
Online Banking Security Magazine, 2/2011

Analyzing the Biggest Bank Robbery in History: Lessons in OSSTMM Analysis
Many banks have no idea what a powerful weapon against attacks they have in the OSSTMM. The Open Source Security Testing Methodology Manual is a free, collaborative project by the international non-profit ISECOM that is years ahead of traditional security methods. The power and elegance of the OSSTMM became clear while I was at a cafe in Bern, Switzerland last year to meet with two other ISECOMers, Nick Mayencourt, a Board Director, and Philipp Egli, an ISECOM trainer, and the talk turned to robbing banks. That's not uncommon, because Switzerland is very big on banking and also very big on security, especially the OSSTMM. So with the biggest diamond heist of the last century in the news again (it has drawn comparisons to the movie Ocean's Eleven), we took a look at the case through the eyes of an OSSTMM Analyst. This is how it went.

As the story goes, it was on a winter morning in February 2003 when a guard in the Antwerp Diamond Center got quite the surprise. He found the multi-ton steel safe door wide open and, inside the vault, the chaos of destroyed safety deposit boxes. Yet no alarm had sounded. With a quick call to the alarm central station he was informed that the system was running just fine and there had been no notifications since it was armed the night before. There was no clear sign of a break-in, yet $189 million in diamonds were missing (and still are).

We discussed this robbery in detail. While we didn't have clear details on how the robbery really went down, we did know the bank's security measures. They were robbed despite being two floors underground and having a three-ton steel door, a steel gate, closed-circuit cameras, heat sensors, light sensors, and a tremor sensor. So how could this happen? With so many diamonds at stake and ten layers of security, how did Defense in Depth fail them? This is exactly what the third, new version of the OSSTMM is great for. Unlike compliance objectives, which focus on what you have and how it's configured, the OSSTMM 3 scores operational effectiveness: how it works.

Some will say that this is why many organizations employ penetration tests to get this kind of foresight. They say penetration testing will allow them to find the effective attacks before the attackers do. Too bad contemporary penetration tests are not as effective as the penetration testers want you to believe. The OSSTMM started as a penetration testing methodology back in 2001 because penetration testing was the best tool for seeing the big picture of how a process or system operates. The concept was that while quality testing is great for determining how well a component works in a system, penetration testing will help you understand how well all the components work together in the system. Like a fire drill, though, penetration tests must be done repeatedly because any change in the environment, systems, people, or processes will affect the results. This is why fire drills are called drills: it does little good to do them just once. So the occasional penetration test may work for the physical and human response testing of a bank with little change or low turnover, but not for electronic systems like e-banking web applications, which are in a near-constant state of development and improvement. This is why penetration testing during the development cycle, when the environment can be held constant, is so critical to assuring that interoperational security gets properly designed into the system. Once a system is built and deployed, however, penetration testing greatly loses effectiveness. So even a traditional penetration test of the Antwerp diamond vault would not have been enough. Back in 2001, when ISECOM first released the OSSTMM, penetration testing seemed like the best thing to evaluate operational security.
The OSSTMM was created to address what were then known as the main problems of penetration testing: the inconsistency of penetration testing services, no clear definition or deliverable, testing the skills of the tester more than the operations, the cultish promise to prove a negative (the logical fallacy that if a penetration tester didn't find problems then the system was secure), and the use of a hidden, proprietary methodology which made it impossible for a client to really know which tests were performed where. It was these problems which encouraged a standard security testing methodology to improve transparency, consistency, and thoroughness. As time went on, it was clear this wouldn't solve all the problems. The biggest problem was that the researchers found there was no way to quantitatively and accurately measure security from penetration tests (because of the illogical problem of proving a negative, and math being a logical thing). So while a penetration test can find some of the holes, even some of the big ones, there is no way it can find them all, and certainly no way the testers can truthfully say they are finding the ones that hackers will. Another problem that exacerbated this was that thorough penetration testing required the tester to gain deep knowledge of the operations to be sure the right things were being tested the right way. This was likely the lesson that the Antwerp diamond exchange learned the hard way: the winner of any security contest is the one who knows more, and more deeply, about the systems and operations. So in the development of the third version of the OSSTMM a new way of thinking about security emerged which not only corrected these problems with a better, extremely powerful framework but took security testing and analysis far beyond penetration testing. This new way of thinking about security requires three main things:

1. Prioritize tests by shifting the focus from guessing future threats to that which you have reason to trust;
2. Identify and verify all interactions and the protections for those interactions;
3. Optimize the balance between security and operations.

It is in applying this new version of the methodology that the weaknesses of the Antwerp diamond vault become incredibly, bluntly obvious.

Analyzing Ocean's Eleven

Spectacular bank robberies are part of the standard repertoire of Hollywood films. Of course, realism isn't necessarily required. However, in this case, the character played by George Clooney, the archetype of the sympathetic bank robber, actually did exist. A year before the robbery of the century, Leonardo Notarbartolo drank an espresso in the Antwerp diamond district. He rented an office there to trade in wholesale diamonds. He kept a regular schedule, smiled at the people he saw each day, and was sure to be seen walking down the street with the Gazzetta dello Sport under his arm. He was one of the nicest and most clever thieves of modern times. With a hidden miniature camera he entered the diamond vault two stories below ground. You see, he kept his diamonds stored there for safety. That gave him many opportunities to watch and record the operations of the bank, the personnel, and most importantly, its security. He kept his eyes open for the smallest details, including the entrance code to the vault.

What You Need to Know

Authentication alone can be overcome. This is why the OSSTMM recommends multiple, different controls for each point of interaction, described as Defense in Width.

Here we'll pause the story for a moment. What Leonardo is doing is the first step of an attacker: reconnaissance. He's looking for all the points of interaction from outside the vault to the inside. According to the OSSTMM there are only two ways to take something: you either take it or you have somebody give it to you. These two different types of interaction are defined as Access and Trust. So why does Leonardo have access to the vault? Because he's a polite, well-known businessman in the area who happens to be a client of the bank. In OSSTMM terminology, he's abusing operational trust.

Quality Security Defenses

Operational Trust

The OSSTMM 3 has integrated tests for operational trust. There are 10 properties which are logical reasons to trust someone or something. The easiest technique for using the Trust Properties is to create quantitative rules from the properties with which to evaluate the target person, thing, or interaction. Each rule is scored as a percentage and the percentages from all 10 properties are averaged. The closer to 100% you get, the safer it is to extend trust. It's a very accurate way to analyze and extend trust free of bad intuition or unqualified gut instinct. One condition trust analysts tend to find in this process is that in day-to-day life, people are often satisfied with just one or two of these properties being met. This is likely because social context makes it uncomfortable for people to challenge untrusted properties, and it's considered offensive to challenge someone who successfully meets some of the properties, especially Transparency (like Leonardo, who's a nice, known businessman in the area) and Consistency (he's a registered client who visits the vault regularly and never causes problems). Meanwhile, he would score very low on the other 8 reasons to trust him, marking him as an untrustworthy individual.

The vault was scrutinized for weeks before the robbery took place. The vault team included the Genius, who was a master of disabling alarm systems; the King of Keys, who was an expert key forger; and a man they called Monster, a huge, strong man who was also a monstrously good electrician, driver, lock pick, and mechanic. Each team member had a task befitting his skills, which also coincided with the interaction points that Leonardo discovered. So what happened was that each team member knew more about a particular system within the operation than the bank personnel did. An OSSTMM analysis would have discovered that the operators of the security mechanisms knew little about how they worked, and if they had known what was required of them, maybe they wouldn't have left Leonardo, or anyone else, alone in the vault. One day before the robbery, Leonardo entered the vault on legitimate business. Left alone for privacy, as he knew he would be, he sprayed the motion and heat sensors with hairspray. Then he packed up his things and stepped out, thanking the guard and giving his regards to the wife and kids. Why not? He was a nice guy.

Safety vs. Security

A central theme of security is specifically the definition of security. The OSSTMM classifies security as a physical separation between an asset and a threat. Safety, on the other hand, is the means to control threats at the point of interaction. In this case, a vault falls close to the definition of security. It provides a physical separation between what is outside the vault and the assets inside the vault. Except that you also need to be able to have some interaction with the vault to put new assets in or take assets out. To prove that, Leonardo the diamond thief is standing in a vault filled to the ceiling with diamonds. This is where Safety comes into play. Since interactions are required for successful operations, there must be some operational controls to protect the assets from unauthorized exit. The OSSTMM findings show 10 operational controls to protect against all threats. You cannot say one control is stronger than another, since each protects against a different umbrella of attack types. However, one implementation of a control can certainly be weaker than another. One of the places this is obvious is Authentication. Whether it's a lock and key, a login and password, or a Do Not Fly List, these Authentication controls require Identification to function correctly. If the threat can pass itself off as, say, a legitimate diamond wholesaler, then it will receive Authorization for Access, bypassing the Authentication put in place to prevent a criminal from just walking into the vault to size it up.

Controls and Limitations

The OSSTMM describes 10 operational controls. The concept is that the less reason you have to trust someone or something (the trust properties), the more varied controls you should have for protection, up to 10 per interaction. That is called making the perfect balance between operations and protection. These 10 controls are divided into two classes: interactive and process. Interactive controls react to direct contact with the threat, whereas process controls do not. What you see here is that it is important to have controls which are different. As it is, most controls on their own are fairly ineffective. What you don't want is two different security mechanisms, say heat and motion detectors, both providing incomplete Authentication and both susceptible to being nullified with the same can of hairspray.

The bank had installed a heat and motion sensor at the entrance of the vault, both Authentication controls (an Interactive control), which were designed to sound an Alarm (a Process control). Since the Alarm control was dependent on the Authentication sensors, no alarm could sound if they were blocked. This is calculated as a Limitation, a flaw defined not by impact or prevalence, as with risk ratings, but by what it does and what it affects. The value of the Limitation is calculated from which operational controls are in place as well as how many different types of interactions are allowed with the targets. This makes it a very flexible and unbiased way to measure any kind of vulnerability because, as you know, each flaw is fairly unique in how it affects different operations. Not all buffer overflow vulnerabilities will give root access if attacked; it depends on the protections in place. In addition to that, it's also easy to categorize Limitations. For example, a Vulnerability is a flaw which provides Access to an asset, denies Access to an asset, or allows one to hide an asset within the scope. It's very straightforward and requires no guessing about its ease of use or impact. Sometimes, though, a flaw will have more than one type of Limitation. For example, a factory default login and password mechanism on a router would be a Weakness, which is any flaw that affects Interactive controls, and a Vulnerability, because it provides Access as well. See, it's very straightforward. There are a total of five classifications of Limitations in the OSSTMM. The last three are Concern, which is any flaw that affects Process Controls; Exposure, which is any flaw that provides information giving specific attack knowledge or opportunity; and Anomaly, which is not specifically a flaw but an unknown or uncontrolled interaction. One of the enlightening features of analyzing security according to this process is in seeing how poor Controls, that is, Controls with inherent Limitations, like login and password schemes that provide no mechanism against brute forcing, add up to provide more protection AND more flaws. One can then see how layers of incomplete or poor controls will actually make something less secure, especially if the controls they provide are redundant, like two firewalls in a row, or just not reliable, like blacklist controls.
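The dependency and same-type layering just described can be made mechanical. The following Python is an added example written for this article; it is not ISECOM's attack surface calculator and it does not compute ravs. The control class names are the ten OSSTMM 3 operational controls, but the mechanism inventories, the "defeated_by" technique tags and the dependency links are assumptions drawn from the narrative of the heist, not data from the page's tables. The code classifies each mechanism's Limitation by the rule given in the text (a flawed Interactive control is a Weakness, a flawed Process control a Concern, a flaw that grants Access a Vulnerability), reports which of the ten control classes actually cover an interaction point (Defense in Width), and counts how many distinct techniques an attacker needs, which is where layers that share one bypass collapse into a single layer.

```python
"""OSSTMM-style Controls and Limitations review of one interaction point.

Added example for this article: not ISECOM's calculator, no rav arithmetic.
Control class names are the ten OSSTMM 3 operational controls; the
inventories and bypass tags below are assumptions taken from the narrative.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# OSSTMM 3 operational controls: Class A (interactive) and Class B (process).
INTERACTIVE = {"Authentication", "Indemnification", "Resilience",
               "Subjugation", "Continuity"}
PROCESS = {"Non-repudiation", "Confidentiality", "Privacy",
           "Integrity", "Alarm"}
ALL_CONTROLS = INTERACTIVE | PROCESS


@dataclass
class Mechanism:
    name: str
    controls: Set[str]                                   # classes it provides
    defeated_by: Set[str] = field(default_factory=set)   # assumed bypass tags
    depends_on: Optional[str] = None                     # mechanism it needs
    provides_access: bool = False                        # defeat yields Access


def _bypasses(m: Mechanism, by_name: Dict[str, Mechanism]) -> Set[str]:
    """Techniques that nullify m, including those that nullify its input:
    an Alarm wired to a sensor falls with the sensor."""
    techs = set(m.defeated_by)
    if m.depends_on is not None:
        techs |= by_name[m.depends_on].defeated_by
    return techs


def classify(mechs: List[Mechanism]) -> Dict[str, List[str]]:
    """Limitation classes per mechanism, by the definitions in the text.
    One flaw may carry more than one class."""
    by_name = {m.name: m for m in mechs}
    result: Dict[str, List[str]] = {}
    for m in mechs:
        lims: List[str] = []
        if _bypasses(m, by_name):
            if m.controls & INTERACTIVE:
                lims.append("Weakness")
            if m.controls & PROCESS:
                lims.append("Concern")
            if m.provides_access:
                lims.append("Vulnerability")
        result[m.name] = lims
    return result


def width(mechs: List[Mechanism]) -> Tuple[Set[str], Set[str]]:
    """Defense in Width: distinct control classes present, and the missing
    ones. Five Authentication layers still count as one class."""
    present: Set[str] = set()
    for m in mechs:
        present |= m.controls
    return present, ALL_CONTROLS - present


def techniques_needed(mechs: List[Mechanism]) -> Tuple[List[str], List[str]]:
    """Greedy minimum set of techniques that defeats every mechanism (exact
    for inventories this small), plus mechanisms no known tag defeats.
    Depth is only real when the layers need different techniques."""
    by_name = {m.name: m for m in mechs}
    bypass = {m.name: _bypasses(m, by_name) for m in mechs}
    undefeated = sorted(n for n, t in bypass.items() if not t)
    remaining = {n for n, t in bypass.items() if t}
    candidates = sorted({t for techs in bypass.values() for t in techs})
    chosen: List[str] = []
    while remaining:
        best = max(candidates,
                   key=lambda t: sum(1 for n in remaining if t in bypass[n]))
        chosen.append(best)
        remaining -= {n for n in remaining if best in bypass[n]}
    return chosen, undefeated


# Constructed inventories following the narrative (assumed, not the page's tables).
VAULT_DOOR = [
    Mechanism("Magnetic sensor", {"Authentication", "Alarm"}, {"remount on dense metal"}),
    Mechanism("High security key lock", {"Authentication"},
              {"key from vestibule", "forged key"}, provides_access=True),
    Mechanism("Combination lock", {"Authentication"}, {"filmed dial"}, provides_access=True),
    Mechanism("Tremor sensor", {"Authentication", "Alarm"}, {"open without vibration"}),
    Mechanism("Steel gate lock", {"Authentication"}, {"lock picking"}, provides_access=True),
]
INSIDE_VAULT = [
    Mechanism("Heat/motion sensor", {"Authentication"}, {"hairspray", "bridge sensor lines"}),
    Mechanism("Heat/motion alarm", {"Alarm"}, depends_on="Heat/motion sensor"),
    Mechanism("Light sensor", {"Authentication", "Alarm"}, {"bridge sensor lines"}),
]


def report(label: str, mechs: List[Mechanism]) -> str:
    present, missing = width(mechs)
    chosen, undefeated = techniques_needed(mechs)
    lines = [f"{label}: {len(mechs)} mechanisms, {len(present)} of 10 control classes "
             f"({', '.join(sorted(present))}); missing: {', '.join(sorted(missing))}",
             f"  techniques an attacker needs: {len(chosen)} ({', '.join(chosen)}); "
             f"undefeated: {undefeated or 'none'}"]
    for name, lims in classify(mechs).items():
        lines.append(f"  {name}: {', '.join(lims) or 'no limitation found'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report("Vault door", VAULT_DOOR))
    print(report("Inside vault", INSIDE_VAULT))
```

Run as a script, the door shows five mechanisms that cover only two of the ten control classes, and the inside of the vault shows three mechanisms (sensor, its alarm, light sensor) that all fall to a single technique, bridging the sensor lines, which is the hairspray argument of the text expressed as a count rather than a story.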

What You Need to Do

The team led by Leonardo spared no expense. The bank was built in what was once a shopping center. The team analyzed the rooms and buildings adjacent to the vault. The story goes that they recreated the entire vault ante-room and the vault itself in a warehouse in order to study and practice disabling all the security. Once again, this is the key to security: knowing the operations at a more thorough and deeper level than those who apply them. This is what makes penetration testing tool frameworks with dedicated exploit research teams so valuable to an organization. Sure, these tools will also help the penetration tester cover more types of systems and applications more deeply; however, these tools are best used in the hands of those who really know the internal operations and processes, the internal employees. Why? Because just knowing how to find vulnerabilities means nothing if there is little understanding of the big picture in a complex environment. What are the operational needs? What are the directions? What are the requirements? These are things only an insider can and should know. However, to avoid being stuck in the vulnerability/patching routine indefinitely, a cat and mouse game at best, an organization needs to embrace the hacker role of deeply understanding how various operational security mechanisms and operational controls work together for greatest effectiveness. This is where the latest OSSTMM is strong. Security shouldn't be about just finding the vulnerabilities known today to quickly patch up, but about finding the perfect balance between security and controls so you are prepared for the vulnerabilities and threats of tomorrow as well. This is why Leonardo and his team studied the operation of each of the individual sensors as well as all the routines and processes of the bank. Doing so allowed them to penetrate the building unnoticed and still get out quickly and safely. So it's not enough to know that the vault can be penetrated, because one still needs to get away with it. This means the team needs to know the scope like an insider would, which includes the targets, the assets, the environment, and the points of interaction. That lets them know which skills they need to bring to the engagement, what the best path to take is, and with what means they attack the goal:

1. Target: These are the gateways to the assets or even the assets themselves. If you need to enter with stealth then the security mechanisms will be your first targets. Once those are neutralized, you switch targets to the next thing which prevents you from reaching the assets.
2. Scope: These are all the factors which act on the targets. This includes environmental factors, legalities, policies, and technical dependencies. These considerations form the basis for the definition of the attack vectors.
3. Vector: This is the angle of attack to the target. Is the target attacked from the outside or the inside? Should an attack take place from Department A to Department B? Does a satellite office first need to be compromised to attack the target indirectly?
4. Channel: This is the means with which to attack the target. This must be decided per attack vector. What are the possible channels available? Do we need to access it physically ourselves, or can we trick someone via social engineering into accessing it for us? Is there a wireless network, or do we need to attach ourselves via cable? Does it make sense to seek direct physical access?

Showtime

On the night of the robbery, the Genius and Monster entered a courtyard two blocks from the Diamond Center. With a shield made of polyester they made it past the first heat and motion sensor to disable it. Cameras were covered with black garbage bags. The second set of sensors in the vault ante-room were then disabled the same way. They also bypassed multiple cameras undetected. That's because cameras can only provide three controls: Identification, Non-repudiation and Alarm. For Identification, cameras are extremely weak because they can be easily fooled. The lack of Identification also compromises Non-repudiation because, although the cameras record, it can later be determined only what happened, not who was responsible, and that is the basis for non-repudiation. Additionally, if cameras are being used to react to attacks, the Alarm control, then someone needs to be watching in order to react (Table 1).

Inside the vault ante-room, the crew of diamond thieves turn on the light. Before them stands the mighty steel vault. It's protected by a key lock, a combination lock, a magnetic sensor, and a tremor sensor to defeat drilling of the door. These are all Authentication controls hooked to Alarm controls. The magnetic sensor that should have made it impossible to open the door without authorization was attached to the outside of the vault door. They mounted it to another piece of dense metal and removed it. That was one vault security mechanism gone. Leonardo had learned in his reconnaissance that the guard always visited a vestibule before opening the vault. On a hunch the team visits the vestibule and, sure enough, the key to the high security lock is hanging right there. They didn't even need the key they had forged from Leonardo's photos. That's two security mechanisms gone. They approach the combination lock, capable of 100 million possible combinations. However, since the combination dial lacked a hood, the numbers were visible for Leonardo to see and film with each visit to the vault. The numbers he had were still valid and the steel door unlocks. That's three security mechanisms down. Now the men need to turn off the lights completely, because there is a light sensor inside the vault. They carefully open the vault avoiding any vibration and the tremor sensor is defeated. That's the last of the security mechanisms on the door. They still need to reach and disable the light sensor, though. A steel gate inside the door blocks their way; however, its lock, another Authentication control, is easily picked. What they bypassed is typical Defense in Depth, where the same type of control, in this case Authentication, is layered. It's a classic mistake based on seeing each security mechanism as an island instead of recognizing their need to inter-operate and provide integrity for one another (Table 2).

Once the steel gate was opened, they still had to deal with the sensors. The heat/motion sensor inside the safe area had been addressed the day before with the hairspray. Still, it was unclear how long the hairspray would last before the sensor would detect their body temperature. The men acted cautiously and moved slowly to keep from generating too much heat. Monster went into the dark vault as practiced in the fake vault. He pulls down the sensor cables from the ceiling and bridges them to complete the circuit. Now even when they trip the sensor the circuit can't break, and thus the alarm won't sound. Still, to be safe, they covered the sensors to blind them. With deep familiarity after having practiced countless times, they worked in the darkness with a hand-drill to break open the safety deposit boxes. The lockers have no additional controls beyond the locks, and they revealed their contents without much resistance. With gloves still on, they leave no trace as they leave the way they came in (Table 3).

Table 1. Entering the Building

Security Mechanism | Controls | Limitation | What It Means
Outside Heat and Motion Sensor | Authentication | Weakness | The sensor can be bypassed with a nylon sheet.
    | Alarm | Concern | The alarm can be deactivated manually on the device without tripping a tamper alarm.
Hallway Motion Sensor | Authentication | Weakness | The sensor can be bypassed with a nylon sheet.
    | Alarm | Concern | The alarm can be deactivated manually on the device without tripping a tamper alarm.
    |   | Vulnerability | Access to the vault is possible.
Vault Ante-room Cameras | Identification (part of Authentication) | Weakness | The criminals acted at night and could easily cover their faces before they covered the cameras.
    | Alarm | Concern | With nobody watching there was nobody to be alerted or to react to the robbery.
    |   | Vulnerability | Access to the vault is possible.

Table 2. Entering the Building

Security Mechanism | Controls | Limitation | What It Means
Combination Lock | Authentication | Weakness | The process of dialing in the combination gave enough time and visibility for the numbers to be recorded.
    |   | Vulnerability | This lock provides Access.
High Security Key Lock | Authentication | Weakness | A key was forged but was unnecessary, since the process kept the real key available in the nearby vestibule.
    |   | Vulnerability | This lock provides Access.
Seismic (Tremor) Sensor | Authentication | Weakness | This is a blacklist control which allows many operations as long as they are not specifically what the sensor expects. This may have functioned correctly had the thieves indeed used a drill.
Steel Gate Lock | Authentication | Weakness | The lock was picked.
    |   | Vulnerability | This lock provides Access.
Magnetic Sensor | Authentication | Weakness | This is a blacklist control which allows many operations as long as they are not specifically what the sensor expects.
    | Alarm | Concern | The Alarm did not trip upon dismounting, a flaw that prevents sensor integrity from recognizing sabotage.
Internal Security Camera | Authentication | Weakness | The cameras were in full working order; however, they didn't work in the dark, nor could they work with black garbage bags tied over them.
    | Alarm | Concern | Since the cameras weren't monitored at night, there was nobody to react to what could have been seen.

Table 3. Entering the Building

Security Mechanism | Controls | Limitation | What It Means
Light Sensor | Authentication | Weakness | This is a blacklist control which allows many operations as long as they are not specifically what the sensor expects.
    | Alarm | Concern | The sensor lines were reachable and could be bridged to disable it.
Vault Camera | Authentication | Weakness | The cameras were in full working order; however, they didn't work in the dark, nor could they work with black garbage bags tied over them.
    | Alarm | Concern | Since the cameras weren't monitored at night, there was nobody to react to what could have been seen.
Heat/Motion Sensor | Authentication | Weakness | The sensor was masked with hairspray the day before.
    | Alarm | Concern | The sensor lines were reachable and could be bridged to disable it.
Safety Box Locks | Authentication | Weakness | The locks were weak and easily broken open.
    |   | Vulnerability | The locks provided Access.

Final Analysis

Looking at this through the eyes of an OSSTMM security analyst, we can take this dissection of the security mechanisms and processes and measure the attack surface of the bank. This gives us a value which works like a Key Performance Indicator for the balance between Operational Security, Controls, and Limitations. We do this quickly using the available OSSTMM attack surface calculator, which calculates the balance in ravs. Working like a percentage, the goal is to get to 100 for perfect balance. Anything over that is too much, possibly redundant or wasted security, and anything under that is too little. For the Antwerp Diamond Center, both the attacker and the security analyst could reach the same conclusion for some of these security processes. That the vault key was kept in the hallway vestibule, or that the combination on the vault had not been changed for months, are conspicuous omissions that a security analyst would not have missed either. So we are left with this assessment of the situation. The goal, the diamonds in the vault, is known and Visible. There are two approaches to the vault: the client entry area, and the entry the thieves used through the side streets, back yards, and private apartments. This means that there are two Accesses. The Controls and Limitations we can transfer to the Attack Surface calculator sheet. A thorough OSSTMM 3 analysis would have clearly shown, long before this robbery, that the massive protection measures layered in Defense in Depth style were ineffective. With such a large attack surface, 18.52% unprotected, the analyst can easily show the Board of Directors the imbalance in the security and then exactly where that imbalance lies: too heavy a reliance on one control, Authentication. (As a side note, what do you think a network protected by a firewall, IDS, anti-virus, and screening router looks like? Here's a hint: Authentication, Authentication, Authentication, Authentication.) Furthermore, while a full Attack Surface measurement won't tell you when the next attack will come, or whether it comes at all, it will show you for sure where it will come from and, based on which controls are missing, specifically what kinds of attacks would be successful. This is extremely useful for future planning, future-proofing, and future budgeting. If you're not using OSSTMM 3 security testing and analysis, then it's possible you might not be protecting the right interactions, or for as long as you need to.

(Not) Happily Ever After

The story ends on a slightly unhappy note for our clever crew, especially if you believe them that there was really little of value in the vault. While fleeing the Diamond Center, the men lose their nerve and leave some bags of loot and documents in the forest. A citizen stumbles across the mess left behind and at first is just upset over the litter, which he assumes teenagers left in the forest after a night of partying. He calls the police and, while detailing the type of garbage there, mentions that there are envelopes that say Antwerp Diamond Center. This gets the police to investigate, and they are able to piece together documents and discover stray gems. Among the scraps, they find a receipt for the miniature camera, and Leonardo's name is on it. When he returns to Belgium to drop off the rental car they used for the getaway, he gets picked up by the police. With even more evidence they pull from the forest litter, like mobile phone SIM cards, and DNA they found on adhesive tape in the vault, they pick up the rest of the crew. Only the King of Keys was never found. Leonardo claims he never made off with $189 million and that it was an inflated number for insurance fraud. He says the bank was in on the robbery and removed nearly all the legitimate gems, and the illegal, black market gems, before the robbery. Then they received the insurance pay-out for their legitimate gems. He claims that he and his crew got almost nothing.

Pete Herzog, co-founder of ISECOM and project lead for the OSSTMM.
Further info: www.isecom.org, www.osstmm.org

