“All of the spy activities can now be done remotely. It’s less expensive because you don’t have to move your assets abroad,” he said.

The security expert said Canada is increasingly targeted because of its lack of a national cyber-security strategy, coupled with rising information breaches being perpetrated by government insiders.

Its economic health is another factor as cash-strapped nations, and even private investors, try to get any advantage to safeguard their investments. That includes hacking into government servers to determine certain policy directions.

A January 2001 attack on the federal government was aimed at getting information on Saskatchewan’s potash industry. Foreign hackers masqueraded online as an aboriginal group to gain access to the Finance Department and Treasury Board networks. The hackers sent emails to high-ranking department officials containing a link to a webpage infected with a sophisticated virus. It then opened a pathway deep into the government networks and installed spy malware. They also sent infected PDF files that, when opened, unleashed more malicious code to target and download government secrets.

According to the Telus-Rotman study, uneducated employees are to blame for a majority of malicious hacker attacks on organizations. The report said more than 42 per cent of the attacks reported in 2011 are the result of employees opening email attachments infected with a virus.

The report also warns about the way federal public servants handle sensitive data, noting that 34 per cent of all the security breaches reported by government in 2011 were a result of employees losing laptops or mobile devices. The loss rate in the private sector was 30 per cent lower.

As well, the government was warned that a vast majority of its data leaks come from staff members. More than 42 per cent of all data breaches reported from within government were the result of insiders leaking information, a 28-per-cent increase over 2010, according to the report. In the private sector, insiders accounted for 16 per cent of the data lost.

The government’s problems are being compounded by unauthorized access to information by government employees — for example, a nosy employee at Canada Revenue Agency who wants to find out his neighbour’s income — which could arm those employees with sensitive information and make it difficult to determine how various leaks are happening. According to the report, more than 24 per cent of all data breaches reported in 2011 were the result of unauthorized access to information by government employees. In the private sector, unauthorized access to information by employees accounted for 11 per cent of the data breaches reported last year.

Not all of the findings were negative. Government only saw 17 data breaches in 2011, down from 22 in 2010. The private sector reported four data breaches, down from nine last year.

Juneau-Katsuya said governments and private organizations have to keep educating employees about phishing and other common attack methods. If employees don’t understand how dangerous it is to open strange email attachments, they will never be prepared for the next generation of tailored attacks, such as the use of Facebook to find personal information to entice people to send out sensitive files.

“In the last 30 years the policy of the government has been speak no evil, see no evil,” he said. “If you don’t speak about the problem you cannot expect people to start finding solutions for something they don’t know exists.”

The U.S. has allocated $1.1 billion over five years for cyber protection. It also recently announced that Defense Advanced Research Projects Agency (DARPA) has been tapped to begin developing an arsenal of cyber weapons. Britain is to spend $40 billion on cyber warfare and cyber espionage preparedness.

© Copyright (c) The Ottawa Citizen


Let me add some anecdotal evidence.

I am not on Facebook but, apparently, my picture was.

Recently, last month, a friend E-mailed me to tell me that my picture was being used on Facebook by someone who was, pretty clearly, not me. The pictures (there were a few) were ones I had posted on a couple of web sites (not Army.ca) and I had, obviously, thought about the fact that everything on the Internet is public and I saw, and still see, no problems with sharing those pictures.

Someone on Facebook used a few of them, including one or two of my home, on his page.

I contacted Facebook – not as easy as it looks when you are not a registered user – and told them. They, to their credit, got back to me, fairly quickly, to tell me two things:

1. They had asked the user to not misrepresent himself – but they cannot, apparently, *tell* him (I assume it was a man, I may be wrong) to “cease and desist;” and

2. My pictures were, indeed, public, etc.

The Facebook user was, apparently, using a name which had one similarity to mine and suggested that he lived in my apartment but he did not, as far as my friend could determine, use my actual address. In any event he disappeared (disabled his account?) a couple of weeks ago. My friend enlisted a couple of computer savvy friends of hers to dig a bit deeper: the impostor appears to be in the Middle East and was focused on (mainly female) "friends" in Hong Kong and Singapore (two places where I have real friends and contacts).


----------



## GAP

Even here on Army.ca one can build a shallow, but comprehensive composite of an identity based on profiles, commentary and postings.....


----------



## PMedMoe

> The hacker claimed to have been added to the employee’s work team, which was assembling sensitive information, and asked for a copy of the work done so far.



I would have replied, "Come see me at work."

Truthfully, I wouldn't have replied at all.


----------



## Edward Campbell

Given that e.g. the Chinese Embassy have my name, address, phone number, passport number and, and, and ... in fact they even send me a card and an invite for drinks every fall ... I'm not trying to "hide" anything from the best known of the (suspected) _cyber attackers_. I'm not trying to "hide" from anyone - I just don't feel a _need_ to use Facebook. So I was a little bit dismayed to find that I was being used as a _disguise_ by someone else for reasons I do not even pretend to know.


----------



## The Bread Guy

A bit of an update from the University of Haifa:


> Hackers invading databases is just the tip of the iceberg in online terrorist activity: International terrorist organizations have shifted their Internet activity focus to social networks and today a number of Facebook groups are asking users to join and support Hezbollah, Hamas and other armed groups that have been included in the West’s list of declared terror organizations. This has been shown in a new study conducted by Prof. Gabriel Weimann of the University of Haifa. “Today, about 90% of organized terrorism on the Internet is being carried out through the social media. By using these tools, the organizations are able to be active in recruiting new friends without geographical limitations,” says Prof. Weimann.
> 
> Over the past ten years, Prof. Weimann has been conducting a study of encoded and public Internet sites of international terror organizations, groups supporting these organizations, forums, video clips, and whatever information relating to global terrorism is running through the network.
> 
> According to Prof. Weimann, the shift to social media, and especially Facebook and Twitter, has not bypassed the terrorist organizations, who are keenly interested in recruiting new support in the new media’s various arenas - Facebook, chat rooms, YouTube, Myspace, and more. “The social media is enabling the terror organizations to take initiatives by making ‘Friend’ requests, uploading video clips, and the like, and they no longer have to make do with the passive tools available on regular websites,” he notes.
> 
> Facebook’s popularity is being utilized by the terror organizations, and besides recruiting new friends, they use this platform as a resource for gathering intelligence. A statement originating from Lebanon has reported that Hezbollah is searching for material on the Israeli army’s Facebook activity, while many countries such as the USA, Canada and the UK have instructed their soldiers to remove personal information from this network as a precaution in case Al Qaeda is monitoring it. “Facebook has become a great place to obtain intelligence. Many users don’t even bother finding out who they are confirming as ‘Friend’ and to whom they are providing access to a large amount of information on their personal life. The terrorists themselves, in parallel, are able to create false profiles that enable them to get into highly visible groups,” he says ....


U of Haifa info-machine blog, 8 Jan 12

Can't find the study ref'ed in the blog post/news release, but will share when I do.


----------



## The Bread Guy

As promised, here's the paper referred to in the above-mentioned news release - enjoy!


----------



## George Wallace

Some people have been having some *PERSEC* concerns lately.  Perhaps they should be reminded by the points in this topic and that the material that they post on the internet is there forever.  It does not disappear.  People will quote what you say, they may save your post in their files, whole websites are archived on other databases, people print off articles they find of interest, and a whole myriad of other methods are used to retrieve and save information that someone may be looking for.  

Think before you hit that POST button.  Would you say what you intend to post in front of your mother?  If not; perhaps it is a good sign that you should not post it.


----------



## The Bread Guy

E.R. Campbell said:

> Here, reproduced under the Fair Dealing provisions of the Copyright Act from the _Ottawa Citizen_ is a pertinent article:
> 
> 
> 
> *That Facebook ‘friend’ could be a foreign spy*
> 
> By Vito Pilieci, The Ottawa Citizen
> 
> November 15, 2011
> 
> OTTAWA — Hackers are becoming so targeted with their attacks that they are mining Facebook profiles for personal information that could help them steal sensitive data.
> 
> Security expert Michel Juneau-Katsuya says a Department of National Defence employee told investigators he received an email from someone pretending to be a co-worker who said he had seen the employee at his daughter’s soccer game over the weekend. The hacker claimed to have been added to the employee’s work team, which was assembling sensitive information, and asked for a copy of the work done so far ....


Taking this meme a step further ....



> TALIBAN insurgents are posing as "attractive women" on Facebook to befriend coalition soldiers and gather intelligence about operations.
> 
> Australian soldiers are given pre-deployment briefings about enemies creating fake profiles to spy on troops.
> 
> Personnel are also being warned that geo-tagging - a function of many websites that secretly logs the location from where a post is made or a photo is uploaded - is a significant danger.
> 
> Family and friends of soldiers are inadvertently jeopardising missions by sharing confidential information online, the report warns.
> 
> Three Australian soldiers were this month murdered inside their base, allegedly by an Afghan Army trainee.
> 
> The dangers of social media are revealed in a federal government review of social media and defence, which was finalised in March but has not been acted upon, Defence sources say.
> 
> The review found an "overt reliance" on privacy settings had led to "a false sense of security" among personnel.
> 
> The review warns troops to beware of "fake profiles - media personnel and enemies create fake profiles to gather information. For example, the Taliban have used pictures of attractive women as the front of their Facebook profiles and have befriended soldiers."
> 
> Many of the 1577 Defence members surveyed for the review had no awareness of the risk, it said, adding 58 per cent of Defence staff had no social media training.
> 
> Surveyed troops said social media open "a whole can of worms when it comes to operational, personnel and physical security".
> 
> "Many individuals who use social media are extremely trusting," the review said.
> 
> "Most did not recognise that people using fake profiles, perhaps masquerading as school friends, could capture information and movements. Few consider the possibilities of data mining and how patterns of behaviour can be identified over time." ....

Sydney Daily Telegraph, 9 Sept 12


----------



## ModlrMike

In light of recent events, and the directives that followed them, all of us have a responsibility to ensure our social media profiles are secure. To that end, I post the following two articles:

5 Things Sailors Need to Know About Social Media, Phishing, Security


Mark Cuban: The Big Mistake You Don't Know You're Making on Social Media

While Mr Cuban's comments are generally about commerce and employment, they make a good case for the importance of PERSEC.


----------

