In February 2003, Notarbartolo was arrested for heading a ring of Italian thieves. They were accused of breaking into a vault two floors beneath the Antwerp Diamond Center and making off with at least $100 million worth of loose diamonds, gold, jewelry, and other spoils. The vault was thought to be impenetrable. It was protected by 10 layers of security, including infrared heat detectors, Doppler radar, a magnetic field, a seismic sensor, and a lock with 100 million possible combinations. The robbery was called the heist of the century, and even now the police can’t explain exactly how it was done.
James Duncan Davidson describes his frightening experience with “A Postmodern Crime at TED2009“. Davidson, a professional photographer, was assaulted outside the conference by someone demanding his pass. I think it’s interesting to note that it was an “all-access pass to the show and to its attendees”.
I’ve put some thought over the last year or so into “personal threat modeling”, and have knocked around ideas for a presentation of some sort with friends.
What can we know about how very specific behavior exposes us to new threats? My context is as a technologist, and so the threat includes my personal technology, and the information/data I have spread between myself and my various toys.
Suppose that I wanted to steal information on Black & Decker’s latest electric screwdriver design. I might do my homework, and see when a B&D employee from their design group was giving a conference presentation, possibly easy task given that conference schedules are usually online. This might tell me useful things, like:
- Who my target is, often with a brief bio that may give me other useful intelligence.
- Where they will be at a specific time.
- Bonus: When they will have their laptop with them.
My challenge at this point, is to get into the conference and separate him from his laptop. Many opportunities exist in such high-distraction environments, and an all-access pass only makes this much, much easier. (For example, the “Speaker’s Lounge” is usually deliberately off in some quiet corner of the facility.)
Stealing such a laptop, with whatever email or other info I might find, is obviously just one sort of motive. I can imagine an attacker having a variety of goals that might make it well worth the time and risk of physically assaulting someone, particularly someone bearing a particularly privileged access pass. Industrial espionage is just the start of a long list of evil possibilities here.