I live a weird and strange existence as a hacker. I am always 'on', meaning that I am always looking at the world through hacker eyes. As a result of this, and as anyone who knows me or follows my Twitter feed knows, I often find myself face-planting into security fail situations of rather epic, ironic, and hilarious proportions.
This year at Shmoocon 2016 in Washington D.C., I found myself in yet another such situation where, through purely innocent actions, I came into possession of the security plans for the United States Marine Corps Ball, which was held in the Washington Hilton on November 20th, 2015, the same hotel that hosted Shmoocon two months later.
I am posting this write-up as a case study of an Operational Security fail that can be useful for all sorts of situations and organizations. For various reasons, which will become apparent, I am NOT posting the documents beyond a scrubbed copy of the cover page, nor discussing specific details within them. I bear no malice or ill will toward the men and women of the Marine Corps (the specific missions they may be sent on are another matter entirely), and as you will soon learn, I have taken steps to ensure that they learn from this fail and that their safety and security are increased as a result.
The documents in question consisted of 18 pages (several were double sided), all marked "For Official Use Only". The collection was entitled "Washington Hilton Security Plan" according to the cover page, with a subtitle of "Guard Company 20 November 2015".
These documents detailed the USMC security plans for securing the Marine Corps Black and White Ball, which was held on November 20th, 2015 at the Washington Hilton.
The documents (without going into specifics) contain current threat assessments, attack methods and vectors, and guard "Be On The Lookout" (BOLO) information. There is also operational information regarding guard equipment, movements and procedures, methodologies, mitigation strategies and recommendations. There are also maps of the hotel space that detail guard locations and patrol areas, as well as other interesting information. On the cover page were several handwritten names, phone numbers and other interesting details.
These documents, while not anything earth-shattering, could reasonably be read as the Standard Operating Procedure (SOP) for other similar events, which makes them of interest to potential threat actors. Combining this information with other information releases and publicly available sources could allow a threat actor's actions to be more effective.
These documents were found sitting in an unlocked fire hose connection "cabinet" in the lower lobby area. They were folded in half and rolled up as if someone had carried them around in this rolled-up state all evening. It is fairly logical that someone on the security detail, at some point in the evening, grew tired of carrying them and disposed of them in the closest place possible. In this case, a rarely opened, let alone cleaned, access panel in the conference area. Rarely opened, that is, until a group of hackers decided to check out the conference space before Shmoocon and indulge our curiosity about what is behind these panels and in these cabinets.
After finding these documents, and having one hell of a laugh, I sobered up and re-thought my original plan of posting the whole lot online and calling it a day. Instead I put a call out to a contact in the FBI cyber crime division for advice.
(Side note: The FBI has done a great deal of outreach and attempted to build bridges with the security research and hacker community to allow us to reach out and ask such questions without fear. The amusingly named "FBI Cyber Ninjas" program is just starting but is encouraging. They should be lauded for providing this avenue of communication.)
One encrypted phone call with my contact later, I decided against posting the documents and decided to turn them over. Not out of fear of the FBI, but because there was no easy way to ensure proper redaction of the documents such that I could post them and have interesting info in them, yet be sure of no reprisal from the Marines. I've been under enough scrutiny lately and I did not relish any more.
The documents were turned over to an FBI agent colleague of my phone contact who was at Shmoocon, with the understanding that they would be turned over to the proper personnel at the USMC through proper channels for whatever remediation they deem necessary.
So the lesson to be learned here, other than one of schadenfreude for the Marines, is that the small things in operational security matter. One moment of poor decision making in disposing of sensitive documents may go unnoticed for years, or the documents may simply be thrown out by hotel staff, but occasionally such things are found by the people you wish had not found them.
There is also a lesson for hackers and infosec types. Be curious, be inquisitive, and open the things that others ignore. Look for the side channels that are often overlooked in the monotony of the daily grind of the staff who work there.