About: What are Red Teams? We're sort of like the special forces units of the security industry—highly skilled teams hired to break into the clients' own networks and premises. We find the security flaws so they can be patched before someone with more malicious plans gets in.
The goal of Red Team operations is to continuously challenge the plans, defensive measures and concepts of the organization. These exercises result in a better understanding of possible adversaries and help to improve countermeasures against them and future threats.


Trek - Behind the scenes | GORUCK news

Yes, I was there. No, I won’t talk about it, and I am not featured in any picture.

(on the picture above… I learned a lesson there)

(some things are paid with other currency…)

GORUCK Trek. You don’t know.


  Designed by spies and operators, Trek is part CIA, part Special Forces.
  
  Green Berets serving as combat advisors teach Trekkers the fundamentals of how America’s best operate in some of the world’s most austere urban and rural environments. Situations develop quickly, and your teams are forced to make choices, quickly.
  
  Sleep deprivation, physical exhaustion, and operational tempo mimic a real world scenario that develops from Trek to Trek. 36 Hours +




Been there. It’s all that and more. Trek kicks your behind. It’s intense, fast and in your face.
It’s not for everyone. But then again, I was never there.


“Lessons from Trek 002 - everybody’s got a plan until they get punched in the mouth.”

—An unidentified source.

Spy agency seeks cyber-ops curriculum | Reuters

The National Security Agency is trying to expand U.S. cyber expertise needed for secret intelligence operations against adversaries on computer networks through a new cyber-ops program at selected universities.

The cyber-ops curriculum is geared to providing the basic education for jobs in intelligence, military and law enforcement that are so secret they will only be revealed to some students and faculty, who need to pass security clearance requirements, during special summer seminars offered by NSA.

It is not easy to find the right people for cyber operations because the slice of the hacker community that would make a quality cyber operator inside the government is only a sliver.

I like this. However, I would look outside the academic world and into the real world. People with experience, people that have been there and done that, and people that also have a background in special or black ops. (hint, hint…)

The article is interesting and it is good to see that something is being done.

“If someone walks up to you on the street and hits you with a lead pipe, you know you were hit in the head with a lead pipe,” Kaminsky says. “Computer security has none of that knowing you were hit in the head with a lead pipe”

Everyone Has Been Hacked. Now What?

Over there…

You know that undisclosed place I always go? Well, I am not there. I am somewhere else.

Comparing IEDs and Digital Threats | Richard Bejtlich

Two weeks ago Vago Muradian from This Week in Defense News interviewed Army Lt Gen Michael Barbero, commander of the Joint IED Defeat Organization. I was struck by the similarities between the problems his command handles regarding improvised explosive devices (IEDs) and those involving digital security professionals.

A great post by Richard Bejtlich. He lists the similar points as follows:

  • The threat “shares information globally,” and engages in an “arms race” with defenders, sometimes by “sitting in front of a computer” devising the latest tools and techniques.
  • The adversary can introduce changes to tools and techniques in weeks and months, not years or decades as was the case with conventional or strategic weapons.
  • For a “meagre expenditure,” the adversary can impose “huge costs on defenders.”
  • The goal of the security program (i.e., JIEDDO) is to provide commanders freedom of maneuver to conduct operations (business) in an IED environment.
  • “If you’re worrying about the device, you’re playing defense.” Don’t focus only on the device, put pressure on the networks (of adversaries who design, build, and operate the weapons.)
  • Intelligence plays a key role in defeating adversaries. Winning involves applying “lethal pressure,” along with government techniques. “It takes a network to defeat a network.”
  • Defeating the device attracts the most attention and funding, but training users and attacking the network must also be pursued. Training involves ensuring that operators are using countermeasures effectively and appropriately.
  • JIEDDO shares threat intelligence in unclassified form so industry partners can devise countermeasures. The unclassified documents are backed by a classified appendix that describes how troops deploy countermeasures in operational settings.

Dead center. It is a fascinating comparison and as someone that has been around IEDs (and came out alive) and the information security world for a while I can really relate to what he is saying.

This week on the TSA...

A New Jersey airport security supervisor accused of using a murdered man’s identity to hide his illegal immigrant status apparently bought the man’s birth certificate and Social Security number from an intermediary before his death, police said Wednesday.

More details are emerging in the case of a Newark Liberty Airport security supervisor who allegedly has been using the identity of a dead man for the last 20 years.

In an audit by the TSA’s Office of Inspector General published Monday, coincidentally the day Oyewole was arrested, investigators found an example of an airport worker who held security badges for three airports - each with a different birthplace listed.

But.. you can’t bring liquids to an airport… Yeah, I feel very secure.

Damn, if the TSA can’t even run a simple background check on their employees or people doing security at the airports, what’s stopping a freaking terrorist from stealing someone else’s identity (something so amazingly easy in the US) and applying for the TSA…?

Yeah, I feel very secure.

“I have been tasked by the Human Ruling Council to ask… no… beg you to read this book and master its skills so you can turn the tide of history itself. In these pages, you will learn how to wield control of computer systems through writing scripts and code in a variety of the most important languages today: Python, Ruby, PowerShell, and more.”

Ed Skoudis

From the foreword from Coding For Penetration Testers. Ed gives Jason and Ryan’s book a terrific introduction. Added to my reading list, expect a review forthcoming.

(via pleb)

Leveraging OSINT for penetration testing (PDF)

A great set of slides about the utilization of Open Source Intelligence (OSINT) for information gathering and as a penetration vector for pentests.