DOD: Be wary of social media's 'loose lips'

Even the smallest details shared on social media sites can play a role in security breaches

In an earlier era, “loose lips sink ships” was the military’s warning not to let even small details about military movements and operations slip in casual conversation. In contrast, social media Web sites today thrive on loose lips, making it even tougher to maintain operational security.

The problem is not so much people twittering away secrets as letting slip many smaller pieces of information that an adversary can piece together.

“There’s a tendency to think that if information is not classified, it’s OK to share,” said Jack Kiesler, chief of cyber counter intelligence at the Defense Intelligence Agency, in a presentation last month in Orlando, Fla., at the DODIIS Worldwide Conference for intelligence information systems professionals.

Kiesler and colleague Nick Jensen, an operational security analyst at DIA, gave a presentation titled “How Adversaries Exploit Poor Operational Security.”

Operational security is the process of denying potential adversaries information about the capabilities or intentions of individuals or organizations by identifying and protecting generally unclassified information about the planning and execution of sensitive activities.

An adversary trying to uncover secrets will start by chipping away at operational security indicators that point them toward a target, Kiesler said. A foreign agent seeking to steal stealth technology might start by trying to identify individuals who are working on the technology, figuring out whom they associate with, following their movements, looking for clues on new research areas and so on.

Much of that information might be available through a professional profile on LinkedIn, for example. Furthermore, participation in online discussion groups or blogs might help foreign intelligence services single out disgruntled military or intelligence agency employees who could be recruited or blackmailed, Kiesler said. Not only are younger employees immersed in the social media culture, but older ones often become participants without understanding their limited control over the information they post online, he added.

Although operational security is supposed to be a standard component of military operations, Kiesler seeks to pursue it in a more disciplined way, with proactive tests of an organization’s operational security. Rather than embarrassing the organizations and individuals who flunk the test, the goal is to educate them, he said.

Jensen presented a fictional scenario that he said was based on those kinds of tests, in which a foreign agent named Jane starts by exploring the membership of a LinkedIn group called Intelligence Professionals.

In Jensen’s scenario, LinkedIn provides a target DIA employee’s basic résumé with a link to his blog. The blog, in turn, has links to other social media sites the person participates in, so the adversary can browse Flickr photos and Twitter messages, continuing to round out the picture. The DIA employee uses the same handle on many Web sites, allowing Jane to search for posts he has made elsewhere. On Slashdot, he mentions something about the Starbucks near his house.

That allows Jane to bump into her target at Starbucks, hack the wireless session he initiates from his iPhone and eventually capture information, including his online banking password. From there, she has many options to monitor his every move, drain his bank account or blackmail him.

Of course, the pull of the online world is not so easily countered. There really is an Intelligence Professionals group on LinkedIn, and Kiesler and Jensen found 163 LinkedIn members who listed DIA as their current employer, including at least one information security analyst based in Washington, D.C.

But Kiesler and Jensen said people can learn to be more circumspect and take precautions such as varying their online signatures rather than using the same user name on multiple Web sites.

About the Author

David F. Carr is a special contributor to Defense Systems.


Reader comments

Thu, Jun 25, 2009

M appears to believe what he sees as important is all that is important. This attitude is precisely the dim-witted attitude which fuels the intelligence industry across the world.

Wed, Jun 24, 2009 Brieuc

What bothers me about this is that the folks out there supposedly protecting us, as well as the author, can't even get the terminology right. If you don't understand the terminology, how can you be expected to explain it and have others implement it?

It's "operations security" or OPSEC. Operations security (not operational security) is the process that identifies critical information to determine if friendly actions can be observed by adversary intelligence systems, determines if information obtained by adversaries could be interpreted to be useful to them, and then executes selected measures that eliminate or reduce adversary exploitation of friendly critical information. I strongly recommend that the author and the folks at DIA read Joint Pub 3-13.3 for a better understanding of the topic and issue.

Wed, Jun 24, 2009 Mel Jones Bradenton, FL

Because the Iron Curtain is gone, many uninitiated folks believe that the days of covert spies are a thing of the past. Well, they're not. In fact there is more spying now than ever. I agree with everyone's comments before me on most points made. In my business, countless people sign confidentiality agreements without a clue as to how important it really is. I recently did some research for an upcoming lecture that I will present on computer authentication. Not only did I find, as expected, user names and passwords on Post-it notes under the keyboard, but more illuminating was the amount of confidential information written on scratch paper in the waste basket. In one office I found discarded personnel data printouts recycled as note paper. I mean SSNs, bank account information, family member names and contact information, along with credit card information including the 3-digit security code on the card's back. Of course, I took this information to the senior auditor and that practice is now changed. But how many people before me found such information and sold it for marketing purposes, or worse, identity theft? I cannot be sure, but would bet that these same people are as careless with their own information at home, such as simply tossing credit offers in the trash, or bank statements, or any other personally identifiable information. These are seriously bad habits that must be changed, and they will carry over into the work place, no matter whether they work for a daycare center or NORAD. Just a thought.

Tue, Jun 23, 2009 Charles Utah

This was sent to me by a friend who thought I would get a laugh out of the interesting responses from some people. Makes you wonder where their paycheck comes from. Before I retired I made several trips overseas, and in discussing security practices, many of my hosts (mostly engineers and technicians) were pretty down on the way Americans just tossed stuff in the trash, let the media nose around and print stuff that gives the opposition a step up, and a president who sold sensitive stuff to one of the biggest threats most of them saw. Yes, security gets in the way of a lot of things, especially when people who do not understand the technology or the process make the rules. But without security, many people would not have a job, since the information that is critical to us making and maintaining something would be somewhere else and they would do it cheaper. I was at a company in Sunnyvale, California many years ago. Without having direct access to the plant buildings but just by hanging out in bars, meeting folks in the park, monitoring telephones, watching where folks parked and walked to, a small group identified a building next to us that we thought was not important as being a highly classified program, what they were working on, and as I recall, some more items that were too classified for our briefing (we were only at the secret level after all). Social networks make the prep work for data gathering so much simpler, as many folks forget that spying is not the movies where one guy gets the data; it is many people gathering a lot of information, sifting, gathering more based on the sifting until a pattern develops. Even personalized license plates of the people who worked in the building mentioned were part of the data that led to the identification of what was going on.
As I recall it was a small group of people who were tasked to find out what was going on at the plant that might be interesting, so they had 30000+ people to winnow through to find the ones that were useful. And we did not have the internet system back then like we do now where your laundry is hung out to dry. Americans are overly trusting, lazy, and ignorant when it comes to what other entities want to do - just ask some folks who live closer to threats than we do.

Tue, Jun 23, 2009

Balance is indeed a fundamental concern, and work must certainly "get done," but some of the comments on this article indicate a blithe naivete. When the intelligence operative can identify and establish personal contact with someone in possession of potentially valuable information, he or she has surmounted a difficult obstacle. Of course the target won't be reviewing top secret stuff at Starbucks, but the social environment is a perfect place in which to initiate a personal relationship that a skillful operative may be able to develop into a data source. In fact, if the operative is truly skillful, the target may not even realize that valuable clues are being divulged. Much of the tradecraft of intelligence operatives is seemingly trivial, and it is very valuable to the operative to maintain that profile. This same kind of self-assured know-it-all-ism is what led some people to pooh-pooh the identification of Valerie Plame. But just the knowledge of who she was and where she had worked likely endangered or even condemned some of her sources. The key to security is informed vigilance, and to quote Boorstin, "The greatest obstacle to discovery is not ignorance, it is the illusion of knowledge."
