March 28, 2025
Aggregation Risk
The only limits to my ability to hurt you are how much data I have on you and my creativity.

When I was teaching OPSEC in DC, the class started with an announcement from a coordinator: "If there are any security events, everyone needs to gather at the center building column." After they finished and introduced me, I told the class, "Knowing what we were just told, as an attacker, the center column is where I'd plant the second bomb…"

"But hold on," you say. "You'd still need to know ways to access the building, plant explosives unnoticed, and so on," and you'd be right, but that's the point.

Some dangerous information can't be acted on without additional details. Some very innocuous-seeming data can become very dangerous with additional details. Basically, the aggregate of data is a force multiplier. Information in aggregate tells me:

Your vacation, my opportunity

A man from Jacksonville, Oregon, was relaxing at a nearby lake when he got a call asking about the horse he was giving away. He soon discovered that someone had posted a Craigslist ad stating that he had to suddenly leave his home, so anyone who showed up at the address could take what they wanted.

He rushed home to find people dismantling his house and carrying off his possessions like ants on a caterpillar. When he challenged them, the thieves had the audacity to hold up a Craigslist ad as if it were a writ of ownership. By the time the police arrived, the damage was done.

He was victimized because the attacker knew two things: 1) where he lived and 2) that he wasn't going to be home on Saturday. Either piece of information was useless on its own, but once combined, the rest was trivially easy. That is the power of aggregation.
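The Craigslist story is a record-linkage problem in miniature. The following is an added example, not code from the article: three constructed data sets (a hobby-forum profile dump, a retailer loyalty export and a batch of public posts) are each harmless on their own, because none of them contains both a home address and a "nobody's home" date. Joining them on the fields they share (phone number, then user handle) produces exactly that combination. All handles, phone numbers and addresses are made up, and the "away" keyword list is a deliberately crude heuristic.

```python
"""Aggregation risk shown as record linkage across three harmless-looking sources.

Added example, not from the original article. Every record below is constructed.
"""
from collections import defaultdict

# Source A (constructed): a hobby-forum profile dump. Handle, city, phone. No address.
FORUM_PROFILES = [
    {"handle": "lakeguy42", "city": "Jacksonville, OR", "phone": "541-555-0142"},
    {"handle": "trailrunner", "city": "Medford, OR", "phone": "541-555-0199"},
]

# Source B (constructed): a retailer loyalty export. Phone and shipping address. No handle.
LOYALTY_CARDS = [
    {"phone": "541-555-0142", "address": "12 Pine Ridge Rd, Jacksonville, OR"},
    {"phone": "541-555-0199", "address": "8 Elm St, Medford, OR"},
]

# Source C (constructed): public posts. Handle and free text only.
POSTS = [
    {"handle": "lakeguy42", "text": "Heading out to the lake Saturday, back Sunday night!"},
    {"handle": "trailrunner", "text": "New shoes arrived, review soon."},
]

# Crude heuristic for "I will not be home" statements (assumption, not a real classifier).
AWAY_KEYWORDS = ("heading out", "out of town", "vacation", "back sunday", "away this weekend")


def index_by(records, key):
    """Map key value -> list of records, so each join is a dictionary lookup."""
    idx = defaultdict(list)
    for rec in records:
        idx[rec[key]].append(rec)
    return idx


def mentions_absence(text):
    """True if the post looks like an announcement that the author is away."""
    lowered = text.lower()
    return any(k in lowered for k in AWAY_KEYWORDS)


def source_alone_is_dangerous(records):
    """A single source is 'dangerous' here only if one record gives address AND absence."""
    return any("address" in r and mentions_absence(r.get("text", "")) for r in records)


def link_sources(profiles, loyalty, posts):
    """Join A<->B on phone and A<->C on handle; return every address + absence pairing."""
    by_phone = index_by(loyalty, "phone")
    by_handle = index_by(posts, "handle")
    hits = []
    for p in profiles:
        addresses = [c["address"] for c in by_phone.get(p["phone"], [])]
        away = [q["text"] for q in by_handle.get(p["handle"], []) if mentions_absence(q["text"])]
        if addresses and away:
            hits.append({"handle": p["handle"], "address": addresses[0], "away": away[0]})
    return hits


if __name__ == "__main__":
    for name, src in (("forum", FORUM_PROFILES), ("loyalty", LOYALTY_CARDS), ("posts", POSTS)):
        print(f"{name:8s} alone dangerous: {source_alone_is_dangerous(src)}")
    for hit in link_sources(FORUM_PROFILES, LOYALTY_CARDS, POSTS):
        print(f"JOINED: {hit['handle']} lives at {hit['address']} and posted: {hit['away']!r}")
```

The point the script makes is the one the article makes: each source's owner can truthfully say "we never stored where he lives and when he's away", yet the join key (a phone number reused on two sites, a handle reused on two more) is all an attacker needs. The practical defence is the one the rest of the page describes: deny the join keys, by not reusing the same phone number, handle and birthday everywhere.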

Information is power

The concept of aggregation is well established in national security. On one side you have terrorist organizations working to collect every detail of their target that they can; on the other, you have OPSEC programs teaching forces the importance of information denial.

I spent years trying to find the right way to get this point across and, in doing so, learned that people find it hard to connect with examples at the Nation-State level. Instead, what about a little real-world thought experiment?

Trigger warning – some seriously dark possibilities

Assume that I want to destroy your life and have at my disposal only two pieces of information: your address and…

I love you, Brad! We should be together!

… a post online I saw where you explained how your wife, due to a misunderstanding, thought you might be cheating on her. How hard would it be to drop some scandalous love letter in the mail adorned with a girl's name as the sender and a bright red kiss mark? What happens then?

… information that you participate in alcoholics anonymous or online support groups for alcoholism. What if I sent you a "complimentary bottle of wine" sometime? Or, better yet, I wait until I see your post talking about how the wife and kids were going out of town for the weekend?

… details of your parole after serving 10 years for possession. I hide a package of incriminating evidence in a conspicuous spot of your side yard then call your parole officer claiming to be a neighbor who saw you burying something suspicious.

Should I keep going? Or do you see how little bits of information can create opportunities to absolutely destroy someone? And lest you think this is only a thought experiment, Facebook has been caught using its vast data on people to manipulate their mood as an "experiment". Best Buy was caught data mining to label customers as either "Angels" or "Devils". And the examples go on and on…

It's not a fun exercise, but it's valuable to learn to think like a bad guy if only to better protect yourself and the people you care about. And it also helps you understand why you should learn the LifeSec skill of providing the most vague and least-detailed information possible in all situations.
Plugging the leaks

You would be stunned if I told you how frequent data breaches are. So frequent, in fact, that they don't even make the news anymore. Instead of counting on negligent organizations to keep your data safe, we must practice information denial at all times, in all ways, because it's hard for them to lose or abuse information they don't have.

Step 1: No more than necessary.

When you see a web form, do you fill it in? Why? Is every field you see necessary? Usually there's some kind of indication, but not always. To find out for sure, try pressing "sign up" or "go" or whatever and it will highlight all the necessary fields.

Everything is necessary? No worries. There's a strategy for that too.

It goes without saying that you should rarely fill in any details of your "profile page" in games, on websites, or in apps. Why provide even more data for them to lose or abuse?

Step 2: Ask why

If you're being asked for information that you can't see the reason for, ask why (when able). For example, when I go to the dentist, they might ask for my Social Security Number. I ask, "why?"

You get only what's necessary and no more.

They will say that it's necessary for billing, but this isn't my first rodeo. Whenever I change insurance, I check whether they ever require an SSN, and (so far) the answer is always "no". And so I tell the dentist the same: "No. You can't have my SSN because you don't need it. I called and checked, so process me without it or I'll find someone else."

Not once have I ever been turned away for withholding my SSN in medical situations. Why not try it? What's the worst that could happen? You don't end up doing business with someone who's careless with your data?

Step 3: Get creative

Sometimes there's not another dentist. Sometimes the site you need access to is the only one that will serve your purpose. Sometimes there isn't another good option and you're forced to make a decision… or are you?

To the best of my knowledge, it's not illegal to put fake answers for challenge questions (stuff like, "what's the name of your first pet"). Your phone will still get you home if you set your "home" location to somewhere NEAR your address (instead of using the real location). Most websites don't need YOUR birthday, they need A birthday. And those store discount codes work just as well with a generic phone number (Pro tip: use your area code and 867-5309 – it never fails).

"An" address...
"A" birthday...
"A" phone #...
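Challenge questions deserve special treatment, because their "true" answers (first pet, mother's maiden name, high school) are exactly the small facts an attacker aggregates from public profiles. The following is an added example, not code from the article: it generates a random multi-word answer for each question with Python's `secrets` module (not `random`, which is not suitable for secrets) so the answer becomes a second password that no amount of aggregation can recover, and it reports the entropy of the answer so you can judge the word list. The question list and the short word list are constructed for the example; in practice use a large published list such as a diceware list, and store the question/answer pairs in your password manager.

```python
"""Random answers for account challenge questions.

Added example, not from the original article. The word list is a small
constructed one; a real deployment should use a large list such as a diceware list.
"""
import math
import secrets

WORDS = [
    "aardvark", "basalt", "cobalt", "dune", "ember", "falcon", "granite", "harbor",
    "iris", "juniper", "kelp", "lantern", "meadow", "nickel", "orbit", "pebble",
    "quartz", "ripple", "saffron", "tundra", "umber", "velvet", "walnut", "xenon",
    "yarrow", "zephyr", "anchor", "bramble", "cinder", "drift", "elm", "fjord",
]

# Constructed sample questions of the kind the article describes.
QUESTIONS = [
    "What was the name of your first pet?",
    "What is your mother's maiden name?",
    "What high school did you attend?",
]


def random_answer(n_words=3, sep="-", words=WORDS):
    """Join n_words words chosen with a CSPRNG; the result is a passphrase, not a fact."""
    if n_words < 1:
        raise ValueError("need at least one word")
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(n_words, wordlist_size):
    """Bits of entropy in an answer of n_words drawn uniformly from wordlist_size words."""
    return n_words * math.log2(wordlist_size)


def answer_sheet(questions, n_words=3, words=WORDS):
    """Return {question: random answer}; this is what goes in the password manager."""
    return {q: random_answer(n_words, words=words) for q in questions}


def is_from_wordlist(answer, sep="-", words=WORDS):
    """Check that an answer is made only of word-list words (used by the self-test)."""
    parts = answer.split(sep)
    return all(p in words for p in parts)


if __name__ == "__main__":
    sheet = answer_sheet(QUESTIONS)
    for q, a in sheet.items():
        print(f"{q}\n  -> {a}")
    print(f"\n{entropy_bits(3, len(WORDS)):.1f} bits with this toy list; "
          f"{entropy_bits(3, 7776):.1f} bits with a 7776-word diceware list")
```

Three words from the toy list give only about 15 bits, which is why the lead-in says to swap in a large list; three words from a 7776-word list give about 38.8 bits, already far stronger than any real answer an attacker could look up.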

Important!

It's up to you to determine what is legal and what isn't when using this advice. For example, if you fake a SSN that belongs to someone else, that could be problematic. But there's nothing that stops you from being creative in low-stakes situations:

Story time!

When I was still part of the Inter-Agency OPSEC Support Staff, after a conference session where hundreds of people filed off to find food or bathrooms, the presenter and I noticed a cellphone sitting on one of the chairs in the front row. An unlocked cellphone.

We laughed about the irony of making such a mistake at a security conference before calling whoever was listed as "husband" and explaining the situation. He confirmed the phone belonged to who we thought (a regular we both recognized) so we could return it to her and that was that, but can you imagine what else we could have done?

How easy would it be to check the names and phone numbers of key contacts? If she worked somewhere sensitive, we could email her co-workers or boss and ask for sensitive information. If she was our target, we have names of friends, family, contact information, and from her map program, her home address. If we just wanted to ruin her evening, send a text to "Hubby" talking about how we've met someone and are leaving him before turning the phone off and dropping in the trash.

Whether you sell the phone, it gets stolen, or a permissive app is allowed to read your contacts, there are many ways that data can be taken. So why not give your contacts nicknames instead (something you'd never actually call them to their face)? It's easy for you to know who's who, but an attacker would not be able to call them and address them by name.

It's simple, safer, and fun! ("Hey Google, Call Aardvark!")
