Schneier on Security
A blog covering security and security technology.
February 28, 2013
Brazen Physical Thefts
Three brazen robberies are in the news this week.
The first was a theft at a small museum of gold nuggets worth $750,000:
Police said the daring heist happened between daytime tours, during a 20-minute window. Museum employees said the thief used an ax to smash the acrylic window, and then left the ax behind.
"He just grabbed it, threw in bag and over a fence he went," Richard Hauck said, adding that there were no surveillance cameras operating at the time.
The second was at the Four Seasons Hotel in New York:
But now, the thieves have shattered the sense of security at the hotel, following the daring smash-and-grab around 2 a.m. Saturday in the middle of the hotel's spectacular lobby.
The three thieves walked right into the hotel, and one pulled a sledgehammer and smashed the Jacob & Co. case right next to the front desk. They made away with some very expensive jewelry.
The thieves then made a quick getaway with the stolen watches, necklace, earrings, cufflinks and pendants -- with a total value reported at $2 million.
And the third was the largest -- $50 million in diamonds stolen from the Brussels Airport:
Forcing their way through the airport's perimeter fence, the thieves raced, police lights flashing, to Flight LX789, which had just been loaded with diamonds from a Brink's armored van from Antwerp, Belgium, and was getting ready for an 8:05 p.m. departure for Zurich.
Waving guns that the Brussels prosecutors' office described as "like Kalashnikovs," they calmly ordered ground staff workers and the pilot, who was outside the plane making a final inspection, to back off and began unloading scores of gem-filled packets from the cargo hold. Without firing a shot, they then sped away into the night with a booty that the Antwerp Diamond Centre said was worth around $50 million but which some Belgian news media reported as worth much more.
I don't have anywhere near enough data to call this a trend, but the similarities are striking. In all cases, the robbers barreled straight through security, relying on surprise and speed. In all cases, security based on response wasn't fast enough to do any good. And in all cases, there's surveillance video that -- at least so far -- isn't very useful.
It's important to remember that, even in our high-tech Internet world, sometimes smash-and-grab still works.
Related: Here's a nice essay about diamond thefts, and the particular problems of securing diamonds. And this essay, by the same author, explains how to fence stolen diamonds.
EDITED TO ADD (3/13): A similar case from The Netherlands.
Posted on February 28, 2013 at 6:35 AM
• 29 Comments
The last link on fencing diamonds has a horrible in-page pop-up that demands registration :-(
The diamond district in Antwerp is well defended, so the thieves waited until all its safeguards no longer applied. The diamond custodians probably assumed the airport was pretty safe -- with all the anti-terrorism safeguards. For background on another Belgian diamond theft, the Selby and Campbell's book Flawless is an excellent read. The thieves probe for vulnerabilities and exploit each one.
I had to wonder if I was dreaming Clive R's post of the 25th re: movements of high value items via planes on last Friday's squid post...
A few months ago a van full of gunmen robbed one of Rio's nicest hotels and all the customers in the middle of the day and made off with a ton of money. Of course, none of them were caught.
Bruce, in your first example of the small museum, in the video interview, the interview asks, "No security camera?" and the employee responds, "Not at that time."
I am not sure what he means here. There are obviously cameras on the property as can be seen in the video. Does anyone know what happened to those cameras on site? Was the system broken? Did they turn it off? etc.
Waving guns that the Brussels prosecutors' office described as "like Kalashnikovs," they calmly ordered ground staff workers and the pilot, who was outside the plane making a final inspection, to back off and began unloading scores of gem-filled packets from the cargo hold. Without firing a shot, they then sped away into the night...
I'm assuming that the Kalashnikovs were these.
By reputation, the easiest rifle to acquire, especially by people who intend to use them for illicit purposes.
On the side of airport security: fences are very useful security devices, within a certain limit.
The fence doesn't exist to make illegitimate entry impossible. It exists to make illegitimate over-the-fence entry harder to perform and easier to identify.
The fence is only as strong as the consequences of being seen defeating it.
It strikes me that in all cases, the bad actors broke rules less stringent than "Don't steal stuff" in their quest to steal stuff. Actually, I don't know what gun laws are like in Brussels, so I could be wrong on this point.
But the point is, shouldn't security based on social norms (don't carry an ax into a hotel) present a higher bar than "Don't steal stuff" if you want to prevent stuff from getting stolen?
"The last link on fencing diamonds has a horrible in-page pop-up that demands registration :-("
Just use NoScript. I never saw a popup. ;)
"I had to wonder if I was dreaming Clive R's post of the 25th re: movements of high value items via planes on last Friday's squid post"
Hardly spooky. Clive and I were discussing security aspects of the very same plane heist, which someone posted on the blog. Bruce apparently wanted to hold off on writing about it specifically so he could fold it into a more general post on physical thefts.
@ Bruce Schneier
"It's important to remember that, even in our high-tech Internet world, sometimes smash-and-grab still works."
Smash-and-grab and more careful physical heists have been happening regularly for a decade now. It would have been foolish to stop considering them. I'm surprised we haven't seen more B&E's at startups with valuable intellectual property. The thieves could grab stuff other than the data to make it look like a burglary. Then, they start pulling data off and integrating it into their own offering.
At the low end of this sort of thing are the thefts of Tide detergent there have been stories about lately. The shoplifting apparently isn't stealthy but just involves pushing a shopping cart full of bottles out the door and taking off before anyone stops you.
The airport heist makes me question the idea Bruce quoted recently that in the future all security will be outsourced. The diamond owners trusted in the airport's security so didn't provide their own. But isn't anyone's business valuable enough to them to layer their own security on top of external security?
Regarding the diamond heist, apparently the security subcontractor's insurance should pay out. But there are rumours that the actual value of the diamonds taken significantly exceeds the reported value. The diamond trade, or at least part of it, in Antwerp is also widely suspected of tax evasion. We don't know which is the greater cost to society at large: the tax evasion or the effect of robberies on cost of insurance and security. Perhaps allowing the occasional robbery works better than official inspections, to keep the diamond traders honest in reporting the full value of their trades?
The problem was not the outsourced security, but poor security at the airport. Layered security does not make sense, generally; security is a weakest-link affair, so only if the layers work fairly well in concert will both together be more secure than the strongest one individually. This case, in particular, seems to suit outsourced security, as these shipments are presumably somewhat rare, and it would take a nontrivial force to make resistance to such a determined attack sensible. Much better, I think, to hire them for the occasion than to keep them on staff, rarely used. There is a question of loyalty, but presuming that the security agency itself is not corrupt (choose one with a reputation more valuable than the goods you hire it to guard), employees can be disloyal to the task whoever signs their paycheck.
The airport theft reminds me of the jetskier who came ashore at JFK--airport perimeter security evidences much less effort than passenger checks, and primarily focused on detection, not arrest. It could, I think, even be justified: hijacking a plane on the ground is of limited value, and sabotage wants to be undetected. More likely, I think, is that security theatre works best where people can see it.
Perhaps the diamond owners didn't think through the *goals* of airport security?
Airport security isn't really designed to stop people getting to places they aren't supposed to be. It's designed to stop them getting into the wrong places *undetected*. They don't want you to sneak something onto an airplane.
The fact that the diamond heist perps were dressed as police or government security forces makes me wonder how much resistance private security staff would have put up anyway.
In their position, would you have been willing to fire on people who might have been real police, as far as you knew?
I had to wonder if I was dreaming Clive R's post of the 25th re: movements of high value items via planes on last Friday's squid post
As @ Nick P noted he and I had been discussing this issue.
What might be regarded as "really spooky" by some is as part of that conversation I talked about the UK's "Great Train Robbers" as an example as to why "cash money" had become depreciated as a target item for serious crime (you can hold a 200MillionGBP gem stone in your hand, a truck to move the equivalent in 20GBP notes would be very very large and slow). Almost as I was typing it in, Bruce Reynolds, the person who had planned the Great Train Robbery, died (at a ripe old age).
Which @ wiredog has linked to above.
@ John Honovich:
"Not at that time" might mean that they put up the cameras in response to the theft.
It strikes me that the common thread in these 3 robberies is a very common one these days: process oriented or standards based security in which the actual working parts have been abstracted away until they are grossly inadequate.
- $750,000 in gold protected solely by a pane that can be quickly smashed open with a simple tool?
- a fortune in jewellery protected solely by a case that can be quickly smashed open with a simple tool?
- tens of millions in diamonds protected by nothing but a chain-link fence?
It is a longstanding, well-known principle that a security barrier needs to incorporate an intrusion detection system and a means of reaction, as well as a physical barrier that delays the intruder long enough for the reaction. Of course, the time taken to defeat a barrier depends on the resources expended; and what the opponent is prepared to invest depends on what he expects to gain.
In the first two examples there was no reaction capability (other than relying on someone to telephone the police, who would presumably arrive after many minutes); the value of the assets protected was considerable; and yet the barriers were not capable of resisting even the simplest, lowest cost attack for more than a few seconds.
The third example is slightly more complex. Airports certainly do have reaction capabilities. (I don't know if Brussels has the capability to react to eight men with light automatic weapons, but they'd better!) Also, though the barrier itself was weak*, it was a stand-off barrier, which imposes additional delay on the attacker. Hence this attack would likely have failed -- badly -- if the reaction force was alerted as soon as the attackers reached the fence. The issue here indeed seems to be like the jetski guy: these airports combine weak perimeter barriers with little or no perimeter monitoring. The result is a supposedly "high security area" that a half-naked, lost swimmer can just accidentally stumble into.
How can this sort of idiocy happen? Well, I saw an interesting demonstration recently. A certain secure area was being planned, by conventional project managers and engineers. None with any security experience. The site security manager was supposed to provide some security advice, but didn't really seem to know much about physical infrastructure, and in any case was usually too busy to turn up to project meetings.
Instead, they mainly just referred to whatever various security standards they could find, principally on the internet. And applied them with so little understanding, there seemed to be a total disengagement of the brain. Such as a fence of the same design as one that we know local boys have been climbing over -- but it's OK, because it's from a design document called "security fencing." The sole perimeter monitoring is patrolling by the site guard force: 1 man static at the gate, and 1 to patrol 2 square miles, 6 miles of perimeter, and over four dozen buildings. Not surprisingly, he does it from the heated comfort of his truck, with headlights trapping his vision into a narrow beam.
There are alarms and cameras, but they are designed as plant safety equipment that only cover the inner sanctum, so you don't see anything until the baddies are running away. The miles of fencing -- some of which runs through dense woodland -- doesn't have any alarms, camera coverage, lighting or even Mk I human eyeball coverage. All the doors are to be fitted with fancy electronic locks that they found in some government standard, but they are not solid cored doors, not alarmed, and on a weekend are not within earshot of any person.
I could go on, but you get the idea.
* Incidentally, it looks like Brussels airport is now hardening the fence: but in a way that totally fails to address the problem. Hopefully as well as the highly visible concrete blocks they will also add some monitoring.
I think it's not as irrational as it appears at first glance. It's all about incentives: I'd say the takeaway lesson is that for property crimes, there's no point in spending more on security than you spend on insurance.
For all we know they could be plastic toy guns. IF the criminals intended to use guns for their intended purpose, I'd say it were AKSU's.
This story begs another question: can a group of determined criminals hijack a plane while still on surface and then use it as they see fit? If yes, well...
This story begs another question: can a group of determined criminals hijack a plane while still on surface and then use it as they see fit? If yes well..
As Nick P and myself were discussing the other day the aircraft is extremely light weight and very very vulnerable to even hand operated tools.
In many airports aircraft are towed by tugs from one part of the airport to another. If an attacker can find an airport where a tug is used with a fully loaded airplane then all they have to do is start with hijacking the tug driver...
If not then they need a couple of vehicles and a step ladder. As an inducement to the pilot to "open up" another easily available weapon would be an RPG of any vintage, fired approximately axially down the aircraft would cause considerable carnage. Or from one of several angles at the engines or wing roots / fuel tanks. From a terrorist point of view a 747 or other "super" aircraft is several hundred human sardines in a self heating tin.
The simple problem, as the airline insurance industry knows, is that airports are way too vulnerable and financially impossible to secure to any sensible degree (the same is true for military airports). So it would only take one or two ground based attacks on fully loaded "supers" to destroy passenger confidence beyond the wit of the TSA or any other organisation and as a result more than likely cause a significant financial meltdown in the industry with knock-on effects that would be close to incalculable due to the numbers of other economic sectors affected...
As you may already realise, the infamous terrorist "Carlos the Jackal" already did this, on 13 Jan 75. It was a blackly comical farce in which no-one was seriously injured and the terrorists managed to make fools of themselves.
The RPG-7 was actually operated by a Baader-Meinhof Gang [1] member called Weinrich. From the edge of the runway at a range of less than 150m, he fired twice at an El Al Boeing 707 that was taxiing for takeoff. Both rockets missed; the second shot actually hit an Eastern Bloc jet and damaged it, but not nearly as seriously as you might imagine, and no-one was hurt.
In the process they damaged their car [2], and when it was abandoned shortly afterwards the police were able to seize the launcher and two more rockets.
Moronically, Carlos tried almost exactly the same stunt 6 days later. Having lost his RPG-7, he tried to use the much older and shorter range RPG-2. To get close enough, Carlos and 3 Palestinian Arabs smuggled the 1.2 metre long recoilless rifle onto an open air observation balcony facing the runway [3]. But they screwed it up again. Arriving late, they raced to the balcony but when they jumped up with the recoilless rifle in plain view, the Israeli jet that they meant to attack was already out of range. Worse, in the previous few days the French had added some armed guards; the terrorists were immediately spotted by a French policeman who opened fire with a submachine-gun.
The Palestinians took hostages and barricaded themselves in a toilet; the brave and wily Carlos took advantage of this diversion to run away. Thanks to a string of tradecraft blunders, he was nearly arrested a few days later; he escaped to a notorious life of murder and mayhem because the French detectives sent to arrest him were unarmed, and he simply shot them.
Meanwhile, trapped in their toilet block, the hostage takers did even better: the French government conceded to all demands then flew them out to Iraq.
1. German communist terrorist cell, for those too young to remember.
2. I recall once reading that they had blown out the car windows with the backblast from their RPG, which would be hilarious. However I can't find a reference for that now. Maybe I'm misremembering it.
3. Yes, there was absolutely no security control for someone wanting to go up to a balcony overlooking all the airport operations, whether to farewell their loved ones, or to start blazing away with a large, heavy and very conspicuous weapon. Ah yes, the good old days when airport security was so non-existent that hijackers would take over a plane by the simple expedient of bringing a pistol and a couple of hand grenades on board.
As you may already realise, the infamous terrorist "Carlos the Jackal" already did this, on 13 Jan 75. It was a blackly comical farce...
I'm actually old enough to remember the attacks as a teenager and his (supposed) involvement with a rocket attack on a French nuclear reactor on the Rhone nearly a decade later.
As you probably know the two attacks at Orly Airport have been used as a lesson to study not just by anti-terrorist organizations but also by engineers etc.
The general opinion of most engineers was "How did they manage not to succeed?" to which many a head has been shaken and various thoughts expressed. Two of which are,
1, Lack of technical knowledge.
2, Not getting sufficiently "up close".
As you and many others will realise remedying these two deficiencies would not be impossibly difficult for sufficiently technically minded and security aware persons. Of which some ordinary criminals have shown themselves more than capable in one way or another.
However the question falls as nearly always when it comes to terrorists and engineering to, can they put in the effort to gain the knowledge and thus stand a chance of gaining the understanding to do the job?
So far the answer has been "apparently not", I for one am not going to hold my breath on this one.
Carlos was in many respects a failure at almost everything he did before the early 1980's and returned to being a failure shortly after that.
He was more of a 'bar room brawler' type fighter than a planner, and he was a failure to the various people he served be it the PFLP or KGB. Both of whom in effect sacked him for incompetence or failing to carry out orders. Eventually even his infamy was no longer sufficient to serve as coin for his protection and he was drugged, trussed up like a turkey and handed over to the French who put him on trial, convicted and jailed him, where he is believed to be kept in solitary confinement.
Smash-and-grab and more careful physical heists have been happening regularly for a decade now
Surely this has been the predominant mode of thievery since property crimes were invented by our species, no?
@ Andy Kenney
"Surely this has been the predominant mode of thievery since property crimes were invented by our species, no?"
You've said it better than I, sir. ;)
"I'm surprised we haven't seen more B&E's at startups with valuable intellectual property."
That would be because most "valuable intellectual property" really isn't. Most of the value is in actually building a product, not the idea itself. Besides, if you're planning to sell a product based on code that you stole, it can be determined forensically later. There's really nothing of value to "fence".
@ Bron Gondwana
"That would be because most "valuable intellectual property" really isn't. Most of the value is in actually building a product, not the idea itself. "
Most espionage or attacks try to steal the valuable part. This might be product blueprints, source code, algorithms, marketing plans, legal strategy for key negotiations, etc. There are plenty of instances of IP whose owners overstate its value. However, there's plenty of valuable IP for the taking out there. The Chinese, Russians, and Israelis are the primary takers far as intelligence reports indicate. They also have a bunch of products popping up that are quite similar to ours, but minus the development time. (Hmm...)
"Besides, if you're planning to sell a product based on code that you stole, it can be determined forensically later."
If you copy it verbatim, yes. However, it can be obfuscated, refactored, etc. It might also pay off to steal the source code to learn key design or implementation choices that developers worked hard figuring out. The rewriting to hide origin can be done by lower grade programmers. There are also inexpensive refactoring tools that can really help with source theft, although I'm not sure if they're used for that. The bigger issue is: "will the theft get prosecuted?" If it's state-sponsored theft or copying, esp. not obvious (e.g. obfuscated), then there's little chance of meaningful legal action. That's a good enough reason for many groups to proceed with the espionage and capitalize on the goods.
"There's really nothing of value to "fence"."
Aside from the above, there's often knockoffs and counterfeits. Another thing I'd add would be the cases of software that was stolen throughout the years that came to light. PROMIS is a classic example. Their existence supports you can make money off stolen source. Although, they don't necessarily have to sell it on an open market: underground sales of extremely high license fee software for lower rates is a viable business. It also has the side benefit of blackmail/extortion ability against the companies dumb enough to buy the software. There's more possibilities that have been realized in practice, but I think you get the idea.