The OpSec Blog

Security and privacy information and advice at home and abroad.

Archive for February 2011

US Embassy Tripoli Security “…not the best…”

CNN published this story yesterday regarding US Embassy Tripoli’s evacuation.  Acting Chief of Mission Joan Polaschik stated,

“We had not the best security… We don’t have the typical fortress America embassy compound (in Tripoli). In fact we have a group of residential villas…”

These statements are 100% true, but it should be understood that while Diplomatic Security lays out guidelines for embassy construction, we are totally dependent on the host government’s cooperation for security upgrades or new construction. In Libya’s case, new construction was not permitted due to the state of relations between Libya and the United States.  In other cases, new embassy construction may not be possible for other reasons.  In European capitals, buying land for a new embassy compound is often prohibitively expensive.  In others, embassy buildings were given as gifts in safer times and the host government would take it as a major snub if we moved out.  Luckily, these examples tend to be in countries in which we can rely on the host government’s internal security to partially compensate for the lack of physical protection we build into our new embassies.

In countries like Libya in which the host government is uncooperative, DS’s hands are tied.  It’s a no-win situation for us if things start to hit the fan.  We do our best to mitigate the possible threats within the restrictions that come down from the higher-ups and literally hope nothing bad happens.

Written by OSB

27/02/2011 at 11:01

The “Equivalence” Principle

I am sure there is a formal term for the concept I’m going to explain in this post, but I don’t know what it is.  I call it the “equivalence” principle of security, and if you’re designing a technical or physical security system it’s essential that you understand what it entails.

The “Equivalence” principle simply states that each successive level of defense must contain equally resistant components. It makes no sense to install a forced-entry/ballistic-resistant door in a plaster wall (if that were even physically possible). Your security system must ensure that at each level no component can be identified as the weakest link.

Security engineering is often a delicate balancing act, and obeying this principle in the field is very tough.  If you under-protect something you’ve created a huge vulnerability that your enemy is sure to exploit.  If you overprotect something you’re generally wasting money, and in this new era in which budget concerns are starting to dominate every aspect of what we do, wasting government funds is, in some ways, worse for your career than getting attacked by terrorists.

The equivalence principle also has implications at home.  Don’t spend money on an expensive door lock if you’ve got standard pane glass windows right next to it. Don’t install a safe with a reinforced door in drywall that would allow an attacker to get at the weakly reinforced walls.  Consumers often make these kinds of mistakes due to marketing (which draws focus to a flashy new lock which is subsequently installed on a cheap door) or sticker shock (securing a $500 bike with a $5 padlock and chain).  If you want to protect your personal property, make sure you look at the entire picture and not what the advertisement tells you.  No one component will make a system secure.

As a physical security best practice, equivalence is fairly easy. You build the walls to spec and install the proper doors and windows and you’ve done the best you can. Necessities like compound access control (CAC) facilities are a little more difficult, but since we learned the importance of mantraps from the Jeddah attack, our embassies’ perimeters have gotten much harder to breach. The hardlines are similarly secure; to my knowledge a modern embassy has never been breached by a hostile mob, and the perimeter defenses usually don’t even let it get to that point.

The technical side is much more difficult.  Since the details of our technical defenses are sensitive if not outright classified I won’t be able to get into them here.  I can, however, tell you the main reason they fail:  embassy employees.  I’ll probably be saying this a lot during the time I maintain this site, but users are the bane of any security system because security is an inconvenience. If the Ambassador insists on using Skype to video chat in his or her office there’s very little anyone can or will do about it. If a Political officer decides to do official government business on an iPad (an unapproved device) it’s highly unlikely they’ll get the security violation they deserve.  Such is life as a security professional.

What is OpSec?

OpSec, or “Operational Security”, is a broad term defined loosely as a series of actions undertaken to mask your whereabouts, mission, or purpose. Since this term tends to be a bit foreign to those outside of the military (and even to some within), I’ll try to illustrate it with some examples.

The majority of Foreign Service employees practice operational security mostly as a matter of personal safety.  While serving in countries in which crime or terrorism is a significant threat, operational security issues regarding personal safety are emphasized during an in-brief upon arrival at post by the Regional Security Officer (RSO).  Good OpSec practices overseas in the Foreign Service are typically varying one’s routes (both in geography and time) to work, not frequenting the same haunts, avoiding areas deemed unsafe by the Regional Security office, avoiding large crowds, etc.  By now it is well known that American diplomats are surveilled and targeted abroad.  By avoiding routines, Foreign Service employees reduce the odds of an attacker being able to prepare an ambush in the correct location.

OpSec is also important on the information side. Foreign Service employees all have Top Secret security clearances as a requirement for their position, a fact that is listed on the State Department’s career pages. In countries in which foreign intelligence services are known to operate and actively target Americans (read: most of the countries in the world), something as simple as mentioning you’re an American and work at the Embassy can raise your profile as someone worth more attention. When I’m at a bar or making a new acquaintance, I always respond to the obligatory “what do you do?” question with something vague and boring: “I do project management,” or “I’m sent around the region to manage infrastructure projects.” Key words I avoid include, but are not limited to, “security”, “electronics”, “information technology”, and “technical.” The fact is that security professionals throw up an instant red flag even with the good guys (Are they investigating me?). Volunteering that you work in security in a foreign country also leads to further questioning, which is a situation I really don’t want to be in. They don’t need to know what I do, and odds are I don’t need to know what they do either.

Social media presents a huge threat to operational security, as evidenced by high-profile incidents like the head of MI6 being outed on Facebook. The proliferation of GPS receivers in smartphones and the rise of Twitter and its geolocation services have implications for American diplomats as well as people back in the States. Frequent geo-located tweets make the job of building your profile that much easier, as they give away the shops you frequent, what you are doing/did at a certain location, and who you might be with at a certain place, with an accuracy of about 3 meters. Domestically, if you tweet that you’ve gone to pick up the kids from school and will be back in an hour, that’s an hour-long window in which your house can be broken into and robbed. Even without geolocation, posts on Facebook “via iPhone” or “via Blackberry” can indicate you are in a vulnerable spot, or give away where you aren’t. Overseas you do not want to give away any more information than you have to on social networks (and never mind that your name and profiles are probably viewable to a lot more people than you think).

Practicing good OpSec is difficult. The list of blunders is long and the number of agencies affected is large. Before (and during) any major military effort by the Department of Defense, pizza shops near the Pentagon are flooded with late-night orders. A Congressman tweeted about a secret trip to Iraq… as he was arriving. OpSec is often one of the most overlooked aspects of privacy, security, and safety, especially (and sadly) in the US diplomatic community. Diligence and careful consideration are the keys to practicing good OpSec. The next time you go on a vacation, consider having a neighbor pick up your newspapers and mail for you. For those Foreign Service employees currently abroad, consider some of the examples and advice in this post and think about how you can improve.

Got any OpSec suggestions or best practices?  I’d love to hear about them.  Drop me an e-mail or leave a comment.

5 Reasons Passwords Are Indispensable

Recently I gave 5 Reasons Why Passwords Don’t Work as a good security method.  As promised, here are 5 Reasons Passwords Are Indispensable in modern security systems.

1. Passwords are an authentication method users are comfortable with. The process of selecting and entering a password is a much less invasive authentication method than something like an iris scan.  If a user is comfortable with the operation of a system, they are much more likely to use it properly and effectively.

2. Good passwords are hard to crack. Yes, I know that’s somewhat circular, but the basic point is that if passwords are of sufficient complexity, a more technical (and usually much more difficult) method of attack is required. The casual hacker using a brute-force dictionary password cracking tool will be stopped by a simple, memorable passphrase like “I am 44 years old.” (Notice that this contains special characters (a space and a period), numbers, upper- and lower-case letters, and is 18 characters long, long enough to meet most requirements.)

3. Passwords are cheap (free, usually). Other than the occasional keypad they don’t require specialized equipment: no RFID tags or sensors, fingerprint readers, retina scanners, or guards stationed in your work area to check your ID card. You can also generate a lot of passwords in a very short time for little additional cost (although, as mentioned before, this can be an issue if you require so many passwords that users start to forget them).

4. Passwords are adaptable.  From mobile phones to mainframes to ATMs, passwords can be implemented on all shapes and sizes of devices.

5. Password security is easily enforceable.  All it takes to forbid the use of “password1” as a password is a simple blacklist.  Rules dictating password complexity, length*, special characters, case, and frequency of change are all standard best practices for password security.
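To make points 2 and 5 concrete, here is an added example (not code from the original post) of the kind of policy check an authentication server applies: a blacklist lookup plus length and character-class rules. It goes slightly beyond the post in that it strips digits and punctuation before the blacklist lookup, so trivial variants such as “Password1!” are caught along with “password1”; the blacklist and the 12-character minimum are constructed values, not a real policy.

```python
import re

# Constructed blacklist of base words; variants with digits/punctuation
# appended are normalized down to these before the lookup.
BLACKLIST = {"password", "123456", "qwerty", "letmein", "welcome"}
MIN_LENGTH = 12  # assumed minimum, chosen for this example

# Character classes a complexity rule typically requires at least one of each.
CLASSES = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),  # space and '.' count here
}


def normalize(pw: str) -> str:
    """Lower-case and drop everything but letters, so 'Password1!' -> 'password'."""
    return re.sub(r"[^a-z]", "", pw.lower())


def check_password(pw: str, blacklist=BLACKLIST, min_length=MIN_LENGTH) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if normalize(pw) in blacklist:
        problems.append("blacklisted")
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    missing = [name for name, rx in CLASSES.items() if not rx.search(pw)]
    if missing:
        problems.append("missing " + ", ".join(missing))
    return problems


if __name__ == "__main__":
    for candidate in ("password1", "Password1!", "I am 44 years old."):
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```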

The advantages and disadvantages of passwords have been debated ever since they gained primacy as a way of authentication.  Recently it has become affordable and easier to provide alternative means of authentication in addition to a password, but it has yet to really take off in the consumer market.  In a future post I’ll explain multi-factor authentication, how it’s implemented, and some reasons why that’s not always ideal either.

*Minimum password length can create funny and awkward situations.  In college I heard (numerous times) a joke in which one of my nerdy, anti-social colleagues would attempt to set his password to “penis.”  The authentication server would inevitably inform him that his password was too short.

Written by OSB

19/02/2011 at 22:42

Wi-Fi Hacking

An article was published on Wednesday about Wi-Fi “hacking” in the New York Times, “New Hacking Tools Pose Bigger Threats To Wi-Fi Users”. Never mind that none of the software tools mentioned in the article, like Firesheep (October 2010), Gerix Wifi Cracker (June 2009), Aircrack-ng (July 2009), or Wifite (September 2010), are “new”, and that several of them don’t do any active “hacking”; the article is good in that it brings to a popular audience some of the major drawbacks of using Wi-Fi, often referred to as “wireless”, technologies.

When you plug your Ethernet cable into the Ethernet jack on your computer, your “link” to the outside world and any potential eavesdroppers is (for the purposes of this discussion) localized to a very small volume around that cable. Data has a discrete path to and from your machine. In a wireless system operating at radio frequencies (RF), the link is the free space between you and the wireless access point. This makes it easy for an eavesdropper to insert themselves in the area in which you are exchanging data with the access point, because RF waves are not localized like signals in an Ethernet cable. The defensive mechanism for a cable is limiting physical access. For a wireless system, a different defensive mechanism is required.

Enter encryption. Encryption scrambles your data in a unique way such that only your machine and whatever service you’re interacting with on the other end can read the data. Unfortunately, the website must offer the option (in the form of SSL or TLS) to encrypt your session and protect your credentials. When a URL starts with https, you can be reasonably assured your credentials are safe. Note that anyone concurrently on the same network as you will still be able to capture the data you’re sending via the access point; this is why you’re not necessarily safe when logging into unprotected websites, even if the public Wi-Fi network you’re on is protected by a password.

Firesheep is technically a packet sniffer. It has no capacity to actively try to “guess” or “crack” your password; it just monitors traffic and captures unencrypted session cookies (small bits of text that contain details about the session and stand in for your login credentials) for use on the machine with Firesheep installed. So if you log into Facebook via the unencrypted login page http://www.facebook.com , Firesheep grabs that bit of text and passes it to Firefox on my machine, allowing me to log into your Facebook account. If you used the encrypted login portal, https://www.facebook.com , your session cookie would be encrypted and unreadable by me.

How can I protect myself? The best mitigation strategy in this situation is to never pass login credentials over a wireless network on which you do not control who connects. Starbucks, McDonalds, Boingo hotspots in the airport… if there’s a bunch of people you don’t know connecting to the same access point you are, don’t connect in the first place. If you simply must connect to an unprotected hotspot, don’t pass login credentials to sites that do not begin with https. A login site with only the http prefix should automatically be avoided. The article also suggests subscribing to a Virtual Private Network (VPN), which usually encrypts all of your traffic automatically. I think that’s a bit overkill for the less technically adept; smart browsing habits are free and always at your disposal.
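The two conditions described above (credentials sent to an http login page, and a session cookie that the browser will later send back in the clear) can be checked from the site operator’s side. The following is an added example, not code from the original post or from Firesheep: it parses a constructed HTTP login response and flags any session-looking cookie set without the `Secure` attribute, since without it the browser will also transmit that cookie on plain http:// requests where a sniffer on the same Wi-Fi network can read it. The cookie-name hints, the sample response and the URL are all constructed for the example.

```python
# Names that usually identify a session cookie; constructed heuristic list.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(header_value: str):
    """Split 'name=value; Attr=val; Flag' into (name, value, {attr: val})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()  # flags like Secure map to ""
    return name.strip(), value, attrs


def looks_like_session_cookie(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def audit_login_response(login_url: str, raw_response: str):
    """Return (finding, detail) pairs for what a same-network sniffer could capture."""
    findings = []
    # 1. The login form itself: credentials to a non-https URL travel in the clear.
    if login_url.split("://", 1)[0].lower() != "https":
        findings.append(("credentials_in_clear", login_url))
    # 2. Session cookies without Secure are replayed by the browser over http://.
    head = raw_response.partition("\r\n\r\n")[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        field, _, value = line.partition(":")
        if field.strip().lower() != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(value.strip())
        if looks_like_session_cookie(name) and "secure" not in attrs:
            findings.append(("cookie_sent_over_http", name))
    return findings


# Constructed response to a successful login; sessionid lacks Secure.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: /home\r\n"
    "Set-Cookie: sessionid=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: theme=dark; Path=/\r\n"
    "Set-Cookie: auth_token=xyz789; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for url in ("http://www.example.com/login", "https://www.example.com/login"):
        print(url, audit_login_response(url, SAMPLE_RESPONSE))
```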

Tip: Replace your old, unsecured “http” bookmarks with their “https” equivalents. Below are some common websites with their “https” login portal.

Find any major websites that don’t offer an https login option, or have a site you’d like added to the list?  Leave it in a comment.

Written by OSB

19/02/2011 at 20:02