The recent high-profile email dumps from Wikileaks appear to be obtained through an email “Phishing” scheme that is pervasive. I recieved the same email around the same time as the target of on of the most visible leaks. Here is how to minimize your risk.Read More
The Washington Post published an article from earlier this month titled “A quintessentially American crime declines: Robbing banks doesn’t pay as it used to.” It is a reminder that electronic security can leave us more vulnerable than physical security -- at least as far as financial loss.
Last week I heard about an associate who wrote about his recent experience as the victim of a “Whaling” cyber attack and consequently lost $400K. This morning our accounting staff received a email from a hacker spoofing one of our executives requesting accounting wire funds to a “vendor”.
Physical security systems are important. However, just as we need to be alert in the physical world, we need to recognize that the internet is a dodgy neighborhood. We need to be alert and vigilant or we will eventually find ourselves the victim of one of these attacks.
Some steps we can take to protect ourselves from this sort of security breach:
- Always use 2-factor authentication. This is critical to the point that any of our customers who need assistance setting this up should reach out to us. Your bank should offer this type of security as well.
- Follow set procedures -- In the case of the $400K theft from Verne Harnish, the hacker was able to accomplish their objective because his travel and other circumstances resulted in a deviation from their standard procedure. In the case of the whaling email we received today, the issue was escalated because our accounting person pushed back that they would need to submit the request using our set procedures.
Keep in mind the standard warnings about email security and attachments:
- Don’t download any Microsoft documents are executable files even if you know who they are coming from- (easy to spoof!)
- Keep software and OS versions current and patched.
- Use good passwords and make sure they are different and complex for anything sensitive.
If you are an Urban Alarm customer and would like assistance assessing your computer security situation and tools please let us know. We would be happy to help secure your personal online security as well as the physical security of your home and business.
The DMP Virtual Keypad app, which allows users to control their security systems remotely, has just released its latest version and is now a clear leader in the mobile alarm application space.
The latest update released last week provides a customizable home screen that allows users to quickly access their most used security cameras, thermostats, and other systems. The application is not available on Apple Watch for the first time.
Urban Alarm often recommends DMP security alarm panes because of the application’s high levels of security, manufacturer quality and support, and multiple communication paths direct to our monitoring station.
While the DMP mobile application has, at times, lagged behind many others, it is now on par or exceeds the quality and functionality of other mobile alarm applications.
Features of the DMP Virtual Keypad application
For consumers who want remote control over their security system, the application provides the ability to:
- Control your systems via your Apple Watch
- Lock or unlock doors
- Arm or disarm security alarms
- Turn on or off lights
- Control thermostats and other in-home systems
The application provides real-time alerts when alarms are triggered, showing the user an image of the area in question. The user can then confirm or dismiss whether the disturbance is a legitimate threat.
This update will allow users to more easily view or control key areas of their home. The expansion to Apple Watch also increases the user’s assurance that they will always know what is happening in their secured home.
Keep security in mind when selecting an IoT app
DMP’s high standards for security and constant rollout of upgrades are positive signs for the Internet of Things application. It’s important consumers consider potential security vulnerabilities whenever selecting IOT products.
Among the most common vulnerabilities include poor mechanisms to rollout system updates, unsecure connections when passing information from device to backend network, and holes in user account security.
It’s always advisable to vet a potential application and find out how it’s securing its data before fully investing in the product.
Consumers buy Internet of Things (IoT) devices like Ring Doorbell Pro to see instant videos of their doorsteps and keep their homes safe.
So imagine their surprise when some began seeing videos from other houses. The company had been merging databases with user information and some ID numbers were accidentally overridden, leading to a mixup of user accounts. Ring contested that the error rate was extremely small — fewer than 10 out nearly 84 million calls.
Still, the security error demonstrates the vulnerability of IoT security systems. There’s a lot of areas where things can go wrong — from the backend network that keeps everything running, to the web or mobile app screens where users view information, and even the physical devices themselves.
And although the Ring case was seemingly an internal error which was caught relatively quickly, the real danger is if a hacker can break into a system and use it damage people.
OWASP (Open Web Application Security Project) is currently working on a project that analyzes the security of IoT applications. The project highlights some major vulnerabilities that can occur:
Easy collection of usernames— Any time there is something that needs to authenticate users (make sure it’s who they say they are), there's a chance that an attacker can view and collect a list of valid usernames.
Weak passwords — If they system allows weak passwords (e.g. “1234”) people may be tempted to choose them, allowing attackers to easily guess and obtain access to the account.
Lack of account lockout — Does the system let users guess passwords an infinite amount of times? Systems that do are prime real estate for attackers.
Unencrypted services — There is a lot of information being passed between the physical device, a device on the user side (e.g. a computer or mobile phone), and a backend network that is keeping everything runner. If that communication between devices is unencrypted, attackers can eavesdrop into the system and learn sensitive information.
Poor update mechanisms — All good systems should have the ability to securely install update files and clearly mark when the last update occurred. If this process is not stable, attackers can break into the update files and do damage — either by installing malicious updates or overriding other security measures.
These security vulnerabilities aren’t just hypothetical; some systems have already shown failures in the real world.
Observer.com published a list of eight of the biggest IoT security fails. Number one on the list was Target, the company that suffered a major breach of credit card information at the hands of hackers.
To pull it off, the attackers entered through a security vulnerability in Target’s IoT heating and cooling system. After gaining access to that system, the attackers were recognized as legitimate users and were able to access Target’s point of sale system — installing software on credit card readers that allowed them to see personal information every time a card was swiped.
In another case on Observer’s list, a presenter at a security conference demonstrated how easy it was to install code onto Nest thermostats.
The ability to tamper with the physical devices meant that attackers could buy tons of Nest devices, install malicious code, and then resell them to the general public. The attackers would then be able to access secure information from the unknowing consumers.
* Illustration re-posted under Creative Commons License from www.nesta.org.uk
Wired Magazine is back to remind us that most of the security alarm systems installed are easily hacked. In 2014 Wired reported on the vulnerabilities of alarm systems installed by ADT, Vivent, and others; and today reported on similar vulnerabilities of security alarm system installed by Xfinity:
In response to their reporting CERT (Computer Emergency Response Teams, sponsored by the US Department of Homeland Security) issued a “Vulnerability Note” echoing this warning.
This is not news. The majority of consumer intrusion alarm manufacturers operate under the assumption that intruders are not going to be knowledgeable or do their homework. And they are largely correct.
Most break-ins are opportunistic and perpetrated by someone looking for the easy way in, and a quick way out. Intrusion Alarm Systems do not need to be sophisticated to address this threat. The wireless vulnerability is just one of many deficiencies of most security alarm systems.
Basic encryption, standard in any consumer WiFi router, is extremely rare and generally only implemented in the most secure DOD level intrusion alarm systems (e.g., Sensitive Compartmented Information Facility or SCIF’s).
I have never heard a major consumer-oriented alarm company mention issues around social engineering much less have a strategy for mitigating those risks.
Wired cited a Comcast spokesperson responding to today’s article: “Our home security system uses the same advanced, industry-standard technology as the nation’s top home security providers,” the spokesperson said. “The issue being raised is technology used by all home security systems that use wireless connectivity for door, window and other sensors to communicate.”
Well, yes and no. It is shockingly true that systems sold by most security alarm manufacturers are vulnerable to this same problem. However, there are security alarm systems that are proactive in addressing these issues, and much less vulnerable. Security alarm installers that put security ahead of cost and some “nice to have” features can talk about these trade-offs, and offer options that significantly address these problems.
I recently discussed “high security alarm systems” with a customer who was looking for the absolute state of the art in security. And while most major alarm companies would suggest such systems center around “smart homes” and “internet of things” the most secure systems are not always the coolest systems (or at least the systems that look cool in an advertisement).
What makes a high security intrusion alarm system? There is a range, from the DIY and mass market systems covered in these Wired articles, to the uber high security systems that are defined by UL standards and are the cornerstone of security for the intelligence and defense agencies.
Most of the systems Urban Alarm installs address the specific wireless vulnerabilities covered in the articles with two-way wireless, wireless jamming detection, higher frequency spread-spectrum technology, and variable time duration supervision. Some customers want the alarm system to sound a warning when interference jams the wireless signal for a moment. Others are less concerned and would prefer an uninterrupted night’s sleep to a false warning from innocuous stray wireless signals.
Characteristics of a high security intrusion alarm system (this technical list is for illustration and scope so I will not get into detailed explanation of each here):
- High frequency spread-spectrum wireless
- Two-way wireless with variable timeframe supervision
- Anti-jamming detection and notification
- End of line resistors (at the end of line, not in the alarm panel)
- Multiple communication paths for monitoring signal transmission
- Aggressive supervision of a security panel’s communication from the central station (e.g., the alarm panel performs a communications test every few minutes and a failure triggers a warning or alarm)
- Encrypted communication with an alarm monitoring central station
- IP restricted reporting and/or VPN tunneling to central monitoring station
- Tamper detection on panels, wires, and other elements of the alarm system
- Biased (balanced) magnetic reed contact
- Two-Factor Authorization with Central Station Dispatchers
- Social Engineering defeat strategies
It is not practical or cost effective to implement all of these strategies in every installation. Threat assessments are a part of designing a good security alarm systems. Installing a security system where there is a specific targeted threat may be different than for someone whose primary concern is the most likely scenario: the 99% opportunistic threat.
The security industry needs to do better. The near industry-wide “security through obscurity” model is going to get worse as naive mass market providers try to compete with creative feature innovation coming from Silicon Valley and manufacturers (the good ones) are pushed beyond their focus on pure security.
Vacant properties are a major contributor to community safety and security. The recent discussion around fixing DC's Vacant Property Laws is an excellent step.
Missing from 4D-04 ANC Commissioner David Sheon’s report is a requirement to secure the property to avoid unwelcome occupants and nefarious activity. No neighbor should have to live next door to a property that is open to use for illicit activity at any time of day or night. This should be a priority to protect neighboring residents while the property is vacant and in the early stages of construction where crews are often not on site daily.
Vacant properties and construction sites can be very effectively secured. Fencing is already a requirement as part of most building permit processes, but effective intrusion security should be specified as well.
Security Alarm Systems installed and monitored by Urban Alarm on construction sites in DC have resulted in multiple arrests in 2015. We see these sites going from frequent regular issues to none once an effective system is deployed.
Urban Alarm’s approach to these systems is motion activated surveillance with video verification. When an alarm is triggered, the dispatcher reviews a video clip to determine the cause of the alarm and takes appropriate action including dispatching the police.
If your car or cell phone is not working, you will know it the moment you try to use it. If an alarm system is not working, you may not know for weeks or months or until the next time you NEED it. Alarm systems must communicate with the central monitoring station in order to be effective. And in many cases, they only communicate with the central monitoring station when there is an alarm.Read More
Up until recently, the 120VAC detectors were required to meet most code requirements (click here for more information on fire and electrical code). 12VDC monitored smoke detectors were not an option for code and inspections. However, effective with the International Residential Code (IRC) 2009 version, hard-wired 12VDC smoke detectors are now accepted to meet code and inspections.Read More
The District of Columbia has taken the lead from Maryland and will require sales tax be paid on alarm monitoring, effective October 1, 2011. This change will affect security and fire alarm monitoring for commercial and residential properties located in DC.Read More
With Hurricane Irene making its way up the East Coast, today it will leave in its wake, among other destruction, a trail of beeping security alarm panels. The most likely cause of security alarm issues during this time will be...Read More
On December 12th, hackers were able to compromise and download the user names and passwords from a highly visible and respected blog media network. The account database itself was only for the login information to the commenting functions of these sites. In itself, there was very little that could be exploited with the information. However, it called out the widespread practice of using poor quality passwords, and worse, using the same passwords on multiple sites.Read More