Attackers Exploiting Security Procedures

In East Belfast, burglars called in a bomb threat. Residents evacuated their homes, and then the burglars proceeded to rob eight empty houses on the block.

I’ve written about this sort of thing before: sometimes security procedures themselves can be exploited by attackers. It was Step 4 of my “five-step process” from Beyond Fear (pages 14-15). A national ID card make identity theft more lucrative; forcing people to remove their laptops at airport security checkpoints makes laptop theft more common.

Moral: you can’t just focus on one threat. You need to look at the broad spectrum of threats, and pay attention to how security against one affects the others.

Tags: bombs, cost-benefit analysis, crime, false positives, hoaxes, risk assessment, spoofing, theft

Posted on April 30, 2007 at 12:27 PM • 29 Comments

Comments

Joe Patterson • April 30, 2007 1:18 PM

Evacuating in response to a bomb threat isn’t really that bad an idea (IMHO). It is one of many ways a burglar could make sure you aren’t in your house. The problem is having a house that isn’t sufficiently resilient against burglars when there’s no one home. Prune that limb of the attack tree against your house, and it doesn’t do them any good to call in the bomb threat.

(of course, you can’t actually prune that limb completely, but you can modify the leaves sufficiently that it becomes too expensive a proposition for the reasonably expected return on burglary)

Ken • April 30, 2007 1:19 PM

Not so much different from the lowlifes that read the obituary pages and strike while the family is attending funeral services…

Spider • April 30, 2007 1:51 PM

“forcing people to remove their laptops at airport security checkpoints makes laptop theft more common.”

What makes you think the didn’t consider that? Given the choice between increased laptop thefts versus an airborne bomb. I’d think they would choose to increase laptop theft. Wouldn’t that be the better choice?

Bruce Schneier • April 30, 2007 1:56 PM

“Not so much different from the lowlifes that read the obituary pages and strike while the family is attending funeral services…”

Or the burglars who figure out when people are on vacation. (See “Home Alone.”)

Don • April 30, 2007 2:08 PM

“The problem is having a house that isn’t sufficiently resilient against burglars when there’s no one home.”

Is that an option? Depending on how the threat was worded it’s possible residents were instructed to leave their homes accessible to the police for sniffing.

dragonfrog • April 30, 2007 2:29 PM

@Spider

“Given the choice between increased laptop thefts versus an airborne bomb. I’d think they would choose to increase laptop theft.”

You’ve phrased it as increasing the likelihood of laptop thefts by (some amount A), versus decreasing the likelihood of an airborne bomb from 100% to 0%.

In fact, they’re increasing the likelihood of laptop thefts by (some amount A), and decreased the likelihood of an airborne bomb by (some amount B).

The question is, what are amounts A and B, and what does their ratio need to be for the measure to make sense.

And unfortunately, the number of airborne bombs is so vanishingly small in the first place, that we have no real way of knowing if B is even non-zero.

jeff • April 30, 2007 2:54 PM

@dragonfrog

And don’t forget that they don’t have to pay for the laptops, so their cost of “A” is zero. Compare zero to any B which is even only arguably over zero and guess which option they’ll pick.

Jeff

Clive Robinson • April 30, 2007 3:00 PM

It boils down to a question of risk and to whom.

For an authority such as the Police to not take the bomb threat credably (especialy in that part of the world) would be seen as an unacceptable risk.

Where as the authority allowing the homes to be burgled is an acceptable risk as no life has been lost, and the individuals might be insured against theft (again unlikly in that part of the world).

From the home owners perspective the risk boils down to, stay in my house or not (I shall ignore the fact that they might in all probability be forcefully removed by the police as has happened in the past with bomb threats).

If the home owner stays they have a risk they might die if the bomb is real versus they might lose some valuables which they would probably lose anyway if a bomb did go off.

Also and this is the akward part, by staying they might in fact cause the police to not perform in a timley fasion and therefore by their action cause the bomb to go off.

Then there is the consideration of insurance if their home is damaged or destroyed by a bomb then their insurance will most likley not pay out. Therefore they will have to resort to the “insurer of last resort” who is the UK Govenment who do not have a good reputation for handing out money at the best of times.

Alternativly if they do go and they are burgled and they do have insurance then the loss will (to some extent) be covered by the insurance company.

Finaly there is the question of did the police behave in a competent fasion when they allowed the houses to be robbed. I cannot answer this one nor do I suspect can any other poster to this blog however I suspect more details will inevitably come out given time.

nostromo • April 30, 2007 3:04 PM

@spider
“Given the choice between increased laptop thefts versus an airborne bomb. I’d think they would choose to increase laptop theft.”
No, actually, I’d choose to increase my risk of succumbing to an airborne bomb, because it would still be completely negligible. Laptops, on the other hand, get stolen every minute of every day, and the best way to avoid getting your laptop stolen is to conceal the fact that you’re carrying one.
How many cases have there been of an airplane being blown up by a bomb hidden in a fake laptop? Well, now, let’s see … I think the answer is ZERO.

Andrew • April 30, 2007 3:10 PM

Moral: you can’t just focus on one threat. You need to look at the broad spectrum of threats, and pay attention to how security against one affects the others.

You are wrong. I only need to consider the threats that come out of my budget if they materialize.

This is why displacement is so common. My security does not need to be better than the junkies, as long as it is better than my neighbor’s . . .

A national ID card shifts the burden from the government to the individual. Laptop checks shift the burden from the TSA to the business traveler. Bomb threat evacuations shift the burden from local government to the home or business owner.

Notice any trends here? Organizations pushing their security burden off onto their nominal customer base?

rhr • April 30, 2007 3:24 PM

I’ve always wondered how they deal with this threat at facilities that store weapons-grade fissile material. If the building criticality alarm goes off, everybody is supposed to effect a hilariously rapid evacuation – you’re literally supposed to jump out of upper-story windows beacuse it’s safer than remaining in the building long enough to exit the normal way. If a terrorist could manage to set off the alarm it would be relatively easy to rob the place blind in the surrounding confusion…not a pleasant thought.

Aaron Luchko • April 30, 2007 3:50 PM

I have to wonder how well the police had secured the area. The fact is the property was exposed from the rear and people were able to get in without being observed. Sure they probably put up some police tape but in the case of a bomb threat I’d expect there to be police watching the entire area so that some kids or something don’t sneak in and get themselves blown up.

Neil Bartlett • April 30, 2007 4:30 PM

A similar, but much more despicable, trick was played by the “Real IRA” in their bombing of Omagh in 1998.

A warning was telephoned in to the Police around 30 minutes before the explosion, advising that there was a bomb near the City centre courthouse. As a response, the Police attempted to shepherd as many people as possible away from the courthouse, down to the other end of the main street. The bomb then went off at that end of the street, where they had been led to “safety”. The terrorists had effectively manipulated the Police to double the number of casualties.

This photo tells the story better than any statistics or casualty numbers ever could. It was recovered from a camera found buried in the rubble. The red car on the right contains 300 pounds of fertlizer-based explosive, which is about to go off in seconds:

http://www.wesleyjohnston.com/users/ireland/images/omagh_imminent.jpg

Michael • April 30, 2007 4:49 PM

London underground used to have ‘beware of pickpockets’ signs, but people seeing them would pat their pockets to check they hadn’t been pickpocketed, letting thieves see which pocket they kept their wallet in. Or so the story goes.

Bruce Schneier • April 30, 2007 4:57 PM

“What makes you think the didn’t consider that? Given the choice between increased laptop thefts versus an airborne bomb. I’d think they would choose to increase laptop theft. Wouldn’t that be the better choice?”

It all depends on agenda. Given the tiny, tiny increased security against laptop bombs, it’s definitely not worth it to the laptop owner. But to the TSA — who doesn’t bear the costs for stolen laptops — it’s definitely the better choice.

When you see a nonsensical security trade-off, look for the externalities.

Survivor • April 30, 2007 5:17 PM

@Clive Robinson

“Then there is the consideration of insurance if their home is damaged or destroyed by a bomb then their insurance will most likley not pay out. Therefore they will have to resort to the “insurer of last resort” who is the UK Govenment who do not have a good reputation for handing out money at the best of times.”

I think you would be surprised just how much money the government paid out to businesses ruined by bombing and compensation for families of those murdered as long as the victims were not considered to be involved in terrorism.

Sorry, I cannot provide sources but my understanding was that the government quietly propped up businesses and helped victims as part of the overall governance strategy. My own family had their business premises wrecked several times by bombs but kept on going.

@Bruce

This is a very unusual aspect of the “externalities” theory; the UK government preferred to pick up the bill rather than let sectarion bombings and assassinations drive innocent people bankrupt.

Mark • April 30, 2007 5:42 PM

I always thought this kind of example was basically the Heisenberg principle: you secured it, ergo you fundumentally changed what you were originally secured.

Mind you, I’m not (perhaps obviously) a physics major…

Jason • April 30, 2007 6:55 PM

Sounds like a George Clooney movie 🙂

Jon Sowden • April 30, 2007 8:30 PM

“It all depends on agenda. Given the tiny, tiny increased security against laptop bombs, it’s definitely not worth it to the laptop owner. But to the TSA — who doesn’t bear the costs for stolen laptops — it’s definitely the better choice.”

Let’s – for argument’s sake – say that, sooner or later, another US airliner IS going to be hijacked and crashed deliberately, or blown up, or something else in which everyone dies.

As far as the TSA is concerned, the risk they are facing is 1.0

OTOH, as far as the travelling public are concerned, the risk per_flight is 0.000[inserthowevermanyzerosyouwanthere]01

I don’t want to defend the TSA or the way they go about things, but they ARE facing significantly higher risk than the rest of us.

Michael Ash • April 30, 2007 10:34 PM

“As far as the TSA is concerned, the risk they are facing is 1.0”

That’s a ridiculous argument. Taken at face value, it means that there is no way to reduce this risk either, so why even do anything?

If you want to analyze this rationally, you need to think more in terms of deaths per unit time. (Or perhaps too rationally, deaths and equipment damage cost per unit time, with a suitable conversion factor between the two.) It’s obviously possible to affect this number.

It’s like saying that any given flight will either be blown up or it won’t, so the risk is 50%.

George • April 30, 2007 10:46 PM

@What makes you think the didn’t consider that? Given the choice between increased laptop thefts versus an airborne bomb. I’d think they would choose to increase laptop theft. Wouldn’t that be the better choice?

The TSA seems to have defined “security” very narrowly, as (incompetent) protection from repetitions of specific past terrorist acts and attempts. Protecting passengers and their property from less-spectacular but much more common threats like theft is entirely outside their jurisdiction. So if their measures intended to protect air travelers from repetitions of specific past terrorist acts and attempts have the unintended effect of exposing passengers to an increased risk of threats outside their jurisdiction (such as theft), it’s simply not important. Especially since there are plenty of people who will defend the TSA by insisting that thefts of laptops and other property are a small price well worth paying for (illusory) protection from terrorism.

For that matter, I suspect that the TSA’s “security” actually increases the risk of terrorism. Crowded, inadequately staffed checkpoints that accumulate crowds of barefoot passengers awaiting screening would seem irresistible targets for suicide bombers. As are the check-in and baggage reclaim areas (also outside the “sterile area” supposedly protected by TSA screening) that accumulate crowds of passengers who have to check bags because of the stupid restrictions on liquids in carry-ons. And what about those barrels full of confiscated “liquid explosives” standing there in the middle of crowded checkpoints?

I wonder whether the TSA officials ever consider the full effect of the classified security theatre scripts they write behind locked doors in their secure facilities. For that matter, I wonder whether they ever set foot in a real airport and see for themselves how their scripts actually play with real people in real airports. Sometimes I suspect they must all travel on Halliburton jets and limousines to avoid experiencing what they so eagerly inflict on the peasants.

Not only is the emperor naked, but everyone can see that his “mojo” is embarrassingly tiny. But it’s unpatriotic to mention that.

Jon Sowden • May 1, 2007 12:50 AM

@ Michael Ash

Steady on Tonto. Think about what I said: As an organisation, TSA has to face the fact that at some point they are going to fail.

Will you forgive them that failure, because, after all, it was only one flight out of the however-many there have been since 2001? You might, but what about the rest of the country?

Not hardly.

So, they take steps, introduce stupid security theatre, piss everybody off because it just might put off the day when they fail, and at worst they can – hand on heart – say they did what they could.

You, on the other hand, face an infinitessimally small chance that any given flight you take will be The One. From that point of view it is easy, obvious, and logical to say “WTF? What’s the point? Let’s just do away with TSA!”

You roll a dice with very many sides a very few times. You can expect that your number will essentially never come up.

The TSA rolls that same dice very very many times. Their number will come up.

Granted it’s not the best way of looking at it, but as we all know people are notoriously bad at assessing and assigning risk. Frankly, I don’t think the TSAs approach is all that helpful, but the ‘why’ of their approach is – I think – obvious. Knowing the ‘why’ is useful, though, don’t you think?

Best regards
Jon

X the Unknown. • May 1, 2007 12:56 AM

@rhr: “I’ve always wondered how they deal with this threat at facilities that store weapons-grade fissile material.”

Remember a few years back when Los Alamos Labs was threatened with a wildfire?

Plenty of warning (days), well-organized evacuation – and they still lost some critical stuff! Security is bound to improve in the case of a short-notice evacuation, right?

John Davies • May 1, 2007 3:16 AM

Possibly, assuming that they can actually detect a bomb in a laptop. My experience is that you don’t usually have to turn the laptop on and it bypasses the metal detector and X-Ray machine. Ideal for hiding a bomb.

jay • May 1, 2007 4:51 AM

Similar kind of thing happened in Sri Lanka two days back. A rebel plane was able to penetrate the Colombo air space, as a security measure the SLAF shut down the power of the sectors with likely threats (which is the main airbase, next to the international airport). Parts of Colombo was in complete darkness while there were other targets well lit up. So the terrorist changed the target into an Oil Plant. Two bombs were dropped. So it does tell when you take a secure step it will expose you more than it had exposed before! I think what they would have done is turn off the runaway lights and the lights at the radar tower.

Anonymous • May 1, 2007 7:10 AM

@Survivor

“but my understanding was that the government quietly propped up businesses and helped victims as part of the overall governance strategy”

That may have been true of N.I. but there are many people in central London who tell a very different story after the 1992 Baltic Exchange and 1993 Bishopsgate bombs. Again figures are very hard to come by for the obvious reasons.

ac • May 1, 2007 7:54 AM

@John Davies

My laptops have never bypassed the X-Ray machine and since 9/11 have frequently had a chemical swipe as well. A metal detector would be pointless as they all contain metal.

Paul • May 1, 2007 9:28 AM

Getting inside the perimeter wouldn’t have posed a problem. If those houses are anything much like the one I had in South Belfast, there’s a narrow rear access alleyway (with no lighting), and back yards with 1-story high walls and solid doors. I could stand at the upstairs back window, looking out over my back yard, and had no visibility into the alley, or neighboring yards. You could march an army down those alleyways in broad daylight and not be seen. Definitely the weak link in home security, and often exploited by burglars.

The cops would have knocked on front doors during the evacuation. If they checked the back area at all, it would have been a quick sweep along the alley. They wouldn’t have taken the time to climb up the alleyway wall at every single house to check the back yards out. Too time consuming when every minute could matter; their priority was to get residents out of the danger area.

The burglars probably hid in one of the back yards, maybe even made the bomb threat call from there, and then just waited for the houses to empty and the police to be occupied looking for the alleged bomb.

Getting out of the area would have been harder. They most likely banked on there being a lot of confusion between the perimeter being re-opened, and people getting back into their homes and realizing they’d been robbed.

I’m surprised they didn’t have a helicopter with thermal imaging equipment overhead. They’d have spotted any suspicious activity at the back of the houses easily that way.

Fenris Fox • May 1, 2007 10:55 AM

I agree with you, Bruce – crap like this was bound to happen. =:oD

Schneier on Security

Attackers Exploiting Security Procedures

Comments

Leave a comment Cancel reply