As I did then, so do I now. And like all things under the sun, some things simply do not change.
Advanced Sensing and Warning:
There was something odd about the feeling I would get when my SIPERNET email box rang. Takes me back to one of my first tours in the Middle East. It informed me the good ole crew in Annapolis Junction would deliver a sensitive report about some malfeasance taking place on my TIG (Theater Information Grid). While it wasn’t a delightful feeling, my ego accepted. Each alert was as if someone challenged me to a unique Matrix form of Cyber Mixed Martial Arts. Back in my early 20s, my adolescence proved to be my own formidable opponent in the Cyber game. This day was no different. But then, it really was.
I had already been up for hours on end trying to mitigate a classified spillage. One of the guys in an unnamed Special Warfare Unit had inadvertently caused the spillage. (In an area that didn’t exist at the time. Most certainly training a group of people that weren’t there. Who were also not aware of the very highly classified nature of the systems of which they were working on.)
There was no blame in my mind regarding the incident. I understood, more than most, these men were not trained in the agile art I had come to love. But to the detriment of the men on CVB, this was an intolerable risk to National Intelligence on a platform which had yet been classified as such. At least this was the truth in the tiny bubble area of the base not many people even knew of.
I knew of this place only because of the position I held. The unique blend of Cyber intelligence, Cyber Defense, and Cyber Operation fused into an already ambiguous position called the IANE. This coupled with a TS/SCI clearance, + a few other attributes (which remain unspoken), really placed my AOR in a constellation of responsibilities as defined as the imaginary ones connecting our blessed Circinus. Nevertheless, this night was unique.
I sat in my seat painstakingly writing a SITREP about the previous “situation.” Suddenly, my commands AS&W report chimed from my mailbox. “Challenge Accepted” is what chimed in the back of my head way before I could execute the action given from my brain to my neck to acknowledge the blood-red labeled terminal and accept the message. The “Challange” was in all reality, a self-identified mission to debunk whatever this “OverWatch” alert was claiming. Well, this challenge wasn’t different, but it for sure was unique. You see, this was during the heyday of Microsoft SharePoint, PowerPoint, and other “Online Content Publishing” services way before the word “cloud” was a thing. But then, similar to today, the technology was so new its complete understanding, its functionality, vulnerabilities, and propensity for mishaps was ever present.
As it turned out, highly classified mission plans clearly marked “SECRET//NOFORN” on borders of a common PowerPoint template surfaced on NIPERNET. It was technically published on the Internet. The contents of which (unbeknowst to me at the time) were regarding that special place on the nonexistent base. Not only did this ASW report illuminate that the cat was out the bag. It further informed me the release (origin of the spillage) took place under my Cyber Tenant Command. Again, challenge accepted. Underestimation of the gravity this situation was to be tested tonight. And the few present for this event would end up calling my InfoSec doctoring “Draconian.” Not to revisit the Spillage Containment procedures which ensued. A very detailed story we published last year covered this, and it’s beside the point here.
Last week, I read yet another rendition of a Trello Credential Mining Google Dork release. While not surprising in content, was surprising in context. The socialization of these releases in the media have become common place as of date. And yet, it seems organizations still find themselves with an inability to thwart them effectively. bits&digits, Hold Security, and others back in 2014-15 spent numerous hours in our beginnings doing, finding, and reporting publicly facing databases, or AWS Containers, or otherwise misconfigured systems and playing the responsible disclosure game with relatively modest media attention. But, shall I say, it’s 2018.
There is little to no reason these systems should be mismanaged in a process driving organization in a GDPR day and age. A day and age where Corporate Leadership receives a verbose articulation on how to manage social media and data exposure systems. It is not my intent, and nor will it ever be, to release a rant without cause. Nor is it my intent to point fingers or blame. This solves nothing. What I hope digests from this is the days of blissfully ignored responsible disclosures are soon dead. Politicians and Media representatives alike are becoming all too aware the organizational processes resulting in these sorts of exposures are either non-existent or operationally deficient.
Time to call in a specialist or a consultant if you feel you lack the answer on mitigating these threats.
Tate, Signing Out.