Protective Resources

Author Archive

Facial Recognition for Access Control?

Posted by on January 23, 2015

Several years ago,  I worked on a project prototype for a major group of sea ports that had an interest to use the state’s drivers license image database for facial recognition/verification of TWIC applicants and the eventual use for identity verification for critical card access points.  The main focus of the project was to ensure that the person applying for the TWIC card was indeed who they claimed to be, and not an imposter.   Neither the CCTV system nor the card access system had the built in software to do this, much less do it together, so we had to write the interface and the software to manage it.  It worked, but not as well as we would have liked.   We used a GPL’d algorithm for the facial recognition, which while good, would have some false positives and false negatives from time to time.   Ultimately to me, it served as a proof of concept.  It did work, and could be made as a serviceable monitoring and investigation tool for security.  (Later we used that same GPL software to create a tool that would scrounge through the card access database and crop the cardholder photos to a uniform size.  THAT worked really well.)

Years later, as far as I know there is still not an off-the-shelf system that provides a true facial recognition monitoring capability for access control violations.  This seems like something very straightforward to do, and as most companies or government branches have an actively maintained photo database of their cardholder personnel, and most often have video cameras monitoring locations where access control is used.

The biggest limitation we found was the quality of the CCTV images against the badge database photos.   Both were of rather poor quality, but if we used the software as just a pre-filtering tool for security operators, the margins of error were more tolerable.  The idea was to still have a security guard doing the verification, but not for every photo, just the ones the software couldn’t handle well.

Cardholder with back to camera.

Poor camera angle doesn’t allow for good facial recognition

With Megapixel IP cameras replacing low resolution analog cameras, the probability improves of having a photo with an acceptable number of unique data points to match against an image database with a high degree of confidence.  This means more information data points to compare, and fewer false positives and negatives.   There are still other considerations such as angle of view, proper lensing, lighting, face concealment/alteration issues, and image database accuracy.  And you must have most, if not all of these considerations to have a usable image.  As shown here, even if you have good lighting and resolution, if you don’t have a good angle and lensing, you will not have a usable image for facial recognition of the cardholder.

Currently, there are about a dozen corporations world wide that offer some type of facial recognition software.   Many of their larger customers are government agencies or the financial industry.  It is used in some border crossings, passport identification, and high profile monuments.   The FBI may be the most famous consumer of this technology, but it is not used in a widespread fashion as far as I know.  Naturally, this isn’t something that is widely advertised by these agencies.

Still, as such a highly technically savvy country as the USA supposedly is, I’ve often wondered why we don’t have facial recognition with a national database at all critical locations like border crossings, airports, bus stations, train stations, embassies, and hospitals.  I realize there’s a modest invasion of privacy, and nobody likes the thought of having “big brother” monitor your whereabouts, especially putting your name to your face in a specific location and time.   It’s kind of creepy.  But the other side of the coin is that if we maintain a central photographic database of active criminals and terrorists (which we do), then having feeds from certain cameras in certain high traffic locations might allow us to not only apprehend said criminals/terrorists in a timely manner, but even allow us to gain intelligence regarding their commuting patterns, associations, and personal habits.  This is beneficial information that can reduce crime and terrorism.

Keep in mind, the government already has a very large database of photos, probably including you, even if you don’t have a mug shot in the NCIC.  Facebook, Twitter, Instagram, LinkedIn, are all repositories available that most likely link your face with your name.   The FBI has said that by 2015, it plans to have 52 million photos in its NGI facial recognition database.   The FBI will include non-criminal information as well as criminal.  Where’d they get those?!    So, you may already be in the database, and maybe me too.  Obviously, some people will object to this idea, some even quite profusely.  But the genie is already out of the bottle.  Getting him stuffed back in is going to be difficult, if not impossible.

So the natural progression on this “big brother” concern just may be to license the database.   For a fee, allow vetted customers to have access to the database via an API to use this centralized database for government and limited private commercial purposes.  Want to know if your daughter or son is in the NGI database?  Maybe there’s a background check service company that can tell you.   But for financial institutions, or the port authority I mentioned in the beginning of this article, it would be a boon of intelligence data.   Not only would they have their own employees and contractors in their own database, they could also have access to a national database of “persons of interest” that could assist them in determining if a potential applicant is a criminal, or maybe even just a high risk.  That has the simultaneous possibility of reducing their own risks, and providing timely information to Homeland Security about a potential threats whereabouts and possible intentions.

Facial recognition of employees at work

Facial recognition in the workplace.

I think the future of this technology is already headed in this direction, and there may already be entities that are doing exactly what I’ve described, but I believe the technology will become more pervasive as some of the technological (and sociological) barriers are broken down.

Pin It

Tags: , ,

Posted in: Access Control, Company News, Security Technology

Leave a Comment (0) →

Hacking Sony – Corporate culture broken from the top down

Posted by on December 17, 2014

One of the questions I keep asking myself as I keep reading the dozens of recent articles about how Sony got hacked by “North Korea” is, why does Image left on screens for 2014 Sony HackSony KEEP getting hacked?

The short answer is “because they can”.  But the longer answer points to a corporate culture that doesn’t understand the need for protection of information assets, or the people who are constantly after those assets.

On November 24, Sony discovered that its corporate network had been hacked. The attackers took terabytes of data, deleted the original copies from Sony computers, and left messages threatening to release the information if Sony didn’t comply with the attackers’ demands.  But it was really much worse, not only was work disrupted as Sony’s IT professionals scrambled to recover lost data and restore data services, much of the proprietary information of Sony Corp. was released into the public domain for everyone to see.  Unreleased movies, private email conversations, celebrity contact information, social security numbers, passwords, and salary information were released into the wild.  The damage will be felt for years to come.

I’m uncertain of the actual number of cyber attacks on Sony (and only Sony knows the real number), but this latest attack has to put it somewhere in the high teens.  This attack was the latest of a string of attacks that has been happening since 2003, mostly related to Sony’s DRM policies and certain lawsuits over “hacking” the Sony PS3 platform.  At least, that’s where I think it all began.  Since then, it’s become the “hip” thing to do for black  hats, Hack Sony.  The notion that North Korea is behind this latest attack as claimed seems pretty thin to us, and also to the FBI in their official statements so far.

But what really is the cause of this?  From what I have read, it looks like it stems from a top down culture of a lack of respect for information security.   Their IT security department is woefully thin, understaffed for a company of Sony’s stature, security equipment and software was not properly installed, policies not enforced, and even simple things like compartmentalization of data, like keeping performer contracts or salary information separate from other data sources, were apparently not properly implemented.   This seems odd, since much of the technology Sony has developed (or bought) for DRM and copyright protection is fairly sophisticated, and expensive to develop.

Skipping the technical aspects of what Sony should have done or should now do to protect itself from cyber security, I will just propose in simple layman’s terms what a company in Sony’s position should consider across their corporate footprint.

  1. A top down philosophy of information security starting with corporate officers.
  2. Increased IT security staff and technology solutions to better identify, insulate and protect from cyber threats.
  3. Corporate wide training in information security, compartmentalization, best practices for data security and user authentication.
  4. Mandatory periodic password audits for all personnel (no Prima donnas who can’t remember a password).
  5. Two step authentication for most or all access, especially to sensitive information repositories.
  6. Regular security audits for physical and IT security.
  7. Personnel background checks, exit interviews with binding nondisclosure agreements.
  8. Active content filtering for incoming and outgoing internet traffic, strict VPN use for remote sites, and GEO IP security filtering at the desktop level.
  9. Active enforcement of corporate policies and legal prosecution for data breach events by employees or contractors.

Meanwhile, the media will be poring over mountains of sensitive information they shouldn’t have, hoping to find the next juicy bit of “Sony Dirt” to release in it’s next news cycle.

 

 

Pin It

Tags: ,

Posted in: Security Technology, Vulnerability Analysis

Leave a Comment (0) →

Do You Know Where Your Power Supply Is?

Posted by on December 15, 2014

Altronix Eflow16 Low Voltage Power SupplyWe’ve all had it happen: either a bad battery or a blown fuse in a security power supply.   It causes cameras to fail, a card access door to stop working, or a whole panel to fail.

Power supplies in their simplest sense do a very basic thing:  They turn 120 volts AC power to low voltage DC power for low voltage security devices such as cameras, card readers, alarm panels, or detection devices.   And while they have become more sophisticated, adding fused outputs, relay contacts for fire alarm disconnects (life safety egress for maglocks), and smart battery chargers, until recently it was up to the security integrator or maintenance staff to maintain the power supply by testing power and replacing batteries periodically.

In the IT world, just about everything is monitored – Computer servers, network switches, server room air conditioning and filtration units, UPS battery backup systems, even cameras in the data closet monitoring temperature, humidity, and noise levels.  Much of this information is sent via the Simple Network Management Protocol (SNMP).  This protocol is monitored by software that notifies console operations of the exact conditions or problems that may arise with hardware or software in the footprint.

Enter the power supply network module.  The Altronix LINQ2 is a new product that offers the same kind of monitoring capability used in the computer industry.

The Altronix LINQ2 network module is designed to interface with eFlow and MaximalF power supply/chargers. It enables power supply status monitoring and control of two (2) eFlow power supply/chargers over a LAN/WAN or USB connection. LINQ2 provides values on demand for AC fault status, DC current and voltage, as well as Battery fault status and reports conditions via SNMP.

Now security operations can be notified of potential problems and critical failures as they happen, or maybe even before.

For more information visit http://www.altronix.com/products/product.php?name=LINQ2

Altronix linq2 SNMP module

The Altronix LINQ2 SNMP Network Module

Pin It

Tags: , ,

Posted in: Fire and Life Safety, New Equipment and Gadgets, Security Technology

Leave a Comment (0) →

Layers – Not just for Onions and Ogres

Posted by on December 1, 2014

Security has been thought of and taught to others as a “layered approach” for centuries, and as such is not a new concept.   The Romans used layered concepts in their infantry tactics as well as their defensive fortifications.   With all due respect to “Shrek“, security is like an onion, and is a complex layer of countermeasures that make up a suite of hurdles that, presumably, are so confounding or problematic that the opponent gives up, gets caught, or never attempts anything in the first place.

The layers of security

Layers of security are a simple concept, but the concept is often overused by security professionals in discussion and even trivialized as not very important.  As Americans, we tend to rely very heavily on technology.  We understand technology, and we’re pretty good at it.   But while having thermal night vision cameras, fiber optic sensing cables, and CCTV drones flying over your campus are an impressive security posture, sometimes just a plain old chain link fence or dense thornbush hedge are enough to deter the would be criminal.  The most effective barrier I ever saw was a dense hedge of thorns called a  “living wall”.   It was 6 feet tall (and still growing), and you couldn’t climb it, cut it, or burn through it.

We once worked with a client that had installed a $4500.00 bullet proof door with a card access proximity reader installed behind Lexan (to protect it too) on the wall.  It we very impressive, until we learned that the wall it was installed  in was only sheetrock and metal studs, and you could kick through it and completely bypass the door.

Security layers mean from the outside in, with each layer adding to the increased security profile.   But security profiles are different for different companies, buildings, or campuses.  It depends upon the corporate philosophy, culture, and threat profile.  What may be reasonable for a chemical company manufacturing DOD explosives may not be suitable for a quarry.

Start with the outside, what are the threats from the street, the site perimeter, or even from the air?  Then work to the building perimeter, where are points of entry, access control weaknesses, or blind spots?  Internally you should look at the lobbies, common areas, break rooms, stairwells, and vestibules.  Then finally to policies and procedures relating to security, safety, and employee awareness.  Each of these areas will generate questions, to which you should generate answers in the forms of layers of security to add to your security profile.

Pin It

Tags: ,

Posted in: CPTED, Security Consulting

Leave a Comment (0) →

PINs Matter

Posted by on November 29, 2014
scramblepad

Hirsch Scramblepad

When working with a client once, they asked us to help harden their biological research labs by recommending additional security measures they could install. We did an initial and very casual walkthrough with them of the labs and how they were used. They were particularly proud of the Hirsch Scramblepads they had installed for access controlled doors. For those unfamiliar with these, they are an ingenious type of PIN pad where the numbers change each time you begin to enter your PIN sequence. This way, someone cannot peek merely at where your fingers were and assume that if you were at the bottom right of the pad, it was a 9. Anyway, they were (and still are in some circles) the Cadillac of PIN pads for access control.

As we began interviewing some of the lab staff, we asked how well they liked the keypads and how they were used. Most responded that they felt the keypads worked very well and were kind of “Star Wars” like because of their technology. We soon learned however, that the PINs used were 4 digit pins, and that there were a couple of hundred people who had access to these labs. To make it worse, departmental policy was that the individual was allowed to select their own PIN.  Yikes.

So, I promptly walked up to a PIN pad, and entered “1234”.

“Click”.  The door opened.

Okay, “1379”.  “Click”.

Yep.  Hmmm, one more, “2468”.  “Click”.   Okay, I see the biggest problem…

The good news, is it was a cheap fix.  That doesn’t mean easy, it was just cheap.  The long term fix was to add card access with CARD+PIN readers to enhance security; but in the mean time, we just increased the number of digits in the PIN, and assigned the PINs to the staff instead of letting them pick their own.  That’s why it wasn’t easy.  Some of the staff complained because now they had to learn a new PIN, and sometimes they forgot it, locking themselves out of the lab until they could remember it or get it reset.   Memorizing a new number (don’t we have enough numbers, passwords, etc. to learn already?!) is not fun and shouldn’t be necessary just to get into work.

Reading this now, this all probably seems like common sense to you, and it is.  It’s just that sometimes common sense isn’t used in practical applications the way we would always expect.  Security is a hassle, an inconvenience.  So, someone decided to make it easier on people and let them pick their own PIN.   This is were Security Policy and Procedures come into play.  They should be developed, implemented, maintained, and tested.  Had a proper policy been conceived and applied to the issuance of access control PINs, our job wouldn’t have been so easy.

PINs Matter

Just like passwords, a weak PIN is worse than NO PIN at all, because it gives you a false sense of security when there really is none.  If you still use only PINs, pick unique PIN of at least 8 digits, and ensure that they are unique for each user.  But better still, couple a PIN with an additional level of access control such as card access or biometrics.  After all, two levels of security are always better than one.

 

 

Pin It

Tags: , , ,

Posted in: Access Control, Security Technology

Leave a Comment (0) →

Analog to IP Camera Technology Migration

Posted by on November 25, 2014

In a recent project, PR was contracted to assist a client in the migration of a multi-campus, traditional analog closed circuit TV system to a modern IP digital network based camera and recording system. This is a growing trend in the industry as clients realize the benefits not only increased camera resolution and recording capabilities, but also leveraging corporate infrastructure costs to reduce the overall total cost of ownership for their company.

It goes like this:

Traditional CCTV systems use analog NTSC (or PAL in some countries) cameras which connect via coaxial cable or fiber optic cable to an analog recording device, matrix switcher, and/or monitor. Sometimes the recorders are digital video recorders, but there are still alot of VCRs out there recording to plain old VHS tape. All of the equipment is still using or manipulating an analog video signal in some way.

The conversion requires new field devices, new infrastructure, new recording equipment, and new monitoring equipment. It can be expensive to install. However, the paybacks are big. With the advent of megapixel IP cameras, it is now possible to get very high resolution images that can be recorded and monitored anywhere your corporate network can go, and beyond. Factor in digital PTZ technology that allows for continuous monitoring of 360° from a single camera in high resolution, and you can now replace multiple cameras with only one. There are some limitations however, as outdoor PTZ cameras in parking lots or on poles aren’t necessarily good applications for IP PTZ cameras just yet. But eventually technology will catch up.

Hybrid compromises are available too, where analog cameras can be converted to IP encoded H.264 streams and sent to network video recorders (NVR) which record network video streams. The resolution is only as good as the analog camera (usually no more than about 500 lines, or 704 x 480 resolution). This pales in comparison to 1080p cameras or even higher resolution megapixel cameras on the market today, but it is a good way to leverage some legacy hardware with new recording and transmission technology.

The biggest advantage of digital IP video is the flexibility it affords. Need to move a video stream to a different recorder? Just change the IP settings. Need to monitor the video in multiple locations? Just pull down multiple streams from different PC workstations. Need to move the monitoring to a remote location or disaster recovery site? No problem, just connected to the video servers from the alternate location. All of these features were MUCH more difficult with legacy analog video.

In short, digital IP camera technology affords a suite of new and enhanced features that give security operations response and investigation tools that previously were nonexistent or too expensive to implement. There is a cost to this technology, but the power and flexibility is well worth the price.

Pin It

Tags: , ,

Posted in: Security Technology

Leave a Comment (0) →

PR Invited to Participate in State and Local Fire Marshal Policy Meeting

Posted by on November 24, 2014

Meeting with North Carolina state and local fire marshals, Protective Resources has been invited to participate in a discussion of how the State and local code officials are going to be educated/trained in the new requirements for fire alarm system communications to comply with the 2010 and 2013 Fire Alarm Code. These new requirements are complex and will require the code officials to have a better understanding of data networks, Internet Service Providers, and Voice Over IP communication services.

Pin It

Tags: ,

Posted in: Company News

Leave a Comment (0) →
Page 5 of 5 12345