Tuesday, January 1, 2013

Attempting to steal your secrets

A friend sent me a note that the United States Defense Security Service (DSS) just released its counterintelligence threat trends report for 2011.  For the uninitiated, counterintelligence is the spy vs. spy stuff: our military and intelligence agencies trying to determine how, and what, other intelligence agencies are collecting against them.  The trends report is unclassified and openly shared because it's designed to inform everybody what to be alert for.  It's written for those working around US Govt information, but it applies to pretty much everybody working at any company that has trade secrets.


75 page report:
http://www.dss.mil/documents/ci/2012-unclass-trends.pdf

18 slide summary:
http://www.dss.mil/documents/ci/2012-unclass-Trends-Brief.pdf

My summary of the summary:
Interestingly, IT was at the top of the list and well up from last year.  This is funny because a popular trend seems to be for the US Gov to open source and publish papers about all the interesting stuff anyway:

http://en.wikipedia.org/wiki/Apache_Accumulo
http://www.nsa.gov/ia/_files/Mobility_Capability_Pkg_(Version_1.1U).pdf
http://www.openstack.org/

Requests For Information (RFIs) were one of the methods used to gather intelligence, aside from trying to buy the stuff outright (AAT).  Asking about something and trying to buy it is still the best way to learn a technology; nothing new here.

Suspicious contact reports were way up from the previous year.  This is partly due to a change in the definition of what constitutes an SCR but 75% still seems like a lot.

I did ctrl-f to search the report, and "social media", "facebook", "linkedin" and "twitter" returned no results; there was one mention of "social" in the context of "social network".  Maybe the other information about social media MO is classified; in either case I was disappointed they didn't address it more in the report.  Suspicious profiles trying to connect with targets on LinkedIn is one of the most common things I hear of.  The best policy is to only friend folks you know personally on social networks.

Recruiters and "head hunters" are the worst at this random-friending.  On that note, if you have proprietary, trademarked, trade secret, or otherwise sensitive information rattling around in your head, please don't spew it all out in an interview.  Talk about your competencies, not the details of your last project.  I'm often shocked by what people will tell me during interviews, ostensibly to impress me.  They don't.  If they can't protect their last company's information, why would I think they'd have any sort of loyalty to our team?  On the other side of the table, having gone through a few interviews several months ago, I was also shocked at how much information interviewers will provide about their company to potential hires!  I am not a lawyer and this is not legal advice, but here's a dirty and dangerous secret about proprietary information: if it's released in a public forum, or in a conversation with a person who hasn't signed an NDA, it becomes more difficult to hold the people you do have NDAs with accountable for releasing it.  It has, in essence, become public information.  Oh... and another thing: that generic NDA your company has been reusing for the last decade isn't very effective anyway; see "Why Generic Non-Disclosure Agreements Don't Work".

If you do business, something you should also know about is denied party screening (and the legal requirement to do it, especially in international dealings).  Here's a useful web site for helping to check whether somebody is legit or not:
http://www.bis.doc.gov/complianceandenforcement/unauthorizedparties.htm


Hope this information helps.  If you find my blog useful or entertaining, don't forget to subscribe and receive updates.