Simplifying Cyber

The Antwerp Diamond Heist: Lessons for Cybersecurity

Aaron Pritz, Cody Rivers Season 2 Episode 3

What can the largest diamond heist in history teach us about modern cybersecurity? When $100 million in diamonds vanished from Belgium's supposedly impenetrable Diamond Center vault, it wasn't cutting-edge technology that failed—it was people and processes.

Join host Aaron Pritz and senior cybersecurity consultant Rebecca as they unpack the fascinating story of the 2003 Antwerp Diamond Heist in this surprise mystery episode. Piece by piece, they reveal how jewel thieves bypassed sophisticated security measures using remarkably simple techniques: hairspray on heat sensors, electrical tape over light detectors, and basic tools to pry open safety deposit boxes. More importantly, they uncover how fundamental breakdowns in process and human vigilance created the perfect conditions for this historic theft.

The parallels to modern cybersecurity are striking and sobering. Just as the Diamond Center's management skipped background checks and ignored maintenance warnings to save money, many organizations today prioritize convenience over security or postpone critical patches to avoid disruption. The heist demonstrates how social engineering, insider threats, and complacency can defeat even the most impressive security technologies—a lesson that remains painfully relevant in our digital world.

Whether you're responsible for protecting digital assets or physical ones, this episode offers valuable insights into the delicate balance between technology, people, and process in creating truly effective security. Listen now to discover how the most catastrophic security failures often stem not from sophisticated attacks, but from neglecting the basics.


References: 
1. https://www.osti.gov/servlets/purl/1115483
2. https://www.wired.com/2009/03/ff-diamonds-2/
3. https://www.bbc.co.uk/programmes/w3cszdjz

Speaker 1:

Welcome back to Simplifying Cyber. I'm Aaron Pritz and today we have an extremely special mystery episode. It's actually so extremely special and secret that I don't even know what's going to happen. So today I'm joined by Rebecca, one of our senior cybersecurity consultants here at Reveal Risk, and she's the origin of this surprise episode. And just to give you a little bit of background, basically our producer informed me, via my own calendar actually, that we were about to do a secret, super secret episode, mystery episode with Rebecca, and she'd be taking me through it. What it is shall be determined, allowing me to take some reaction time to make some guesses about whatever it is. I'm now stalling to further guess, but Rebecca has given no indication, so I'm going to turn it over to her to unveil what is about to happen to me. Gulp.

Speaker 2:

Yep, yep, I'm actually just going to dive right into the story. So for those of you who don't know, I'm still somewhat new to Reveal Risk. One of the things that I learned very early on is that Aaron is one of the first people into the office in the morning, and we are actually going to have you guys keep that in mind during the story, because this story starts out in a typical office building, Monday morning, 6:15 am, and the first person in the office is a security guard. He's going on about three hours of sleep (we're not sure why), but I would guess that he is on autopilot, so he does a couple of things and then he has to go see to his main morning duty, which is actually opening up a huge vault in the sub-basement, because this is actually not a typical office building. This is an office building in the Diamond District in Antwerp, Belgium.

Speaker 1:

I've always wanted to go to Belgium, so you're taking me to...

Speaker 2:

Belgium, Rebecca, I know. And you just got back from Switzerland, right?

Speaker 1:

I did, I did. I should have just gone straight there, but I'm virtually now teleporting back to Europe to undertake this adventure.

Speaker 2:

There you go. So he's heading down the elevator, notices that the vault door is open. Doesn't think too much of it. Maybe another security guard got there earlier than he did, but when he walks into the vault he will see what is later described as a scene looking like a bomb has gone off. There are the face plates of safety deposit boxes scattered everywhere. There are diamonds scattered everywhere. There are gems, emeralds, cash of all different currencies, family heirlooms thrown on the floor, watches, lockets.

Speaker 1:

Doesn't sound like a clean job. Definitely not The Italian Job with such precision. A bit of a mess, if I'm interpreting the scenario right.

Speaker 2:

Yeah, it's interesting you say that, because I think one of the things we're going to explore with the story is Hollywood versus reality, right, when it comes to heists, and when it comes to cybersecurity as well. And actually, what that security guard doesn't know, as he's standing there probably trying to process what he's seeing, is that the culprit, the mastermind of this heist, is a man that he has seen and spoken to regularly for over two years. This is the story of the 2003 Antwerp Diamond Heist.

Speaker 1:

And am I the security guard in this setting, or do I play myself?

Speaker 2:

I just wanted to kind of put you in the mind frame of walking into work in the morning and then finding everything that you're supposed to protect just kind of splayed out in front of you. I would imagine that is a pretty interesting experience to have, probably not a very positive one.

Speaker 1:

Right, it's not going to be a good day for me as a security guard if I am.

Speaker 2:

Oh, no, no. So what we're going to do with this is I'm going to give you a little bit more context around the story, but then we are going to walk through each of the security measures that this building had just from a high level and talk about how it's similar or not similar to cybersecurity and how we think this could have been prevented. So are you ready?

Speaker 1:

I'm ready, let's do it.

Speaker 2:

All right. So you might be wondering why this particular building in Hungary has a big giant diamond vault in the basement. Hungary actually has a pretty infamous diamond district where 80% of the world's rough diamonds pass through. So it's a huge center for polishing and cutting diamonds, trading diamonds as well. And then actually within that full diamond district is about a three-block radius called the Secure Antwerp Diamond Area. That is totally... cars cannot go through there. There are bollards at all the entrances, there's a 24-hour police presence and there are over 60 CCTV cameras there. So already really secure. And then this particular building, the Diamond Center building, is also considered to be very, very secure. It's had comparisons to Fort Knox.

Speaker 1:

Got it, got it.

Speaker 2:

So it's in this context that, in the fall of 2000, a man named Leonardo Notarbartolo applies to rent an office building in the Diamond Center, which is the building. He is able to get that, no problem. He also gets a safety deposit box down in the vault and he essentially spends two years doing reconnaissance. He is not well known.

Speaker 1:

As a good insider would right.

Speaker 2:

Exactly, exactly, and he is very charismatic, so the social engineering part is very easy for him. He gets to know the guards really well. He does things like he stays after hours to see if anybody will kick him out, because they're supposed to. When they don't, he goes exploring around the building. Similarly, he'll go into the vault five minutes before it's supposed to be closed and then, when they do come to kick him out, he can watch the procedure as they lock up the vault.

Speaker 2:

And what nobody knows in Antwerp, but a lot of people know in Italy, is Notarbartolo is actually a really well-known jewel thief and he works with a crew of people. This part of it, I will say, is somewhat similar to a Hollywood movie like Ocean's Eleven. He has, you know, accomplices. There's an alarms expert, there's a keys expert, so everybody has their role. And he's actually walking around with, like, a bag that has a camera in it, and so he's recording things and sending these back to his accomplices.

Speaker 1:

They're known as the school of... Does he have a quirky hacker guy in this case, or was this predating the coolness of the hacker?

Speaker 2:

I think you would say the alarms expert is probably the cool hacker guy. But yeah, they do some things that are pretty ingenious, but not highly technical, I would say. And then Valentine's Day weekend 2003, on Saturday night, they carry out this heist. So that is the backstory. And then let's dive into the security measures, and I think how I see this going is I'll tell you kind of the security measures that they have to overcome. I'll let you guess as to how they did it. I'll talk through how they did it and what we can kind of learn from that. Choose your own adventure.

Speaker 1:

I'll now switch from my role of the security guard to the role of the jewel thief.

Speaker 2:

Exactly, yeah. Put your hacker hat and your jewel thief hat on, for sure. Great. I will say that there's a lot to discuss here, so if we start to run low on time, I might start to crib this a little bit with the guessing and everything, but other than that, let's dive on in here.

Speaker 2:

So, starting with getting in the building. Now, Notarbartolo did have a badge to get into the building, obviously, but at night and in off hours, like the weekends, the building was totally locked down. There were corrugated metal doors that came down in front of all the entrances. There is garage access to get into the building. Corrugated metal doors came down there. There's alarms on the windows and there is actually a private apartment in the building where an on-call guard would stay. So they're not necessarily patrolling, but they're there as an added security presence, but then also if a tenant did need to be let in for some reason after hours. So any guesses there on how maybe they get in?

Speaker 1:

It's tough without seeing the visual experience, but you mentioned that they already had some access during normal hours and they were able to see how the controls work. So if I was in this role or on a team trying to recreate the situation, I'd be looking at times of gaps in the controls or areas, times when the sensors were off, alarms were off, just to understand those patterns. I think when you mentioned that they were doing reconnaissance, obviously you're trying to study the weaknesses. So I don't know that I've spotted any specific weaknesses from what you're telling me, but I think I'm keenly looking for those.

Speaker 2:

So Notarbartolo gave an interview to Wired Magazine, actually in 2009. This is how he says it happened. He said that the thieves stashed a ladder in the back of the building. They climbed up to the second floor and there was a terrace on the second floor. There was actually a body heat detector on that terrace.

Speaker 1:

They said they used a homemade polyester shield to block that heat sensor and then they disabled the alarm. So you think that's like a polyester suit, like a nice crushed velvet polyester blend, or what are we talking about here?

Speaker 2:

I will tell you you're zeroing in, I think, on the right thing. Okay, okay, I don't know. He did not give more detail than essentially what I just said, so I don't know what it looked like. He did describe it, though, as a shield. Any other quick reactions to that?

Speaker 1:

So, ladder, second floor, defeating a sensor based upon something that masked the visibility to that sensor. I think I'm following along so far.

Speaker 2:

So it's interesting. What I think I kind of heard is that, you know, maybe the polyester shield didn't quite add up for you or maybe it was a little bit confusing, which I would expect, because that story that I just told you almost certainly is not how they got into the building. So a little bit of context on Notarbartolo. That is how he says it happened. At the time that he's giving this interview to Wired, he is jumping around with this story to Hollywood studios to get a review, so this interview is highly suspect. There is also a laundry list of other reasons why his story on a lot of this, and specifically this, does not work, including some physical evidence. So let me tell you how they did get in the building and then I'm gonna get your reaction. Yep, and actually a quick aside from a Hollywood standpoint, one of my favorite long-time movies...

Speaker 1:

I don't know that it's held up, but The Rock, you know, sneaking into Alcatraz. You know, after seeing the movie, 10 years later, I was in San Francisco and I finally saw Alcatraz and I was looking for, you know, the setting from the shower scene, right where there was an elevated level, and you know, as they were coming up through the floor, the enemy had the drop on them and they were, you know, aiming down, and then there was the standoff. And when I got to Alcatraz and did the tour, it's a one-story shower. There's an example of, like, yeah, exactly.

Speaker 1:

You had to change the story. So maybe, if you're trying to pitch Hollywood, I see maybe the intent of, you know, the ladder and the polyester suit and the top hat that inevitably had to go with it.

Speaker 2:

Yeah, I mean, and you know you can imagine it's like under cover of night, you know, sneaking up a ladder, absolutely. And one of the things that I do want to get your reaction to as well, after we talk about what most likely happened, is, I think, for cybersecurity too, there is the Hollywood version of what a hacker is, and then there's the reality of what a hacker is, and you've kind of already touched on that a little bit. So most likely, like I said, he had access to the building. He had access to it after hours. And we know two things. One is that the doors from the building to the garage, they all had badge readers, you had to badge in, which would have left a digital footprint, except one was essentially a garage door opener with a key, and he likely figured out that that operated on a radio frequency. I don't know how much you know about radio frequencies, but apparently there were only like a thousand or four combinations.

Speaker 2:

I mean, you think the analog is encryption; that's child's play, essentially.

Speaker 1:

So they were able to figure that out. I may know, from our penetration test team and a recent study, the exact condition you're talking about: a small number of codes to try through on fairly common physical security badge readers, maybe the outdated ones. Yeah, yeah. And they did find a duplicate physical key in the safe that had been dropped by one of the thieves, so it pretty much indicates they were going in through the garage one way or another.

Speaker 1:

Yeah, no, that's fair. And in hacking, most of that, even if you're not that technical, you might remember DOS or command line prompts. It's not 3D GUI displays, it's a lot of command line interactiveness. It can be interesting what they're getting into, but the optics of it, you know, Sandra Bullock, The Net, and visualizing that on a Mac. Definitely some artist's creativity to make that more meaningful than watching command lines be typed.

Speaker 2:

Absolutely, absolutely. All right, let's head into the real fun stuff. So now we're, like you said, we're wearing the Thief Hat, we are in the building and we are now standing in front of the vault. So the vault actually had what I would call multi-factor authentication. They had two ways that you needed to unlock it, and we know multi-factor authentication is what you know, what you have, those kinds of things. So there was one thing which is what you know, and that was a combination. So this is not a digital combination, it is a manual dial, and if you looked over the dial, there's a little window that had numbers from 1 to 99, so it's a four-number code, and then you would turn it one way, you know, turn it to go to 44 and then turn it back to 15.

Speaker 1:

Are we going to put on our virtual stethoscopes to listen to what we'll fix, or what's going on here?

Speaker 2:

I mean, is that your guess? Like that's a good guess.

Speaker 1:

That'd be old school. I have a feeling it's maybe more complicated than that, but let's see.

Speaker 2:

So again, we're not positive. And, by the way, the reason that we're not positive on a lot of these (some are confirmed) is because the security cameras that were actually within the building all went to VHS tapes that were all at, like, a guard station, and Notarbartolo obviously knew exactly where that was. So we have no security camera footage from this night. We do have footage...

Speaker 1:

Meaning the tapes were missing or the recordings didn't happen.

Speaker 2:

The tapes were missing. They took the tapes. There was a recovery of part of a tape that was damaged. They tried to restore it, but it didn't show anything. So there's three possible options. So I will walk through all of them and then I want you to tell me what you think is most plausible and, teasing it a little bit here, what sounds the most familiar to you, because I have a feeling a couple of these are going to sound familiar. So first we have what Notarbartolo says. Again, this highly sounds like it's from a heist movie. He says they placed a fingertip-sized video camera on the safe, or on the safe door, just above the guard's head. That video camera sent the footage to a hard drive that was disguised as a fire extinguisher, and he made sure to note that it was a working fire extinguisher, and this is when VHS was still the medium.

Speaker 1:

So we're talking physical wires, no bluetooth.

Speaker 2:

At that point it would have been wireless. It's 2003, so it would have been wireless.

Speaker 1:

I mean, that's certainly possible at that point, right? That's pretty early days. Yeah, it's, and it's very...

Speaker 2:

It's a lot of footage that you would have too, so I don't know how big, you know, in that time, how big the hard drive would have had to be. There's other issues with that. I mean, even if you're placing it in a way that can't be seen, if it's above the guard's head and the guard is looking down at the knob, it's probably blocking his view, the view from the camera. Also, the guy that installed the door said that that lens, when you were up close to it you could see the numbers, but the further away you got, it was distorted. So that's a possibility, but there are issues. There's two other possibilities. One of the guards (and I know this is going to shock you) admitted that he had trouble remembering the code and that he had, on at least one occasion, written it down.

Speaker 1:

Oh, the post-it note. Was it under the keyboard? Was it nailed to the door? What are we talking about here?

Speaker 2:

Well, in his pocket, he says. But this is, you know, Notarbartolo is a guy that's been stealing stuff since he was like nine years old, so I would imagine that picking a pocket would be pretty easy. The third one is so, so fascinating. I think we could do like an entire episode just on this theory, one that has been posited by an expert in the field: the possibility. So if you go to, you know, if you've ever had like a high school locker, or you go to the gym and you use your own locker, you know that you type, you put the code in, unlock, and then when you go to lock it back up, sometimes it bounces back at you, right, because you haven't cleared out the code, right.

Speaker 2:

So this particular vault did not have a feature that a lot of vaults have, which is called an auto-scrambler. And what an auto-scrambler does is once you get the code in and you close the door, it automatically clears out the code. So to lock, you have to re-enter the code, but this door didn't have that. And the thought is that maybe the guards got complacent, they got sick of forgetting the code, and so they would enter the code in the morning and never clear it out and just let it ride as long as they could, opening and closing. Those are the three theories. What are your thoughts?

Speaker 1:

Yeah, the camera one, with the technology at the time, does seem not probable. I think maybe the third one seems most interesting to me.

Speaker 2:

Me too, and actually before we move on, can you just talk about, because you used to be an auditor, in your experience, how much of an issue is complacency?

Speaker 1:

Complacency, I think boredom, complacency, routine, compensating measures, writing down a password or using the same password over and over again because it's easy. So I do think sometimes laziness can be, even if you know better. It's just the convenience of your day, and sometimes that's where good intentions go by the wayside.

Speaker 2:

Yep, I would agree with that. Yeah, I think I've seen that a lot and I think it's interesting, the reputation of the building compared to what was actually being done. And sometimes I think, you know, optimism bias just kicks in a little bit. Why would we, you know, work too hard? Nobody's gonna really be able to get in here. So the second part of this MFA is actually a key lock. So once you get the combination in, then you have to insert a key. It's a specially made key, it's about a foot long and it separates. So the process is you would unlock the vault and you would separate the key into two pieces. One is just basically like the big long kind of shaft of the key. The other is what's called the stamp, and that's what's got all the nodules and stuff on it that turns the pins, and the stamp is pretty small. So the stamp would go into the guard's pocket and then you would have the two pieces separated at all times. Any guesses on how they circumvented this?

Speaker 1:

Sounds like the only thing that's truly the key is the thing in the pocket. So if you had a separate long pole that you could attach, could you pick the pocket of the specific key if you've not already made a clone, and then you'd have one less thing that you'd have to obtain in real time.

Speaker 2:

It's a good guess, potentially. So the answer is even more kind of silly. The thieves were, so this is not disputed, although there's some details that are a little bit disputed. But everybody agrees that sitting next to the vault in a locked storage room was the entirety of the key that had just been stored there. So they just took a crowbar to that storage room and got the key and were able to get in.

Speaker 1:

So just go straight through the door, just bust it.

Speaker 2:

Yeah, but the process was supposed to be that the only thing that was there was the shaft, and the entire key was there. So at some point the process broke down and the guards were not carrying that stamp of the key with them. So, again, complacency. And then I think this is a good time to introduce something that we kind of preach at Reveal Risk, which is people and process are just as important, right. So there's a, we'll see a little bit more.

Speaker 2:

There's a lot of technology in this building, but the people and process are breaking down, and it's easy to be hard on the guards here, but there's obviously not a lot of governance taking place as well. Yep, yep, complacency can drive that as well.

Speaker 1:

Not only the original, but even the oversight. So two levels of complacency issues. Cool.

Speaker 2:

So one question I want to ask before we move on to the next measure here is, we talked about how there's complacency involved, kind of at all levels. What's the best way? If you're an organization that has cybersecurity concerns and that's a concern for you, what's the best way to go?

Speaker 1:

They always say, like, rotating duties. Like, if somebody is so bored and routine on their job, they're going to miss the little things and they're just phoning it in. So in audit, you know, when people are on vacation, you're having another person check things. So, like, rotations are good. I think also, like, having a review of the review or an external audit itself to kind of make sure that you're not only relying on the primary mechanisms of whatever the control may be, even if it's once or twice a year, just to kind of make sure everything's working. Lessons learned, process improvement. I was in Six Sigma in one of my jobs, so just kind of process reviews, making it simpler, reducing the opportunities for human error through simply learning a process. All of those can be good options.

Speaker 2:

Yeah, I would agree with all of that. All right, so let's move on. Before they open this vault door, they have to also defeat a magnetic alarm. So magnetic alarms, they're pretty common these days. You probably see them on, like, sometimes people have them even in their home security: two little pieces of plastic that are magnets. One's on the doorframe, one's on the actual door, and if you open the door it breaks the magnetic field.

Speaker 1:

Yes, I was. I was coming along on a physical penetration test with our team and we were faced against some physical security controls that we were told would not be there. And I remember when we were going up the exterior stairs there were some magnetic alarms that I saw. I'm like, we're authorized to do this, but what's the chance this is going to trigger an external, silent alarm too, and then we'd have to deal with that. So I've seen those intense situations where you're like, ooh, is that activated? Is it going to work? All that.

Speaker 2:

Yeah, yeah, did you try to? You didn't try to defeat that magnetic alarm, or?

Speaker 1:

Anything we tried? Oh yeah, these specific locks. We got in through other ways, but these specific locks were very, very sophisticated. It would have taken more time than I think we were afforded, and there were easier paths then. So don't start with the hardest options.

Speaker 2:

Gotcha. Any guesses? Well, let me tell you a little bit. So the only difference here is that these are a little bit more heavy duty. So instead of two little plastic pieces, they're kind of brick-sized metal pieces on either side of the door. So that's the only difference there in terms of the alarms. But otherwise they work the exact same way as what you encountered. Any guesses on how they defeated this?

Speaker 1:

Maybe magnet systems to be able to open the door without the pressure or the magnetic field being released. Or, since we've already smashed some doors, could I just cut through the door?

Speaker 2:

Obviously that'd leave a pretty good trail. Yeah, or, like my story of the penetration test, if that option was too hard, maybe I'd pivot, right? I think it sounds like they did explore kind of a similar option to, I think, what you brought up first, which is they explored some, like, heavy physics way of maintaining the magnetic field. But what they actually did is, I mean, I hate to be, you know, people lost family heirlooms, I always have to remind myself, but I hate to be impressed. But first they did some social engineering, which is an accomplice of Notarbartolo's, in the week leading up, badges in with Notarbartolo's badge and then shows the security guard a work order, and he gets to go down into the vault. He likely put, like, a bag or something over the cameras in the vault.

Speaker 2:

Why that didn't raise alarms, I don't know. But then what he does is he takes, like, a metal plate that they had custom made based off of what they knew. They were able to fit it in between the bolts on both magnetic pieces, and then he just very carefully unscrewed a little bit of each of the bolts, and then in between the sensor and the door he took a hacksaw and hacked off the lower part of the bolt, and then he replaced that with double-sided tape and then removed the metal plate. So everything looked the same, right? Got it.

Speaker 2:

Then on the night of the heist, they were able to just put that same plate back on it, pull off both magnets keeping them together, set them to the other side, because it's double-sided tape, and stick them there, and then they could just open the door and there's no... Got it, so it was still connected to the cords.

Speaker 2:

It was just placed to the side, stuck to the side so it would not trip. Okay. Yeah, and again, I think, you know, this is where it's an extremely smart person doing something that is incredibly resourceful, but he should have never been allowed in the building. Somebody should have raised an alarm, checked on the work order, compared the work order to the fact that he was able to badge in with just a random tenant's badge. Alarm bells should have been raised, like I said, by the fact that the cameras were getting covered, and, yeah, I don't know, I mean, what are your thoughts on it? It's kind of mind-boggling to me, to be honest.

Speaker 1:

Yeah, I think basic background checks sometimes are forgone because you assume, hey, you trust people. I've worked at companies that have a culture of trust and they believe that everyone's good. But in most organizations, large or small, there's always personal stressors, life stressors. You know, the volume game of everyone probably at some point had good intentions, but sometimes people go astray. So I know of one company that hired somebody that didn't have a background check and they had...

Speaker 1:

There was a murder, they were a murderer, but that had not been, and I won't go into too much detail there. But, well, those types of stories are real and they exist. And then there's the other thing of, like, sometimes background checks don't reveal things that are not public record, right? Yeah, so in this case it seems like this person had already been in jail, or they had been arrested, or they were unknown. And if he was going by his actual identity, then a background check or something like that could have stopped it. If he was, you know, fake passports and things like that, perhaps, you know, living a life of a different identity, it might be tougher. Yeah, I mean, yeah, Notarbartolo...

Speaker 2:

A background check would have certainly revealed something. And then the added-on idea of his accomplice. His accomplice is able to come in with a work order and not be questioned. There's no reason. Like, you know, I don't think he brought up Notarbartolo's name other than using his ID to badge in. But a tenant wouldn't be able to vouch for a maintenance man on the building. That doesn't make sense.

Speaker 1:

It seems like, you know, you think, the Fort Knox of diamonds. It seems like a classic case of a lot of effort going into the technology and the physical controls but not enough time spent on the human element or the process work, you know, flaws, things like that. So, yeah, I think maybe the emphasis is there's a lot of good effort put in place. It just wasn't holistic enough, and with enough time any control or system or company or whatnot usually can be defeated.

Speaker 2:

Yeah, yeah, yeah, absolutely, and just to put a little bit of a button on that, and then we'll move into the last two measures here. So one thing about this building is, although it did have a great reputation and it was Fort Knox, they did not have, like, theft insurance, and there were other buildings within the district that did, and they said, like, one of the reasons that they didn't do it is because they knew that the insurance investigator would tell them you need to have background checks on your tenants and you need to, you know, do upgrades here, things like that.

Speaker 1:

So cost constraints, wanting to shortcut things. Hindsight's 20/20; they probably would have got that, but they didn't for those reasons. Yeah, and that's fair.

Speaker 2:

I mean it is important to say, like, you know, these are real people, the guards and the building manager and the owner. I mean I think the building manager really kind of had her life ruined by this heist that happened. So definitely empathy there. But I think there's so much that we can learn from, unfortunately, some of the complacency that just wasn't raised. So there's another alarm that they need to disable, another couple of alarms they need to disable, before they can actually step into the vault. So the one we're going to focus on is a combined heat and motion sensor. So when you walk into the vault, it measures the body heat change, and then it also separately, using microwaves, measures temperature.

Speaker 1:

Um, any guesses? And I will give you a little bit of a hint: at least an element of how they defeated this is very similar to a YouTube video that we had that went a little bit... Yep, so the body heat and motion, and you're referring to the using the canned air to trip the motion on an automatic exit that senses people coming out, unlocks the door but doesn't obviously let you in unless you have a stick or canned air or whatever to trip that sensor. So I mean I wanted to say, you know, Tom Cruise coming down on a pulley system, and, you know, but that was a pressure sensor in the floor. So I mean I guess I would say, I mean the earlier body sensor, they used the polyester. So was there something then to keep a consistent temperature, or something to wrap around the sensor so it would maintain consistency while they were coming in or out on that?

Speaker 2:

It's a good callback.

Speaker 2:

It's even simpler than that.

Speaker 2:

The day before the heist, Notarbartolo walks into the vault, as he has so many times before, which he is allowed to, but I think he'd established enough rapport that he felt pretty comfortable.

Speaker 2:

He wouldn't be flagged or watched, really. He's got a can of hairspray in his hand, and at least one documentary that I watched on this, I don't know if they're speculating on this or not, but they kind of indicate that he maybe kind of stretches out, like, pretends that he's stretching, and he sprays a bit of hairspray on the sensor, and what that does is it temporarily masks the heat sensor. So from there, once they are... then it's the night of the heist and they're about to step into the vault. All they would really have to do, at least according to the sources that I read, is initially, as they're walking in, they would kind of walk in slow motion to kind of fool the motion sensor, which is kind of funny to think about. Um, and then they had a bit of styrofoam on a broomstick that they were able to just hang off of the motion sensor, and it blocked both the heat and the motion sensor.

Speaker 2:

Got it. There was an additional light sensor elsewhere in the vault. They were able to just take a couple of strips of rubber electrical tape and put that over the light sensor. And so, yeah, I mean, like I said, the book that I read was like it's 20 euro worth of hardware equipment defeating this, probably very expensive. Rebecca, do you think that they had similar equipment to test all these MacGyver type of hacks on, or do you think that they just had enough experience that they were able to contrive this without testing? My hunch is

Speaker 1:

one single failure would have maybe tripped an alarm that would have foiled the mission.

Speaker 2:

So the answer is most probably yes. They did have a similar alarm, like a heat-motion sensor alarm. That being said, it was well known that heat sensors of this kind could be masked, and there was actually a law put in place in 2002, so before the heist, in Belgium that any new sensors going in had to have, like, an anti-masking capability, so that this hairspray check would help. Got it.

Speaker 2:

So, yes, they were. Yeah, they definitely had somebody that was an absolute alarms expert, and they probably did have at least a similar sensor that they could mess around with. It's funny, Notarbartolo says his story is, like, the heist wasn't even his idea. He was approached by a shadowy figure to do it for him, and that shadowy figure provided a full-on replica of the vault, which is likely untrue, and also, I think, straight out of Ocean's Eleven.

Speaker 1:

I think that's... he's literally lifting a scene from... or we're going to pivot to a Russell Crowe movie, and his other personality was talking to his personality and it was really him. Yeah.

Speaker 2:

Yeah, the Wired article is very interesting to read, but you just got to read it with a grain of salt. So yeah, to answer your question, I think they did have copies, a copy of it or a replica or a similar sensor that they used. At the same time, it wasn't the first time somebody had been able to disable a heat sensor using either Vaseline or hairspray or something. Got it.

Speaker 2:

Yeah. So I mean, I think there's an analog here to obviously vulnerability patching, right, and vulnerabilities, but can you talk a little bit about the importance of, like, penetration testing and just testing out...

Speaker 1:

You've got all this fancy equipment that you trust, but just testing it regularly and making sure it's doing what it's... physical penetration test or logical or social engineering, all controls. Like even thinking about multi-factor: multi-factor still is a very, very good control. It was two-factor. And then the cell phone, like, controls continue to evolve because threat actors or criminals do find ways to defeat the controls. So I think any kind of test, whether it's a penetration test, a physical inspection, a walkthrough, controls review, an audit, all of them are gut-checking the reality of the controls that you believe are still effective and new and different ways that they might be able to be defeated, and the goal is to come to the conclusion of these gaps, internally or with external help, before the real crime happens or the real incident happens. So all of it is, you know, one of the auditor slogans from when, as you mentioned, when I was in audit way back in my career on the corporate side, is trust but verify.

Speaker 1:

Ultimately, people typically intend well. People don't grow up as one- and two-year-olds looking to become a jewel thief or whatnot. Things happen. But I think process, mindset, building things that are not singularly required, focusing only on one thing, like technology, or over-focusing on physical but not thinking about the technology exploits or, to your point throughout the whole story, like the simple people thing: if we can trick the human, the good controls that might be around might be defeated because that human had full access. So I think those are kind of my thoughts on the parallel learnings and, you know, kind of the testing and not being in the situation where you wish you would have had an insurance review and you wish you would have invested in the control gaps that it sounds like they knew they had, and that was why they were avoiding having to go through all that. So corner cutting and simple and cheaper often lead to the "wish I would have" post-haste analysis. That's tough to undo once you're past that point.

Speaker 2:

Yeah, exactly, yeah. I think that's well said for sure, and the truth is, like, we all, I think everybody that's worked as a security professional, there were things that you knew were there that you just couldn't get to for some reason, or you had to deprioritize.

Speaker 1:

I mean, that's the reality of it.

Speaker 2:

You have to prioritize what to get done. But I think, yeah, I mean, unfortunately, it's sort of like never getting comfortable, right? Never putting too much faith in one thing.

Speaker 1:

Yep. Good point.

Speaker 2:

Yeah, so we've got one more measure. They've got to get through the safety deposit boxes themselves. They also had a combination lock on there and then also a key. Any guesses on how they got into those safety deposit boxes?

Speaker 1:

Well, now I'm going to first say smash it with a hammer, because, you know, the simple things. I've never had a safety... I've accessed a safety deposit box, but if it has a combination and a key: picking the lock or having a copy of the key, and having to have studied, if it's a combination, either defeating the combination control or having that combination ahead of time. Those are the top-line intuitive options.

Speaker 2:

Yeah, I think you're on track with that first one. It's kind of a combination of both of what you said. It was a brute force method. What they did is they made a tool that was kind of a cranking tool, and it had two steel prongs on the end of it. So those two steel prongs would go into the keyhole, and then they would just basically, I'm not sure exactly if I can picture exactly how it would work, get enough torque to put pressure on the faceplate and just pop off that faceplate. And a little bit of context on that, and then I want to get your reaction, and not to put too fine a point on the sort of complacency cost that we've been talking about.

Speaker 2:

But there were about a dozen boxes that did not get breached, and we know they tried on at least a couple of them. Those were boxes that the sort of locksmith on call had reinforced with steel. I think those boxes, like, had needed maintenance or they broke or something. So when he replaced them, he reinforced the faceplate with steel because he knew the inner workings of that faceplate were just thin plastic. So it was a vulnerability, and he did mention multiple times to the building manager and the building owner that they needed to replace all the boxes, and the decision was just made that it wasn't. So, your reaction to that?

Speaker 1:

Makes sense. Yeah, sometimes the cost of replacing all the boxes at once is kind of like replacing all the Windows NT machines that exist in your manufacturing plant. That would cost way too much money for anybody to contemplate, but probably less than the heist itself, which is again always hindsight, 20/20, "wish I would have" type of analysis.

Speaker 2:

Yeah, and that is one of the things that I wanted to hit on too is, you know, assessing risk, and a lot of people think about likelihood. I'm guessing when they thought about this, they thought a thief would have to get into the building, into the vault, defeat all the sensors, and they're right. It's not likely that that would have happened. They really encountered some master thieves, but the impact was that it was a $100 million loss, confirmed, and likely more.

Speaker 1:

That's a lot of cheddar. That's a lot of cheddar, Rebecca.

Speaker 2:

It is still in the Guinness Book of World Records as the largest diamond heist ever. So that impact piece, because if we're introducing our clients to a risk register, we talk about likelihood and impact, and I think a lot of people consider likelihood and put a lot of weight on that and either don't consider impact or don't put a lot of weight on it. You know, $100 million uninsured, and most of the people with safety deposit boxes didn't have insurance on those either. They thought it was their insurance.

Speaker 1:

So the low likelihood, high impact, and because it was so low likelihood, dollars went elsewhere or, if they had a risk register, effort went elsewhere: other, bigger problems or business impact. Yep, absolutely. Yep. Makes sense.

Speaker 2:

So that's it. They get in through, they defeat all these security measures. They have more diamonds than they can carry.

Speaker 2:

That's why there's some left behind. They are able to get out of Belgium that night and back to Italy, but they actually have a little bit of a stroke of bad luck. Um, they had all stayed in Notarbartolo's apartment in the week leading up, and they had, you know, trash and then some evidence that they, like the videotapes and stuff that they collected, and they dispersed. They got rid of the trash in, like, a nature preserve just off of the highway in Belgium, which actually would have been a perfect place. Um, a lot of people dumped trash there. It was illegal, but a lot of people did it, a lot of teenagers, like, partying there and stuff, and it usually doesn't get noticed and probably wouldn't have gotten noticed before the elements destroyed it. They happened to choose the one part of the land that was owned by a man that was just absolutely fed up with everybody littering on his piece of the nature reserve, and he patrolled it regularly. So he didn't see it happen, but within, I think, 24 hours of them dumping the evidence, he was able to find it.

Speaker 2:

The heist was all over the news by that point. So they called the police, and that evidence eventually led to Notarbartolo and several of his accomplices, although some unidentified. Amazingly, Notarbartolo, knowing that they had found the trash but still thinking he was good to go, actually drove back to Belgium. He returned a rental car, and then he actually went into the Diamond Center as well and encountered the building manager. She stalled him, and he ended up being arrested at the Diamond Center. He ended up getting about 10 years. They were able to extradite and arrest at least a couple of his accomplices. They got five years. And then I want to make a quick note that the sources for all of this are in our show notes, and I wanted to get your final thoughts on this diamond heist and what we can learn from it as cybersecurity professionals.

Speaker 1:

I was hoping for a Scooby-Doo ending. You know, "we would have gotten away with it if it wasn't for those darn kids." So maybe, I don't know, like, wait, can we do the... and then maybe switch the ending to something more Hollywood-esque? No, no, I'm just kidding. No, I think the study you did is good.

Speaker 1:

It articulates it's not always the complex, you know, very sophisticated attacks and the things maybe that we strive to, you know, go after because it's the threat of the day. Sometimes the simplest things can be the things that make it easy for the criminals to do what they want. So even the boring stuff like patching servers, like, some of the cyber attacks that still happen today are still focusing on the most boring things, and here you're talking about a lot of physical controls. So I think the specific thing was they didn't have lasers and sharks and, like, a bunch of statistics. They had simple tools and simple hacks, and they clearly had enough experience to put those into use, but they didn't have maybe enough for Hollywood, which, back to your point of why the story has been embellished to make it more sexy and appealing to a consumer audience. That's kind of a key takeaway for me.

Speaker 2:

Yeah, I agree with all of that. Do the basics. People and process are just as important as technology. I think the only other thing that I would add is, from the time that I started in IT, not even cybersecurity but IT, I have heard the feedback from people that they don't want to do security controls, personally or the organization, because if there's a well-funded group out there and they really want to get at your stuff, they're going to do it. And I think one of the things that we learned, I learned, from this case study is, like, there are so many steps from the time that Notarbartolo signed that lease up until the day before the heist, when he's in the vault in full view of the camera spraying hairspray on the sensor. There are so many opportunities where just the slightest bit of due diligence would have foiled the thieves. That's what I really want people to think about as they take a takeaway from the story as well.

Speaker 1:

So takeaways: how to action that? Thinking through process, walking it, whether you're an auditor, whether you're a control operator, thinking that through, not taking for granted what you have, and then having outsiders and tests and things like that to simulate it. It kind of comes together. You know, maybe if they had an audit it might not have caught all these flaws that were taken advantage of. But really that combination of process mindset and testing really comes together, um, in any situation related to controls here, just like you're demonstrating. Absolutely, absolutely.

Speaker 2:

So I have a confession to make: I have actually never seen The Rock, so I think we should end it here, because I think I'm going to go home and watch The Rock tonight. Disappointment for me, for a movie that in high school was, you know, it was so memorable, and then to not have it the way...

Speaker 1:

It's kind of like a movie not being as good as the book, or the book not being as good as the movie. It's usually a movie not being as good as a book for a good book reader, but sometimes you get the story in your mind and then it's not the way it was.

Speaker 2:

So yeah, have you seen Escape from Alcatraz?

Speaker 1:

I don't know if I've seen that.

Speaker 2:

Clint Eastwood movie from the 60s or 70s, I think. Very good. That story is really interesting.

Speaker 1:

Cool, awesome. Well, yeah, thanks for putting this together. It was really fun, and I did not know what to expect. I have not seen much about this case. I knew of it, but it was fun to unpack it with you and think through some analogies to what we do on a day-to-day basis or, more importantly, what other individuals that are in positions of responsibility or oversight might be able to do differently based upon the insights.

Speaker 2:

Absolutely. Yeah, thanks for being game for this. We did keep it a secret from you and I'm sure that was a little nerve-wracking coming into this not knowing what to expect. So I appreciate you being game and I think your insights were really great.

Speaker 1:

Awesome. Thanks for doing it. Appreciate it, had fun.

Speaker 2:

All right, thank you, bye.
