Kinetic fireballs, obscurity and aggregation

A friend sent me an article about kinetic fireballs. It recommends using incendiaries rather than high explosives to destroy biological weapons labs, because high explosives have the potential to spread hazardous materials and injure the surrounding population. The article goes on to describe kinetic fireball incendiaries:

“These are hollow spheres, made of rubberized rocket fuel; when ignited, they propel themselves around at random at high speed, bouncing off the walls and breaking through doors, turning the entire building into an inferno.”

I found the article fascinating, then quickly realized the content is likely classified Secret or Top Secret. Details of this weapon should never have been posted on the Internet. The effectiveness of kinetic fireballs depends on security by obscurity to a certain extent. With knowledge of the existence of a weapon and how it works, an adversary can establish an effective countermeasure. In fact, I know of two simple techniques to render kinetic fireballs virtually useless from the details in the article but will not disclose them here for obvious reasons.

The author of the article gathered data from a variety of sources. Sensitive information can be deduced by gathering several pieces of public or uncontrolled data (aggregation and inference). For this reason, semi-sensitive information must be protected as well. Commercial industry, take note.

The fireball article refers to published documents and links (Jane's Defence Weekly, Alliant Techsystems, the DoD SBIR Resource Center, Exquadrum Inc, the Defense Threat Reduction Agency, FedSpending.org, etc.). Rest assured, foreign governments have analysts conducting similar open-source intelligence research. Therein lies the issue. Loose lips sink ships (and businesses).

Lessons learned are:

1. Classify sensitive information, including development and innovation activities: If an organization is in the process of developing a given technology or capability, that information alone may be enough for an adversary to start work on a competing product or service. Restrict information sharing based upon need-to-know.

2. Control third parties by contracts with disclosure penalties: Left to their own devices, suppliers and contractors will publicize their activities and accomplishments. Companies are in the business of making money and potential investors demand information to make informed decisions. Require third parties to submit public announcements associated with your organization for review before publication.

3. Conduct awareness initiatives: Policies, contracts and other preventive controls are first lines of defense in securing sensitive information. Awareness programs play a critical role as well. It is necessary to establish a culture of security in order to secure data. The average employee should be familiar with concepts such as aggregation, operations security and social engineering.

Feel free to contact me with any questions or comments.

Kind regards,

Gideon

Gideon T. Rasmussen
CISSP, CISA, CISM, CIPP
Charlotte, NC
http://www.virtualcso.com

http://www.infosecresources.com
http://www.gideonrasmussen.com/rssfeed.xml
http://groups.yahoo.com/group/gideons-infosec-list


Source: Secret Rocket Balls Target WMD Bunkers: http://blog.wired.com/defense/2008/11/secret-rocket-b.html


Posted: Sun Nov 16, 2008 12:55 pm