Quirino Grandstand Hostage: Ten things the Philippines bus siege police got wrong

August 25, 2010

While searching for articles about the shootout/hostage that took place yesterday I saw this one from bbc.co.uk that summarizes all that went wrong to our PNP procedures… specifically MPD. According to what I heard it started by 8 am in the morning while I’m still in the office and got televised by 10am while I’m in the gym. I didn’t saw any news flash when I got home by 2pm not until 8pm in the evening when I woke up with our tv volume up by 50+ and shots fired everywhere..

So here it is.

A security analyst who has worked in counter-terrorism with the British Army and Scotland Yard, Charles Shoebridge, says the officers involved in Manila’s bus siege showed great courage - but they were not properly trained or equipped for the task.

Here are 10 areas where, in his view, they could have done better.

1. Determination

Philippine police end Manila bus hijack

The first officers who tried to storm the bus were driven out by gunshots from the hostage taker, former policeman Rolando Mendoza. “They showed great courage to go on board. It’s very crowded, just one aisle down the middle of the bus. But once you get on board it’s not unexpected you are going to be fired at. Squads like this have to be made up of very special people, specially trained and selected for their characteristics of courage, determination and aggression. In this case they acted as 99% of the population would have, which was to turn round and get out. They didn’t seem to have the necessary determination and aggression to follow the attack through.”

2. Lack of equipment

The police spent a long time smashing the windows of the bus, whereas explosive charges (known as frame charges) would have knocked in windows and doors instantly. “They had no ladders to get through the windows. They smashed the windows but didn’t know what to do next,” Mr Shoebridge says. “They almost looked like a group of vandals.” Their firearms were also inappropriate - some had pistols, some had assault rifles. Ideally they would have carried a short submachine gun, suitable for use in confined spaces.

3. Lost opportunity to disarm the gunman

Mendoza’s gun was not always raised

There were numerous opportunities to restrain the gunman, Mr Shoebridge believes. “The negotiators were so close to him, and he had his weapon hanging down by his side. He could have been disabled without having to kill him.”

4. Lost opportunity to shoot the gunman

The video of the drama also shows there were occasions when the gunman was standing alone, during the course of the day, and could have been shot by a sharpshooter. “You are dealing with an unpredictable and irrational individual. The rule should be that if in the course of negotiations an opportunity arises to end the situation decisively, it should be taken,” Mr Shoebridge says. Either this possibility did not occur to the officers in charge, he adds, or they considered it and decided to carry on talking.

5. Satisfying the gunman’s demands

“I wondered why the authorities just didn’t give in to all of his demands,” says Charles Shoebridge. “A promise extracted under force is not a promise that you are required to honour. Nobody wants to give in to the demands of terrorists, but in a situation like this, which did not involve a terrorist group, or release of prisoners, they could have just accepted his demands. He could be reinstated in the police - and then be immediately put in prison for life for hostage taking.” The Philippines authorities did in fact give in to the gunman’s demands, but too little, too late. One message promised to review his case, while he wanted it formally dismissed. A second message reinstating him as a police offer only arrived after the shooting had started.

6. Televised proceedings

The gunman was able to follow events on television, revealing to him everything that was going on around him. This was a “crucial defect in the police handling”, Mr Shoebridge says. He adds that police should always consider putting a barrier or screen around the area, to shield the scene from the cameras and keep the hostage taker in the dark.

7. No element of surprise

It was clear to the gunman what the police were doing at all times, not only because the whole incident was televised, but also because they moved “laboriously slowly”, Mr Shoebridge says. The police did not distract him, so were unable to exploit the “crucial element of surprise”.

8. Safeguarding the public

This boy, a bystander, was hit by a stray bullet

At least one bystander was shot, possibly because the public was allowed too close. The bullet from an M16 rifle, as carried by the gunman, can travel for about a mile, so preventing any risk of injury would have been difficult, Mr Shoebridge says, but a lot more could have been done. “When you saw the camera view from above, it was clear there was little command and control of the public on the ground,” he says.

9. Using the gunman’s brother to negotiate

Relatives and close friends can be a double-edged sword, Mr Shoebridge says. While they may have leverage over the hostage taker, what they are saying cannot be easily controlled. In this case, the gunman’s brother was included in the negotiations - however, at a certain stage he became agitated and police started to remove him from the scene. The gunman saw this on television, and became agitated himself. According to one report he fired a warning shot.

10. Insufficient training

In some parts of the Philippines, such as Mindanao, hostage taking is not an uncommon occurrence, so the country has some forces that are well trained in the necessary tactics. The detachment involved in Monday’s incident clearly was not, says Mr Shoebridge. After smashing the windows, one of the officers eventually put some CS gas inside, though “to what effect was not clear” he says. A unit involved in this work, needs to be “trained again and again, repeatedly practising precisely this kind of scenario,” he says.

Source: http://www.bbc.co.uk

AV vendors detect on average 19% of malware attacks

August 6, 2010

Traditional AV vendors continue to lag behind online criminals when it comes to detecting and protecting against new and quickly evolving threats on the Internet, according to a report by Cyveillance.

Testing shows that even the most popular AV signature-based solutions detect on average less than 19% of malware threats. That detection rate increases only to 61.7% after 30 days.

  (Click the pic to enlarge.)

 

 “Even after 30 days, many AV vendors cannot detect known attacks, making it critical for enterprises to take a more proactive approach to online security in order to minimize the potential for infection,” said Panos Anastassiadis, COO of Cyveillance.

Cyveillance tested thirteen popular AV solutions to determine their detection rate over a 30 day period and found that popular solutions only detect an average of 18.9% of new malware attacks. By day eight, AV solutions average a 45.7% detection rate. This rises to 56.6% on day 15, 60.3% by day 22, and 61.7% after 30 days.

    (Click the pic to enlarge.)

 Top AV solutions take an average of 11.6 days to catch up to new malware. Since this does not include malware signatures undetected even after 30 days, users should not rely on the AV industry as their only line of defense.

All figures and statistics in the Cyveillance report (registration required) are actual measurements rather than projections based upon sample datasets, unless otherwise noted.

The data used for this study were collected and analyzed between April 20, 2010 and April 22, 2010, resulting in an overall total data set of approximately 1,708 confirmed malware files. The files were then run through the latest release of the top desktop AV solutions upon initial detection and again every six hours for one month to determine their detection and lag rates.

Source: Net-Security

How can I know if my computer is infected? 10 signs of infection

Malware technology is fast evolving nowadays. Good thing that PandaLabs has produced a simple guide to the 10 most common symptoms of infection, to help all users find out if their systems are at risk:

1. My computer speaks to me. There are all types of pop-ups and messages on the desktop either advertising things, saying that the PC is infected and needs protection… This is a typical, surefire case of an infection. There is either spyware on the computer, or it has been infected by a fake antivirus (also called “rogueware”).

2. My computer is running extremely slowly. This could be a symptom of many things, including infection by a virus. If it has been infected by a virus, worm or Trojan, among other things, which are running on the computer, they could be running tasks that consume a lot of resources, making the system run more slowly than usual.

—You can view your running apps in the Task manager (CTRL+ALT+DEL) and look for any suspicious apps that is running.

3. Applications won’t start. How many times have you tried to run an application from the start menu or desktop and nothing happens? Sometimes another program might even run. As in the previous case, this could be another type of problem, but at the very least it’s a symptom that tells you that something is wrong.

4. I cannot connect to the Internet or it runs very slowly. Loss of Internet communication is another common symptom of infection, although it could also be due to a problem with your service provider or router. You might also have a connection that runs much more slowly than usual. If you have been infected, the malware could be connecting to a URL or opening separate connection sessions, thereby reducing your available bandwidth or making it practically impossible to use the Internet.

5. When I connect to the Internet, all types of windows open or the browser displays pages I have not requested. This is another certain sign of infection. Many threats are designed to redirect traffic to certain websites against the user’s will, and can even spoof Web pages, making you think you are on a legitimate site when really you have been taken to a malicious imitation.

6. Where have my files gone? Hopefully nobody will be asking this type of question, although there are still some threats around designed to delete or encrypt information, to move documents from one place to another- If you find yourself in this situation, you really ought to start worrying.

7. My antivirus has disappeared, my firewall is disabled. Another typical characteristic of many threats is that they disable security systems installed on computers. Perhaps if one thing shuts down it might just be a specific software failure; but if all your security components are disabled, you are almost certainly infected.

8.My computer is speaking a strange language. If the language of certain applications changes, the screen appears back-to-front, strange insects start ‘eating’ the desktop… you might just have an infected system.

9. Library files for running games, programs, etc. have disappeared from my computer. Once again, this could be a sign of infection, although it could also be down to incomplete or incorrect installation of programs.

10. My computer has gone mad… literally. If the computer starts acting on its own, you suddenly find your system has been sending emails without your knowledge, Internet sessions or applications open sporadically on their own - your system could be compromised by malware.

–No task manager or regedit… definitely ! lol

Hope this helps!