Social engineering—is it time to curtail trust?

Judy Stevens, who has more than 270 identities.

A couple of scumbags have been casing neighborhoods in Las Vegas, preying on elders. They chat up residents, pretending to be a former resident or a relative of a neighbor. They ask questions and gather information. When they’ve learned enough about someone elderly on the street, they approach the senior armed with facts and trivia—enough to garner the senior’s confidence. In every case, the bottom line is that they need money. The money’s not for them, of course; it’s for one of the neighbors, who is in a costly (fictitious) emergency situation, something medical, or maybe legal. The two solicitors are merely good samaritans.

Rick Shawn, who has more than 1,000 identities.

Classic social engineering. This pair of con artists has bilked 19 known victims in Las Vegas, all over age 73, out of tens of thousands of dollars. It’s likely that they’re connected to similar incidents in Arizona and California; it’s probable that many other victims exist, unaware they’ve been scammed, or embarrassed to come forward.

It sounds like a couple on a crime spree, but it’s much more than that. From our intensive workshop with NABI, we know that this is organized crime. Assistant district attorney Scott Mitchell called them gypsies. Most likely, they are members of one of the families called Travelers. These families move from town to town as they pull their scams, often on the elderly. They have a large repertoire, including sweetheart swindles, pigeon drops, fake lotto schemes, and home repair. Many of these are combined with plain old burglary.

The Travelers are organized crime families. So organized, that when they find a particularly gullible victim, they pass his info to the next family members scheduled to roll through that town. Then, even if the victim realizes that the roof repair or driveway resurfacing job was shoddy, he won’t recognize the brother or cousin who offers to paint the house with leftover paint from a job down the street, or the sister collecting funds for the sick man a few houses down.

'My dog is accused of eating neighbours chicken Plyz help with bail.' Don't be tempted.

These fraudsters go to extremes in order to impersonate a good samaritan. Through social engineering, they manipulate their victims with a realistic story, bamboozle them with bullshit, dupe them, and exploit them. It always ends one way: the victims’ money in the Travelers’ hands. The two pictured above go so far as to drive their victims to their banks or ATMs.

These two have been arrested and are being held, as of this moment, at Clark County Detention Center in Las Vegas. Travelers are known to have lawyers on retainer and bail money at the ready. Although the two are considered flight risks, they may bail out on the condition that they wear GPS ankle devices.

Actually, that’s not likely. I just spoke with Lieutenant Bob Sebby, Las Vegas Metro, who said that 15 additional victims have been confirmed. Metro is asking other victims to come forward.


Bob Arno on “Lie to me”

Two pickpockets looking for a victim.

I watched the first two episodes of Fox Network’s new television program Lie to Me, whose main character is loosely based on Paul Ekman, the world’s foremost expert on facial micro-expressions and how to spot when someone is lying. This is an intriguing, new subject to the majority of us. Call it a sexy science. Who wouldn’t like to immediately realize when his mate or partner is fibbing or deceiving him? And wouldn’t we like to ask our financial advisors: “have you ever swindled or cheated any of your previous customers?”

The bad guys, too, want to know how to manipulate their expressions when asked “where were you on the night of April 18?” Will this program suddenly shed light on surveillance and interrogation techniques that have previously been shrouded in mystery? It’s said that Paul Ekman is or has been working for the NSA. It’s confirmed that he’s involved in the structure of a limited program for TSA, in which screeners are supposed to detect irrational behavior in passengers that could indicate terrorist activity, signaling the need for additional and deeper screening of their luggage.

Dr. Ekman has spent a lifetime studying micro-expressions. What’s the chance

Bob Arno on redflagging as criminal profiling

An eye.

[Finally, a few words from Bob Arno.]

As we travel the world every year, we interact with organized crime figures, street criminals, and security personnel along the way, observing and absorbing the latest trends in criminal behavior and the latest techniques. Over the past twenty years, I have maintained dialogs and communications with some rather interesting criminal minds on four continents. But talking about security issues and criminal behavior, on the internet or to media in general, is always a dilemma. Yes, it’s useful to reveal the latest scoop about the rogue fringe of society, but by bringing revelations into the open we might tip our hand to the bad guys.

Striking up conversations with criminals usually means we first have to detect them, identify them, and somehow confirm that they really are thieves—unless we have direct cooperation from law enforcement agencies. We’ve developed unique skills in detecting criminal behavior and patterns that we recognize before the crimes take place. Modern crime prevention is often based on similar methods and techniques, and written into algorithms for computer analysis. Yes, they are obviously very different depending on the country where the criminals are active, the type of crimes anticipated, and other cultural factors. In security circles, a common word for this analytical activity is “redflagging.”

Bambi Vincent, Kevin Mitnick, and Bob Arno.

The kick-in-the-pants for this post came from an incident we became privy to in Atlanta last week, while there to address the ASIS annual conference—the world’s largest security convention. Kevin Mitnick, the famous (or infamous) former hacker—is there such a thing as former hacker?—was also there, as a presenter and panel host on Internet abuses. Kevin, always full of new anecdotes and intriguing ‘backend’ stories, is an old friend of ours. It was his exhaustive airport encounter earlier that day (with ICE, US customs, and the FBI) that got me thinking about redflagging, which is what entangled Kevin.

In the past few weeks, two books have been published which both indirectly focus on redflagging, how to isolate a certain behavior from the norm, and then to draw conclusions. This is not exactly science, but reasonable speculation. Behavior is an extension of human emotion; it’s difficult to completely suppress our emotions, and therefore our behavior.

The new books are The War Within: Secret White House, by Bob Woodward, and The Numerati, by Stephen Becker. Both books allude to new and secret formulas used by the U.S. government as well as the private sector, to fight terrorism and crime in general. Woodward’s book speculates about isolating terrorist leaders and taking them out with precise weapons. In his blog, Schneier on Security, Bruce Schneier wagers that Woodward is talking about “tagging.” The speculation centers around new technologies, but we can be quite certain that some algorithms on behavior are reasons for the new successes in the war on terrorism.

Lips

The other book, The Numerati, is not about politics or security developments. It’s about the latest trends in analyzing emerging patterns by drilling through data banks. A good review, “Drilling Through Data,” can be read in The Wall Street Journal, and there’s an interview with the author on NPR. The book discusses security software analytics. The last part of the book covers irregular pattern recognition and Jeff Jonas’ work in the casino industry. A good introduction to the world of Jeff Jonas and his contribution to the security industry is posted in O’Reilly’s Etech Conference pages from March 2008. Jeff Jonas works for IBM (and we assume for divisions of our National Security Agency, in some capacity or another). To get the gist of his talk on casino scams and how to detect crime in casinos using surveillance technology coupled with databases of known criminals, you have to drill further. This is very good reading for those with an interest in irregular pattern recognition.

Neither book sheds any precise information on what we want to know most: what are the security agencies concentrating on when they assemble their “trip wires” for redflagging? And that’s good; why should we let the other side know how they’re spotted?

Forehead

In its most simplistic application, analytics are used in surveillance software in the retail and hospitality industries, and in public places. For example, the scanning of individuals hovering or loitering around an entrance or in a hotel lobby; the number of seconds a cash register’s drawer stays open in a store; how the hands of the employee at that cash register move; the angle of the hand holding the credit card (think portable skimmers).

All of which is just foreplay to the real issue: the behavior of terrorists. What speed or pace and how do they walk when approaching a target? How does a female terrorist behave differently from a male? How do they behave when stopped or challenged? And most important, what about their face reactions? Can a telephoto video scanner pick up micro-expressions and can the latest research by people like Dr. Paul Ekman and Mark Frank map these movements with accuracy?

Fake smile.

For some interesting current examples of micro-expressions, watch again the recent Sarah Palin interview on ABC Evening News with Charles Gibson. The moments for interpretation come at three minutes and 59 seconds, when Charles Gibson asks her if she has ever met with foreign heads of state. More of the same expressions when Gibson asks whether Russia was provoked to go into Georgia, five minutes and 13 seconds into the interview. And finally, at eight minutes and 34 seconds, at the question about the Bush Doctrine. Whether the clenching, lip protrusion, closing of eyes, and swaying can be interpreted as precise proof of one thing or another is up to the students of Paul Ekman.

Redflagging as a form of profiling is controversial. My points above illustrate how complex and far-reaching the conclusions may be to our society. I have not even touched on the privacy angle, the national security aspects, and what the bad guys can do to counteract the revelations made by media on the latest security innovations. Ultimately it comes down to the old argument: what do we keep secret (for national security) and what do we allow the public to know in order to protect privacy and maintain open political dialogs?

My objective today is to draw attention to the constant need to fine-tune information analytics. It is the lack of qualified experts drawing useful conclusions, which has triggered all kinds of recent mishaps, near financial ruin, and security lapses. This article is not meant to start new political discussions on security secrecy or privacy protection. Others who specialize in advancing and protecting both viewpoints are far more qualified.

[The facial features above belong to confirmed criminals, photographed during interrogation.]

Kevin Mitnick redflagged

Bob Arno and Kevin Mitnick.

At the Atlanta airport last week, a limo driver stood holding a sign marked “Bob Arno.” Next to him stood another driver holding a sign marked “Kevin Mitnick.” You remember Kevin Mitnick, the young hacker imprisoned for five years, released in early 2000. Remember the “Free Kevin” campaign? The guy who popularized the term “social engineering”? Kevin calls himself a non-profit hacker, since he hacked into computer systems for the fun and challenge, and gained nothing of significance.

We knew Kevin would be in Atlanta—we were all there to present at ASIS, the huge security industry conference. But Kevin was flying in straight from a job in Colombia, so we didn’t expect to arrive in sync.

First we social-engineered his driver to learn where Kevin would be staying. Same hotel as us. Then the chatty driver said that Kevin had been due in two hours ago. Huh. We left a note with the driver inviting Kevin to dinner later and left.

The airport parking attendant held us hostage. Our driver had given him the parking ticket, but he wouldn’t raise the barrier to let us pass. Something was wrong with his computer, he said. We waited. After five minutes, we requested our ticket be returned so we could go to one of the other booths, which were all empty. No car was behind us, either. The attendant refused. Bob got out of the car and demanded the ticket back, fed up with our driver’s polite style of dealing with this ticket moron. No luck. The man kept his head down in his glass booth, impervious. Neither logic nor threats worked, and it was twelve minutes before we were allowed to exit the airport parking.

We caught up with Kevin several hours later, and he told a hold-up tale that made thoughts of our little delay evaporate completely. U.S. Customs had detained him and questioned him about his many trips to Colombia.

“I have a girlfriend there,” Kevin said.

“Have you ever been arrested?”

“Yes.” Kevin couldn’t lie to federal agents.

“What for?”

“Hacking.”

“Were you hacking in Colombia?”

“Yes, but that’s my job. I was hacking for a company that hired me, to see if their system is secure.”

As Customs officers began examining Kevin’s luggage, his cell phone rang. It was his girlfriend in Bogota, hysterical. Meanwhile, an officer lifted Kevin’s laptop. Kevin wasn’t concerned about it. He routinely wipes his hard drive before crossing borders, shipping an external drive containing his data to his destination. Everyone in the field of information security knows the Department of Homeland Security’s new policy:

Federal agents may take a traveler’s laptop or other electronic device to an off-site location for an unspecified period of time without any suspicion of wrongdoing, as part of border search policies…

“FedEx called,” the girlfriend said in her poor English, “they found cocaine in the hard drive!”

Kevin’s face went white and was instantly drenched in sweat. He wondered who could have put cocaine in his hard drive: his girlfriend? the packing/shipping storefront where he dropped it off? He assumed, understandably, that the hard drive seizure somehow prompted this Customs search.

“What are you doing here in Atlanta?” the Customs officer demanded.

“Speaking at the ASIS conference, moderating a panel on internet abuses. Here, I’ll show you.” He took the laptop and launched Firefox, intending to open the ASIS keynote web page. First, he hit “clear private data” and glanced at the officer, who instantly realized his own stupidity. The officer snatched back the computer.

HID card spoofer.

Other officers pulled suspicious items from Kevin’s bags. Out came another laptop, which they started up, thinking they’d found gold, unaware that they’d need a password and dongle to access the real guts of that machine. Then they pulled out a large, silvery, antistatic bag and extracted its weird contents.

“They thought they found the mother-lode,” Kevin told us, able to smile in retrospect. And we could imagine why, looking at the thing.

“What’s this, huh?” the agent smirked. Like, how are you going to explain this one away? We gotcha now!

“It’s an HID key spoofer,” Kevin explained to a blank face. “Like your ID card there. You just wave your card at the door to go through, right? I just need to get close to your card and press a little button here. Then I can go through, too. This thing becomes a copy of your card key.”

“Why do you have it?” the officer demanded accusingly.

“Because I demonstrate it at security conferences like ASIS.”

Somehow, Kevin kept his cool throughout four hours of grilling. When he was finally allowed to use a phone, he called an FBI agent who was to be on the panel he’d be moderating, and the FBI agent cleared him.

Having lost so much time, Kevin declined our dinner invitation, since he needed to prepare for his presentation. After listening to his long tale, Bob and I headed out to dinner alone. We found the French American Brasserie (http://www.fabatlanta.com/)—quite worth raving about. Although we both ordered moules marinière, hardly a test for a brasserie, we enjoyed the meal thoroughly, along with the decor, ambiance, and service.

Kevin had been red-flagged, of course. He found out later that Customs knew nothing of the cocaine in his hard drive. He also found out that there wasn’t any cocaine in his drive. There may have been a few grains on the outside of the package, but it came from Colombia, right? Still, the drive had to be ripped open to determine that it was drug-free, and it wasn’t clear whether or not the disk itself had been damaged.

Social engineering vs. security theater

Crabs in Maui

For a cross-country flight, I packed a lunch of deconstructed sandwiches. Slices of homemade walnut bread, a handful of arugula, a tomato, and a repurposed deli-container full of homemade crab salad. The crab salad was moist with mayo, lemon, and chopped apple. Spreadable, if not quite liquid, mostly filling an 8 oz container.

I didn’t expect it to pass security, so I was ready with Plan B: I’d back out of the security area, construct the sandwiches, and try again with the less-dense contraband.

So I’m pushing my carry-on along to the scanner belt when the TSA man on the x-ray calls for assistance. “Log-jam,” he says.

“They’re moving now,” I say, having straightened someone else’s bag. Mine goes through.

“I’m just trying to keep her busy [wink],” the TSA agent says, jerking his chin toward his colleague as she inspects the flow of bags.

I lock eyes with him. “Good strategy,” I wink back, and he doesn’t even glance at the screen as my bags sail through, crab salad and all.

Ah, social engineering vs. security theater. I love it.