Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:06):
Welcome back to
Simplify and Cyber.
I'm Aaron Pritz and today we have an extremely special mystery episode.
It's actually so extremely special and secret that I don't even know what's going to happen.
So today I'm joined by Rebecca, one of our senior cybersecurity consultants here at Reveal Risk, and she's the origin of this surprise episode.
And just to give you a little bit of background, basically our
(00:28):
producer informed me via my own calendar actually that we were about to do a secret, super secret episode, mystery episode with Rebecca and she'd be taking me through it.
What it is shall be determined, allowing me to take some reaction time to make some guesses about whatever it is.
I'm now stalling to further guess, but Rebecca has given no
(00:50):
indication, so I'm going to turn it over to her to unveil what is about to happen to me.
Gulp.
Speaker 2 (00:57):
Yep, yep, I'm actually just going to dive right into the story.
So for those of you who don't know, I'm still somewhat new to Reveal Risk.
One of the things that I learned very early on is that Aaron is one of the first people into the office in the morning, and we are actually going to have you guys keep that in mind during the story, because this story starts out in a typical
(01:18):
office building, Monday morning, 6:15 am, and the first person in the office is a security guard.
He's going on about three hours of sleep, we're not sure why, but I would guess that he is on autopilot, so he does a couple of things and then he has to go see to his main morning duty, which is actually opening up a huge vault in the sub-basement,
(01:41):
because this is actually not a typical office building.
This is an office building in the Diamond District in Antwerp, Belgium.
Speaker 1 (01:49):
I've always wanted to go to Belgium, so you're taking me to.
Speaker 2 (01:52):
Belgium, Rebecca, I know, and you just got back from Switzerland, right?
Speaker 1 (01:55):
I did, I did. I should have just went straight there, but I'm virtually now teleporting back to Europe to undertake this adventure.
Speaker 2 (02:03):
There you go.
So he's heading down the elevator, notices that the vault door is open.
Doesn't think too much of it.
There may be another security guard who got there earlier than he did, but when he walks into the vault he will see what is later described as a scene looking like a bomb has gone off.
There are the face plates of safety deposit boxes scattered
(02:26):
everywhere.
There are diamonds scattered everywhere.
There are gems, emeralds, cash of all different currencies, family heirlooms thrown on the floor, watches, lockets.
Speaker 1 (02:38):
Doesn't sound like a clean job.
Definitely not the Italian Job with such precision.
A bit of a mess, if I'm interpreting the scenario right.
Speaker 2 (02:46):
Yeah, it's interesting you say that, because I think one of the things we're going to explore with the story is Hollywood versus reality, right, when it comes to heists, and when it comes to cybersecurity as well.
And actually, what that security guard doesn't know, as he's standing there probably trying to process what he's
(03:07):
seeing, is the culprit.
The mastermind of this heist is a man that he has seen and spoken to regularly for over two years.
This is the story of the 2003 Antwerp Diamond Heist.
Speaker 1 (03:17):
And am I the security guard in this setting, or do I play myself?
Speaker 2 (03:21):
I just wanted to kind of put you in the mind frame of walking into work in the morning and then finding everything that you're supposed to protect just kind of splayed out in front of you.
I would imagine that is a pretty interesting experience to have, probably not a very positive one.
Speaker 1 (03:37):
Right, it's not going to be a good day for me as a security guard if I am.
Speaker 2 (03:40):
Oh, no, no.
So what we're going to do with this is I'm going to give you a little bit more context around the story, but then we are going to walk through each of the security measures that this building had just from a high level and talk about how it's similar or not similar to cybersecurity and how we think this could have been prevented.
So are you ready?
Speaker 1 (04:00):
I'm ready, let's do it.
Speaker 2 (04:02):
All right.
So you might be wondering why this particular building in Hungary has a big giant diamond vault in the basement.
Hungary actually has a pretty infamous diamond district where 80% of the world's rough diamonds pass through there.
So it's a huge center for polishing, cutting diamonds,
(04:24):
trading diamonds as well.
And then actually within that full diamond district is about a three block radius called the Secure Antwerp Diamond Area.
That is a totally.
Cars cannot go through there.
There's bollards at all the entrances, there's a 24 hour police presence and there's over 60 CCTV cameras there.
(04:46):
So already really secure.
And then this particular building, the Diamond Center building, is also considered to be very, very secure.
It's had comparisons to Fort Knox.
Speaker 1 (04:58):
Got it, got it.
Speaker 2 (05:00):
So it's in this context that, in the fall of 2000, a man named Leonardo Notarbartolo applies to rent an office building in the Diamond Center, which is the building.
He is able to get that, no problem.
He also gets a safety deposit box down in the vault and he
(05:20):
essentially spends two years doing reconnaissance.
He is not well known.
Speaker 1 (05:25):
As a good insider would, right.
Speaker 2 (05:28):
Exactly, exactly, and he is very charismatic, so the social engineering part is very easy for him.
He gets to know the guards really well.
He does things like he stays after hours to see if anybody will kick him out, because they're supposed to.
When they don't, he goes exploring around the building.
(05:50):
Similarly, he'll go into the vault five minutes before it's supposed to be closed and then, when they do come to kick him out, he can watch the procedure as they lock up the vault.
And what nobody knows in Antwerp but a lot of people know in Italy, is Notarbartolo is actually a really well-known jewel thief and he works with a crew of people.
This part of it, I will say, is somewhat similar to a Hollywood movie like Ocean's Eleven.
(06:10):
He has, you know, accomplices.
There's an alarms expert, there's a keys expert, so everybody has their role.
And he's actually walking around with, like, a bag that has a camera in it, and so he's recording things and sending these back to his accomplices.
Speaker 1 (06:27):
They're known as the school of... does he have a quirky hacker guy in this case, or was this predating the coolness of the hacker?
Speaker 2 (06:34):
I think you would say the alarms expert is probably the cool hacker guy.
But, um, but yeah, they do some things that are pretty ingenious, uh, but not highly technical, I would say.
And then Valentine's Day weekend 2003, on Saturday night they carry out this heist.
So that is the backstory.
(06:55):
And then let's dive into the security measures, and I think how I see this going is, I'll tell you kind of the security measures that they have to overcome.
I'll let you guess as to how they did it.
I'll talk through how they did it and what we can kind of learn from that.
Choose your own adventure.
Speaker 1 (07:13):
I'll now switch from my role of the security guard to the role of the jewel thief.
Speaker 2 (07:18):
Exactly, yeah.
Put your hacker hat and your jewel thief hat on for sure.
Great.
I will say that there's a lot to discuss here, so if we start to run low on time, I might start to crib this a little bit with the guessing and everything, but other than that, let's dive on in here.
So, starting with getting in the building. Now, Notarbartolo did
(07:38):
have a badge to get into the building, obviously, but at night and in off hours, like the weekends, the building was totally locked down.
There were metal, corrugated metal doors that came down in front of all the entrances.
There is a garage access to get into the building.
Corrugated metal doors came down there.
There's alarms on the windows and there is actually a
(07:58):
private apartment in the building where an on-call guard would stay.
So they're not necessarily patrolling, but they're there as an added security presence, but then also if a tenant did need to be let in for some reason in off hours.
So any guesses there on how maybe they get in?
Speaker 1 (08:17):
It's tough without seeing the visual experience, but you mentioned that they already had some access during normal ways and there were hours and they were able to see how the controls work.
So if I was in this role or on a team trying to recreate the situation, I'd be looking at times of gaps of the controls or
(08:38):
areas, times when the sensors were off, alarms were off, just to understand those patterns.
I think when you mentioned that they were doing reconnaissance, obviously you're trying to study the weaknesses.
So I don't know that I've spotted any specific weaknesses from what you're telling me, but I think I'm keenly looking for those.
Speaker 2 (08:58):
So Notarbartolo gave an interview to Wired Magazine, actually in 2009.
This is how he says it happened.
He said that the thieves stashed a ladder in the back of the building.
They climbed up to the second floor and there was a terrace on the second floor.
There was actually a body heat detector on that terrace.
Speaker 1 (09:18):
They said they used a homemade polyester shield to block that heat sensor and then they disabled the alarm. So you think that's like a polyester suit, like a nice crushed velvet polyester blend, or what are we talking about here?
Speaker 2 (09:33):
I will tell you you're zeroing in, I think, on the right thing. Okay, okay, I don't know.
He did not give more detail than essentially what I just said, so I don't know what it looked like.
Uh, he did describe it, though, as a shield.
Any other quick reactions to that?
Speaker 1 (09:47):
So, ladder, second floor, defeating a sensor based upon something that masked the visibility to that sensor.
I think I'm following along so far.
Speaker 2 (09:56):
So it's interesting.
What I think I kind of heard is that, you know, maybe the polyester shield didn't quite add up for you or maybe it was like a little bit confusing, which I would expect, because it is. That story that I just told you almost certainly is not how they got into the building.
So a little bit of context on Notarbartolo.
(10:18):
That is how he says it happened. At the time that he's giving this interview to Wired, he is jumping around this story to Hollywood studios to get a review, so this interview is highly suspect.
There are also a laundry list of other reasons why his story on a lot of this, and specifically this, does not work,
(10:39):
including some physical evidence.
So let me tell you how they did get in the building and then I'm gonna get your reaction. Yep, and actually a quick aside from a Hollywood standpoint, one of my favorite long time movies.
Speaker 1 (10:51):
I don't know that it's held up, but The Rock, you know, sneaking into Alcatraz.
You know, after seeing the movie, 10 years later, I was in San Francisco and I finally saw Alcatraz and I was looking for, you know, the setting from the shower scene, right where there was an elevated level, and you know, as they were coming up through the floor, the enemy had the drop on them and they were,
(11:12):
you know, aiming down, and then there was the standoff.
And when I got to Alcatraz and did the tour, it's a one story shower. There's an example of, like, yeah exactly.
You had to change the story, so maybe I, if you're trying to pitch Hollywood, I see maybe the intent of, you know, the ladder and the polyester suit and the top hat that inevitably had to
(11:32):
go with it.
Speaker 2 (11:33):
Yeah, I mean, and you know you can imagine it's like undercover of night, you know, sneaking up a ladder, absolutely.
And one of the things that I do want to get your reaction to as well, after we talk about what most likely happened is, I think, for cybersecurity too, there is the Hollywood version of what a hacker is, and then there's the reality of what a hacker is,
(11:53):
and you've kind of already touched on that a little bit.
So most likely, like I said, he had access to the building.
He had access to it after hours.
And we know two things.
One is that the doors from the building to the garage, they all had badge, you had a badge in, which would have left a digital footprint, except one was essentially a garage door opener
(12:15):
with a key, and he likely figured out that that operated on a radio frequency.
I don't know how much you know about radio frequencies, but apparently there were only like a thousand or four combinations.
(12:38):
I mean you think the analog is encryption, that's child's play, essentially.
Speaker 1 (12:43):
So they were able to figure that out. I may know from our penetration test team and a recent study the exact condition you're talking about, in a small number of codes to try through on fairly common physical security badge readers, maybe the outdated ones. Yeah, yeah, um, and they did find a duplicate, like physical key, in the safe that had been dropped by one of
(13:06):
the thieves, so it pretty much indicates they were going in through the garage one way or another.
Yeah, no, that's fair.
And in hacking, most of that, even if you're not that technical, you might remember DOS or command line prompts.
It's not 3D GUI displays, it's a lot of command line interactiveness.
It can be interesting what they're getting into, but the
(13:29):
optics of it, you know Sandra Bullock, The Net, and visualizing that on a Mac. Definitely some artist's creativity to make that more meaningful than watching command lines be typed.
Speaker 2 (13:40):
Absolutely, absolutely.
All right, let's head into the real fun stuff.
So now we're, like you said, we're wearing the Thief Hat, we are in the building and we are now standing in front of the vault.
So the vault actually had what I would call multi-factor authentication.
They had two ways that you needed to unlock it, and we know multi-factor authentication is what you know, what you have, those kinds of things.
(14:02):
So there was one thing which is what you know, and that was a combination.
So this is not a digital combination, it is a manual dial and if you looked over the dial, there's a little window that had numbers from 1 to 99, so it's a four number code, and then you would turn it one way, you know, turn it to go to
(14:24):
44 and then turn it back to 15.
Speaker 1 (14:27):
Are we going to put on our virtual stethoscopes to listen to what we'll fix or what's going on here?
Speaker 2 (14:35):
I mean, is that your guess?
Like that's a good guess.
Speaker 1 (14:38):
That'd be old school.
I have a feeling it's maybe more complicated than that, but let's see.
Speaker 2 (14:45):
So again, we're not positive.
And, by the way, the reason that we're not positive on a lot of these, some are confirmed, is because the security cameras that were actually within the building all went to VHS tapes that were all at like a guard station and Notarbartolo obviously knew exactly where that was.
So we have no security camera footage from this night.
(15:06):
We do have footage.
Speaker 1 (15:07):
Meaning the tapes were missing or the recordings didn't happen.
Speaker 2 (15:14):
The tapes were missing.
They took the tapes.
There was a recovery of part of a tape that was damaged.
They tried to restore it, but it didn't show anything.
So there's three possible options.
So I will walk through all of them and then I want you to tell me what you think is most plausible and, teasing it a little bit here, what sounds the most familiar to you, because I have a feeling a couple of these are going to sound familiar.
So first we have what Notarbartolo says.
Again, this highly sounds like it's from a heist movie.
(15:37):
He says they placed a fingertip sized video camera on the safe or on the safe door just above the guard's head.
That video camera sent the footage to a hard drive that was disguised as a fire extinguisher, and he made sure to note that it was a working fire extinguisher, and this is, uh, when VHS was still the medium.
Speaker 1 (15:59):
So we're talking physical wires, no Bluetooth.
Speaker 2 (16:03):
At that point it would have been wireless.
It's 2003, so it would have been wireless.
Speaker 1 (16:09):
I mean, that's certainly possible at the point right, that's pretty early days. Yeah, it's, and it's very.
Speaker 2 (16:17):
It's a lot of footage that you would have too, so I don't know how big that.
You know, in that time, how big the hard drive would have had to be.
There's other issues with that.
I mean, even if you're placing it in a way that can't be seen, if it's above the guard's head and the guard is looking down at the knob, it's probably blocking his view, the view from the camera.
Also, the guy that installed the door said that that lens,
(16:41):
when you were up close to it you could see the numbers, but the further away you got, it was distorted.
So that's a possibility, but there are issues.
There's two other possibilities.
One of the guards, and I know this is going to shock you, admitted that he had trouble remembering the code and that he had, on at least one occasion, wrote it down.
Speaker 1 (16:57):
Oh, the post-it note.
Was it under the keyboard?
Was it nailed to the door?
What are we talking about here?
Speaker 2 (17:04):
Well, in his pocket, he says, but this is, you know, Notarbartolo is a guy that's been stealing stuff since he was like nine years old, so I would imagine that picking a pocket would be pretty easy.
The third one is so, so fascinating.
I think we could do like an entire episode just on this theory, some that has been posited by an expert in the field, the possibility.
(17:25):
So if you go to, you know, if you've ever had like a high school locker, or you go to the gym and you use your own locker, you know that you type, you put the code in, unlock, and then when you go to lock it back up, sometimes it bounces back at you, right, because you haven't cleared out the code, right.
So this particular vault did not have a feature that a lot of
(17:47):
vaults have, which is called an auto-scrambler.
And what an auto-scrambler does is once you get the code in and you close the door, it automatically clears out the code.
So you have to lock, you have to re-enter the code, but this door didn't have that.
And the thought is that maybe the guards got complacent,
(18:07):
they got sick of forgetting the code, and so they would enter the code in in the morning and never clear it out and just let it ride as long as they could.
Opening and closing.
Those are the three theories.
What are your thoughts on?
Speaker 1 (18:22):
Yeah, the camera one at the technology at the time does seem not probable, I think maybe the third one seems most interesting to me.
Speaker 2 (18:34):
Me too, and actually before we move on, can you just talk about, because you used to be an auditor, in your experience, how much of an issue is complacency?
Speaker 1 (18:44):
Complacency, I think boredom, complacency, routine compensating measures, writing down a password or using the same password over and over again because it's easy.
So I do think sometimes laziness can be, even if you know better.
It's just the convenience of your day, and sometimes that's
(19:07):
where good intentions go by the wayside.
Speaker 2 (19:11):
Yep, I would agree with that.
Yeah, I think I've seen that a lot and I think it's interesting the reputation of the building compared to what was actually being done.
And sometimes I think, you know, optimism bias just kicks in a little bit.
Nobody's gonna, why would we, you know, work too hard, nobody's gonna really be able to get in here.
So the second part of this MFA is actually a key lock.
(19:33):
So once you get the combination in, then you have to insert a key.
It's a specially made key, it's about a foot long and it separates.
So the process is you would unlock the vault and you would separate the key into two pieces.
One is just basically like the big long kind of shaft of the key.
The other is what's called the stamp and that's what's got all
(19:55):
the nodules and stuff in it that turns the pins, and then the stamp is pretty small.
So the stamp would go into the guard's pocket and then you would have the two pieces separated at all times.
Any guesses on how they circumvented this?
Speaker 1 (20:10):
Sounds like the only thing that's truly the key is the thing in the pocket.
So if you had a separate long pole that you could attach, could you pick the pocket of the specific key if you've not already made a clone, and then you'd have one less thing that you'd have to obtain in real time.
Speaker 2 (20:26):
It's a good guess, potentially, so the answer is even more kind of silly.
The thieves were, so this is not disputed, although there's some details that are a little bit disputed.
But everybody agrees that sitting next to the vault in a locked storage room was the entirety of the key that had just been stored there.
So they just took a crowbar to that storage room and got the
(20:49):
key and were able to get in.
Speaker 1 (20:51):
So just go straight through the door, just bust it.
Speaker 2 (20:54):
Yeah, but the process was supposed to be that the only thing that was there was the shaft, and the entire key was there.
So at some point the process broke down and the guards were not carrying that stamp of the key with them.
So, again, complacency.
And then I think this is a good time to introduce something that we kind of preach at Reveal Risk, which is people and
(21:15):
process are just as important, right.
So there's a, we'll see a little bit more.
There's a lot of technology in this building, but the people and process are breaking down, um, and it's easy to be hard on the guards here, but there's obviously not a lot of governance taking place as well. Yep, yep, complacency can drive
(21:36):
that as well.
Speaker 1 (21:37):
Not only the original, but even the oversight.
So two levels of complacency issues. Cool, um.
Speaker 2 (21:43):
So one question I want to ask before we move on to the next measure here is we talked about how there's complacency involved, kind of at all levels.
What's the best way?
If you're an organization that has cybersecurity concerns and that's a concern for you, what's the best way to go?
Speaker 1 (22:00):
They always say like rotating duties, like if somebody is so bored and routine on their job they're going to miss the little things and they're just phoning it in.
So in audit, that, you know, when people are on vacations, like you're, you're having another person check things.
So like rotations are good.
I think also like having a review of the review or an
(22:22):
external audit itself to kind of make sure that you're not only relying on the primary mechanisms of whatever the control be, even if it's once or twice a year, just to kind of make sure everything's working.
Lessons learned, process improvement, I was in Six Sigma in one of my jobs, so just kind of process reviews, making it simpler, reducing the opportunities for human error
(22:45):
through simple learning, a process. All of those can be good options.
Speaker 2 (22:49):
Yeah, I would agree with all of that.
All right, so let's move on to.
Before they open this vault door, they have to also defeat a magnetic alarm.
So magnetic alarm, they're pretty common these days.
You probably see them on, like, sometimes people have them even in their home security, two little pieces of plastic that are magnets.
One's on the doorframe, one's on the actual door, and if you
(23:12):
open the door it breaks the magnetic field.
Speaker 1 (23:14):
Yes, I was.
I was coming along on a physical penetration test with our team and we were faced against some physical security controls that we were told would not be there.
And I remember when we were going up the exterior stairs there were some magnetic alarms that I saw.
I'm like we're supposed, we're authorized to do this, but
(23:38):
what's the chance this is going to external, silent alarm to, and then we'd have to deal with that.
So I've seen those intense situations where you're like Ooh, is that activated?
Is it going to work? All that?
Speaker 2 (23:47):
Yeah, yeah, did you try to? You didn't try to defeat that magnetic alarm, or?
Speaker 1 (23:53):
Anything we tried.
Oh yeah, these specific locks.
We got in through other ways, but these specific locks were very, very sophisticated.
It would have taken more time than I think we were afforded to, and there were easier paths then.
So don't start with the hardest options.
Speaker 2 (24:10):
Gotcha. Any guesses?
Well, let me tell you a little bit.
So the only difference here is that these are like a little bit more heavy duty.
So instead of two little plastic pieces, they're kind of brick sized metal pieces on either side of the door.
So that's the only difference there in terms of the alarms.
But otherwise they work the exact same way as what you
(24:31):
encountered.
Any guesses on how they defeated this?
Speaker 1 (24:36):
Maybe magnet systems to be able to open the door without the pressure or the magnetic field being released.
Or, since we've already smashed some doors, could I just cut through the door?
Speaker 2 (24:47):
Obviously that'd leave a pretty, pretty good trail. Yeah, or, or like my story of the penetration test, that if that option was too hard, maybe I'd pivot, right? I think it sounds like they did explore kind of a similar option to, I think, what you brought up first, which is they explored some like heavy, like physics way of maintaining the magnetic
(25:10):
field.
But what they actually did is, I mean, I hate to be, you know, people lost family heirlooms, I always have to remind myself, but I hate to be impressed.
But first they did some social engineering, which is an accomplice of Notarbartolo's, in the week leading up, badges in with Notarbartolo's badge and then shows the security guard a work order, he gets to go down into the vault.
(25:31):
He likely put like a bag or something over the cameras in the vault.
Why that didn't raise alarms I don't know.
But then what he does is he takes like a metal plate that they had custom made based off of what they knew.
They were able to fit it in between the bolts on both magnetic pieces and then he just very carefully unscrewed a
(25:54):
little bit of each of the bolts and then in between the sensor and the door he took a hacksaw and hacked off the lower part of the bolt and then he replaced that with double-sided tape and then removed the magnetic plate.
So everything looked the same, right.
Got it.
Then on the night of the heist, they were able to just put that
(26:16):
same plate back on it, pull off both magnets keeping them together, set them to the other side, because it's double-sided tape, and stick them there, and then they could just open the door and there's no, um. Got it, so it was still connected to the cords.
It was just placed, uh, to the side, stuck to the side so it would not trip. Okay, yeah, and again, I think, you know, this is
(26:40):
where it's an extremely smart person doing something that is incredibly resourceful, but he should have never been allowed in the building.
Somebody should have raised an alarm, checked on the work order, compared the work order to the fact that he was able to badge in with just a random tenant's badge.
(27:00):
Alarm bells should have been raised, like I said, the fact that the cameras were getting covered and, yeah, I don't know, I mean, what are your thoughts on it?
It's kind of mind boggling to me, to be honest.
Speaker 1 (27:11):
Yeah, I think basic background checks sometimes are foregone because you assume, hey, you trust people.
I've worked at companies that have a culture of trust and they believe that everyone's good.
But in most organizations, large, small, there's always personal stressors, life stressors.
You know the volume game of everyone probably at some point
(27:33):
had good intentions, but sometimes people go astray.
So I know of one company that hired somebody that didn't have a background check and they had. There was a murder, they were a murderer, but that had not been, and I won't go into too much detail there.
But, well, those types of stories are real and they exist.
And then there's the other thing of like sometimes background checks don't reveal things that are not public
(27:55):
record, right?
Yeah, so in this case it seems like this person had already been in jail, or they had been arrested, or they were unknown.
And if he was going by his actual identity, then a background check or something like that could have stopped it.
If he was, you know, fake passports and things like that, perhaps, you know, living a life of a different identity, it
(28:17):
might be tougher. Yeah, I mean, yeah, Notarbartolo.
Speaker 2 (28:22):
A background check would have certainly revealed something.
And then the added on idea of his accomplice.
His accomplice is able to come in with a work order and not be questioned.
There's no reason.
Like, you know, I don't think he brought up Notarbartolo's name other than using his ID to badge in.
But a tenant wouldn't be able to vouch for a maintenance man
(28:43):
on the building.
That doesn't make sense.
Speaker 1 (28:51):
It seems like, you know, you think, the Fort Knox of diamonds.
It seems like a classic case of a lot of effort going into the technology and the physical controls but not enough time spent on the human element or the process work.
You know, flaws, things like that.
So, yeah, I think maybe the emphasis is there's a lot of good effort put in place.
It just wasn't holistic enough and with enough time any control or system or company or whatnot usually can be defeated.
Speaker 2 (29:14):
Yeah, yeah, yeah, absolutely, and just to put a little bit of a button on that and we'll move into the last two measures here.
So one thing about this building is, although it did have a great reputation and it was Fort Knox, they did not have insurance on, like, theft insurance or insurance, and
(29:34):
there were other buildings within the district that did and they said, like one of the reasons that they didn't do it is because they knew that the insurance investigator would tell them you need to have background checks on your tenants and you need to, you know, do upgrades here, things.
Speaker 1 (29:51):
So, so cost constraints, wanting to shortcut things. Hindsight's 20/20, they probably would have got that, but they didn't for those reasons. Yeah, and that's fair.
Speaker 2 (30:03):
I mean it is important to say, like, you know, these are real people, the guards and the building manager and the owner.
I mean I think the building manager really kind of ruined her life, this heist that happened.
So definitely empathy there.
But I think there's so much that we can, fortunately, some of the complacency that just wasn't raised.
So there's another alarm that they need to disable, another couple of alarms they need to disable before they can actually
(30:23):
step into the vault.
So the one we're going to focus on is it's a combined heat and motion sensor.
So it measures when you walk into the vault, it measures the body heat change and then it also separately, using microwaves, measures temperature.
Speaker 1 (30:41):
Um, any guesses, and I will give you a little bit of a hint, at least an element of how they defeated this has a very similar, is very similar, to a YouTube video that we had that went a little bit. Yep, so the body heat and motion, and you're referring to the using the canned air to trip the motion on an automatic exit that shows people coming out,
(31:03):
unlocks the door but doesn't obviously let you in unless you have a stick or canned air or whatever to sensor that.
So I mean I wanted to say, you know, Tom Cruise coming down on a pulley system and, you know, but that was a pressure sensor in the floor.
So I mean I guess I would say, I mean the earlier body sensor, they used the polyester.
(31:24):
So was there something then to keep a consistent temperature or something to wrap around the sensor so it would maintain consistency while they were coming in or out on that?
Speaker 2 (31:38):
It's a good callback. It's even simpler than that. The day before the heist, Notarbartolo walks into the vault, as he has so many times before, which he is allowed to, but I think he'd established enough rapport that he felt pretty comfortable. He wouldn't be flagged or watched. Really, he's got a can of hairspray in his hand and at least one documentary that I watched on this, I don't know if they're speculating on this or not, but they kind of indicate that he maybe kind of stretches out, like, pretends that he's stretching, and he sprays a bit of hairspray on the sensor, and what that does is it temporarily masks the heat sensor. So from there, once they are, then it's the night of the heist and they're about to step into the vault. All they would really have to do, at least according to the sources that I read, is initially, as they're walking in, they would kind of walk in slow motion to kind of fool the motion sensor, which is kind of funny to think about. Um, and then they had a bit of styrofoam on a broomstick that they were able to just hang off of the motion sensor and it blocked both the heat and the motion sensor. Got it. There was an additional light sensor elsewhere in the vault. They were able to just take a couple of strips of rubber electrical tape and put that over the light sensor and so, yeah, I mean, like I said, the book that I read was like it's 20 euro worth of hardware equipment defeating this probably very expensive... Rebecca, do you think that they had similar equipment to test all these MacGyver type of hacks on, or do you think that they just had enough experience that they were able to contrive this without testing? My hunch is
Speaker 1 (33:20):
one single failure would have maybe tripped an alarm that would have foiled the mission.
Speaker 2 (33:26):
So the answer is most probably yes. They did have a similar alarm, like heat motion sensor alarm. That being said, it was well known that heat sensors of this kind could be masked and there was actually a law put in place in 2002, so before the heist, in Belgium that any new sensors going in had to have like an anti-masking capability, so that this hairspray check would help. Got it. So, yes, they were. Yeah, they definitely had somebody that was an absolute alarms expert, and they probably did have at least a similar sensor that they could mess around with. It's funny, Notarbartolo says his story is like the heist wasn't even his idea. He was approached by a shadowy figure to do it for him, and that shadowy figure provided a full-on replica of the vault, which is likely untrue, and also, I think, straight out of Ocean's Eleven.
Speaker 1 (34:24):
I think that's he's literally lifting a scene from... or we're going to pivot to a Russell Crowe movie and his other personality was talking to his personality and it was really him. Yeah.
Speaker 2 (34:35):
Yeah, the Wired article is very interesting to read, but you just got to read it with a grain of salt. So yeah, to answer your question, I think they did have copies, a copy of it or a replica or a similar sensor that they used. At the same time, it wasn't the first time somebody had been able to disable a heat sensor using either Vaseline or a hairspray or something. Got it. Yeah. So I mean, I think there's an analog here to obviously vulnerability patching, right, and vulnerabilities, but can you talk a little bit about the importance of, like, penetration testing and just testing out?
Speaker 1 (35:13):
You've got all this fancy equipment that you trust but just testing it regularly and making sure it's doing what it's... physical penetration test or logical or social engineering, all controls. Like, even thinking about multi-factor. Multi-factor still is a very, very good control. It was two-factor. And then the cell phone, like, controls continue to evolve because threat actors or criminals do find ways to defeat the controls. So I think any kind of test, whether it's a penetration test, a physical inspection, a walkthrough, controls review, an audit, all of them are gut checking the reality of the controls that you believe are still effective and new and different ways that they might be able to be defeated, and the goal is to come to the conclusion of these gaps, internally or with external help, before the real crime happens or the real incident happens. So all of it is, you know, one of the auditor slogans from when, as you mentioned, when I was in audit way back in my career on the corporate side, is trust but verify. Ultimately, people typically intend well. People don't grow up as one- and two-year-olds looking to become a jewel heist or whatnot. Things happen. But I think process, mindset, building things that are not singularly required, crying focus only on one thing, like technology, or over-focusing on physical but not thinking about the technology exploits or, to your point throughout the whole story, like simple people thing, and if we can trick the human, the good controls that might be around that might be defeated because that human had full access. So I think those are kind of my thoughts on the parallel learnings and, you know, kind of the testing and not being in the situation where you wish you would have had an insurance review and you wish you would have invested in the control gaps that it sounds like they knew they had and was why they were avoiding having to go through all that. So corner cutting and simple and cheaper often lead to the "wish I would have" post-haste analysis. That's tough to undo once you're past that point.
Speaker 2 (37:27):
Yeah, exactly, yeah. I think that's well said for sure, and the truth is, like, we all, I think everybody that's worked as a security professional, there were things that you knew that were there, that you just couldn't get to for some reason, or you had to deprioritize.
Speaker 1 (37:41):
I mean, that's the reality of it.
Speaker 2 (37:43):
You have to prioritize what to get done. But I think, yeah, I mean, unfortunately, it's sort of like never getting comfortable, right, never putting too much faith in one thing.
Speaker 1 (37:52):
Yep.
Good point.
Speaker 2 (37:54):
Yeah, so we've got one more measure. They've got to get through the safety deposit boxes themselves. Also had a combination lock on there and then also a key. Any guesses on how they got into those safety deposit boxes?
Speaker 1 (38:09):
Well, now I'm going to first say smash it with a hammer, because you know the simple things. I've never had a safety... I've accessed a safety deposit box, but if it has a combination and a key, picking the lock or having a copy of the key and having to have studied, if it's a combination, either defeating the combination control or having that combination ahead of time. Those are the top line intuitive options.
Speaker 2 (38:35):
Yeah, I think you're on track with that first one. It's kind of a combination of both of what you said. It was a brute force method. What they did is they made a tool that was like kind of a cranking tool and it had two steel prongs on the end of it. So those two steel prongs would go into the keyhole and then they would just basically, I'm not sure exactly if I can picture exactly how it would work, get enough torque to put pressure on the faceplate and just pop off that faceplate. And a little bit of context on that, and then I want to get your reaction, and not to put too fine a point on the sort of complacency cost that we've been talking about, but there were about a dozen boxes that did not get breached and we know they tried on at least a couple of them. Those were boxes that the sort of locksmith on call had reinforced with steel. I think those boxes, like, had needed maintenance or they broke or something. So when he replaced them he reinforced the faceplate with steel because he knew it was just the inner workings of that faceplate was just thin plastic. So it was a vulnerability and he did mention multiple times to the building manager and the building owner that they needed to replace all the boxes and the decision was just made that it wasn't. So your reaction to that?
Speaker 1 (39:54):
Makes sense. Yeah, sometimes the cost of replacing all the boxes at once are kind of like replacing all the Windows NT machines that exist in your manufacturing plant. That would cost way too much money for anybody to contemplate, but probably less than the heist itself, which is again always hindsight, 20/20, "wish I would have" type of analysis.
Speaker 2 (40:15):
Yeah, and that is one of the things that I wanted to hit on too is, you know, assessing risk, and a lot of people think about likelihood. I'm guessing when they thought about this, they thought a thief would have to get into the building, into the vault, defeat all the sensors, and they're right. It's not likely that that would have happened. They really encountered some master thieves, but the impact was that it was a $100 million loss, confirmed, and likely more.
Speaker 1 (40:47):
That's a lot of cheddar. That's a lot of cheddar, Rebecca.
Speaker 2 (40:51):
It is still in the Guinness Book of World Records as the largest diamond heist ever. So that impact piece, because if we're introducing our clients to a risk register, we talk about likelihood and impact, and I think a lot of people consider likelihood and put a lot of weight on that and either don't consider impact or don't put a lot of weight on it. You know, $100 million uninsured, and most of the people with safety deposit boxes didn't have insurance on those either. They thought it was their insurance.
Speaker 1 (41:21):
So the low likelihood, high impact, and because it was so likelihood, dollars went elsewhere or, if they had a risk register, effort went elsewhere. Other, bigger problems or business impact. Yep, absolutely. Yep. Makes sense.
Speaker 2 (41:39):
So that's it. They get in through, they defeat all these security measures. They have more diamonds than they can carry. That's why there's some left behind. They are able to get out of Belgium that night and back to Italy, but they actually have a little bit of a stroke of bad luck. Um, they had all stayed in Notarbartolo's apartment in the week leading up and they had had, you know, trash and then some evidence that they, like the videotapes and stuff that they collected, and they dispersed. They got rid of the trash in, like, a nature preserve just off of the highway in Belgium, which actually would have been a perfect place. Um, a lot of people dumped trash there. It was illegal but a lot of people did it, a lot of teenagers, like, partying there and stuff, and usually doesn't get noticed and probably wouldn't have gotten noticed before the elements destroyed it. They happened to choose the one part of the land that was owned by a man that was just absolutely fed up with everybody littering on his piece of the nature reserve and he patrolled it regularly. So he didn't see it happen, but within, I think, 24 hours of them dumping the evidence, he was able to find it. The heist was all over the news by that point. So they called the police and that evidence eventually led to Notarbartolo and several of his accomplices, although not identified, unidentified. Amazingly, Notarbartolo, knowing that they had found the trash but still thinking he was good to go, he actually drove back to Belgium. He returned a rental car and then he actually went into the Diamond Center as well and encountered the building manager. She stalled him and he ended up being arrested at the Diamond Center. He ended up getting about 10 years. They were able to extradite and arrest at least a couple of his accomplices. They got five years. And then I want to make a quick note that the sources for all of this are in our show notes, and I wanted to get your final thoughts on this diamond heist and what we can learn from it as cybersecurity professionals.
Speaker 1 (43:43):
I was hoping for a Scooby-Doo ending. You know, we would have gotten away with it if it wasn't for those darn kids. So maybe, I don't know, like, wait, can we do the... and then maybe switch the ending to something more Hollywood-esque? No, no, I'm just kidding. No, I think the study you did is good. It articulates not always the complex, you know, very sophisticated attacks and the things maybe that we strive to, you know, go after because it's the threat of the day. Sometimes the simplest things can be the things that make it easy for the criminals to do what they want. So even the boring stuff like patching servers, like some of the cyber attacks that still happen today, are still focusing on the most boring things, and here you're talking about a lot of physical controls. So I think the specific thing was they didn't have lasers and sharks and, like, a bunch of statistics. They had simple tools and simple hacks and they had clearly had enough experience to put those into use, but they didn't have maybe enough for Hollywood, which, back to your point of why the story has been embellished to make it more sexy and appealing to a consumer audience. That's kind of a key takeaway for me.
Speaker 2 (45:05):
Yeah, I agree with all of that. Do the basics. People and process are just as important as technology. I think the only other thing that I would add is, from the time that I started in IT, not even cybersecurity, but IT, I have heard the feedback from people that they don't want to do security controls, personally or the organization, because if there's a well-funded group out there and they really want to get at your stuff, they're going to do it, and I think one of the things that we learned, I learned, from this case study is, like, there are so many steps from the time that Notarbartolo signed that lease up until the day before the heist, when he's in the vault in full view of the camera spraying hairspray on the sensor. There are so many opportunities where just the slightest bit of due diligence would have foiled the thieves. That's what I really want people to think about as they take it as a takeaway from the story as well.
Speaker 1 (46:06):
So takeaways, how to action that? Thinking through process, walking it, whether you're an auditor, whether you're a control operator, thinking that through, not taking for granted what you have and then having outsiders and tests and things like that to simulate it, it kind of comes together. You know, maybe if they had an audit it might not have caught all these flaws that we're taking advantage of. But really that combination of process, mindset and testing really comes together, um, in any situation related to controls here, just like you're demonstrating. Absolutely, absolutely.
Speaker 2 (46:42):
So I have a confession to make. I have actually never seen The Rock, so I think we should end it here, because I think I'm going to go home and watch The Rock tonight. Disappointment for me for a movie that in high school was, you know, it was so memorable and then to not have it the way.
Speaker 1 (47:07):
It's kind of like a movie not being as good as the book or the book not being as good as the movie. It's usually a movie not being as good as a book for a good book reader, but sometimes you get the story in your mind and then it's not the way it was.
Speaker 2 (47:20):
So yeah, have you seen Escape from Alcatraz?
Speaker 1 (47:24):
I don't know if I've seen that.
Speaker 2 (47:26):
Clint Eastwood movie from the 60s or 70s, I think. Very good. That story is really interesting.
Speaker 1 (47:32):
Cool, awesome, well, yeah, thanks for putting this together. It was really fun and I did not know what to expect. I have not seen much about this case. I knew of it, but it was fun to unpack it with you and think through some analogies to what we do on a day-to-day basis or, more importantly, what other individuals that are in positions of responsibility or oversight might be able to do differently based upon the insights.
Speaker 2 (47:58):
Absolutely. Yeah, thanks for being game for this. We did keep it a secret from you and I'm sure that was a little nerve-wracking coming into this not knowing what to expect. So I appreciate you being game and I think your insights were really great.
Speaker 1 (48:10):
Awesome.
Thanks for doing it.
Appreciate it, had fun.
Speaker 2 (48:13):
All right, thank you, bye.