Page 22 of 25
In the Netherlands, criminals are stealing money from ATMs by blowing them up (article in Dutch). First, they drill a hole in an ATM and fill it with some sort of gas. Then, they ignite the gas—from a safe distance—and clean up the money that flies all over the place after the ATM explodes.
Sounds crazy, but apparently there has been an increase in this type of attack recently. The banks’ countermeasure is to install air vents so that gas can’t build up inside the ATMs.
Something like 50 million pounds was stolen from a banknote storage depot in the UK. BBC has a good chronology of the theft.
The Times writes:
Large-scale cash robbery was once a technical challenge: drilling through walls, short-circuiting alarms, gagging guards and stationing the get-away car. Today, the weak points in the banks’ defences are not grilles and vaults, but human beings. Stealing money is now partly a matter of psychology. The success of the Tonbridge robbers depended on terrifying Mr Dixon into opening the doors. They had studied their victim. They knew the route he took home, and how he would respond when his wife and child were in mortal danger. It did not take gelignite to blow open the vaults; it took fear, in the hostage technique known as “tiger kidnapping”, so called because of the predatory stalking that precedes it. Tiger kidnapping is the point where old-fashioned crime meets modern terrorism.
There was an interesting security tidbit in this article on last week’s post office shooting:
The shooter’s pass to access the facility had been expired, officials said, but she apparently used her knowledge of how security at the facility worked to gain entrance, following another vehicle in through the outer gate and getting other employees to open security doors.
This is a failure of both technology and procedure. The gate was configured to allow multiple vehicles to enter on only one person’s authorization—that’s a technology failure. And people are programmed to be polite—to hold the door for others.
SIDE NOTE: There is a common myth that workplace homicides are prevalent in the United States Postal Service. (Note the phrase “going postal.”) But not counting this event, there has been less than one shooting fatality per year at Postal Service facilities over the last 20 years. As the USPS has more than 700,000 employees, this is a lower rate than the average workplace.
Because automobile security devices are so effective, some car thieves are breaking into people’s homes in order to steal the keys.
He said modern cars with electronic keys and immobilisers were putting car thieves out of business—but the thieves were adapting.
If a car thief wants to steal a modern car, they need the keys.
The stolen goods include 150 pounds of C-4 plastic explosive and 250 pounds of thin sheets of explosives that could be used in letter bombs. Also, 2,500 detonators were missing from a storage explosive container, or magazine, in a bunker owned by Cherry Engineering.
The theft was professional:
Thieves apparently used blowtorches to cut through the storage trailers—suggesting they knew what they were after.
Most likely it’s a criminal who will resell the stuff, but it could be a terrorist organization. My guess is criminals, though.
By the way, this is in America…
The material was taken from Cherry Engineering, a company owned by Chris Cherry, a scientist at Sandia National Labs.
…where security is an afterthought:
The site, located outside Albuquerque, had no guards and no surveillance cameras.
Or maybe not even an afterthought:
It was the site’s second theft in the past two years.
If anyone is looking for something to spend national security money on that will actually make us safer, securing high-explosive-filled trailers would be high on my list.
EDITED TO ADD (12/29): The explosives were recovered.
Funny story:
At the airport where this pilot fish works, security has gotten a lot more attention since 9/11. “All the security doors that connect the concourses to office spaces and alleyways for service personnel needed an immediate upgrade,” says fish. “It seems that the use of a security badge was no longer adequate protection.
“So over the course of about a month, more than 50 doors were upgraded to require three-way protection. To open the door, a user needed to present a security badge (something you possess), a numeric code (something you know) and a biometric thumb scan (something you are).
“Present all three, and the door beeps and lets you in.”
One by one, the doors are brought online. The technology works, and everything looks fine—until fish decides to test the obvious.
After all, the average member of the public isn’t likely to forge a security badge, guess a multidigit number and fake a thumb scan. “But what happens if you just turn the handle without any of the above?” asks fish. “Would it set off alarms or call security?
“It turns out that if you turn the handle, the door opens.
“Despite the addition of all that technology and security on every single door, nobody bothered to check that the doors were set to lock by default.”
Remember, security is only as strong as the weakest link.
This Iowa prison break illustrates an important security principle:
State Sen. Gene Fraise said he was told by prison officials that the inmates somehow got around a wire that is supposed to activate an alarm when touched. The wall also had razor wire, he said.
“The only thing I know for sure is they went over the wall in the southwest corner with a rope and a grappling hook they fashioned out of metal from somewhere,” Fraise said.
Fred Scaletta, a Corrections Department spokesman, said the inmates used upholstery webbing, a material used by inmates who make furniture at a shop inside the prison, to scale the wall. The guard tower in that section of the prison was unmanned at the time because of budget cuts, he said.
“I don’t want to say I told you so, but those towers were put there for security, and when you don’t man those towers, that puts a hole in your security,” Fraise said.
Guards = dynamic security. Tripwires = static security. Dynamic security is better than static security.
Unfortunately, some people simply don’t understand the fundamentals of security:
State Rep. Lance Horbach, a Republican, criticized Fraise for suggesting budget cuts were a factor in the escape.
“In reality, we should explore why the taut wire system failed to alert guards and security staff that these two convicts were attempting to escape,” he said.
Actually, in reality you should be putting guards in the guard towers.
RFID car keys (subscription required) are becoming more popular. Since these devices broadcast a unique serial number, it’s only a matter of time before a significant percentage of the population can be tracked with them.
Lexus has made what it calls the “SmartAccess” keyless-entry system standard on its new IS sedans, designed to compete with German cars like the BMW 3 series or the Audi A4, as well as rivals such as the Infiniti G35 or the U.S.-made Cadillac CTS. BMW offers what it calls “keyless go” as an option on the new 3 series, and on its higher-priced 5, 6 and 7 series sedans.
Volkswagen AG’s Audi brand offers keyless-start systems on its A6 and A8 sedans, but not yet on U.S.-bound A4s. Cadillac’s new STS sedan, big brother to the CTS, also offers a pushbutton start.
Starter buttons have a racy flair—European sports cars and race cars used them in the past. The proliferation of starter buttons in luxury sedans has its roots in theft protection. An increasing number of cars now come with theft-deterrent systems that rely on a chip in the key fob that broadcasts a code to a receiver in the car. If the codes don’t match, the car won’t start.
Cryptography can be used to make these devices anonymous, but there’s no business reason for automobile manufacturers to field such a system. Once again, the economic barriers to security are far greater than the technical ones.
An article on “the Armani of bulletproof clothing.”
Sidebar photo of Bruce Schneier by Joe MacInnis.