DOD: Be wary of social media's 'loose lips'

In an earlier era, “loose lips sink ships” was the military’s warning not to let even small details about military movements and operations slip in casual conversation. In contrast, social media Web sites today thrive on loose lips, making it even tougher to maintain operational security.

The problem is not so much people twittering away secrets as letting slip many smaller pieces of information that an adversary can piece together.

“There’s a tendency to think that if information is not classified, it’s OK to share,” said Jack Kiesler, chief of cyber counter intelligence at the Defense Intelligence Agency, in a presentation last month in Orlando, Fla., at the DODIIS Worldwide Conference for intelligence information systems professionals.

Kiesler and colleague Nick Jensen, an operational security analyst at DIA, gave a presentation titled “How Adversaries Exploit Poor Operational Security."

Operational security refers to the process of denying information to potential adversaries about capabilities or intentions of individuals or organizations by identifying and protecting generally unclassified information on the planning and execution of sensitive activities.

An adversary trying to uncover secrets will start by chipping away at operational security indicators that point them toward a target, Kiesler said. A foreign agent seeking to steal stealth technology might start by trying to identify individuals who are working on the technology, figuring out whom they associate with, following their movements, looking for clues on new research areas and so on.

Much of that information might be available through a professional profile on LinkedIn, for example. Furthermore, participation in online discussion groups or blogs might help foreign intelligence services single out disgruntled military or intelligence agency employees who could be recruited or blackmailed, Kiesler said. Not only are younger employees immersed in the social media culture, but older ones often become participants without understanding their limited control over the information they post online, he added.

Although operational security is supposed to be a standard component of military operations, Kiesler seeks to pursue it in a more disciplined way, with proactive tests of an organization’s operational security. Rather than embarrassing the organizations and individuals who flunk the test, the goal is to educate them, he said.

Jensen presented a fictional scenario that he said was based on those kinds of tests, in which a foreign agent named Jane starts by exploring the membership of a LinkedIn group called Intelligence Professionals.

In Jensen’s scenario, LinkedIn provides a target DIA employee’s basic résumé with a link to his blog. The blog, in turn, has links to other social media sites the person participates in, so the adversary can browse Flickr photos and Twitter messages, continuing to round out the picture. The DIA employee uses the same handle on many Web sites, allowing Jane to search for posts he has made elsewhere. On Slashdot, he mentions something about the Starbucks near his house.

That allows Jane to bump into her target at Starbucks, hack the wireless session he initiates from his iPhone and eventually capture information, including his online banking password. From there, she has many options to monitor his every move, drain his bank account or blackmail him.

Of course, the pull of the online world is not so easily countered. There really is an Intelligence Professionals group on LinkedIn, and Kiesler and Jensen found 163 LinkedIn members who listed DIA as their current employer, including at least one information security analyst based in Washington, D.C.

But Kiesler and Jensen said people can learn to be more circumspect and take precautions such as varying their online signatures rather than using the same user name on multiple Web sites.