@FaradaySec OPENING MINDS: BANK TUNNELING 101
On the internet every day there´s really a staggering amount of information generated and to keep up with all this, businesses are being forced to stock up on new equipment to be able to store it all. For example, IBM´s new server that can process 100 cyber monday’s worth of transactions a day.
James Hamilton, VP and a prominent engineer for Amazon shared some pretty mind-blowing stats about the current state of data storage. Two stats especially telling from the article:
-Every day, Amazon Web Services AWS adds enough new server capacity to support all of Amazon´s global infrastructure when it was a $7b annual revenue enterprise (in 2004).
-S3 has a 132% year-over-year growth in data transfer.
Accordingto Facts Hunt, in 2014 there were:
14.3 billion web-pages on the internet.
48 billion web pages indexed by Google.
14 billion web pages indexed by Microsoft Bing.
672 Exabytes or 672,000,000,000 Gigabytes (GB) of accessible data
43,639 Petabytes of global internet traffic in 2013
More than 900,000 servers in Google
More than 1 Yotta-byte ( thats septillion byte) of total stored information on the internet (it also isn´t related to a small green star wars character that talks backwards in anyway).
Note: Currently Microsoft leads the industry in number of servers with 1,000,000 which is 100,000 more than Google.
In December 2012, IDC and ECM estimated that the digital size of the universe (this would be all the digital data created, replicated and consumed this year) was 2,837 exabytes (EB) and they predicted that number growing to 40,000 EB by 2020. Just so you have an idea of what a ridiculous amount of data that is, it´s the equivalent of a million terabytes (TB) or a billion gigabytes (GB). This means, according to IDC and EMC´s prediction every person on the planet on average will contribute 5,200 GB to the digital universe (or 325 16gb iphones).
In December 2012, IDC and ECM estimated that the digital size of the universe (this would be all the digital data created, replicated and consumed this year) was 2,837 exabytes (EB) and they predicted that number growing to 40,000 EB by 2020. Just so you have an idea of what a ridiculous amount of data that is, it´s the equivalent of a million terabytes (TB) or a billion gigabytes (GB). This means, according to IDC and EMC´s prediction every person on the planet on average will contribute 5,200 GB to the digital universe (or 325 16gb iphones).
Looking at this from a security perspective, it becomes increasingly clear that with so much information generated there will be a lot of sensitive data. Whether it be your own, your friends or your relatives´, it´s coming from everyone and is being sent to a lot of different places. An unfortunate consequence of this huge influx of data, is the much publicized rise of cyber-crime. Unfortunately , far from being something that people find out about quickly and get it taken care of easily, it can go on for months or years without people even realizing they were the victim of an attack. Once people realize that a cyber-crime has occurred, it can be a long and arduous process to correct all the resultant problems.
Anyone that wants to rob something valuable, only has to find one fault in the system while ¨the good guys¨ have to think of all the different places and variations of possible attacks (a slightly more difficult task one might say). With all this in mind, it´s vital to maintain a sensible balance between security, practicality, budget and intellect.
The idea of this investigation series is to show that seemingly harmless public information on the internet can be used for illicit personal gain and criminal activity.
History
Not all losses of information or goods are what we would call ¨cyber/ IT¨ security breaches. Using a couple of examples, we´re going to analyze a very interesting type of robbery; that of the bank tunnel.
These are not something that can be made on a whim and require a huge amount of planning and investment of both time and money.
Why, you might ask? Because bank tunnels are one of the thefts with the greatest impact from a physical security viewpoint and many times, they carry large financial implications as well.
¨Okay, I get that they can be a problem, but what does this have to do with IT security¨?
For a couple of reasons. First, it's important to remember the physical and the IT realm are never far apart. Second, we're going to show below how we can exploit public information to assist us with one of the most difficult part of planning a tunnel (the location).
Just so we have a little context, we are going to talk about bank tunnels (or holes) that have been utilized to extract valuables from different places, focusing primarily on banks and safes. With this in mind, we tried to be as thorough as possible. While, we found different examples in a number of different countries. We decided to go into a little more depth for countries in the Americas region.
Below we are going to list some of the more exceptional cases that we were able to find (listed by country).
Argentina
- Banco Galicia in Buenos Aires in 1976: 5 million ARG pesos y 50 kilos (110 lbs) of jewelery.
- Banco Mercantil Argentino, in Buenos Aires/12/1992. 200 safe deposit boxes.
- Banco Provincia de Belgrano, 2011. 130 security deposit boxes , $10 million ARG pesos, 6.5 million dolars. 30 meters tunnel.
USA
Apr 24, 1964, Marietta, Georgia, Cobb Exchange Bank. They ended up losing money because they had gotten confused in the vaults and went to the Safety deposit vault instead of the main one. They only were able to steal 1,000 dollars (they had rent offices for $1,000 for two months building the 136 foot tunnel (42 meters).- March 18, 1968, Quitman, Georgia , Bank of Quitman. $20,000 dollars, 20 meters tunnel.
- June 9 , 1986, Hollywood, (7700 Sunset Blvd) (Spaulding Avenue and Sunset Boulevard.) First Interstate Bank. $270,000 dólares, 36 security boxes 30 meter tunnel. Article from 1986, link review 2009.
- August 6, 2005, Banco Central, Fortaleza. 160 million Reales. 200 meters in 3 months. Wikipedia
- 25 may 1986. Royal Bank of Canada. 36 boxes, $196.000 dollars, 6 meters.
- April 26 1977, Carretera 25 N 18-97, Banco de la república de Pasto. 82 million COL pesos, 50 meters.
- November 1991, Caja agraria bank. Millions in dollars and jewelery, 20 meter tunnel.
- July 1976, Société Générale bank. 400 safe boxes, £6 million and jewels. 8 meters tunnel.
- August 1976, Société Générale ban. 191 safe boxes and 5 million from the vault
- Marseille, Caisse d'Epargne, Banco Rí. 46 meters, 300 safes
- 30 Mar 2010 - (Credit Lyonnais).). 24 millions euros, 200 deposit boxes.
- June 27th, 1995 - Berlin, City Zehlendorf, Commerzbank. 400 safe boxes, $12.4 millions.
- Jan. 14, 2013- Berlin - City Steglitz - Berliner Volksbank. 100 safe boxes. £8.3 million, 30 meters.
- 11 September 1971, Lloyds Bank, Baker Street and Marylebone Road, Lond 15 meters, £1.5 million (2010: £16.5 million), y 260 safe boxes, in total £3 million (2010: £33.1 million) - Google Map
- January 3 2012, Blockbusters, Fallowfield, Manchester. £6,000, 12 meters.
- Friday, March 14, 2014, "Tesco store" in Eccles, Greater Manchester. Consecutive robbaries, 15 meters, 30 meters. Tens of thousands of pounds.
- May 24, 1994 - BANGKOK, Thailand, Thai Bank. 15 meters, $100,000 dollars.
- Also, we were able to find some failed attempts.
- March 13,1932, Los Angeles, Security First National Bank, Six foot
- March 31, 1967 Canada, montreal, 53-foot Montreal City and District Savings Bank's Decarie Boulevard
- Colombia: carrera 19, entre calles 20 y 21, trujillo - Banco Agrario
- Georgia city, 200-foot, The Citizens & Southern Bank
- May 14, 1995, SAN JUAN, Puerto Rico, 68-foot-long tunnel
- Banco piano
- Luego intentaron de nuevo
- Santander Río en Monte Grande, Sábado 25 de Enero de 2014
- José María Moreno 40, robo de ropa
- Correo Argentino, La Rioja al 1800.
| Country | Bank | Year | Distance | Money | Valuables |
| Argentina | Banco Galicia |
1976
| AR$5.000.000 | 50kg of Jewelery | |
| Argentina | Banco Mercantil |
1992
| 200 safe boxes | ||
| Argentina | Banco Credito |
1997
| 50 mts | AR$5.000.000 | |
| Argentina | Banco Río |
2006
| AR$8.000.000 | 8kg+ of jewelery | |
| Argentina | Banco Macro |
2011
| US$3.000.000+ | ||
| Argentina | Banco Provincia |
2011
| 30 mts | AR$10.000.000 | |
| Argentina | Banco Galicia |
2011
| 20 mts | AR$500.000 | |
| Berlin | Commerzbank |
1995
| 170 mts | $12.400.000 | |
| Berlin | Berliner Volksbank |
2013
| 30 mts | L$8.300.000 | |
| Brasil | Banco Central |
2005
| 200 mts | R$160.000.000 | |
| Canada | Royal Bank |
1986
| 6 mts | US$196.000 | |
| Colombia | Banco de la República de Pasto |
1977
| 50 mts | AR$82.000.000 | |
| Colombia | Caja Agraria |
1991
| 20 mts | ||
| EEUU | Cobb Exchange Bank |
1964
| 42 mts | US$1.000 | |
| EEUU | First Interstate Bank |
1986
| 30 mts | US$270.000 | |
| EEUU | Bank of Quitman |
1986
| 20 mts | US$20.000 | |
| EEUU | Bank of America |
1987
| 20 mts | US$91.000 | |
| Francia | Société Générale bank |
1976
| 8 mts | L$6.000.000 | Jewels |
| Francia | Société Générale bank |
1976
| $5.000.000 | ||
| Francia | Banco Río |
1987
| 46 mts | 300 Deposit Boxes | |
| Francia | Crédit Lyonnais |
2010
| EU$24.000.000 | ||
| Thailand | Thai Bank |
1994
| 15 mts | US$100.000 | |
| UK | Lloyds Bank |
1971
| 15 mts | L$1.500.000 | 260 Safes |
| UK | Blockbusters |
2012
| 12 mts | L$6.000 | |
| UK | Tesco Store |
2014
| 30 mts | L$100.000+ |
Technical research
One of the most important decisions when deciding to build a tunnel, is like most brick and mortar business endeavors, a matter of location. The different variables one should keep in mind are: proximity, movement, waste elimination, sound, etc.
Looking at it from a security perspective, we had the idea one day to see how difficult it would be to develop a system that recommends (given a target using GPS coordinates or address) an optimal place to start digging a tunnel. To start off, first we are going to search places reasonably close, as a way of starting to filter our results. For the moment, we´re not going to consider other variables.
To begin the search we will need the following_
- Public information of the banks
- Information of Real Estate rentals and sales
- GPS
Results:
The map below shows only some of the cases mentioned above:
Bank Information
For public information on banks we searched the different bank branches on their websites, or well-known sites and online directories. The searches we did, were restricted to Argentina, Brazil and the United States, but of course any country could be included. Some of the information was extracted a little more by hand than others, but generally we used a process called scrapping in most cases.
Buildings
For the part concerning buildings or possible sites to start constructing the tunnels, we used a number of different sites. In Argentina we used zonaprop, sumavisos and mercadolibre. The first two it turns out didn't have APIs (or at least not accessible to third party users), but MercadoLibre fortunately did have a library in python making it quite easy to make requests or find things we wanted.
In other Latin American countries, such as Brazil, we can also use MercadoLibre. Although it might not be the best possible search engine for real estate, it provided sufficient information for our purposes. Thus, for Brazil we used the same API. (we only had to change a couple of characters to get it working the same as in Argentina).
In the US it was a little more complicated. The APIs that are out there, didn't give out so much information and what they could do was quite limited. They showed estimated prices in an address database (or in another database with buildings categorized by ID (which you can get to through other means) or simple mortgage prices. Only Zillow gave us any ¨useful¨ data that would be useful to automate our search.
Geopositioning (GPS)
The answer for this was pretty easy. Google maps provides us with a function in it's API whereby by simply giving an address we can obtain the geographic coordinates of the location. This is similar to what is regularly done using the navigator but more automated.
No hay comentarios.