Hacker OPSEC

STFU is the best policy.

Drug Delivery Service OPSEC

Some interesting lessons on how a modern New York City drug delivery service uses basic tradecraft to create a reasonable security posture.

The Source

This Vice article provides the source of the information for this blog post. Using some basic background knowledge on how covert groups operate, it is simple to parse and analyze the drug delivery service tradecraft.

Recruitment

a friend of mine solicited hardcore drugs for a Manhattan drug kingpin, who was looking for a new pot delivery guy. My friend encouraged me to try out for the job.

As with many covert groups, the recruitment process relied on personal connections. This social-network-grounded approach to expanding a covert organisation is generally good for initial security. The recruits are unlikely to be agents sent to infiltrate the organisation, as the long-standing social ties between members and recruits both establish trust and serve as vetting.

Developing a covert organisation based on social network ties provides a means of rapid expansion and easy security clearance. The downside is that once a single member of the organisation is compromised, the adversarial security forces can easily roll up the whole network. The poor compartmentation of a social network based covert organisation is its Achilles heel. The security of the organisation is critically dependent on the security of each individual member.

ProTip: Expand your covert network with individuals who are passionate about your ideological beliefs. Ensure strong compartmentation, starting with recruitment.

Leverage

He asked me to provide documentation of my current address and phone number as an insurance policy. If I ran out on him, he warned me he’d hold my friends responsible for the deficit funds and/or drugs.

The principal of the organisation, “Nathan”, requires that the recruit provide a verifiable address and means of contact, along with dire warnings of the consequences of any infraction. These are very basic control principles, typical of covert organisations.

The major security problem with this approach, of course, is that the records maintained by the network’s principal are a high value target for the adversary. Compromise of the principal’s records will lead to total collapse of the network, and interdiction for every member involved. There is no chance of evasion.

ProTip: No logs, no crime. Do not keep records of the members of your covert organisation. These records are extremely sensitive.

Operational Actions

the transaction and exit should be as swift as possible. “You aren’t here to hang out,” she said. “It’s not a social call, and they aren’t your friends. You want to walk in and be friendly and make conversation but also get to the business at hand and get out of there quickly.”

The illicit operation, the drug sale, is intended to be rapid and minimize the period of vulnerability for both parties. Interestingly, this is possibly a poor choice if the threat is surveillance. There are few reasons a random individual would enter a domicile for a short duration. Also of note, the covert organisation provides no reasonable cover story for why the agent (the drug courier) is entering the residence of the client. A simple “what were you doing?” type question would likely completely blow the whole operation.

ProTip: Minimising the period of vulnerability improves the chances of operational success. Always make sure your agents are capable of delivering plausible cover stories (cover for action).

Cover for Status

Nathan forced me to wear a button-up shirt and slacks, shave my face, and keep my hair conservatively short. He believed this uniform would attract little attention as I walked around with thousands of dollars worth of pot in a laptop case slung over my shoulder.

The covert organisation has, surprisingly enough, chosen to enforce a uniform that makes its agents blend in with the mainstream. This is completely in line with the typical operational disguises employed by covert organisations operating in controlled territory the world over. (See: Moscow Rules: go with the flow; Murphy’s Laws of War: don't stand out, it draws fire.)

ProTip: They got this one exactly right.

All phones are bugged

Although I used my flip-phone constantly at work, I was never given clients’ addresses over the phone. Clients’ calls would go to a dispatcher—a third party who took the call, traced the number through a database of numbers, and then returned the call from a different phone to confirm their request for drugs. After their request was confirmed, I received a call from another phone. The dispatcher only told me, “You got Nick,” or “You got Lucy.” I was banned from responding with anything besides a murmured “OK.”

Each operational use of the phone provides the adversary with minimal value. There is a unique identifier for the client (e.g. “Lucy”), and the agent acknowledges receipt of the directive (“OK”). The dispatcher’s interaction with the client is itself run over multiple phone lines and kept to short, simple, normal statements.

ProTip: This is very much in line with all covert organisations’ guidelines for using phones. Never use keywords, keep the content as vague as possible, minimize the period of vulnerability – get off the phone!

OPSEC FAIL: attracting attention

Each day I was given a stipend of $40 for cabs. No one knew if I didn’t spend the $40. Instead of taking cabs, I ran around in a frantic state that negated every other measure I took to not draw unwanted attention.

This is an instance of preference divergence, a common problem for covert organisations. The financial resources provided to the agent by the principal are siphoned off and directed towards non-operational uses (the drug courier skims and pockets his cab stipend). There doesn’t appear to be any consequence for this operational security failure; however, it jeopardizes the entire organisation. If “Nathan” were a more disciplined principal, he would monitor his agents more closely and ensure they are conforming to the organisational security requirements. Strangely, drug dealers are not strict disciplinarians.

ProTip: If the security of the entire organisation is dependent on the security of each individual agent – enforce the operational security requirements strictly!

Aliases

I shook his hand and said, “I’m Jack.” He gave me a knowing grin. “So that’s the name you’re using?” he asked.

The agent is using an alias to provide pseudonymity from malicious clients. This provides some minimal level of security. It is definitely better than not having any cover at all. However, as noted above, it should be combined with a robust cover story for why the agent is visiting a residential home for a brief period.

Discharging the agent

After a promotion, the drug courier decides to find a new line of work. If the organisation were stricter in its OPSEC practices, the departure of an agent wouldn’t place anyone else in jeopardy. As it stands, it seems clear that the agent, who is now drawing attention to himself by writing about his experience in a national magazine(!), still retains sufficiently sensitive information to unravel the network.

ProTip: Compartment early, compartment often. It is safer than any alternative.

TL;DR

Compartment your covert organisation from recruitment through to operational action, so that when your agents leave or are compromised they are unable to compromise the organisation. Ensure that your operational activities have good cover for status (e.g. a disguise) and cover for action (e.g. a strong cover story). Maintain strong compartmentation and strong cover, and be aware of the risks of using social networks to build a covert organisation.