LPRC - Episode 17 – Asset Tracking & Cyber Security ft. Caston Thomas of InterWorks
Episode Date: January 5, 2019The post Episode 17 – Asset Tracking & Cyber Security ft. Caston Thomas of InterWorks appeared first on Loss Prevention Research Council....
Transcript
Discussion (0)
Hi, everyone. Welcome to Crime Science. In this podcast, we aim to explore the science of crime and the practical application of the science for loss prevention and asset protection practitioners, as well as other professionals.
Co-host Dr. Reid Hayes of the Loss Prevention Research Council and Tom Meehan of ControlTech discuss a wide range of topics with industry experts, thought leaders, solution providers, and many more.
In today's episode, Dr. Reid Hayes and Tom Meehan discuss different asset tracking methods and cybersecurity with Kasten Thomas of Interworks. We would like to thank
Bosch for making this episode possible. Use Bosch Camera's onboard intelligent video analytics to
quickly locate important recorded incidents or events. Bosch's forensic search saves you time
and money by searching through hours or days of video within minutes to find and collect video
evidence. Learn more about intelligent video analytics from Bosch in zones one through four of LPRC's zones of influence by visiting Bosch
online at boschsecurity.com. All right, well, welcome everybody to another episode of Crime
Science Podcast from the Loss Prevention Research Council. I'm Dr. Reed Hayes from the University of
Florida. And what we're going to do today is have a special guest that my colleague and friend Tom Meehan,
Vice President at Control Tech and longtime LP executive from Bloomingdale's and the Home Depot and others,
is going to introduce our special guest.
And I think you're going to find today we've got a lot of really interesting techie stuff for our listeners that we can use to prevent, but also to describe, understand, and most importantly, prevent crime events.
So, Tom, without further ado, if I could turn it over to you.
Yeah, great. Thank you, Reed.
exciting episode for me because it's some of the technology things that feel like they're way outside the reach of norm because they're futuristic, but most, if not all of them,
are applied today. So happy and honored to have Kasten Thomas join us. Kasten is known as the
Chuck Norris of cybersecurity. So Kasten, I'd ask, just give a brief overview of your history and how you came
up with being known as the Chuck Norris of cybersecurity. I know you're nationally recognized,
but I remember the first time I heard it, and it instantly made me more interested to listen.
Oh, yeah. I can't tell you the whole story because part of it involves bourbon in the late night. But essentially, we were having
a conversation after a conference and I was
telling war stories and some of my experiences
and just working with
clients, you know, the kinds of things that you talk about after a conference
and the guy goes, wow, it's like you're the Chuck Norris of cybersecurity. I went home that weekend and on a whim, I put it up on LinkedIn and all of a sudden I had people connecting to me going, you know, I just had to connect to you because I had to be connected to the Chuck Norris of cybersecurity. So it stuck.
And so here we are. Yeah, I can remember actually on a podcast hearing it come through and
remembering that resonated and stuck through and really went through. So before we get started,
I mean, we have a lot of interesting stuff to talk about. Our listing audience is mixed of retail asset protection professionals, law enforcement,
academia, retail strategists, and technologists. So to give the audience just a brief overview of,
you know, how you got to be where you are. Oh, goodness. It goes a long time back.
Oh, goodness. It goes a long time back. I got a degree in industrial engineering and used very little of that for the majority of my career until I started getting into asset tracking and patient flow tracking for hospitals. And because of that piece, a number of other industries I got involved with, like nuclear power plants, wanting to track equipment and improve loss prevention in that
area. Because if a container disappears, that could be potentially hundreds of thousands,
disappears that could be you know potentially hundreds of thousands maybe even million dollars in equipment that might be inside one of the containers
that they have at an off-site storage facility near the plant so that you know
it's just sitting there waiting for maintenance so I I have not had the
majority of my experience in retail but we can talk about some of my experiences there.
And then as we talk about what I refer to as the convergence of physical security and cybersecurity,
we are finding new attack plans and attack vectors related to using cybersecurity in relationship to
physical security problems I did work with a utility that back in the day when
the copper prices were so high they were having thieves use 18 wheelers with a small forklift attached to the back to break down the fence
in remote facilities where they were storing large coils of copper so that was readily available for
their maintenance and their disaster recovery teams they would just ram the fence and be gone. So something as simple as getting cameras activated with other kinds of alert sensors
and that kind of thing became very important.
But the problem in the remote facilities was there was no way to get a network to them. So as cellular technology became more economical,
we were able to get at the front end of that
and get security cameras out in those facilities
so that we could catch the bad guys
or advance on getting law enforcement dispatched to the area
to catch them in the act.
Because in that kind of thing, it was like a smash and grab.
Ten minutes, they're inside the facility, and they're gone.
So it's these kinds of ways, and cameras are just one example of where the technology that's needed,
and not just technology, but making that technology economical and reliable is absolutely key because those are the things that we come to depend on once they get deployed.
can actually write about the narrowing gap between cyber crime and organized retail crime. And actually, there's a little bit of a selfless bug here, but I'll be releasing an article soon that
talks about the similarities between physical security and cybersecurity. And for the listeners,
that was not planned. We never spoke of that before. So it just shows how the folks in the
cyber field are really linking up to traditional physical security methods. I'm really interested in some of the things that you're doing with asset
tracking in retail, RFID in a passive, a passive sense.
So a passive RFID has been around, you know, for more than 20 years,
but what have you seen with cellular related to RFID or more active
tracking? Also, I know that you're,
you're familiar with some ultrasonic
tracking and infrared. I think our listeners would really appreciate it because I think the
bulk of them are used to the traditional passive applications. Sure. And those passive applications
are typically oriented around detecting movement of people or equipment or or other assets based on
entry into or leaving an egress or ingress point what comes available with very economical cell
phone technology not having a phone itself but a very small device with a Anybody who's dealt with AT&T or Verizon or Sprint has had to deal with that little SIM card that goes in there
So it's becoming very economical
on a contracting basis to do large
deployments of
the Internet of Things type of devices that have a very low ongoing cost to be
able to put that chip in and within that be able to do very high-grade GPS tracking. So when you
think about tracking a device or a person or even a vehicle those are the
two kinds of tracking either that real-time tracking where you have a
degree of accuracy and a degree of error in knowing where something's located no
matter where it is and the other piece of it along the lines of RFID is when it goes out the door, the alarms can start going off or you can trigger a camera to videota you can do things like when an event occurs,
or I call it a triggering event, when that triggering event occurs,
you can have these engines that will take that alert from the RFID or the cellular GPS
or even Wi-Fi tracking to give you an approximate location or an exact choke
point where an event has occurred and start the cameras rolling or send an
alert to a guard who can then be dispatched into that area and depending
on the granularity with which you have that location let's say you have a nine ten doors going out properly implemented you can
actually identify exactly where that person was when they were leaving a facility and which door
they went out to very narrowly identify the culprit if you will so those are some of the key pieces and
then when we start getting into infrared because as everybody knows well not
everybody knows but using RFID that can be circumvented quite easily with just a
small piece of aluminum foil so using, we've got other ways to do detection.
And depending on the implementation of RFID emitters, then that can actually go through
multiple layers of clothing. It can go through quite literally as we've done that kind of tracking of things like infusion pumps
in hospitals, our testing has shown that it can actually go through 15 to 20 hospital-grade
blankets.
So infrared is a different type of technology that can be used for the proper use cases
and do that.
We've got other things that are coming out,
and I think this is actually being implemented in some retail establishments on a large scale,
and that is using RFID or Bluetooth inserts into the lighting fixtures that are going in.
And so this whole world of the Internet of Things makes more things connected and gives
us more intelligence that we can leverage off of because RFID sometimes goes in for loss control purposes, but sometimes
it's going in for other purposes for being able to track items as they come into or go
out of the store.
So if we can piggyback off of those other investments that are happening, then we've
got an advantage.
Wi-Fi tracking as an example
there's a great use case working with a bank that in prototype what the concept
is is that if there's a bank robbery and bank robberies often come in clusters in
an area because it's the same culprit.
If you're able to build a digital fingerprint of an individual based on the Fitbit watch that they're using and a tablet that they might be carrying or the phone,
that phone gives out a digital fingerprint of the 3g 4g soon to be 5g signals the bluetooth
signal the wi-fi those two channels so if in picking up any of those identifiers of that device
and simply by having wi-fi turned on a device we can detect its presence
and its unique address and register that and so what the bank said was you know
what if we can create that digital fingerprint of everyone who was in the
bank or in the area of the bank when a robbery occurred if that fingerprint shows up at another
bank then we can put the tellers on alert do a lockdown of the facility as a precautionary basis
so that we're ready for that bad event should it occur now there are always concerns about privacy, but if we're not linking the identity of that person into the detection of their physical addresses that exist on those phones, those unique identifiers,
then we aren't doing anything wrong from the standpoint of improperly infringing on a person's privacy.
properly infringing on a person's privacy. But very often from a customer satisfaction standpoint or a customer service standpoint,
those folks are using this information with the customer having opted in to provide an
identity.
So being able to use that in doing a forensics investigation of what occurred around an event,
that can be a tremendous asset to law enforcement and to loss control in order to identifying witnesses, eliminating suspects, and so on.
Does that make sense?
Absolutely.
so on. Does that make sense? Absolutely and I think I have a couple more questions related to asset tracking but I think a couple of things you mentioned really resonate directly with the folks
that are members of the loss prevention research council. So our listener base is broad but our
members comprised of retailers and solution providers and some law enforcement members as well, use our innovation lab concept.
And in our lab today, we actually do have a technology that uses MAC address
or other newer technologies to identify a wireless device.
And so that's something that the Law Firm Research Council does.
And a lot of the things that you're talking about, the podcast is kind of an extension of the research projects that we're working on.
And I want to get your opinion and feedback on that soon.
But before I do, I had a question about ultrasonic tracking, because I don't think, you know, a lot of the folks have heard a lot about that.
My first experience when it was really directly related to ultrasonic beacons and really was not tracking as much as delivering
marketing information. So what are you seeing in the realm of ultrasonic tracking and where do you
see it applied and how it could be applied in retail? In retail, I'm not so sure. In hospitals,
there are certain environments where radio frequencies don't penetrate well.
If you've got a huge MRI system with magnets and such, you're not going to get good Wi-Fi coverage.
You're not going to get good cell coverage, especially when they're putting lead in the walls because of X-ray or other kinds of emissions.
So it's in those areas where I think that ultrasonic is the most effective.
But there are some applications using ultrasonic.
I can't remember the name of the manufacturer, but they were, when I heard about them about
a year and a half ago, were using ultrasonic communications and location tracking for venues and stadiums
and casinos. So there may be some applicability in that regard, but it's by no means anything
that I've looked at recently, and I would feel bad if I started speaking about that without the authority that I should come to the table with.
But offline, I can do a little bit of research and give you something that you can put in your show notes, and I'd be happy to do that.
That would be great.
Yeah, absolutely.
And I guess I only have a couple more questions, but these are the more, what I'd say are the interesting and exciting from a listener base.
Cassidy, I don't think a lot of people have even heard the term RFID dust.
You know, I think even ultrasonic would be something where some of the more techie guys would know about but not really dig into.
But what can you tell the listeners about RFID dust and how it's being used today and what conceptually it
means? Well, interestingly enough, a good friend of mine in the DC area actually holds one of the
original patents on that concept of RFID dust. And the initial implementations did not
astound and perform within the level of expectation, but that goes back 10 years.
But the idea of RFID dust is that in the application for intelligence and military data,
the intent and what they did do in some of their prototype systems was literally sprinkle dust size
RFID chips into documents and onto the floor of heavily secured points and as something was alerted based on those
alarms going off of something that's going out the door that shouldn't have
they would be able to actually see based on on the bottoms of the shoes of the
folks where they had been and they were able to
actually document and track where they had been and detect that they had
actually been in the area or if they had a cohort that they were working along
with they may not have had access to the secure area but in a sense they were the
mule who was supposed to
take it out. So there was a lot of forensic evidence based upon that. And as I understand
it at the time, the problem that they had were the number of false positives and not having
the analytical power in order to diagnose and come up with conclusive evidence.
But what we're finding very, very rapidly, particularly over the last few years, is that
the computing power and the algorithms for doing very, very advanced analytics and artificial
intelligence working with that concept of RFID dust or whatever that next evolution of that
would look like can be a very, very powerful tool. That's an interesting stuff. And I always think
about, you know, 10 years is not a long time, but it is a long time. And I see the potential
applications for it in every environment. It's just one of those things of timing.
And you mentioned artificial intelligence, and in every industry today,
data has evolved dramatically, and the capabilities from a software standpoint,
from a hardware standpoint, are far and above even what they were,
I would say, two years ago.
What are you seeing today related to asset tracking and artificial intelligence
in the real world in an applied environment? What are you seeing?
Well, in the cybersecurity world, there's this thing called UEBA. And what that stands for
is user and entity behavioral analytics. And applying machine learning and artificial intelligence to
movement or behavior one of the things that well the primary thing that is most natural to the
artificial intelligence and machine learning algorithms that are out today
is the idea of pattern recognition and And common behavior of people, movements,
where they go, what they're doing,
those are just patterns.
And so the ability to apply these new intelligence
applications and algorithms to movement or behavior
is the low dangling fruit of applying those algorithms. You're
seeing credit card companies use that for credit card fraud. I actually traveled across Canada
from Michigan into New York State, stopped for a coffee, and my credit card wouldn't pass.
and my credit card wouldn't pass.
And the reason was is that according to the algorithms, there's no way that I could have traveled that far and used my credit card
in one side of the United States to another.
I followed that a little bit, and I believe that what happened,
based on the credit card becoming active a couple of hours later, was that they hadn't factored in travel anywhere other than the United States and their algorithm.
So now I've done the same thing a couple of times and didn't have a problem with that credit card.
So the data is only as – or the outcomes are only as good as the data that you put in and what the algorithms are known for, but I'd much rather have that working with a couple of flaws that momentarily cut off my credit card as opposed to having a major loss or identity theft.
that same kind of thing to customer movement within a retail facility or perhaps identifying behaviors of being able to map the movement of a person
within a facility multiple times without making a purchase the way that a
grandfather is just following his grandkids and his daughter through the store
but never making a purchase would be different than the common pattern of someone who's
casing the joint, if you will. So as we identify those patterns of behavior,
and again, that comes back to the forensic information that's very often contained in
the logs and the systems that the IT people are tracking.
They have retention policies on every MAC address, every Wi-Fi identifier that comes
in proximity of that store.
That's held in a log somewhere for some period of time.
So what we're finding is more and more of a collaboration
between the physical security and loss control folks and the IT leadership.
And as the bad guys continue to learn how to circumvent systems and use the IT systems and the data that's there, along with the physical security parameters, we need to be diligent and proactive in collaborating on the defense side, just like the bad guys are doing to collaborate.
And it doesn't have to be any of the whiz-bang stuff we're talking about.
It could be as simple as, as a matter of fact, a couple of weeks ago,
and I can't obviously give too much information, but I'm working with a retailer.
They're pretty sizable.
They've got between 500 and 1,000 locations.
They're pretty sizable. They've got between 500 and 1,000 locations.
One of their administrators of their CCTV system was going on vacation, and their home system was hacked into.
It was what's called a phishing attack.
They got an email and clicked on something they shouldn't have.
Not a highly technical and information technology
security professional so I clicked on the wrong thing at home provided the
password and the credentials that they used to remotely access the corporate
CCTV system and knowing the schedule and looking at the other things in their their computer they were able to
access the system using his credentials lock everyone else out and then shut down
the camera system throughout all of the facilities knowing that he was gone and was going to be gone for two weeks. So it's these simple kinds of hacks that can have very, very bad impact on our organization.
And what we're pretty sure happened wasn't that someone specifically targeted that individual,
but through the investigation that whoever accessed his computer found out what the roles and responsibilities and other things about the individual they were able to publish
that information and sell that information on the dark web and someone
purchased that and did whatever they did now I'm not close enough to the
situation to know if there were any loss control or other types of problems
and why or any of the outcomes of why that was done.
It may have just been malicious and fun, but there's certainly a possibility that some
physical crime was committed in concert with that. But again, I don't know that. That would
just be speculation that it was certainly a possibility. And that's a great, I mean,
that story obviously directly relates to the folks that are probably the biggest listening base.
Captain, I wanted to personally thank you. I really appreciate your time for joining,
and I'm going to turn it up, turn it over to Reed for some last words.
No, and I, I do want to thank you and thank Tom for inviting you on, uh, Crime Science,
the podcast today. And, um, you know, uh, again, our, our, uh, practitioners are dealing with,
uh, just an incredible and growing array of theft, of fraud and violence, uh, issues.
array of theft, of fraud, and violence issues. And so any and everything we can do to more quickly recognize something's getting ready to happen or has, and more rapidly and accurately define
what this is and who all's involved and where they are and where they're headed.
And then, of course, for forensic purposes to document and link and incapacitate these high-rate,
high-impact offenders that are victimizing everybody the better.
And we really appreciate your technical expertise.
We need to understand better bio and digital signatures and how to find them and how to
make best use of them.
We're not here to violate anybody's privacy other than the victimizers,
the offenders themselves, for that. So I want to also thank you for participating today.
And Tom, again, thank you. I want to thank our producer, Kevin Tran, and so from Gainesville,
Florida, and from the Loss Prevention Research Council, and myself from the University of Florida, I want to thank everybody for listening.
And we look forward to getting back together with some new segments that are coming up soon.
Thanks for everybody.
Have a great one.
Thanks for listening to the Crime Science Podcast presented by the Loss Prevention Research Council and sponsored by Bosch Security.
If you enjoyed today's episode, you can find more crime science episodes and valuable information at lpresearch.org. The content provided in the Crime Science Podcast is for
informational purposes only and is not a substitute for legal, financial, or other advice. Views
expressed by guests of the Crime Science Podcast are those of the authors and do not reflect the
opinions or positions of the LF's Prevention Research Council.