Red Hot Cyber
Cybersecurity, Cybercrime News and Vulnerability Analysis
As we know, the thieves in the “theft of the century” entered through a second-floor window of the Louvre Museum, but the museum had other problems besides unprotected windows.
Although Culture Minister Rachida Dati stated that “the museum’s security systems did not fail,” there are indications that some cybersecurity breaches did occur .
According to confidential documents seen by the newspaper Libération, in 2014, simply typing ” LOUVRE ” accessed the server responsible for video surveillance at France’s most famous museum. Or typing ” THALES ” accessed the software published by the company of the same name.
These passwords, which in technical jargon are called “default” or “predictable passwords,” were already defined by the ANSSI (French National Agency for Information Security) as a serious risk. They reported that “the Louvre Museum’s office network also includes obsolete systems” such as Windows 2000 —which no longer guaranteed session locking or antivirus updates.
ANSSI verified all of this with an internal audit in 2014. Microsoft had stopped providing security updates for Windows 2000 as early as July 2010. The audit contained very specific recommendations: use more complex passwords, migrate software to supported versions, and fix vulnerabilities . But the museum did not respond to whether it actually followed these recommendations.
A second audit was conducted in 2017 by the INHESJ (National Institute for Advanced Studies on Security and Justice) and found that “some workstations have obsolete operating systems (Windows 2000 and Windows XP) that no longer guarantee effective security (no antivirus updates, no passwords or session locks, etc.).” Microsoft discontinued extended support for Windows XP in 2014.
Twenty years of technical debt have weighed heavily on the Louvre’s security, with the continuous accumulation of analog video surveillance, digital video surveillance, intrusion detection, and access control systems, some with dedicated servers or proprietary applications. Some of these systems have become obsolete over time and would require updates or replacement.
Follow us on Google News to receive daily updates on cybersecurity. Contact us if you would like to report news, insights or content for publication.
