A lesson in low tech for the CIA

A story in todays Times newspaper about the supposed secret use by the CIA of an airbase in Pakistan has an interesting Information Security angle. In particular because it appears that supporting information for the story comes directly from the Pentagon which apparently posted details about fuel deliveries to the base on their Defence Energy Support Center website.

One of the best penetration testers I know barely needs to touch any so-called hacking tools to get all the information that he needs to launch his attacks. Most organisations that he deals with have so much information available online, sitting behind public IP addresses, that he’s usually achieved most of his objectives simply by using Google, a notebook of lined paper and pencil, and some very strong coffee.

Low tech research provides the fastest route through high tech security controls. The Pentagon probably have details of their drone operations under the tightest security within the most secure systems. However, given a journalists’ ability to snuffle a story out of the slenderest thread of information, posting information about fuel deliveries to a remote Pakistani airbase on a public website would be like a red rag to a bull.