HID Signo Reader Shortage

As most people in the security industry know by now, HID Global has had supply chain problems with its readers for months.  As a stopgap, it is offering a new product line, “Signo Priority” readers, which omit the 125 kHz proximity function.

Signo Priority Features

– Same lifetime warranty as the traditional Signo readers
– Current lead time is 7 days (Sept 2022)
– Configured by profiles: Standard, Smart, Seos and Custom
– IP65 certified
– Automatic self-calibration when nearby metal surfaces are detected
– Factory equipped with Bluetooth Low Energy (BLE) and NFC for mobile credentials

Differences from traditional Signo Readers

– Traditional Signo lead time is > 180 days (Sept 2022)
– Signo Priority will not read 125 kHz Proximity credentials

If 125 kHz reading is not needed and only 13.56 MHz credentials are in use, please consider the Signo Priority reader X0NKS-T0-000000 as a substitute for the traditional Signo X0NKS-00-000000 readers.  Check the credential population before substituting: any legacy 125 kHz Prox cards still in circulation will stop working at a Priority reader.


Posted in: Company News

Leave a Comment (0) →

Leaked Database of over 1 billion Chinese Civilians for Sale

The Shanghai National Police (SHGA) database of over 1 billion Chinese citizens is apparently up for sale for 10 Bitcoin (~USD $200,000).   This represents terabytes of personal data including full name, address, birthplace, age, birth year, nationality, photo information, national ID number, mobile number, and any committed crimes and case details for the individuals.   (Source link has been obscured, sorry.)

Included in the for-sale ad were samples of the data to verify authenticity.  The alleged leak was apparently from a contract software developer who had errantly posted the database login credentials to a project blog some months earlier.

The leak has been verified by several people and posted online, but Western media have not really picked up on the impact of such an event.  If legitimate, it represents the largest data leak ever reported.


Oddly enough, there doesn’t seem to be anything called the “Shanghai National Police”; only the “Shanghai Municipal Police” returns any search results as a legitimate entity in major search engines.  Still, regardless of whether this is a translation error or some other misidentification, the validity of the data appears to be proven.  We attempted to connect to the sample link provided through a VM and VPN and were able to download the 110 MB compressed gzip sample file and view the sample files.  When uncompressed, the files were several hundred megabytes each, in JSON format, in English and Chinese characters (multi-byte format), consisting of personal information, police record case data files, and an address merge with cell phone data.   Here’s an example of the personal detail record file:

The police case record data appears to be of the most concern, with the actual content consisting of detailed police reports of the charged offense, including the date/time and specific location of the criminal events.  Deciphering the information is difficult for most Westerners since most of the text is in traditional Chinese, but it would be trivial to use automated translation to get the gist of the content when inserting it into a database.

With the horse already having left the barn, there doesn’t appear to be much the Chinese government can do to mitigate this leak.  Addresses and phone numbers can of course be changed by the individuals, but national ID numbers and police records cannot, and having these records open to the public (particularly the police reports) is a massive blow to individual privacy (such as it is in the PRC) that will likely cause problems for millions of people for years.

Posted in: Company News


SP-FA/LV Exam Prep Class (Zoom) on May 11, 2022, 8:00 AM – 5:00 PM

“Preparing for the North Carolina SP-FA/LV Electrical Examination”

NCBEEC Approved CE Course #CEC.03912
Course Instructor: Kile Unterzuber
NC License #10173-SP-FA/LV

Don’t miss this opportunity to prepare yourself for this critical exam!  The virtual class format saves you time and money.  Register now at https://nationaltrainingcenter.com/event/nc-sp-fa-lv/.  For more information, download our SP-FA/LV Exam class description and FAQ PDF files!

Course Description: This course reviews subject areas of the National Electrical Code (NFPA 70-2020) applicable to the North Carolina SP-FA/LV (Special Fire Alarm/Low-Voltage) license classification examination, as well as the administrative requirements of the NCBEEC and the use of the National Fire Alarm and Signaling Code (NFPA 72-2013). The course emphasizes Code requirements that may not be familiar to the typical installer of low-voltage and power-limited circuits for security and fire alarm systems, but that are important for successfully taking the qualifying examination. These topic areas include:
• Review of basic requirements of Title 21 NCAC 18B;
• General requirements for all electrical work;
• Grounding and bonding for power-limited and associated branch circuits;
• Calculating conductor ampacity;
• Calculating box fill;
• Identifying conductors for specific applications;
• Identifying and providing overcurrent protection for power-limited circuits;
• Calculating resistance in simple circuits; and
• Requirements of the National Fire Alarm and Signaling Code (NFPA 72-2013).

Posted in: Company News


Another installment of (in)secure Cloud storage

(Image: Chinchero Airport, Peru | EJAtlas)

We know we sound like a broken record when we tell our clients, “If you don’t own your server, you don’t own your data. Don’t put anything in the cloud you don’t want potentially exposed to the public,” but time after time we see examples of why we keep repeating this mantra.

What Happened:

A major data leak by Securitas that affected several Latin American airports and related companies was discovered by the cybersecurity firm SafetyDetectives.  In late January its team found that an Amazon S3 bucket had been left unsecured and exposed to public access, containing over 1 million files relating to airport and security personnel.

Securitas, a large, well-known multinational security company that has been in business for almost a century, has not made any public statement about the incident as of this posting.  This isn’t the first time Securitas has had security trouble: in 2017 the Securitas CEO Alf Göransson had his identity stolen at the end of March, when someone applied for a loan in his name, and the Stockholm District Court then declared Göransson bankrupt without informing him prior to its decision.

The Breach (from the SafetyDetectives briefing):

Securitas left its Amazon S3 bucket open and accessible, without any authentication procedures in place.  The misconfigured bucket therefore exposed almost 1.5 million files, equating to about 3 TB of data.

The bucket’s exposed information included employee Personally Identifying Information and sensitive company data of at least four airports in Colombia and Peru: El Dorado International Airport (Bogota D.C, COL), Alfonso Bonilla Aragón International Airport (Valle del Cauca, COL), José María Córdova International Airport (Antioquia, COL), and Aeropuerto Internacional Jorge Chávez (Lima, PE). As mentioned, unobserved files may have exposed other airports and places throughout Colombia, the rest of Latin America, or even the rest of the world.

They observed two main datasets containing the information of Securitas employees and airport employees: photos of ID cards and other unmarked photos.

Photos of ID cards were featured in the bucket.  There were an estimated 1 million files of this type in the Securitas misconfigured bucket.  These files revealed the personal information of employees at the four aforementioned airports that use Securitas’ services.

Photos of ID cards reveal several forms of employee Personally Identifying Information, including:

  • Full names, incl. first names and surnames
  • Photos of employees
  • Occupations
  • National ID Number

What Was Leaked?

Other unmarked photos featured among the bucket’s contents too.  There were about 300,000 files of this type.  These photos leaked the data of airports, airport employees, and associated companies.

Specifically, these files exposed employees’ personal data, sensitive client data (airports), and the sensitive data of associated companies, such as airlines. Exposed data includes:

  • Photos of employees
  • Photos of planes
  • Photos of fueling lines
  • Photos of luggage being loaded/unloaded

In addition to the information mentioned above, the two primary datasets analyzed on the bucket (photos of ID cards and other unmarked photos) contained Exchangeable Image File Format (EXIF) metadata that exposed specific information about each photo.   Exposed EXIF data includes:

  • Device models (of the cameras used)
  • GPS locations of photos, incl. coordinates and GPS maps
  • Time & date of photos

What it Means to Us

It may be some time before there is any assessment of the extent of the damage from this breach, but it obviously serves as an example of how careless data management can have serious security implications for your firm or for your clients.   In evaluating software application strategies for our clients, we always ask these simple questions:

  1. How critical is it if this information is leaked to the public?
  2. Can the solution be self-hosted on the client’s own private network?
  3. Does it really NEED to be a cloud application?
  4. If so, how can we mitigate the potential damage if there is a breach?

Additional measures like a SOC 2 Type I or Type II report are helpful, but likely wouldn’t have prevented the Securitas breach described above.  Regular and ongoing security audits, along with well-defined and enforced data management and security policies and procedures, are the only real defense against these kinds of mishaps.  In the S3 case specifically, the controls that catch this are mechanical: account-level Block Public Access, a bucket policy that names its principals instead of “*”, and a periodic scan for buckets whose policy or ACL grants access to everyone.
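Putting that last point into a check you can actually run: the Python below is an added example, not code from the original post or from SafetyDetectives, that tests a bucket’s policy, ACL and Block Public Access settings for an anonymous access path.  The bucket name, account id, role name and all three configuration structures are constructed for the example; they follow the shapes boto3’s get_bucket_policy (after json.loads on its “Policy” string), get_bucket_acl and get_public_access_block return, so the same functions can be pointed at real responses.

```python
import json

# Added example (not from the original post or the SafetyDetectives report):
# decide whether an S3 bucket has an anonymous access path, the condition the
# Securitas bucket was found in. Inputs mirror the shapes boto3 returns from
# get_bucket_policy (json.loads of its "Policy" string), get_bucket_acl and
# get_public_access_block; every value below is constructed for the example
# and the bucket/account/role names are made up.

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def principal_is_public(principal):
    """True for "*" or {"AWS": "*"}: any caller, signed or anonymous."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_policy_statements(policy):
    """Allow statements that apply to everyone and carry no Condition.
    A Condition (aws:SourceIp, aws:SourceVpce, ...) may narrow "*", and AWS's
    own public-bucket test treats some of those as non-public, so conditioned
    statements are left for manual review rather than counted here."""
    return [s for s in policy.get("Statement", [])
            if s.get("Effect") == "Allow"
            and principal_is_public(s.get("Principal"))
            and not s.get("Condition")]


def public_acl_grants(acl):
    """ACL grants to AllUsers (anonymous) or AuthenticatedUsers (any AWS account)."""
    return [g for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in (ALL_USERS, AUTH_USERS)]


def assess_bucket(policy, acl, public_access_block):
    """Return human-readable findings; an empty list means no anonymous access
    path was found and the Block Public Access safety net is fully on."""
    cfg = public_access_block.get("PublicAccessBlockConfiguration", {})
    findings = []
    for stmt in public_policy_statements(policy):
        # RestrictPublicBuckets makes S3 ignore a public policy for callers
        # outside the account, so the statement is neutralised.
        if cfg.get("RestrictPublicBuckets") is True:
            continue
        findings.append("policy grants %s to everyone"
                        % ", ".join(_as_list(stmt.get("Action"))))
    for grant in public_acl_grants(acl):
        if cfg.get("IgnorePublicAcls") is True:   # public ACL grants are ignored
            continue
        group = grant["Grantee"]["URI"].rsplit("/", 1)[-1]
        findings.append("ACL grants %s to %s" % (grant["Permission"], group))
    if not all(cfg.get(k) is True for k in PAB_KEYS):
        findings.append("Block Public Access is not fully enabled")
    return findings


# --- constructed inputs: the weak setup beside the corrected one -----------
BUCKET = "arn:aws:s3:::example-badge-photos"
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": [BUCKET, BUCKET + "/*"]}]}
WEAK_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
WEAK_PAB = {"PublicAccessBlockConfiguration": {k: False for k in PAB_KEYS}}

HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "UploaderOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/BadgePhotoUploader"},
     "Action": ["s3:GetObject", "s3:PutObject"], "Resource": BUCKET + "/*"},
    {"Sid": "DenyPlaintext", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": [BUCKET, BUCKET + "/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}
HARDENED_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}]}
HARDENED_PAB = {"PublicAccessBlockConfiguration": {k: True for k in PAB_KEYS}}

if __name__ == "__main__":
    for label, args in (("weak", (WEAK_POLICY, WEAK_ACL, WEAK_PAB)),
                        ("hardened", (HARDENED_POLICY, HARDENED_ACL, HARDENED_PAB))):
        print(label, json.dumps(assess_bucket(*args), indent=2))
```

The weak setup reproduces the condition described above: a wildcard principal with read and list, a public-read ACL, and no Block Public Access.  Running the weak policy and ACL against the hardened Block Public Access settings returns no findings, which is the point of turning the account-level setting on: a bad policy or ACL left behind by a developer becomes inert.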

This won’t be the last time we see this either.  As the cloud becomes more and more integrated into corporate IT strategies, it will happen again, and again, and again.

Posted in: Security Consulting, Security Technology


More Cloud Woes for Security

Once again a cloud solution has been hacked, this time Verkada, a fairly new entrant in the security arena.  Verkada offers a turnkey solution using proprietary hardware and a hosted video management service for a monthly fee.  They aren’t unique in the industry, but they are the most recent to be hacked and spotlighted in the news.

The key takeaway from the Bloomberg article is something we’ve been telling our clients for a while:  cloud and SaaS solutions typically have a “super-admin” or overall management account that lets the provider “see” all of their customers’ accounts and account information.  In Verkada’s case the attackers reportedly got in through credentials for exactly such a super-admin account that had been exposed online.  This varies of course depending upon the service provider and the service type, but in general, if you don’t own the server, someone else does and has to manage and support the data coming into it and on it.

(Image: Madison County Jail seen through a Verkada camera.)

“A group of hackers say they breached a massive trove of security-camera data collected by Silicon Valley startup Verkada Inc., gaining access to live feeds of 150,000 surveillance cameras inside hospitals, companies, police departments, prisons and schools.”

We strongly urge our clients to keep sensitive data and physical controls hosted on premises; they don’t belong in the cloud.   This could be devastating for Verkada and other providers dedicated 100% to SaaS (software as a service) solutions.   You can read the full article from Bloomberg here:

https://www.bloomberg.com/news/articles/2021-03-09/hackers-expose-tesla-jails-in-breach-of-150-000-security-cams?srnd=premium

Posted in: Company News


SolarWinds Hacked – Or “Another Example of Why Putting Security in the Cloud Might Not Be Safe”

SolarWinds, whose Orion network management platform is used by every major branch of the government, all military branches, and almost all of the Fortune 500 companies, has been compromised by a Russian hacking group that, since as far back as March 2020, used trojanized Orion updates to gain access to sensitive emails, APIs, SSO tokens and user accounts.   See a summary from Krebs here: https://krebsonsecurity.com/2020/12/u-s-treasury-commerce-depts-hacked-through-solarwinds-compromise/

This is a classic example of why outsourcing your security and sensitive operations isn’t always a good idea.  Strictly speaking, Orion runs on the customer’s own servers; the attackers got in by trojanizing a signed vendor update, which makes this a software supply chain compromise rather than a hosted-service breach.  The lesson is the same either way: whoever builds, updates or runs your security tooling sits inside your trust boundary.

One of the most frequent discussions we have with our clients is why we are generally opposed to putting security operations “in the cloud”.  After all, it’s offered by just about every IT supplier, and the security software vendors are all jumping on board as well.  Sure they are, because it’s a great recurring revenue source for them, as opposed to a traditional perpetual software license that you install on your own premises.

To be sure, there are obviously cloud deployments that can be done safely and securely; then again, that’s probably what SolarWinds thought too.  Security, and especially cyber security, is a never-ending game of cat and mouse, with the mousetrap always getting better and the mouse always getting smarter.

We will see this again, whether it’s another Twitter hack with celebrities’ accounts posting for bitcoin (https://www.pandasecurity.com/en/mediacenter/mobile-news/twitter-celebrities-hacked) or a service provider like Workday or Okta getting hacked and exposing sensitive client data to be sold on the dark web or to nation states for further exploitation.

For certain clients or situations, using cloud-based security applications makes sense, but in general we advise against using the cloud for access control and video surveillance at sensitive locations or for enterprise applications.

Caveat Emptor.

Posted in: Company News


Securing Ubuntu Linux with ufw and tcpwrapper

Nerd Title:  Securing Ubuntu Server with tcpwrappers and ufw.

We don’t write many cybersecurity related articles because there are plenty of other people out there also doing it, and well… we can’t be experts at everything. 

Still, once in a while we come up with a problem that has a solution so clean and elegant that we have to share it.  This article will quickly explain how to set up tcpwrappers and a firewall to automatically ban clients connecting from unauthorized IP addresses.   The process is simple: every modern Linux distribution comes with a firewall of some kind, and Ubuntu currently uses ufw.  It also supports a package called ‘tcpd’, or tcpwrappers.  The solution we used was to install a base ufw rule set that allows only SSH, HTTP and HTTPS traffic and blocks everything else.  It looks something like this:

root@acme.com:/root/# ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     LIMIT       Anywhere
443/tcp                    ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
22/tcp (v6)                LIMIT       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)

This is a common configuration, but the downside is that everybody can knock on your door and attempt to log in.  You can limit how much and how fast, but basically it’s open to the public.  This is where tcpwrappers comes in.  You can search the internet about tcpwrappers; there are many online explanations and guides.  It has been around a long time, and they never changed the goofy name, but essentially it works by checking two files, /etc/hosts.allow and /etc/hosts.deny, to see if you’re a good guy or a bad guy and what to do with you: hosts.allow is consulted first, then hosts.deny, and a client matching neither is let in.  One caveat: the check only happens inside daemons that are built against libwrap or started through tcpd.  The sshd shipped on Ubuntu honors these files (the log later in this article shows it doing so), but Apache and nginx do not, so the HTTP and HTTPS ports stay open to the world regardless of what hosts.deny says.  This is where the fun comes in.  (Note, you’ll need root permissions to do this.)

First you have to install tcpwrappers – “sudo apt install tcpd”

Then edit the /etc/hosts.allow file and add the services you use, something like this (substitute the hostnames or IP addresses you want to allow in):

ALL: 127.0.0.1
smtps: ALL
imaps: ALL
ALL: 43.79.214.93                 # Work Server
ALL: 71.60.242.15                 # Home
ALL: rockhouse.mynetgear.com      # Home
ALL: 172.210.145.232              # Testing Cloud Server

The IP addresses or hostnames with ALL: in front are allowed into the server for whatever port or service they connect to, as long as the firewall rule allows it.  This is your “whitelist” of good guys to let in the door.  The big difference here is that unlike firewall rules, tcpwrappers allows hostnames, so a host with a dynamic IP address can be listed by name (a dyndns.org style name, for example) without updating the firewall rules each time.  One caveat worth knowing: tcpd does not resolve the name you wrote and compare addresses.  It does a reverse lookup on the connecting address, then a forward lookup on the resulting name, and matches only if both agree and that name matches your pattern.  A dynamic DNS name therefore only works if the client’s address has a PTR record pointing back at that name, which is rarely the case for a home connection; when in doubt, list the address.  Need to add a new remote host that should be allowed to access ssh?  Add it here.

Next, edit the /etc/hosts.deny file and add the following (it should all be on one line):

ALL: ALL: spawn ((/usr/local/bin/banip.sh %a; /bin/echo -ne "client = %h; server = %H; process = %d; PID = %p date = "; /bin/date) >> /var/log/tcpwrappers.log &)

This single line blocks everybody from everything that isn’t in the whitelist above.  Notice also that tcpwrappers calls a shell script, /usr/local/bin/banip.sh, which calls “ufw” to write a firewall rule banning the remote attacker forever.  The script is handed %a, the client’s IP address, rather than %h, which tcpd expands to the client’s hostname whenever a reverse lookup succeeds; ufw only accepts addresses or CIDR blocks in rules and rejects a hostname as a bad source address, and because that error goes to stderr it never shows up in the log (the log excerpt further down was captured with %h, which is why hostnames appear in its “Blocking” lines).  The spawn command runs as the same user as the daemon, root in the case of sshd, which is why it can call ufw at all.  You can put the script wherever you want, but it should look something like this:

#!/bin/bash
# Ban an IP address from SSH using Ubuntu's ufw.
# Usage: banip.sh [ADDRESS]   (prompts for the address when none is given)
ME=$(basename "$0")
if [ "$(id -u)" -ne 0 ]; then
    echo "you must be root to run $ME" >&2
    exit 1
fi

if [ -z "$1" ]; then
    echo -n "Enter the IP Address: "
    read -r IP
    echo -n "You entered $IP, correct? (Y/N) "
    read -r ans
    if [ "$ans" = "y" ] || [ "$ans" = "Y" ]; then
        echo "Blocking $IP"
    else
        echo "Ok, quitting."
        exit 0
    fi
else
    IP=$1
    echo "Blocking $IP"
fi

# Insert at position 1 so the deny wins over the LIMIT/ALLOW rules for port 22.
# "from ADDR to any port 22" denies connections TO our port 22; the form
# "from ADDR port 22" would only match a SOURCE port of 22 and ban nothing useful.
ufw insert 1 deny from "$IP" to any port 22 proto tcp

This is a very simple script that takes an IP address and bans it from port 22 using ufw.  If you run it manually without any arguments it will ask you for an IP address to ban.

The spawn line in hosts.deny also appends to /var/log/tcpwrappers.log, so you can see where people have tried to gain access to your server and been shut out:

Blocking 106.75.251.140
Skipping adding existing rule
client = 106.75.251.140; server = 45.33.101.254; process = sshd; PID = 78110 date = Fri 13 Nov 2020 04:54:48 AM UTC
Blocking 84-255-249-179.static.t-2.net
client = 84-255-249-179.static.t-2.net; server = 45.33.101.254; process = sshd; PID = 78153 date = Fri 13 Nov 2020 04:55:19 AM UTC
Blocking ns3268691.ip-5-39-81.eu
client = ns3268691.ip-5-39-81.eu; server = 45.33.101.254; process = sshd; PID = 78167 date = Fri 13 Nov 2020 04:55:36 AM UTC
Blocking 118.24.48.15

You can also see the list of banned IP addresses by typing “ufw status”.  If you’ve accidentally banned an IP you didn’t mean to, you can unban it with “ufw delete N”, where N is the rule number shown by “ufw status numbered”; the remaining rules are renumbered after each delete, so re-run “ufw status numbered” before deleting another.  Note that this list can get rather long, as there are people with nothing better to do than write scripts to try to break into whatever servers they can find.  In the short time it took me to write up this article, I had 32 attempts on my demo server alone.  If you need to start over, you can type “ufw reset”, but that resets everything back to factory defaults, base rules included.  You can use a quick script to do this also:

sudo ufw --force disable \
&& sudo ufw --force reset \
&& sudo ufw default deny incoming \
&& sudo ufw default allow outgoing \
&& sudo ufw allow 22/tcp \
&& sudo ufw limit ssh \
&& sudo ufw allow 80/tcp \
&& sudo ufw allow 443/tcp \
&& sudo ufw --force enable
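As an added example (not part of the original article), the Python below reads the tcpwrappers.log entries the spawn line writes and the output of “ufw status numbered”, and answers the three questions that come up in practice: who was refused and how often, which refused clients ufw never actually banned (a hostname there means the spawn line passed %h rather than %a), and which rule numbers to delete, in the right order, to unban an address.  Both inputs are constructed samples in the formats shown above; the addresses are illustrative.

```python
import ipaddress
import re
from collections import Counter

# Added example, not part of the original article: parse the log written by the
# hosts.deny spawn line and the output of "ufw status numbered", then report who
# was refused, which of them ufw never banned, and how to unban an address.
# Both inputs are constructed samples in the formats shown in the article.

SAMPLE_LOG = """\
Blocking 106.75.251.140
client = 106.75.251.140; server = 45.33.101.254; process = sshd; PID = 78110 date = Fri 13 Nov 2020 04:54:48 AM UTC
Blocking 84-255-249-179.static.t-2.net
client = 84-255-249-179.static.t-2.net; server = 45.33.101.254; process = sshd; PID = 78153 date = Fri 13 Nov 2020 04:55:19 AM UTC
Blocking 106.75.251.140
Skipping adding existing rule
client = 106.75.251.140; server = 45.33.101.254; process = sshd; PID = 78190 date = Fri 13 Nov 2020 04:57:03 AM UTC
"""

SAMPLE_STATUS = """\
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     DENY IN     106.75.251.140
[ 2] 22/tcp                     LIMIT IN    Anywhere
[ 3] 443/tcp                    ALLOW IN    Anywhere
[ 4] 80/tcp                     ALLOW IN    Anywhere
[ 5] 22/tcp (v6)                LIMIT IN    Anywhere (v6)
"""

# One tcpd entry per line: "client = %h; server = %H; process = %d; PID = %p date = ..."
LOG_RE = re.compile(r"client = (?P<client>[^;]+); server = (?P<server>[^;]+); "
                    r"process = (?P<process>[^;]+); PID = (?P<pid>\d+) date = (?P<date>.+)")
# One rule per line of "ufw status numbered": "[ N] TO    ACTION DIR    FROM"
RULE_RE = re.compile(r"^\[\s*(?P<num>\d+)\]\s+(?P<to>.+?)\s{2,}"
                     r"(?P<action>[A-Z]+ (?:IN|OUT))\s+(?P<src>.+?)\s*$")


def is_address(text):
    """ufw accepts only IP addresses or CIDR blocks in rules, never hostnames."""
    try:
        ipaddress.ip_network(text, strict=False)
        return True
    except ValueError:
        return False


def parse_log(text):
    """tcpd entries only; the 'Blocking'/'Skipping' lines are banip.sh's stdout."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]


def parse_status(text):
    return [m.groupdict() for m in map(RULE_RE.match, text.splitlines()) if m]


def attempts(log_text):
    """How many times each (client, daemon) pair was refused."""
    return Counter((e["client"], e["process"]) for e in parse_log(log_text))


def never_banned(log_text, status_text):
    """Clients tcpd refused that have no DENY rule in ufw. A hostname here is the
    tell-tale of a spawn line that passed %h instead of %a: ufw rejected it."""
    denied = {r["src"] for r in parse_status(status_text) if r["action"].startswith("DENY")}
    return sorted(c for c in {e["client"] for e in parse_log(log_text)} if c not in denied)


def unban_commands(status_text, address):
    """ufw renumbers rules after every delete, so delete the highest number first.
    --force skips the interactive y/n confirmation."""
    nums = sorted((int(r["num"]) for r in parse_status(status_text)
                   if r["src"] == address and r["action"].startswith("DENY")), reverse=True)
    return ["ufw --force delete %d" % n for n in nums]


if __name__ == "__main__":
    for (client, proc), n in attempts(SAMPLE_LOG).most_common():
        flag = "" if is_address(client) else "  (hostname: ufw cannot ban this)"
        print("%-32s %-5s %d%s" % (client, proc, n, flag))
    print("refused but not in ufw:", never_banned(SAMPLE_LOG, SAMPLE_STATUS))
    print("\n".join(unban_commands(SAMPLE_STATUS, "106.75.251.140")))
```

Pointing parse_log at the real /var/log/tcpwrappers.log and parse_status at the captured output of “ufw status numbered” is all that changes in production; the delete commands are printed rather than executed so you can eyeball them first.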

This has been a very fundamental explanation of how to easily allow remote access while keeping the bad guys out at the same time, using a blend of the old (tcpwrappers was written in the 1990s) and the new.

Posted in: Company News


Coronavirus COVID-19 Disinfection on the Cheap

Coronavirus (COVID-19) has gathered significant attention worldwide because of how dangerous the virus is, how easily it spreads, and how difficult it is to detect.   So most people, whether government, professional, or civilian, are looking for an easy way to protect themselves and others as best they can.   Things like facial and toilet tissue, surgical masks, and hand sanitizers are selling out in stores and online.   As the number of cases in the US increase, so will the panic.  

But the military has dealt with this kind of thing for a long time, and the number one thing it relies upon for disinfecting is good old fashioned sodium or calcium hypochlorite, also known as “bleach”.   There are many kinds of bleach, but sodium hypochlorite is what is typically sold as “Clorox” bleach.  Both sodium and calcium hypochlorite are widely available, but we prefer calcium hypochlorite because it typically contains more available chlorine per volume than sodium hypochlorite.  Bleach is a generic term describing a chemical with the properties of removing color, whitening, and disinfecting.   It does this by oxidation, which in the case of hypochlorite denatures the proteins of microbes and destroys them.

“So what?”  Everybody knows that bleach kills germs.   Yes, but did you know that even a small concentration of bleach kills germs?  You don’t need to dump a gallon of Clorox on everything to kill germs.   You can dilute it down to as little as 0.5% and still effectively kill germs on contact.  You can even dilute down to 0.05% and still be effective, but the exposure time becomes much longer.   So what do we (“not healthcare professionals”) suggest for everyday people using this solution?

Something as simple as a mini spray bottle (think travel size pump hair spray bottle) with a 0.5% solution of calcium hypochlorite in water will be easily portable and moderately effective for most uses.   The dilution ratio doesn’t have to be exact, but it should be close.  If it’s a little higher that’s okay, but don’t go crazy.  The concentration determines HOW LONG you must maintain contact with the solution, so start with a known concentration and then blend down.  Bleach is a reactive chemical, and deteriorates over time at higher concentrations, so choose a product that is individually sealed and use as needed.  The lower concentration of 0.5% should last for months in a sealed container.  For our mixture, we liked something like this pool product from Amazon.com.  It is 68% concentration in powder form in 1 lb packs.  To make a 55 gallon drum of 0.5% solution, mix approximately 3 1/4 lbs of powder into 55 gallons of water.   Or for each gallon, add ~1 oz of calcium hypochlorite and mix thoroughly.    Remember that because it’s a solid powder it won’t mix easily in water, so if possible use warm water to help it dissolve more quickly and thoroughly.

So, fill the spray pump bottles and toss them in your pocket, your office drawer, your glove box, or backpack.  Spray on anything you want to touch, or on your hands after you’ve touched something you shouldn’t have.  Rub in thoroughly.  The .5% concentration shouldn’t discolor most fabrics or materials, but will definitely have a slight chlorine odor to it.  You can add scents to the mixture if desired to make it more tolerable for those sensitive to chloramine smells, but don’t add so much that it dilutes the solution to be ineffective.   

For more information see the US Army Public Health Command bulletin on Preparing and Measuring High Chlorine Concentration Solutions for Disinfection:  TIP_No_13-034-1114_Prepare_Measure_High_Chlorine_Solutions

Posted in: Company News


HID Signo Readers Announced.

HID announced an entirely new reader line today, called Signo.  What’s immediately noticeable is they are more sleek and stylish than the iClass R or RP models, but looking further, we found that there are some distinct differences that might just make switching to this new reader platform sensible.

For starters, the keypad reader model looks more functional, and the mullion keypad reader is a definite necessity.  The keypads are capacitive  touch style which should make them more reliable in harsh environments.

Dimensions for the readers are almost identical, with the Signo readers a little slimmer, but probably not by much.  See the Feature Comparison Matrix below.

What’s missing though, like in the RP series, is a long range parking lot reader like the R90.  This is a needed technology that should be added in the future (are you listening, HID?).

The Signo series seems to lump all the reader technologies together, making product selection a little less confusing than previous iCLASS reader selections.  This is most welcome.  Supported technologies are 125 kHz proximity, iCLASS, Seos, MIFARE, plus mobile credentials via Bluetooth and NFC, plus Apple’s Enhanced Contactless Polling (ECP) for Apple Wallet credentials.

Other features are better support for crypto keys (no more base encryption key in the wild, for now), automatic tuning/detuning for optimized read range, and OSDP support out of the box.  Reader tamper is now a dry contact relay (THANK YOU).   But the biggest thing installers are going to enjoy is that the Signo readers support remote management.  No more configuration cards carried around to every reader just to turn off the 125 kHz prox feature set.  This should have been done LONG AGO.   Firmware updates, configuration, and reader management can be done via mobile device or over OSDP (assuming your PACS supports it).

From our take, these readers appear to have been developed largely for the Campus environment (the Apple ECP is a dead giveaway), but certainly have the feature sets that would make them desirable in the commercial, government, and industrial markets as well.  We don’t  have any evaluation copies yet, but will definitely be looking at these for new projects where they fit and offer additional security, style, and convenience.

Feature Comparison Matrix

Feature             RP40                            Signo 40
Dimensions          3.3″ x 4.8″ x 1.0″              3.15″ x 4.78″ x 0.77″
Read range (typ)    iCLASS: 2.4″                    iCLASS: 1.6″ to 4″
                    125 kHz Prox: 2.8″ to 4.3″      125 kHz Prox: 2.4″ to 4″
Power               85 mA @ 16 VDC                  75 mA @ 12 VDC
Comm                Wiegand & (optional) OSDP       Wiegand & OSDP
Reader tamper       Open collector output           Dry contact relay
Configuration       Programming cards               Mobile device or OSDP
Weatherproof        If optional gasket installed    Yes
Certifications      UL294, EAL5+                    UL294, EAL6+
Price               ~$200.00                        ~$200.00


Posted in: Access Control, Company News, Security Technology


Why You Should Be Skeptical of Security Apps in the Cloud

The “Cloud” for most people has become an integral part of our daily lives.  It’s everywhere, yet many people couldn’t tell you what the cloud really is if you asked them.  It’s just there. 

In a nutshell, the cloud could be defined as “an internet server you don’t own, yet hosts your data”.   All this means is you’re using Software as a Service (SaaS): someone else has developed the application, hosts it on their server, and you use it, or maybe even pay for it via subscription (like Ring or Canary).

Yet all too often, when we closely inspect these services or applications we tend to find flaws, or sometimes downright intentional abuse, that expose more of our personal data than we would like.  In the case of many apps for home or personal use, we can choose to accept some loss of privacy in exchange for the free or bundled software and storage.   In the business world, however, this is rarely tolerated, and in some cases it’s against the law.

For a fantastic example of this abuse, the Electronic Frontier Foundation has published an excellent article about Ring and its application that exposes multiple abuses of privacy.    The biggest takeaway from the article for us was that Ring appears to use certificate pinning in a way that prevented data security experts from analyzing the encrypted traffic generated by the application itself, so the trackers it talks to could only be found by working around the pinning.   Now imagine an app from a state-sponsored corporate entity like Huawei sending images, stored files, GPS data, voice recordings, or video from your phone or tablet to some server in another country.  See how big the risk is?

Click the link below to read the full article, but this summary puts it best:

“Ring claims to prioritize the security and privacy of its customers, yet time and again we’ve seen these claims not only fall short, but harm the customers and community members who engage with Ring’s surveillance system.”

https://www.eff.org/deeplinks/2020/01/ring-doorbell-app-packed-third-party-trackers

Posted in: Company News
