The OpSec Blog

Security and privacy information and advice at home and abroad.

Archive for February 2011

US Embassy Tripoli Security “…not the best…”


CNN published this story yesterday regarding US Embassy Tripoli’s evacuation.  Acting Chief of Mission Joan Polaschik stated,

“We had not the best security… We don’t have the typical fortress America embassy compound (in Tripoli). In fact we have a group of residential villas…”

These statements are 100% true, but it should be understood that while Diplomatic Security lays out guidelines for embassy construction, we are totally dependent on the host government’s cooperation for security upgrades or new construction. In Libya’s case, new construction was not permitted due to the state of relations between Libya and the United States.  In other cases, new embassy construction may not be possible for other reasons.  In European capitals, buying land for a new embassy compound is often prohibitively expensive.  In others, embassy buildings were given as gifts in safer times and the host government would take it as a major snub if we moved out.  Luckily, these examples tend to be in countries in which we can rely on the host government’s internal security to partially compensate for the lack of physical protection we build into our new embassies.

In countries like Libya in which the host government is uncooperative, DS’s hands are tied.  It’s a no-win situation for us if things start to hit the fan.  We do our best to mitigate the possible threats within the restrictions that come down from the higher-ups and literally hope nothing bad happens.

Written by OSB

27/02/2011 at 11:01

The “Equivalence” Principle


I am sure there is a formal term for the concept I’m going to explain in this post, but I don’t know what it is.  I call it the “equivalence” principle of security, and if you’re designing a technical or physical security system it’s essential that you understand what it entails.

The “Equivalence” principle simply states that each successive level of defense must contain equally resistant components. It makes no sense to install a forced entry ballistic resistant door in a plaster wall (if that were even physically possible).  Your security system must ensure that at each level no component can be identified as the weakest link.

Security engineering is often a delicate balancing act, and obeying this principle in the field is very tough.  If you under-protect something you’ve created a huge vulnerability that your enemy is sure to exploit.  If you overprotect something you’re generally wasting money, and in this new era in which budget concerns are starting to dominate every aspect of what we do, wasting government funds is, in some ways, worse for your career than getting attacked by terrorists.

The equivalence principle also has implications at home.  Don’t spend money on an expensive door lock if you’ve got standard pane glass windows right next to it. Don’t install a safe with a reinforced door in drywall that would allow an attacker to get at the weakly reinforced walls.  Consumers often make these kinds of mistakes due to marketing (which draws focus to a flashy new lock which is subsequently installed on a cheap door) or sticker shock (securing a $500 bike with a $5 padlock and chain).  If you want to protect your personal property, make sure you look at the entire picture and not what the advertisement tells you.  No one component will make a system secure.

As a physical security best practice, equivalence is fairly easy.  You build the walls to spec and install the proper doors and windows and you’ve done the best you can.  Necessities like compound access control (CAC) facilities are a little more difficult, but since we learned the importance of mantraps after the Jeddah attack our embassies’ perimeters have gotten much harder to breach.  The hardlines are similarly secure; to my knowledge a modern embassy hasn’t ever been breached by a hostile mob, and the perimeter defenses usually don’t even let it get to that point.

The technical side is much more difficult.  Since the details of our technical defenses are sensitive if not outright classified I won’t be able to get into them here.  I can, however, tell you the main reason they fail:  embassy employees.  I’ll probably be saying this a lot during the time I maintain this site, but users are the bane of any security system because security is an inconvenience. If the Ambassador insists on using Skype to video chat in his or her office there’s very little anyone can or will do about it. If a Political officer decides to do official government business on an iPad (an unapproved device) it’s highly unlikely they’ll get the security violation they deserve.  Such is life as a security professional.

What is OpSec?


OpSec, or “Operational Security,” is a broad term defined loosely as a series of actions undertaken as a method of masking your whereabouts, mission, or purpose. Since this term tends to be a bit foreign to those outside of the military (and even to some within), I’ll try to illustrate it with some examples.

The majority of Foreign Service employees practice operational security mostly as a matter of personal safety.  While serving in countries in which crime or terrorism is a significant threat, operational security issues regarding personal safety are emphasized during an in-brief upon arrival at post by the Regional Security Officer (RSO).  Good OpSec practices overseas in the Foreign Service are typically varying one’s routes (both in geography and time) to work, not frequenting the same haunts, avoiding areas deemed unsafe by the Regional Security office, avoiding large crowds, etc.  By now it is well known that American diplomats are surveilled and targeted abroad.  By avoiding routines, Foreign Service employees reduce the odds of an attacker being able to prepare an ambush in the correct location.

OpSec is also important on the information side.  Foreign Service employees all have Top Secret security clearances as a requirement for their position; a fact that is listed on the State Department’s career pages.  In countries in which foreign intelligence services are known to operate and actively target Americans (read: most of the countries in the world), something as simple as mentioning you’re an American and work at the Embassy can raise your profile as someone worth more attention.  When I’m at a bar or making a new acquaintance, I always respond to the obligatory “what do you do?” question with something vague and boring;  “I do project management,” or “I’m sent around the region to manage infrastructure projects.”  Key words I avoid include, but are not limited to, “security”, “electronics”, “information technology”, and “technical.”  The fact is that security professionals throw up an instant red flag even with the good guys (Are they investigating me?).  Volunteering you work on security in a foreign country also leads to further questioning, which is a situation I really don’t want to be in. They don’t need to know what I do, and odds are I don’t need to know what they do either.

Social media presents a huge threat to operational security, as evinced in high-profile incidents like the head of MI6 being outed on Facebook.  The proliferation of mobile GPS receivers in smartphones and the rise of Twitter and its geolocation services has implications for American diplomats as well as people back in the States.  Frequent geo-located tweets make the job of building your profile that much easier, as it gives away the shops you frequent, what you are doing/did at a certain location, and who you might be with at a certain place with an accuracy of about 3 meters.  Domestically, if you tweet that you’ve gone to pick up the kids from school and will be back in an hour, that’s an hour-long window in which your house can be broken into and robbed.  Even without geolocation, posts on Facebook “via iPhone” or “via Blackberry” can indicate you are in a vulnerable spot, or give away where you aren’t.  Overseas you do not want to give away any more information than you have to on social networks (and never mind that your name and profiles are probably viewable to a lot more people than you think).

Practicing good OpSec is difficult. The list of blunders is long and the agencies affected are many.  Before (and during) any major military effort by the Department of Defense, pizza shops near the Pentagon are flooded with late-night orders.  A Congressman tweeted about a secret trip to Iraq… as he was arriving.  OpSec is often one of the most overlooked aspects of privacy, security, and safety, especially (and sadly) in the US diplomatic community.  Diligence and careful consideration are the keys to practicing good OpSec. The next time you go on a vacation, consider having a neighbor pick up your newspapers and mail for you.  For those Foreign Service employees currently abroad, consider some of the examples and advice in this post and think about how you can improve.

Got any OpSec suggestions or best practices?  I’d love to hear about them.  Drop me an e-mail or leave a comment.

5 Reasons Passwords Are Indispensable


Recently I gave 5 Reasons Why Passwords Don’t Work as a good security method.  As promised, here are 5 Reasons Passwords Are Indispensable in modern security systems.

1. Passwords are an authentication method users are comfortable with. The process of selecting and entering a password is a much less invasive authentication method than something like an iris scan.  If a user is comfortable with the operation of a system, they are much more likely to use it properly and effectively.

2. Good passwords are hard to crack. Yes, I know that’s somewhat circular, but the basic point is that if passwords are of sufficient complexity, a more technical (and usually much more difficult) method of attack is required.  The casual hacker using a brute-force dictionary password cracking tool will be stopped with a simple, memorable passphrase like “I am 44 years old.” (Notice how this contains special characters (a space and a period), numbers, upper and lower case letters, and 18 characters in total… long enough to meet most requirements.)

3. Passwords are cheap (free, usually).  Other than the occasional keypad they don’t require specialized equipment: no RFID tags or sensors, fingerprint readers, retina scanners, or guards stationed in your work area to check your ID card.  You can also generate a lot of passwords in a very short time for little additional cost (although as mentioned before, this can be an issue if you require so many passwords that users start to forget them).

4. Passwords are adaptable.  From mobile phones to mainframes to ATMs, passwords can be implemented on all shapes and sizes of devices.

5. Password security is easily enforceable.  All it takes to forbid the use of “password1” as a password is a simple blacklist.  Rules dictating password complexity, length*, special characters, case, and frequency of change are all standard best practices for password security.
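The enforcement described in item 5 can be sketched as a small policy checker. This is an added example, not code from the original post; the minimum length, the requirement for all four character classes, and the short blacklist are assumptions chosen for illustration. The blacklist lookup folds case, trailing digits and common character substitutions so that variants of a banned password are caught as well.

```python
import string
import unicodedata

# Constructed sample blacklist; a real deployment would load a much longer list.
BLACKLIST = {"password", "password1", "letmein", "qwerty", "123456"}

# Common character substitutions undone before the blacklist lookup.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "l", "!": "i",
                      "3": "e", "$": "s", "5": "s", "7": "t"})

MIN_LENGTH = 12  # assumed policy value, not taken from the post


def canonical(password):
    """Fold case, drop trailing digits/punctuation, undo substitutions."""
    folded = unicodedata.normalize("NFKC", password).casefold()
    # Keep the folded form if stripping would leave nothing (e.g. "123456").
    stem = folded.rstrip(string.digits + string.punctuation) or folded
    return stem.translate(LEET)


# Blacklist entries are stored in the same canonical form as candidates.
CANONICAL_BLACKLIST = {canonical(entry) for entry in BLACKLIST}


def check_password(password):
    """Return a list of policy violations; an empty list means accepted."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("too_short")
    if not any(c.islower() for c in password):
        violations.append("no_lower")
    if not any(c.isupper() for c in password):
        violations.append("no_upper")
    if not any(c.isdigit() for c in password):
        violations.append("no_digit")
    # Anything that is not a letter or digit counts as special,
    # including the space, as in the passphrase from item 2.
    if not any(not c.isalnum() for c in password):
        violations.append("no_special")
    if canonical(password) in CANONICAL_BLACKLIST:
        violations.append("blacklisted")
    return violations


if __name__ == "__main__":
    for candidate in ("I am 44 years old.", "password1", "P@ssw0rd2011"):
        print(repr(candidate), check_password(candidate) or "accepted")
```

The last candidate satisfies every length and complexity rule and is rejected only by the blacklist, which is why the two kinds of rule are used together.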

The advantages and disadvantages of passwords have been debated ever since they gained primacy as a way of authentication.  Recently it has become affordable and easier to provide alternative means of authentication in addition to a password, but it has yet to really take off in the consumer market.  In a future post I’ll explain multi-factor authentication, how it’s implemented, and some reasons why that’s not always ideal either.

*Minimum password length can create funny and awkward situations.  In college I heard (numerous times) a joke in which one of my nerdy, anti-social colleagues would attempt to set his password to “penis.”  The authentication server would inevitably inform him that his password was too short.

Written by OSB

19/02/2011 at 22:42

Wi-Fi Hacking


An article was published on Wednesday about Wi-Fi “hacking” in the New York Times, “New Hacking Tools Pose Bigger Threats To Wi-Fi Users”. Never mind that none of the software tools mentioned in the article, like Firesheep (October 2010), Gerix Wifi Cracker (June 2009), Aircrack-ng (July 2009), or Wifite (September 2010), are “new” and that several of them don’t do any active “hacking”: the article is good in that it brings to a popular audience some of the major drawbacks of using Wi-Fi, often referred to as “wireless”, technologies.

When you plug your ethernet cable into your ethernet jack on your computer, your “link” to the outside world and any potential eavesdroppers is (for the purposes of this discussion) localized to a very small volume around that cable. Data has a discrete path to and from your machine. In a wireless system operating at radio frequencies (RF), the link is the free space between you and the wireless access point. This makes it easy for an eavesdropper to insert themselves in the area in which you are exchanging data with the access point, because RF waves are not localized like signals in an ethernet cable. The defensive mechanism in a cable is limiting physical access. For a wireless system, a different defensive mechanism is required.

Enter encryption. Encryption scrambles your data in a unique way such that only your machine and whatever service you’re interacting with on the other end can read the data. Unfortunately the website must offer the option in the form of SSL or TLS to encrypt your session and protect your credentials. When a URL starts with https, you can be reasonably assured your credentials are safe (note that anyone concurrently on the same network as you will still be able to capture the data you’re sending via the access point; this is why you’re not necessarily safe even if the public WiFi network you’re on is protected by a password when logging into unprotected websites).

Firesheep is technically a packet sniffer. It has no capacity to actively try to “guess” or “crack” your password; it just monitors traffic and captures unencrypted session cookies (small bits of text that contain details about the session… like your login credentials) for use on the machine with Firesheep installed. So if you log into Facebook via the unencrypted login page, Firesheep grabs that bit of text and passes it to Firefox on my machine, allowing me to log into your Facebook account. If you used the encrypted login portal, your session cookie would be encrypted and unreadable by me.

How can I protect myself? The best mitigation strategy in this situation is to never pass login credentials over wireless networks on which you do not control who has access. Starbucks, McDonald’s, Boingo hotspots in the airport… if there’s a bunch of people you don’t know connecting to the same access point you are, don’t connect in the first place. If you simply must connect to an unprotected hotspot, don’t pass login credentials to sites whose addresses do not begin with https. A login site with only the http prefix should automatically be avoided. The article also lists subscribing to a Virtual Private Network (VPN), which usually provides automatic end-to-end encryption. I think that’s a bit of overkill for the less technically adept; smart browsing habits are free and always at your disposal.
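A site operator or tester can check which session cookies would be readable by a passive sniffer of the kind described above by auditing the `Set-Cookie` headers the site returns. This is an added example, not part of the original post; the host names, cookie names and the name-matching heuristic are constructed assumptions. It goes one step beyond the text: a cookie set over https without the `Secure` attribute is still sent by the browser on any later plain-http request to the same site.

```python
from urllib.parse import urlsplit

# Constructed sample: (URL that was requested, Set-Cookie header value returned).
SAMPLE_RESPONSES = [
    ("http://social.example/login", "session_id=abc123; Path=/; HttpOnly"),
    ("https://mail.example/login", "SID=9f8e7d; Path=/; Secure; HttpOnly"),
    ("https://shop.example/login", "auth_token=77aa; Path=/"),
    ("https://shop.example/login", "lang=en; Path=/"),
]

# Assumed heuristic for which cookie names carry a login session.
SESSION_HINTS = ("sess", "sid", "auth", "token")


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attribute dict)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            # Attribute names are case-insensitive; flags have no value.
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def looks_like_session(name):
    """True if the cookie name matches one of the assumed session hints."""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_HINTS)


def audit(responses):
    """Return (host, cookie name, reason) for each exposed session cookie."""
    findings = []
    for url, header in responses:
        name, _value, attrs = parse_set_cookie(header)
        if not looks_like_session(name):
            continue
        parts = urlsplit(url)
        if parts.scheme != "https":
            # Sent in cleartext: visible to anyone on the same network.
            findings.append((parts.hostname, name, "set over plain http"))
        elif "secure" not in attrs:
            # Encrypted now, but the browser will also send it over http.
            findings.append((parts.hostname, name,
                             "https but no Secure attribute"))
    return findings


if __name__ == "__main__":
    for host, name, reason in audit(SAMPLE_RESPONSES):
        print(f"{host}: cookie {name!r} exposed ({reason})")
```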

Tip: Replace your old, unsecured “http” bookmarks with their “https” equivalents. Below are some common websites with their “https” login portal.

Find any major websites that don’t offer an https login option, or have a site you’d like added to the list?  Leave it in a comment.

Written by OSB

19/02/2011 at 20:02

5 Reasons Why Passwords Don’t Work


Passwords have become ubiquitous.  We can’t get away from them, as security systems have come to depend on them as an authentication/access control method.  However, the password system is an exceedingly poor method of securing anything.  Here are five reasons why passwords are a poor security method.

1. Good passwords are hard to remember. It’s a simple fact that the canonical “password” password is a lot easier to remember than “X8!^djDm=§”.  At the end of 2009, Twitter released a list of 370 passwords they had banned from use in their service due to commonality.  Are any of your passwords listed?

Furthermore, the most common effort to remedy this problem creates further disincentive to make good passwords.  You’ve probably dealt with the frustration of inane password requirements like a certain number of upper case characters or special symbols. Policies like these frustrate users and lead to other problems like those below.

(Here’s another list of commonly used passwords.)

2. Passwords get reused. How many unique passwords do you have?  If 100% of your daily passwords are unique, you are certainly in the minority.  When people start re-using passwords and e-mail addresses for more critical things like banking and e-mail, this presents a real problem.

3. Passwords are too easy to bypass. No, I’m not talking about the type of “hacking” incident that lives in the public mind, but rather the mundane features in practically every software application that do an interloper’s work for them.  Every major browser offers some sort of password “autofill” feature.  Nearly every website offers cookies that save you the trouble of providing your login credentials every time you want to access that site’s content.  Yahoo’s “Keep me signed in” option, for example, keeps your account logged in for two weeks!

[Image caption: Yahoo’s “Keep Me Signed In” keeps your machine logged into your account for 14 days.]

4. Good passwords get written down and stored in the clear. Part of my job involves going through an office space and inspecting work areas for information that could be used to compromise our networks.  Passwords get written down and “hidden” to every extent possible.  Post-it notes under the keyboard, out of place newspaper clippings containing the password in question, and my favorite: a password written in such a way that it could only be seen from an extreme off-center angle, kind of like the skull in Hans Holbein’s “The Ambassadors.”

5. Passwords are easily forgotten. This basic fact leads to several problems.  On the business side, this leads to a loss in productivity.  Not only is the user unable to access essential resources, it also demands further resources of the IT person charged with resetting the password.  Large corporations often have dedicated extensions for password resets.  For an average user, a forgotten password often leads to a series of security questions that are often incredibly easy to guess or find out through social networks.

None of the reasons above change the reality that passwords are here to stay.  Hopefully you have avoided the bad habits listed above.  Next time I’ll take the opposite side and give 5 reasons why passwords are indispensable.

Written by OSB

17/02/2011 at 21:55

Posted in Security


Detect, Defend, Deter: Diplomacy From The Bleeding Edge


The US Department of State has the hefty responsibility of advocating for and protecting American citizens and interests abroad.  From the Harry S. Truman building in the heart of Foggy Bottom to Embassy Ulaanbaatar, over 11,000 Foreign Service, 8,000 Civil Service, and 30,000 Locally Employed Staff (LES) work to advance the goals of the mission.  This small cross section of the population tackles some of the world’s most pressing issues through the age-old craft of diplomacy.  They spend years away from their families and the conveniences of modern America.  They repeatedly come under fire from Congressional spendthrifts who expect more to be done with less.  The men and women of the State Department do this largely without any desire for recognition or public adulation.

Diplomacy in the modern age moves at a breathtaking pace.  The speed of technological development and its impact on culture, economics, and politics is accelerating to this day.  The State Department is caught in the bind between the competing interests of maintaining the necessary open posture to successfully conduct its business while assuring it can do so in a safe physical and technical environment.

The Bureau of Diplomatic Security employs approximately 180 Security Engineering Officers (SEO), 120 STS (Security Technical Specialists), 100 Diplomatic Couriers (DC), and over 2000 Special Agents (SA) that protect American diplomats and national security information abroad.  It is this small group of professionals that ensures that the American diplomatic corps remains safe as they carry out their critical mission.

What is the purpose of this blog?

This blog aims to educate the readership on topics of personal security and privacy through the eyes of someone who deals with such issues on a daily basis.  The author is an SEO.  The views expressed in this blog are solely those of the author, and should not be misconstrued as the official views of the Department of State, the Bureau of Diplomatic Security, or the United States Government. My goal is to get people to start thinking about their actions and their consequences.  Whether you live online, in the US, or overseas, I’ll do my best to keep it interesting.  If you have a relevant question you want answered, e-mail me and I’ll consider it for a future article.

What is not the purpose of this blog?

While SEOs are members of the US Foreign Service, you will not find personal anecdotes about sitting on the register, advice for passing the Board of Examiners/FSOT/Oral Assessment (and yes, I’ve done all three.  The FSOT/FSOA process is really not as difficult as certain people make it out to be), or how great this job is.  You will not find commentary on US Government policy unless it has direct implications to personal security or privacy.  You will not get updates on how my dog’s last vet appointment went.  You will not be updated on my or my family’s personal life aside from the occasional personal security or privacy issue I might use as an example to illustrate a point.  Last but not least, you will not get any smokescreening, personal agendas, dishonesty, or paper tigers.  You are free and encouraged to question, refute, disagree, or disprove my positions on the various topics that may appear in a courteous manner.