Getting Physical: Hot Summer Security

Friday, July 16, 2010

Pete Herzog

1789975b05c7c71e14278df690cabf26

A few summers ago I read an article on a popular, international news site about locking up your home for vacation.

I read:

"Leave your car on the street in front of your house so criminals think someone's home."

I thought, really, leave one of the biggest embodiment of an expenditure most people have right on the street when you can't be around? That can't be right.

I read:

"Post dog warning signs around your home even if you don't have one."

I thought that was interesting because there are criminals who watch target houses over weeks to determine when they are empty so it won't fool them. So it might be for the opportunists, right?

But then I thought that the same crack-heads or thugs who break into places for quick cash are the same type of people I see in the park playing tug-of-war with their pit bull, certainly not the type of people who fear dogs or lack the ability to dominate them.

This is a good example of why the OSSTMM 3 requires that you don't look to the threat to prepare your security because it's too easy to only make changes which affect a small portion of the threats. That's especially true when you consider how unpredictable human behavior can be.

I read:

"Make sure you clearly post the sign that your house is armed with an alarm, most alarm companies supply them freely so ask them if you didn't receive any."

The alarm signs from companies give information about who they are and you can easily go to their website and look up the standard installation packages. These packages are often the type that offer magnetic window alarms for the first floor windows and a sensor by the front and rear door.

Many crooks are not afraid to climb to the second floor to penetrate the building. Some sites are much more specific on what you get exactly. Besides informing your criminal opponent, signs also provide visibility that you are protecting something.

Finally, it takes away the element of surprise (unless you count the less surprising "Hey, they don't haven an alarm!" type of surprise) which can catch a crook off guard when the siren sounds before they even get to your front door.

The worst thing about it is a prepared thief who will use force and violence to get you to disarm the alarm quickly even if it means waiting for you to get home within your own yard.

I read:

"Use lights or television on a timer...."

Again, some crooks will not be fooled by this due to the patterns of time or which lights go on and off and when. Normally, a light goes off at random times when a person leaves a room and a new light goes on in the adjacent room.

Then again some thieves don't care as they will just avoid the rooms where the lights are on.

There were many such pointers. I wondered how such advice could be given when it seemed so wrong. So I searched around and found this to be the same advice offered by police websites and general, government-sponsored security websites as well.

I realized there was a real lack of research into this area. Home security has a strong product focus with strong product-based advice. It needed OSSTMM 3 type research injected into it.

The biggest piece of misinformation in home security turned out to be that us non-criminal types can trust our gut and our reason to say what a criminal will do. Even criminals have a hard time saying what other criminals will do.

It's a fact. Yes, Vegas employed fraudsters to watch the floor for other fraudsters but there is no evidence that it really worked well. Actually, most casinos have moved to extensive database systems now and carefully track identities and behavioral pattern matching.

So there is no real evidence that crooks will read signs and beware of anything, choosing a neighbor's home over yours. If you apply the OSSTMM 3, you want to improve barriers to places of interaction, have controls which alert you and the crook before they can enter the home, reduce your visibility by closing all blinds and shutters, and keep your assets away from being quickly grabbed (or sitting on the street).

Physical security is hard. There is almost no limit to what physical separations can be built or overcome. Authentication systems like locks are fairly useless because to make them usable they have inherent flaws.

Cameras and the like are easy to hide from. Just the introduction of a lock into a door weakens it and not to mention if the frame can handle it. Additionally, the human factor makes it easy to get inside by exploiting trusts when the physical barriers are beyond breakable for the crook.

Most of all, nobody wants to make their home their prison with bars everywhere and living under their own surveillance system. This is why most home systems are so poorly created because it's by design to catch a low-hanging fruit which doesn't really exist anywhere but in our heads.

Combine that with the fact that most people who install the alarm systems have little idea what they're doing and you have real trouble. You can check your own alarm system to the following guidelines on how an alarm system should be installed at the Answers wiki.

Finally, the OSSTMM does state that "Eliminating the threat" is a form of security (separation). So that's good news to you gun owners. However, keep in mind that our research also shows a gun loses effectiveness to the point of adding to the homeowner's own danger when,

1. there is more than 1 person with keys to the home or lives in the home,

2. there is no alerting system,

3. the gun is locked away with trigger locks or in a cabinet, and

4. the location of the bedroom is also an entry point from the outside, and

5. the gun owner has insufficient gun handling training (and Die Hard a dozen times does not count as training).

Sometimes a can of pepper spray which is used to fumigate the space, like a hallway, between you and a thief, will not be noticeable until they stumble into it and start coughing and crying their heads off.

Pepper spray also can't be easily removed and needs time to dissipate unlike a sonic stun alarm which can be removed or destroyed. Either however will give you time to identify the person as a thief rather than a family member, time to unlock your gun, and time to choose whether or not you need to still use deadly force rather than just more spray while awaiting the police.

Just remember, there's a reason why soldiers, samurais, and ninjas wear body armor in the field because to eliminate the threat with a weapon you need to interact with the threat and that puts you in danger as well.

A bullet proof vest is nearly no good within the confines of a house because most are only helpful at more than 14 feet away and that doesn't count getting knocked off your feet or hit in the head. So the best answer is to be alerted early, stay protected behind a barrier, incapacitate or deter the trespasser, and get help as quickly as possible.

You can get the full document called the Home Security Vacation Guide at the ISECOM website. Since it's open source, we are always happy to have your input for making the checklist even better.

By the way, for those who have other "feelings" about the research and ideas within the post, I recommend you watch for my next post on why Humans are bad at Trust and why we can't trust our gut feelings.

Possibly Related Articles:
14152
Security Awareness
Security Awareness Physical Security OSSTMM
Post Rating I Like this!
314f19f082e69886c20e31c70fe6dceb
Rod MacPherson Pete, I toally agree with your point of view. Alarm company signs only give the alarm companies free advertizing. I always thought that the main reason you see them is because it was part of the contract for the free or cheap alarm system that you advertise for them for a while.

Beware of dog signs, likewise, I have never understood. to me that just says "if you haven't thought of it yet, please bring treats for the dog before you rob us"

Lights on a timer aren't a bad idea, nor is the car one, but they need to be expanded on.

Park your car where you normally would. If that is in the street, so be it, if it's in the garage then that's the place to put it. Don't do things that are obviously out of the ordinary.

Put lights on a timer, but spend the money to get more than one timer and get the ones that can be programmed for different routines on different nights.

Most important though is have someone come to the house every night to water the plants, mow the lawn, take in the mail and newspapers, and MOST importantly hang out for a while watching the place and making it look like the place is occupied. A teenage son or daughter of a close friend will usually do this cheap. (make sure you know the kid well and trust them).

Mostly the beware of dog/alarm signs are suggested because it makes people FEEL better, but it is a false sense of security, like counting on just a threatening sounding /etc/issue file or Windows legal disclaimer to keep hackers out.
1280010857
314f19f082e69886c20e31c70fe6dceb
Rod MacPherson ,,, on the lights thing, better than a timer if you have a cat in the house would be motion sensors. They are cheap these days and the cat's random movements will make the light show more realistic.
1280010995
314f19f082e69886c20e31c70fe6dceb
Rod MacPherson An interesting story, when i was a teenager, I had my TV on a timer as an alarm to wake me up in hte morning. We were away on a trip and Mom's friend was taking care of the house. She was picking up the mail one morning and heard a noise downstairs... if you put a TV or radio on a timer let your house sitter know about it. :)
1280011162
1789975b05c7c71e14278df690cabf26
Pete Herzog Hi Rod, thanks for your comments. Some of the measures you mention, especially the cat one, are interesting. However, as far as the car is concerned, for many it is still their biggest asset. It's not uncommon for that to get loaded up with stuff from the owner's own home and driven away. Most people even leave their keys in the home, visible, to anyone who breaks in. My point is to remove opportunity to your assets- that's removing Visibility, Access, and Trusts. Which delves into another area you mentioned- house sitters. The less interaction with your home, the less chance that someone can make a mistake and leave a door unlocked or sensors unarmed. If it's the most trusted person in your life then you need to consider how you might be putting them in harm's way by being responsible for your home which may be already being watched for the next opportunity. It's a myth that thieves avoid homes because there is somebody home. There are Silent Burglaries which take place while people are watching tv in part of the house or sitting down to dinner. So to keep all your assets safe, including the people you love or trust, it's best to lock down the home, be sure interactions are accounted for, and leave it at rest until something happens in which case, that trusted person can react by calling the police, fire department, etc. But don't involve that person in the direct interaction of your home if you don't need them to be.

Some of this may go against what we feel is correct. I know that. However after applying OSSTMM 3 algorithms to these situations, I saw that there were things we do wrong because they feel right.
1280218624
314f19f082e69886c20e31c70fe6dceb
Rod MacPherson To me, yes the car is a big asset, but normally it is itself insured against theft. The loss of a car to theft in and of itself is not a devastating loss to most folks. If it is a valuable collectible car you probably keep it locked away all the time anyway, so again, no change to your normal habits is required. I'd suggest making sure nothing valuable is IN the car before leaving, but I wouldn't deliberately move the car to somewhere it is not kept normally.
1280230929
1789975b05c7c71e14278df690cabf26
Pete Herzog Your car serves as both another vehicle the thieves can fill with your stuff and another headache if you need to search for and buy another car, a matter of lost days or weeks to replace. Leaving it unmoved where it normally is will not deter thieves AT ALL. They are either opportunists who will steal what you have because they want it or they are careful and watching the house, including a car which hasn't moved or people who haven't come and gone. In a world where people have more than one car, friends they might ride with, or public transportation, a car parked out front or in a driveway is never an indicator that someone is home. Therefore it is an asset or at least a hassle to replace for most people. If it isn't then do as you wish. But leaving it there provides both visibility and access to an asset which is "insecure" by definition.
1280233783
314f19f082e69886c20e31c70fe6dceb
Rod MacPherson moving though advertizes that the home (where irreplaceable valuables (with sentimental value) are kept. I stand by my reasoning that YOUR car in the driveway (not a friend's or neighbor's car, as that too is out of the ordinary) makes it less obvious that something has changed. Moving your car to another location may save the car from being stolen, but it does not make the house (where the real valuables are) any safer, it only advertises that no-one is home. Or, at least that the driver of that car is not home.
Aditionally, it would be interesting to see statistics on how often a car is stolen as part of a home robbery. I would hazard a guess that it is a VERY low occurance rate. House theives and car theives are not usually the same people.

This certainly calls for more research.
1280235004
314f19f082e69886c20e31c70fe6dceb
Rod MacPherson Grr, some of my comment got cut off.

The basics of what I was saying are still there though. Moving the car advertises that the house is not occupied. Not all theives that break into houses are professionals who have the house under surveillance for extended periods. There are plenty who look for obvious targets and come by when they will be least noticed to do a smash and grab. You don't want your house to be in the obviously empty group.

Besides, I doubt you could tell by walking past my house on 2 different days if my car hadn't moved between the 2 times you saw it, or just that I parked it in the exact same place I always park it.
1280235461
1789975b05c7c71e14278df690cabf26
Pete Herzog Like any statistics, the chances of a car being stolen when the house thief finds the keys in the home during break-in will differ on the region and culture of the robbery. In rural Spain it's very common. It's less common in large cities, like Barcelona, where people either don't have cars or have them in private parking garages. So YMMV.

What I do propose is that having a car in front of your home or in its regular spot on the driveway does not deter a thief. It does not deter the kind who do silent break-ins while the family is home, it does not deter the kind who watch and study homes for the next hit, and it does not deter the violent kind who use force and tie up the family. Thieves work mainly on opportunity and should your home or car present in a way that befits the thief's need or want then they will strike. The car can then only add to the visibility but it will not detract from it. So whether or not your car moved over 2 days is not as interesting to the thief as, for example, the big flatscreen tv he sees through your living room window or the laptop you carry in to your home which provide Visibility and opportunity. Now, if you have a sweet car on top of that, and upon break-in, lo and behold, your keys on on the shelf by the door, you stand to lose another asset.

So all I'm saying is that the car does not detract but it can possibly add to Visibility, a key component of diminished security.
1280303077
314f19f082e69886c20e31c70fe6dceb
Rod MacPherson I think, if you take what I understand of your OSSTMM 3 approach, it makes the most sense to put the car away in a more defensible position all the time.
It is a shame that people, in North America at least, often have a garage attached to the house where their car would be safer, but they fill that with their least valuable items and leave the car outdoors exposed to weather and crime.
1280328995
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.