Saturday, November 29, 2014

The GateShack - Episode 04 - Ferguson - Lessons Learned

Show Notes:
First, I’d like to extend an apology for the previous episode’s audio issues. I was attempting something new while preparing the podcast and it backfired on me. For that, I apologize and I appear to have the sound sorted out.
During today’s podcast, I wanted to continue our discussion on Ferguson with some of the lessons we’ve learned since August. I focus a lot on some of the mistakes made by Ferguson PD during the early days of the protests. Some of those mistakes are still being made and they offer insight into how we, as security and law enforcement officers, can do better when responding to civil disturbances. Feel free to leave a comment on Twitter using the hashtag #FergusonLessons or leave a comment below.

Tuesday, November 25, 2014

Riots: The Physical Security Considerations

LONDON, ENGLAND – AUGUST 08: A rioter throws a rock at riot police in Clarence Road in Hackney on August 8, 2011 in London, England. (Photo by Dan Istitene/Getty Images)

Last night, riots erupted all over Ferguson, MO after the grand jury announced they would be declining to indict Darren Wilson, the police officer who shot and killed Michael Brown. This post is NOT about that decision or the investigation itself. My opinions on that will remain out of the public sphere. However, I would like to discuss the unique physical security considerations mass protests and riots present for security practitioners. I’d like to discuss what those challenges are and how we can counter the physical attacks against assets during these events.
  1. Protests are extremely dynamic, and what looks peaceful now could be a full-blown riot five minutes from now. People assume they can do a lot of things they simply can’t. Predicting the actions of hundreds of people and whether they view your assets as a legitimate target is one of them. This is almost impossible to do. So don’t. Err on the side of caution and assume your assets are a target.
    Social media and the news can lull practitioners into believing the intelligence they’re receiving about the threat is accurate. In many cases, it can be. However, you should never rely on anyone other than yourself to determine how a crowd will behave and view your assets.
  2. Agitators carry an assortment of tools to target your assets. Just because you’re seeing rocks and water bottles being thrown now does not mean those are the only weapons you’ll see used against your assets. They may use chainsaws, bats, pipes, bricks, Molotov cocktails, guns, etc. against you and your assets. Consider the full gamut of tools they will have access to, and factor in the time they have had to pre-stage gear and their experience. Make sure your preparations are comparable for probable threats.
  3. The people protesting aren’t always your biggest threats – they can also be your savior. In many cases, as we saw in August and last night, bystanders and peaceful protesters stood up to defend local businesses in Ferguson. Most of those storefronts were businesses that had made inroads with protesters beforehand. Also, the peaceful protesters realized their protest was being hijacked by anarchists and that they were thus losing the narrative. Because of this, many protesters actively protected storefronts. You should make every effort to reach out to protesters beforehand. In some cases, I would consider offering a reward for any protester seen defending your assets.
  4. Some storefronts are targeted not because of who they are but for what they have inside. Last night, I advised any pawnshop owner to remove all weapons from their locations. Why? Because most physical security measures used to defeat thieves are usually meant for one or two persons attempting the threat and a reliable police response. As last night proved, the police will be too busy with other responses to ensure adequate protection for those stores. If you can’t move the guns, then remove their firing pins and ammunition immediately. If you have some clue that rioting could occur, you owe it to yourself and the community you service to at least remove the weapons or firing pins until you know for sure the threat is gone.
  5. Consider how we’re trained as professionals to protect assets in your riot contingency. We detect, deter, delay, and if necessary, stop the threat. Do the measures you’re implementing do that? Can they do that with a crowd amassing at your facility? If not, can you afford the risk of failure?
Here are some measures you should think about implementing, in my opinion:
  • Remove any weapons or explosive materials from stores.
  • Shut down gas station pumps.
  • Consider constructing steel shutters or a roll cage around your storefront. The shutters and roll cage should be secured with a heavy-duty lock with a buried shackle to prevent cutting it or using a shim to pick it.
  • Install heavy-duty glass or board windows from the inside and outside.
  • Remove cars from parking lots to other secure areas. If this is not possible, consider erecting a larger fence where the top is bent facing towards the adversary. This configuration is used in prisons to prevent scaling which is difficult to do for most people. A ladder is required in most cases. Also, remove those assets closest to the fence.
  • Conduct counter-surveillance daily before the protest is said to occur. Be on the lookout for any suspicious behavior. Have you noticed new people around your stores you haven’t seen before? How much loitering occurs and is any of it out of the ordinary? Are people asking strange questions about when you typically shut down for the day or when you “really lock the doors”? Have your loss prevention guys noticed any increased observance of camera locations?
  • Barriers. Use them. I can’t say this enough. When I was a young Airman, barriers were a part of my everyday life. We used them a lot for increased threat mitigation, civil disturbance, crowd control, and even presidential visits. My preference is for the plastic jersey barriers to be filled with water or sand. Water should be used in winter because it’s more likely to freeze than leak, unlike in summer where it tends to do so a lot. Jersey barriers, when not filled, are highly mobile and allow the practitioner flexibility in how, when, and where they can be deployed. In many cases, a pick-up and a few able-bodied people are all you need to move them, where concrete and sandbags require forklifts and more bodies.
  • Fences. Put them up. You should make every effort to ensure protesters will have to struggle to get to your assets. The cheapest and best way to do that is through proper fencing. You should install a fence, typically around 10 to 15 feet tall, and weigh whether or not your insurance can handle barbed wire. Another consideration, if you’re using barbed wire, is aesthetics. Can you do business with the barbed wire on the fence? Some customers respond differently to that.
  • Consider guards if you have no other choice. Seriously, don’t hire guards if you don’t need to. Security officers are great at what they do. If the target of the protests is law enforcement, who do you think the rioters will look at as a potential target? Those stores with guards in uniform. Not saying you shouldn’t use guards but understand their risk and that they don’t always lower your threat profile.
  • Don’t get political. Seriously, if you have a Twitter profile for your store and you’re talking about how you hate the protesters all the time, you’re making yourself a larger target. That’s what we call “begging for a fight”. Stop. Instead, talk about how many people in the community you employ, how long you’ve been there, and how the damage impacts you and other businesses. Stay away from any discussions about what is being protested.
My list here is not all-inclusive. I am sure there are other ideas. Please, submit your ideas below so we can continue the discussion.

Monday, November 24, 2014

The GateShack - Episode 02 - The Myths of Security

During today’s episode, I cover the major myths about security and the ramifications for ignoring them. We’ll also explore Mubin Shaikh’s book, Undercover Jihadi: Inside the Toronto 18 – Al Qaeda Inspired, Homegrown, Terrorism in the West and close with an interview I conducted with Phil Harris, Founder/CEO of Geofeedia. To continue the discussion, be sure to leave a comment below or use the hashtag #securitymyths on Twitter.

Show Notes:
Mubin Shaikh’s book - Undercover Jihadi: Inside the Toronto 18 – Al Qaeda Inspired, Homegrown, Terrorism in the West available at Amazon.

For more information on Geofeedia, visit

Monday, November 3, 2014

Quote of the Day

VIDEO: Elevator Hacking: From the Pit to the Penthouse by DeviantOllam

From the video’s description:
Throughout the history of hacker culture, elevators have played a key role. From the mystique of students at MIT taking late-night rides upon car tops (don’t do that, please!) to the work of modern pen testers who use elevators to bypass building security systems (it’s easier than you think!) these devices are often misunderstood and their full range of features and abilities go unexplored. This talk will be an in-depth explanation of how elevators work… allowing for greater understanding, system optimizing, and the subversion of security in many facilities. Those who attend will learn why an elevator is virtually no different than an unlocked staircase as far as building security is concerned!
While paying the bills as a security auditor and penetration testing consultant with his company, The CORE Group, Deviant Ollam is also a member of the Board of Directors of the US division of TOOOL, The Open Organisation Of Lockpickers. Deviant runs the Lockpicking Village with TOOOL at HOPE, DEFCON, ShmooCon, etc, and he has conducted physical security training sessions for Black Hat, DeepSec, ToorCon, HackCon, ShakaCon, HackInTheBox, ekoparty, AusCERT, GovCERT, CONFidence, the United States Military Academy at West Point, and the United States Naval Academy at Annapolis. His favorite Amendments to the US Constitution are, in no particular order, the 1st, 2nd, 9th, & 10th.
Howard Payne is an elevator consultant from New York specializing in code compliance and accident investigations. He has logged over 9,000 hours examining car-tops, motor rooms, and hoistways in cases ranging from minor injuries to highly-publicized fatalities, and has contributed to forensic investigations that have been recognized by local, State, and Federal courts. Howard has appeared on national broadcast television making elevators do things they never should. When he’s not riding up and down high-rise hoistways, he moonlights as a drum and bass DJ and semi-professional gambler. His favorite direction is Up and his favorite elevator feature is riot mode.
