The Art of Invisibility, by Kevin Mitnick, reveals how data on us is gathered


Our Data, Our Selves

They know who you are. They know what you buy, where you live, where you work, where you go in between. They know your most intimate secrets, not because you told anyone; they simply put the clues together and joined seemingly unrelated tidbits. Your shopping history, your online searches, words used in your email, the cell phone towers your phone used, even how fast or slowly you type. Combined, it all points to you. You leave data dribbles like greasy fingerprints to be dusted, collected, identified, and assembled.

By now we’re all used to being tracked and spied upon. We pretty much accept it, most of us. We know our web browsers act as spies and report our every move. Our credit cards and loyalty cards provide a treasure trove to someone (but who?), and our cell phones even more. We’re spied upon even with the cameras and microphones built into our own computers and cell phones. What can we do but shrug our shoulders and give up?

We’re vigilant about not clicking on spammers’ links, we’ve learned to look for “https” URLs when we make online payments, even to recognize spoof emails. But enough is enough, right? We have to live life! Today’s technology is as vital as food and water and we have to use it. Who can spend time worrying about all this info-gathering, especially since it’s invisible and does not present an inconvenience? Forget it. That’s life. Move on…

Or…?

Trade-offs

We constantly and willingly give up our data for something in return. And it seems like a fair exchange: handing over data is painless; the benefit is all ours! We get free stuff, convenience, points, discounts, rewards, elite status, the privilege of using a “free” app… [Warning: rant coming…

WhatsApp is my pet peeve. Many, many of my friends and colleagues, even those in the security business, use it. And what’s the first thing the app does after you download it? “WhatsApp would like to access your contacts.” “OK,” you say and—whoops!—there they go, all your contacts, including my info if I’m in your address book (and I’m not even a user!), against my will, handed over so WhatsApp and Facebook can “share information with third-party providers,” in other words, so they can sell my personal info. Thanks, friends. Yet, prominently, ironically, WhatsApp proclaims on its site “Privacy and Security is in our DNA.” Okay, its messages are encrypted, but what’s private or secure (or honest) about sucking up all the contacts of a naive user? True, WhatsApp is not the only app that commits this surreptitious theft of information. Uber is another. But, I digress. …Whew. Okay, end of tirade.]

Where was I? Trade-offs. Security is a trade-off which costs us in convenience, simplicity, expense, dignity, time, and much more. Wouldn’t it be swell if we didn’t need passwords, locks, or TSA? But we do need these, obviously. Luckily, the average person can deal with the minimum required amount of security.

Privacy is another matter though. We can shut our curtains but… do you have tape over your webcam? Put your birthday on Facebook? Unknowingly hand over all your contacts’ info to WhatsApp or some other software company? Use a credit card, loyalty card, agree to “our terms and conditions”? Yeah, privacy is pretty hopeless nowadays. If you browse the internet or use a cell phone, you’re being tracked. Not only tracked, but micro-tracked. Data about you is collected at every turn, codified, traded, bought, sold, and used to build a scarily detailed dossier—which is also bought and sold. It’s your data shadow; it sticks to you and grows as the minutes pass, like the setting sun’s lengthening silhouette attached to your feet.

In fact, data you enter on some web forms, for example Quicken Loans’ Mortgage Calculator, is sucked up even before you give it permission by clicking “submit.”


To avoid being tracked, to stay under the radar and off the grid, to be invisible, is a huge trade-off. A Sisyphean task. Kevin Mitnick lays it out in his book, The Art of Invisibility, step by step. And he should know, having evaded the FBI for two and a half years before he was arrested and imprisoned for five years. Remember “Free Kevin”? I highly recommend Kevin’s entertaining and page-turner previous book, Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker.

Entertaining, The Art of Invisibility is not. Page-turner…uh-uh. But it is fascinating, and after a good primer on the basics, goes into technical detail that might be more interesting than useful for many of us ordinary people. For every scary spy technique revealed, Mitnick tells us how to avoid that particular trap. They’re not easy to thwart—short of living in a cave secluded and self-sufficient, it’s a lot of work. As in, huge trade-off. And Mitnick tells us repeatedly: we will make a mistake. We will trip ourselves up. That’s how hackers and leakers are discovered. They make some tiny mistake that allows them to be traced and their identities revealed. But most of us don’t really want or need invisibility. We just want to avoid the obvious pitfalls and take, at least, the easy precautions.

Mitnick tells us there’s much we can do easily, and tests we can run to see just how vulnerable we are online. We should do as much as our tolerance allows, up to our own personal trade-off limit. You lock your car, right? Do you use a LoJack? You lock your home. Do you have a security system? Do you use it? Do you have iron bars on your windows? We’ll each go to a certain level, then hit our quitting point.

Simple, important steps include turning off location-sharing, blocking pop-up windows, deleting cookies, killing super-cookies, using end-to-end encrypted messaging, and many, many more.

But to truly reach online invisibility, Mitnick addresses three large categories: hide your real IP address; shield your hardware and software; and defend your anonymity. The hoops one must clamber through for each of these are many and challenging.

You can hide but you’ll still be seen

Offline is another matter. How many times per day is your photo captured by surveillance video or someone’s ordinary camera? What might they do with it? Are people flying drones over your house? Retailers can now capture the identity of your cell phone when you enter their store, and look up all kinds of details about you. So can law enforcement, in large crowds of protestors, for example.

Facial recognition software is in use in some places, for example in churches, to log your attendance, and not necessarily with your knowledge or permission. (Fix: wearing special, light-emitting glasses.)

You’re tracked in multiple ways and recognized using almost every form of transportation (bus, train, subway, taxi, your own car). Uber maintains your ride history; and that’s nothing compared to what Tesla knows about its car owners. And get this: if you take a subway train, the accelerometer log on your own cell phone can be matched to the subway line you took and exactly where you boarded and disembarked. Is that creepy, or what? (Fix: drop out of life entirely?)

Have a voice activated TV? It’s listening for your command; what else does it hear, and where does the speech it records go for recognition? Use Siri, Alexa, Google Assistant, or one of those voice-recognizing gizmos? They’re always on and listening; how secure are they, and who’s eavesdropping? Where does the recording go for artificial intelligence interpretation and how long is it stored?

What do you have connected to your home network? Lighting, doorbell, thermostat, baby monitor, pool control, security system, door lock, webcam, refrigerator? The Internet-of-Things (IoT) is most troublesome, because most of these peripherals you control with your phone or tablet are not built for security and are not patched or updated. A hacker can use these convenient connected systems to gain access to your entire home network. (Fix: live in a cave?)

“To master the art of invisibility, you have to prevent yourself from doing private things in public.”

Need to conduct personal business while at work? If you want it to be private, don’t use company computers, printers, or company issued cell phones. Use your own, personal device, and use your own personal cellular data network, not the company wifi. Actually, don’t use any other wifi, devices, or printers, including the library’s or the copy shop’s. They all save logs and PDFs of documents you print that you can’t delete. Your data crumbs are dribbled everywhere by default; actively preventing the leakage is not easy.

(A top secret foreign military unit recently hired Bob and me for training. But because of the insecurity of communications, and because Bob and I, mere civilians, did not have access to a “cone of silence,” the group flew us overseas without even telling us about our assignment. That’s military-grade security.)

I got a special kick out of the beginning of Chapter Fourteen. Mitnick describes a harrowing incident in which he was detained for hours by customs agents upon flying into Atlanta from Bogotá. Bob and I had also flown into Atlanta at the same time, and were to speak at the same security conference, the American Society for Industrial Security (ASIS). We were waiting for Mitnick at the airport… and waiting, and waiting. We finally left without him, and learned late that night what had happened to him, which you’ll have to read the book to find out. He was cool but shaken, if one can be both of those at once, and angry because he was unable to prepare properly for the panel he’d be moderating in the morning.

Mitnick lays out the pitfalls and tricks of returning to the U.S. from abroad, and how to keep your data out of the hands of curious Customs and Immigration officials. He explains in great detail how to use a Tor browser, a VPN, and Bitcoin to set up anonymous browsing; oh, and first turn off your home network, use a separate computer (which you purchased anonymously with cash), change your MAC address, use a personal hotspot on a burner phone (purchased anonymously), stay on the move, and remember not to check Facebook or your personal email. I skipped some steps, but you get the idea.

Know the difference between the Surface Web, the Deep Web, and the Dark Web? Mitnick explains all that, and why a law-abiding citizen might have a legitimate need to browse anonymously. If you really want to do it, all the steps are detailed. It’s a lot of work. And, as Mitnick emphasizes, a nanosecond of lapse will blow it all completely.

One thing Mitnick does not address in The Art of Invisibility is healthcare. I wonder how he would get medical treatment if he were trying for invisibility today? How did he do it when he was on the lam in the 90s (though things were much different way back then)?

I have to ask him that. If I can find him…

© Copyright Bambi Vincent 2007-present. All rights reserved.

Ghost in the Wires

Ghost in the Wires cover

I thought Kevin Mitnick was a friend of mine—but that was before I read his forthcoming book, Ghost in the Wires. Kevin’s the consummate liar, it seems. He’ll say anything to get what he wants, going to extreme efforts to research, then set up support for elaborate cons. He’ll claim to be a cop, a utility employee, or your colleague from a remote office, if it serves his purpose. A faceless voice on the telephone, he’ll sweet-talk one minute, and command with authority the next. At least he used to do this, before spending five years in federal prison…

To become the boldfaced name in social engineering, Kevin honed a natural knack for people-reading from childhood. He was a telephone Zelig who rarely needed to get out of his sweats. He always found a plausible pretext for his capers and pursued them with outrageous chutzpah. Rarely would he fail to obtain the information he sought.

Can one retire a talent like that? I doubt it, but as I can’t think of what use Bob and I are to Kevin, I prefer to think that we really are his friends.

Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker is Kevin’s third book, to be published in August 2011. I love that title. The book chronicles how Kevin, from an early age, tinkered with communication devices: ham radios, telephones, cellphones, computers, and the software that runs them all. Although he was obsessively compelled to dig deeper and deeper into the gizmo-code, he never tried to make or steal money from his exploits. He did it out of his own curiosity, to learn more, and to challenge himself to do what seemed impossible.

Sometimes, in his relentless pursuit of knowledge, he simply had to break into a company’s computer to get the software, the code, or the user names and passwords that he needed. In an electronic sense, that’s breaking and entering. And when he copied that proprietary information for his own use, well, that’s stealing.

Once he’d gained access to his target computer, he’d usually fiddle with its inner settings just enough to plant a “backdoor,” an easy way in for his next visit. He might read his target’s emails and even copy them, but he never destroyed the files.

Imagine an intruder who breaks into your house, sneaks around and looks into your secret hiding places, rifles your files, and picks through your drawers. Satisfied, he then backs out quietly leaving everything just as it was, sweeps up his footprints and, oh yeah—copies your house key on the way out.

Bambi Vincent, Kevin Mitnick, Bob Arno

I’ve heard Kevin call himself a “non-profit hacker.” Sure, he got himself free phone calls, but throughout his hacking career, he was always gainfully employed. With the information he had at his fingertips, he could easily have enjoyed a life of leisure from credit card fraud. He could have sold proprietary source code in the hackers’ underworld. But no; Kevin lacks a vital attribute. He has nerves of steel and gigantic balls, but he does not possess a criminal core. He was simply educating himself.

That is, until he got himself in trouble for snooping. Then he needed that information to protect himself, so he could make untraceable phone calls, so he could listen in to others. As the Feds closed in on him, he needed to know how much they knew about him, too.

Many times while reading Ghost in the Wires I wanted to smack Kevin. I wanted to shake him and say “you just got out of juvenile detention for doing just this—why are you doing it again?” He makes it clear that his hacking was his idea of fun and entertainment, to see if he could get to the next level. Like an addicted gamer.

It turns out, after all, that Kevin was busy educating himself. From “the world’s most wanted hacker” he has become one of the most wanted security experts in the world. He’s now considered the ultimate social engineer and an “ethical hacker,” one whose challenge is to break into his clients’ systems, whether electronically or by social engineering. In other words, as Mitnick Security, he’s now paid to do what he loves, and he no longer has to look over his shoulder.

Social engineers are an ominous bugbear to security. A company (or you!) can have the tightest security system in place, but humans are its weakest link. For a hacker like Kevin, it’s easier to simply ask for the key to the front door than to steal it. He simply has to ask in the right way. Because social engineers are basically skillful actors playing a role, they’re an invisible threat and a daunting challenge for businesses.

I’m no hacker, that’s for sure, nor even a programmer. Yet, I found it fascinating to read exactly how Kevin finagled himself into systems and tweaked them to his advantage. Kevin wanted to include more of the nitty-gritty hackery in the book, but his co-author, Bill Simon, saved us readers from too much esoterica. I think they struck an excellent balance. I never felt bogged down by the technical bits.

In fact, some might worry that Ghost is a hackery cookbook, complete with lessons in how to get others to spill their secrets. I worried about this aspect with my own book, Travel Advisory: How to Avoid Thefts, Cons, and Street Scams.

Does an exhaustive explanation of theft techniques actually teach the thieves? Kevin and I obviously came to the same conclusion: no, there’s more to gain by putting all the details out there, the better to protect yourself.

I feel a little sorry for all the good people whose trust Kevin exploited. They bought into his ruses in a good-faith effort to be helpful. No doubt that he used them, and probably got many of them into big trouble. Well, in my line of work too, thiefhunting and training the public to avoid theft, a kernel of cynicism is not a bad seed to plant. Kevin’s patsies will think twice before giving out sensitive information.

Ghost is 400+ pages of tension, broken only by Kevin’s sentimental musings about his mother and grandmother, who are constant supportive figures in his life, and the heartbreaking side-story of his brother. It’s fast reading—a tribute to the clear writing and exciting story.

Yeah, yeah, you think I’m all positive because Kevin’s my friend. He gave me an unedited galley copy of the book (littered with typos), but didn’t ask me to write about it. If I hadn’t liked it, I wouldn’t have written a word.

Or maybe I would have. After all, Kevin might not be a real friend of mine…

© Copyright 2008-present Bambi Vincent. All rights reserved.

Behavior analysis and video surveillance

Alleged member of the assassination team checks in at her hotel and waves toward the security camera. She's linked to the team by association. She wears various disguises during her stay.

For the last week, articles on the killing of Hamas operative Mahmoud al-Mabhouh in Dubai have been a veritable smorgasbord of intriguing intelligence reports. Anyone working in intelligence or security analysis has intensely followed the different, and often contradictory, summarizations of which organizations were behind the killing.

Experts and retired intelligence officers in both Israel and Europe have concluded with 99% certainty that it must be the Mossad. The most interesting conclusion was written yesterday as an opinion piece in the weekend edition of The Wall Street Journal, dated February 20-21, headlined Israel and the Dubai murder mystery, by Ronen Bergman (senior military and intelligence analyst for Yedioth Ahronoth, a daily Israeli newspaper).

Other observations and background bits that are far deeper and have more detail from the perspective of the intelligence community are posted as comments under Bruce Schneier’s blog post on the Al-Mabhouh Assassination. 

To quickly understand why Dubai officials and their own intelligence office were able to piece together so quickly what really happened, look at the 28-minute video Alleged Assassins Caught on Dubai Surveillance Tape on Wired.com.

Two other alleged members in the hallway outside the victim's hotel room, making a turn to the right while looking to the left, where the victim's room is located.

Ronen Bergman (and many others) wonders how the Dubai police could connect team members and their activities so quickly. In his next-to-last paragraph, he states that casino and hotel surveillance security have long used techniques to track and apprehend suspects, cheaters and thieves.

There are already companies in Las Vegas that specialize in software and database analytics of known cheaters, and cutting-edge algorithms that analyze suspect behavior. This is not yet foolproof, but is already in place in large chains where thefts by employees or employee associates are high.

In analyzing behavior, irregular movement, body language, and interaction with others, it is extremely difficult to define what is regular behavior versus irregular. But looking at the Dubai tape, there are many moments when the suspects appear to be loitering or turning or tilting their heads unnaturally. I am sure in years to come this video will be used as a case study in how not to behave to avoid surveillance analytics.

We know from our conversations with thieves around the world that the smart ones are very aware of camera surveillance and what they are capable of. The thieves simply avoid these locations and work elsewhere. A surveillance system is only as good as the monitor team. It takes a critical eye to quickly judge and determine what is suspect or irregular in order to stop crime before it happens.

A fourth alleged member of the team in the same hallway, standing with unnatural feet position, turned inwards.

Much more common is analyzing video after the fact. Once a crime has taken place, security personnel simply go back on the video timeline to establish exactly what happened and when. It then becomes essential to determine all the secondary ‘players’ around the incident, both before and after the event (attack, theft, or attempt), and to follow each individual backwards and forwards on the timeline to see who else is connected with these suspects. Examples include running the license plates of any car involved.

Facial recognition software is a good step forward if the individual already exists in a database. But this form of surveillance depends on camera angles, lights, and the suspects’ use of disguises. The Dubai suspects used many disguises, including wigs and different dress modes. The technology is in its early stages, especially the algorithms required to make irregular pattern recognition useful.

The Dubai debacle is particularly timely and interesting as a starting point for the security conference in Las Vegas today and tomorrow at the World Game Protection Conference and trade show. The keynote speaker will be Kevin Mitnick, the world-famous hacker who showed the security industry that terminals which are supposed to be fail-safe can be infiltrated. Several cases in the last few years involved clever gangs who succeeded in tampering with slots and poker machines, making huge illegal payoffs. Pattern recognition software was not able to block these modifications; only silly mistakes by the gang members tipped them off to casino management.

Kevin Mitnick is a social engineering sleuth of world-class reputation. In a few days, we’ll report on his work and keynote address. The rumor mill has been churning these past few weeks about the content of his presentation. We expect some intriguing revelations previously hidden by the gaming industry, or at least made to appear insignificant.

The manner in which the Dubai suspects moved about in hotel lobbies and around elevators reminds us of how sophisticated pickpockets and other deception thieves operate when tracking a high-value target, be it a Japanese high-roller or a diamond jeweler attending a jewelry trade show. The bottom line is that it is difficult to appear natural or to blend in as a regular traveler or tourist when your mind is running in a different direction.

More about the gaming security trade-show in a few days.

Bob Arno on competitive intelligence

Slovenia Twitter-bird?

I (@bobarno) recently wrote about my reluctance to use Twitter and the pros and cons of sharing information with everyone who might be a follower. Not about the benefits of twittering, which I fully appreciate and understand, but about my own reservations and the extent of my own involvement. My concerns were competitive intelligence repercussions, and maybe my own desire to be as spunky (in a tweet) as I try to be on stage.

Well, this is obviously a timely subject matter, faced by many busy executives. In the last couple of weeks conversations with like-minded entertainers, speakers and bookers have all raised similar concerns. On May 27, Molly Murray-Threipland (who often writes about twittering in The New York Times), made the observation that it isn’t teenagers who are the largest tweeting group, but the 45 to 54’s.

Just three weeks after I wrote my own blog post, Business Week (May 21) dedicated its main theme, cover page, and several articles to the same issues. The two lead stories were Learning, and Profiting, from Online Friendships and Web 2.0: Managing Corporate Reputations.

In Managing Corporate Reputations, Gina Poole, vice-president of social software programs and enablement at IBM—that’s right, her life centers solely on how to train and harness IBM’s employees’ twitter posts—said, “You’re building your social reputation, so you don’t want to be a frivolous or an uninteresting person,” and the article summarizes: “while many see Twitter as a place to indulge one’s inner self, IBM wants employees to ‘add value’ in all their online postings.” Of course that’s seen from the perspective of the corporation and its concern for corporate image and identity.


On being perceived as mundane versus a source of brilliant repartee with deep content, take a look at Kevin Mitnick’s tweets. Kevin (@kevinmitnick), one of the world’s most famous or infamous hackers, depending on your point of view of anyone who has served time in “the box” (prison slang for a full-board vacation, courtesy of the U.S. government), twitters occasionally and has many followers. Kevin is an astute ‘social engineer’ (maybe one of the all-time best), a great observer of human behavior, and equally funny (privately at least); but Kevin does not share his latest skill sets or pen-testing exploits in his tweets. A follower (of Kevin’s) recently complained: “You never tweet anything interesting! Just your travel schedule. Tell us what you’re working on. something! Unfollow.” Kevin replied “Sorry I don’t meet your expectations of tweeting interesting stuff meniscuss—maybe i should tweet your passwords—hehe.”

Of course what they really want is some insight into “hacking” so that they can do what Kevin does, for fun or profit. High-profile pen-testing is a murky world and probably very profitable for those with the ultimate knowledge base. The hackers at the top of the food chain have strong relationships, globally, with the ‘bad guys.’ Is it conceivable that Kevin, or someone like Kevin, would tweet: “in St Petersburg today hanging with Dmitri Androsov & the Hell Knights Crew, & we’re working on some cute BackTrack exploits.” Not a chance! Acknowledging sources, or anything that would let your readers deduce your ‘deep’ friends, would have to be restricted.

That’s like me asking a pickpocket in Barcelona

Bob Arno on redflagging as criminal profiling

An eye.

[Finally, a few words from Bob Arno.]

As we travel the world every year, we interact with organized crime figures, street criminals, and security personnel along the way, observing and absorbing the latest trends in criminal behavior and the latest techniques. Over the past twenty years, I have maintained dialogs and communications with some rather interesting criminal minds on four continents. But talking about security issues and criminal behavior, on the internet or to media in general, is always a dilemma. Yes, it’s useful to reveal the latest scoop about the rogue fringe of society, but by bringing revelations into the open we might tip our hand to the bad guys.

Striking up conversations with criminals usually means we first have to detect them, identify them, and somehow confirm that they really are thieves—unless we have direct cooperation from law enforcement agencies. We’ve developed unique skills in detecting criminal behavior and patterns that we recognize before the crimes take place. Modern crime prevention is often based on similar methods and techniques, and written into algorithms for computer analysis. Yes, they are obviously very different depending on the country where the criminals are active, the type of crimes anticipated, and other cultural factors. In security circles, a common word for this analytical activity is “redflagging.”

Bambi Vincent, Kevin Mitnick, and Bob Arno.

The kick-in-the-pants for this post came from an incident we became privy to in Atlanta last week, while there to address the ASIS annual conference—the world’s largest security convention. Kevin Mitnick, the famous (or infamous) former hacker—is there such a thing as a former hacker?—was also there, as a presenter and panel host on Internet abuses. Kevin, always full of new anecdotes and intriguing ‘backend’ stories, is an old friend of ours. It was his exhausting airport encounter earlier that day (with ICE, US Customs, and the FBI) that got me thinking about redflagging, which is what entangled Kevin.

In the past few weeks, two books have been published which both indirectly focus on redflagging, how to isolate a certain behavior from the norm, and then to draw conclusions. This is not exactly science, but reasonable speculation. Behavior is an extension of human emotion; it’s difficult to completely suppress our emotions, and therefore our behavior.

The new books are The War Within: Secret White House, by Bob Woodward, and The Numerati, by Stephen Baker. Both books allude to new and secret formulas used by the U.S. government as well as the private sector to fight terrorism and crime in general. Woodward’s book speculates about isolating terrorist leaders and taking them out with precise weapons. In his blog, Schneier on Security, Bruce Schneier wagers that Woodward is talking about “tagging.” The speculation centers around new technologies, but we can be quite certain that some algorithms on behavior are reasons for the new successes in the war on terrorism.

Lips

The other book, The Numerati, is not about politics or security developments. It’s about the latest trends in analyzing emerging patterns by drilling through data banks. A good review, “Drilling Through Data,” can be read in The Wall Street Journal, and there’s an interview with the author on NPR. The book discusses security software analytics. The last part of the book covers irregular pattern recognition and Jeff Jonas’ work in the casino industry. A good introduction to the world of Jeff Jonas and his contribution to the security industry is posted in O’Reilly’s Etech Conference pages from March 2008. Jeff Jonas works for IBM (and we assume for divisions of our National Security Agency, in some capacity or another). To get the gist of his talk on casino scams and how to detect crime in casinos using surveillance technology coupled with databases of known criminals, you have to drill further. This is very good reading for those with an interest in irregular pattern recognition.

Neither book sheds any precise information on what we want to know most: what are the security agencies concentrating on when they assemble their “trip wires” for redflagging? And that’s good; why should we let the other side know how they’re spotted?

Forehead

In its most simplistic application, analytics are used in surveillance software in the retail and hospitality industries, and in public places. For example, the scanning of individuals hovering or loitering around an entrance or in a hotel lobby; the number of seconds a cash register’s drawer stays open in a store; how the hands of the employee at that cash register move; the angle of the hand holding the credit card (think portable skimmers).

All of which is just foreplay to the real issue: the behavior of terrorists. What speed or pace and how do they walk when approaching a target? How does a female terrorist behave differently from a male? How do they behave when stopped or challenged? And most important, what about their face reactions? Can a telephoto video scanner pick up micro-expressions and can the latest research by people like Dr. Paul Ekman and Mark Frank map these movements with accuracy?

Fake smile.

For some interesting current examples of micro-expressions, watch again the recent Sarah Palin interview on ABC Evening News with Charles Gibson. The moments for interpretation come at three minutes and 59 seconds, when Charles Gibson asks her if she has ever met with foreign heads of state. More of the same expressions when Gibson asks whether Russia was provoked to go into Georgia, five minutes and 13 seconds into the interview. And finally, at eight minutes and 34 seconds, at the question about the Bush Doctrine. Whether the clenching, lip protrusion, closing of eyes, and swaying can be interpreted as precise proof of one thing or another is up to the students of Paul Ekman.

Redflagging as a form of profiling is controversial. My points above illustrate how complex and far-reaching the conclusions may be to our society. I have not even touched on the privacy angle, the national security aspects, and what the bad guys can do to counteract the revelations made by media on the latest security innovations. Ultimately it comes down to the old argument: what do we keep secret (for national security) and what do we allow the public to know in order to protect privacy and maintain open political dialogs?

My objective today is to draw attention to the constant need to fine-tune information analytics. It is the lack of qualified experts drawing useful conclusions that has triggered all kinds of recent mishaps, near financial ruin, and security lapses. This article is not meant to start new political discussions on security secrecy or privacy protection. Others who specialize in advancing and protecting both viewpoints are far more qualified.

[The facial features above belong to confirmed criminals, photographed during interrogation.]

Kevin Mitnick redflagged

Bob Arno and Kevin Mitnick.

At the Atlanta airport last week, a limo driver stood holding a sign marked “Bob Arno.” Next to him stood another driver holding a sign marked “Kevin Mitnick.” You remember Kevin Mitnick, the young hacker imprisoned for five years, released in early 2000. Remember the “Free Kevin” campaign? The guy who popularized the term “social engineering”? Kevin calls himself a non-profit hacker, since he hacked into computer systems for the fun and challenge, and gained nothing of significance.

We knew Kevin would be in Atlanta—we were all there to present at ASIS, the huge security industry conference. But Kevin was flying in straight from a job in Colombia, so we didn’t expect to arrive in sync.

First we social-engineered his driver to learn where Kevin would be staying. Same hotel as us. Then the chatty driver said that Kevin had been due in two hours ago. Huh. We left a note with the driver inviting Kevin to dinner later and left.

The airport parking attendant held us hostage. Our driver had given him the parking ticket, but he wouldn’t raise the barrier to let us pass. Something was wrong with his computer, he said. We waited. After five minutes, we requested our ticket be returned so we could go to one of the other booths, which were all empty. No car was behind us, either. The attendant refused. Bob got out of the car and demanded the ticket back, fed up with our driver’s polite style of dealing with this ticket moron. No luck. The man kept his head down in his glass booth, impervious. Neither logic nor threats worked, and it was twelve minutes before we were allowed to exit the airport parking.

We caught up with Kevin several hours later, and he told a hold-up tale that made thoughts of our little delay evaporate completely. U.S. Customs had detained him and questioned him about his many trips to Colombia.

“I have a girlfriend there,” Kevin said.

“Have you ever been arrested?”

“Yes.” Kevin couldn’t lie to federal agents.

“What for?”

“Hacking.”

“Were you hacking in Colombia?”

“Yes, but that’s my job. I was hacking for a company that hired me, to see if their system is secure.”

As Customs officers began examining Kevin’s luggage, his cell phone rang. It was his girlfriend in Bogota, hysterical. Meanwhile, an officer lifted Kevin’s laptop. Kevin wasn’t concerned about it. He routinely wipes his hard drive before crossing borders, shipping an external drive containing his data to his destination. Everyone in the field of information security knows the Department of Homeland Security’s new policy:

Federal agents may take a traveler’s laptop or other electronic device to an off-site location for an unspecified period of time without any suspicion of wrongdoing, as part of border search policies…

“FedEx called,” the girlfriend said in her poor English, “they found cocaine in the hard drive!”

Kevin’s face went white and was instantly drenched in sweat. He wondered who could have put cocaine in his hard drive: his girlfriend? the packing/shipping storefront where he dropped it off? He assumed, understandably, that the hard drive seizure somehow prompted this Customs search.

“What are you doing here in Atlanta?” the Customs officer demanded.

“Speaking at the ASIS conference, moderating a panel on internet abuses. Here, I’ll show you.” He took the laptop and launched Firefox, intending to open the ASIS keynote web page. First, he hit “clear private data” and glanced at the officer, who instantly realized his own stupidity. The officer snatched back the computer.

HID card spoofer.

Other officers pulled suspicious items from Kevin’s bags. Out came another laptop, which they started up, thinking they’d found gold, unaware that they’d need a password and dongle to access the real guts of that machine. Then they pulled out a large, silvery, antistatic bag and extracted its weird contents.

“They thought they found the mother-lode,” Kevin told us, able to smile in retrospect. And we could imagine why, looking at the thing.

“What’s this, huh?” the agent smirked. Like, how are you going to explain this one away? We gotcha now!

“It’s an HID key spoofer,” Kevin explained to a blank face. “Like your ID card there. You just wave your card at the door to go through, right? I just need to get close to your card and press a little button here. Then I can go through, too. This thing becomes a copy of your card key.”

“Why do you have it?” the officer demanded accusingly.

“Because I demonstrate it at security conferences like ASIS.”

Somehow, Kevin kept his cool throughout four hours of grilling. When he was finally allowed to use a phone, he called an FBI agent who was to be on the panel he’d be moderating, and the FBI agent cleared him.

Having lost so much time, Kevin declined our dinner invitation, since he needed to prepare for his presentation. After listening to his long tale, Bob and I headed out to dinner alone. We found the French American Brasserie—quite worth raving about. http://www.fabatlanta.com/ Although we both ordered moules marinière, hardly a test for a brasserie, we enjoyed the meal thoroughly, along with the decor, ambiance, and service.

Kevin had been red-flagged, of course. He found out later that Customs knew nothing of the cocaine in his hard drive. He also found out that there wasn’t any cocaine in his drive. There may have been a few grains on the outside of the package, but it came from Colombia, right? Still, the drive had to be ripped open to determine that it was drug-free, and it wasn’t clear whether or not the disk itself had been damaged.