July 2010
By Wayne Kinsey
INSCOM OPSEC
Nothing is more important than your personal information. If an adversary acquires enough of your personal information, they can use it to steal your identity, to present themselves as you to your friends, and to gather information that they can use against the national security interests of the nation.
One can find Personal Identity Information on numerous information systems. Security experts will say that the weakest link in any information system is the user. Why? It is easier to gather information from or about the user than it is to attack the system itself. Two examples of how adversaries might collect PII follow.
The U.S. Navy reported that certain cigarette manufacturers gave military members free packages of cigarettes after scanning a document, such as a Common Access Card or driver’s license, to verify the age of the recipient. These documents, however, contain PII, such as the individual’s social security number, birth date, address, and other personal details. CACs also contain sensitive information on PKI certificates that one uses to access government computer systems. Adversaries are always on the lookout for this type of data to use in attacking Department of Defense information systems. The stated purpose for scanning these documents was to verify the person’s age before giving them packages of cigarettes. However, was it really necessary to scan these documents and what happened with the information after the scan? Is the potential loss of PII worth two packs of cigarettes to an individual? One should know that the CAC should only be used in government facilities and one does not need to scan your driver’s license to verify your date of birth. Currently there are no indications that anyone has used the information gathered to the detriment of an individual or the government, but that is no guarantee that they won’t use it in the future.
Wikipedia describes social engineering as the manipulation of people to get them to act or divulge information for use against them or against information systems. The growth of social networking websites has increased the availability of information necessary for successful social engineering attacks. The information available from a CAC or driver’s license is a prime example of the type of information terrorists, criminals, predators and foreign intelligence services need for their social engineering endeavors.
Any of these adversaries can use information from a SNS to cause another individual to act or divulge information to their detriment or to the detriment of a government organization. To add to the problem, researchers have recently developed a program that automates a social engineering attack. The program tracks and correlates information users store in SNS. The programmers then use the gathered information to profile users and to get them to divulge still more information for future attacks. There are a number of other types of social engineering attacks, such as phishing, spear phishing and whaling that adversaries use to gather information to use against us.
Operations Security is a risk management program. Before allowing someone to scan your CAC, driver’s license, or other documentation, consider the risk of an unknown person having access to this information. When you post information on an SNS, be aware of how an adversary can use this information to the detriment of government departments and agencies. In other words, THINK OPSEC.
VAO Blog 