Archive for February, 2010

Security Lessons from the Hamas Assassination Video

February 19, 2010

I enjoyed watching the video recently released by Dubai authorities that shows how they pieced together the movements of an assassination team – possibly Mossad – leading up to the murder of Hamas leader Mahmoud Al Mabhouh.  It’s rare to see actual video of a black ops assassination in progress.  The team were clearly pros, although observers are already pointing out their errors.  It’s a great video and I think there are lessons in it for people who think about security in general, including information security.  You might want to watch it before you read this, but you don’t necessarily have to:

To look first at the hit squad, there is evidence that they were rushed.  They used non-Israeli passports, but some of the names on them, at least, were the same as Israeli citizens who have dual citizenship.  This is fine for minor business, but for an op like this, you’d have thought they could come up with fake passports that would have no connection to Israel.  (If it was, indeed, the Mossad.  It could also have been another country or even a different terrorist group who wanted to set Israel up.)  Further, at least one passport wasn’t valid at all – the number on it had invalid characters and the wrong length.

Second, one observer – supposedly former Mossad himself – points out that there were anywhere from 11 – 17 people on the team.  This is huge for a hit like this.  One suspects that whoever ordered the hit got word that the victim would be traveling to Dubai on short notice.  In the video, we see people staking out multiple hotels until they get confirmation that al-Mabhouh is at a specific one, so they obviously didn’t know where he was staying or exactly when he’d arrive.  If they’d known when he’d arrive, they would have tailed him from the airport… in fact, a man like that is probably used to being tailed frequently.  Then, at his hotel, the initial surveillance team has to hurry in to the elevator with him to find out where his room is; a hotel employee even seems to wonder what they’re doing.  (One suspects the guy flirted with her to throw her off; note that she toys with an earring and lifts one foot nervously as they talk at the elevator.)  If two people rushed to get in to a hotel elevator with me, got off at my floor, and then seemed confused about where they were going, I would get suspicious (9:52).  In fact, I probably would have gone to get ice or something a few minutes later to see if they were still loitering.  I certainly would have made note of their faces and ridiculous tennis garb….

However, I don’t buy the contention that they did not expect to be caught on video like this.  Granted, Dubai police did a great job of examining the forensic evidence (mostly video) quickly to piece this together.  But the use of baseball hats and disguises indicates the team expected their movements to be caught on video at some point.  The most obvious point where any of them could be truly identified was when they booked a room next door to the victim, and that was covered because the guy who checked in immediately turned over the key to someone else on the team and left the country.

Then there are the Star Trek communicators they use to talk.  Really?  The Mossad can’t come up with a two way radio that looks like an iPhone?  And the frequent calls to Austria – the theory is their C&C center was in Austria, but what reason would there be for that?  I’d think a team like this would normally go dark, perhaps with an emergency way to call off the hit, but other than that, totally self contained until it’s done or not.  Sounds like there was someone micromanaging.  Finally, there’s the fact that their attempt to bypass the door’s electronic lock was logged.  I bet if you gave me a week or two, I could figure out the hotel’s mag strip algorithm and encode a key that would open the door with no indication it was fake.

But let’s face it, for all that the mission may have been rushed, it worked.  They killed the guy and were out of the country before anyone knew he was dead.  So to look at the other side, where was the security fail?  Well, who was responsible?  No one expects hotels to provide more than passing security measures; the cameras and stuff are more to limit their liability and make criminals think twice than to actually prevent crimes – especially pro hits by nation state actors.  The Dubai police, like all police, are more for solving crimes after the fact than preventing it.  But there are still oversights worth mentioning.

The invalid Irish passport is one issue.  I find it hard to believe that country as modern as Dubai cannot at least verify that a passport has what could be a valid number on it.  Credit cards do it; the checksum is embedded in the card number.  Every place that sells beer in the U.S. has a book so they can check driver’s licenses from out of state.  Is there no international way to check a passport?  I’m not talking an int’l database of everyone who has one, just a book you can look at to see what an Irish passport looks like and what the number should be (e.g., as a regex: [A-z0-9]7).

Second, I’m somewhat surprised a well known, wanted Hamas leader who has had multiple attempts on his life can walk in to Dubai and wander around without Dubai (counter)intelligence being all over him.  And if they were watching him, they should have noticed the surveillance teams in his hotel.

I do have one issue with hotel security, which is allowing someone to request a specific room.  I can understand a request for a high or low floor, or a room with a view of the golf course or something, but the only time I’ve seen people ask for specific room numbers is in movies when they were staking someone out.  Red flag!

Mostly, of course, the security fail is with al Mabhouh.  He seems to have kept his plans under wraps, since the team didn’t know his hotel or arrival time, but once he got there he seems to have thought he was on vacation (maybe he was, do terrorists get vacation time?)  He had no security team of his own.  Just one guy watching his back would have thwarted the surveillance team.  The old “hair across the door” trick would have warned him someone was in his room.  If he had simply paid attention, he should have noticed that the two tennis guys in the lobby when he came in were the same as the ones who jumped in the elevator with him, and were *still there* when he left his room and *still carrying their tennis rackets* (although at least they had the secondary team, who he had not seen yet, follow him to his car.)  But the video shows the victim was not alert at all, walking with his head down and barely glancing at Gail.

Anyway, these are just observations.  I’ll leave it as an exercise to the reader to generalize security principles from it.


Unfollow script

February 14, 2010
This script will unfollow accounts on twitter that you are following, who have not updated yet in 2010.  YMMV.  Usage: ./ [YOUR_twitter_ account].  You need to sub in your account and password where it say [account] and [password].
curl -x “$1.json” > followers
sed -ie “s/\[//g” followers
sed -ie “s/\]//g” followers
sed -ie “s/,/ /g” followers
for i in `cat followers`
year=`curl -x “$i.xml&#8221; |grep created_at | tail -1 | cut -d” ” -f10 | cut -d”<” -f1`
if [ -z “$year” ]
curl -x –basic –user “[account]:[password]” –data “” “$i.json&#8221;
if [ “$year” != “2010” ]
curl -x –basic –user “[account]:[password]” –data “” “$i.json&#8221;