Chapter 10 Vehicle Surveillance

How Easy Is Vehicle Surveillance?

Whether I’m on my way into a client building I intend to break into, or just strolling around, I notice vehicles. I’m not like a car nut who enjoys interesting, old, or exotic cars, but I get a certain (odd) thrill out of building a profile of the driver by looking at their car. No-tech hackers are really good at this, and in this chapter, I’ll give you an idea of what they look for. Check out the next photo. What can you tell me about the driver?

Ok, I’ll admit—we’re starting easy. Besides the bristling antennas poking out of every panel and window, there’s a metal plate (shown below) that spells out exactly what kind of vehicle this is, and what line of work the driver’s in.

If you guessed that the car was an “undercover” or “unmarked” police car, you’re right, and you might just have a knack for vehicle surveillance. Taking the next logic jump, it’s safe to assume the driver’s either a police officer or he just jacked an officer’s ride.

Let’s take a look at another one. What can you tell me about the driver of the vehicle shown in the next photo?

The tag reads “U.S. Government” and “For Official Use Only.” If you guessed government employee, congratulations—you’re on a real tear. Keep it up. Let’s look at another example. Check out the next photo. It’s more obvious what the driver of this vehicle does for a living, but what would a no-tech hacker consider doing with this information?

When I first saw this van, I thought social engineering. With the right shirt, sporting the right logo, I could be the “Acme” Bank Security & Vault Services guy, ready to work on this company’s safes, vaults, pneumatic systems or alarm systems (not that a hacker would be at all interested in those things). Let’s try another exercise. Take a look at the next photo.

Most normal people would just see a crowded parking lot. A soccer mom would know right away that this was the parking lot of a Kohl’s department store and they would hang an immediate left, drawn in by the “biggest sale of the season” which just so happens to run every other week. A book weenie (like me) would recognize the Barnes and Noble bookstore across the parking lot. A no-tech hacker would immediately think “fed”—slang for federal agent, a term used to identify federal government employees. How would he realize this? Can you tell from the above photo? If you can’t quite tell, take a look at the next photo, which highlights the “fed’s” vehicle.

Stepping closer, a no-tech hacker would realize that the dark car was indeed owned by a government employee, and he or she would also know approximately where that employee reported for work. All of this information and more can be gleaned from the vehicle permit stuck on the window, like the one shown below.

These stickers are everywhere, especially in areas that maintain a large military or government presence, such as military bases and government-owned business corridors. Many installations also use color-coded permits, like the ones shown in the next photo.

The colors (or shades of gray, thanks to the spectrally challenged nature of black and white printing) of these permits are significant, as they reveal the employee’s status and/or rank. In some cases, the rank is more predominantly displayed, as the next photo shows.

In this particular case, a quick Google search reveals that the owner of the vehicle is Chief Master Sergeant in the U.S. Air Force.

Some stickers just make me chuckle, like the one below.

It’s not so much the sticker that’s funny, it’s that acronym—IHDIVNAVSURFWAR CEN. That’s got to be one of the longest acronyms I’ve ever seen in real life. I was tempted to follow this car so I could find out exactly what a “surf war” looked like. It would certainly give new meaning to “shooting the curl.” Government employees aren’t the only ones eyeballed by no-tech hackers. A quick glance at the Volvo in the next photo reveals either where the owner works or lives. Can you tell how?

The answer lies not in the license plate or VIN number of the vehicle, but rather in the window sticker, shown below.

Photo courtesy Garland Glessner

Oil change stickers like this one seem pretty innocuous, but a no-tech hacker can use simple deduction to realize that the address is probably close to where the owner works or lives. If the vehicle is parked in a work parking lot, and the address isn’t local, it probably is near their home. Most people won’t get an oil change somewhere that’s out of the way of their normal commute.

In some cases, it’s easy to get a history of a driver by looking at their vehicle. Judging from the next photo, can you tell me what city the driver lives in, what part of that city, and approximately how long they have lived there?

Photo courtesy Garland Glessner

The city is easy to figure out—it’s spelled out on the parking permit. Guessing how long he or she has lived in San Francisco is pretty straightforward, considering the first parking permit expired in July of 2000. Figuring out where the driver lives in San Francisco take a bit of creativity. However, Google is a no-tech hacker’s friend. A quick search for San Francisco residential parking permit map leads us to a handy PDF map, a portion of which is shown below.

The map clearly labels where, exactly, the permit is valid, pointing us to the approximate area where the driver lives. The next photo is quite similar, and can be used to deduce the same information, but in this case, a no-tech hacker can also determine where the driver lived previously and when they moved. Can you?

Photo courtesy Garland Glessner

Judging from the dates on the parking permits, the driver moved from San Francisco residential permit area “A” to residential permit area “C” sometime between February and June of 2004. Using the map we Googled above, we can get a good idea of exactly where both residential permit areas are in San Francisco.

So far we’ve only looked at the exterior of the vehicle. Although there are many other things we could use to deduce information using only exterior clues, some of the best stuff is often sitting inside a vehicle in plain site of anyone passing by–like the receipt in the next photo. Although I had to fiddle with the zoom on my crappy camera to capture the document instead of the raindrops on the window, I think the photo came out quite nicely.

This receipt lists a doctor’s name, address and phone number, the patient’s (presumably the driver’s) name and insurance company, a list of services performed on that particular date, and what the charges were for those services. Most people guard their medical information very closely, but I’m constantly surprised by how often I see information like this out in the open.

The one thing more important than medical data to most people (and most identity thieves) is financial data. I captured this photo in an employee parking lot. The document belongs to a senior level executive.

As you can see, it reveals the employee’s name, benefit information, net and gross pay, tax information and more. The most valuable piece of information, in my opinion, is the revelation of the last four digits of the employee’s social security number, which is used as a security question by most automated identity verification systems. Armed with this information, I could easily establish credit in this person’s name or steal their identity completely.

Of course, I tend to get all worked up when I catch information like this out in the open, but as the next photo reminds me, some people just don’t care about protecting their privacy. That is exactly why identity theft will continue to be a thriving criminal business.

I can’t resist, so here goes the bad pun—“It pays to Discover.” The digits from this credit card could easily be used to make purchases from any vendor that doesn’t abide by rather strict credit card screening procedures, and many of them do not. If you’ve got your medical records, bank statement or credit cards sitting on your front seat, there’s a good chance a no-tech hacker will have seen it before you get around to removing it. As I’ve said in other chapters, the key to protecting yourself is to remain vigilant, and try to see life through the eyes of a no-tech hacker. Check out the Epilogue for more good advice.