Centralized systems are the Achilles Heel of security
Away from the grand Flemish Renaissance buildings, in a rather average-looking office building, sits the Antwerp World Diamond Centre (AWDC), the public/private corporation responsible for facilitating the importing and exporting of precious stones. Its subterranean vault houses hundreds of millions of dollars worth of diamonds and other precious stones and metals at any one time. It is protected by at least ten security mechanisms, including a lock with 100 million possible combinations, infrared heat detectors, a seismic sensor, Doppler radar, and a magnetic field. The building itself has a private security force and is located in the heart of the heavily guarded and monitored Antwerp diamond district.
"What is the status of the alarm?" Agim De Bruycker, a lead detective in the world’s only police force specialized in diamonds, asks early on a chilly February morning in 2003.
"Fully functional. The vault is secure," the Securelink operator responds, monitoring the signals coming in from the Antwerp World Diamond Center.
"Then how is it that the door is wide open and I'm standing inside the vault?" De Bruycker retorted.
On this Monday morning, De Bruycker was calling from just outside the vault, its door now standing ajar, with more than 100 of the 189 safe-deposit boxes pried open and strewn about the floor. Officer De Bruycker waded through piles of cash and velvet pouches and winced at the occasional crunch of diamonds underfoot. There was so much loot that the thieves simply could not take it all with them. All in all, it is estimated that $100 million worth of diamonds, precious metals and other spoils were stolen, none of which has since been recovered.
In the year 1467, Antwerp developed the first spinning diamond polishing wheel, greatly improving the craft of cutting and polishing diamonds begun on the Indian subcontinent. In the centuries since, Indian and other traders have brought their uncut gems to Antwerp, creating one of the world’s very first competence centers, which continues to exist to this day. For more than five hundred years, Antwerpen has been the center of the international diamond trade, through which some 85% of the world’s uncut diamonds pass, usually via the secretive and deep generational, ethnic, and religious connections of the diamantaires, generating an annual turnover of around $54 billion USD.
Leonardo Notarbartolo, a charming diamond trader from the city of Turin, arrived in Antwerpen in 2001 to join the ranks of the diamantaires and rented a humble $700/month office in the nondescript AWDC. One amenity included in the office rental was a safe deposit box in this very safest of vaults. Notarbartolo was not, however, a gem dealer: despite his mother’s best efforts, from a young age Notarbartolo developed and fine-tuned a skill set in thievery and became a world-class thief, the likes of which we may never see again. He likely also has relationships with the Sicilian mafia.
Notarbartolo, together with a skilled team sporting noms de guerre straight out of a Hollywood writers’ room–Speedy, The Monster, The Genius and The King of Keys–plotted, planned, practiced and eventually pulled off the Century’s Greatest Heist. While the heist was indeed an accomplishment of great cunning and skill by The Monster et al., there were undoubtedly two overarching contributing factors: 1) centralization and 2) access through the front door.
Current data repositories are not much different from the AWDC vault: secure, sure, but everybody knows where the data repository is located, and with just the right skills and effort the fortifications can be breached. Our Internet, in fact, is little more than about a million Linux servers operating on open source code, a heap of goodwill and strung together with tenuous trust. The limits of this goodwill were recently tested when an individual or group of individuals, likely backed by a malicious foreign actor, opened a backdoor on millions of Linux servers. This individual or group, “Jia Tan,” walked in “through the front door” and was able to ingratiate themselves with the volunteer XZ Utils team. XZ is a general-purpose data compression format present in nearly every Linux distribution, in community projects as well as commercial product distributions. XZ Utils is a set of tools needed for efficient transmission of large data sets. They are found on thousands of Linux servers and used by millions. Should a backdoor vulnerability in XZ be exploited, a nefarious actor could, for example, remotely execute code as a logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Imagine a state-sponsored actor being able to log on as any user on almost any computer linked to the Internet. The risk to governments and businesses large and small is immeasurable.
XZ is cornerstone software. It is both open source and maintained by a group of volunteers. Well, actually, until recently just one volunteer. That one volunteer met Jia Tan, a user who offered their assistance to lighten the load. Over time, Jia Tan proved their mettle and provided excellent service in maintaining the libraries. Jia Tan came to be seen as a trusted and committed persona. With their colleagues’ guard effectively down, Jia Tan walked through the front door to introduce malicious code creating a backdoor within XZ. By the time the breach was disclosed on March 29th, this backdoor had reached approximately 2% of the world’s Linux servers, leaving millions of Internet users completely exposed to the whims of a malicious actor.
And now let’s go back to Antwerp in 2003, or rather to a 2009 Wired Magazine interview with Notarbartolo about his tenure in Antwerp in 2003. Recall, the vast majority of the $100 million in loot was never recovered. Notarbartolo says that is because the diamonds were never stolen–or rather, never removed from the AWDC. Investigators theorized that the Sicilian mafia was behind the heist’s planning, execution and ultimate scattering of diamonds to the four winds. Notarbartolo, for his part, alleges it was a diamantaire insider who approached him, recruited the motley monikered crew and even built a mock-up of the vault in an abandoned warehouse on which to practice. In a brilliant double-cross, this diamond trade insider (allegedly) alerted his diamond trading colleagues, who in the weeks prior (allegedly) removed their diamonds from the vault into their own private office safes (as is common practice when buying and selling on the daily), and who then confidently committed a gigantic insurance fraud upon news of the break-in (allegedly). This diamond trading insider has never been identified and no one has corroborated this account. Of course, those who could corroborate this conspiracy would have participated, so those lips, should they exist, are certainly sealed.
And now let me remind you that current data frameworks are not particularly dissimilar from the AWDC vault–centralized and centrally managed. Data is used via the Internet network, held together with open source software and goodwill, much like the generational, ethnic and religious relationships which undergird the Antwerp diamond market. Furthermore, there will always be insiders such as Jia Tan or the mysterious diamantaire who (allegedly) plotted with Notarbartolo. With data spaces, we have an opportunity to have our own “diamond safes,” an opportunity to squirrel away our information from central use and to rely less on the goodwill of nameless, faceless insiders. Furthermore, data spaces offer the opportunity to bring together different elements for a specific task and then have them separate upon completion.
In July 2023, Mr. Cooper, one of America’s largest mortgage lenders, servicing some 18 million homeowners, disclosed a data breach that occurred due to unauthorized access to their network. Hackers infiltrated the company's systems and gained access to customer information, including names, addresses, Social Security numbers, and loan details. This breach left millions of homeowners vulnerable to identity theft and fraud. This breach was followed up in October and again in December with additional breaches, the last of which was caused by the front door being left open, namely an open Google Cloud bucket.
The impact on Mr. Cooper’s customers was significant. In addition to those who had their identities stolen, the remaining customers were faced with the stress, anxiety and inconvenience of monitoring their credit reports and taking additional security measures to protect themselves. Millions of Americans are still wading through the fallout when applying for credit cards, loans and when background checks are run. Compounding the frustration of many victims is the fact that Mr. Cooper was not their original mortgage company. When purchasing their homes, customers chose a mortgage lender they trusted, only to have their loan sold to Mr. Cooper to manage. That would be like the AWDC telling the owners of the diamonds in their care that they moved them to another vault across town.
The Mr. Cooper breach highlights the challenges of securing sensitive data in an age of advanced cyber threats. Like the Antwerp Diamond Heist, the breach occurred despite existing security measures.
Data spaces offer a solution to enhance data security and protect against breaches like the one at Mr. Cooper. Data spaces are collaborative environments where data can be shared securely among authorized parties. Here's how data spaces could have thwarted the breach:
Data Encryption: Data spaces prioritize the encryption of data at rest and in transit, making it much more difficult for hackers to access or use the data even if they breach the network. Each “diamond” would have its own secure vault around it.
Access Control: Data spaces provide robust access control mechanisms, allowing only authorized parties to access specific data. This reduces the risk of unauthorized access to sensitive information.
Data Fragmentation: By breaking down data into smaller, encrypted fragments and storing them across multiple secure locations, data spaces make it challenging for hackers to piece together valuable information. Imagine for a minute that the valuables entrusted to the AWDC were scattered across thousands of vaults. Notarbartolo and friends would have only found a tiny fraction of the jewels.
Real-Time Monitoring: Data spaces enable continuous monitoring and auditing of data access and usage. Any suspicious activity can be detected and addressed promptly, minimizing the potential damage from a breach. Notarbartolo’s frequent visits to the vault coupled with a lack in actual sales would have raised red flags. As would the prior removal of diamonds from the vault (if that is what indeed happened).
Secure Collaboration: Data spaces enable secure collaboration between parties by using data-sharing agreements and protocols. This ensures that sensitive information is only shared with authorized users for specific purposes.
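The "data fragmentation" point above, made concrete. This is an added example, not code from the article or from any data-space project: it uses Shamir's secret sharing, a specific threshold scheme the article does not name, to split a data-encryption key into n fragments held in n separate "vaults", so that any k of them rebuild the key while fewer than k reveal nothing about it. Only the Python standard library is used; the names PRIME, split_key and recover_key are chosen here.

```python
"""Threshold fragmentation of a key (Shamir's secret sharing over a prime field).

Added example, not the article's own code. A key becomes n fragments held in
n separate "vaults"; any k rebuild it, and k-1 are consistent with every
possible key, so a thief holding one vault learns nothing.
"""
import secrets

# 2**521 - 1 is a Mersenne prime; every key of up to 64 bytes maps cleanly
# onto a field element below it.
PRIME = (1 << 521) - 1


def _eval_poly(coeffs, x):
    """Evaluate the polynomial with the given coefficients at x (Horner, mod PRIME)."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret, n, k):
    """Split an integer secret into n fragments (x, y); any k of them rebuild it."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must lie in the field")
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    # The constant term is the secret; the k-1 higher coefficients are random,
    # so any k-1 points are consistent with every possible secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(fragments):
    """Lagrange interpolation at x = 0 over the supplied fragments.

    With k or more distinct fragments this returns the secret. With fewer it
    returns some other field element, and nothing in the arithmetic says so.
    """
    total = 0
    for i, (xi, yi) in enumerate(fragments):
        num, den = 1, 1
        for j, (xj, _) in enumerate(fragments):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # pow(den, PRIME - 2, PRIME) is the modular inverse (Fermat's little theorem).
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def split_key(key: bytes, n: int, k: int):
    """Fragment a key of up to 64 bytes (hypothetical helper for this example)."""
    if not 1 <= len(key) <= 64:
        raise ValueError("this example handles keys of 1 to 64 bytes")
    return split_secret(int.from_bytes(key, "big"), n, k)


def recover_key(fragments, length: int) -> bytes:
    """Rebuild a key of the given byte length from fragments."""
    value = recover_secret(fragments)
    if value >> (8 * length):
        # Too few fragments, or fragments from different splits: the
        # interpolated value is a random field element, not a key.
        raise ValueError("fragments do not rebuild a key of this length")
    return value.to_bytes(length, "big")


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # the "diamond": a data-encryption key
    vaults = split_key(key, n=5, k=3)      # five vaults, any three suffice
    print(recover_key(vaults[:3], 32) == key)                        # True
    print(recover_key([vaults[0], vaults[2], vaults[4]], 32) == key) # True
    # Two vaults, one short of the threshold, do not give the key back.
    print(recover_secret(vaults[:2]) == int.from_bytes(key, "big"))  # False
```

The fragments themselves are worthless without the threshold, which is the property the article describes: raiding one "vault" yields a random-looking number, not a piece of the key. In practice the fragments would sit with separate custodians and the data itself would stay encrypted under the key, so the split protects the one secret everything else depends on.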
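The "real-time monitoring" point above, turned into a check that runs over an access log. This is an added example, not the article's code or any data-space product's: it counts, per tenant, how often a fragment store is read against how many transactions that tenant records, and flags the pattern the article calls out, frequent vault visits with no actual sales. The log format, tenant names, thresholds and sample lines are all constructed for this example.

```python
"""Access-pattern monitoring over constructed vault-access log lines.

Added example, not the article's code. Every read of a fragment store is
logged per tenant; a tenant whose reads keep coming while no transaction is
ever recorded is flagged for review.
"""
import re
from collections import defaultdict

# Constructed sample log (not real data). One event per line; the garbage
# line checks that malformed input is skipped rather than crashing the check.
SAMPLE_LOG = """\
2003-02-10T08:02:11Z ACCESS tenant=trader-07 box=112
2003-02-10T08:05:40Z TRADE tenant=trader-07 ref=INV-2201
2003-02-10T09:12:03Z ACCESS tenant=office-5C box=031
2003-02-11T09:14:55Z ACCESS tenant=office-5C box=031
2003-02-12T07:58:20Z ACCESS tenant=office-5C box=031
2003-02-13T08:03:41Z ACCESS tenant=office-5C box=031
2003-02-13T10:30:00Z ACCESS tenant=trader-07 box=112
2003-02-13T10:35:12Z TRADE tenant=trader-07 ref=INV-2207
2003-02-14T08:01:09Z ACCESS tenant=office-5C box=031
this line is garbage and must not crash the parser
2003-02-14T08:09:09Z ACCESS tenant=office-5C box=031
"""

# Invented line format: "<timestamp> <ACCESS|TRADE> tenant=<id> ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>ACCESS|TRADE) tenant=(?P<tenant>\S+)")


def parse_log(text):
    """Yield (timestamp, event, tenant) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("event"), m.group("tenant")


def tenant_counts(text):
    """Per-tenant counts of ACCESS and TRADE events."""
    counts = defaultdict(lambda: {"ACCESS": 0, "TRADE": 0})
    for _, event, tenant in parse_log(text):
        counts[tenant][event] += 1
    return dict(counts)


def flag_suspicious_tenants(text, min_accesses=4, max_ratio=5.0):
    """Return (tenant, accesses, trades) for tenants whose access pattern is off.

    Tenants with fewer than min_accesses reads are ignored (too little data).
    Above that, no trades at all, or more than max_ratio reads per trade,
    gets the tenant flagged for a human to look at.
    """
    flagged = []
    for tenant, c in sorted(tenant_counts(text).items()):
        accesses, trades = c["ACCESS"], c["TRADE"]
        if accesses < min_accesses:
            continue
        if trades == 0 or accesses / trades > max_ratio:
            flagged.append((tenant, accesses, trades))
    return flagged


if __name__ == "__main__":
    for tenant, accesses, trades in flag_suspicious_tenants(SAMPLE_LOG):
        print(f"review {tenant}: {accesses} accesses, {trades} trades")
```

The thresholds are deliberately simple; the value of the check is that it is computed from a log the data space writes itself, so the signal does not depend on a custodian noticing anything. In the sample, trader-07 reads the store twice and records two trades, while office-5C reads it six times and records nothing, and only the latter is reported.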
The breach at Mr. Cooper serves as a stark reminder of the importance of implementing robust data security measures. By using data spaces, organizations can significantly enhance their data protection strategies and mitigate the risk of breaches. Like the Antwerp Diamond Heist, modern data breaches require a proactive approach to security, and data spaces offer a viable solution to safeguard sensitive information and protect customers' trust.