11/11/2006

USMC OPSEC

Secure Computers

The following techniques can be used in engineering secure systems. These techniques, whilst useful, do not of themselves ensure security. One security maxim is "a security system is no stronger than its weakest link".
Automated theorem proving and other verification tools can enable critical algorithms and code used in secure systems to be mathematically proven to meet their specifications.
Thus simple microkernels can be written so that we can be sure they don't contain any bugs: e.g. EROS and Coyotos.
A bigger OS, capable of providing a standard API like POSIX, can be built on a microkernel using small API servers running as normal programs. If one of these API servers has a bug, the kernel and the other servers are not affected: e.g. Hurd.
Cryptographic techniques can be used to defend data in transit between systems, reducing the probability that data exchanged between systems can be intercepted or modified.
Strong authentication techniques can be used to ensure that communication end-points are who they say they are.
Secure cryptoprocessors can be used to leverage physical security techniques into protecting the security of the computer system.
Chain of trust techniques can be used to attempt to ensure that all software loaded has been certified as authentic by the system's designers.
Mandatory access control can be used to ensure that privileged access is withdrawn when privileges are revoked. For example, deleting a user account should also stop any processes that are running with that user's privileges.
Capability and access control list techniques can be used to ensure privilege separation and mandatory access control. The next sections discuss their use.
Don't run an application with known security flaws. Either leave it turned off until it can be patched or otherwise fixed, or delete it and replace it with some other application. Publicly known flaws are the main entry used by worms to automatically break into a system and then spread to other systems connected to it. The security website Secunia provides a search tool for unpatched known flaws in popular products.
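
One way to check the account-deletion case from the mandatory access control item above: list processes that still hold a UID with no matching account. This is an added example, not from the original page; it assumes a Linux `/proc` layout, and the sample status text and the function names are constructed for illustration.

```python
import os
import pwd

# Constructed /proc/<pid>/status excerpts (Name and the four Uid fields:
# real, effective, saved, filesystem). UID 1004 stands for a deleted account.
SAMPLE_STATUS = {
    812: "Name:\tsshd\nUid:\t0\t0\t0\t0\n",
    2291: "Name:\tbash\nUid:\t1001\t1001\t1001\t1001\n",
    3377: "Name:\tbackup.sh\nUid:\t1004\t1004\t1004\t1004\n",
    3390: "Name:\thelper\nUid:\t1004\t0\t0\t0\n",
}

def parse_status(text):
    """Return (name, set of UIDs) from the text of a /proc/<pid>/status file."""
    fields = dict(line.split(":\t", 1) for line in text.splitlines() if ":\t" in line)
    return fields["Name"], {int(u) for u in fields["Uid"].split()}

def read_proc(proc_root="/proc"):
    """Map pid -> status text for every process visible on a Linux host."""
    out = {}
    for entry in filter(str.isdigit, os.listdir(proc_root)):
        try:
            with open(os.path.join(proc_root, entry, "status")) as fh:
                out[int(entry)] = fh.read()
        except OSError:
            pass  # process exited during the scan
    return out

def leftover_processes(status_by_pid, valid_uids):
    """Processes holding any UID (real, effective, saved or fs) with no account."""
    found = {}
    for pid, text in sorted(status_by_pid.items()):
        name, uids = parse_status(text)
        stale = uids - valid_uids
        if stale:
            found[pid] = (name, sorted(stale))
    return found

if __name__ == "__main__":
    accounts = {e.pw_uid for e in pwd.getpwall()}  # local passwd database
    print(leftover_processes(read_proc(), accounts))
```

`pwd.getpwall()` only enumerates what the configured name services expose, and processes in containers with their own UID mapping will show up as having no account.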

Cryptographic techniques involve transforming information, scrambling it so it becomes unreadable during transmission. The intended recipient can unscramble the message, but eavesdroppers cannot.
Backups are a way of securing your information; they are another copy of all your important computer files kept in another location. These files are kept on hard disks, CD-Rs, CD-RWs, and tapes. Backups can be kept in a multitude of locations; some of the suggested places would be a fireproof, waterproof, and heat-proof safe, or a separate, offsite location away from where the original files are kept. Some individuals and companies also keep their backups in safe deposit boxes inside the vaults of banks. There is also a fourth option, which involves using one of the file hosting services that back up files over the Internet for both businesses and individuals.
Backups are also important for reasons other than security. Natural disasters, such as earthquakes, hurricanes, or tornadoes, may strike the building where the computer is located. The building can be on fire, or an explosion may occur. There needs to be a recent backup at an alternate secure location in case of such a disaster. The backup needs to be moved between the geographic sites in a secure manner, so as to prevent it from being stolen.
Anti-virus software consists of computer programs that attempt to identify, thwart and eliminate computer viruses and other malicious software (malware).
Firewalls are systems which help protect computers and computer networks from attack and subsequent intrusion by restricting the network traffic which can pass through them, based on a set of system administrator defined rules.
Access authorization restricts access to a computer to a group of users through the use of authentication systems. These systems can protect either the whole computer - such as through an interactive logon screen - or individual services, such as an FTP server. There are many methods for identifying and authenticating users, such as passwords, identification cards, and, more recently, smart cards and biometric systems.
Encryption is used to protect your message from the eyes of others. It can be done in several ways by switching the characters around, replacing characters with others, and even removing characters from the message. These have to be used in combination to make the encryption secure enough, that is to say, sufficiently difficult to crack. Public key encryption is a refined and practical way of doing encryption. It allows for example anyone to write a message for a list of recipients, and only those recipients will be able to read that message.
Intrusion-detection systems can scan a network for people that are on the network but who should not be there or are doing things that they should not be doing, for example trying a lot of passwords to gain access to the network.
Social engineering awareness - Keeping yourself and your employees aware of the dangers of social engineering and/or having a policy in place to prevent social engineering can reduce successful breaches of your network and servers.
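
The password-guessing case named in the intrusion-detection item above, as detection logic run over log lines. This is an added example, not part of the original page; the log format, the threshold of 5 failures in 60 seconds and the function name `detect_guessing` are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the style of an sshd auth log (addresses are
# documentation ranges; none of this is real data).
SAMPLE_LOG = """\
2006-11-11T09:00:00 sshd[411]: Failed password for root from 192.0.2.10 port 4011
2006-11-11T09:00:05 sshd[411]: Failed password for root from 192.0.2.10 port 4012
2006-11-11T09:00:09 sshd[411]: Failed password for invalid user admin from 192.0.2.10 port 4013
2006-11-11T09:00:12 sshd[412]: Failed password for alice from 198.51.100.7 port 5100
2006-11-11T09:00:14 sshd[411]: Failed password for invalid user admin from 192.0.2.10 port 4014
2006-11-11T09:00:20 sshd[412]: Accepted password for alice from 198.51.100.7 port 5101
2006-11-11T09:00:21 sshd[411]: Failed password for root from 192.0.2.10 port 4015
2006-11-11T09:00:30 sshd[411]: Accepted password for root from 192.0.2.10 port 4016
""".splitlines()

EVENT = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")

def detect_guessing(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag sources with >= threshold failures in a sliding window (time-ordered input)."""
    recent = defaultdict(deque)  # source -> (timestamp, user) of recent failures
    alerts = {}
    for line in lines:
        m = EVENT.match(line)
        if not m:
            continue  # not a password event
        ts, src = datetime.fromisoformat(m["ts"]), m["src"]
        if m["result"] == "Accepted":
            # A success from an already-flagged source is the case to escalate.
            if src in alerts:
                alerts[src]["success_after"] = True
            continue
        q = recent[src]
        q.append((ts, m["user"]))
        while ts - q[0][0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            a = alerts.setdefault(
                src, {"failures": 0, "users": set(), "success_after": False})
            a["failures"] = max(a["failures"], len(q))
            a["users"] |= {user for _, user in q}
    return alerts

if __name__ == "__main__":
    for src, info in detect_guessing(SAMPLE_LOG).items():
        print(src, info)
```

A fixed window misses slow guessing spread over hours, so the threshold and window need tuning against the site's normal rate of failed logins.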

Random Routine

Counter surveillance requires an effort to protect those activities or information that are sensitive, whilst giving less emphasis to those activities that can be open to all.

Counter-surveillance is based on much the same process, but instead you provide security and barriers around your own personal habits. As humans we are creatures of habit. If we exhibit very predictable habits, this makes monitoring of our activities easier. But if on certain occasions we break our habits, it can also give away the fact that we are doing something at that time which is not part of our everyday work.

The best way to begin thinking about avoiding surveillance is to think about breaking the regular patterns in your life. This masks regular activity, so making it harder to practice routine surveillance. But it also masks the times when you may undertake activities out of the ordinary.
Breaking regular patterns does not mean going to bed at different times, or working different hours everyday. Instead it requires that any activities you wish to avoid being the subject of surveillance are integrated into the other events in your life - but not to the extent that they become predictable. If you change the route you take to work or to shop on a random basis, you make it more difficult to monitor your movements. If you build irregular appointments into activities that might involve surveillance, it creates a background 'noise' in the pattern of your activities that masks any change in your habits.

INFOSEC

If you are very good at restricting all information, the state or corporations will have problems monitoring you. However, you are also likely to become more isolated and secretive in the process. Information security is primarily based on protecting equipment with security procedures and barriers. Securing the information on your computer will help your overall security. If you have a portable computer you are presented with a whole new problem because you move that system outside of your ordinary systems of security and access barriers. Therefore special care should be taken with portable computers:
The system should be secured with a BIOS password to prevent booting;
Use encryption of the hard disk, where possible, to prevent access to the contents of the hard disk if it is removed from the machine;
Ensure that your portable computer has different passwords than those used on your static equipment.
Securing your information is fairly easy. But the main issue you will have to deal with when considering personal surveillance is how to carry out meetings, and networking with people, when you need to discuss sensitive issues.

Meetings

When organising a private meeting, if you cannot send details to all involved in ways that will not be intercepted, always try to agree on meeting in one location near to the meeting place. You can then direct people to the correct location as they arrive. By keeping the location of a private meeting limited, you lessen the likelihood of the location being surveilled.
If meeting in the home or building of another person or organisation, do not make a phone call from their phone to a number that is identified with you, or from a public phone box near to that building.
If the people going to a private meeting are likely to have mobile phones, ask them to turn them off before travelling to the meeting place (if all the mobile phones of a group of people are in the same cell at the same time on the same day, it can be assumed that you have had a meeting).
If you require a private meeting place, do not keep using the same one. Alternate it as much as possible. Also, if you meet in a public place, pick somewhere with a high level of background noise, and with as many obstacles or partitions around the point where you meet, to prevent your conversations being overheard.
If you must pay for something whilst having a meeting, use cash. Or, if you cannot, get one person to pay. In this way you will not generate paper trails linking you together.
Meeting in public spaces, streets, in parks, or on public transport is not a good idea - many of these areas are surveilled by CCTV. But bars, cafes and restaurants tend not to have their CCTV systems linked to a central control room, and what CCTV systems are installed are concentrated around the till.

Communications

If you need to make a sensitive phone call that must not be directly associated with you, do so from a public phone box. But beware, if you are associated with the person at the other end of the call, and the content of their calls (rather than just the data) is being monitored, your location at that date and time will be discovered.
If using public phone boxes, try to use them randomly across an area rather than the ones that are closest to you. Also, try to avoid phone boxes on direct transport routes to your home or place of work.
If you wish to send something sensitive through the post, wear gloves to prevent creating fingerprints when producing/packing the item, do not lick the envelope or stamps to prevent creating a DNA sample, and post it in a different location to where you normally post your letters (the further the better) using stamps bought on a different day.
If you print something, use a printer that cannot be traced back to you. With printer steganography it may be possible to find out when and where a document was printed.
If you need to send a sensitive fax, use a copy shop/bureau which has a self-service desk.
If you desperately need to keep in communication, buy a pay-as-you-go mobile phone and only use it for a day or two whilst you are engaged in sensitive work.

Internet

Maintain a number of alternate personas on the Internet that give you access to web mail and other services should you ever need to use them.
If you need to use the Internet, use a public access point, such as a cybercafe, a public library that doesn't require an ID, or a college computer lab that doesn't require an ID. Make sure that you do not access your own Internet services from the cybercafe - use an alternate persona.
If you need to view material that you do not wish to be associated with as part of the server logs of your Internet service provider, use a cybercafe.
If you use cybercafes as part of your communications, try not to use the same one.
If you have a laptop computer, and you wish to mask your location, let someone you trust use it online whilst you are away on sensitive work.

Payments

If you are travelling to a sensitive location, don't pay by credit/debit card or take money from a cash machine.
If you need to spend cash when travelling to/working around a sensitive location, do not spend the notes taken directly from the cash machine (their sequential numbers may be logged). Keep a supply of notes received as change elsewhere and use those.
If you need to buy something when travelling to/working around a sensitive location, do not give any loyalty cards or personalised money-off tokens as part of your purchases - they are traceable.

Mobile Phones

If in doubt, turn it off.
If travelling to a sensitive location, in an urban area do not use your phone within two or three miles of the location, or in rural areas do not use it within ten or fifteen miles of the location. This will prevent the creation of a trail that associates you with that location on that day.
If the location you are going to is nowhere near a route you regularly travel, turn off your phone before you start your journey there.
However, do not always go to places far from your home. A truly random sequence will include clustering. If you are always going to locations far from your home, they may be able to backtrack you to your home or office based on the locations you are avoiding.
If you desperately need to mask your location, let someone else carry your phone around for the day - but this is only realistic if you take all precautions to prevent generating other document trails whilst you are moving around.

Travel

If you are travelling to a sensitive meeting take a different route going there and coming back, and if possible do not use the same bus or station when going to or leaving the location you are travelling to. This lessens the likelihood that your destination will be identified.
If travelling on sensitive business, try to use public transport. Using your own private car will provide a traceable identity.
To avoid the CCTV systems in public places move with the crowd; don't rush, don't cut corners, and don't look around for CCTV cameras.
If you can build in other events/appointments as part of your journey, that will help provide an alternate motive for travelling to that area of a town or city.
Facial recognition systems work primarily on the configuration of facial features. To work they need to get a good view of the face. Looking at a slight angle towards the ground, and wearing a hat with a brim, helps fool the system.
If you travel using public transport, roaming tickets are preferable to tickets for a specific journey - they give you more flexibility over the route, and it is more difficult to associate a route travelled with a particular ticket purchase.
If you have the time available and you can obtain a roaming ticket, build in some extra time to your journey and change trains to make it hard to piece together your journey from CCTV and surveillance sources.
If travelling in a town, avoid moving through the major shopping areas, or 'controlled environments' such as shopping centres. These have the highest level of CCTV coverage.
Always assume that public transport vehicles have CCTV installed - travelling during peak hours will help mask your presence.
To make following you in person or via CCTV more difficult do not wear distinctive clothes or carry distinctive objects - blend in.
Darkness aids anonymity, but is not a foolproof solution to the latest CCTV cameras which can see in the dark.

An OPSEC Primer

What is OPSEC?

Operations Security (OPSEC) is an analytic process used to deny an adversary information - generally unclassified - concerning our intentions and capabilities by identifying, controlling, and protecting indicators associated with our planning processes or operations. OPSEC does not replace other security disciplines - it supplements them.