Opsec, Who Needs It?

This article from Sophos' Naked Security shows some incredible failures of opsec “because it just kept getting used.”

Unfortunately for the US and its agents, it didn’t take long to find the moles. That’s due in large part to what one former official called an “elementary system” of internet-based communications – one that was never meant to stand up to sophisticated counterintelligence efforts such as those of China or Iran, let alone one that should have been entrusted with the extremely sensitive communications between the CIA and its sources.

That system had initially been used in war zones in the Middle East, and entropy kept it in use by far more people, for far longer, than originally intended. Part of the problem is that it was easy to use, tempting intelligence agencies to overlook its shortcomings.

And then the CIA beat down the person telling them they’d been pwned :(

This all may have been avoided if a whistleblower’s warnings had been heeded. In 2008 – well before Iran or China found and arrested CIA agents – John Reidy, who worked for CIA subcontractors helping to identify, manage, and report on human assets in Iran, had already warned about fraud involving a CIA subcontractor, and a “catastrophic intelligence failure” in which “upwards of 70% of our operations had been compromised” by hostile penetration of US intelligence computer networks.

People were literally disappearing, and they did nothing.

According to Reidy, the communications system compromise became evident after operation “anomalies” began to surface in operations, including “sources abruptly and without reason ceasing all communications with us.”

Wow. And I thought my workplace was bad!