HP Security Products Blog
From applications to infrastructure, enterprises and governments alike face a constant barrage of digital attacks designed to steal data, cripple networks, damage brands, and perform a host of other malicious intents. HP Enterprise Security Products offers products and services that help organizations meet the security demands of a rapidly changing and more dangerous world. HP ESP enables businesses and institutions to take a proactive approach to security that integrates information correlation, deep application analysis and network-level defense mechanisms—unifying the components of a complete security program and reducing risk across your enterprise. In this blog, we will announce the latest offerings from HP ESP, discuss current trends in vulnerability research and technology, reveal new HP ESP security initiatives and promote our upcoming appearances and speaking engagements.

Diamond heist holds infosec lessons, too

Wired is running the story “The Untold Story of the World's Biggest Diamond Heist” on their site and in the next issue. You may have already read it, since it’s pretty popular on the tubes right now. If you haven’t—while it’s pretty long—it’s an interesting read on physical security, criminals, capers and exploitation of weaknesses.


Below is a fairly spoiler-iffic view on the heist and how I think it relates to the information security world—so if you want all the gory details without my summary, head over to wired.com first.  Here’s a high-level synopsis: in an Italian Job-style caper, a group of thieves did the seemingly impossible by robbing a massive vault in Antwerp’s diamond district. This is no ordinary vault—it holds most of the district’s diamonds and other valuables, and has a significant amount of security, including the following (the article also has a diagram):


  A 3-ton steel door with:

  • Combination dial (0-99)
  • Keyed lock
  • Seismic sensor (built-in)
  • Locked steel grate
  • Magnetic sensor
  • External security camera

 And inside the vault:

  • Light sensor
  • Security camera
  • Heat/motion sensor

This vault is also located in the basement of a guarded and monitored building, and in the middle of a diamond district that is blanketed with security cameras and has its own specialized police force.   


 Seems impossible to break into, right? Of course not.   


The story, as told by Leonardo Notarbartolo (serving 10 years in jail for his part in the crime), tells of how a small group of men exploited minor weaknesses in the various layers of security, and walked away with an unknown amount of wealth (read the article as to why it’s unknown)… and very nearly got away with it.   


While this isn’t directly web/network/data security related, their tactics, from reconnaissance to exploitation, have a lot of parallels in the computer security realm. The methods they used are the same ones pen-testers and criminals use against our networks and applications.




Reconnaissance

Notarbartolo used a small “spy” camera to document the building and vault. The gang studied the monitoring systems, the vault, the building, the surrounding buildings, the entrances (conventional and otherwise) and the habits of the guards. They also sneaked in a small camera to capture the vault combination as it was dialed (key logger, anyone?); it fed a transmitter hidden inside a fully functional fire extinguisher.


Social Engineering

Notarbartolo set himself up as a dealer in the building, and rented a box in the vault. After a time, the guards came to recognize and almost ignore him, which gave him a critical opening to disable a heat detector inside the vault.  



The thieves set up a fake vault to practice in and to look for new weaknesses (pretty sure this was in one of the Ocean’s <insert number here> movies). Professional testers make no secret of the work they do against “fake vaults” (ok, lab systems) looking for 0day vulnerabilities to use in their products and future engagements.  


Exploiting Small Weaknesses

There was no single, major flaw in the security, and there was no brute force attack (portions of the movie Heat come to mind). By gaining access to a less secure and less important “system” (an adjacent building with a courtyard), they got unmonitored access to the secure building’s exterior. They used a little stealth with a home-made polyester shield to defeat a heat and motion sensor, and a piece of aluminum and duct tape to defeat a magnetic sensor. While they had a duplicate key crafted based on the video they’d made (which smacks of SNEAKY), they found the actual key in a nearby room (password under the keyboard, or console access?). Black bags covered video cameras that were expected to show only darkened stairways. Hairspray defeated a motion and heat sensor long enough for them to disable it completely.


All of these tiny weaknesses and crafty exploits combined into a massive heist. The tiny chinks in the armor turned into a significant financial loss for the owners of the lockboxes and their insurers.   



So what lessons can be gleaned from the physical-security weaknesses, and translated into the digital world? Plenty.  


First off, no vulnerability or weakness can be completely ignored. Decisions based on risk and cost can be made, and fixes prioritized, but everything should be discovered, catalogued and tracked—at some point that “minor” flaw could be very important. Knowing every weakness and monitoring for exploit attempts could be critical in stopping a massive breach.  


Secondly, there is no such thing as an unimportant application or system on your perimeter (maybe even on your internal network). Just because your Job Listing application doesn’t hold customer data doesn’t mean it isn’t critical to your perimeter security. Even if the app runs on a different web server, what if there is a flaw that gives someone system access? Is the root password the same one as on your banking systems? Does the system give the attacker access to the same DMZ that your critical data traverses? Is your security staff monitoring the IDS as closely for the “ATM Locator” system as for the bank login?


Thirdly, security is not a one-time effort. Your security efforts may be baked in from planning to implementation, but they don’t stop there. Threats, attacks and techniques are constantly being discovered and are always evolving. Since the criminals knew about the “hairspray exploit,” it seems possible the manufacturer of the heat and motion sensor knew too, but didn’t bother to warn their customers and issue a “patch”—or maybe they did, and the operators of the vault chose not to implement the fix.


And lastly, to the best of your ability, you have to think like a criminal. You may even consider hiring someone (permanently or on contract) that can do that pretty well (I won’t debate hiring actual criminals). Would someone used to breaking into vaults ask “Why the heck is the magnetic sensor mounted on the outside of the vault door?”  I’d hope so. Would they have scouted the nearby buildings looking for an attack vector? Perhaps. Would they have questioned the wisdom of having video cameras watching completely dark rooms? Any one of those questions, posed to site security or management, could have triggered a corrective action that might have stopped this entire heist in the planning phase.   


So, the next time you think you have better things to do than fix that minor cross-site scripting issue on that little loan calculator application—reconsider—and wonder if Leonardo Notarbartolo learned any computer hacking skills in prison.
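To make that closing point concrete, here is an added example (my illustration, not code from the original post or from any HP product): a toy loan calculator rendered two ways. The vulnerable version reflects the submitted values straight into the page, which is exactly the “minor” cross-site scripting bug the paragraph above is talking about; the hardened version validates each field against a strict pattern and HTML-escapes everything that reaches the page. The field names, patterns and page layout are invented for the illustration.

```python
"""Added example, not code from the HP blog post or from any product it mentions:
a toy loan calculator rendered two ways, to show why a 'minor' reflected XSS in a
throwaway app is still a hole in the perimeter. Pure standard library; the field
names, patterns and page layout are invented for illustration."""
import html
import re

# Accept only what a loan calculator actually needs: positive amounts with at most
# two decimals, and a whole number of months. Anything else is rejected outright.
FIELD_PATTERNS = {
    "principal": re.compile(r"^\d{1,9}(\.\d{1,2})?$"),
    "rate": re.compile(r"^\d{1,2}(\.\d{1,2})?$"),
    "months": re.compile(r"^[1-9]\d{0,2}$"),
}


def monthly_payment(principal: float, annual_rate_pct: float, months: int) -> float:
    """Standard amortised payment; a zero-interest loan is a straight division."""
    r = annual_rate_pct / 100.0 / 12.0
    if r == 0:
        return principal / months
    return principal * r / (1.0 - (1.0 + r) ** -months)


def render_vulnerable(params: dict) -> str:
    """Reflects the submitted values straight into the HTML: reflected XSS.
    The arithmetic fails safely on junk input, but the junk is echoed anyway."""
    principal = params.get("principal", "")
    rate = params.get("rate", "")
    months = params.get("months", "")
    try:
        payment = f"{monthly_payment(float(principal), float(rate), int(months)):.2f}"
    except (ValueError, ZeroDivisionError):
        payment = "n/a"
    return (
        "<html><body><h1>Loan calculator</h1>"
        f"<p>Principal: {principal}, rate: {rate}%, term: {months} months</p>"
        f"<p>Monthly payment: {payment}</p></body></html>"
    )


def render_hardened(params: dict) -> str:
    """Validate every field against a strict pattern, and HTML-escape every value
    that reaches the page. Escaping is the control that kills XSS in element
    content; validation keeps the calculator honest and never echoes raw input."""
    fields, bad = {}, []
    for name, pattern in FIELD_PATTERNS.items():
        raw = params.get(name, "")
        if pattern.match(raw):
            fields[name] = raw
        else:
            bad.append(name)  # report our own field name, never the attacker's value
    if bad:
        body = "<p>Invalid value for: " + html.escape(", ".join(bad)) + "</p>"
    else:
        payment = monthly_payment(
            float(fields["principal"]), float(fields["rate"]), int(fields["months"])
        )
        body = (
            f"<p>Principal: {html.escape(fields['principal'])}, "
            f"rate: {html.escape(fields['rate'])}%, "
            f"term: {html.escape(fields['months'])} months</p>"
            f"<p>Monthly payment: {payment:.2f}</p>"
        )
    return "<html><body><h1>Loan calculator</h1>" + body + "</body></html>"


if __name__ == "__main__":
    attack = {"principal": "<script>alert(document.cookie)</script>", "rate": "5", "months": "12"}
    print(render_vulnerable(attack))   # the payload lands in the page unchanged
    print(render_hardened(attack))     # rejected, and nothing unescaped is reflected
```

Note that `html.escape` is the right control for values placed in element content, as here; values that end up inside a script block, an attribute or a URL need the encoding for that context, and the validation step alone would not have saved the vulnerable version if it had still echoed the rejected input.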


And, I mentioned that Notarbartolo is in jail, which means they didn’t get away clean. Check out the full article as to why… that interesting bit, and a lot of other details and theories that I didn’t get into, make it a good read even after skimming this.


Another analysis of Larry Suto's comparative review

IBM/Watchfire released their analysis of Larry Suto's web scanner comparative review, which was released in October.  If you recall, we wrote one as well.  IBM/Watchfire questioned Suto's methodology just as we did; they also found discrepancies between their own testing and the scan files Suto provided them (yes, that's right: Suto's reported results apparently don't match Suto's own scan files).  Also interesting is their discussion of how vulnerabilities are counted (issues vs. instances), and their observation that NTOSpider apparently counts instances rather than issues, which produces a higher, inflated vulnerability count.

Overall, Suto's analysis illustrates an important concept: testing and product comparisons are not trivial to perform.  You need a sound methodology, and you need to make sure your numbers and math make sense.
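The issues-vs.-instances point is easy to state and easy to get wrong, so here is an added example (my illustration, not code or data from the HP/SPI, IBM/Watchfire or NTOSpider reports, and not a claim about how any real scanner counts): the same constructed set of scanner findings counted three ways. The host, paths, parameters and the finding records themselves are invented; the point is that the raw count, the de-duplicated instance count and the issue count can all be “the number of vulnerabilities found” depending on who is doing the counting.

```python
"""Added example, not code from the HP/SPI, IBM/Watchfire or NTOSpider reports:
the same constructed scanner output counted three ways, to show how counting
instances instead of issues inflates a 'vulnerabilities found' number."""
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample findings, modelled loosely on what a scanner emits; the host,
# paths, parameters and records are invented for this illustration.
FINDINGS = [
    {"type": "XSS",  "url": "http://app.example/search?q=1",        "param": "q"},
    {"type": "XSS",  "url": "http://app.example/search?q=abc",      "param": "q"},
    {"type": "XSS",  "url": "http://app.example/search?q=1&page=2", "param": "q"},
    {"type": "XSS",  "url": "http://app.example/search?q=1&page=2", "param": "page"},
    {"type": "SQLi", "url": "http://app.example/item?id=5",         "param": "id"},
    {"type": "SQLi", "url": "http://app.example/item?id=7",         "param": "id"},
    {"type": "SQLi", "url": "http://app.example/item?id=7",         "param": "id"},  # exact repeat
]


def instance_key(finding):
    """An instance is one injection point on one concrete request (full URL + parameter)."""
    return (finding["type"], finding["url"], finding["param"])


def issue_key(finding):
    """An issue is one bug to fix: vuln class + page (query string dropped) + parameter.
    Different query values exercising the same injection point are the same issue."""
    return (finding["type"], urlsplit(finding["url"]).path, finding["param"])


def count_raw(findings):
    """What an instance-counting report shows if it never de-duplicates at all."""
    return len(findings)


def count_instances(findings):
    """Instances with exact repeats removed."""
    return len({instance_key(f) for f in findings})


def count_issues(findings):
    """Distinct issues, which is the number a product comparison should be built on."""
    return len({issue_key(f) for f in findings})


def issues_by_type(findings):
    """Per-class issue counts, so two scanners can be compared class by class."""
    return dict(Counter(key[0] for key in {issue_key(f) for f in findings}))


def summarize(findings):
    """All three counts side by side for one set of findings."""
    return {
        "raw": count_raw(findings),
        "instances": count_instances(findings),
        "issues": count_issues(findings),
        "by_type": issues_by_type(findings),
    }


if __name__ == "__main__":
    print(summarize(FINDINGS))
```

On the constructed data the raw count is 7, the de-duplicated instance count is 6, and there are only 3 issues to fix (two XSS parameters on one page, one SQL injection parameter on another). Two scanners reporting “7” and “3” against the same application may have found exactly the same bugs, which is why a comparison has to normalize to one definition before adding anything up.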

Analysis of Larry Suto's comparative case study


In October 2007, Larry Suto released a case study entitled “Analyzing the Effectiveness and Coverage of Web Application Security Scanners,” available for reading at http://www.stratdat.com/webscan.pdf.  The study compared the results of three commercial web application security scanners, including WebInspect.  There has been much discussion in the industry about this study (for a good example, see the “Coverage and a recent paper by L. Suto” thread at http://lists.immunitysec.com/pipermail/dailydave/2007-October/thread.html).  Part of the discussion focuses on Suto’s questionable methodology and conclusions relating to application coverage, and on the vagueness of his results.

Since any solid science experiment should be repeatable, SPI Labs set out to re-create Suto’s study to reasonably verify his conclusions and methodology.  In doing so we discovered significant discrepancies between our results and the results reported by Suto.  Attached is our final report (Suto_review_FINAL.pdf), where we indicate the results we received when we tested the same applications.

The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.