Flashcard study apps expose nuclear secrets to all

Richi Jennings, Your humble blogwatcher, dba RJA
 

US military personnel have been uploading nuclear secrets to online learning platforms, where they can be found by anyone. Free flashcard apps such as Chegg, Quizlet, and Cram have hosted the scarily detailed secret data for as long as eight years—possibly longer.

Open-source intelligence researchers discovered the careless whispers from a simple Google search. You might not be responsible for nuclear weapons, but you can still learn lessons about protecting your organization’s secrets.

Rote learning is bad enough without suffering fallout from information leakage. In this week’s Security Blogwatch, we file our cards away securely.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Toxic Town.

Monkey see, monkey do

What’s the craic? Foeke Postma reports that military personnel Expose Nuclear Weapons Secrets Via Flashcard Apps:

For [military personnel] tasked with the custody of nuclear weapons … security protocols are lengthy, detailed and need to be known by heart. To simplify this process, some service members have been using publicly visible flashcard learning apps — inadvertently revealing a multitude of [secrets] about US nuclear weapons and the bases at which they are stored.

The flashcards studied by [personnel] tasked with guarding these devices reveal not just the bases, but even identify the exact shelters with “hot” vaults that likely contain nuclear weapons. They also detail intricate security details and protocols such as the positions of cameras, the frequency of patrols around the vaults, secret duress words that signal when a guard is being threatened and the unique identifiers that a restricted area badge needs to have.

[We were] able to discover cards used by military personnel [on] free flashcard platforms. [Some] had been publicly visible online as far back as 2013, [and some] detailed processes that were being learned by users until at least April 2021. … However, all flashcards described within this article appear to have been taken down from the learning platforms on which they appeared after [we] reached out to NATO and the US Military.

In many cases, servicemen or women have added … highly specific security details [e.g.], the location of modems that connect vaults to the monitoring facility, the procedures for duress signals for each area on base, the sight pictures of cameras aimed at the vault as well as the components and workings of their console.

There also appear to be cards for completely different military uses. For example … questions about carrying out a drone strike using an MQ-9 Reaper.

Wow, SRSLY? Matthew Gault has more bad news for the DoD—U.S. Military Personnel Spilled Nuclear Secrets in Online Flashcards:

That the U.S. has nuclear weapons in Europe is an open secret. … But details about [the bases’] operations have remained a closely guarded secret. The flashcards spilled many of those secrets.

The Pentagon scrubbed some of those secret-laden flashcards from the web, but it didn’t get them all. Many are still archived on the Wayback Machine.

Air Force nuclear personnel have a life or death job that’s incredibly boring and filled with mindless tedium. They’re routinely tested to make sure they’re keeping up with the myriad technical details they need to stay on top of the job. Sometimes they cheat to pass the test. … Cheating, uploading nuclear secrets to the internet, and dropping acid on the job aren’t comforting to the communities who live near the bases.

What lessons can we learn? Gareth Corfield concludes—Leaked data proves very educational:

The … findings are similar to the open-source intelligence [we] found when looking at beer-rating app Untappd last year. [We were] able to easily identify key government personnel working in militarily sensitive establishments.

Online OPSEC is important: Subscribing to ebooks website Scribd and searching for certain terms can reveal all manner of confidential manuals and handbooks, and slide-deck website Prezi occasionally contains internal slideshows the content of which probably wasn't intended to be published to the wider world.

Think of it this way: if you’re uploading sensitive data to a website that isn’t operated by or contracted to your [organization] you probably shouldn’t do it. Particularly if you're guarding nuclear weapons.

You’d think that would be standard OPSEC. morpheuskafka agrees:

Quizlet is a repository for a lot of information that shouldn't be online—from test answers to proprietary line-of-business stuff (e.g., retail training materials) to security related stuff (security trainings, emergency response codes). … One appears to list a number of installations that hold various critical networking infrastructure as well as the names of various admins.

But I would have thought the military would be smart enough not to use it. … As members of the military who are trained and indoctrinated into OPSEC and information handling practices, I would expect them to have made a better decision.

Instead, the secrets are hiding in plain sight. ShanghaiBill channels Churchill:

The truth should be protected with a bodyguard of lies. The DoD should periodically intentionally leak fake "nuclear security protocols" so if the real thing ever leaks, [the opposing force] will have no idea if it is real or not.

But doesn’t the DoD have its own learning platforms? Yes, but angry_octet has bad news:

Systems like AKO (Army Knowledge Online) are notoriously terrible. US compliance systems often favour rote learning over knowledge, hence memorising vast numbers of irrelevant details as a false proxy for competency.

Ouch. How can the problem be fixed? This Anonymous Coward advises thuswise:

Here's a tip on handling secrets: The fewer you know, the fewer you can leak, even by accident, and the fewer you can be accused of divulging. This is why it's always a good idea to try to brief people from public sources, a trick I picked up from a now retired Colonel.

Handling secrets isn't that hard. Keeping them is harder.

But 1MachineElf thinks that sounds disastrous:

Many family members have been pressuring me to steer my IT/InfoSec career towards obtaining a security clearance. … I fear that I could not last through such an ordeal: The concept of not being able to collaborate with coworkers due to arbitrary security rules sounds like a disaster.

Meanwhile, are you feeling what geekmux is feeling?

I have a feeling the combination to their luggage is … 4…3…2…1

The moral of the story?

What secrets might your organization be leaking via free apps? Is there a red-team opportunity here?

And finally

It shouldn’t work, but somehow it does—gloriously

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

This week’s zomgsauce: Lisa Jasmin Adams (via Pixabay)
