I recently completed a study for the USAF.

"Online Vulnerabilities of USAF Personnel to Adversary Influence Operations on Social Networking Websites".

If you are in the DOD or IC and are working in IO, OPSEC, etc and are interested in a copy send me an email to mike_mcgannon@sra.com and I will forward a copy.

Adversary Influence Operations Vulnerability Self Assessment Questionnaire

Instructions: This questionnaire was designed to determine how vulnerable an online user is to Adversary Influence operations. While no one can be expected to do their jobs without accessing the internet, there are sites or types of information that users can post online that would make them more vulnerable to influence.

Ratings

0-25 Points Low Risk
26-50 Points Moderate Risk
51-75 Points High Risk
76-100 Points Target

Low Risk: You use the internet, but protect yourself online; however you should still be aware that there are risks.

Moderate Risk: You are giving away bits and pieces of critical information that put together over time could make you vulnerable to influence.

High Risk: You are posting critical information that does make you a likely target candidate.

Target: It is too late you are already a target; you have given the adversary everything they need to carry out an influence operation.

Scoring the Questionnaire: For every question with a single answer yes/no assign 1 point for yes, 0 points for no. For questions with multiple answers using the following points score

a. None 0 Points
b. 1 1 Points
c. 1 to 5 3 Points
d. More than 5 5 Points

Part I Websites

1. Are you currently in a critical career field which may be the target of Adversary Espionage or Influence Operations? (Y/N) (Target career fields include Intelligence, Special Operations, Communications, Security Forces, Aviators, Combat Weather, TACP, Nuclear Weapons)

2. Do you use social networking websites?
a. None
b. 1
c. 1 to 5
d. More than 5

3. Do you post on blogs?
a. None
b. 1
c. 1 to 5
d. More than 5

4. Do you participate in forums?
a. None
b. 1
c. 1 to 5
d. More than 5

5. Do you have a personal website?
a. None
b. 1
c. 1 to 5
d. More than 5

6. Do you use photo album websites?
a. None
b. 1
c. 1 to 5
d. More than 5

7. Do you post resumes to employment websites?
a. None
b. 1
c. 1 to 5
d. More than 5

8. Do you belong to any dating sites?
a. None
b. 1
c. 1 to 5
d. More than 5

9. Do you post on bulletin boards and newsgroups?
a. None
b. 1
c. 1 to 5
d. More than 5

10. Do you use email listservers?
a. None
b. 1
c. 1 to 5
d. More than 5

11. Do you belong to online groups and clubs?
a. None
b. 1
c. 1 to 5
d. More than 5

12. Do you participate in chat groups (AOL, Yahoo, MSN, etc)?
a. None
b. 1
c. 1 to 5
d. More than 5

13. Do you use instant messenger software?
a. None
b. 1
c. 1 to 5
d. More than 5

14. Do you use online auction sites?
a. None
b. 1
c. 1 to 5
d. More than 5

15. Do you use online training?
a. None
b. 1
c. 1 to 5
d. More than 5

16. Do you play online games?
a. None
b. 1
c. 1 to 5
d. More than 5

17. Are you on any other sites not listed above that you provide data to?
a. None
b. 1
c. 1 to 5
d. More than 5

Part II Types of Information

When you post online do you:
1. Use your real name? (Y/N)
2. Use identifying usernames i.e. USAFTACP? (Y/N)
3. Post your military/government affiliations? (Y/N)
4. Provide Personal Information
a. Hometown (Y/N)
b. Schools (Y/N)
c. Previous Employment (Y/N)
d. Names of relatives (Y/N)
e. Names of friends (Y/N)
f. Duty Stations (Y/N)
g. Military Units (Y/N)
h. Training (Y/N)
i. Deployments (Y/N)
j. Business associations (Y/N)
k. Personal associations (Y/N)
5. Post a daily journal of your activities? (Y/N)


Part III Public Records

1. Are you listed in yellow and/or white pages? (Y/N)
2. Do you have court records online? (Y/N)
3. Do you have real estate records online (county you live in may post this information without your knowledge or permission)? (Y/N)
4. Do you have an online business? (Y/N)
5. Are you listed on school/university websites? (Y/N)
6. Are you listed on professional association websites? (Y/N)
7. Do you hold patents or copyrights? (Y/N)
8. Are you published? (Y/N)

Tip Sheet: How to Protect Yourself Online

1. Use tools to make your online use anonymous. An anonymizer or an anonymous proxy is a tool that attempts to make activity on the Internet untraceable. It accesses the Internet on the user's behalf, protecting personal information by hiding the source computer's identifying information.
2. Use generic free email accounts.
3. Use junk info in web forms (name, address, phone #, etc.).
4. Use random user names. For example USAFTACP is not a good username while spacecadet4687yb is a random username.
5. Use multiple usernames and email accounts so all of the websites you access cannot be linked together.
6. Do not use you .mil or .gov email outside of the DOD network.
7. Do not give out any personal information unless it is absolutely required for school, business or professional transactions.
8. Be mindful of OPSEC when you are online and let you friends and family know what information they should post about you, if any.

Adversary Resources

An adversary will have access to all the tools and resources that are available online that you do. So a good assumption is that if you have access to a public website then so will an adversary. If an adversary has your basic information they can pay a variety of websites for additional information about you.

Online Background Checks: After an adversary has obtained information on a subject they can perform more detailed background searches using the following services.

http://www.zabbasearch.com/
http://www.criminalwatchdog.com/
http://www.peoplelookup.com
https://www.backgroundchecks.com/

Maps and Satellite Imagery: Once they have an address they can use online tools to get directions, maps of the locations and even satellite imagery using a variety of free online websites.

http://maps.google.com/maps
http://maps.live.com/
http://www.zillow.com/

Public Records: State, County, and City Sites
http://www.brbpub.com/pubrecsitesStates.asp

State Occupational Licensing Boards http://www.brbpub.com/pubrecsitesOccStates.asp

State Appellate & Supreme Court Opinions & Decisions http://www.brbpub.com/pubrecsitesSearch.asp?subcat=Appellate+%26+Supreme +Court+Opinions+%26+Decisions

Federal Courts http://www.brbpub.com/pubrecsitesSearch.asp?subcat=Federal+Courts

Other Government & Private Information Sources

Obtain Your Own Driving Record http://www.brbpub.com/pubrecsitesSearch.asp?subcat=Obtain+Your+Own+Drivi ng+Record

Decode a VIN http://www.brbpub.com/pubrecsitesSearch.asp?subcat=Decode+a+VIN

Online Information Management: While posting your own information online can be easy to control and remove, online public records may not be as easy. Here are some links to opt out of public records on the sites listed in the previous section.

Zaba Search http://www.zabasearch.com/opt-out/

People Lookup http://www.peoplelookup.com/privacy-faq.php#5

Background checks info@backgroundchecks.com

Public Records: As laws and policies vary by state; you must contact each organization individually that has your public records to see if those can be removed from online searches.

somebody.....

somebody.....

This comes back to a conversation recently in which the question was what to do about the fact that so many soldiers, and civilians are vulnerable due to their involvement in these various areas. What do you do? Tell them not to be involved or make darn sure they are aware of the inherent risks and how serious those risks are.

In the vein of to whom this information would be valuable I think most of us would agree that most of those who would do evil are and have been more than capable of determining how to do so. It is not teaching them through this exchange that concerns me but would be not making sure that our men and women young and old are highly aware of it.

This also comes back to the point of the realistic expectation of not being vulnerable, There just is no such thing. Any battle is fought on a battlefield at some point and thus there is danger. The answer will never be to cease being on the the battlefield. It comes back to Opsec but in a way of understanding what is there rather than avoiding it.

Education, Empowerment, Training...

Is it more important to tell me I'm a target or should I be taught to understand that everyone is?

Hi Ron,


This comes back to a conversation recently in which the question was what to do about the fact that so many soldiers, and civilians are vulnerable due to their involvement in these various areas. What do you do? Tell them not to be involved or make darn sure they are aware of the inherent risks and how serious those risks are....

Is it more important to tell me I'm a target or should I be taught to understand that everyone is?

One of the most pernicious trends I have seen over the past couple of decades has been the idea that the state can, will and should, "protect" us not only from external enemies but, also, from ourselves and the consequences of our action (and inaction). A couple of my colleagues have referred to this as this the "infantalization" of society, while others have called it the "domestication" of society. Regardless of what we call it, it leads to a curious decoupling of actions from their consequences - a situation that strikes at the very soul of a democracy, regardless of its form.

Years ago, I was taking a course in Labour Process and we had to provide readings for the other people in the seminar that dealt with the issues we were looking at. Being an Anthropologist locked up with Sociologists, amongst the "academic readings" I gave there were two short stories by H. Beam Piper (here (http://www.gutenberg.org/etext/18949)and here (http://www.gutenberg.org/etext/18814)) that encapsulated my thinking and, in some ways, go to answer your question.

Marc

RTG,

It's a good checklist; thanks for posting it. BTW, the same checklist can be used to check for probability of identity theft.

Marc

The checklist wasa result of our vulnerabilit study as we identified the need for more awareness training that can be incorporated into OPSEC and CI annual training.

You're right the same rules also apply to identity theft as well.