* Posts by Steve Keller

2 publicly visible posts • joined 9 Dec 2007

Personal data for 650,000 customers vanishes into thin air

Steve Keller

Other people Secure Their Stuff

I'm a physical security consultant specializing in museum and fine art security, mostly in the US but also abroad. We have firms here that advertise themselves as "museum quality" storage facilities and they store inventory from museums, commercial art galleries, auction houses and private collectors. One or two are good and the rest are frauds. Hard assets like museum collections can't be encrypted to prevent their use by thieves but computer tapes probably can be without breaking anyone's budget. When museum assets burn up in a fire or blow away in a hurricane they are lost forever but when back up tapes are lost, more can be made. But even when the loss is critical it seems that many companies won't take their responsibility seriously and provide the security they advertise so what do we expect when the assets that disappear are replaceable and lack direct intrinsic value? They're only tapes, some might say.

The only answer is to impose serious liability simply for the act of losing the data and not just if you can prove damages. Repeated convictions in civil court for carelessness in caring for assets of others in your charge should result in criminal charges against the CEO of the company responsible. Then and only then will we get their attention. Hacking publication "2600" has a letter from a hacker who stole thousands of credit card records from Target, a major US retailer, by breaking the WEP code on their wireless network used for the inventory system then entering a folder on the server that stored the week's credit card data. He claims they stored all data on the customer's credit card, not just the data they needed, making the loss more critical. When breaches like this occur, if someone was held personally accountable, more effort would be made to provide better security. Why are financial records on the same system and network as inventory? Because computer professionals feel everything on the planet should have a machine address and should be on a network--the same network. Economy and efficiency are not the primary goals of management.

The warehouses in the US that provide true museum quality security for fine arts differ from those that don't in that they employ the better consulting firms to constantly test their system, have developed standards of quality, and have gone the extra mile to provide only top quality security. The others make compromises to make more profit.

The museums in the US are now developing standards and a rating system for all off site storage facilities and insurers may not insure those who don't achieve a high rating. The standard being developed is comprehensive, from not locating a storage facility on an airport flight path or flood zone to not placing the building's access control system on the company wide network where it can be breached.

Computer security however is different from physical security. We are a paranoid lot in physical security. I know hundreds of network administrators and every one argues that his network is secure and his procedures sound. Most insist they cannot be hacked and would never get a virus. There are no standards for real security of data because all they understand is computer security and not physical security and it takes an understanding of both to provide effective security. (Perhaps that's why I'm on a computer security forum trying to learn but i rarely if ever see a computer security person on a physical security forum).

Standards are needed and safeguards developed like requiring that back up tapes be encrypted but the standards must be developed by a team with a wide range of experiences and a lot of paranoia. My identity information is VERY important whether you think so or not.

Steve Keller

Data centre looted in multimillion pound overnight heist

Steve Keller

Isabella Stewart Gardner Museum Theft--Same MO

In March of 1990 the largest art heist in US history occurred in Boston at the Isabella Stewart Gardner Museum when two men dressed in Boston police uniforms came to the door and asked to be let in to deal with college students running through the interior courtyard. This was a common event since the museum was located across the street from a college, but this time it was not true. Once inside the fake cops tied up the two guards, robbed the museum, took the CCTV system tapes of the event, and left. The case remains unsolved. Museum employees everywhere now know to verify the identity of police before letting them in by call the police dispatcher unless they called for them personally for a known issue. Physical security should be part of every data center employee's training and this should include access control procedures.

Steve Keller

Museum Security Consultant