Entries Tagged "guards"

Page 2 of 3

APEC Conference in Sydney Social Engineered

The APEC conference is a big deal in Australia right now, and the security is serious. They’ve blocked off a major part of Sydney, implemented special APEC laws allowing extra search powers for the police, and even given everyone in Sydney the day off—just to keep people away.

Yesterday, a TV comedy team succeeded in driving a fake motorcade with Canadian flags right through all the security barriers and weren’t stopped until right outside President Bush’s hotel. Inside their motorcade was someone dressed up as Osama Bin Laden.

Excellent.

Most excellent:

The ABC later released a statement saying the team had no intention of entering a restricted zone and had been wearing mock “insecurity passes” that stated the convoy was a joke.

“It was a piece testing APEC security and the motorcade looked pretty authentic,” the Chaser source said.

“They approached the green zone, and they just waved them through ­ much to their amazement, because the sketch was meant to stop there with them being rejected.

“They were then waved through into the red zone, but rather than go all the way through they made the call to turn around.”

“Apparently that was the first time the police realised it was not authentic and they swooped in and arrested everybody.”

Eight members of the comedy team, including the film crew, were arrested, as well as three hire car drivers.

The fake motorcade ­ three cars and a motorcycle escort ­had Canadian identification.

“We just thought Canada would be a country the cops wouldn’t scrutinise too closely,” said Chaser performer Chris Taylor.

Another article.

I’ve written about these large-scale social engineering pranks before (although at this point I doubt that the Super Bowl prank was real). The trick: look like you fit in.

I’ve also written about the Australian comedy group before. They’re from a television show called The Chaser’s War on Everyhing, and they’ve tested security cameras and Trojan horses. And interviewed ignorant Americans.

And APEC security is over-the-top stupid:

On the same day police won a court battle to stop protesters marching down George Street through the APEC security zone, it emerged yesterday that at least one cafe near George Bush’s hotel has been ordered by police not to set outdoor tables with silverware, lest it fall into the wrong hands.

And office workers in Bridge Street’s AMP tower have been told to stay away from the windows, draw the blinds and not to look at helicopters.

EDITED TO ADD (9/7): Video of the motorcade and the arrests. Photo of the fake security pass.

Great video from The Chasers on APEC and security, including some very funny footage about what normal people are willing to do and have done to them in the name of security.

Posted on September 7, 2007 at 1:53 AMView Comments

Real-World Social Engineering Crime

Classic:

Late on Monday, two thieves used a swipe card to drive a van up to Easynet’s Brick Lane headquarters. Once inside they began loading equipment into their van. They were watched by two security guards—one was doing his rounds and the other watched by CCTV—but both assumed the thieves, with their legitimate swipe cards also had a legitimate reason to take the kit, according to our sources.

EDITED TO ADD (11/25): Here’s another story (link in Turkish). The police receive an anonymous emergency call from someone claiming to have planted an explosive in the Haydarpasa Numune Hospital. They evaculate the hospital (100 patients plus doctors, staff, visitors, etc.) and search the place for two hours. They find nothing. When patients and visitors return, they realize that their valuables were stolen.

Posted on October 24, 2006 at 2:13 PMView Comments

Thief Disguises Himself as Security Guard

Another in our series on the security problems of trusting people in uniform:

A thief disguised as a security guard Tuesday duped the unsuspecting staff of a top Italian art gallery into giving him more than 200,000 euros ($253,100), local media reported.

The thief showed up Tuesday morning at the Pitti Palace, a grandiose renaissance construction in central Florence and one of Italy’s best known museums, wearing the same uniform used by employees of the security firm which every day collects the institution’s takings.

After the cashier staff gave him three bags full of money, he signed a receipt and calmly walked out.

Posted on May 12, 2006 at 6:10 AMView Comments

People Trusting Uniforms

An improv group in New York dressed similarly to Best Buy employees and went into a store, secretly video taping the results.

My favorite part:

Security guards and managers started talking to each other frantically on their walkie-talkies and headsets. “Thomas Crown Affair! Thomas Crown Affair!,” one employee shouted. They were worried that were using our fake uniforms to stage some type of elaborate heist. “I want every available employee out on the floor RIGHT NOW!”

Since the people did not actually try to impersonate Best Buy employees, could they be charged with any crime?

Posted on May 4, 2006 at 1:39 PMView Comments

Security, Economics, and Lost Conference Badges

Conference badges are an interesting security token. They can be very valuable—a full conference registration at the RSA Conference this week in San Jose, for example, costs $1,985—but their value decays rapidly with time. By tomorrow afternoon, they’ll be worthless.

Counterfeiting badges is one security concern, but an even bigger concern is people losing their badge or having their badge stolen. It’s way cheaper to find or steal someone else’s badge than it is to buy your own. People could do this sort of thing on purpose, pretending to lose their badge and giving it to someone else.

A few years ago, the RSA Conference charged people $100 for a replacement badge, which is far cheaper than a second membership. So the fraud remained. (At least, I assume it did. I don’t know anything about how prevalent this kind of fraud was at RSA.)

Last year, the RSA Conference tried to further limit these types of fraud by putting people’s photographs on their badges. Clever idea, but difficult to implement.

For this to work, though, guards need to match photographs with faces. This means that either 1) you need a lot more guards at entrance points, or 2) the lines will move a lot slower. Actually, far more likely is 3) no one will check the photographs.

And it was an expensive solution for the RSA Conference. They needed the equipment to put the photos on the badges. Registration was much slower. And pro-privacy people objected to the conference keeping their photographs on file.

This year, the RSA Conference solved the problem through economics:

If you lose your badge and/or badge holder, you will be required to purchase a new one for a fee of $1,895.00.

Look how clever this is. Instead of trying to solve this particular badge fraud problem through security, they simply moved the problem from the conference to the attendee. The badges still have that $1,895 value, but now if it’s stolen and used by someone else, it’s the attendee who’s out the money. As far as the RSA Conference is concerned, the security risk is an externality.

Note that from an outside perspective, this isn’t the most efficient way to deal with the security problem. It’s likely that the cost to the RSA Conference for centralized security is less than the aggregate cost of all the individual security measures. But the RSA Conference gets to make the trade-off, so they chose a solution that was cheaper for them.

Of course, it would have been nice if the conference provided a slightly more secure attachment point for the badge holder than a thin strip of plastic. But why should they? It’s not their problem anymore.

Posted on February 16, 2006 at 7:16 AMView Comments

Prisons and Guards

This Iowa prison break illustrates an important security principle:

State Sen. Gene Fraise said he was told by prison officials that the inmates somehow got around a wire that is supposed to activate an alarm when touched. The wall also had razor wire, he said.

“The only thing I know for sure is they went over the wall in the southwest corner with a rope and a grappling hook they fashioned out of metal from somewhere,” Fraise said.

Fred Scaletta, a Corrections Department spokesman, said the inmates used upholstery webbing, a material used by inmates who make furniture at a shop inside the prison, to scale the wall. The guard tower in that section of the prison was unmanned at the time because of budget cuts, he said.

“I don’t want to say I told you so, but those towers were put there for security, and when you don’t man those towers, that puts a hole in your security,” Fraise said.

Guards = dynamic security. Tripwires = static security. Dynamic security is better than static security.

Unfortunately, some people simply don’t understand the fundamentals of security:

State Rep. Lance Horbach, a Republican, criticized Fraise for suggesting budget cuts were a factor in the escape.

“In reality, we should explore why the taut wire system failed to alert guards and security staff that these two convicts were attempting to escape,” he said.

Actually, in reality you should be putting guards in the guard towers.

Posted on November 18, 2005 at 3:34 PMView Comments

UK Border Security

The Register comments on the government using a border-security failure to push for national ID cards:

The Government spokesman the media could get hold of last weekend, leader of the House of Commons Geoff Hoon, said that the Government was looking into whether there should be “additional” passport checks on Eurostar, and added that the matter showed the need for identity cards because “it’s vitally important that we know who is coming in as well as going out.” Meanwhile the Observer reported plans by ministers to accelerate the introduction of the e-borders system in order to increase border security.

So shall we just sum that up? A terror suspect appears to have fled the country by the simple expedient of walking past an empty desk, and the Government’s reaction is not to put somebody at the desk, or to find out why, during one of the biggest manhunts London has ever seen, it was empty in the first place. No, the Government’s reaction is to explain its abject failure to play with the toys it’s got by calling for bigger, more expensive toys sooner. Asked about passport checks at Waterloo on Monday of this week, the Prime Minister’s spokeswoman said we do have passport checks—which actually we do, sort of. But, as we’ll explain shortly, we also have empty desks to go with them.

Posted on August 11, 2005 at 1:28 PMView Comments

1 2 3

Sidebar photo of Bruce Schneier by Joe MacInnis.