On the internet every day there´s really a staggering amount of information generated and to keep up with all this, businesses are being forced to stock up on new equipment to be able to store it all. For example, IBM´s new server that can process 100 cyber monday’s worth of transactions a day.

James Hamilton, VP and a prominent engineer for Amazon shared some pretty mind-blowing stats about the current state of data storage. Two stats especially telling from the article:
-Every day, Amazon Web Services AWS adds enough new server capacity to support all of Amazon´s global infrastructure when it was a $7b annual revenue enterprise (in 2004).
-S3 has a 132% year-over-year growth in data transfer.

Accordingto Facts Hunt, in 2014 there were:

14.3 billion web-pages on the internet.
48 billion web pages indexed by Google.
14 billion web pages indexed by Microsoft Bing.
672 Exabytes or 672,000,000,000 Gigabytes (GB) of accessible data
43,639 Petabytes of global internet traffic in 2013
More than 900,000 servers in Google
More than 1 Yotta-byte ( thats septillion byte) of total stored information on the internet (it also isn´t related to a small green star wars character that talks backwards in anyway).

Note: Currently Microsoft leads the industry in number of servers with 1,000,000 which is 100,000 more than Google.

In December 2012, IDC and ECM estimated that the digital size of the universe (this would be all the digital data created, replicated and consumed this year) was 2,837 exabytes (EB) and they predicted that number growing to 40,000 EB by 2020. Just so you have an idea of what a ridiculous amount of data that is, it´s the equivalent of a million terabytes (TB) or a billion gigabytes (GB). This means, according to IDC and EMC´s prediction every person on the planet on average will contribute 5,200 GB to the digital universe (or 325 16gb iphones).
Looking at this from a security perspective, it becomes increasingly clear that with so much information generated there will be a lot of sensitive data. Whether it be your own, your friends or your relatives´, it´s coming from everyone and is being sent to a lot of different places. An unfortunate consequence of this huge influx of data, is the much publicized rise of cyber-crime. Unfortunately , far from being something that people find out about quickly and get it taken care of easily, it can go on for months or years without people even realizing they were the victim of an attack. Once people realize that a cyber-crime has occurred, it can be a long and arduous process to correct all the resultant problems.

Anyone that wants to rob something valuable, only has to find one fault in the system while ¨the good guys¨ have to think of all the different places and variations of possible attacks (a slightly more difficult task one might say). With all this in mind, it´s vital to maintain a sensible balance between security, practicality, budget and intellect.

The idea of this investigation series is to show that seemingly harmless public information on the internet can be used for illicit personal gain and criminal activity.


Not all losses of information or goods are what we would call ¨cyber/ IT¨ security breaches. Using a couple of examples, we´re going to analyze a very interesting type of robbery; that of the bank tunnel. 

These are not something that can be made on a whim and require a huge amount of planning and investment of both time and money.

Why, you might ask? Because bank tunnels are one of the thefts with the greatest impact from a physical security viewpoint and many times, they carry large financial implications as well.

¨Okay, I get that they can be a problem, but what does this have to do with IT security¨?

For a couple of reasons. First, it's important to remember the physical and the IT realm are never far apart. Second, we're going to show below how we can exploit public information to assist us with one of the most difficult part of planning a tunnel (the location).

Just so we have a little context, we are going to talk about bank tunnels (or holes) that have been utilized to extract valuables from different places, focusing primarily on banks and safes. With this in mind, we tried to be as thorough as possible. While, we found different examples in a number of different countries. We decided to go into a little more depth for countries in the Americas region.

Below we are going to list some of the more exceptional cases that we were able to find (listed by country).

United Kingdom
A visual summary of all the examples we mentioned:

ArgentinaBanco Galicia

AR$5.000.00050kg of Jewelery
ArgentinaBanco Mercantil

200 safe boxes
ArgentinaBanco Credito
50 mtsAR$5.000.000
ArgentinaBanco Río

AR$8.000.0008kg+ of jewelery
ArgentinaBanco Macro

ArgentinaBanco Provincia
30 mtsAR$10.000.000
ArgentinaBanco Galicia
20 mtsAR$500.000
170 mts$12.400.000
BerlinBerliner Volksbank
30 mtsL$8.300.000
BrasilBanco Central
200 mtsR$160.000.000
CanadaRoyal Bank
6 mtsUS$196.000
ColombiaBanco de la República de Pasto
50 mtsAR$82.000.000
ColombiaCaja Agraria
20 mts

EEUUCobb Exchange Bank
42 mtsUS$1.000
EEUUFirst Interstate Bank
30 mtsUS$270.000
EEUUBank of Quitman
20 mtsUS$20.000
EEUUBank of America
20 mtsUS$91.000
FranciaSociété Générale bank
8 mtsL$6.000.000Jewels
FranciaSociété Générale bank

FranciaBanco Río
46 mts
300 Deposit Boxes
FranciaCrédit Lyonnais

ThailandThai Bank
15 mtsUS$100.000
UKLloyds Bank
15 mtsL$1.500.000260 Safes
12 mtsL$6.000
UKTesco Store
30 mtsL$100.000+

Technical research

One of the most important decisions when deciding to build a tunnel, is like most brick and mortar business endeavors, a matter of location. The different variables one should keep in mind are: proximity, movement, waste elimination, sound, etc.

Looking at it from a security perspective, we had the idea one day to see how difficult it would be to develop a system that recommends (given a target using GPS coordinates or address) an optimal place to start digging a tunnel. To start off, first we are going to search places reasonably close, as a way of starting to filter our results. For the moment, we´re not going to consider other variables.

To begin the search we will need the following_
- Public information of the banks
- Information of Real Estate rentals and sales

The map below shows only some of the cases mentioned above:


Bank Information
For public information on banks we searched the different bank branches on their websites,  or well-known sites and online directories. The searches we did, were restricted to Argentina, Brazil and the United States, but of course any country could be included. Some of the information was extracted a little more by hand than others, but generally we used a process called scrapping in most cases.

For the part concerning buildings or possible sites to start constructing the tunnels, we used a number of different sites. In Argentina we used zonaprop, sumavisos and mercadolibre. The first two it turns out didn't have APIs (or at least not accessible to third party users), but MercadoLibre fortunately did have a library in python making it quite easy to make requests or find things we wanted.

In other Latin American countries, such as Brazil, we can also use MercadoLibre. Although it might not be the best possible search engine for real estate, it provided sufficient information for our purposes. Thus, for Brazil we used the same API. (we only had to change a couple of characters to get it working the same as in Argentina).

In the US it was a little more complicated. The APIs that are out there, didn't give out so much information and what they could do was quite limited. They showed estimated prices in an address database (or in another database with buildings categorized by ID (which you can get to through other means) or simple mortgage prices. Only Zillow gave us any ¨useful¨ data that would be useful to automate our search.

Geopositioning (GPS)
The answer for this was pretty easy. Google maps provides us with a function in it's API whereby by simply giving an address we can obtain the geographic coordinates of the location. This is similar to what is regularly done using the navigator but more automated.

No hay comentarios.

Imágenes del tema de enot-poloskun. Con tecnología de Blogger.