Can Your Physical Security System Leak Private Data?

The endless and widespread announcements of new network security vulnerabilities raise serious data security and physical security concerns. In a commercial environment your security devices can contribute to that data leakage. As physical security technology progresses, it holds more and more data about you and your organization's habits and actions.

In the security control room of the Bellagio Hotel in Ocean's 11

It is a cliché in heist movies: the Hacker, Gadget Guy, or Mission Control Coordinator hacks into the target's security camera system, turning the tables by giving the heist crew all of the information while feeding the security guard misleading images. While heist movies are full of far-fetched plots, and the ease with which they depict a CCTV takeover is itself a stretch, the reality is that attackers anywhere on the internet can gain access to the cameras of many vulnerable organizations. Once in, they can manipulate cameras for the benefit of a heist, or simply turn all of your cameras and network devices into cryptocurrency miners or bandwidth-eating DDoS attack bots.

Less dramatic than a casino heist, but far more frequent, are hackers who access security cameras mostly for recreation. The recent Mirai malware is an example in which security cameras and servers are turned into bots taking direction from a hacker or hacker network. Mirai is one of many malware families that leave these networks and devices vulnerable.

Actions you can take to minimize your risk:

  1. Make network security an integral aspect of any physical security rollout.
  2. Keep the firmware on firewalls and appliances (including security cameras, alarm panels, and IoT devices) up to date at all times.
  3. Use a well-supported, business-class firewall. Open source is great if it is managed by knowledgeable engineers and the distribution is well supported with regular security patches.
  4. Do not open ports through your firewall; use VPNs to access remote cameras or resources. Use modern and well-accepted encryption on your devices.
  5. Use 2-factor authentication with a physical key (e.g., YubiKey) so that resources are restricted to users with the correct passphrase AND the correct physical key.
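To make item 4 something you can check rather than just remember, here is an added example (not from the original post) that scans the output of `iptables-save -t nat` for DNAT port forwards that expose typical camera, DVR and IoT service ports from an internet-facing interface. The internet-facing interface names, the port table and the sample ruleset are constructed assumptions; run it against your own firewall's output.

```python
"""Flag port forwards that expose camera/IoT services to the internet.

Input is iptables-save output for the nat table. A forward is reported when
it arrives on an internet-facing interface and lands on a service port that
cameras, DVRs and IoT devices commonly run. Forwards to the VPN endpoint
(the recommended alternative) are left alone.
"""
import re

# Assumption: these interfaces face the internet on the firewall being audited.
WAN_IFACES = {"eth0", "wan0", "ppp0"}

# Service ports commonly exposed by cameras, DVRs/NVRs and IoT devices.
RISKY_PORTS = {23: "telnet", 80: "http", 554: "rtsp", 8000: "dvr/nvr",
               8080: "http-alt", 37777: "dvr"}

# Constructed sample, in the format `iptables-save -t nat` emits.
SAMPLE_RULES = """\
*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 554 -j DNAT --to-destination 192.168.1.50:554
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.50:80
-A PREROUTING -i eth0 -p udp -m udp --dport 1194 -j DNAT --to-destination 192.168.1.2:1194
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.60:80
COMMIT
"""

# Matches a DNAT rule with an explicit inbound interface; rules without one are ignored.
RULE_RE = re.compile(
    r"-A PREROUTING .*?-i (?P<iface>\S+) .*?-p (?P<proto>\S+) .*?--dport (?P<ext>\d+) "
    r".*?-j DNAT --to-destination (?P<host>[\d.]+):(?P<int>\d+)"
)


def audit_port_forwards(rules_text):
    """Return one finding per risky forward from an internet-facing interface."""
    findings = []
    for line in rules_text.splitlines():
        m = RULE_RE.search(line)
        if not m or m["iface"] not in WAN_IFACES:
            continue  # not a DNAT rule, or not arriving from the internet
        inner = int(m["int"])
        if inner in RISKY_PORTS:  # classify by the internal service, not the public port
            findings.append({"iface": m["iface"], "proto": m["proto"],
                             "public_port": int(m["ext"]), "host": m["host"],
                             "service_port": inner, "service": RISKY_PORTS[inner]})
    return findings


if __name__ == "__main__":
    for f in audit_port_forwards(SAMPLE_RULES):
        print(f"EXPOSED {f['service']} on {f['host']}:{f['service_port']} "
              f"via {f['iface']}/{f['proto']} port {f['public_port']}: move behind the VPN")
```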

How Surveillance Cameras can Help Grow Retail Sales

If you own a retail business and utilize cameras only for security purposes, you’re missing out on their full potential to contribute to your company’s growth.

A number of technology companies are now using surveillance cameras — previously considered primarily as a way to deter or catch thieves — to help retail businesses learn about their customers’ shopping habits.

Video analytics, heat maps, and dynamic data can help companies perform A/B tests to see whether customers better respond to one campaign versus another. It allows retail firms to gather powerful data about customers without the need for surveys or other disruptive techniques.

How it works

MOBOTIX sells a security camera and analytics package that “can capture an entire room with no blind spots.”

The software captures the movement of people in the video image and then displays the results as a heat map, showing business owners the areas that had the highest traffic. Companies can see the most popular products or exhibition booths at a show, identify the most visited shelves in a store, or even see the patterns of how people enter or exit a particular location in the store.

This information can easily be presented in daily, weekly, or monthly reports for management.

Like MOBOTIX, other companies such as Prism and Prayas stress that video analysis is a better way to capture data without violating privacy rights of customers. An older method of gathering data had involved identifying and storing a unique identification code of a customer’s smartphone.

Prism CEO Steve Russell said his software doesn’t capture any identifying information about the customers; in fact, the video feed it presents back to businesses is completely void of humans. Instead, the video analytics shows trends and the areas with the highest traffic.

Prayas Analytics, in the same vein, doesn’t include any facial recognition or personal identification functionality in its software to promote privacy.

Low cost to entry

The companies all try to make it easy for businesses to get started, all touting a low cost to entry.

Prayas says that companies can keep their existing security system and only need to purchase access to the analytics software. Prayas can connect to the retail store’s surveillance cameras and get started immediately in analyzing its traffic patterns.

Prism also says its analytics software can overlay an existing video feed; they even say their high-quality imagery requires only low network bandwidth in order to be successful.

Mobotix does require customers to purchase cameras. But the company argues that this can save money in the long run: Each camera includes its own high-speed computer with memory, preventing the need to have a computer or network server record, analyze, and store the information. All of the analysis power happens right in the camera, reducing the amount of network bandwidth the security system will need to use.

Online Security Can Leave us More Vulnerable than Physical Security

The Washington Post published an article earlier this month titled “A quintessentially American crime declines: Robbing banks doesn’t pay as it used to.” It is a reminder that electronic security can leave us more vulnerable than physical security -- at least as far as financial loss is concerned.

Last week I heard about an associate who wrote about his recent experience as the victim of a “Whaling” cyber attack and consequently lost $400K. This morning our accounting staff received an email from a hacker spoofing one of our executives, requesting that accounting wire funds to a “vendor”.

SOURCE: Washington Post

Physical security systems are important. However, just as we need to be alert in the physical world, we need to recognize that the internet is a dodgy neighborhood. We need to be alert and vigilant or we will eventually find ourselves the victim of one of these attacks.

Some steps we can take to protect ourselves from this sort of security breach:

  • Always use 2-factor authentication. This is critical to the point that any of our customers who need assistance setting this up should reach out to us. Your bank should offer this type of security as well.
  • Follow set procedures -- In the case of the $400K theft from Verne Harnish, the hacker was able to accomplish their objective because his travel and other circumstances resulted in a deviation from their standard procedure. In the case of the whaling email we received today, the issue was escalated because our accounting person pushed back that they would need to submit the request using our set procedures. 

Keep in mind the standard warnings about email security and attachments:

  • Don’t download any Microsoft documents or executable files, even if you know who they are coming from (easy to spoof!)
  • Keep software and OS versions current and patched.
  • Use good passwords and make sure they are different and complex for anything sensitive.

If you are an Urban Alarm customer and would like assistance assessing your computer security situation and tools please let us know. We would be happy to help secure your personal online security as well as the physical security of your home and business.

DMP Virtual Keypad Provides Expanded Control and Apple Watch Support

The latest DMP Virtual Keypad app update brings Apple Watch support and a new customizable Home screen.

The DMP Virtual Keypad app, which allows users to control their security systems remotely, has just released its latest version and is now a clear leader in the mobile alarm application space.

The latest update, released last week, provides a customizable home screen that allows users to quickly access their most used security cameras, thermostats, and other systems. The application is now available on Apple Watch for the first time.

Urban Alarm often recommends DMP security alarm panels because of the application’s high level of security, the manufacturer's quality and support, and the multiple communication paths direct to our monitoring station.

While the DMP mobile application has, at times, lagged behind many others, it is now on par or exceeds the quality and functionality of other mobile alarm applications.

Features of the DMP Virtual Keypad application

For consumers who want remote control over their security system, the application provides the ability to:

  • Control your systems via your Apple Watch
  • Lock or unlock doors
  • Arm or disarm security alarms
  • Turn on or off lights
  • Control thermostats and other in-home systems

The application provides real-time alerts when alarms are triggered, showing the user an image of the area in question. The user can then confirm or dismiss whether the disturbance is a legitimate threat.

This update will allow users to more easily view or control key areas of their home. The expansion to Apple Watch also increases the user’s assurance that they will always know what is happening in their secured home.

Keep security in mind when selecting an IoT app

DMP’s high standards for security and constant rollout of upgrades are positive signs for the Internet of Things application. It’s important that consumers consider potential security vulnerabilities whenever selecting IoT products.

Among the most common vulnerabilities are poor mechanisms for rolling out system updates, insecure connections when passing information from the device to the backend network, and holes in user account security.

It’s always advisable to vet a potential application and find out how it’s securing its data before fully investing in the product.

The Future of Access Control Credentials

Brivo's Pass Wallet Access Control Application eliminates the FOB / card so you can access all of your doors with your phone.

Everything related to mobile devices is changing. Credentials for access control systems are no exception.

Most people who have lived in an apartment building or worked in a commercial office have used a FOB or keycard to unlock an electronic door. And with mobile pay apps, many people also find more and more of the physical items they have carried in the past have now moved to their mobile devices (e.g., membership cards, boarding passes, and credit cards).

Access control FOBs and cards will soon be as obsolete as paper boarding passes, with newer systems emphasizing mobile apps, Bluetooth, and/or location-based beacons. For the past ten years sticker dots have been available to put the physical credential on the back of a badge or on your phone. But now the physical badge is going away completely.

The most common approach to these physical access systems is a mobile app that talks to a Bluetooth-ready unit by the door. These units allow the user to be authorized for access. This is how HID has implemented their Bluetooth-compatible readers, and it is a useful approach, as it allows users with mobile devices -- with the app installed -- to unlock an electronic door they are authorized for.

Bluetooth readers are an interim step, however, as once we use our mobile devices for physical access control we can get rid of the reader altogether. The phone “knows” where we are and presumably knows who we are. As a result, approaching a door can either release the door (for low-security entry points) or prompt us for a code or fingerprint on the phone in order to release the door.

Different doors will have different levels of permission. Accessing a door to an airport tarmac may require the mobile device to communicate with a sensor at the door and verify the fingerprint of the mobile device user, while the bathroom at Starbucks may simply verify that the holder of the mobile device is a customer with their mobile app installed and is within five feet of the entry door.

As mobile devices know where we are, know who we are, and communicate with the systems around us, physical access control management will be absorbed into the existing networks -- providing new opportunities for convenience, security, and customized features.

For more about our access control installation and management services visit our website or contact us now for an informative and no-cost consultation.

What to do in a Terrorist Attack - Report Following Paris Attack

A new report released by the UK National Counter-Terrorism Security Office (NaCTSO) responds, in part, to the 13 November 2015 ISIS attacks in Paris. The report characterizes the recommended response for individuals finding themselves in a fast-moving shooter attack like the one that occurred in Paris.

The four-page report summarizes a Dynamic Lockdown approach that may be implemented in most organizations through careful planning and security systems deployment. The report includes:

  1. What is dynamic lockdown?
  2. Why develop dynamic lockdown?
  3. How to achieve dynamic lockdown
  4. How to let people know what’s happening
  5. Training your staff

The ‘Stay Safe’ principles of Run, Hide, and Tell are detailed, and the report is an excellent resource for K-12 schools, universities, theaters, hotels, restaurants, and other businesses that may be exposed to an active shooter terrorist attack.

For more information on Urban Alarm's Video Surveillance, Mobile Guard Patrol, Intrusion Alarm, Access Control, and other security systems design and installation please visit our website or contact us to arrange a consultation.


Those seeking to conduct attacks often undertake a level of planning including hostile reconnaissance. All opportunities to detect and deter threats at the attack planning phase should be taken.
— www.gov.uk
A memorial to the victims of the Paris attacks. (Creative Commons photo by Franck Schneider)