Schneier on Security
A blog covering security and security technology.
« Clever Micro-Deposit Scam |
| Schneier Interview »
June 6, 2008
Clever Museum Theft
Some expensive and impressive stuff was stolen from the University of British Columbia's Museum of Anthropology:
A dozen pieces of gold jewelry designed by prominent Canadian artist Bill Reid were stolen from the museum sometime on May 23, along with three pieces of gold-plated Mexican jewelry. The pieces that were taken are estimated to be worth close to $2 million.
Of course, it's not the museum's fault:
But museum director Anthony Shelton said that elaborate computer program printouts have determined that the museum's security system did not fail during the heist and that the construction of the building's layout did not compromise security.
Um, isn't having stuff get stolen the very definition of security failing? And does anyone have any idea how "elaborate computer program printouts" can determine that security didn't fail? What in the world is this guy talking about?
A few days later, we learned that security did indeed fail:
Four hours before the break-in on May 23, two or three key surveillance cameras at the Museum of Anthropology mysteriously went off-line.
Around the same time, a caller claiming to be from the alarm company phoned campus security, telling them there was a problem with the system and to ignore any alarms that might go off.
Campus security fell for the ruse and ignored an automated computer alert sent to them, police sources told CBC News.
Meanwhile surveillance cameras that were still operating captured poor pictures of what was going on inside the museum because of a policy to turn the lights off at night.
Then, as the lone guard working overnight in the museum that night left for a smoke break, the thief or thieves broke in, wearing gas masks and spraying bear spray to slow down anyone who might stumble across them.
It's a particular kind of security failure, but it's definitely a failure.
Posted on June 6, 2008 at 5:04 AM
• 50 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
"Particular"? More like "Spectacular".
I wonder whether Anthony Shelton would call a knife cut, 3-4 mm deep into his own neck at the jugular, a 'flesh wound'?
The theft of Bill Reid's works is a major loss.
@Bruce: "Anthony Shelton said that elaborate computer program printouts have determined..."
I speculate that this wording is down to the journalist mocking him, rather than his exact words.
Of course he may well have managed to mock himself. And the article has disappeared, so I'm only commenting on what's quoted here.
Sounds like the thieves have watched a lot of heist movies.
The details demonstrate that it was precisely a security failure, made possible by human engineering. You'd think they could have put motion sensors on at least some of their lights, or installed IR cameras. Or have a protocol that requires police to respond when part of the system goes down, no matter what the helpful person on the phone tells you...
Perhaps some inquiries can be made about folks who've purchased bear spray recently It might be different in BC, but down my way that's a specialty item.
He's either full of shit or extremely thick-skinned to try to claim security didn't fail when almost EVERYTHING about their security was broken...
What cracks me up is that the surveillance video was useless because of a policy to turn the lights off when the place is closed.
Actually, he's right; the security system didn't fail (other than the cameras); alarms did sound, and the building design wasn't at fault. The security PEOPLE failed. This is a social engineering attack.
A social engineering attack is still an attack on the security system. In this case, the attack was on the response.
If the system had been 100% reliable for years, I doubt their staff would have fallen for the attack.
@John Ridley: security encompasses more than security technology. Duh.
Also, what is "bear spray"?
@Roy: Light damages things, a lot of musea turn lights off. Furthermore most of them prohibit flash photography for that reason (although those that prohibit ALL photography are just cheapskates wanting to sell you THEIR photos of the collections).
@Muffin: I'm with you; what's "bear spray", like mace or something? Or does it have little bells in it?
Bear spray is plain old pepper spray.
In a container designed to deliver more spray at a longer range than the "spray directly in the face" stuff.
The overall security failed. The hardware part of the security system did not fail. If they learn from that properly, they'll fix what's actually broken; the people.
First, the security company should have some way to verify who they are when talking to the guards. Second, if the security system is malfunctioning, they should automatically start patrolling the area to cover.
Bear spray is a lot more potent than what you use on people. More capsaicin. In fact it's generally illegal to use bear spray on people. That's not to say that if I were being attacked, and I had some bear spray in my hand, I wouldn't use it.
"the security company should have some way to verify who they are when talking to the guards."
Had an electrician working on my premises last week. Phoned the alarm monitoring company to let them know the alarm might report that it had lost mains power and was running on battery. They didn't bother to ask for my password.
I'm now looking for a new monitoring company.
Why did the thieves use bear spray when they entered if no one was there? Strange. Something tells me there's an insider involved.
"the security company should have some way to verify who they are when talking to the guards."
Alternatively, the guards could refuse any request to ignore the alarms, no matter who they think they're from. Investigating false alarms is cheap compared with ignoring a real ones, provided that false alarms aren't too common.
If you believe the alarm system is faulty, you have two options:
1) Sit in your campus security room or continue what you were otherwise doing, ignoring any messages, bells, sirens, etc.
2) Be more watchful, perhaps bring in additional guards, to compensate for the loss of the functionality normally provided by the alarm system.
The museum's procedures probably should have chosen a trade-off closer to (2) than (1). Especially since it wasn't just the alarm system: cameras had gone down too.
(2) is more expensive, but it saves your stuff getting nicked. Even if the alarm system really has failed, and the call from the company is genuine, if your procedure is (1) then criminals will be highly motivated to find out about or cause genuine alarm failures. The alarm is all that stands between them and the loot, leading to a fragile security system.
Even (2) can be exploited, of course, in that an attacker might report/cause a failure in one area to draw attention away from another area. That possibility also must be taken into account in a rational response to equipment failure: you can't simply pile everyone to the affected area. But having no response at all to failure of part of your security system is looking for trouble. Systems need to fail safe where possible, not fail by leaving millions of dollars of stuff completely unguarded.
"Then, as the lone guard working overnight in the museum that night left for a smoke break, the thief or thieves broke in..."
Meh. Inside job. Entirely too much knowledge of the place's security systems and where they could fail. Start looking at the guard(s).
"an attacker might report/cause a failure in one area to draw attention away from another area."
An acquaintance of mine had his machine shop robbed - not cleaned out, but most of his small, high-value tools were stolen. At the time the robbery was taking place, the police of this small suburb were responding to a call across town; someone had thrown a railroad tie through the plate glass window of a video store. The police believed the two incidents were related. No one was ever caught.
There may be a couple of simple explanation as to why he claimed that the security did not fail, and it's all to do with insurance liability.
1) The pieces did not belong to the museum and there might well have been a clause about the technical security in either the loan agreament or insurance cover.
1) the Guards where from another organisation (they failed they pay not the museum)
I think for a saving of +2million for his employer and his job the avarage joe would quite happely say something in a peculiar way even though it sounded silly.
Money is a strange mistress we love her abilities whilst cursing her inconveniance 8)
Brilliant. I appreciate talent when I see it :) it was genial, simple (or so it seems after it's done) and it worked.
According to infamous satanic bible, stupidity is a sin. While I not always agree with it, this robbery is definitely the case. Starting with lights turned off and ending with security people who ignore alarms because they were kindly asked to.
The museum and Reid's widow are quite concerned that the art pieces - which are made from gold - might be melted down and sold as precious metal only. Of course, that would severely reduce their value. That being said, gold would be easier to sell than famous stolen artwork. Thieves face security trade-offs as well.
> Why did the thieves use bear spray when they entered if no one was there?
If it wasn't an inside job, because they didn't know for certain no-one was there (or that no-one would come back while they were still there). (And if it was and they knew they would be undisturbed, to give the impression they didn't know, presumably. Or in case the Watch has a werewolf tracking them :-) )
Sure, any system has a maximum capacity. There are only so many cops in a small town, and only so many guards on campus. If an attacker can genuinely overwhelm your available resources then you just lose, regardless of how you deploy them.
Sounds like the museum normally has an alarm system, CCTV, and a guard on duty most of the time (by "most" I mean "except when he's smoking"). After a technical failure of the alarm system and some CCTV cameras (not counting the ones in dark rooms which never worked in the first place, there are the three which 'mysteriously' went down), a rational evaluation would probably suggest that the value of having more than 95% of a guard in there has increased.
I guess (with hindsight, admittedly) that their best bet was either to move someone there from elsewhere on campus to cover at least the first guard's breaks, or else to pay for an extra shift.
Cameras in dark rooms, normally speaking, might not be completely stupid. They might be there primarily for use during opening hours, when the alarm system is off and it's not dark. At night, maybe anything which would appear on the CCTV would be expected to trigger the alarm, so the CCTV is redundant and hence less valuable.
Turning lights off at night may have some security benefit, in that intruders will have to use flashlights, and a flashlight in a dark room is that bit easier to spot from outside than a person in a lit room. Even with the lights off, it does no harm to leave the cameras running. It's unlikely they'll do any good, but they're already there, so they're cheap, and you never know. No such luck this time.
I'm totally with you that ignoring the alarms is a plain mistake. At the very least, if what I say above is true, then when the alarm system is down the value of the CCTV increases. Even if you don't post extra guards, you could at least turn the lights back on so that you get the value of the CCTV back.
What is it about positions of authority nowadays that the first response to any sort of massive failure is, "It's not my/our fault?"
Now you look foolish twice over; once for failing, and once for pretending your failure never occurred.
Bear spray link in my URL
Canada hasn;t become so paranoid that we require registration of people who purchase bear spray.
And given the number of hikers and outdoors enthusiasts in the Vancouver area, I'd venutre there are quite a few purchase of bear spray per day. Not to mention that as a potential "lead" the bear spray could have ben purchased anywhere, not necessarily locally. I'll even venture the theives weren't from the area...
I find myself strangely hopeful that someone putting in this much effort actually stole the pieces because of their artistic value, not to melt them down.
I must be getting naive as I grow older.
"I guess (with hindsight, admittedly) that their best bet was either to move someone there from elsewhere on campus to cover at least the first guard's breaks, or else to pay for an extra shift."
...or hire non-smoking guards in the first place? But seriously single points of failure are never good for availability.
Could be a 'theft to order' for a wealthy patron with loose morals. Bill Reid is a famous artist and it would be exceedingly difficult to sell the pieces on, and as mentioned in the article the value of the gold itself is around $15K, which I suspect is not enough payback if the criminal in question is really the 'mastermind' art thief they suspect....
"...or hire non-smoking guards in the first place? "
That would have to be a non-smoking guard who never needs to go to the bathroom, or take breaks, or eats, I guess.
Isn't that what the alarm system was supposed to be?
Interesting sidebar on the theft: The artist's widow was very worried that the gold was stolen for its 'meltdown' value, rather than artistic value. The museum wisely chose a reward value that exceeded the meltdown value.
There has been considerable debate in Vancouver about whether the theft was by dumb junkies or by savvy art thiefs. I don't know enough about the case to distinguish, but that is a very interesting question. (Vancouver has one of the highest property crime rates in North America. You're unlikely to get shot here; you are very likely to have your car broken into . . .)
The system did fail. What was lacking was verification that the person claiming to be a representative of the alarm company was, in fact, a representative of the alarm company.
True, it wasn't a failure of the cameras, or the electronics, or the computers, but a security system includes the human processes, it's not just the electronics.
Either there wasn't a verification mechanism in place (call back, or challenge/response passwords, or whatever), or the training of the employees in the use of that mechanism was lacking.
But either of those failings is a failing of the security system.
When Friendster was having XSS vulnerabilities and whatnot up the ying-yang, they issued a press release with one of my favorite quotes: "We have a policy that we're not being hacked." I use it often.
I think "elaborate computer program printouts have determined that the [...] security system did not fail" will now join it.
"Elaborate computer program printouts" sounds like audit logs to me. The guy probably looked at the logs, saw that the alarm did sound and concluded that the automated security system worked as designed. It was just the human part that failed...
It did fail--failed procedures and implementations all over the place. PLUS if it was only the PEOPLE that failed -- well, PEOPLE are the most important part of a security system.
I liked that the reward for information was increased above $50,000. But they won't say by how much. What's the point of that? It either means they won't prosecute (because no perp will otherwise risk exposure by communicating with them to negotiate), or that they are idiots.
I wonder how their insurance company will respond, seeing that gross negligence was likely involved in correct security.
If the insurance agency declines to cover because of failures, then the reward might reach pretty high, as it become worth the money to recover vs pay out.
Bruce: I suppose that you would classify this as a "movie plot theft"?
I liked that the reward for information was originally set to $50,000, then increased above $50,000. But they won't say by how much. What's the point of that? It either means they won't prosecute (because no perp will otherwise risk exposure by communicating with them to negotiate), or that they are idiots. Why else not say what the reward is?
Annoying. Real alarm monitoring points insist on verification codes. This is why campus security and police (love them dearly) should NEVER be allowed to be a point source failure for their own alarms. Always third party it.
"But having the campus security monitor it is so much cheaper..." Not this time it wasn't.
As for false alarms, you can't dispatch the police every time a sensor point packs it in. Otherwise you're awash in false alarm fees. What you look for is patterns of alarms, inconsistent with mechanical failure but consistent with unlawful entry.
Lighting is cheap security. Making sure that the lighting is up in the camera protected areas is a basic checklist item. Someone muffed the security audit. I sense insurance company refusal to pay off.
As for the smoking guard, this is the hidden vulnerability in so many places I can't begin to tell you. Smoking doors are a reliable point of entry into every highly secure facility I know of, including the military and government ones. Only where adequate facilities for smokers exist is this hole plugged.
Last but not least, this is certainly a case where the bad guys cased the place. Review of past surveillance camera footage might be fruitful in catching the bandits. The guard can expect to be a focus of the investigation as well. Sorry, dude, it's the nature of the business.
> Then, as the lone guard working overnight in the museum that night left for a smoke break, the thief or thieves broke in...
Couldn't the burglars restrict their robberies to times when the guard isn't taking a break?
> offering a $50,000 reward
Cool! Here's my submission: "You were robbed because you were stupid"
The museum and Reid's widow are quite concerned that the art pieces - which are made from gold - might be melted down and sold as precious metal only. Of course, that would severely reduce their value.
But probably increase the the value to thieves (and the people they deal with.)
Consider that there are people who will steal telephone cable and even manhole covers. Gold is rather more valuable than either copper or cast iron.
Turning lights off at night may have some security benefit, in that intruders will have to use flashlights, and a flashlight in a dark room is that bit easier to spot from outside than a person in a lit room.
As well as being very obvious to a camera anyway many cameras are perfectly capable of producing an image using a fairly low level of infrared light. You can even buy cameras which come fitted with suitable lamps.
Lighting is cheap security. Making sure that the lighting is up in the camera protected areas is a basic checklist item. Someone muffed the security audit.
It could even work out cheaper if you use infrared too. The light source can then be narrow in spectrum and you can use lamps such as LEDs which are very efficient at converting electrical energy into photons.
Probably the director and security guard are in on it.
With our new torture and arrest rights we could beat it out of them in a couple seconds. Canada,
can you send them over like you did to that middle east guy? Plus, if they did not do it we can just beat them anyway to keep our boys and girls sharp.
Seems like the thieves checked out the heist movies but the guards didn't. They really ought to make certain movies mandatory for security guards. "Mallrats", and "The Italian Job", and a few others....
I once accidentally triggered the alarm in the office when I was leaving (it was 8pm, I had worked late). I quickly called the number of the security company who asked for the password. Luckily for me, another member of staff had stuck a Post-It to the alarm panel with the password written on it.....
I see several comments here that seem to miss a few basic points that I'd like to cover here.
1. The museum's director *did not say that security didn't fail.* This is a severe distortion of what he said, so severe that I am seriously disappointed in Bruce for implying otherwise. A *newspaper reporter* said that he was told the "security system" didn't fail, but it was quite clearly not a quote. Taking Anthony Shelton to task for a statement by a newspaper reporter is unfair. Further, it is absolutely clear that this statement is specifically about the automated alarm, and is quite true *when taken in this context*. If someone clearly talking about automated alarms says they didn't fail, and printouts clearly show they went off when they should have, then the "security system" didn't fail, just as was claimed.
2. A number of people have commented on the "stupidity" of turning off the lights. This is wrong; it isn't stupid, it is *absolutely necessary*. Museums *have to* turn off the lights. Lights damage museum exhibits. Any museum manager who suggests leaving on bright lights to catch thieves should be replaced as soon as possible. Further, Bruce himself has pointed out in the past that there are a long chain of studies that show that places with lights on get more robberies, not fewer.
3. While I wouldn't rule out an inside job, it is unlikely. Inside jobs are characterized by thieves who exploit weaknesses in a system that only insiders know, and these thieves didn't do this. Everything that we have evidence that they knew (the guard took smoke breaks, how to disable two or three cameras, and the name of the alarm company) is easily obtained without an inside man. Further, the fact that they were still caught on camera, set off alarms, and sprayed bear spray on non-existent guards all firmly imply that they were short on exactly the sort of information that an inside man would give.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.