DEFCON Conference 26. Wagging the tail: covert passive surveillance. Part 2

In our digital age of technically literate opponents, we forget that there is still a need for physical observation of a target using “old school” methods. Many organizations use monitoring groups: internal ones in government, or external ones hired to perform a specific task. The targets of these groups range from suspected terrorists to people accused of fictitious insurance claims.

While most people think that they will never be monitored, some professions increase this likelihood. For example, if you are a journalist who meets with sources only face-to-face, you can become a target for observation, especially if the source is an informant or has information that his employer would prefer not to disclose. Nor should you consider it implausible that a hacker, pentester, speaker or DEFCON participant could be monitored.



These observer teams are not lone private detectives sitting in a car at the end of the street you live on, but highly qualified people whose job it is to go unnoticed. They observe, identify your contacts and document everything that they see or hear. They strive to look like people whom you could not describe if you were asked about them. Their tracking methods have changed very little over decades, because these methods really work.

This report focuses on the methods of mobile and foot observation, which are used by such groups. The speakers will advise on how to determine if they are watching you, and how you can complicate the life of these observers.

DEFCON Conference 26. Wagging the tail: covert passive surveillance. Part 1

I note that novice students of the surveillance service like to use informal uniforms. It seems like they all dress differently, but look the same, like on this slide - blue jeans and black jackets.



This is how they were dressed on the first day of training. However, having gained experience and knowledge, they will no longer dress in this way. While on foot surveillance, operatives must keep in touch with each other. To do this, they use wireless earpieces - capsules that are inserted into the ear and which cannot be seen from a distance. If you have ears as big as mine, you won’t see anything until you get close to the observer.



You need to receive signals on your earphone, and for this they use an antenna - an induction loop in the form of a wire with a microphone, which is worn around the neck.



The data antenna is usually located under the clothes on the back and hangs over the shoulders so that it forms a T-shaped contour. On the slides you see such an antenna and a complete set for radio communications of walking observers.



All this is hidden under the clothes, so you will not see any buttons under the sleeve or wires sticking out of the ear. The kit is worn in a special vest, on one side of which there is a radio, and on the other, batteries, to save space and wear under a regular shirt.

Let's talk about clothes. Observers will use disguise by changing their appearance. This slide shows very old photographs from the Stasi archive - the secret police of the GDR. It is possible that members of the observation group will use wigs, false mustaches and dark glasses in our time. Sometimes it looks comical, but such a change in appearance works.



SecuritySense: The point is that due to the change in the shape of the figure, the guys on the slide look completely different, despite the same shirts. We change the shape of our figure and very easily dissolve in the crowd.

Agent X: One of the problems with changing the appearance of the observer is the limitation of time for such manipulations. The people being monitored remember their persecutors very well. And here an error often occurs when the surveillance operator completely changes his appearance, but keeps his beloved comfortable pair of shoes. If you travel by public transport, look at your traveling companions carefully. You can easily find the part of the observer’s clothes that has not changed.

SecuritySense: Think about how often you look at men's shoes.

Agent X: People love their watches, get used to them, and former military people like to wear tactical models. Such observers often forget to take them off when they change their appearance, so if you see a suspicious person, take a look at his watch. It may be the same as that of the person chasing you, who previously looked completely different. The same applies to jewelry - engagement rings, necklaces, earrings.

Suppose the observers are behind you. What will they do?



Most likely, they will begin to implement the standard ABC observation pattern. There is a direct visual observation, in which directly behind the target there is always only one person, A, who holds the target in sight. Behind him is the second observer, B, ready, if necessary, to go in the opposite direction if the target turns around and goes back. In this case, the first observer will let the target pass by him and move on, and then, when the second observer takes his place, he will turn around and take his place. The third observer, C, follows parallel to the target on the opposite side of the street or along the side path, slightly behind the target so that, turning his head to the side, the persecuted could not see him. This scheme cannot be implemented with one or two observers.



Next, the target turns around the corner, stops and waits to check if someone is chasing it. Observer C on the opposite side of the street sees this and informs observer A, the target's direct pursuer, that the target has stopped moving. As soon as the observed continues the route, agent C will report this, and the persecution will resume. In this case, agent A, immediately following the target, crosses the street and takes the role of agent C, agent C crosses the street and falls in immediately behind the target, playing the role of A, and agent B continues to be behind everyone.



Reorganized in this way, the group will continue to monitor the target. There can be 14 or 15 people in the observation group, and they will constantly change their location in order to limit the target’s ability to detect surveillance.

In such a situation, you, as the observed one, can apply the anti-tracking technique using the details of the environment. Your goal is to detect observation and at the same time not to show the pursuers that you found them. One example is the subway mirrors, in which you can see the observer without turning your head and without looking back. At the same time, you control the observers and can do what you want by getting rid of the “tail”, or when the “tail” loses sight of you.

On the street, store windows should be used. These are excellent “mirrors” reflecting everything that happens behind your back or even on the other side of the street. So you can detect the “tail”, which is not immediately behind your back, but at a decent distance. If you spot the same person on the other side of the street several times, it’s likely that he is tracking you.

SecuritySense: The CIA also trains their agents in counter-surveillance, so you should take their tricks into service and take full advantage of the urban environment. Learn how to benefit from street mirrors, find points at which radio communications disappear, look into shop windows. They teach observers both tracking routes and counter tracking routes.



Agent X: So you have to control their choice. You must force them to follow the routes you have proposed, to visit your chosen places. If you are in a large shopping center, use escalators. It’s quite natural for a person on an escalator to turn their head, look around, look up, etc. This will allow you to see suspicious people on the lower floors.



We all use mobile phones, so the question arises as to why telephone boxes might be needed. A telephone box is an opportunity to stop and look around. Observation agents know that if the target has stopped, they also need to stop moving and not let you out of sight. At the same time, they themselves need to take refuge somewhere - in the nearest store, cafe, etc. Therefore, use telephone booths to make them seek shelter.

SecuritySense: This is called a "cover for action." You can force them to try to track your call, that is, to force them to take some actions not envisaged by the plan. In this case, your behavior will look quite natural.

Agent X: Let me remind you again - you can use natural “bottlenecks”, such as a deserted narrow street or an underpass. You are walking along a one-way dead end street, at the end of which there is a lonely cafe, where only regulars go. Therefore, any person following you will immediately attract attention. You can choose the only route that allows you to get from point A to point B, and observers will be in difficulty. They will be forced to use workarounds or follow right behind you, risking attracting attention to themselves.



You can make unexpected decisions by visiting unusual places. For example, a man will never go to a cosmetics store, unless he buys something for his girlfriend. If you go to such a store and another guy comes in after you, it will cause your interest.



However, if there is a woman in the team of observers, they can send her, and this will not arouse your suspicions. The only place she cannot follow you is the men's toilet. I repeat: make them make decisions and think about why you went here. This may or may not be obvious. During the Cold War, there were bookmarking places in the toilets where people would put data or take sensitive information, which was convenient because no one would go into the bathroom to pick you up. So you can use the toilets to your advantage - if someone follows you there, it will be easy to spot.

Consider the elevators. Entering the elevator, you force the pursuers to make a decision: put someone next to you in a cramped metal booth or quickly run up the stairs 3-4 floors to catch up with you. Do not pay attention to what is shown in the movie - no one is able to run 15 floors to meet you at the very top.



If someone enters the elevator with you, this will be a great way to get in touch with him, while using your British accent: “I'm sorry, my watch has stopped, could you tell me the time?” Speaking about the British accent, I mean that there are amazing accents that are familiar to us from Hollywood films, they are perfectly remembered (an excerpt from the film is broadcast on the screen).

So, we come to the topic of creating a hostile environment for agents pursuing you. This is not Afghanistan or a suburb of Los Angeles, it is something that can be used as an advantage. Remember that observers always carry a radio kit with them, so they should wear enough clothing to cover it. Therefore, they will not climb into the pool after you and will not go with you to Turkish baths.



You can lead them astray by pointing in the wrong direction. They follow you to determine who you are interacting with, who you are dating, so use this as an advantage. When you meet someone on the street, shake his hand. Agents might think that you gave something to a partner. For example, when I meet my friend Trevor for a milkshake, we always hug tightly.



And again I say - use the environment! When visiting a cafe, you choose where to sit down. If you are reading a newspaper, then after reading, fold it, put it on a table and exit the cafe.

SecuritySense: Consider that by doing so you “inherited”.

Agent X: Now, observers are forced to decide what to do if you leave something important inside the newspaper. A team of observers will be forced to send one of the agents to the cafe to inspect the newspaper you left. If there are several, then half of the team will go to the cafe, and the second half will continue to follow you. In this case, you will win by dividing the team of pursuers and forcing it to play according to your rules.

You can also use the dressing up technique. Remember that before you "spot" the target, observers get a description of how it looks. Suppose that a team of observers has been chasing you for 6 hours, and all this time you have such a red cap on your head.



To knock them off the trail, you can change your appearance. I'm not saying that you need to carry a suitcase with wigs and a false mustache. Take a bag with you, take off your coat and put it there, take off your hat, and thus you will already change your appearance.

You can say that all these are tricks of the “old school” and this doesn’t happen anymore ...

SecuritySense: Don't forget - shit happens always and everywhere!

Agent X: On the next slide you see Richard and Cynthia Murphy. They had a small house of their own, two young children, and they lived in a small town in the state of New York. The neighbors considered them very nice people, but in reality they were Vladimir and Lydia Gureev, deeply conspiratorial Russian spies.



They entered the country in the late 80s - early 90s, and their children were born in America. The Russians played a very lengthy operation, but as soon as the Gureevs came into the view of the FBI, they began the operational development of this married couple. As a result, they managed to uncover a network of 10 deeply conspiratorial Russian agents.



SecuritySense: See how unhappy the people in this picture look!

Agent X: This is because they are caught. The FBI has been watching these people for almost 10 years. Surveillance is a long game, because the special services are not interested in these people on their own. The FBI is interested in their environment, the entire intelligence network, their bosses, all members of the espionage team.

SecuritySense: All surveillance schools operate on the same textbooks, and the Soviet, I apologize, Russian surveillance system is no different from the American one. Everywhere, agents use the same tricks, because nothing better has yet been invented; they have the same makeup, the same equipment. Nobody in this area is going to “reinvent the wheel”; they take advantage of what the old school of surveillance has created.

Agent X: An interesting part of this operation began after the United States deported all these spies from the country. The FBI released a video of how the surveillance was conducted. As you can see, the shooting is from a very strange angle, because the hidden camera is located in the tree trunk and is directed down. We see a man bending down, picking up foliage and taking a packet from an old mailbox lying in the ground. He must act very quickly, not dig anywhere, so as not to attract attention, so such a convenient container was used for sending.

At the moment, the observation group uses the image from the video camera, and then, as soon as this person moves away from the extraction site, it proceeds to normal observation. Here, the agents took advantage of the technical means of surveillance. But such a mailbox can be used only once, because when you return to it, a camera can already be installed there.

SecuritySense: Look further - it’s completely normal, and we all do this when we walk in the park. We cross the bridge, go down under it and take out something from there (laughter in the hall).

Agent X: Children often play this way.

SecuritySense: That's it. The following video shows how carelessly they work. And these are people whose life is at stake and who have been engaged in espionage for 10 years!



Agent X: This is a staircase on a busy street. You see two men walking up the stairs toward each other. They have identical packages in their hands, and having met in the middle of the stairs, they exchange them. This is a classic of the genre (laughter).

SecuritySense: This is not unusual either, is it? I always do this when I use the underpass in New York: “hey man, here you have my groceries, great products, let's change!” No, this guy is not a spy at all!

Agent X: Indeed, he needs to continue his studies at the spy school! This video shows a man in the subway. He turns his head, looking into the tunnel, as if the train could appear from any direction. I don’t know how long the FBI filmed it, maybe then they edited the record. The man disappears from the frame, then appears again on the platform, as if he just came to hang out there. Then the camera shot a scene similar to the previous one - the same man goes up the stairs from the subway, meets with some guy and opens his backpack. He grabs some papers from him, picks them up and hides them in his bag on the go. The men disperse - one up, the other down into the subway.

SecuritySense: You see how carelessly they do it all. This is probably a characteristic feature of the Russians.

Agent X: Remember, I said - you have to manage the environment. When you go to a cafe, you choose a place from which you can see the whole situation.

SecuritySense: The target of FBI surveillance is two guys in the middle of the frame.



Agent X: What they do looks very suspicious - they exchange the contents of their bags on the side of the table, so this is clearly visible. These shots were taken with a hidden video camera, which is located inside the bag lying on the next table, at a distance of about 6 feet from the target. We see that the Russian agents not only did not take advantage of the environment, but also allowed observers to approach them at the distance necessary for shooting.

SecuritySense: The observation group is located quite close to the target. I mean, this is a dangerous distance at which you can "burn". The foot of another person is visible in the frame, and I think that at least 3 FBI agents were in this cafe; however, the observed did not detect any of them.

Agent X: We cannot cover all aspects of counter-surveillance in 45 minutes, so I will try to summarize the above. So, if you are being monitored, use your environment, control the situation, choose for yourself where to go to force them to follow you. No need to appear where they are waiting for you.

SecuritySense: You yourself can set the pace of the chase, because you are the leader, so drive this race! Change this pace as you wish.

Agent X: Make unexpected decisions. This will put them before a choice, break plans, create confusion, and force them to make a mistake. You make decisions that are beneficial to yourself; they are disadvantageous to them. So they can reveal themselves and fail the surveillance.

The best thing is if you can follow the principle of divide and conquer. You can switch their attention in the wrong direction and split the team so that only half of the observers will act against you.

Always make toasts! (the presenter means the picture from the first part, where the degree of “heating” of the tracking is demonstrated on the example of toasting). If you find yourself the target of persecution, try to do what you usually do not. Any of those present would probably not want to be monitored. If you are going to meet someone, then try to arrange a meeting in some special way.

The last rule - if you suspect that you are under surveillance, refuse the scheduled meetings. If you do not, then you can drag someone else into the circle of surveillance.



Everything that we told you here is in the public domain. I have not revealed any secrets, so please do not arrest me when I leave your country.

SecuritySense: Yes, everything that you heard can be read in books on surveillance.

Agent X: If you still have questions, you can ask us in the recreation area. Thank you for your attention!

