The OSINT-ification of Job Boards: Hunting the Hunters
*Note: This article was originally published by the author on July 2, 2019.*
It’s long been said that if you want to figure out what systems and applications a particular company runs, just have a look at its IT-related job ads. Companies routinely give away far too much about the applications, operating systems, and services they depend on in those ads. If I am an adversary (and, wink wink, as a security researcher I think like one), you can bet that job boards are one of the first places I will be collecting Open Source Intelligence (OSINT) from. I’ve been on the hunt for a new job lately and it amazes me just how much system-level technical detail companies and recruiters list in their job advertisements. Let’s have a peek, shall we?
OSINT belongs to the data collection, or Reconnaissance, phase of an attack, and the way it proceeds mirrors how an attacker pivots once inside a targeted network: each new discovery about the target is a hop or pivot point that sends the reconnaissance in a new direction in search of more useful or actionable intelligence. Let’s look at a company like FireEye. Here is one of its job advertisements, for an “Information Security Engineer (TS/SCI Clearable)” role.
This seems like a great job, right? The description is fairly standard and starts off with who FireEye is: intelligence-led security company, 6,300 customers across 67 countries, bought Mandiant years ago, yadda, yadda, yadda… The Operational Security (OpSec) of this listing, though, is not very good, which is one of the reasons I chose to focus on it. I have nothing personal against the company, I think they’re great generally speaking, but this ad is one of many that are lacking in OpSec.
Having personal experience in the Information Security Engineering profession, I know exactly what to look for in these ads, and there are many, many like them, because the Federal Government (more specifically, the National Institute of Standards and Technology, or NIST) has defined specific roles within the system assessment and authorization process of the NIST Special Publication 800-37 Risk Management Framework, with its companion control catalog in SP 800-53. When these DoD/IC acronym-heavy ads start listing terms such as “Security Control Traceability Matrix (SCTM),” “Plan of Action & Milestones (POA&M),” “System Security Plan (SSP),” and “Intelligence Community Directive (ICD) 503,” they are dead giveaways of the kind of highly classified National Security Systems (NSS) the work will be performed on. Of course, this fact is not lost on our adversaries, who are already well aware of this open-source information.
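To make the harvesting described above concrete, here is a small job-ad OpSec linter. It is an added example written for this article, not a tool from the original post or from any company named in it. It pulls out the three things an adversary reads an ad for: clearance language, RMF/NSS acronyms, and the technology stack (product names, and especially product-plus-version strings that hint at patch level), then returns an exposure score and a sanitized copy of the ad. The indicator lists, the weights, and the sample ad are all this example’s own assumptions; the sample ad is constructed and does not quote any real listing.

```python
"""Job-ad OpSec linter (added example): flag the clearance, RMF/NSS and
technology-stack details an adversary would harvest from a listing, and
produce a sanitized version of the text."""
import re
from dataclasses import dataclass, field


@dataclass
class Findings:
    clearance: list = field(default_factory=list)  # clearance phrases found
    rmf: list = field(default_factory=list)        # RMF / NSS acronyms found
    stack: list = field(default_factory=list)      # products, versions, services
    sanitized: str = ""                            # ad with findings redacted

    def score(self) -> int:
        # Assumed weights: clearance and framework terms identify the kind of
        # system; a bare product name is a weaker (but still useful) signal.
        return 3 * len(self.clearance) + 2 * len(self.rmf) + len(self.stack)


# Clearance vocabulary (terms from the article plus common variants).
CLEARANCE = re.compile(
    r"TS/SCI(?:\s+(?:w/|with)\s+(?:CI|full[- ]scope|lifestyle)\s+poly(?:graph)?)?"
    r"|Top Secret|\bSecret\b|\bSSBI\b|\bclearable\b|\bpolygraph\b",
    re.IGNORECASE,
)
# Assessment-and-authorization acronyms that mark National Security Systems work.
RMF = re.compile(
    r"\bSCTM\b|\bPOA&M\b|\bSSP\b|\bICD[- ]503\b|\bRMF\b"
    r"|\bNIST (?:SP )?800-(?:37|53)\b|\beMASS\b"
)
# Product name followed by a version ("Splunk 7.2", "Windows Server 2012 R2"):
# an old version is the first thing a vulnerability scanner would look for.
VERSIONED = re.compile(
    r"\b([A-Z][A-Za-z+]*(?: [A-Z][A-Za-z]+){0,2})\s+v?(\d+(?:\.\d+)*(?:\s+R\d)?)\b"
)
# Bare product / service names (assumed list for this example, not exhaustive).
STACK = re.compile(
    r"\b(?:Splunk|Nessus|ACAS|HBSS|Palo Alto|Cisco ASA|Active Directory"
    r"|AWS GovCloud|Azure Government|RHEL|Red Hat|VMware|Tenable|McAfee ePO)\b"
)


def _redact(pattern: re.Pattern, text: str, tag: str, bucket: list) -> str:
    """Record every match of `pattern` in `bucket` and replace it with [tag]."""
    def sub(m: re.Match) -> str:
        bucket.append(m.group(0))
        return f"[{tag}]"
    return pattern.sub(sub, text)


def lint_job_ad(text: str) -> Findings:
    """Extract what an adversary would harvest from a job ad and redact it."""
    f = Findings()
    s = _redact(CLEARANCE, text, "CLEARANCE", f.clearance)
    s = _redact(RMF, s, "FRAMEWORK", f.rmf)
    # Versioned products first, so "Splunk 7.2" is recorded once, as a unit,
    # instead of "Splunk" by the bare-name pass and "7.2" being left behind.
    s = _redact(VERSIONED, s, "TECHNOLOGY", f.stack)
    s = _redact(STACK, s, "TECHNOLOGY", f.stack)
    f.sanitized = s
    return f


# Constructed sample ad in the style the article criticizes (not a real listing).
SAMPLE_AD = """Information Security Engineer (TS/SCI Clearable)
Active TS/SCI with CI polygraph required. Maintain the SSP, SCTM and POA&M
for systems accredited under ICD 503 and NIST SP 800-53.
Environment: Windows Server 2012 R2, RHEL 6, Splunk 7.2, Nessus/ACAS, HBSS,
Active Directory and AWS GovCloud."""


if __name__ == "__main__":
    result = lint_job_ad(SAMPLE_AD)
    print(f"OpSec exposure score: {result.score()}")
    print("clearance:", result.clearance)
    print("framework:", result.rmf)
    print("stack:", result.stack)
    print("--- sanitized ---")
    print(result.sanitized)
```

Run against the sample ad, the linter recovers the clearance level, five framework acronyms, and eight stack items (three of them with versions), which is exactly the pivot list an adversary would start from; the sanitized copy is what the recruiter should have posted, with the specifics deferred to the interview.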
The title of the FireEye job listing mentions “TS/SCI Clearable,” which is short lingo for being eligible for a Top Secret/Sensitive Compartmented Information security clearance (one of the top-level clearances in the government). There are only three levels of U.S. Government security clearance, but TS/SCI comes in several flavors of increasing specificity, and the further down the list you go the more lucrative the clearance becomes for its holder, because it costs more (time, money, and investigative effort) to attain. Companies try to cut costs by hiring employees who already possess these clearances so that they can put the employee to work in their assigned capacity quickly.
1. Confidential
2. Secret
3. Top Secret (Single Scope Background Investigation)
a. Top Secret/Sensitive Compartmented Information (TS/SCI)
b. TS/SCI with Counter-Intelligence Polygraph
c. TS/SCI with lifestyle polygraph
Interestingly, many of these DoD contractor firms offer signing bonuses to new hires, or referral bonuses to employees, for candidates who hold a high-level TS/SCI type of clearance. So, essentially, these companies are spending taxpayer money that they received from the federal government to perform work on a specific contract to reward their own employees for finding new hires who come pre-cleared. Though this may seem like a great practice for those already in the “clearance game,” which it no doubt is, it is textbook cronyism, as those without clearances are often skipped over by the Human Resources automated screening process. No clearance listed? “Next,” thus perpetuating a corrupt and operationally insecure system.
Many companies and individuals working in the Government/Defense Industry space think it’s fine to list government security clearance requirements in job titles or descriptions, despite every cleared person having signed a Standard Form (SF) 312 Classified Information Nondisclosure Agreement (NDA), which binds recipients of a clearance against unauthorized disclosure and places them in a position of special confidence and trust. Though the SF-312 doesn’t specifically preclude cleared individuals from listing their clearances on social media sites, OPM and DSS have issued notifications admonishing the practice.
A quick search of LinkedIn for “TS/SCI” yields a plethora of results, 45,222 to be exact, including another role from FireEye.
At the time of writing, over 44,307 LinkedIn users have no shame in their game and list the fact that they hold a TS/SCI clearance directly in their profile title. These people might as well be waving a big flag and yelling at the top of their lungs, “Hey adversaries, come and get me!” We all know that the United States Office of Personnel Management (OPM) was hacked in 2015, but do you think it is wise to announce that you hold a high-level security clearance to anybody with an Internet connection and a LinkedIn account? I don’t, and it is my humble opinion that these individuals should all have their clearances revoked for publicly announcing it to the world on a social media platform. Is this likely to happen, though? No, it isn’t.
Linked article: “China is spying on the West using LinkedIn, intelligence agency claims”
It is a well-known fact that America’s adversaries are all over social media sites such as LinkedIn, setting up fake profiles and “friending” influential and highly cleared individuals in an attempt to collect whatever useful intelligence they can from them. So much for subterfuge and disinformation, right?
Think about it: you publicly list the fact that you have a high-level government security clearance on your LinkedIn profile and have an upcoming work conference that you’re scheduled to attend, let’s say in Silicon Valley at one of the Big Tech firms. Upon arriving at SFO (San Francisco International Airport) you notice a man following you from the baggage claim to your Uber. He hops in a car, and it follows you to the hotel you’re staying at. Later that evening you go down to the hotel bar for a drink to relax before the big meeting the next morning, at which you’re set to deliver an important presentation to the Big Tech client on something sensitive to aerospace technology. While at the bar, a gorgeous woman (assuming you’re a straight male in this fictitious scenario) approaches you and seems overly interested in you for no apparent reason. Suddenly, you find yourself in a compromising position, forced to choose between human urges and national security. Which do you think will prevail? Most men are susceptible to this, the oldest espionage trick in the book.
Oh, what’s that? You didn’t think there were foreign spies operating inside the U.S.? Wrong again: there exists a vast network of foreign intelligence service (FIS) operatives working clandestinely on U.S. soil on behalf of nations such as Russia, China, and Iran. One of the missions of the Federal Bureau of Investigation (FBI) and the Central Intelligence Agency (CIA) is to keep tabs on these operatives and know what they are up to, such as the Russian agent Maria Butina, who infiltrated the National Rifle Association (NRA) in an attempt to influence U.S. policy in the Kremlin’s favor in the lead-up to the 2016 Presidential Election (The Guardian, 2018).
OSINT Combined With The Malicious Insider Threat
Linked article: “Former NSA contractor accused of largest security breach in US history expected to plead guilty”
However, OPSEC is not only about foreign threats, sometimes the insider malicious threat is the biggest threat of all. Take a journey with me down this rabbit hole for a brief moment in time…
If we study the recent case of National Security Agency (NSA) contractor Harold “Hal” Martin, a 54-year-old former Navy lieutenant who had worked at various contractor firms for 23 years and had maintained his “high-level” (a.k.a. TS/SCI) clearance throughout his career, one starts to see the bigger picture and how FIS agencies can target known employees through platforms such as LinkedIn. Martin managed to sneak some 50 terabytes (TB) of files, including highly classified national-security information, onto external storage drives that he kept in his personally owned vehicle and at home, from 2012 to 2015 according to Wikipedia.
“The files he stole, according to charging documents, included a number of NSA files, including reports on future plans, spy tools, and technical descriptions of an NSA communications program.” — Kevin Collier, 2019, CNN
Though Martin is not accused of attempting to leak the classified NSA files online or to a FIS agency, the fact that this cleared contractor thought it was ok to exfiltrate this type of information outside of Sensitive Compartmented Information Facilities (SCIF) or Special Access Program Facilities (SAPF) over the course of years is very telling of just how lax Data Loss Prevention (DLP) tools, physical and information security control policies are even for some of the most highly-sensitive information in the U.S. Government. Additionally, this case serves to illustrate how much of a monumental task leaders have at all levels of government, military, and DoD contractor firms in attempting to properly secure this type of information even from their own employees who sometimes flip out and decide to hoard sensitive files on their home computers.
Following the Snowden leaks in 2013, the NSA and the entire government have been trying to improve information security across the board so that future unauthorized disclosures of classified information are at least more difficult to perpetrate. However, it is impossible to completely eliminate the unpredictability of the human element, which, like risk, is always there looming in the background like the elephant in the room. Both Snowden and Martin simply copied classified files to USB thumb drives or other external media and walked out of the secure facilities they worked in. I’m sorry, but what? Why the hell are we not inspecting people’s personal bags each and every time they enter and exit a secure facility? It seems like common sense to me and very much necessary after so many incidents of this kind. There should be no expectation of privacy when you work in a secure facility.
Pretend for a moment that you’re the adversary, thinking like the proverbial “bad guy.” Hint: We ethical hackers and security researchers call this ‘adopting an adversary mindset.’
Using some basic OSINT techniques, for which LinkedIn is a gold mine, by the way, anyone can perform a search for Harold Martin. We know from the article and other public sources that Martin worked for Booz Allen Hamilton (BAH) in the Maryland area around Fort Meade, where NSA is headquartered. BAH coincidentally happens to be the same company Edward Snowden worked for before he leaked a trove of classified NSA documents to journalists in 2013. Anyone familiar with the Washington, DC area will know that Fort Meade sits between DC and Baltimore Washington International (BWI) Thurgood Marshall Airport along the Baltimore-Washington Parkway. This initial query ends up being a goose egg, though; Hal’s profile has likely been deleted by now.
A Google search of Harold Martin’s name yields a Wikipedia link with more information about him, including an old, protected Twitter profile. Note Martin’s use of what he evidently thought was an anonymous Twitter handle, “hal_99999999”; the court documents also mention at least one other account with a similar name that he used.
According to a Politico article, Martin used this Twitter account to send messages about an online auction offering “sensitive information” to an “online entity,” also known as the Shadow Brokers. This is the point at which, in my reading, Martin decided to sell out his country’s secrets for money, a phenomenon that has recurred time and again in espionage history. Martin’s defense attorneys, however, tried to make the case that it was mental illness and not treasonous intent that led him down this path.
“In these messages, @HAL_999999999 asked for a meeting with the [redacted] and stated ‘shelf life, three weeks,’” Bennett wrote, describing the government’s assertions in court filings still under seal. “The Defendant’s Twitter messages … were sent just hours before what was purported to be stolen government property was advertised and posted on multiple online- content-sharing sites, including Twitter.” — Gerstein, 2018, Politico
Now Enter the Shadow Brokers
The Shadow Brokers first advertised the NSA hacking tools in August 2016 and released the Windows exploits, including EternalBlue and EternalRomance, in April 2017; following the trail of digital evidence, it can logically be concluded that the tools were obtained from Mr. Harold T. Martin. Those exploits have since been incorporated into numerous strains of malware and ransomware, including WannaCry and NotPetya, which caused considerable damage globally. They capitalized, and new exploits continue to capitalize, on organizations and individuals that fail to patch (i.e., update) their Windows Operating System (OS) software which Microsoft has issued patches for the Server Message Block
Now, if I am any good at what I do as a “bad guy” computer network espionage (CNE) operator, once I learn from LinkedIn OSINT that someone holds a TS/SCI clearance, they go on my list of targeted individuals for further reconnaissance. I can use tools like ScrapedIn to “scrape” profile information from LinkedIn in bulk.
“The attraction of LinkedIn as a spying platform is that its users are predominantly white-collar workers in positions that could be exploited at high levels of business and government” — Cuthbertson, 2017, Newsweek
Next, a skilled adversary is going to try to determine the target’s Internet Protocol (IP) address so that they can scan his or her personal systems for known and potentially unpatched vulnerabilities, or find the home address, so that arrangements can be made for a locally based operator to compromise the home Wi-Fi network or simply break into the residence and steal any hoarded digital files. Not too far a stretch, right? Why make yourself a target in this manner by listing the fact that you have a high-level clearance? Why put yourself and your family at risk? At least make an adversary work a little to discover that you have a clearance, even though it will often be easy to guess from your employer and geographic region (e.g., San Diego, Los Angeles, D.C., Baltimore, Boston, etc.).
You might be thinking, “OMG! Why is he giving away all of this information?” Well, friends, nothing mentioned throughout this article is confidential in any way, every bit of it is freely and openly available online. Our adversaries know more than this basic information, trust me on that. Considering the fact that OPM was hacked over four years ago, just think of the long-term implications of that data breach… If you’ve ever held a government security clearance, you should be monitoring for signs of social engineering such as spearphishing emails coming into your email accounts or random people following or surveilling you. You should monitor your credit report closely and lock down your credit by placing fraud alerts on them.
Some have drawn a correlation between former NSA classified-data exfil-traitor Harold Martin and the Shadow Brokers. The Shadow Brokers remain an unidentified group that supposedly stole the NSA hacking exploits, but it is plausible that they bought them from Harold Martin or from Nghia Hoang Pho, 67, also of Maryland, who took Top Secret material (paper and digital) home between 2010 and 2015 to store on his personal computer. Pho was a developer who worked on “highly classified projects and was employed from 2006 as a Tailored Access Operations (TAO) developer for the NSA” (Kupperman & Ellis, 2017, CNN).
“Martin’s defense attorneys argued that he suffered from mental health issues, of which his hoarding was a symptom. Martin agreed to plead guilty in December 2017. This was scheduled to occur on January 22, 2018. Martin pleaded not guilty. According to the court’s Memorandum Opinion dated December 3, 2018, Martin’s trial date is scheduled for June 17, 2019. On March 17, 2019, Martin agreed to plead guilty to ‘Willful Retention of National Defense Information’; the deal called for nine years in prison, three years supervised release and a fine of up to $250,000.” — Wikipedia
Either way, whether it was Martin, Hoang, or someone else who leaked the classified NSA hacking exploits, there is far too much leniency when it comes to controlling sensitive information in both the corporate and federal sectors of industry. Organizations need to clamp down on internal information security procedures because you don’t have to be an OSINT expert to figure ‘who is who in the zoo’ and what type of information you might be able to acquire by targeting someone with a clearance!
The aim of this article is to encourage everyone working in the recruiting (i.e., talent management) industry, as well as cleared individuals themselves, to stop making the adversary’s job easier by publicly listing the fact that a clearance is held or required. The Defense Security Service (DSS) should take action against individuals who publicly list such information, and job advertisements should not list such special requirements; that information should be exchanged during verbal interviews or the online application process, which is an entirely different can of worms for another time… Additionally, listing specific operating systems, software applications, hardware devices, and Cloud services is equally unwise, because the organization is advertising its stack to cybercriminals, who can then target the company using known vulnerabilities in those products. Instead, list a job title such as “Cybersecurity Engineer” and require proficiency in “x” protocols and a solid, demonstrated understanding of information security best practices. Don’t get into specifics, because, once again, you’re only making the cybercriminals’ job that much easier.