Monday, August 27, 2024

A Word on OPSEC

I have waited long enough for any news reports regarding the visit to Norfolk by Adm. Vladimir Masorin, commander in chief of the Russian Navy. It does not appear any media coverage of the event is forthcoming. I've been waiting for a few weeks for someone to talk about it in the media; I assumed, somewhat like the naive fool I sometimes am, that everyone had been waiting for this, that someone would ask any number of questions of the dear Russian Admiral regarding his statements on Russian Navy Day, or perhaps about the 6 aircraft carriers he wants to build. Apparently, the visit is EMCON Alpha.

But it really wasn't; the Navy told me he was coming every day for a week, despite no pictures or any word that I can find online until this weekend.

I've avoided personal stuff in this blog, and will be generic on purpose for a paragraph. I own an IT company, I have worked in IT security for 12 years, and I have spent time in the dark corners of the internet from time to time when paid appropriately for my services. I used to be a programmer, but when someone asks me what I do now, I tell them I'm in the information business. My primary business is to gather relevant information, store information in a flexible way, and securely present the useful information. Like I said, this is generic on purpose.

In this regard I have several side projects that I sometimes revisit in hopes of one day selling. One of those projects is a multi-language information gathering tool that basically gathers information, similar in function to an RSS reader for RSS feeds, except much broader in scope. It is actually better described as an open source data phishing tool.

When I read this story posted on Wired, then the follow-on by Greyhawk, I decided to test some theories on blogs and OPSEC by adding additional layers into my software using open sources of information, to see if I could find any evidence of OPSEC problems outside blogs.

For years, members of the military brass have been warning that soldiers' blogs could pose a security threat by leaking sensitive wartime information. But a series of online audits, conducted by the Army, suggests that official Defense Department websites post far more potentially-harmful information than blogs do.

The audits, performed by the Army Web Risk Assessment Cell between January 2006 and January 2007, found at least 1,813 violations of operational security policy on 878 official military websites. In contrast, the 10-man, Manassas, Virginia, unit discovered 28 breaches, at most, on 594 individual blogs during the same period.

The results were obtained by the Electronic Frontier Foundation, after the digital rights group filed a lawsuit under the Freedom of Information Act.

"It's clear that official Army websites are the real security problem, not blogs," said EFF staff attorney Marcia Hofmann. "Bloggers, on the whole, have been very careful and conscientious. It's a pretty major disparity." The findings stand in stark contrast to Army statements about the risks that blogs pose.

Noah and Greyhawk are both right to be skeptical. A few points to ponder.

The weekend of the 18th and 19th I decided to write additional functionality into my tool. Specifically, I started looking into search engine search strings based on some stuff discussed at a recent white hat conference, and began my little search by also including some simple blogs I made on a variety of sites, all of them free hosted. I noticed the script kiddies are doing their phishing by using specific ship names and by targeting geographic places (port and country) to generate hits, so I decided to mimic script kiddie techniques mostly and make only a few customizations; then I added a number of common naval terms and names as well, and added more throughout the week as news changed.

It seems pretty clear to me that internet search strings alone from .mil sites are a security problem in the DoD, if not the government at large. I'm willing to bet milbloggers who generate a bunch of hits and have monitored stats on blogs much longer than I have, have seen evidence of this. Starting on Monday the 20th I captured dozens of hits from several government sites searching for terms like: Admiral, Vladimir, Masorin, Norfolk, Washington, Visit, and Mullen. As a side note, it is noteworthy that the Russians made the same mistakes from Moscow against Russian language blogs. At this point I am debating whether to conduct the test again in the future and actually produce the data as a paper; if I do, I'll post it here.

This isn't a big deal though, right? I got a bit concerned when on the 19th I had hits that include terms like Marmaris + Turkey + USS Kearsarge, which wouldn't be a big deal except the Kearsarge didn't arrive in Turkey until the 20th, and I couldn't find any English language website stating the ship would be in Turkey after Malta at the time. Maybe this was announced ahead of time overseas and I was simply unaware, but it seemed a bit odd.

Is this an OPSEC problem? I don't know, but this type of phishing took about 3 hours to set up and uses mostly very old hit generation techniques on free sites to track search strings from government sources, predicting data using special terms, then organizing the data. I could go into further detail, but I think to anyone with a lick of tech knowledge the point is clear.

You mil folks at work need to be careful what you put into your search engines; for example, don't use ship names and locations of current ops, and be mindful that everything you put into the web gets stored somewhere for output, and in many places stored publicly.
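The advice above can be turned into a detection check on the network's own side: search-engine queries leave the network as plain URLs, so a web proxy log records exactly what was typed. The following is an added example, not code from the post or from the author's tool; it assumes a minimal "timestamp client-ip url" proxy log format and uses a constructed watchlist and constructed log lines. It extracts the query text from known search engines (Google and Bing use the `q` parameter, Yahoo uses `p`) and flags queries that name a unit, rating them higher when a place name appears alongside, which is the ship-plus-port pattern the post describes.

```python
# Added example (not from the blog post): audit outbound proxy logs for
# search-engine queries that combine sensitive terms such as a ship name
# with a port or country.
import re
from urllib.parse import urlsplit, parse_qs

# Query-string parameter each engine uses for the search text.
SEARCH_PARAMS = {
    "www.google.com": "q",
    "www.bing.com": "q",
    "search.yahoo.com": "p",
}

# Constructed watchlist grouped by category; a real list would come from the
# command's own critical-information list, not from this example.
WATCHLIST = {
    "unit": {"uss kearsarge", "uss hue city", "masorin"},
    "place": {"marmaris", "turkey", "norfolk", "malta"},
}

# Assumed proxy log format for this example: "timestamp client-ip url".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<url>\S+)$")

# Constructed sample lines; none of these are real log entries.
SAMPLE_LOG = """\
2007-08-19T14:02:11Z 10.1.2.3 http://www.google.com/search?q=marmaris+turkey+uss+kearsarge
2007-08-19T14:03:40Z 10.1.2.4 http://www.google.com/search?q=weather+norfolk
2007-08-19T14:05:02Z 10.1.2.3 http://search.yahoo.com/search?p=USS%20Hue%20City%20danger%20circle
2007-08-19T14:06:15Z 10.1.2.9 http://example.org/page?q=uss+kearsarge+malta
"""


def search_terms(url):
    """Return the decoded search text if url is a query to a known engine, else None."""
    parts = urlsplit(url)
    param = SEARCH_PARAMS.get(parts.hostname)
    if param is None:
        return None
    values = parse_qs(parts.query).get(param)
    return values[0] if values else None


def classify(query):
    """Map each watchlist category to the sorted list of its terms found in query."""
    text = query.lower()
    return {cat: sorted(t for t in terms if t in text) for cat, terms in WATCHLIST.items()}


def find_leaks(log_text):
    """Flag queries naming a unit; unit plus place is rated high, unit alone medium."""
    flagged = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = search_terms(m["url"])
        if not query:
            continue
        hits = classify(query)
        if hits["unit"]:
            flagged.append({
                "client": m["client"],
                "query": query,
                "unit": hits["unit"],
                "place": hits["place"],
                "severity": "high" if hits["place"] else "medium",
            })
    return flagged


if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_LOG):
        print(f'{leak["severity"]:6} {leak["client"]:10} {leak["query"]}')
```

Run against the sample, the first line is flagged high (a unit name together with two place names), the Yahoo query is flagged medium (unit name only), the "weather norfolk" query is ignored because a place name alone is not interesting, and the example.org line is ignored because it is not a search engine. Substring matching is deliberately loose; a production version would tokenize and handle hull numbers and abbreviations.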

I have no idea what happened with the USS Hue City (danger circle), but I figure a story will pop up over the next few days. I'm also more interested in "Varuna 2007" than I previously was, because I can't explain why so many hits with that search term came from Saudi Arabia.

When I saw this post by the CDR Salamander Saturday, I added a few terms to my phishing, and if the CDR calls his office (assuming he saves daily logs) I bet he had another visit sometime between 2:10pm and 2:15pm eastern on Monday afternoon; I did in 4 places, and he ranked higher than me on the search string response list. Technology is moving fast; if the DoD is looking outside the bubble to blame bloggers, I don't think they have a grip on their OPSEC issues.
