Airport security belt steals

Airport security conveyor, Arlanda airport, Stockholm

There goes our iPad. Swallowed by the security conveyor belt, immediately under the prominent sign that says “The tray stays until it is emptied.” After many uses, I came to trust that sign.

I didn’t at first. I’d grab and hold the tray before it got to the dangerous end-of-the-line, and fight the force of its mechanized trajectory. Because I knew: at the end of the belt, the tray drops swiftly to a lower level and is carried back to the security officers and then on to the line’s starting point, where passengers take an empty tray.

At some point I noticed all the stuff mounted above the end of the conveyor belt. There’s a video camera, a mirror, and some sort of sensors. I tested the tray-trap—warily, I left a jacket inside. The tray waited at the end of the line until I removed the jacket. Huh.

Airport security contraption

I became complacent. Next time, I didn’t pick up my jacket from the blue-bottomed tray until I had my computer re-stashed. I let my belt lie while I grabbed my mini-toothpaste.

And when Bob’s iPad sailed through with its light gray cover, I kept an eye on it but didn’t fetch it.

Bob takes a long time to get through security. He travels with his MacBook Pro, MacBook Air, iPad, video camera, and six or seven hard drives. (Gotta be productive on the road…) We have a strategy: I whiz through and pack up my stuff in 45 seconds or so, then keep an eye on his stuff while he’s spreading out equipment in multiple trays and taking off his belt.

Luckily, I saw the machinery swallow his iPad. If I hadn’t noticed, it could have been forgotten in the confusion (and rush).

“Stop, thief!” Or no. I said something else. “Our iPad’s been eaten!”

“Would have made a nice little present for the security officers,” Bob said.

We could easily have walked away from it. I wonder how many people do? This security check point is at Stockholm’s Arlanda Airport. London Heathrow has the same setup. I’ve seen it in other airports, too, but I can’t remember where. Copenhagen? Munich?

© Copyright 2008-2011 Bambi Vincent. All rights reserved.

Ghost in the Wires

Ghost in the Wires cover

I thought Kevin Mitnick was a friend of mine—but that was before I read his forthcoming book, Ghost in the Wires. Kevin’s the consummate liar, it seems. He’ll say anything to get what he wants, going to extreme efforts to research, then set up support for elaborate cons. He’ll claim to be a cop, a utility employee, or your colleague from a remote office, if it serves his purpose. A faceless voice on the telephone, he’ll sweet-talk one minute, and command with authority the next. At least he used to do this, before spending five years in federal prison…

To become the boldfaced name in social engineering, Kevin honed a natural knack for people-reading from childhood. He was a telephone Zelig who rarely needed to get out of his sweats. He always found a plausible pretext for his capers and pursued them with outrageous chutzpah. Rarely would he fail to obtain the information he sought.

Can one retire a talent like that? I doubt it, but as I can’t think of what use Bob and I are to Kevin, I prefer to think that we really are his friends.

Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker is Kevin’s third book, to be published in August 2011. I love that title. The book chronicles how Kevin, from an early age, tinkered with communication devices: ham radios, telephones, cellphones, computers, and the software that runs them all. Although he was obsessively compelled to dig deeper and deeper into the gizmo-code, he never tried to make or steal money from his exploits. He did it out of his own curiosity, to learn more, and to challenge himself to do what seemed impossible.

Sometimes, in his relentless pursuit of knowledge, he simply had to break into a company’s computer to get the software, the code, or the user names and passwords that he needed. In an electronic sense, that’s breaking and entering. And when he copied that proprietary information for his own use, well, that’s stealing.

Once he’d gained access to his target computer, he’d usually fiddle with its inner settings just enough to plant a “backdoor,” an easy way in for his next visit. He might read his target’s emails and even copy them, but he never destroyed the files.

Imagine an intruder who breaks into your house, sneaks around and looks into your secret hiding places, rifles your files, and picks through your drawers. Satisfied, he then backs out quietly leaving everything just as it was, sweeps up his footprints and, oh yeah—copies your house key on the way out.

Bambi Vincent, Kevin Mitnick, Bob Arno

I’ve heard Kevin call himself a “non-profit hacker.” Sure, he got himself free phone calls, but throughout his hacking career, he was always gainfully employed. With the information he had at his fingertips, he could easily have enjoyed a life of leisure from credit card fraud. He could have sold proprietary source code in the hackers’ underworld. But no; Kevin lacks a vital attribute. He has nerves of steel and gigantic balls, but he does not possess a criminal core. He was simply educating himself.

That is, until he got himself in trouble for snooping. Then he needed that information to protect himself, so he could make untraceable phone calls, so he could listen in to others. As the Feds closed in on him, he needed to know how much they knew about him, too.

Many times while reading Ghost in the Wires I wanted to smack Kevin. I wanted to shake him and say “you just got out of juvenile detention for doing just this—why are you doing it again?” He makes it clear that his hacking was his idea of fun and entertainment, to see if he could get to the next level. Like an addicted gamer.

It turns out, after all, that Kevin was busy educating himself. From “the world’s most wanted hacker” he has become one of the most wanted security experts in the world. He’s now considered the ultimate social engineer and an “ethical hacker,” one whose challenge is to break into his clients’ systems, whether electronically or by social engineering. In other words, as Mitnick Security, he’s now paid to do what he loves, and he no longer has to look over his shoulder.

Social engineers are an ominous bugbear to security. A company (or you!) can have the tightest security system in place, but humans are its weakest link. For a hacker like Kevin, it’s easier to simply ask for the key to the front door than to steal it. He simply has to ask in the right way. Because social engineers are basically skillful actors playing a role, they’re an invisible threat and a daunting challenge for businesses.

I’m no hacker, that’s for sure, nor even a programmer. Yet, I found it fascinating to read exactly how Kevin finagled himself into systems and tweaked them to his advantage. Kevin wanted to include more of the nitty-gritty hackery in the book, but his co-author, Bill Simon, saved us readers from too much esoterica. I think they struck an excellent balance. I never felt bogged down by the technical bits.

In fact, some might worry that Ghost is a hackery cookbook, complete with lessons in how to get others to spill their secrets. I worried about this aspect with my own book, Travel Advisory: How to Avoid Thefts, Cons, and Street Scams.

Does an exhaustive explanation of theft techniques actually teach the thieves? Kevin and I obviously came to the same conclusion: no, there’s more to gain by putting all the details out there, the better to protect yourself.

I feel a little sorry for all the good people whose trust Kevin exploited. They bought into his ruses in a good-faith effort to be helpful. No doubt that he used them, and probably got many of them into big trouble. Well, in my line of work too, thiefhunting and training the public to avoid theft, a kernel of cynicism is not a bad seed to plant. Kevin’s patsies will think twice before giving out sensitive information.

Ghost is 400+ pages of tension, broken only by Kevin’s sentimental musings about his mother and grandmother, who are constant supportive figures in his life, and the heartbreaking side-story of his brother. It’s fast reading—a tribute to the clear writing and exciting story.

Yeah, yeah, you think I’m all positive because Kevin’s my friend. He gave me an unedited galley copy of the book (littered with typos), but didn’t ask me to write about it. If I hadn’t liked it, I wouldn’t have written a word.

Or maybe I would have. After all, Kevin might not be a real friend of mine…


Database data loss

Vault door; Database data loss

People often share their credit card anxiety with me. They’re afraid their cards will be lost or stolen and huge bills will be run up by a thief, and that their identities will be cloned. “Is it better to just carry cash?” they ask. “Should I follow the waiter when I pay my restaurant bill?” “How safe is it to use a credit card on the internet? Will my identity be stolen?”

So let’s put these questions to rest. Then we can move on to the real risk.

First, yes. Your credit card can be lost or stolen and big debts can be incurred by others. You won’t be responsible—your financial institution takes the hit. But in the grand scheme of things, the odds are not high that your credit card will disappear and be compromised. The risk is higher in some places than in others, and for some people more than for others. But that’s life. Get over it and live.

No. It’s not better to carry cash. Keep some cash for small (or secret) purchases, and use credit cards for the rest.

Yes, shop on the internet with your credit card. If it makes you feel better, get one of those temporary credit card numbers on your account, good for a single transaction or a limited amount. Without internet and a credit card, you’re crippled.

The real risk of identity theft and credit card fraud

It’s big business. The hotels and hospitals we go to, the stores, banks, schools, airlines, doctors, utilities, and credit unions we use, and even government organizations: all of these and more store information about us. They all comply with information security regulations to some extent. But how much and how well? Our identities are in the hands of those who store our details.

Database data loss

If our PII (personally identifiable information) is set free, it will most likely be due to an electronic data breach of some sort, in a (probably-large) batch with others’ information.

We used to be concerned that manila folders containing our records were physically locked up. Who had access to them? How were they discarded? Shredded or dumped in a Dumpster? There’s so much more to worry about now, and so much more than a single set of paperwork. Our most sensitive secrets and deepest dirt are stored electronically on hard drives, on servers, in the cloud, backed up, on laptops, mobile phones, and even on thumbdrives.

Laptops and thumbdrives are lost and stolen every day. Databases are breached every day. This is where the risk is, and it’s out of our hands.

The advantage goes to data thieves like Rogelio Hackett who, until a little slip-up, broke into the computer networks of businesses, downloaded credit card information, and sold it for profit. Big profit.

“The bad news is that banks and businesses have not made great progress in the fight against account takeover fraud,” says The Information Security Media Group in its 2011 Business Banking Trust Study. Bringing institutions to compliance has been a painful process.

Security vulnerabilities are uncovered daily in computer networks everywhere, from the Australian Parliament House to the Pentagon to our water supplies. In the 3/28/11 Los Angeles Times, Ken Dilanian wrote that “Impeding the move toward bolstering U.S. infrastructure is the government’s lack of authority to coerce industry to secure its networks and industry’s lack of an incentive to implement such protections.” He was referring to the threat of terrorist cyberattacks, but our personal security is at risk as well.

Read this for the state of cybersecurity:

A new survey reveals that roughly three-quarters of energy companies and utilities experienced at least one data breach in the past 12 months. … Seventy-one percent of respondents said that “the management team in their organization does not understand or appreciate the value of IT security.” Moreover, only 39 percent of organizations were found to be actively watching for advanced persistent threats, 67 percent were not using “state of the art” technology to stop attacks against SCADA (supervisory control and data acquisition) systems, and 41 percent said their strategy for SCADA security was not proactive. The survey also concluded that the leading threat for energy utilities was not external attackers, but rather inside ones—43 percent of utilities cited “negligent or malicious insiders” as causing the highest number of data breaches. …

InformationWeek (04/06/11)

To get a fuller grasp of the number of electronic records lost or stolen, take a peek at the DataLoss DataBase project, which “documents known and reported data loss incidents world-wide.” You can search by type of data lost (Social Security numbers, financial information, credit card numbers, etc.) and by the industry sector (business, government, educational institution, etc.). You can see if the breach was by an insider or an outside attacker, and whether it was malicious or accidental. And you can search by many types of breach: improper disposal, a hacked or lost computer, a stolen drive, a web attack, etc. I’m especially fond of the datalossdb Twitter feed, for minute-by-minute reports of data losses, with links to known details. For example:

    http://bit.ly/eDcD2s – Blockbuster Video – Employee and applicants’ records containing names, contact details, Social Security and personnel matters found discarded

    http://bit.ly/gW2WYs – AllianceBernstein Holding LP – Employee downloaded client files and transactions before resigning

    http://bit.ly/dTAmUX – Qdoba Mexican Grill – Customers’ card numbers acquired and misused

    http://bit.ly/hdmt25 – Hyundai Capital – Personal credit rating information of 420,000 vehicle loan customers plus 13,000 security passwords acquired by hackers

And on and on. The feed may shock you daily, as it does me. Why is our vital information handled so carelessly?

Well-known and trusted companies like Brookstone, AbeBooks, Ralphs Grocery, Ritz-Carlton, Smith’s Food & Drug, Best Buy, Verizon, etc., assure us they store our information responsibly. Then they farm it out to Epsilon online marketing, a company they do not control. Epsilon got hacked.

More than 65 companies have been impacted, to the great risk and inconvenience of their customers. I got emails after the breach from three of the businesses, warning that data on me had been among the stolen records. Security experts now expect a massive increase in “spear phishing,” in which individuals are personally targeted and tricked by spoofs of companies they have a legitimate relationship with. I get plenty of phishing email already, and some of them look damn believable. Expect them to look even better now, addressed to us by name.

I’m not going to address every risk and precaution here. There is much, and it’s all to be read elsewhere on and off this blog. My points are two:

1. Our ordinary everyday activities may expose us to a little risk of credit card fraud and identity theft, but the big risk is out of our hands.

2. Do look at DataLoss DataBase or at least skim its Twitter feed to get an idea of how much information is lost daily.


Privacy: WAY out of our hands

Vietnam immigration

My nephew, planning an extended jaunt through Vietnam, applied for a visa. What he received horrified him. A bilingual letter authorized his entry and instructed him to pick up his visa upon arrival at Da Nang International Airport.

My nephew’s name was on an attached list, among a dozen other citizens of the world, displaying each person’s full name, date of birth, nationality, and passport number.

Is this the standard practice of the Socialist Republic of Vietnam? Group visa approvals of unrelated travelers… Information-sharing on a broad and arbitrary scale.

My outraged nephew said he would not have visited Vietnam if he’d known how visas were issued. I’ve blurred the data, but here’s what the list looked like:

Vietnam visa


Hotel room security lapses

Delta Bessborough Hotel, Saskatoon

When you check into a hotel and are handed a key to a room that turns out to be already occupied, you have to wonder about the hotel’s security. You definitely come to a conclusion about its competence. This is no small mistake, in my book.

When we checked into the Delta Bessborough in Saskatoon, we were given a room key, as usual. We hauled our luggage up to find that the room had not been cleaned. Down we went. Got a new key. Back up to another floor. Opened the door and found a woman inside! One more time down and up and we got a third room, this one a keeper.

I’m not terribly irked by the first mistake, but I find the second inexcusable. It makes me wonder who might barge into my room later. Will I be inside at the time? Just how confused is the front desk, anyway? How much responsibility will they take for potential repercussions?

Bob and I were surprised at how insignificant the front desk people seemed to deem the error. “I know, I know you got the wrong room, sir, we apologized!” a staffer said, as if we were harassing him. Inconvenience seemed to be the complaint he was addressing; not insecurity. And—he was busy with front desk things.

Contrast that with an incident the next day at a Crowne Plaza. Our checkout time was 4 p.m. We returned to the room at 3 p.m. in a rush to pack, but couldn’t get in. Our two keys no longer worked. Hearing our distress at not being able to get in, a nearby service staffer came along with his master key and let us in, no questions asked. While we were irritated that our access had been wrongly cut off, we were grateful that someone was there to let us in, and we took advantage of his empathy. On the other hand, he was someone we’d never seen, and who had never seen us. Technically, he shouldn’t have let us in. That sort of behavior compromises the safety of guests and their belongings.

At checkout, I related the matter to the front desk staff because our keys should not have been cut off. “Wait,” the front desk man said. “Would you mind repeating that for our manager? He should be aware of this.” He got it. He understood the security ramifications. I have no doubt that the entire housekeeping staff got a refresher in security protocol.

Hotel door open

A few days before, in another hotel, we actually entered the wrong room. Housekeeping was there and let us walk on in. We saw other people’s stuff and realized we were on the wrong floor. But we could have done anything. “Oh, I just wanted to grab my computer…”

I’ve already written about hotel security in the hands of housekeeping staff.

… the security of our belongings is in the hands of the maids. How well are they trained? How much discretion do they have? When should they break the rules in order to be nice? When should they bend the rules in anticipation of a nice gratuity? What about temporary workers during the hotel’s high season, do they receive as thorough training? How many of us have approached our room only to find that we forgot our key, or the key doesn’t work, and a nice service staff member volunteers to let us in?

Hotel policy is one thing; compliance is another. How do you react when you find that your key doesn’t work (for the third time), the front desk is far away (giant hotel), your feet hurt and your arms are full and you’re dead tired, and the maid with a master key says “I’m sorry. It’s for your own security.”?

At the Campanile hotel in Paris, we got a replacement key from reception just by asking for it, giving the room number only. They didn’t even ask for a name. The staff on duty were the morning shift; they were not there at our check-in late the night before. They simply had no security procedures in place whatsoever.

Bob and I have just stayed at 15 different Canadian hotels over the past 20 days. Without even looking, we found security lapses in three of them. Hotels: take note. Guests: beware. Hotel security: is there a workable protocol?


Masked man “swapped boarding pass”?

No reports expand on the claim that this ballsy Asian impostor “swapped boarding passes with a U.S. citizen and passenger who was born in 1955.”

What 55-year-old U.S. citizen would agree to swap boarding passes with a stranger? Unless the early-20s Asian wasn’t a stranger… Then why isn’t the 55-year-old accomplice mentioned as a suspect, along with the impostor?

Or was the “swap” accomplished by picking the pocket of the other guy? Couldn’t be easier to slip a boarding pass out of a pocket and replace it with another. But then what? The other guy passes through the gate agent’s boarding-pass-scan while neither he, nor the gate agent, realize the boarding pass isn’t his; he boards the plane, looks at the (swapped) boarding pass to see his seat number, and even now fails to notice someone else’s name on the pass?

MSNBC has posted a PDF of an alleged Intelligence Alert issued by the Canada Border Services Agency. The alert states “It is believed that the subject and the actual United States Citizen passenger … performed a boarding pass swap…” which to me implies that the U.S. passenger was a complicit performer of the swap. But who is this “actual United States Citizen passenger,” anyway? Something’s missing.

Something’s fishy.
No one’s saying yet…

Publicly accusing hotels of theft

hotel room safe

Before a lengthy stay in a certain hotel in Italy this summer, I searched for reviews of it online. Among the raves on TripAdvisor, I found one review that loudly accused the hotel staff of stealing cash from a room safe. Not only that, the writer asserted that he had discovered that other rooms on the same floor had been targeted in the past.

Hotel management immediately addressed the allegation online but, not being fluent in English, did little to ameliorate the hotel’s reputation. The damage had been done, and the accusation remains online for potential visitors to consider.

“Hoteliers Look to Shield Themselves From Dishonest Online Reviews,” wrote The New York Times on October 25.

Although TripAdvisor does allow property owners to post responses to reviews, some hoteliers want the site to monitor comments more actively and take action when managers express concerns, especially when reviews border on libel.

Chris Emmins, a founder of KwikChex, a British reputation management company [is] seeking to organize a lawsuit against TripAdvisor on behalf of its clients.

Mr. Emmins said more than 800 businesses had inquired about participating in the case, but he expected only a few dozen would meet the criteria the company hoped to test, including the legality of reviews that accuse hotel staff of theft, assault or discrimination.

“I don’t think they belong on a review site,” he said. “They’re allegations of criminality.”

Before visiting the Italian hotel, I hatched a plan to booby trap the room safe, just to see if it was opened during our stay. You know—research. Upon arrival though, I gave up the idea. The place had nothing of a dodgy feel. If a safe theft had happened there, I’m convinced that it was an anomaly. During high season, many hotels take on extra short-term help, and some may be lax with background checks. But the question remains: was there really a theft at all?

Example: Back in March, Bob and I were in the lobby of our hotel in Mumbai when a guest strode up to the reception desk and accused hotel staff of stealing her iPod from a tote bag in her room.

“Wait a minute,” Bob butted in, and began grilling her. When had she last seen the iPod? Where had her bag been? Had it been zipped? In the control of others? Accessible on the plane? Handled by a taxi driver? By the time he was finished, the woman realized there had been many earlier opportunities for the theft and apologized to the hotel manager. Had she made her accusation online, the blot would remain, hurting the hotel, true or not, indefinitely.

Because we give presentations on theft, people constantly tell us their experiences as victims. It often seems to us that there’s quite a bit of conclusion-jumping. A few direct questions, as above, spur the victims to rethink the circumstances surrounding the disappearances of their valuables and reconsider where the blame should lie.

Hotel room theft by door-pushers

Hotel hall

“Door-pushers” are a problem in some cities. These thieves saunter down the long corridors of giant hotels with their arms outstretched, methodically pushing on every door on each side of the hall. Some doors open. In one city I won’t name, police get 300 to 400 reports of theft due to door-pushers every month.

“But we know there are more,” a police officer told me. “Some hotels prefer not to report them to us, but door-pushers we catch tell us they work there.” These are huge, famous hotels that don’t want negative publicity.

Hotel door

The risk is completely preventable. Just make certain your door closes tightly when you leave your room, and when you enter it. Why wouldn’t the door close tightly? Air pressure in hermetically sealed hotels is one possible reason; alignment of door latches or frames is another. Bob and I stayed in one hotel, a phenomenal one in Spokane, where the doors to suites took almost a full minute to close, due to hydraulic systems. We couldn’t pull the doors closed or hurry them along in any way. Patience was the only option. (Ours always closed properly, eventually.)

Police, security, challenge photographers despite public right

Airport security checkpoint

Is it legal to take photos at airport security checkpoints, or not?

Occasionally I’ll politely ask a TSA officer if I may take a picture. Usually, they say no. You know, “for security reasons.”

But not always. A few times they’ve said yes, but don’t take pictures of the X-ray machines. That always leaves me a little puzzled: which X-ray machines? Which part of them? But the TSOs didn’t seem to care and left me unsupervised.

Turns out that many police and security officers, TSA included, aren’t exactly aware of what’s allowed and what isn’t. Believing photography is prohibited, or erring on the “side of security,” or just exercising their authority, no photos is the default reaction.

Heathrow security checkpoint

And many of us, meek and obedient citizens that we are, accept that. Or we choose not to challenge the uniform. We don’t know what’s legal and what isn’t, either. We tend to have, in the back of our minds, the idea that it’s illegal to photograph bridges, airports, even police officers.

But yes, it is perfectly legal to take pictures at TSA checkpoints, with a few minor limitations (not the X-ray monitors, not if you interfere with the screening process). You can even videotape if you like—yes, you can film the officers, too. You might be challenged. You might be delayed by the officers. You might even miss your flight.

In fact, pretty much anything can be legally photographed from a public place (again, with a few exceptions), including crimes in progress, police officers, federal buildings, the New York subway, and security checkpoints. Yep, if you can see it, you can shoot it. Pretty much. I’m talking strictly about the U.S. here.

The Washington Post’s interesting July 26 article, Freedom of photography: Police, security often clamp down despite public right, reports that photographers are challenging unwarranted restrictions and posting disallowed photos online (usually after being forced to delete them, then recovering them).

…rules don’t always filter down to police officers and security guards who continue to restrict photographers, often citing authority they don’t have. Almost nine years after the terrorist attacks, which ratcheted up security at government properties and transportation hubs, anyone photographing federal buildings, bridges, trains or airports runs the risk of being seen as a potential terrorist.

Portland, Oregon attorney Bert P. Krages II has posted a useful, printable document, The Photographer’s Right: Your Rights and Remedies When Stopped or Confronted for Photography, which should be in every photographer’s camera bag. On his website, Mr. Krages says:

The right to take photographs in the United States is being challenged more than ever. People are being stopped, harassed, and even intimidated into handing over their personal property simply because they were taking photographs of subjects that made other people uncomfortable. Recent examples have included photographing industrial plants, bridges, buildings, trains, and bus stations. For the most part, attempts to restrict photography are based on misguided fears about the supposed dangers that unrestricted photography presents to society.

TSA checkpoint

This issue is pertinent to Bob and me in our thiefhunting exploits. We often feel on thin ice when shooting thieves in the wild, especially abroad. And perhaps sometimes we are. We’ve been challenged and chastised many times. Once we had a videotape seized, but we’d seen it coming and swapped the tape for a blank, pocketing the valuable footage we’d just shot.

I was admonished, not too long ago, for taking a few shots of a pair of armed and uniformed police officers drinking whiskey at an airport bar. Okay, it was in Trieste, Italy, not in the U.S.; I have no idea what my legal rights were. The officers leisurely sauntered over, after they’d finished their drinks, and said no photos. Okay. Then they left. Much later, when I left, they made a beeline for me and made me delete the photos. Had they been lying in wait? Anyway, I couldn’t recover the images.


Behavior analysis and video surveillance

Alleged member of the assassination team checks in at her hotel and waves toward the security camera. She's linked to the team by association. She wears various disguises during her stay.

For the last week, articles on the killing of Hamas operative Mahmoud al-Mabhouh in Dubai have been a veritable smorgasbord of intriguing intelligence reports. Anyone working intelligence or security analysis has intensely followed the different, and often contradictory, summarizations of which organizations were behind the killing.

Experts and retired intelligence officers in both Israel and Europe have concluded with 99% certainty that it must be the Mossad. The most interesting conclusion was written yesterday as an opinion piece in the weekend edition of The Wall Street Journal, dated February 20-21, headlined Israel and the Dubai murder mystery, by Ronen Bergman (senior military and intelligence analyst for Yedioth Ahronoth, a daily Israeli newspaper).

Other observations and background bits that are far deeper and have more detail from the perspective of the intelligence community are posted as comments under Bruce Schneier’s blog post on the Al-Mabhouh Assassination. 

To quickly understand why Dubai officials and their own intelligence office were able to piece together so quickly what really happened, look at the 28-minute video Alleged Assassins Caught on Dubai Surveillance Tape on Wired.com.

Two other alleged members in the hallway outside the victim's hotel room, making a turn to the right while looking to the left, where the victim's room is located.

Ronen Bergman (and many others) wonders how the Dubai police could connect team members and their activities so quickly. In his next-to-last paragraph, he states that casino and hotel surveillance security have long used techniques to track and apprehend suspects, cheaters and thieves.

There are already companies in Las Vegas that specialize in software and database analytics of known cheaters, and cutting-edge algorithms that analyze suspect behavior. This is not yet foolproof, but is already in place in large chains where thefts by employees or employee associates are high.

In analyzing behavior, irregular movement, body language, and interaction with others, it is extremely difficult to define what is regular behavior versus irregular. But looking at the Dubai tape, there are many moments when the suspects appear to be loitering or turning or tilting their heads unnaturally. I am sure in years to come this video will be used as a case study in how not to behave to avoid surveillance analytics.

We know from our conversations with thieves around the world that the smart ones are very aware of surveillance cameras and what they are capable of. The thieves simply avoid these locations and work elsewhere. A surveillance system is only as good as the monitor team. It takes a critical eye to quickly judge and determine what is suspect or irregular in order to stop crime before it happens.

A fourth alleged member of the team in the same hallway, standing with unnatural feet position, turned inwards.

Much more common is analyzing video after the fact. Once a crime has taken place, security personnel simply go back on the video timeline to establish exactly what happened and when. It then becomes essential to determine all the secondary ‘players’ around the incident, both before and after the event (attack, theft, or attempt), and to follow each individual backwards and forwards on the timeline to see who else is connected with these suspects. Examples include running the license plates of any car involved.

Facial recognition software is a good step forward if the individual already exists in a database. But this form of surveillance depends on camera angles, lights, and the suspects’ use of disguises. The Dubai suspects used many disguises, including wigs and different dress modes. The technology is in its early stages, especially the algorithms required to make irregular pattern recognition useful.

The Dubai debacle is particularly timely and interesting as a starting point for the security conference in Las Vegas today and tomorrow at the World Game Protection Conference and trade show. The keynote speaker will be Kevin Mitnick, the world-famous hacker who showed the security industry that terminals which are supposed to be fail-safe can be infiltrated. Several cases in the last few years involved clever gangs who succeeded in tampering with slots and poker machines, making huge illegal payoffs. Pattern recognition software was not able to block these modifications; only silly mistakes by the gang members tipped them off to casino management.

Kevin Mitnick is a social engineering sleuth of world-class reputation. In a few days, we’ll report on his work and keynote address. The rumor mill has been churning these past few weeks about the content of his presentation. We expect some intriguing revelations previously hidden by the gaming industry, or at least made to appear insignificant.

The manner in which the Dubai suspects moved about in hotel lobbies and around elevators reminds us of how sophisticated pickpockets and other deception thieves operate when tracking a high target, be it a Japanese high-roller or a diamond jeweler attending a jewelry trade show. The bottom line is that it is difficult to appear natural or to blend in as a regular traveler or tourist when your mind is running in a different direction.

More about the gaming security trade-show in a few days.