Schneier on Security
A blog covering security and security technology.
« Dead on the No-Fly List |
| Natural Language Shellcode »
March 24, 2010
Some movie-plot attacks actually happen:
They never touched the floor—that would have set off an alarm.
They didn't appear on store security cameras. They cut a hole in the roof and came in at a spot where the cameras were obscured by advertising banners.
And they left with some $26,000 in laptop computers, departing the same way they came in—down a 3-inch gas pipe that runs from the roof to the ground outside the store.
EDITED TO ADD (4/13): Similar heists.
Posted on March 24, 2010 at 1:51 PM
• 47 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
I wonder if this is actually how it happend. I hope so, just for the cool Mission Impossible issue!
On a more serious note, I presume that this will have had to involve serious insider knowledge or lots of casing the joint visits....
Seems like a lot of efforts for 26 000$ worth of laptops which will probably sell for half of that price on the street...
I was wondering why they went to all this trouble for so little payoff, and they I saw a story about a subsequetn theft of $75M of drugs through the roof of an Eli Lilly warehouse.
So, perhaps the Best Buy hit was a practice run.
I agree. They didn't get much really. Some computers. Perhaps the computers can be tracked at some point if they are sold and their serial numbers are left intact. The only way to try and get them now is to find out who cased the place. Someone is going to be watching a lot of boring security footage....
Sounds like a reasonably proficient burglary making use of inside job. Pros would have passed on it for a bigger score (or they were disappointed in the take). We had a similar burglary once where the perps come in through the roof on knotted bed sheets and left the same way with several kilobucks worth of DRAM modules (back when 1 meg modules cost $600 a pop). They came in and left via the roof because they knew access controls and cameras would detect and record their exit. We learned all this after the fact because one of perpetrators was a former temp who still had his hand drawn map of the premises in his wallet when arrested on a different beef several _months_ later. The high tech crime unit told us bedsheets were used instead of rope because a couple sets of sheets in a Mervin's bag don't look like burglar tools in the event the crew gets stopped on the way to the job. Aah, good times...
1) I wonder who at Best Buy will be on the hot seat for this, even though any countermeasures would likely have cost far more than the $26,000 lost.
2) How much of a payoff really depends on who took them. Even if they sell them at only half price, $13,000 is quite a bit for a days work, especially for someone low on the economic todum pole.
According to some, those cameras will be of no use.
Why do I have the start of "Sneakers" running through my head -- The thief is going to return with a bag full of equipment and say something to the effect of: "I decided I didn't want these any more."
BTW: I could really see this as getting a boatload of machines that can be used in a "cloud" setup to do some serious data mining or Internet attacks.
"Pros would have passed on it for a bigger score (or they were disappointed in the take)."
Yeah, that's what I was thinking. Real pros would have taken the delivery truck while it was in transit.
This sounds more like some competent employees (current or former). And the problem with that is that it makes it easier to narrow the suspects.
Who decided where to hang the banners or who moved them last?
I think the Dubai incident spoiled me! I was sad to see there was no video online.
Sorry, my first sentence should have read "Sounds like a reasonably proficient burglary making use of inside information."
A reasonable preventative against such attacks need not cost a bazillion dollars, especially if deployed during routine PMs of BB's security systems and physical plant, but they should know that already.
Wasn't this just a plot device from "Chuck"? This must just be an elaborate way to advertise for that show.
Yes, I believe that is the correct interpretation.
huh? There's a 3-inch *gas* pipe on the outside of the building?
Lucky it didn't break, eh? If it had then (a) there could have been a quite pretty explosion and fire, and (b) any surviving perps would now be suing the store for endangering them...
Darn. Any minute now the TSA will rush in emergency regulations to search my luggage for 3 inch pipe. No chance of me getting that spare bit of plumbing home on the plane.
Interesting - it does seem like a lot of work for $26k tops though. I'd imagine the serial numbers etc. are recorded, so you'd need to be fairly careful when selling them on as well.
One thing to note is that you can only rappel (abseil to Europeans) down. To get back up, you can climb the rope (most men don't have the strength or skill to climb a thick hemp rope, never mind a thin climbing rope) or uses ascenders - a real pain nonetheless.
How did they cut the hole in the roof? If it was a 100% metal roof, I'd bet drill a hole and then use a nibbler to cut an aperture. Much quieter, though slower, than using a petrol powered angle grinder. If it had plastic skylights, I'd remove one of these.
The engadget story is interesting as well - it mentions they stole the store safe through the roof. I've got my own safe, insurance rated for £6k in cash. It's bolted down with 6 bolts, 4 into the wall and two into the floor. There is no way you could move this thing, and even if you could, it weighs about 100kg - really quite hard to haul out of a roof. Would a store have a safe any worse than this?
To those thinking the heist was too small, too much work, etc, the payoff versus the risk and work was very nice imho. They just had to do presumably a few hours of risky work, way less than the local, bottom-feeder drug dealer who scores less than 10% of that in a month. They made anywhere from a few grand to over $20k if they eBay fence it, which is nice pay for one night's work. Also, the planning involved & night cover kept the risk very low, meaning even pro's might do this while looking for a better heist.
There's one other thing to consider: notoriety. Many thugs do this stuff for both money and the thrill, and some do it for thrill alone. Back in my high school days, one group of students broke through the glass roof one day, rappelled down to the floor, and grabbed a trophy everyone had joked about stealing for years. They were only busted because one used the story to get laid. (LOL). They returned the trophy anonymously before that & only motivation was the thrill of doing it.
So, the scenario: Big T is all about thrills, nice cars, easy girls, and easy money. He usually steals credit cards or hits cash registers if particularly desperate. He wants a better score than he's been getting: a few hundred dollars for well-planned, risky work. The geek on the crew's got a plan to bust into Best Buy through the roof, snatch a bunch of shit, make bank, and book it before the store knows what hit him. He said the cameras & high tech bling aint no bang. Payoff supposed to be 26 large. The question is, "Is Big T up for having a good time?"
The problem is what they stole isn't easily "laundered". The serial numbers can be tracked. Considering it's an apple laptop, you'll likely to be using the automatic update. If apple has the serial numbers, they can track who's updating their software (or perhaps even using it since when OS X starts you likely register and it might connect to apple). You get the IP number, get that person's information, talk to them and where they got the computer and nab the guys that stole them. Too much trail as opposed to jewlery or something like that (even more regular computers have less capability to be tracked). I don't know if the serial feature is used or disabled.
On the other hand it is considerably less effort than trying to buy a computer at Bestbuy.
I don't want to pick it up in three days when you have 'installed' it.
I don't want to pay $80 for you install a bunch of nagware.
I don't want to pay $300 for an extended warranty on a $400 laptop.
They used the external 3 inch gas main as hand holds, as they scaled the outside of the building.
Boot prints were found adjacent to the pipe.
I'm conflicted. Half of me hopes they go on to greater things, because they have skill and style. The more traditional half of me hopes they get caught because they're crooks.
I know - I hope they nearly get away with some elaborate heist, but get caught because an alert security guard notices some tiny detail which is 'wrong'.
I don't see much similarity between this and the drug heist (Isaac, #3). This was quick, in-and-out, never touch the floor, use camera's blind spots. The drugs was hours loading a large truck having disabled the cameras. The only similarity is point of entry.
Cirque du Pomme is in town!
Ever watched a squirel assault a bird feeder?
This is true, but that doesn't stop laundering with one-time fences. Smart criminals use Craigslist to hire eBay sellers, give them some legit stuff to build their rep & inspire trust, then give them a bunch of stolen crap at once. Most of the money gets through before serial number tracing or deactivation even happen. They can also sell through stores with no feedback or easily spoofed high feedback. Stolen electronics are fenced through eBay all the time & quite a few crooks make it over a long time. Will these guys pull this kind of laundering off? I don't know that. I just know it's actually pretty easy and standard operating procedure for many successful fences.
Movies make out that abseiling (rappelling) is difficult. It's easy! A skill learned in minutes by a child and useful for years (climbing became a hobby).
The gear is inexpensive too, from a few quid (dollars). Ascenders are trivial to use which I carry ever since I did something really dumb.
This also means that Bruce can no longer hold his movie plot contest without being accused of planting bad ideas in peoples' head.
Um... I don't think they'll sell on ebay. Ebay is broken for laptop sales just ask Bruce!
Just out of curiosity, how hard would it be for a bunch of best buy insiders to lift the gear at the dock. After they cut a hole in the roof and slap a boot against a pipe, they can come back to work and stand around the hole with everybody else and say "ohhh, ninja-pirates. I'm not sticking around after work in case they show up."
@Bill: For some reason I'm reminded of the old saying that it's not the fall that kills you, it's the sudden stop at the end.
'High level of sophistication', 'High-level planning', 'daring', 'professional', etc
Anyone here concerned that we might be sending out the wrong signal to thieves, 'acrobatic' or otherwise?
Oh, it says $26K of Apple laptops. That's what, 3 or 4 laptops?
And I am highly suspect of the "touching the floor sets of an alarm" part of the story. The expense to wire this very large area with a sensitive floor cover would be prohibitive, and the security would be designed more towards the perimeter. Why pay so much for this when the event of an attack of this sort is unlikely? Plus, if the floor is wired, as soon as you move any displays or put a box down somewhere on it you are going to trigger it. Can you imagine trying to set the alarm for the night and it won't let you because a sensor input is being triggered? You'd have to walk over the entire store to find what was causing the problem, although the system could be set up with multiple "zones" for the floor to allow easier searching, that would add even more to the cost. If you have a fault (short circuit) in the sensor, you have to rip up the entire section of foor to fix it. I say it's more of a BS story by the security company and it was told to others who believed it, and perhaps the crooks heard it and decided not to take any chances.
Many of the computer components have unique media access control numbers that may or may not be accessible over the internet. It depends on settings at the other end.
According to comments on the news site, this was just one of several similar break ins at Best Buy's around the country. I wonder if they all targeted the same kind of laptop? Are they filling an order?
I try to teach my guards to look UP, as well as around.The ceiling is very commonly overlooked by security.
The floors aren't wired. The motion detectin sensors are all aimed at ground level, triggered if anyone walks by. They're set low so you can't crawl under them. But apparently you can walk on top of the racks and not set them off.
My guess is that this was done by a high school or college aged short-term employee and his buddies who are into rock climbing. If you've already got some gear and you've watched some action movies, then this might seem kind of cool.
Of course, Apple hardware is going to be impossible to fence because it's so easy to trace (due to the software update in OS X). The only way to use this hardware without getting caught would be to install Linux on it and use some drivers which change the MAC address reported for the ethernet and wifi chipsets. How many black market buyers are going to want to do that?
"The gear is inexpensive too, from a few quid (dollars). Ascenders are trivial to use which I carry ever since I did something really dumb."
Really?? You carry ascenders everywhere you go? I only carry them on aid climbs. Even on long multi-pitch trad climbs a pair of prussics is a lot lighter than a pair of ascenders.
I wonder why a lot of people feel that a stolen laptop is immediately traceable due to the update feature? Have any of you who claim such a thing actually had your laptop stolen and recovered because you have updates switched on?
I don't believe it is possible because:
1. Laptops have identical hardware configurations to others of the same make/model, after they are all made on assembly lines using standard hw.
2. Modern OSes purposely remove uniquely identifying information like serial numbers from transmitted data about a laptop (anonymity it) to alleviate privacy concerns.
Are you saying that apple (or microsoft) is uniquely able to filter and to trace back to a particular laptop from the millions of update requests all over the world that come to their servers? Then we should be really concerned about our privacy.
Btw, I had my laptop stolen and neither microsoft or kaspersky (I have their antivirus which updates every 15 mins) offered any help due to reasons I explained above.
Maybe stolen to order?
Does sound like an inside job.
Next thing you know "The Ring" will be rappelling into the Buy More in Burbank...
Contrast this Best Buy job with the bank robbery I just heard about.
Allegedly, the theives called the bank before the robbery and told them to have the money ready for them.
It's true in some cases, but these are Apple computers. The software and hardware are more tightly integrated than most other computers and include hardware chips that uniquely identify it (you can overwrite the OS that came with it but the serial number is still there). It might be reprogrammable but that's a lot of work. They rely on the serial numbers for many things such as verifying software and when you do repairs to the machine at the apple store(if you sell it to a regular guy it's bound to happen). Also, you don't have control of the OS completely and if Apple implements some way to contact a server with the serials some guy that thought he got a legit computer likely won't avoid them. Are you really going to use an external firewall to prevent this?
The issue here is that a user that bought the computer would never think to do any of this. However, if the thieves stole the computers for their personal use, it's likely that they can overcome most any way apple implemented the checks (might require reversing though)
I don't think apple is in the business of tracking stuff for LE agencies so it's not a problem, and I don't think a couple of rogue computers are really a big deal for these companies, but they do have the capabilities to do it.
Not related to this, but there is a case apparently of a airport worker looking at the images of the full body scanner. Apparently he saw something juicy :D
Hopefully Bruce will talk about it.
"... Plus, if the floor is wired, as soon as you move any displays or put a box down somewhere on it you are going to trigger it. Can you imagine trying to set the alarm for the night and it won't let you because a sensor input is being triggered? ..."
Whilst you are correct in the rest of your points with regards the floor sensors, I guess there is something you are unaware of.
That is "Delta" or "state change" alarm switches.
The floor is laid out with a grid of preasure pads each one reports back individualy to the alarm box (usually they are multiplexed like the keys on a key board but in a "non blocking" way).
The alarm when set knows which pads are active and which pads are inactive. The alarm is triggered when a pad changes state.
This sort of system is not cheap (infact we are talking both arms and both legs) but it has the advantage of variable sensitivity thus not being triggered by rats / cats / dogs etc depending on how sensitive you set it. Thus you can have an area with "unleashed guard dogs" as well...
Unlike the cheaper downwards facing or "knee knocker" "IR fan" or microwave sensors that just report movment irespective of volume or mass.
This system has other advantages as well in that it can be used to monitor the track of guards and dogs etc, thus a log of guard movment is automatic. Plus in some cases the pad resolution is better than 100gm (4oz) at 150Kg (330lb or ~24st) so you can tell if a guard picks up an item etc (or as a friend of mine put's it "you can tell where muttly has done his business and thus where to send the clean up crew").
Oh and one little oddity, if you want to "do it yourself", under floor heating of various kinds can act as "transducers" as well as providing heat and often come in conveniant 2ft x 2ft units. I was shown this when I was working for a Korean company, the engineers had designed a system as a "hobby" project to be published there.
Not sure if it's the same incident but in the UK the press is having a bit of a field day with an incident that happened at Heathrow airport.
Apparently a young female member of staff has been "severly traumertised" by a male colleague. As far as I can tell she stood unaware in the field of view of a "virtual nude" scanner. He made some comment about "big breasts" and filed a formal complaint with the police under the "anti stalker / harrasment" legislation.
As was noted by one commenter, she was traumertised by a loud mouth, how many of his colleagues will do the same to passengers but keep their mouths shut...
So it's a case of nail the loud mouth, not because he and his colleagues can letch at members of the public, but because he made comment on a co-worker...
I must admit if I was still able to fly I'd be very tempted to make a special pair of underpants, which clearly said what I thought (not sure what they could do about it but I'm sure they'd rush new legislation through to cover it).
"...On top of the building, they used a saw to cut through several inches of rubber and insulation, then sliced a 3-foot-wide square in the metal roof..."
Shame they had to do $50,000 worth of damage to the facility to steal $26,000 "worth" of laptops (must have been MacBooks; $26,000 of wintel computers wouldnt fit through a 3x3 hole). And fenced they are probably only worth 10% of retail.
If they were this sophisticated why didn't they go ahead and make it worthwhile? Maybe this was a training run for a jewel theft someplace else?
Furthermore, at 00:02:26 (ie
I'll have to agree with the idea that "because it looked fun," was probably the motivation, and "probably an inside job" posts. Even if they do make it less likely that they were "stolen during business hours" and the roof hole was just a ruse. If you can't really fence them, the reason that they stole so few was that's all they needed, or those were the only ones piled high enough that they were above the motion sensors.
@ Clive Robinson
Yes, a state change mat system like this could be used. Like you said, it would cost even more than the simple floor sensor system I mentioned. An operation like Worst Buy would probably not spend the kind of money needed to do this. It's the old "Parable of the locks" thing that Bruce has discussed on here before. Don't pay more for the lock than what you paid for what's inside the locked box.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.