The recent high-profile email dumps from Wikileaks appear to have been obtained through an email “Phishing” scheme that is pervasive. I received the same email around the same time as the target of one of the most visible leaks. Here is how to minimize your risk.
If you own a retail business and utilize cameras only for security purposes, you’re missing out on their full potential to contribute to your company’s growth.
A number of technology companies are now using surveillance cameras — previously considered primarily as a way to deter or catch thieves — to help retail businesses learn about their customers’ shopping habits.
Video analytics, heat maps, and dynamic data can help companies perform A/B tests to see whether customers better respond to one campaign versus another. It allows retail firms to gather powerful data about customers without the need for surveys or other disruptive techniques.
How it works
MOBOTIX sells a security camera and analytics package that “can capture an entire room with no blind spots.”
The software captures the movement of people in the video image and then displays the results as a heat map so that business owners can see the areas that had the highest traffic. Companies will be able to see the most popular products or exhibition booths at a show, identify the most visited shelves in a store, or even show the patterns of how people enter or exit a particular location in the store.
This information can easily be presented in daily, weekly, or monthly reports for management.
Like MOBOTIX, other companies such as Prism and Prayas stress that video analysis is a better way to capture data without violating privacy rights of customers. An older method of gathering data had involved identifying and storing a unique identification code of a customer’s smartphone.
Instead, Prism CEO Steve Russell said his software doesn’t capture any identifying information about the customers; in fact, the video feed it presents back to businesses is completely void of humans. Instead the video analytics shows trends and the areas with the highest traffic.
Prayas Analytics, in the same vein, doesn’t include any facial recognition or personal identification functionality in its software to promote privacy.
Low cost to entry
The companies all try to make it easy for businesses to get started, all touting low costs to entry.
Prayas says that companies can keep their existing security system and only need to purchase access to the analytics software. Prayas can connect to the retail store’s surveillance cameras and get started immediately in analyzing its traffic patterns.
Prism also says its analytics software can overlay on an existing video feed; the company even says its high-quality imagery needs only low network bandwidth.
MOBOTIX does require customers to purchase cameras. But the company argues that this can save money in the long run: each camera includes its own high-speed computer with memory, removing the need to have a computer or network server record, analyze, and store the information. All of the analysis happens right in the camera, reducing the amount of network bandwidth the security system will need to use.
The Washington Post published an article earlier this month titled “A quintessentially American crime declines: Robbing banks doesn’t pay as it used to.” It is a reminder that electronic security can leave us more vulnerable than physical security -- at least as far as financial loss.
Last week I heard about an associate who wrote about his recent experience as the victim of a “Whaling” cyber attack and consequently lost $400K. This morning our accounting staff received an email from a hacker spoofing one of our executives requesting that accounting wire funds to a “vendor”.
Physical security systems are important. However, just as we need to be alert in the physical world, we need to recognize that the internet is a dodgy neighborhood. We need to be alert and vigilant or we will eventually find ourselves the victim of one of these attacks.
Some steps we can take to protect ourselves from this sort of security breach:
- Always use 2-factor authentication. This is critical to the point that any of our customers who need assistance setting this up should reach out to us. Your bank should offer this type of security as well.
- Follow set procedures -- In the case of the $400K theft from Verne Harnish, the hacker was able to accomplish their objective because his travel and other circumstances resulted in a deviation from their standard procedure. In the case of the whaling email we received today, the issue was escalated because our accounting person pushed back that they would need to submit the request using our set procedures.
Keep in mind the standard warnings about email security and attachments:
- Don’t download any Microsoft documents or executable files, even if you know who they are coming from (easy to spoof!)
- Keep software and OS versions current and patched.
- Use good passwords and make sure they are different and complex for anything sensitive.
If you are an Urban Alarm customer and would like assistance assessing your computer security situation and tools please let us know. We would be happy to help secure your personal online security as well as the physical security of your home and business.
The DMP Virtual Keypad app, which allows users to control their security systems remotely, has just released its latest version and is now a clear leader in the mobile alarm application space.
The latest update released last week provides a customizable home screen that allows users to quickly access their most used security cameras, thermostats, and other systems. The application is now available on Apple Watch for the first time.
Urban Alarm often recommends DMP security alarm panels because of the application’s high levels of security, manufacturer quality and support, and multiple communication paths direct to our monitoring station.
While the DMP mobile application has, at times, lagged behind many others, it is now on par with or exceeds the quality and functionality of other mobile alarm applications.
Features of the DMP Virtual Keypad application
For consumers who want remote control over their security system, the application provides the ability to:
- Control your systems via your Apple Watch
- Lock or unlock doors
- Arm or disarm security alarms
- Turn on or off lights
- Control thermostats and other in-home systems
The application provides real-time alerts when alarms are triggered, showing the user an image of the area in question. The user can then confirm or dismiss whether the disturbance is a legitimate threat.
This update will allow users to more easily view or control key areas of their home. The expansion to Apple Watch also increases the user’s assurance that they will always know what is happening in their secured home.
Keep security in mind when selecting an IoT app
DMP’s high standards for security and constant rollout of upgrades are positive signs for the Internet of Things application. It’s important that consumers consider potential security vulnerabilities whenever selecting IoT products.
The most common vulnerabilities include poor mechanisms to roll out system updates, insecure connections when passing information from device to backend network, and holes in user account security.
It’s always advisable to vet a potential application and find out how it’s securing its data before fully investing in the product.
When a truck plowed into a crowd celebrating Bastille Day in Nice, France earlier this month, it was another painful reminder that a criminal or terrorist attack can happen at any point.
Although we should live our lives as normally as possible, it’s important that each of us is prepared to take personal safety measures if an incident occurs.
Taking stock of your surroundings
Whenever you go to a public place — like a movie theater, shopping mall, restaurant, or sports arena — take the time to identify the closest two exits. It’s important to find a second exit in case your first option is cut off.
If you can sit closer to an exit (like in a movie theater), take the opportunity to do so. If you’re out at a restaurant, take note of the kitchen’s location since there’s usually an exit route nearby. Some stores in shopping malls will have storage areas that will also provide back-door exits.
Avoid looking down at your phone while you’re walking; instead, swivel your head from side to side so you see everything around you.
You don’t need to be on high alert at all times, but getting into a routine of constantly taking in your surroundings will let you quickly identify something that’s amiss.
If a shooter emerges, first try to evacuate
How should you respond if an active shooter is in your area? The Department of Homeland Security recommends following the “run, hide, fight” approach. That means first trying to evacuate.
If you’re unsure where the shooter is, it’s important to not run around blindly. Pick an escape route and stick to it.
There will be a commotion as the large crowd of people all tries to escape the area at the same time. Try to stay as low to the ground as possible, but be sure to have full control of your balance to avoid falling.
Don’t bring any belongings with you as that may slow you down. Keep your hands visible at all times.
Hide if you need to, fight as last resort
If running is not an option, then hide in an area outside the shooter’s line of sight, DHS recommends.
If possible, block entry to the location and lock the doors. Silence all cell phones.
In a restaurant, you may need to drop to the ground immediately and use your table as a cover. If you’re in a public office, then close and lock your doors and turn off the lights.
Take action against the shooter only as a very last resort. The Department of Homeland Security recommends throwing items at the shooter or trying to incapacitate the person in some other way.
This should be seen as a last possible option — only when your life is in danger, and evacuation and hiding options have been exhausted.
Be prepared, even if you’re not at scene
Even if you’re not in the immediate location where a criminal or terrorist act occurs, the Red Cross recommends taking steps to ensure your safety.
Turn on the radio or TV to hear news and instructions, and follow the advice of local responders and public officials.
Smell for any gas leaks. If you suspect there is one, turn off the valve right away, open all windows, and leave the building.
Don’t light any matches or turn on light switches; instead, use your phone or a flashlight to check for damages to utilities and wiring. Be on the lookout for fires or fire hazards.
Make sure your family has an emergency plan. Practice it often so you’re ready to act if an incident does occur.
Everything related to mobile devices is changing. Credentials for access control systems are no exception.
Most people who have lived in an apartment building or worked in a commercial office have used a FOB or keycard to unlock an electronic door. And with mobile pay apps, many people also find more and more of the physical items they have carried in the past have now moved to their mobile devices (e.g., membership cards, boarding passes, and credit cards).
Access control FOBs and cards will soon be as obsolete as paper boarding passes, with newer systems emphasizing mobile apps, Bluetooth, and/or location based beacons. For the past ten years sticker dots have been available to put the physical credential on the back of a badge or on your phone. But now the physical badge is going away completely.
The most common approach to these systems with physical access is a mobile app that talks to the Bluetooth-ready unit by the door. These units allow the user to be authorized for access. This is how HID has implemented their Bluetooth-compatible readers and is a useful approach, as it allows users with mobile devices -- with the app installed -- to unlock an electronic door they are authorized for.
Bluetooth readers are an interim step, however, as once we use our mobile devices for physical access control we can get rid of the reader altogether. The phone “knows” where we are and presumably knows who we are. As a result, approaching a door can either release the door (for low security entry points) or prompt us for a code or fingerprint on the phone in order to release the door.
Different doors will have different levels of permission. Accessing a door to an airport tarmac may require the mobile device to communicate with a sensor at the door and verify the fingerprint of the mobile device user, while the bathroom at Starbucks may simply verify that the holder of the mobile device is a customer with their mobile app installed and is within five feet of the entry door.
As mobile devices know where we are, know who we are, and communicate with the systems around us, physical access control management will be absorbed into the existing networks -- providing new opportunities for convenience, security, and customized features.
For more about our access control installation and management services visit our website or contact us now for an informative and no cost consultation.
Consumers buy Internet of Things (IoT) devices like Ring Doorbell Pro to see instant videos of their doorsteps and keep their homes safe.
So imagine their surprise when some began seeing videos from other houses. The company had been merging databases with user information and some ID numbers were accidentally overridden, leading to a mixup of user accounts. Ring contested that the error rate was extremely small — fewer than 10 out of nearly 84 million calls.
Still, the security error demonstrates the vulnerability of IoT security systems. There are a lot of areas where things can go wrong — from the backend network that keeps everything running, to the web or mobile app screens where users view information, and even the physical devices themselves.
And although the Ring case was seemingly an internal error which was caught relatively quickly, the real danger is if a hacker can break into a system and use it to damage people.
OWASP (Open Web Application Security Project) is currently working on a project that analyzes the security of IoT applications. The project highlights some major vulnerabilities that can occur:
- Easy collection of usernames — Any time there is something that needs to authenticate users (make sure it’s who they say they are), there's a chance that an attacker can view and collect a list of valid usernames.
- Weak passwords — If the system allows weak passwords (e.g. “1234”) people may be tempted to choose them, allowing attackers to easily guess and obtain access to the account.
- Lack of account lockout — Does the system let users guess passwords an infinite amount of times? Systems that do are prime real estate for attackers.
- Unencrypted services — There is a lot of information being passed between the physical device, a device on the user side (e.g. a computer or mobile phone), and a backend network that is keeping everything running. If that communication between devices is unencrypted, attackers can eavesdrop on the system and learn sensitive information.
- Poor update mechanisms — All good systems should have the ability to securely install update files and clearly mark when the last update occurred. If this process is not stable, attackers can break into the update files and do damage — either by installing malicious updates or overriding other security measures.
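The first three items on that list are all decided in the login path, so they can be shown together. The sketch below is an added example, not code from OWASP or from any product named here; the `AccountStore` class, its method names and the policy values are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

# Assumed policy values for this example; tune them for the real device.
MAX_FAILURES = 5               # consecutive failures before lockout
LOCKOUT_SECONDS = 15 * 60      # how long a locked account stays locked
MIN_LENGTH = 12
COMMON_PASSWORDS = {"1234", "password", "password1234", "qwertyuiop123"}  # constructed sample
GENERIC_ERROR = "Invalid username or password"
PBKDF2_ROUNDS = 100_000        # example value; raise it as far as the hardware allows


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class AccountStore:
    """In-memory credential store (hypothetical; a real one would persist state)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._users = {}       # username -> (salt, password hash)
        self._failures = {}    # submitted username -> (failure count, locked_until)
        # Dummy credential: unknown usernames cost the same hashing work as real
        # ones, so response time does not reveal which usernames exist.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = hash_password("placeholder", self._dummy_salt)

    def set_password(self, username, password):
        """Weak passwords: refuse short, common or username-derived passwords."""
        lowered = password.lower()
        if (len(password) < MIN_LENGTH or lowered in COMMON_PASSWORDS
                or username.lower() in lowered):
            return False, "Password too weak"
        salt = os.urandom(16)
        self._users[username] = (salt, hash_password(password, salt))
        return True, "ok"

    def login(self, username, password):
        now = self._clock()
        # Failures are tracked for every submitted username, known or not, so
        # lockout behaviour is identical for both. A production store would
        # cap or expire these entries.
        count, locked_until = self._failures.get(username, (0, 0.0))
        if locked_until and now >= locked_until:
            count, locked_until = 0, 0.0          # lockout has expired

        known = username in self._users
        salt, stored = self._users.get(username, (self._dummy_salt, self._dummy_hash))
        matches = hmac.compare_digest(hash_password(password, salt), stored)

        # Account lockout: while locked, even the correct password is refused.
        if now < locked_until:
            return False, GENERIC_ERROR
        if known and matches:
            self._failures.pop(username, None)
            return True, "ok"

        count += 1
        if count >= MAX_FAILURES:
            locked_until = now + LOCKOUT_SECONDS
        self._failures[username] = (count, locked_until)
        # Username collection: one message for "no such user", "wrong
        # password" and "locked out".
        return False, GENERIC_ERROR


if __name__ == "__main__":
    store = AccountStore()
    print(store.set_password("alice", "1234"))
    print(store.set_password("alice", "correct horse battery"))
    print(store.login("nobody", "guess"), store.login("alice", "guess"))
```
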
These security vulnerabilities aren’t just hypothetical; some systems have already shown failures in the real world.
Observer.com published a list of eight of the biggest IoT security fails. Number one on the list was Target, the company that suffered a major breach of credit card information at the hands of hackers.
To pull it off, the attackers entered through a security vulnerability in Target’s IoT heating and cooling system. After gaining access to that system, the attackers were recognized as legitimate users and were able to access Target’s point of sale system — installing software on credit card readers that allowed them to see personal information every time a card was swiped.
In another case on Observer’s list, a presenter at a security conference demonstrated how easy it was to install code onto Nest thermostats.
The ability to tamper with the physical devices meant that attackers could buy tons of Nest devices, install malicious code, and then resell them to the general public. The attackers would then be able to access secure information from the unknowing consumers.
* Illustration re-posted under Creative Commons License from www.nesta.org.uk
Of the more than 30,000 security cameras in Washington, D.C., many are analog cameras installed using older wiring. These cameras are no longer meeting the high-resolution image demands of 2016.
If you have a security system that relies on analog coaxial cable wiring, what's the best path forward?
There are two main options:
- Use a converter. Converters (like this one from Network Video Technologies) allow you to run IP (Internet protocol) over COAX and/or two conductor wires.
With this approach, you can:
- Use higher resolution cameras with 3-5x the resolution of analog HD cameras.
- Zoom in on important information, without losing clarity.
- Rely on a single cable for data and power for multiple cameras.
The downside? The converter may be more expensive than the actual camera, significantly increasing the per-camera costs.
- Add HD analog and phase in IP cameras. Keep your COAX cable and hook it up with HD resolution analog cameras. Over time, you can expand it to include IP cameras, as well.
While they don't have as high resolution as IP cameras, HD analog cameras can still hold their own. The cameras:
- Offer good image quality.
- Have minimal configuration requirements compared to IP cameras.
- Can transmit video up to 1600', exceeding most network wire distances.
- Work off network, so they won't take up bandwidth or clash with other resources.
- Have zero latency.
While HD analog cameras have recently been around half the cost of IP cameras, that difference is closing and some IP cameras are more or less the same cost. Start off with HD analog cameras right away, and work in new IP cameras over time.
A new security camera rebate program is making it easier for D.C. residents to buy and install private security cameras.
Residents, businesses, and religious organizations in several D.C. wards can now apply for rebates to purchase and install security cameras on their buildings, as a part of the government’s Private Security Camera Incentive Program.
The D.C. camera initiative will allow some owners and tenants to receive up to $200 per individual camera (there is a cap of $500 total per residence or $750 for commercial properties).
Offering security camera rebates is “another step to deter crime and assist police during investigations,” said Mayor Muriel Bowser in a statement. Police will be able to request video footage from camera owners to investigate crimes, but will not have access to live video feeds, the mayor’s office said.
In addition to capturing crime as it happens, the mere presence of video surveillance can deter intrusion altogether. Some systems also work like a motion detector to alert owners when something may be amiss.
The program will roll out first to applicants who live in these Police Service Areas (PSAs):
- MPD First District: 104, 105, 107, 108
- MPD Second District: 202, 207, 208
- MPD Third District: 302, 303, 305
- MPD Fourth District: 402, 403, 405, 409
- MPD Fifth District: All PSAs
- MPD 6th District: 602, 603, 604, 608
- MPD 7th District: All PSAs
Applicants can identify their property’s PSA online. Only those in the priority PSAs can apply for now, but it will be opened up to anyone after August 1 — provided the program’s $500,000 budget has funding remaining.
Security cameras must be installed on the exterior of the building and need to meet minimum requirements — including 250 GB of storage for digital cameras (125 GB for analog) and 1280x720 screen resolution (640x480 for analog).
Recommended specifications are even higher. The ideal digital security camera will feature:
- High video quality at 15 frames per second
- Camera resolution of 3 Megapixels
- Screen resolution of 2048x1536
- 2.5 TB of storage
The security cameras must have been purchased and set up after September 22, 2015. The property owner must also register the cameras with the Metropolitan Police Department in order to qualify for the rebate.
Qualified property owners or tenants can apply online for the rebate. The application requires:
- Proof of purchase of the cameras
- Proof of registration with MPD
- Proof of installation
- If the applicant is the tenant, proof that the property owner consents to the security cameras and rebate application
After the application is approved, it may take up to 45 days to process and send the rebate to the applicant.
Councilmember Charles Allen (Ward 6) authored the bill that ultimately led to the rebate program. He hopes the video surveillance will deter crime “by adding extra eyes on the street.”
Wired Magazine is back to remind us that most of the security alarm systems installed are easily hacked. In 2014 Wired reported on the vulnerabilities of alarm systems installed by ADT, Vivint, and others, and today it reported on similar vulnerabilities in security alarm systems installed by Xfinity.
In response to their reporting, CERT (Computer Emergency Response Teams, sponsored by the US Department of Homeland Security) issued a “Vulnerability Note” echoing this warning.
This is not news. The majority of consumer intrusion alarm manufacturers operate under the assumption that intruders are not going to be knowledgeable or do their homework. And they are largely correct.
Most break-ins are opportunistic and perpetrated by someone looking for the easy way in, and a quick way out. Intrusion Alarm Systems do not need to be sophisticated to address this threat. The wireless vulnerability is just one of many deficiencies of most security alarm systems.
Basic encryption, standard in any consumer WiFi router, is extremely rare in alarm systems and generally only implemented in the most secure DOD level intrusion alarm systems (e.g., those protecting a Sensitive Compartmented Information Facility, or SCIF).
I have never heard a major consumer-oriented alarm company mention issues around social engineering much less have a strategy for mitigating those risks.
Wired cited a Comcast spokesperson responding to today’s article: “Our home security system uses the same advanced, industry-standard technology as the nation’s top home security providers,” the spokesperson said. “The issue being raised is technology used by all home security systems that use wireless connectivity for door, window and other sensors to communicate.”
Well, yes and no. It is shockingly true that systems sold by most security alarm manufacturers are vulnerable to this same problem. However, there are security alarm systems that are proactive in addressing these issues, and much less vulnerable. Security alarm installers that put security ahead of cost and some “nice to have” features can talk about these trade-offs, and offer options that significantly address these problems.
I recently discussed “high security alarm systems” with a customer who was looking for the absolute state of the art in security. And while most major alarm companies would suggest such systems center around “smart homes” and “internet of things” the most secure systems are not always the coolest systems (or at least the systems that look cool in an advertisement).
What makes a high security intrusion alarm system? There is a range, from the DIY and mass market systems covered in these Wired articles, to the uber high security systems that are defined by UL standards and are the cornerstone of security for the intelligence and defense agencies.
Most of the systems Urban Alarm installs address the specific wireless vulnerabilities covered in the articles with two-way wireless, wireless jamming detection, higher frequency spread-spectrum technology, and variable time duration supervision. Some customers want the alarm system to sound a warning when interference jams the wireless signal for a moment. Others are less concerned and would prefer an uninterrupted night’s sleep to a false warning from innocuous stray wireless signals.
Characteristics of a high security intrusion alarm system (this technical list is for illustration and scope so I will not get into detailed explanation of each here):
- High frequency spread-spectrum wireless
- Two-way wireless with variable timeframe supervision
- Anti-jamming detection and notification
- End of line resistors (at the end of line, not in the alarm panel)
- Multiple communication paths for monitoring signal transmission
- Aggressive supervision of a security panel’s communication from the central station (e.g., the alarm panel performs a communications test every few minutes and a failure triggers a warning or alarm)
- Encrypted communication with an alarm monitoring central station
- IP restricted reporting and/or VPN tunneling to central monitoring station
- Tamper detection on panels, wires, and other elements of the alarm system
- Biased (balanced) magnetic reed contact
- Two-Factor Authorization with Central Station Dispatchers
- Social Engineering defeat strategies
It is not practical or cost effective to implement all of these strategies in every installation. Threat assessments are a part of designing a good security alarm system. Installing a security system where there is a specific targeted threat may be different than for someone whose primary concern is the most likely scenario: the 99% opportunistic threat.
The security industry needs to do better. The near industry-wide “security through obscurity” model is going to get worse as naive mass market providers try to compete with creative feature innovation coming from Silicon Valley and manufacturers (the good ones) are pushed beyond their focus on pure security.
A new report released by the UK National Counter-Terrorism Security Office (Nactso) responds, in part, to the 13 November 2015 ISIS attacks in Paris. The report characterizes the recommended response for individuals finding themselves in a similar fast moving shooter attack as that which occurred in Paris.
The four page report summarizes a Dynamic Lockdown approach which may be implemented in most organizations through careful planning and security systems deployment. The report includes:
- What is dynamic lockdown?
- Why develop dynamic lockdown?
- How to achieve dynamic lockdown
- How to let people know what’s happening
- Training your staff
The ‘Stay Safe’ principles of Run, Hide, and Tell are detailed and the report is an excellent resource for K-12 Schools, Universities, Theaters, Hotels, Restaurants, and other businesses that may be exposed to an active shooter terrorist attack.
For more information on Urban Alarm's Video Surveillance, Mobile Guard Patrol, Intrusion Alarm, Access Control, and other security systems design and installation please visit our website or contact us to arrange a consultation.
Enterprise physical security has technology advances every year, but it is most often only loosely connected to, and often falling behind, the innovation coming out of Silicon Valley.
The lagging innovation coming out of the historically slow moving enterprise security and commercial life safety industries is increasingly making those companies vulnerable to the creativity and disruption coming from the Maker culture of new technology.
We deploy many newer products and services in the operations of Urban Alarm. Slack (www.slack.com) has become a primary platform for our internal communications around projects and operations. Between Slack for real-time communication and Asana (www.asana.com) for task based collaboration we have all but eliminated internal email.
This integration can be a quick and simple opportunity to integrate physical security technologies with a modern workflow. For our offices we have created a Slack channel where door access control and video security alerts feed in via email or direct IP integrations. Email based integration is quick and simple; however, the feed can be better customized with webhooks or a more direct API.
Other ways to leverage integration with Slack or other modern cloud based services:
- Send video from off-hours access to Asana or another task management system so operations can "check" all accesses as valid.
- Track all arming and disarming of the alarm system in a Slack channel.
- Send all video events (or some subset of video events) into Slack, Asana, and any other system that fits your organization's workflow.
The Zapier Integration Zapbook is a good place to start for ideas even if you don't end up using Zapier to accomplish the integration.
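As an added example (not Urban Alarm's own integration), the webhook route mentioned above can look like the following: door events are turned into Slack incoming-webhook messages, off-hours access is flagged, and device-supplied text is escaped so a badge name cannot inject mentions or links into the channel. The event fields, business hours and the `SLACK_WEBHOOK_URL` variable name are assumptions; the two sample events are constructed.

```python
import json
import os
import urllib.request
from datetime import datetime, time as dtime

# Assumed business hours; anything outside them (or on a weekend) is flagged.
BUSINESS_START = dtime(7, 0)
BUSINESS_END = dtime(19, 0)

# Constructed sample events in a hypothetical access-controller format.
SAMPLE_EVENTS = [
    {"time": "2016-11-07T09:30:00", "door": "Front Lobby",
     "user": "j.doe", "result": "granted"},
    {"time": "2016-11-05T02:14:00", "door": "Front <Lobby>",
     "user": "<!channel> j.doe", "result": "granted"},
]


def slack_escape(value):
    """Escape &, < and >, the characters Slack treats as message markup.

    Unescaped, a field such as "<!channel>" coming from a controller or badge
    record would notify the whole channel or render as an attacker-chosen link.
    """
    return str(value).replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")


def is_off_hours(ts):
    """True on weekends and outside BUSINESS_START..BUSINESS_END."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)


def build_payload(event):
    """Build the JSON body for a Slack incoming webhook from one door event."""
    ts = datetime.fromisoformat(event["time"])
    flag = ":warning: OFF-HOURS " if is_off_hours(ts) else ""
    text = (f"{flag}Door access {slack_escape(event['result'])}: "
            f"{slack_escape(event['user'])} at {slack_escape(event['door'])} "
            f"({ts:%Y-%m-%d %H:%M})")
    return {"text": text}


def post_to_slack(payload, webhook_url, timeout=5):
    """POST the payload; the webhook URL is a secret and is never hard-coded."""
    if not webhook_url.startswith("https://"):
        raise ValueError("webhook URL must use https")
    request = urllib.request.Request(
        webhook_url,
        data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return response.status


if __name__ == "__main__":
    url = os.environ.get("SLACK_WEBHOOK_URL")   # assumed variable name
    for sample in SAMPLE_EVENTS:
        body = build_payload(sample)
        if url:
            post_to_slack(body, url)
        else:
            print(json.dumps(body))             # dry run when no webhook is set
```

Anyone holding the webhook URL can post into the channel, so it belongs in a secret store or environment variable rather than in the script or a repository.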
Vacant properties are a major factor in community safety and security. The recent discussion around fixing DC's Vacant Property Laws is an excellent step.
Missing from 4D-04 ANC Commissioner David Sheon’s report is a requirement to secure the property to avoid unwelcome occupants and nefarious activity. No neighbor should have to live next door to a property that is open to use for illicit activity at any time of day or night. This should be a priority to protect neighboring residents while the property is vacant and in the early stages of construction where crews are often not on site daily.
Vacant properties and construction sites can be very effectively secured. Fencing is already a requirement as part of most building permit processes, but effective intrusion security should be specified as well.
Security Alarm Systems installed and monitored by Urban Alarm on construction sites in DC have resulted in multiple arrests in 2015. We see these sites going from frequent regular issues to none once an effective system is deployed.
Urban Alarm’s approach to these systems is motion activated surveillance with video verification. When an alarm is triggered, the dispatcher reviews a video clip to determine the cause of the alarm and takes appropriate action including dispatching the police.
Video surveillance cameras have come a long way in their ability to show meaningful images in low light. Infrared lights are a common feature of even the lowest priced cameras. Low light cameras can show a reasonable image in extremely low light conditions. But none of these come close to the images from a thermal camera and their effectiveness in video surveillance and outdoor intrusion detection.
Access control credentials can be copied and duplicated. The simple solution is a “2-factor” access control system where access is generated based on something you have (e.g., an access control FOB), and something you know, (e.g., a PIN code).
Commercial fire alarm systems are a necessary component of most commercial properties. Selecting a company and a system can be a challenge. One of Urban Alarm’s core values is that customers should be able to choose who they work with and not be locked into a single provider. If you are not happy with the vendor you should have the right to choose another.
Working closely with DC-area fire and police response teams is something we do on a regular basis. And as with any great working relationship, it’s nice to converse outside of normal business hours. As a sponsor of MPD’s 2nd District Citizens Advisory Council Awards Benefit, this past October, we were honored to chat and dine with some of DC’s distinguished police officers.
Urban Alarm is pleased to have been selected for and to have completed the deployment of a security system for Brivo Systems. Urban Alarm has worked with Brivo for more than five years, installing their product for our mutual customers. As you would expect from the leader in access control, their office features a state of the art cloud-based access control and video security system.