Infosec in brief There’s no indication that the brazen bandits who stole jewels from the Louvre attacked the famed French museum’s systems, but had they tried, it would have been incredibly easy.
CheckNews, the investigative arm of French news outlet Libération, got its hands on a series of security audits from the Louvre going back to 2014, which reveal a decade-long history of extremely poor infosec at the museum, and suggest the former home of jewels once owned by French royalty doesn’t take security seriously. Hopefully that’s changed.
According to the outlet’s digging, the museum was guilty of basic security failures such as using the word “LOUVRE” as the password for its video surveillance server, and “THALES” as the password for a software platform provided by French vendor Thales.
Experts who tested the resilience of Louvre computer systems found them easy to break into by relying on the easily guessable passwords, and were able to gain access to other supposedly secure systems after using those passwords. Pen-testers were reportedly also able to gain access to a system used to control access badges at the Louvre and modify access rights for individual badges.
“All of these attacks could potentially be carried out by an attacker located outside the Louvre, who would have gained access to the museum’s various networks,” CheckNews reported.
A second audit, conducted in 2017, found similar problems, including the continued presence of Windows 2000 and Windows XP systems on the Louvre network long after Microsoft stopped supporting and providing security updates for the products. A later writeup from this past summer found that the software managing video surveillance was not only outdated, but running on a Windows Server 2003 machine.
Whether anything was done about those various failings is a mystery, the French outlet said. It approached the Louvre for comments, but museum management declined to say anything about the audit reports, which were marked confidential and for restricted distribution.
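The two findings above, credentials that are simply the organisation’s or vendor’s name and hosts still running versions of Windows that Microsoft stopped patching years ago, are the kind of thing a defender can check for mechanically across an asset inventory. The script below is an added example for this article, not code from CheckNews, the Louvre or Thales; the inventory, the asset names and the “today” date are constructed, and the end-of-support dates are Microsoft’s published extended-support end dates for the three products the audits mention.

```python
from dataclasses import dataclass
from datetime import date

# Microsoft extended-support end dates for the products named in the audits
# (public record). Any host still on one of these after the date is unpatched.
END_OF_SUPPORT = {
    "Windows 2000": date(2010, 7, 13),
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
}

# Constructed reference date for the sample run (assumption, not from the article).
TODAY = date(2025, 11, 10)


@dataclass
class Asset:
    name: str
    os: str
    password: str
    terms: tuple  # organisation, vendor and product names tied to this asset


def password_is_guessable(password: str, terms) -> bool:
    """True if the password is one of the asset's associated names, ignoring
    case and the usual trailing digits/punctuation ("Thales123!" -> "thales")."""
    stripped = password.lower().rstrip("0123456789!@#$%^&*.")
    return any(stripped == term.lower() for term in terms)


def os_is_unsupported(os_name: str, today: date) -> bool:
    """True if the OS has a known end-of-support date that is already past."""
    end = END_OF_SUPPORT.get(os_name)
    return end is not None and today > end


def audit(assets, today: date):
    """Return (asset name, finding) pairs for every weak credential or dead OS."""
    findings = []
    for asset in assets:
        if password_is_guessable(asset.password, asset.terms):
            findings.append((asset.name, "password is an org/vendor name"))
        if os_is_unsupported(asset.os, today):
            ended = END_OF_SUPPORT[asset.os]
            findings.append((asset.name, f"unsupported OS {asset.os} (support ended {ended})"))
    return findings


def run_sample_audit():
    """Run the audit over a constructed four-host inventory (hypothetical names)."""
    terms = ("Louvre", "Thales")
    inventory = [
        Asset("vms-01", "Windows Server 2003", "LOUVRE", terms),
        Asset("thales-platform", "Linux", "THALES", terms),
        Asset("badge-ctl", "Windows XP", "x7!Vq2#Lp9Rw", terms),
        Asset("web-01", "Linux", "Kp4$zR9vTq1m", terms),
    ]
    return audit(inventory, TODAY)


if __name__ == "__main__":
    for name, finding in run_sample_audit():
        print(f"{name}: {finding}")
```

On the constructed inventory the surveillance host is flagged twice (name-as-password and Server 2003), the vendor platform once for its password, and the badge controller once for XP; the fourth host passes. The name check is deliberately narrow (exact match after stripping a trailing suffix) so it produces no noise on real inventories; a fuller check would also compare against a breach wordlist.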
The bandits, meanwhile, have mostly been apprehended; the stolen jewels remain unaccounted for, aside from one dropped during the getaway.
Congress concedes shutdown cramping US cybersecurity posture
Wouldn’t you know it? The US House of Representatives is finally starting to realize that shutting the government down might have a negative impact on the state of national cybersecurity.
The House Committee on Homeland Security last week warned that China and other adversaries continue to target US government systems, and are likely thrilled with the fact that cybersecurity threat sharing has ground to a halt since the government closed up shop at the beginning of October.
Case in point: the Congressional Budget Office is already claiming a foreign threat actor broke into its systems and exposed research data used to help lawmakers craft legislation.
“The current federal government shutdown, coupled with the lapse of the Cybersecurity Information Sharing Act of 2015, is significantly constraining the federal government’s ability to coordinate with industry and execute its defensive cyber mission,” the Committee said.
CISA layoffs proceed despite courts
A number of layoffs in the federal government were blocked by court order last month, but the Cybersecurity and Infrastructure Security Agency said this week in a court filing that it didn’t care what the court said - it was going to lay off 54 employees anyway.
CISA justified the cuts to its Stakeholder Engagement Division (SED), responsible for coordinating threat sharing and incident response between the government and private industry in the US and beyond, by saying that it sent layoff notices to affected employees before the injunction was issued.
Additionally, acting CISA director Madhu Gottumukkala said in the filing, the injunction (which barred layoffs on or after October 1, when the shutdown began) didn’t apply to the SED employees CISA targeted, because only union members were protected by the order, and those employees aren’t union members.
Chinese court passes death sentence on cyber-scam camp bosses
The Chinese government has sentenced five people to death for their role in operating cyberscam operations in the neighboring country of Myanmar.
China has waged a years-long campaign against operators of cyberscam camps located in Myanmar, Laos, Cambodia and other countries. Beijing wants the camps gone because they lure Chinese citizens to work there as slaves, then look for victims to fleece in China.
The scam centers are thought to have helped criminals to earn billions.
The condemned in this case are senior members of the Bai crime family. In September, Chinese courts passed death sentences for members of the Ming family, another group thought to operate scam camps that use forced labor.
Security camera firm has seriously Flocked security, say elected officials
Flock Security, makers of license plate scanning cameras, gunshot detectors, and other law enforcement apparatus, are deserving of a federal investigation into their failure to properly secure their systems, say a pair of Democratic lawmakers.
US Senator Ron Wyden (D-OR) and Representative Raja Krishnamoorthi (D-IL) last week called on the Federal Trade Commission to launch an investigation, citing multiple leaks of law enforcement customer credentials that, when combined with poor security practices, endanger US citizens’ data.
Flock, the pair wrote, doesn’t require customers to use multi-factor authentication, and has had at least 35 customer accounts compromised as of late last week.
“Flock’s cavalier attitude towards cybersecurity needlessly exposes Americans to the threat of hackers and foreign spies tapping this data,” the pair wrote. “Accordingly, we urge the FTC to hold Flock accountable for its negligent cybersecurity practices.”
There’s precedent for such a reckoning too, the pair said, citing FTC decisions in security lapses at companies including Drizly, Uber, Blackbaud and others. Those cases were decided under Democratic and Republican administrations, including Trump’s first term, suggesting such reckless practices may be of interest to both parties. ®