Wednesday, November 30, 2016

Video: The Search For the Perfect Door - Deviant Ollam

If there's just one video you watch today, you should watch this one. Deviant Ollam, a physical security penetration tester, was at ShakaCon, an information security conference, talking about how to pick the perfect door. I won't spoil the video, but he covers way more than just doors. It's both insightful and illuminating. Well worth a view.

Tuesday, November 29, 2016

The Good, The Bad, & The Ugly - The Tale of A Gun Store Robbery


I have A LOT to say about the video below. It shows a robbery of a Tampa, Florida gun store, Tampa Arms. The robbers made entry into the establishment by DRIVING A TRUCK THROUGH THE FRONT DOOR. Yeah, an entire pickup truck. They made off with approximately FORTY firearms - Glock handguns, shotguns and AR-15 rifles. I heard that "Damn," by the way, and I totally agree. The video lasts about five minutes and the quality is rough to say the least.

So, let's get to the good, the bad, and the utterly atrocious.

The Good

  1. There was video and it worked. I know. That's not saying an awful lot but...given my professional experience, this is very good. It appears to be a DIY install and the quality (we'll address that later) is, well, crap. But it was positioned where it could capture the entirety of the event. It didn't, mostly because the quality was crap. Did I mention the quality is crap?

The Ugly

  1. Did you notice I only had one "good" thing to note?

The Atrocious

  1. The quality is HORRIBLE. Holy smokes! Seriously, if you're going to install a camera over an entryway to capture theft, it should either ALWAYS have good lighting or have infrared lighting during hours of limited visibility (like when robberies are more likely to occur).


  2. The position of the camera sucks. Like it sucks REALLY, REALLY, REALLY, REALLY, REALLY, REALLY, REALLY bad. When you're doing a DIY install, it is super-duper easy to miss what actual security professionals notice. Stuff like whether a camera is positioned at an angle to capture faces from multiple viewpoints. For example, the camera at the front doorway only caught the suspects' faces as they turned around. Perhaps, there should be a camera actually facing the door unobstructed. A simple test done in complete darkness after the install would have revealed what we now see - this video is useless.
  3. NEVER EVER EVER EVER EVER have firearms not locked in a secure container after store hours. Period. There are absolutely ZERO sound reasons why those weapons were out of containers. They need to be locked up. Remember the name of the game isn't just detection - there's delaying attackers as well.
  4. TEST YOUR SECURITY SYSTEM REGULARLY. The attackers had a lot of time on this particular robbery. This tells me either the alarm failed or notification was entirely too slow. Business owners should do monthly or quarterly checks with their alarm companies to determine any issues. You should also have a good working relationship with your local police department. You store guns for crying out loud - the cops who patrol your area should have a working knowledge of your alarms and security measures.
  5. Conduct an annual vulnerability assessment. Take a moment once a year to walk through the business and see what vulnerabilities need to be shored up. Don't think in terms of how you would hit your store. Instead, pay attention to areas that create ways for an attacker to gain access. Then, call a security consultant and have them walk you through what they see. It's also a really good idea to read industry standards pertaining to securing storefronts like yours. Tampa Arms had no excuse to not call a consultant. There's literally one around the corner that is also internationally recognized: Stanley Security Solutions.


  6. Get a video alarm verification system. Had the alarms gone off, the front door sensors would have gone off, surely. The motion sensors may have caught multiple intruders too. Then again, if your installation was crap, which it probably was, you may only get one of those sensors to go off. To cut down on false alarm fines (it's a HUGE deal in Tampa and probably why a system may not have been installed, if it wasn't) and to give responding law enforcement more situational awareness (cops respond a whole lot faster on alarms they know are legit), ask your alarm provider to talk to you about alarm verification. If they rely on you to respond or if they don't offer it, take this small piece of advice - consider a different provider.
  7. There were no physical barriers in front of the front entryway. You ever driven by a WalMart? Of course you have - you're American, probably. What's the first thing you notice in the front of most WalMarts? They have bollards by every entryway. Why is this? Take a look at the video below and you'll see why. Call the city, get a permit, dig in the ground, fill some metal pipes with concrete, and plant them in each hole. Problem solved. Also, check out the trees.



        
  8. Approximately FIFTEEN people robbed these guys. Let that marinate. They brought multiple vehicles, had a plan, executed it, and were in uniforms. Yeah, this ain't their first rodeo. They'll hit more places. Forty guns is a great grab but the proceeds don't split that well among fifteen people, especially not with that much risk. I know the area well where this happened and I know this shop. This was a team that knew their target and prepared for it. We'll see them again.


Monday, November 28, 2016

Terrorism Attribution in the Age of Social Media - The Struggle is Real


Update (11-28-2016 1904): A few reports have emerged from the media stating various talking points derived from the suspect's Facebook timeline, though with little independent confirmation the account indeed belongs to the suspect. He seemed to believe Muslims were mistreated by the West and also disliked its meddling in Islamic affairs. There were also noted jihadi luminaries quoted throughout. Again, this information has not been corroborated by official law enforcement sources but could speak to motive and ultimately whether this was a terrorist attack.

Another mass casualty incident has occurred and I engaged the tried and true method of triggering my compulsion to smash my face with my palm by looking at Twitter. Yep, it was that bad. It never ceases to amaze me that no matter how many times I tweet or blog about the painstaking work of attacker attribution, people continually participate in oversimplified and error-prone "analysis". They're often trying to do this without being at the scene, with no prior investigative experience, and in real-time. To say the least, the amount of wrong is significantly higher than actual "I called it", despite what the authors say.

You're probably wondering why I'm so passionate about the inclinations others have toward this kind of "analysis". I believe it speaks volumes about how much we value the arduous work it takes to do the investigations needed to make accurate attribution claims. It's also a HUGE part of the myth that "anyone can do security". Over the years, I have been practically screaming how false that is. What we as professionals do takes time, significant knowledge, limited resources, and countless hours of practical experience.

Yet, here we are. Today, I have seen tweet after tweet proclaiming the attack was immediately the work of jihadist invaders or lone wolf extremists of some variety. These suppositions have come in the early moments of reporting on the attack. As it developed, we were informed of a suspect, a Somali refugee named Abdul Razak Ali Artan. As of this writing, there are tweets claiming this is conclusive "evidence" of terrorism. The actual cops working the scene haven't made one statement yet, as far as I know, about any determination of motive. But Twitter says otherwise. A population where 99.99% of people have little to no relevant law enforcement or security experience has done in hours what it will take seasoned and ordained professionals weeks to do. Yeah, it's crap.

So, if not terrorism, then what is it, Mr. "Security Professional"? Glad you asked. I don't have a clue and neither do you unless you're on the scene actually investigating this incident. I should know. I used to do this thing all the time. Speaking from firsthand experience, I can confirm how easy it is to engage in this hasty sort of "analysis". What I can tell you is that we often make the mistake, as amateurs, of reaching conclusions about violent mass casualty incidents with little to no information. We do this based on what we either know of the attacker or the incident. This happens with minimal confirmation from official sources or reading too much into either first reports from witnesses, police scanner traffic, or what's told in early press conferences and releases. The often-ignored practice of "wait and see" has turned into "Holy crap! Something bad happened. Let me get my initial reaction out into the Twitterverse so my followers can give me reaffirmation for the sake of my ego and incessant desire to be first to comment on all-things tragic."

There are a few ways we can fix this.
  1. Stop assuming race, ethnicity, or religion can explain why people commit acts of violence. While these things can play a role in attacks, it's unlikely they can explain every single one. Instead, disregard them initially until other information develops that establishes motive or crime typology (act of terror or just a crazy person).
  2. No one has an exclusive monopoly over non-sanctioned violence. Just because an attacker uses a pipe bomb or even their vehicle doesn't mean the attack is terror-related. Let me put it bluntly - there are no "exclusive" tricks of the trade among bad guys. For example, looking at just the initial information we knew about Christopher Dorner's attacks and his weapons of choice, we could have assumed the attack was probably carried out by militias or other extremists versus an ex-cop with a grudge.
  3. It's too easy to get caught in the brutality of an attack and high casualty numbers and assume the attack was terrorism. Don't get caught in the weeds here, folks. Take a deep breath. Examine what we have and nothing else. When bad things happen, we naturally allow fear and our ever-incessant desire for immediate vengeance to cloud our thinking. Attribution is a game of facts and truth not emotion.
  4. Attack attribution requires more than just your gut feeling. A great example of this is a scene from Designated Survivor. It's a show about a newly fired HUD Secretary being the "designated survivor" for a State of the Union address during which most of government is killed in an explosion. The newly sworn-in President, played by Kiefer Sutherland, is doing his best to determine who the attackers are. His advisers are pleading with him to name a known group as being responsible. Much of their evidence is based on wild speculation, self-interested political jockeying, and warhawking. The Chairman of the Joint Chiefs asks the President to name this group. The President asks the FBI how sure they are of the identity of the attackers and they respond "75 percent, sir." Sutherland's character declines to make the call to name the attackers. When pressed by the Chairman of the Joint Chiefs on how much more certainty he needed, the President responds with "Give me 25 percent more." I won't lie. This was by far the best dialogue I've seen in a fictional television show regarding attribution. There are dire consequences when we rely on anything other than empirical data when making attribution calls.

  5. The likely suspects could be people you like and it's not wrong to not rule them out. So much of the attack attribution that occurs on social media is fraught with people trying to make the facts fit their narrative. If a person is overtly political, this is more telling than they're ready to acknowledge. In fact, they often dismiss other possible and probable theories outright. Many times, I've seen the "expert" credentials of various participants in this crazy dialogue come into play. Stop it. Take long deep breaths and remember if you're not on-scene, you know absolutely nothing.
  6. Analysis is not a crystal ball. One of the most often over-played narratives is the intelligence community or law enforcement missed "something". Why? They assume those in these professions have to be right all the time as a part of what they do. It's as if some of us are expected to have superhuman abilities to predict the future accurately. Sometimes, like all things we think we understand, we get things wrong. It sucks when we do but it happens. Stop asking "How could they have missed this?" and start asking "What led them to believe this person posed no discernible danger?"

    Every time law enforcement does a threat assessment on supposedly dangerous persons, an interview with the subject is conducted if possible. Given our legal framework and the very imprecise art and science of "reading" people, some actually dangerous people are missed. It happens. Not often but it does. A more poignant avenue to approach is the examination of how law enforcement and security professionals have been inadvertently incentivized to go after "low-hanging fruit" rather than being given sufficient resources to investigate and mitigate these threats.
  7. The most important component to any terrorism attribution work is understanding what legally constitutes terrorism. I know the US Code is such a drag but it is the legal framework which cops use to determine whether something is or is not an act of terror.

    Most people assume a car bomb is immediate evidence of a terrorist attack. Yeah, not quite. Other people use bombs to commit murder for a variety of reasons. They were used quite often by the mob and other organized crime networks. Yet, none of these bombers were charged with terrorism. Why? Because their motives were not terror related. Terrorism is one of the few crimes which require motive in the "elements of the offense".

    Remember that "legal framework" I mentioned in the US Code? Here it is:

    "18 U.S.C. § 2331 defines "international terrorism" and "domestic terrorism" for purposes of Chapter 113B of the U.S. Code, entitled "Terrorism."

    "International terrorism" means activities with the following three characteristics:
    1. Involve violent acts or acts dangerous to human life that violate federal or state law;
    2. Appear to be intended (i) to intimidate or coerce a civilian population; (ii) to influence the policy of a government by intimidation or coercion; or (iii) to affect the conduct of a government by mass destruction, assassination, or kidnapping; and
    3. Occur primarily outside the territorial jurisdiction of the U.S., or transcend national boundaries in terms of the means by which they are accomplished, the persons they appear intended to intimidate or coerce, or the locale in which their perpetrators operate or seek asylum.

    "Domestic terrorism" means activities with the following three characteristics:
    1. Involve acts dangerous to human life that violate federal or state law;
    2. Appear intended (i) to intimidate or coerce a civilian population; (ii) to influence the policy of a government by intimidation or coercion; or (iii) to affect the conduct of a government by mass destruction, assassination, or kidnapping; and
    3. Occur primarily within the territorial jurisdiction of the U.S.

    18 U.S.C. § 2332b defines the term "federal crime of terrorism" as an offense that:
    1. Is calculated to influence or affect the conduct of government by intimidation or coercion, or to retaliate against government conduct; and
    2. Is a violation of one of several listed statutes, including § 930(c) (relating to killing or attempted killing during an attack on a federal facility with a dangerous weapon); and § 1114 (relating to killing or attempted killing of officers and employees of the U.S.)."

I don't have all the answers and neither do you. Let's all take a deep breath and allow the cops to do their jobs.
