Schneier on Security
A blog covering security and security technology.
« Movie-Plot Threat Described as Movie-Plot Threat |
| Friday Squid Blogging: Squid Christmas Cards »
November 30, 2007
Trucker Steals Guinness from Brewery
Someone drove a truck through the front gate of the Guinness brewery in Dublin, loaded the trailer with 450 kegs of beer, and drove out the gate. Security presumed it was just another legitimate contractor coming to pick up beer for distribution, and ignored him.
Moral: look like you belong.
EDITED TO ADD (12/5): Looks like they were caught before they drank all the beer.
Posted on November 30, 2007 at 7:27 AM
• 56 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
"Moral: look like you belong."
Or bribe or conspire with one of the guards. Surely they should have some protocol to decide who can take of with a €64.000 (USD 90.000) load of beer?
This is a major concern as keg when empty can be loaded with explosives
> This is a major concern as
> keg when empty can be
> loaded with explosives
You are right ! It's about time we start reporting purchases of beer kegs to homeland security for inclusion in their über profiling database ! And as a security measure we have a duty to ban draft beer at large famous events such as Oktoberfest ! Act now - think of the children !
"Moral: look like you belong."
How about, "Trust, but verify?"
latest terrorist plot: a terrorist modifies a beerkeg to take half a load of beer, and fills the other half with explosives, rigged to explode when the beer runs out. The keg will probably be in or very near a full pub when the beer runs out.
The same could be done with just about any opaque drink container for the consumer market. Before long, the American public will fear anything opaque. Meanwhile, the terrorists have bought a large number of shares of Coca Cola company and the like, and make a fortune.
@Kevin D S: How about, "Trust, but verify?"
Makes sense. Except when they trust, they are accused of incompetence, and when they verify they are accused of CYA or totalitarianism.
That said, this shouldn't have happened. It was gross negligence on the part of security.
This is pretty famous, also in literature:
* Douglas Adams, in "The Hitchhikers Guide to the Galaxy" talks about "SEP - Somebody Else's Problem" field as a way to become invisible
* In an Israeli movie called "Blaumlich Canal" an escaped lunatic starts drilling in the middle of the street. Since he seems to know what he's doing, the policeman starts blocking traffic, city officials start allocating workers to help him, etc...
Also, this is the first rule of any kind of social engineering - look like you know what you're doing, and like you should be doing it.
>180 kegs of Guinness, 180 kegs of Budweiser and 90 kegs of Carlsberg
What, did they run out of Guinness? ;)
>>180 kegs of Guinness, 180 kegs of Budweiser and 90 kegs of Carlsberg
>What, did they run out of Guinness? ;)
I assumed the guards just let them get away with the Guinness on the understanding they'd take the Budweiser as well.
lorrys come and go all day long (and through the night), who wants to hold up commerce?
Woah, I think this story hits home more than any other. Say ... where are the Guinness warehouses in the US? And does any one know where I might be able to rent a truck on the dl?
Party at that guy's house!
"Look like you belong."
That is, I think, Rule 3 in the Terrorist Handbook.
And, of course, Homeland Security profiling aims attention at people who look like they don't belong.
I want to know what he's planning to do with it. Reselling it to pubs would be problematic.
I've wondered for a long time how they truly keep track of the shipping crates at the Port of Long Beach. Maybe Guinness should ask them for advice on keeping track of beer kegs.
Don't forget that with this much beer, they could distill the CH3CH2OH from the beer for various nefarious uses:
1) Cause a toxic reaction in hundreds of people!
2) Make thousands of people drunk, so they won't react properly to the real terrorist threat of painting the local courthouse mauve!
3) Burn a lot of stuff!
4) Put it into a combustion engine to get to the site to terrorize!
5) Put it in scary, looming containers (apparently wires & lights are good for this) in suspicious places to terrorize the populace for the (possible) price of a littering charge!
"This is a major concern as keg when empty can be loaded with explosives"
There are cheaper and less conspicuous ways of getting beer kegs. They wanted the contents, not the kegs.
This goes to show that crap security never goes unnoticed: people always think "they never checked my paperwork, I could have been anyone!", and if that story gets passed on, someone may well decide to try it.
"There's nowhere you can't go if you look concerned and carry a clipboard."
A variation on that old chestnut just worked splendidly well here.
It's obvious that they wanted the contents not the kegs. Just like the fabled story where a guy is seen wheeling load after load of dirt from a construction site. He wasn't stealing the dirt, he was stealing the wheelbarrows.
Customs and Excise are going to be a bit unhappy. Given how much paperwork is involved in moving alcohol around, there was a major mistake here. But getting rid of it will be easy - it's probably already spread out in bars around the country.
I used to work as a computer tech at a major video game company. On an assignment to apply a security patch to some random machine (we had recently had an uncharacteristic virus outbreak), I just walked into our company's Security Control Center, showing no ID (though it was required that ID be visibly worn at all times, even for just walking around the campus), not recognizing anybody, and simply stating that I was, "looking for cube number 97 to apply a security patch." I was let in, handed a flashlight to look for the port I needed, and left semi-alone with the whole company's security systems at my fingertips.
Sometimes I really wish I was evil, or at least malignant.
"Moral: look like you belong."
Nothing new about that --- it worked quite nicely for the folks who pretended they were with IBM to bomb the MGM Grand a few decades ago...
@Roxanne: serial numbers, barcodes, RFID etc. used as a key to a tracking database containing information on said code's whereabouts.
You can fault their ethics, you can fault their morals, but you can't fault their methods and you can't fault their taste...
"I just walked into our company's Security Control Center, showing no ID (though it was required that ID be visibly worn at all times, even for just walking around the campus)"
I have been working as a contractor for three Fortune-50 companies over the past four years. Each of them has a requirement that a badge be visibly worn at all times. I have consistently and deliberately stored my badge in my wallet for the past four years, and never, ever, been challenged on the issue.
All three of these nameless places, BTW, have an electronic badge-in system, with no corresponding requirement to badge out, rendering the entire thing "security theatre."
On the other hand I have to commend Wells Fargo for having real-live physical security: they had badge-in, badge-out, mantrap doors, and a human guard who inspected your badge visually before you badged in.
>On the other hand I have to commend Wells Fargo for having real-live
physical security: they had badge-in, badge-out, mantrap doors, and a human
guard who inspected your badge visually before you badged in.
But did they have Guiness?
"Moral: look like you belong." or at the company I work for look like you belong to one of the groups that borrow office cubicles in your company.
This could be part of a truly sadistic terrorist plot in the Dublin.
The terrorist could drain all the kegs and replace the good Guinness beer with American beer. I can't imagine the riots that would ensue in Ireland. Horrific... shudder.
I'm a security guard. We get fired if we do our jobs too well. That doesn't bother me as much as the fact that we have to guess how well they want us to do our jobs.
Somebody made the wrong guess and will be looking for employment soon.
Regarding the "explosives in tampered kegs" plot, this will of course have to be mitigated by only allowing beer containers of 4oz or less. Of course, the price will remain the same...
Alec... Guinness... Alec... Guinness
Something vaguely familiar here...
Vehicle-borne improvised explosive devices (VBIEDs) containers such as a beer kegs,
Vehicle bombs are one of the most effective weapons in the terrorists' arsenal. These bombs are capable of delivering a large quantity of explosives to a target and can cause a great deal of damage.
In general, vehicle bombs fall into three categories:
* large vehicle-borne improvised explosive device (LVBIED). An LVBIED is a lorry or truck filled with explosives. These vehicles enable terrorists to carry very large amounts of explosives, possibly several tonnes, to a target and cause casualties and destruction over a range of hundreds of metres
* vehicle-borne improvised explosive device (VBIED). A VBIED is a car or van filled with explosive, driven to a target and then detonated.
* under vehicle improvised explosive device (UVIED). A UVIED is a type of small, 'booby-trap' improvised explosive device placed in, on, or under a vehicle, and designed to explode when the vehicle moves.
Vehicle bombs typically use an improvised explosive; sometimes a flammable substances is added to enhance the effect e.g. liquefied petroleum gas (LPG). The bomb can be made in advance at a safe location some distance from the target. The explosive may be in the load-carrying area of the vehicle, concealed in the chassis or behind panels, or in one or more containers such as a beer kegs, dustbins, wheelie bins or large suitcases.
Once assembled, the bomb can be delivered at a time of the terrorists' choosing and with reasonable precision, depending on defences. It can be detonated from a safe distance using a timer or remote control, or detonated on the spot by a suicide bomber.
Building a vehicle bomb requires a significant investment of time, resources and expertise. Because of this, terrorists will seek to obtain the maximum impact for their investment. They generally choose high-profile targets where they can cause the most damage, inflict mass casualties and attract widespread publicity.
What you can do
* ensure that an identified individual is responsible for security and that the police know your plans and the layout of your building
* employ basic good housekeeping such as vehicle access controls and parking restrictions
* consider using physical barriers to keep all unauthorised vehicles at a safe distance. Seek police advice on what these barriers should be and on further measures such as electronic surveillance
* where possible, vehicles that are permitted to approach your building should be authorised in advance and searched. The identity of the driver should also be cleared in advance
* consider the effectiveness of your communications and announcement systems - you may need further technical advice
* do what you can to make your building more blast resistant, paying particular attention to windows. Establish and rehearse bomb threat and evacuation drills. Bear in mind that, depending on where the suspected vehicle bomb is parked and the design of your building, staff may be safer in windowless corridors or basements than outside. Assembly areas for staff must take account of the proximity to the potential threat. A vehicle bomb delivered into your building - for instance via underground car parks or through the front of your premises - could have a far greater destructive effect on the structure than an externally detonated device
* train and rehearse your staff in identifying suspect vehicles, and in receiving and acting upon bomb warnings. Key information and telephone numbers should be prominently displayed and readily available
* have the building reviewed by a qualified security engineer or adviser when seeking advice on protected spaces.
Why do we still call them `IED's? They left the realm of improvisation some years ago.
"Never try to change color to match the walls; act like you belong, and the walls will change color to match you."
- Tracy Hickman and Margaret Weis
Notably this one's a little of both.
Jim @ 9:13 AM
We had a keg registration policy at my school long before 9/11, and for exactly the same reasons as the UMN page states. It was so campus PD knew whose head to land on when a bunch of drunk freshmen had to be taken to the hospital.
Guinness: Just the thing to go with Fried Calamari on a Friday night...!
(Wow! 39 Messages, and I'm first!)
@Well: it's easy to verify without going overboard. For pick-ups there's an order your company sent to the shipping company, and paperwork the shipping company sent back. You'll know the shipping company, the truck number, usually the driver's name and the time they're due in. If you get shipping-company paperwork and there's no matching order from your company for pick-up, that's a red flag. When a truck arrives, the guard gets the driver's copy of the paperwork and finds the matching paperwork in the guard shack's list of expected pick-ups. If he can't find it, the truck doesn't come in. If he does, he matches the company and truck number from the truck (and the driver's name if present) against the driver's and the shack's copies of the paperwork. If there's mismatches, or if the truck's too far off the expected time, the guard calls Shipping to send someone down to straighten the problem out or verify there's no problem. The whole thing should take no more than a couple of minutes if everything's OK.
I suspect the keg registration thing isn't quite as urgent in Ireland as in the US - the states has AFAIK the highest drinking age in the world (outside of completely prohibitionist countries where it's effectively infinite).
I guess Ireland's drinking age is 18 - still high by European standards - but they still don't have the oddity of 20 year-old "underage" drinkers...
The question is: what is the cost of 450 kegs of beer vs. some sort of check on every truck that comes in? Assuming you don't have a bunch of copycats, it's quite possible that what they're doing is the most efficient from a cost/benefit point of view.
I once worked at a municipal library which had mag strips in books which had to be de-activated or they'd set off an alarm at the door. Similar to most retail. The strips were not put in paperbacks, because the cost of the time to put in the strip was greater than the cost of the book. The cost of the paperbacks that were lost was less than the cost of putting security on all the paperbacks.
@Rich: I'd expect they'd have to do the check regardless. If nothing else, simply to be able to confirm they handed a particular shipment off to the shipper and if it's gone astray it's the shipper's fault, not the brewery's.
@Todd: it's easy to verify without going overboard.
Ditto. But it seems anywhere the line is drawn, some will argue it was overboard. Unless, of course, something goes wrong, then nothing was good enough.
What is the cheapest (total cost or marginal cost) improvement for keg security at the Guinness brewery?
The theives could be attempting to undermine the economy by distributing cheap counterfeit beer copied from the original.
He just picked them up did he and loaded them into his truck wow I wouldn't mess with him no matter what he wanted to do 160 lbs per keg 72,000 lbs this guy loaded onto his trailer. 80,000 lbs is as much as they can carry he was very brave and a horse.
Interesting to note that Jim's link has a set of point/counterpoint briefings to help get past resistance to keg registration, but not one of them mentions that people might want privacy about whether they buy kegs and how that might be handled. Is this because the keg registration people don't care or is it because they don't have an answer? It shouldn't be very difficult to say that something could be done to keep the lists of keg buyers secret until the police need them.
Alan: according to the article, the thief stole an already-loaded trailer that was waiting for a legitimate pickup (thus adding the value of the trailer itself to his haul). He didn't bring in an empty trailer and load it.
I think they've just got to work on deterrence here by actually catching the thief. I'm guessing that the cab he drove had plates, and the article mentioned that the CCTV footage was being examined (and plate numbers can fairly be reconstructed from a large number of frames, even if they're entirely illegible on any single frame). Unless the cab was also stolen (certainly not outside the realm of possibility), it won't actually be particularly hard to find the guy (and if it was stolen, then it's just a more valuable case of truck theft to solve).
@winte: You might get away with that for Budweiser, but any slight quality change in Guinness itself would cause a bar to be shut by riots. Guinness drinkers in Ireland are extremely fussy.
@ Mark Hamill:
"These are not the beer kegs you're looking for... move along."
Ironically, the thief is found dead the next day, shot for forgetting to get a tapper.
450 kegs of Guinness is a good haul, but I suspect the kegs themselves are worth much more in deposits that will never be refunded, unless there is some other method of accounting for empties in Ireland.
The biggest problem for the thieves, as I see it, is that the kegs have to be serialized or at least lot numbered in some fashion, and so if the kegs are sold as legitimate, each one will dutifully make its way back to a Guinness affiliated facility of some sort, leaving a trail in reverse.
They're actually running into problems, at least here in the states, with keg deposits that are less than the value if you bring it in as scrap metal. And most scrap places don't run the serial numbers, they just scrap the keg for the aluminum. What they plan on doing with beer, I don't know. I can only imagine that they will find someone to drink it, and perhaps make a little from that, depending, then they'll bring the kegs to a scrap yard, or various scrap yards. The whole process is pretty much pure profit, and depending on how it's handled likely untraceable.
They'll perhaps drive over the border into Northern Ireland, and sell it on the vigorous UK black market. (Booze in bulk is cheaper in much of Europe, and there is a lively trade smuggling it into the UK.)
Update: Looks like they were caught and at least some of the beer retreived:
Just proves that the Irish police (Gardai) were just as upset with the loss of the Guinness as the rest of us ;-) What's the bet that all of the Bud and Carlsberg has been found!
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.