DEFCON Conference 26. Wagging the tail: covert passive surveillance. Part 1

In our digital age of technically literate opponents, we forget that there is a need to use physical observation of a target using the methods of the “old school”. Many organizations use monitoring groups: internal for government or external, hired to perform a specific task. The objectives of these groups range from suspected terrorists to people accused of fictitious insurance claims.

While most people think that they will never be monitored, some professions increase this likelihood. For example, if you are a journalist who meets with his sources of information only face-to-face, then you can become a target for observation, especially if the source is an informant or has information that his employer would prefer not to give. Also, do not consider it incredible the ability to monitor a hacker, pentester, speaker or DEFCON participant.



These observer teams are not lonely private detectives sitting in their car at the end of the street you live in, but highly qualified people whose job it is to go unnoticed. They observe, identify your contacts and document everything that they see or hear. They strive to look like people whom you cannot describe if you are asked about it. Their tracking methods have changed very little over decades, because these methods really work.

This report focuses on the methods of mobile and foot observation, which are used by such groups. The speakers will advise on how to determine if they are watching you, and how you can complicate the life of these observers.

Agent X: let's get right to the point. Why did we decide to devote this conversation to observation? We will discuss issues of tracking people of a sample, say, 1983, and not talk about modern technical methods of observation.

SecuritySense: ... like Facebook.

Agent X: possible. So, are you not the goal of observation?

SecuritySense:it is possible that in this room there are people who are of interest for surveillance. The far right on the slide is Zach Franklin, who led DefCon for 15 years, but DefCon itself can be aimed at you. On this slide you see Michelle Madigan. Some of you remember her attacks on our conference, so we decided to retaliate with our own undercover surveillance team. Real physical observation is a great pastime.



Agent X: ... especially when you are in a hostile environment. If your home office looks something like this slide, then you never leave your home and cannot be the target for observation.

SecuritySense: it looks like he has serious problems in his office for those who want to clean it.



Agent X:so who usually conducts surveillance? These are well-known three-letter agencies: NSA (National Security Agency), FBI (Federal Bureau of Investigation), CIA (Central Intelligence Agency), KFC. Although, perhaps, KFC has nothing to do with it, if you are not trying to sell their secret recipe to North Korea. Many companies have the ability to engage monitoring groups if they feel the need. Many government agencies, especially in the UK, such as the Revenue Service and Her Majesty’s Customs, search for fraudsters through special surveillance teams. As an individual, you can undergo 2-week training to work in such a group. If you are a former military observer, it is enough to present 2 identification documents, pay 2314 pounds,take a course and receive an appropriate certificate for the right to engage in operational surveillance.



SecuritySense: that's about $ 2,000.

Agent X: yes, quite expensive. So, from the very beginning of the report, an important fact should be noted. All vehicles from which monitoring is carried out are characterized by the so-called “heat state”. Suppose you started observing a target at 10 in the morning and are driving it all day. Each time you contact the target or attract the attention of the target, this state drops until you finally get asleep, like this toast. For example, crashing your car into a car targets surveillance.



Therefore, at the end of the working day, all observation operators report to what extent their “heat state” has reached. As a person under observation, you should strive to ensure that it drops to zero, that is, detect the observation of yourself and fail to inconspicuous surveillance.

The observation itself consists of 3 main stages: Pickup, or notching the target, Follow - chasing the target, and Housing - monitoring the target's house. Most of the talk we will have about the persecution, as this is the most fun part of the observation, during which the main events take place. We’ll talk briefly about the notch, or capture of a target for observation, because its purpose is to gain control over the movements of the target at the very beginning of the operation or operating day. For this, the observer must have a description of the target, the coordinates of its initial location and possible ways of moving. To capture the target, a stationary observation post is used, for example, a neighboring apartment or a house opposite.

SecuritySense:on the next slide, the white building on the left is the Russian Embassy in Washington, and the house opposite it, shown on the right, is a stationary FBI observation post. They owned this property and monitored the building across the road for many years.



You may ask, where are the huge surveillance cameras, and so, none of the targets passes through the main entrance, they always exit through the back door to the next street.

Agent X:Observers also use stationary hidden cameras with remote control, which automatically turn on when the object of observation appears or is deleted. They also make extensive use of mobile observation points. On the next slide, you see a 1989 mobile observation point — the Dodge minibus used by the FBI. One guy bought this car at auction and then uploaded a video on YouTube. There is an antenna on the roof of the car for listening to the house of the object of observation, each of the front and rear headlights is equipped with a microphone, you see the holes left from them, and the roof rails are equipped with video cameras. Inside are video surveillance monitors for the facility, as well as a toilet and air conditioning.



SecuritySense:Of course, he is not as pretty as a minibus on the next slide, but if you see one on your street, know that you screwed up.



Agent X:observers can also use a special vehicle for visual surveillance, which we call boot fit in England and trunk fit in America. In such a machine, the surveillance operator is in the trunk. This is not very convenient, but on the other hand, the observer can video, take photos and just watch the object from the car, which looks completely empty. This is especially convenient where a parked hefty wagon will immediately attract attention. On the slide you see such a car without a driver and passengers in the cabin, but the observer gives out a glimpse of the camera lens located behind the rear window. Such surveillance can be carried out for a very limited time, because the operative in the trunk risks health, but it works.



These methods have existed for years and have changed little. There is a movie made by the British in 1974, which they shared with our American friends as part of a "special relationship."
An excerpt of the film is shown on the screen. Announcer: the escort machine remains in place, and as soon as the target’s car passes by it, the observer passes information to another operational machine, which should follow the object of observation. Brown's car is moving west, and if he looks in the rearview mirror, he will not see anything suspicious. However, about a kilometer from the house, a green Magnum leaves the alley onto the road, which follows Brown. It looks like regular road traffic, and although the target did not see any “hanging on the tail” of cars, most of the time Brown was under surveillance.

The key phrase is "was under surveillance." Observer machines do not constantly accompany the target, do not go right behind it, because it is better to lose the object than to fail the operation due to the fact that the object notices tracking. You heard the operatives talking openly on the radio. This method of sending messages has long been outdated, and nowadays, short code phrases are used to save time and speed. It also allows you to hide the location and direction of movement of the target, because if the observer does not use encryption, his message can be intercepted, and an outsider or the object itself will be in the know. This is the message in the old classical manner: “We are waiting. Target left her home in a red baseball cap, blue t-shirt, gray trousers and black boots. The object sits in its car.Now he drives off and turns left to the intersection of High Street and Water Lane ", and so is his modern equivalent:" Seventy-seven. Alpha 1 from Charlie 1. Blue on gray. Black shoes, a red baseball cap. Performed by Bravo 1. Mobile 91 yellow 2 ". It sounds like bullshit, but the team of observers understands that the last part of the message uses the so-called spot code - symbols that are applied to terrain maps and allow you to indicate the location of the target and the direction of movement instead of pronouncing street names: “The target machine is approaching the intersection B4668 and A47. Turned on the right indicator. Now the target has turned right, heading for Earl Shilton. "red baseball cap. Performed by Bravo 1. Mobile 91 yellow 2 ". It sounds like bullshit, but the observer team understands that the last part of the message uses the so-called spot code - symbols that are applied to terrain maps and allow you to indicate the location of the target and the direction of movement instead of pronouncing street names: “The target machine is approaching intersection B4668 and A47. Turned on the right indicator. Now the target has turned right, heading for Earl Shilton. "red baseball cap. Performed by Bravo 1. Mobile 91 yellow 2 ". It sounds like bullshit, but the observer team understands that the last part of the message uses the so-called spot code - symbols that are applied to terrain maps and allow you to indicate the location of the target and the direction of movement instead of pronouncing street names: “The target machine is approaching intersection B4668 and A47. Turned on the right indicator. Now the target has turned right, heading for Earl Shilton. "“The target machine is approaching the intersection of B4668 and A47. Turned on the right indicator. Now the target has turned right, heading for Earl Shilton. "“The target machine is approaching the intersection of B4668 and A47. Turned on the right indicator. Now the target has turned right, heading for Earl Shilton. "



Looking at the spot card, you can simply say: “Bravo 1 on the red six follows to the right. Bravo 1 made “to the right”, 91 Red Five ”, and all investigators understand where the target is and where it is headed.



SecuritySense: such maps are compiled for the entire area of ​​operations, for the entire city, for each surveillance vehicle, no matter how many there are.

Agent X: 8 machines and 16 operators are commonly used.

SecuritySense: yes, there are a lot of folders with information that you need to quickly supply a large team of observers, so this is not a cheap job if done properly.

Agent X:so what should we look behind to understand that we are being monitored? If you are in Texas, where everyone drives a jeep, observers will also be in a jeep. If you are in the city, they will be in the "sedan", so as to merge with the environment and not stand out. They will not follow you on a hefty SUV with government numbers.



SecuritySense: Except for DC!

Agent X:yes, except for DC. Here is an excerpt from a local Iowa newspaper. It is reported here that in just one state, undercover surveillance agencies have been issued more than 200 Iowa license plates to government agencies. Since this is a team of professionals, they need to have several license plates to replace. If the “heating state” falls, they believe that you need to change the car number. However, you cannot stand on the side of the highway and start unscrewing the number, because someone will notice this and report it to the police. In addition, they will have to postpone the persecution for a while.

As I said, they will not go right behind you, but will use 2-3 swapping machines and parallel routes to get ahead of you. In America, it is very easy - most of your cities are divided into blocks, so it’s enough to place the blue surveillance cars on parallel streets so as to intercept the surveillance of the red car during its turns, informing the detectives about them in advance. The slide shows a standard FBI floating box. The animation shows that when the target is rotated, all the machines of the operatives move so as to keep the observed inside the box.



Traffic signals cannot interfere with the pursuit, because if one surveillance vehicle stops at “red”, the second leaves the parallel route and continues to follow the target.

How can you resist such surveillance? The first thing you will do as a person trying to detect surveillance is to use anti-surveillance, that is, hire your own observer. This guy accompanies you to find those who are watching you. If you cannot afford this, the simplest thing is to constantly change your route and use public transport. You can leave the house in your car, park it somewhere and take the bus.



It is a good solution to call a taxi, because taxis and buses usually follow routes that are not used by personal transport. If your bus moves along the “dedicated road”, then no observer will dare to accompany him. They will have to wonder why you took the bus, perhaps you want to meet someone there or pass something on to someone. At the same time, you can control the situation, provoking them to “light up”. You force them to make unexpected decisions, while there is a 50/50 chance that this decision will be in your favor, they will appear too close to you, and you will notice them.

In addition, if you figure them out, you can always call the police. Then the observers will have to explain what the hell they are doing on the public transport lane. In addition, you can use natural bottlenecks. Let's say we have two villages on opposite shores of the bay. You can take a 47-mile detour along the coast, which takes a lot of time, or use a car ferry and quickly get to your destination.



There are many such places in the lake area around New York, so remember the benefits that they can provide you. In our case, you will put observers before a difficult choice - to go around to catch you on the other side, risking not being in time, or to drive 1-2-3 observation vehicles that you will calculate onto the deck of the ferry.

The ability to use the tracking detection technique called “A long look” is computed by observation operators in advance using a map. This is a long, deserted, long and straight road without parallel tracks, following which it is enough to look back to find that you are being pursued by an convoy of several operational vehicles. Observers should avoid such situations, so surveillance in the city is much more successful. The image shows a highway with a direct line of sight of 8 miles one way, and in just 4 hours only 1 car drove along it.

SecuritySense:you must force the team of pursuers to make innovative management decisions. For example, on such a road they will not be able to park even one surveillance car, because they will not be able to put the others behind you. At the same time, the familiar “floating box” scheme breaks down. If you figure out how to squeeze them, the pursuers will break the template.

Agent X: Take advantage of technology. If you ask someone to help you, he will be able, for example, in the morning at your home to film every car that will drive 10 minutes earlier and later than yours. Then in another place during the day he will repeat this survey. As a result, you will get 2 lists of license plates, compare them, and if one or more numbers are present in both lists, then this is a surveillance team machine.
OpenALPR technology can help you. This is an open product for the automatic recognition of license plates of cars captured on video.



I will show you some footage made on my iPhone. You turn on the camera and shoot cars moving in your direction. The frames are transferred to the software, while in the lower right corner of the screen in real time there are image files that are transmitted to the software and it reads them frame by frame. This will allow you to find multiple images of the same license plate.



Using well-known technologies, we can run this application, extract it using JSON and convert it to an SQL file. Then we download the Perl translator to read this file and get a list of license plates. On the screen you see the format of the English license plates, and some of them look very similar.



These are flaws in the software itself, which sometimes cannot recognize numbers on a blurry image. But you can make a standard SQL counter, which will calculate the number of occurrences of two approximately identical numbers, and the one that occurs more times will be the correct number.

Parking is a bottleneck, you choose where to stay. Observers chasing you are forced to decide whether they can get in the same parking lot, because in this case you can find them. This is especially easy to do in a multi-level parking lot that is well visible.

There is a misconception coming from law enforcement agencies and the military that if you want to get rid of the tail, you must park backwards, not like other cars, so that you can quickly start from the parking lot if necessary. This type of parking is usually striking.



Surveillance operators tend to be as inconspicuous as possible, so they will not park their car in the opposite direction. However, if you park in this way in front of those who are observing, then immediately pay attention to yourself and make them nervous. Pay attention to the unusually parked cars on the following slides - it immediately catches the eye.





Let me remind you once again - if you are riding in a taxi, you can stop wherever you want, get out of the car, and if it is forbidden to stop private transport or there is no parking, observers will not know what to do. Car observers can be evacuated for parking in the wrong place, and how will they explain this to their superiors?

SecuritySense:the fact is that using a taxi, you can suddenly get out at the intersection and spoil it with the entire mobile surveillance scheme, forcing you to switch from car tracking to walking. In this case, they will not be able to get close enough and fast enough to you. Such a technique will confuse them and may make them make the wrong decision.

Agent X:when you return to your car, I mean “bottlenecks”, you can look around properly and look into the cars parked next to it. Like all people, observers make mistakes, and if you notice cards or a device for radio communications in the cabin, this transport is most likely used for surveillance. As my friends told me, two observation instructors, not students, but instructors who decided to visit their students at a covert observation post, parked their car and went on foot. One of the passersby told the police that there was something suspicious in the car, they looked into the passenger compartment and saw a walkie-talkie under the steering wheel.



This is a thing that is not often found in cars of respectable English, so the police waited for the instructors to return and demanded to explain what they were doing here without a special official card that allows them to observe.

When we presented this report to the organizers of the conference, they asked why we decided to talk about methods of observing the old school, while today there are a whole bunch of technical tools for conducting invisible surveillance. For example, you can set a GPS tracker on your car and track all movements. Of course, this is possible, but the target can also use modern technologies to detect bugs, find your tracker and understand what is being monitored. Yes, that’s fine - the target stopped near the shopping center, and you are a mile away from it and see on the map where it is now. But as soon as the object comes out of the car - that's all, you lost it. You do not have enough people to maintain visual contact with the target, so you will have to abandon your car, catch up with it and start chasing on foot.

SecuritySense: the point of observation is not to find out where a person is going, but to watch his behavior. First of all, observers are interested in what the goal is going to do or what it is doing now. Suppose we know that Jimmy goes to Fry every Tuesday and buys a hamburger, but this is not important to us, but who he meets and shares this hamburger with.

Agent X: Let’s look at how observers usually look and who they look like. There are a lot of stereotypes about this.

SecuritySense: The media taught us that they are usually hefty cool white men with a short haircut and a huge watch.



Agent X:if you really saw these guys on the street, you would think: “Oh God, I'm under observation!” Firstly, they can see the headphones, secondly, the left guy has a walkie-talkie walked away from his shirt and tie, and thirdly, he has a holster under his jacket. The guy on the right under the shirt sleeve has a button for conducting radio conversations. If these guys are following you, they probably want you to feel supervised.



On the next slide you see 3 people participating in one of the British television shows. One of them is a former intelligence officer, the GCHQ Government Communications Center, another of MI6's secret intelligence, and the last is an MI5 security surveillance operator. So who is who?



They have a woman working as an observer, and there are no white hefty men in the state. Real operatives do not stand out from the crowd. You will not pay attention to such a person if he takes a bus next to you.

23:45 min

To be continued very soon ...

A bit of advertising :)

Thank you for staying with us. Do you like our articles? Want to see more interesting materials? Support us by placing an order or recommending to your friends, cloud VPS for developers from $ 4.99 , a unique analog of entry-level servers that was invented by us for you: The whole truth about VPS (KVM) E5-2697 v3 (6 Cores) 10GB DDR4 480GB SSD 1Gbps from $ 19 or how to divide the server? (options are available with RAID1 and RAID10, up to 24 cores and up to 40GB DDR4).

Dell R730xd 2 times cheaper at the Equinix Tier IV data center in Amsterdam? Only we have 2 x Intel TetraDeca-Core Xeon 2x E5-2697v3 2.6GHz 14C 64GB DDR4 4x960GB SSD 1Gbps 100 TV from $ 199 in the Netherlands!Dell R420 - 2x E5-2430 2.2Ghz 6C 128GB DDR3 2x960GB SSD 1Gbps 100TB - from $ 99! Read about How to Build Infrastructure Bldg. class c using Dell R730xd E5-2650 v4 servers costing 9,000 euros for a penny?