Operations Security is defined as:
Operations Security, or OPSEC, is the process by which we protect unclassified information that can be used against us. OPSEC challenges us to look at ourselves through the eyes of an adversary (individuals, groups, countries, organizations). Essentially, anyone who can harm people, resources, or mission is an adversary.
OPSEC should be used to protect information, and thereby deny the adversary the ability to act. Nearly 90% of the information collected comes from “Open Sources”. Any information that can be obtained freely, without breaking the law, is Open Source. It is social network sites, tweets, text messages, blogs, videos, photos, GPS mapping, newsletters, magazine or newspaper articles, your college thesis, or anything else that is publicly available.
Our OPSEC objective is to ensure a safe and secure environment. OPSEC is best employed daily when making choices about what communications to use, what is written in emails or said on the phone, postings on social networking sites and blogs. Any information you put in the public domain is also available to your adversaries.
The bottom line is that we can be our own worst enemy. Google yourself or your organization and see how much you can find out.
Someone needs to do their annual training right quick!
Are you actually fucking kidding me
(and yes this is real, @POTUS is tied to a Gmail account) pic.twitter.com/LUdeNkEF1O
— Alex Zalben (@azalben) January 26, 2017
@_fl01 @20committee so does Press Sec but his email is WAY easier to guess. And there's last two digits of his phone no., too. pic.twitter.com/bFCtD5palc
— Ale (@aliasvaughn) January 26, 2017
Боже мой! (“My God!”)
Miss Bianca
So, when is Jason Chaffetz going to convene hearings on this grave, grave breach of national security?
PPCLI
There will be hell to pay when Jason Chaffetz finds out about this. That man is a fanatic on the subject of cyber-security. I expect hearings to start up right away.
/s
Sister Rail Gun of Warm Humanitarianism
@Miss Bianca: He’ll be too busy reviewing the Old post Office lease.
lollipopguild
@Miss Bianca: He’s not. Anything is ok if you are a REPTHUG. The jokes they write themselves.
PPCLI
@Miss Bianca: I couldn’t have said it better myself.
Adam L Silverman
@Miss Bianca: As soon as someone gets Congressman Gowdy’s hair ready…
dr. bloor
Looks like “Dshitgibbon” fits nicely into the blanked out portion of the e-mail address.
Roger Moore
Thanks for pointing this out. It just encouraged me to turn on two factor authentication on my Twitter account.
Miss Bianca
@Adam L Silverman: I’m not even sure I know what this means but it has cracked me up. Bigly!
@PPCLI: Oh, but you did! ; )
sherparick
Please tell James Comey he needs to expand his “e-mail” management investigation. Also, tell Dean Baquet at the NY Times that questions must be raised.
The Moar You Know
If any of our employees here at Moar Security was forwarding to a Gmail account, never mind using it as a primary, I could and would fire them on the spot. I’d have to, actually. Google/Alphabet will happily hand over everything on an account with nothing more than a subpoena, which in several states doesn’t require a judge to issue, only a lawyer.
The Moar You Know
@dr. bloor: “Dr.SmallHands”
sharl
Sorry, but I’ll wait for the authoritative NYT story on this that ties it to Hillary’s campaign. Gotta avoid fake news these days…
Adam L Silverman
@Miss Bianca: Here you go!
http://www.esquire.com/news-politics/news/a39097/trey-gowdy-photos/
schrodingers_cat
@The Moar You Know: So for a regular person, what is the safest email account to have? My main account has been a gmail since forever.
Miss Bianca
@Adam L Silverman: Bwa-ha-ha!! Laffs galore!
*So* glad no one else is in the office today!
Gin & Tonic
Haven’t heard much from Giuliani Security lately. Doesn’t look like they’ve been very busy, though.
dmsilev
@The Moar You Know:
Well now. This suggests an opportunity re: Big Orange.
Xenos
Per TPM, a top FSB official in Moscow has been arrested for treason, apparently due to being a mole for the US. It appears that someone in the Trump administration may have tipped off Putin about this.
Seems to be worth a bit of investigating, right?
Adam L Silverman
@Gin & Tonic: They can’t access their email now that everything’s offline.
Gin & Tonic
@schrodingers_cat: An off-shore account, preferably in the EU, that you connect to using SSL.
p.a.
@schrodingers_cat: @Gin & Tonic:
If you’re ~~innocent~~ Republican, you have nothing to worry about.
trollhattan
@Xenos: If Trump actually burned an agent of ours…. Suppose it could also be a Vlad-directed warning to moles unknown; Cripes, where’s le Carre when we need him?
PPCLI
@Gin & Tonic: Or perhaps the recent arrests of Russian FSB agents/possible US intelligence assets indicate that Rudy and co. have been very busy indeed.
Immanentize
With US assets being rounded up in Russia, I am afraid we have truly entered the frightening zone. Really scary zone.
Gelfling 545
@Gin & Tonic: Yeah, Giuliani isn’t doing much with “the cyber” now, is he?
Roger Moore
@schrodingers_cat:
It depends on your threat model. If you aren’t worried about being subpoenaed and your main worry is hackers stealing your password, Google is probably fine, especially because they offer two factor authentication*. If you’re worried about subpoenas or warrants, you should probably pick a provider like HushMail that lets you send encrypted mail**. IIRC, it’s also a good idea to download your mail to your own computer and delete it off the server so anyone who wants to look at your old mail has to physically seize your computer rather than just asking for the mail from your provider.
*i.e. just getting your password isn’t enough to get into your account. You need to add a second passcode that changes based on the time. That code can either be texted to your phone or generated using an app.
**ETA: The point is to encrypt the mail on your computer and send it encrypted the whole way, so it can only be opened by somebody who has the decryption key. That protects it against snooping, either by somebody hacking the connection or getting access (legal or otherwise) to the server.
JPL
@Immanentize: The repubs will pay attention once they rid us of social security, medicare, medicaid, the ACA and cut the taxes for millionaires and billionaires. I hope it’s not too late. By that time, our experiment in democracy could be over.
At this point, I assume that the EU intelligence operations will no longer be sharing intel with us.
Immanentize
@JPL: I am certain that is their plan, but this stuff seems to be moving much faster than they could have imagined. And they get Pence anyway. Unless Pence was fully in the know about impeachable stuff. At some point, the massive structural screw ups and political distractions will slow down their ability to push through their agenda.
p.a.
Someone posted-earlier thread ?- that PootyPoot was a) disciplining his sneaks for leaving fingerprints, b) setting up deniability: rogue element of ~~GRU KGB CHEKA~~ whatever the f#*& they’re called now did it but has been neutralized.
Gin & Tonic
@Gelfling 545: When he was announced a couple of weeks ago, infosec people had a blast dissecting his company’s public-facing server. Long story short – it was a total embarrassment.
Xenos
OK, CIA assets abroad are getting burned, the senior staff at State have been fired, and all the ambassadors have been fired with no replacement in sight.
Can it be considered a coup if the president is wiping out the executive branch? Either way, the country is going to be unable to manage its affairs at all pretty soon.
Major Major Major Major
Open thread?
My friend got interviewed in New York Magazine!
Barney
In other Sean Spicer, Press Secretary to the Shitgibbons Twitter account security news:
https://twitter.com/evanoconnell/status/824614832691355648
Adam L Silverman
@Barney: Actually he did it twice. I chose not to post those up top.
Mnemosyne
@Barney:
That’s what happens when you know your boss will only communicate via Twitter.
p.a.
@Immanentize: IF we had a fully functioning Democratic Party and a responsible media (or, let’s shoot the moon, a Dem version of FuxNews), we could tar them all together, Lord tRumpleroy, Dence, Ruin, Yertle, and take at least the Senate in ’18.
(Don’t know the Senate race breakdown for ’18. Probably bad for Dems, of course.)
Roger Moore
@p.a.:
Then we’d also have President Hillary Clinton.
Another Scott
So I was having a discussion with J about whether there were people (as opposed to corporations) who actually supported the TPP. I mentioned Farmers. There was lots of good information on the TPP at the USDA, but of course it was taken off-line. Much/most of it is at the Wayback Machine (but not some of the graphics I’m looking for).
I did some more searching and it seems that the USDA has a policy of archiving stuff and a page with those TPP links is here.
But, guess what? Clicking on those links gives different pages, or 403 errors (access denied).
Maybe it’s just a reconfiguration issue or something, but we need to keep an eye on things like this. This was work done by the US government and the people have a right to see it.
Cheers,
Scott.
Gin & Tonic
@Barney: Kinda OT, but doesn’t that guy Evan O’Connell look like the guy you’d like to kick the barstool out from under?
Stan
In Russia, password changes YOU
pseudonymous in nc
There is an argument that having an account tied to a Gmail account is better in some ways than one tied to a personal domain: you don’t run the risk of having it compromised if the domain lapses or is hijacked. That doesn’t apply when you have access to government domain email, or if you’re working at a private org with its own professional tech security people and policies.
2FA, though. With an OTP authenticator app or a USB key, not a text message.
Major Major Major Major
Didn’t our last Republican administration burn an asset just for fun/spite/because they could?
ETA: @Another Scott: To be fair, normal person websites have trouble with things like this. I can only imagine the clusterfuck that is the Trump administration trying to deal with it. This is the first time we’ve had the transfer of such a large volume of web assets from one administration to the other, so it wouldn’t surprise me if there were busted links and archival issues for some time to come in a non-malicious manner.
This is not to say that there aren’t also malicious things happening, which of course there are; but we shouldn’t necessarily be freaked out by every broken link.
O. Felix Culpa
Not sure if this has already been posted, but Republicans are openly considering Donald Trump’s “emotional stability.” Ya think?
Trigger alert: Primary source is “veteran Washington journalist Carl [::ptui::] Bernstein.”
Ryan
But you know, Hillary’s email server, so BOTH SIDES!!!
sharl
@schrodingers_cat:
I’ve been looking into this issue as well. I suspect my existing 2-factor authentication setup for g-mail is adequate for my present needs, along with broader browser (Chrome) and Win10 protections – running both Windows Defender for standard antivirus and Malwarebytes for more newly released malware that is lurking out there.
One thing relatively new is a new 2-step authorization technology known as a U2F, which requires some hardware (FIDO U2F Security Key) that fits into a USB slot – explanation here and here (Google’s page on it). Both of those sites have links to Amazon sites where you can buy the hardware (I couldn’t find it in a local Micro Center, and the guy I talked to there knew nothing about it).
I saw some infosec pros strongly urging this a while back for those with compatible systems, though since I don’t travel into the dangerous parts of the internet that infosec folks wade into as part of their jobs, I don’t know if their advice is relevant to me. The problem is that malware always becomes more innovative and easier to use with time, so while there’s no bulls-eye on me today, there may be tomorrow.
The infosec escalation: it never ends, and it is a pain in the ass.
Immanentize
Here is a reasonable question for the new administration:
Are we safe?
tobie
Did the senior management at State resign or were they fired? I’m having trouble making sense of the reports. Thanks in advance for any clarifying info.
Shakti
The only thing which surprises me is that these accounts weren’t somehow connected to a Yahoo account with security questions.
mai naem mobile
Lumpy better watch it. The 400lb hacker sitting on his bed in NJ may be hacking into his Gmail account right now. Also too, bbbuttt Hillary had a private email server….screeeeechhh!!!
Mnemosyne
@tobie:
Given that the Trump administration lies about everything, I think it’s going to be hard to say for sure. They’re already lying about which side canceled the President of Mexico’s visit here.
mike in dc
Day 7. Today is day 7. Roughly 1/2 of 1 percent of a four year term.
Major Major Major Major
@sharl: Everybody should always use two-factor authentication where it’s available.
Gmail should be fine, but in general email itself should be considered highly non-private as a determined (particularly government) agent can often find a way in. Encryption will be your friend there, but that can always be broken by shoe-leather type stuff.
Edit: Malware doesn’t have much to do with any of this except if you get something that will log your password keystrokes or something like that, in which case nothing password-protected without two-factor is safe. And even then you can get malware on your secondary device too. Etc.
MazeDancer
There is a site called FamilyTreeNow . com that has a terror inducing amount of info about people. Searching my name produced every address I have ever had.
You can opt out they say, here is the page on that.
? Martin
@schrodingers_cat: I’ll reiterate the above. Turn on 2FA on your Gmail account and you’re almost certain to be fine. The YubiKey is cool. I have one, but it is a bit of a PITA, and overkill for most people.
Unfortunately, it’s near impossible to make email secure. Just assume that it’ll be read. The key is to ensure that nobody can hijack your account by getting your l/p.
Major Major Major Major
@MazeDancer: Oh, yes, everybody should opt out of that, but the damage was done long ago. A dossier like that is easy as pie to set up for somebody. I used to do it, sort of, but as one of the good guys. Can’t go into a large amount of detail.
sharl
@Major Major Major Major: Yep. I haven’t been doing anything nefarious that would irk a government agency (famous last words, I know), but hackers looking to capture keystrokes, passwords, etc. to gain personal information to hijack accounts and whatnot are my big personal concern.
And for Facebook users, hot off the press so to speak:
Sloane Ranger
@JPL: The BBC has just reported that, in an interview given on the flight over there, Theresa May said that the UK might end its intelligence sharing agreement with the US if Trump legalises torture.
Gin & Tonic
@sharl:
ETA: I guess the
Roger Moore
@sharl:
This is great for the authentication side of the problem, but it doesn’t guarantee anything else. So it makes it hard for somebody to hijack your account but doesn’t necessarily protect you against somebody subpoenaing your emails from the provider or intercepting your emails in transmission.
Spanky
@tobie: Answer: Yes.
J R in WV
@schrodingers_cat:
My neighbor/systems admin has identified protonmail.com as the most secure email service available. I intend to convert to that service asap. Encrypted end-to-end, all servers located in Switzerland, so not in the EU, not in the USA. Probably as protected from Trump-fomented penetration as possible.
Designed by CERN and MIT scientists, free with additional support available for a low price. 5,000,000 users so far.
sharl
@Gin & Tonic: Hahaha, definitely a growth industry, and the best in the biz are probably worth more than they’re being paid.
tobie
@Mnemosyne: @Spanky: Thanks. I guess this is a prime example of gaslighting. We’ll never know. By design.
Roger Moore
@MazeDancer:
Some of it is even accurate! I have the advantage of a relatively common name, so the information they have about me beyond my addresses is wildly incorrect. This could be either a good thing or a bad thing. On the one hand, it shows that they don’t actually know everything about me. On the other hand, it means I could potentially get in trouble for something that’s incorrectly associated with me.
Gin & Tonic
@Immanentize: In our best Laurence Olivier voice?
JPL
@Sloane Ranger: It appears that Trump values Russian intelligence anyway.
Roger Moore
@Major Major Major Major:
It won’t help. You’re opting out of that site, but they’ve mined their data from elsewhere. I occasionally get mail for the people who they list as possible relatives/associates, which I can only assume is because somebody else made that association and they’ve copied the incorrect information from there. Once that kind of information- correct or not- is out there, it’s almost impossible to eradicate.
Gin & Tonic
@Roger Moore: Which is why, as I said, store your e-mail in an EU country with better privacy laws and retrieve it using SSL.
Keith P.
@Shakti: It’d be hilarious if they were those kinds of accounts where you can lock them out by just failing logon a few times. That “security measure” (at least as most commonly-implemented) cracks me up.
Immanentize
@Gin & Tonic: Yes, it would have to be in a voice deeper than Spicer’s
Major Major Major Major
@Roger Moore: I know, which is why the rest of my sentence is “but the damage was done long ago.” Then there are the sentences that follow that!
cosima
@Another Scott: I read that Alaska fishermen were upset because their primary buyers for Pollock (spelling?) is Japan, and TPP would have benefitted them. Going to go out on a limb here and say that the shitgibbon/Hillary votes were probably split in that crowd, there would have been at least some of them who would not have voted to shoot themselves in the foot. I was born/raised in AK, and my ex & I had a Bristol Bay fishing permit (he still has & uses), so I know a wee bit about that crowd.
sharl
FYI, a short Twitter exchange from September among a few infosec nerds, discussing gmail security.
ETA: A site recommended for nonexpert internet users, providing a summary tutorial on security precautions.
Another Scott
@J R in WV: As long as you can still access Swiss servers from inside the USA…
:-/
Seriously, there are no guarantees that any of this stuff can’t be broken or forbidden given a determined enough government. Great Firewalls, breaking DNS, etc., etc., can all be done. I don’t expect them anytime soon, and I’m a fan of people taking reasonable precautions, but don’t fool yourself and don’t be unnecessarily paranoid.
Cheers,
Scott.
Adria McDowell (formerly Lurker Extraordinaire
@J R in WV: Could we NOT talk about Trump and penetration? ;-)
Immanentize
@Another Scott: I can’t remember — are you a lawyer? I am considering an information protection concept that is based on legal confidentiality rules….
cosima
@Sloane Ranger: *Might?!* The hell? Can we un-f&ck ourselves with regard to Brexit, please, so that we can tell the shitgibbon to &%^$*£($?
Gin & Tonic
@Immanentize: I think you missed my reference.
Roger Moore
@Another Scott:
If you can’t, you have bigger problems than unavailability of your email. Also, too, if you’re planning for the worst, it’s probably better for the failure mode to be making your email inaccessible to anyone rather than making it accessible to everyone.
Another Scott
@Immanentize: Nope, I’m not a lawyer (though I do opinionateify about legal things sometime). I’m not an IT person either – just a very long-time Internet user.
Cheers,
Scott.
Immanentize
@Gin & Tonic: I think I got it, but I was avoiding because I hate both Nazis and dentists…. The latter probably scare me more than the former. Put them together? Hoffman!
Captain C
@O. Felix Culpa: I suspect a lot of Republicans are worried that if Trump actually starts a full-on investigation of vote fraud, they’ll get caught up in the dragnet, one way or another.
Captain C
Serious question: If the arrested Russians were in fact moles, and were burned by Trump people, and given that Trump is already basically openly at war with the entire IC, at what point do Trump people start having really nasty personal info leaked, accidents, or vaguely plausible natural deaths, if at all?
ETA: Or would they just be arrested?
Roger Moore
@Captain C:
I’m going to go with “not at all”. The classic response to a suspected mole is a canary trap: give the mole misinformation and see if the enemy starts acting on it. The response to a known mole is twofold: strategically feed it misinformation and try to turn it into a double-agent. Harming a mole is a last resort when the other options don’t work. If the IC actually gets actionable intelligence proving that Trump is a mole and they can’t make use of him, the correct response would be to reveal it to the Congressional oversight committees. That has the advantage of being A) the legally correct thing to do and B) getting the information to people who have the power to do something with it; you can bet the Democrats on those committees would act on it.
Ian
@Xenos:
It seems worthy of quite a bit more than investigation, if merited. Now imagine the reaction of a democratic president ousting a mole.
droog
Congress and SCOTUS need to waive the nepotism rules. National Security demands that Barron Trump is appointed as Special Chief Protector of the Cyber.
Raven Onthill
Crash Override has a list of resources that include opt-out procedures for data mining sites, here: http://www.crashoverridenetwork.com/preventingdoxing.html.
Cheryl Rofer
@Captain C and @Roger Moore: We don’t know much about the Russian arrests, but there is a lively speculative game going. The arrests were in December and just revealed this week. That makes it less likely that it was Trumpies who outed them, but not impossible. Another possibility is that the intelligence report on the DNC hack gave Russian counterintelligence enough information to out these guys. Or that it started an investigation that turned them up. Or that they are an easy target to make a point. I’m trying to stick to available facts and have worked through what I’ve got here.
Sloane Ranger
@cosima: Thread is probably dead but just in case it’s not, there is nothing I would like more than for us to get unf@!ked but at this point there is 0 chance of this happening. We are in what can’t be cured must be endured territory.
As for May’s comment “might” in this case is diplomatese for will. If our Intelligence people have even the slightest cause to believe the Russian arrests were the result of a leak from the Trumpeters it’s probably happening. And not just us. Expect Canada and New Zealand to do the same. Australia I’m not so sure of.
Central Texas
That OPSEC definition is interesting. I suspect that it is only one tiny step from that to considering anyone who would read the information revealed as an enemy from whom everything should be concealed. Unfortunately, that “everyone” means “us”, the citizens and voters who might be interested in what is being done in our name if not on our behalf. It is not a good attitude for public officials or public servants to cultivate but is all too common and becoming more so.
J R in WV
@Adria McDowell (formerly Lurker Extraordinaire:
OUCH! Sorry, all. didn’t even see that coming! ;-0