Archive for Company News

HID Signo Reader Shortage

As most people in the security industry know by now, Motorola HID has been having supply chain issues for months now for readers.  As a temporary solution, they are offering a new product line, “Signo Priority” readers, which lack the 125Khz Proximity function.

Signo Priority Features
 
– Same lifetime warranty as the traditional Signo readers
– Current lead time is 7 days (Sept 2022)
– Configured by profiles: Standard, Smart, Seos and Custom
– IP65 certified
– Automatic self-calibration when nearby metal surfaces are detected
– Factory equipped with Bluetooth (BLE Smarts) and NFC
 
Differences from traditional Signo Readers
 
– Lead time > 180 days (Sept 2022)
– Signo Priority will not read 125 Khz Proximity
 
If 125Khz reading is not needed, only 13.56 Mhz,  please consider the Signo Priority Reader X0NKS-T0-000000 as a substitute for the Signo Traditional X0NKS-00-000000 readers.

 

 

Posted in: Company News

Leave a Comment (0) →

Leaked Database of over 1 billion Chinese Civilians for Sale

The Shanghai National Police (SHGA) database of over 1 billion Chinese citizens is apparently up for sale for 10 Bitcoin (~USD $200,000 ).   This represents terabytes of personal data including full name, address, birthplace, age, birth year, nationality, photo information, national ID number, mobile number, and any committed crimes and case details for the individuals.   (Source link has been obscured, sorry.)

Included in the for sale ad were samples of the data to verify authenticity.  The alleged leak was apparently from a contract software developer that had errantly posted the database login credentials to a project blog some months earlier. 

The leak has been verified by several people and posted online, but Western media has not really picked up on the impact of such an event.  If legitimate, it represents the largest data leak ever reported.


Oddly enough, there doesn’t seem to be anything called the “Shanghai National Police”, only the “Shanghai Municipal Police” returns any search results as a legitimate entity in major search engines.  Still, regardless if this is a translation error or some other mis-identification, the validity of the data appears to be proven.  We attempted to connect to the sample link provided through a VM and VPN and were able to download the 110mb compressed gzip sample file and view the sample files.  When uncompressed, the files were several hundred megabytes each in JSON format in English language and Chinese characters (multi-byte format), consisting of personal information, police record case data files, and an address merge with cell phone data.   Here’s an example of the personal detail record file:

 

The police case record data appears to be of the most concern,  with the actual data content consisting of detailed police reports of the charged offense, including the date/time and specific location of the criminal events.  Deciphering the information is difficult for most westerners since most of the text is in traditional Chinese, but it would be trivial to use automated translating to get the gist of the content when inserting into a database.

With the horse already having left the barn, there doesn’t appear much that the Chinese government can do to mitigate this leak.  Addresses and phone numbers can of course be changed by the individuals, but having these records open to the public (particularly the police reports) is a massive blow to individual privacy (such that it is in PRC), and will likely cause problems for millions of people for years.

 

 

 

 

Posted in: Company News

Leave a Comment (0) →

SP-FA/LV Exam Prep Class (Zoom) on May 11, 2022, 8:00 AM – 5:00 PM

“Preparing for the North Carolina SP-FA/LV Electrical Examination”

NCBEEC Approved CE Course #CEC.03912
Course Instructor: Kile Unterzuber
NC License #10173-SP-FA/LV

Don’t miss this opportunity to prepare yourself for this critical exam!  The virtual class format save you time and money.  Register now at https://nationaltrainingcenter.com/event/nc-sp-fa-lv/.  For more information download our SP-FA/LV Exam class description and FAQ PDF files!

Course Description: This course reviews subject areas of the National Electrical Code (NFPA 70-2020) applicable to the North Carolina SP-FA/LV (Special Fire Alarm/Low-Voltage) license classification examination, as well as the administrative requirements of the NCBEEC and the use of the National Fire Alarm and Signaling Code (NFPA 72-2013). The course emphasizes Code requirements that may not be familiar to the typical installer of low-voltage and power-limited circuits for security and fire alarm systems, but that are important for successfully taking the qualifying examination. These topic areas include:
• Review of basic requirements of Title 21 NCAC 18B;
• General requirements for all electrical work;
• Grounding and bonding for power-limited and associated branch circuits;
• Calculating conductor ampacity;
• Calculating box fill;
• Identifying conductors for specific applications;
• Identifying and providing overcurrent protection for power-limited circuits; and
• Calculating resistance in simple circuits; and
• Requirements of National Fire Alarm and Signaling Code (NFPA 72-2013)

 

Posted in: Company News

Leave a Comment (0) →

More Cloud Woes for Security

Once again a cloud solution has been hacked, this time Verkada, a fairly new entry into the security arena.  Verkada offers a turnkey solution using proprietary hardware and hosted video management solutions for a monthly fee.  They aren’t unique to the industry, but they are the most recent to be hacked and be spotlighted in the news.

The key takeaway from the Bloomberg article is something we’ve been telling our clients for a while:  Cloud and SaaS solutions typically have a “super-admin” or overall management account access that lets the provider “see” all of their customer’s account and account information.  This varies of course depending upon the service provider and the service type, but in general if you don’t own the server, someone else does and has to manage and support the data coming into it and on it.

Madison County Jail seen through a Verkada camera.

“A group of hackers say they breached a massive trove of security-camera data collected by Silicon Valley startup Verkada Inc., gaining access to live feeds of 150,000 surveillance cameras inside hospitals, companies, police departments, prisons and schools.”

We strongly urge to our clients that sensitive data and physical controls should be hosted on premise, and don’t belong in the cloud.   This could be devastating for Verkada and other cloud based solutions that are dedicated 100% to SAAS (software as a service) solutions.   You can read the full article from Bloomberg here:

https://www.bloomberg.com/news/articles/2021-03-09/hackers-expose-tesla-jails-in-breach-of-150-000-security-cams?srnd=premium

 

Posted in: Company News

Leave a Comment (0) →

SolarWinds Hacked – Or “Another Example of Why Putting Security in the Cloud Might Not Be Safe”

The supply chain giant SolarWinds, used by every major branch of the government, all military branches, and almost all of the Fortune 500 companies, has been hacked by a Russian hacking group that gained access to sensitive emails, APIs, and SSO tokens and user accounts since as far back as March of 2020.   See a summary from Krebs here: https://krebsonsecurity.com/2020/12/u-s-treasury-commerce-depts-hacked-through-solarwinds-compromise/

This is a classic example of why outsourcing  your security and sensitive operations isn’t always a good idea. 

One of the most frequent discussions we have with our clients is why we are generally opposed to putting security operations “in the cloud”.  After all, it’s offered by just about every IT supplier, and the security software vendors are all jumping on board as well.  Sure they are, because it’s a great recurring revenue source for them, as opposed to buying a traditional perpetual software license that you install on your premises computer(s).

To be sure, there are obviously Cloud deployments that can be done safely and securely; then again, that’s probably what SolarWinds thought too.  Security, and especially Cyber Security, is a never ending game of cat-and-mouse, with the mousetrap always getting better and the mouse always getting smarter.  

We will see this again, whether it’s another twitter hack where celebrities posting for bitcoin submissions (https://www.pandasecurity.com/en/mediacenter/mobile-news/twitter-celebrities-hacked) or maybe a service provider like Workday or Okta getting hacked and exposing sensitive client data to be sold on the darkweb or nation states for further exploitation. 

For certain clients or situations, using cloud based security application makes sense, but in general we advise against using the cloud for access control and video surveillance for sensitive locations or enterprise applications.

Caveat Emptor.

Posted in: Company News

Leave a Comment (0) →

Securing Ubuntu Linux with ufw and tcpwrapper

Nerd Title:  Security Ubuntu Server with tcpwrappers and ufw.

We don’t write many cybersecurity related articles because there are plenty of other people out there also doing it, and well… we can’t be experts at everything. 

Still, once in a while we come up with a problem that has a solution so clean and elegant that we have to share it.  This article will quickly explain how to setup tcpwrappers and a firewall to automatically ban users attempting to connect from unauthorized IP addresses.   The process is simple, every modern linux distribution comes with a firewall of some kind, Ubuntu currently uses ufw.  It also supports a package called ‘tcpd’, or tcpwrappers. The solution we used was to install a base ufw rule limiting only ports for SSH, HTTP, and HTTPS traffic and block everything else.  It looks something like this:

root@acme.com:/root/# ufw status
Status: active

To Action From
-- ------ ----
22/tcp LIMIT Anywhere
443/tcp ALLOW Anywhere
80/tcp ALLOW Anywhere
22/tcp (v6) LIMIT Anywhere (v6)
443/tcp (v6) ALLOW Anywhere (v6)
80/tcp (v6) ALLOW Anywhere (v6)

This is a common configuration, but the downside is that everybody can knock on your door and attempt to login.  You can limit how much/how fast, but basically it’s open to the public.  This is where tcpwrappers comes in. You can search the internet about tcpwrappers, there are many online explanations and guides about it. Tcpwrappers has been around a long time, and they never changed the goofy name, but essentially it works by checking two files: /etc/hosts.allow and /etc/hosts.deny to see if you’re a good guy or a bad guy, and what to do with you.  This is where the fun comes in. (Note, you’ll need root permissions to do this.)

First you have to install tcpwrappers – “sudo apt install tcpd”

Then edit the /etc/hosts.allow file and add the services you would use, something like this (change your own hostnames or IP addresses you want to allow in):

ALL: 127.0.0.1
smtps: ALL
imaps: ALL
ALL: 43.79.214.93                 # Work Server
ALL: 71.60.242.15                 # Home
ALL: rockhouse.mynetgear.com      # Home
ALL: 172.210.145.232              # Testing Cloud Server

The IP addresses or hostnames with ALL: in front are allowed into the server for whatever port or service they connect to, as long as the firewall rule allows it. This is your “whitelist” of good guys to let in the door.  The big difference here is that unlike firewall rules, tcpwrappers allows for hostnames, so if you have a dynamic IP address using a hostname (like dyndns.org), you don’t  have to update the firewall rules each time.  Need to add a new remote host that should be allowed to access ssh? Add it here.

Next, edit the /etc/hosts.deny file and add the following string (it should all be on one line):

ALL: ALL: spawn ((/usr/local/bin/banip.sh %h; /bin/echo -ne "client = %h; server = %H; process = %d; PID = %p date = "; /bin/date) >> /var/log/tcpwrappers.log &)

This single line blocks everybody from everything that isn’t in the whitelist above.  Notice also here tcpwrappers calls a shell script called /usr/local/bin/banip.sh.  This script calls “ufw” to write a firewall rule to ban the remote attacker forever.  You can put this wherever you want, but the script should look something like this:

#!/bin/bash
#This script attempts to ban ip addresses using Ubunutu's UFW
#
if [ `whoami` != "root" ]; then
echo "you must be root to run $ME"
fi
if [ "$1" = "" ];
then
echo -n "Enter the IP Address: "
read IP
echo -n "You entered $IP, correct? (Y/N) "
read ans
if [ "$ans" = "y" -o "$ans" = "Y" ]; then
echo "Blocking $IP"
ufw insert 1 deny from $IP port 22
exit
else
echo "Ok, quitting."
fi
else
echo "Blocking $1"
ufw insert 1 deny from $1 port 22
fi

This is a very simple script that takes an IP address and tries to ban it on port 22 for access using ufw.  If you run it manually without any arguments it will ask you for an IP address to ban.

This script will also create a logfile in /var/log/tcpwrappers.log that you can see where people have tried to gain access to your server and been shut out. 

Blocking 106.75.251.140
Skipping adding existing rule
client = 106.75.251.140; server = 45.33.101.254; process = sshd; PID = 78110 date = Fri 13 Nov 2020 04:54:48 AM UTC
Blocking 84-255-249-179.static.t-2.net
client = 84-255-249-179.static.t-2.net; server = 45.33.101.254; process = sshd; PID = 78153 date = Fri 13 Nov 2020 04:55:19 AM UTC
Blocking ns3268691.ip-5-39-81.eu
client = ns3268691.ip-5-39-81.eu; server = 45.33.101.254; process = sshd; PID = 78167 date = Fri 13 Nov 2020 04:55:36 AM UTC
Blocking 118.24.48.15

You can also see a list of banned IP addresses by typing “ufw status”.  If you’ve accidentally banned an IP you didn’t mean to, then you can unban it by using “ufw delete rule#”, where rule# is the actual line from “ufw status numbered” that you want to unban.  Note that this list can get rather long, as there are people with nothing better to do than write scripts to try to break into whatever servers they can find.  In the short time I wrote up this article, I had 32 attempts on my demo server alone.  If you need to reset, you can just type “ufw reset”, but that resets everything back to factory defaults.  You can use a quick script to do this also:

sudo ufw --force disable \
&& sudo ufw --force reset \
&& sudo ufw default deny incoming \
&& sudo ufw default allow outgoing \
&& sudo ufw allow 22/tcp \
&& sudo ufw limit ssh \
&& sudo ufw allow 80/tcp \
&& sudo ufw allow 443/tcp \
&& sudo ufw --force enable

This has been a very fundamental explanation of how to easily allow remote access while also keeping the bad guys out at the same time, using a blend of the old  (tcpwrappers was written in the 1990’s) and the new.

Posted in: Company News

Leave a Comment (0) →

Coronavirus COVID-19 Disinfection on the Cheap

Coronavirus (COVID-19) has gathered significant attention worldwide because of how dangerous the virus is, how easily it spreads, and how difficult it is to detect.   So most people, whether government, professional, or civilian, are looking for an easy way to protect themselves and others as best they can.   Things like facial and toilet tissue, surgical masks, and hand sanitizers are selling out in stores and online.   As the number of cases in the US increase, so will the panic.  

But the military has dealt with this kind of thing for a long time, and the number one thing they rely upon for disinfecting is good old fashioned Sodium or Calcium Hypochlorite, also known as “bleach”.   There are many kinds of bleach, but Sodium Hypochlorite is typically referred to “Clorox” bleach. Both Sodium and Calcium Hypochlorite are widely available, but we prefer Calcium Hypochlorite because it typically contains more available chlorine per volume than Sodium Hypochlorite.  Bleach is a generic term which describes a chemical with the inherent properties of removing color, whitening, and disinfecting.   It does this by oxidation, which with “Clorox” is by a chemical reaction which causes the proteins in germs to lose their cellular structure, thus destroying them.

“So what?”  Everybody knows that bleach kills germs.   Yes, but did you know that even a small concentration of bleach kills germs?  You don’t need to dump a gallon of Clorox on everything to kill germs.   You can dilute it down to as little as .5% and still effectively kill germs on contact.  You can even dilute down to .05% and still be effective, but the exposure time becomes much longer.   So what do we (“not-healthcare professionals”) suggest for every day people to use this solution?  

Something as simple as a mini-spray bottle (think travel size pump hair spray bottle) with a .5% solution of Calcium Hypochlorite in water will be easily portable and moderately effective for most uses.   The dilution ratio doesn’t have to be exact, but it should be close.  If it’s a little higher that’s okay, but don’t go crazy.  The concentration will determine HOW LONG you must maintain contact with the solution, so start with a known concentration and then blend down.  Bleach is a reactive chemical, and deteriorates over time in higher concentrations, so choose a product that is individually sealed and use as needed.  The lower concentration of .5% should last for months in a sealed container.  For our mixture, we liked something like this pool product from Amazon.com.  It is 68% concentration in powder form in 1lb packs.  To make a 55 gallon drum of .5% solution, mix approximately 3 1/4 lbs of powder to 55 gallons of water.   Or for each gallon, add ~1 oz of Calcium Hypochlorate and mix thoroughly.    Remember that because it’s a solid powder it won’t mix easily in water, so if possible use warm water to help it dissolve more quickly and thoroughly.

So, fill the spray pump bottles and toss them in your pocket, your office drawer, your glove box, or backpack.  Spray on anything you want to touch, or on your hands after you’ve touched something you shouldn’t have.  Rub in thoroughly.  The .5% concentration shouldn’t discolor most fabrics or materials, but will definitely have a slight chlorine odor to it.  You can add scents to the mixture if desired to make it more tolerable for those sensitive to chloramine smells, but don’t add so much that it dilutes the solution to be ineffective.   

For more information see the US Army Public Health Command bulletin on Preparing and Measuring High Chlorine Concentration Solutions for Disinfection:  TIP_No_13-034-1114_Prepare_Measure_High_Chlorine_Solutions

Posted in: Company News

Leave a Comment (0) →

HID Signo Readers Announced.

HID announced an entirely new reader line today, called Signo.  What’s immediately noticeable is they are more sleek and stylish than the iClass R or RP models, but looking further, we found that there are some distinct differences that might just make switching to this new reader platform sensible.

For starters, the keypad reader model looks more functional, and the mullion keypad reader is a definite necessity.  The keypads are capacitive  touch style which should make them more reliable in harsh environments.

Dimensions for the readers is almost identical, with the Signo readers being a little slimmer, but probably not by very much.  See Feature Comparison Matrix.

What’s missing though, like in the RP series, is a long range parking lot reader like the R90.  This is a needed technology that should be added in the future (are you listening, HID?).

The Signo series seems to lump all the reader technologies in together, making the product selection a little less confusing than previous iClass reader selections.  This is most welcomed.  Supported technologies are 125Khz proximity, iClass, SEOS, Mifare, plus mobile credentials via Bluetooth and NFC, plus Apple’s Enhanced Contactless Polling technology for apple wallet credentials.  

Other features are better support for crypto keys (no more base encryption key in the wild, for now), automatic tuning/detuning for optimized read range, and OSDP support out of the box.  Reader tamper is now a dry contact relay (THANK YOU).   But the biggest thing installers are going to enjoy is that the Signo readers support remote management.  No more configuration cards to go around to every reader just to turn of the 125Khz prox read feature set.  This should have been done LONG AGO.   Firmware updates, configuration, and reader management can be done via mobile device or over OSDP (assuming your PACS supports it).

From our take, these readers appear to have been developed largely for the Campus environment (the Apple ECP is a dead giveaway), but certainly have the feature sets that would make them desirable in the commercial, government, and industrial markets as well.  We don’t  have any evaluation copies yet, but will definitely be looking at these for new projects where they fit and offer additional security, style, and convenience.

Feature Comparison Matrix

Reader RP40 Signo 40
Dimensions 3.3″ x 4.8″ x 1.0″ 3.15″ x 4.78″ x 0.77″
Read Range (typ)

iCLASS: 2.4″

125Khz Prox: 2.8″ to 4.3″

iCLASS: 1.6″ to 4″

125Khz Prox: 2.4″ to 4″

Power 85ma @ 16VDC 75ma @ 12VDC
Comm Wiegand & (optional) OSDP  Wiegand & OSDP
Reader Tamper Open Collector Output Dry Contact Relay
Configuration Programming Cards Mobile Device or OSDP
Weatherproof If optional gasket installed Yes
Certifications UL294, EAL5+ UL294, EAL6+
Price ~$200.00 ~$200.00

 

 

Posted in: Access Control, Company News, Security Technology

Leave a Comment (0) →

Why You Should Be Skeptical of Security Apps in the Cloud

The “Cloud” for most people has become an integral part of our daily lives.  It’s everywhere, yet many people couldn’t tell you what the cloud really is if you asked them.  It’s just there. 

In a nutshell, the cloud could be defined as “an internet server you don’t own, yet hosts your data”.   All this means is you’re using Software As a Service (SAAS), and someone else has developed the application, hosts it on their server, and you use it, or maybe even pay for it via subscription (like Ring or Canary).

Yet all too often, when we really closely inspect these services or applications we tend to find flaws, or sometimes downright intentional abuse, that leads to exposing more of our personal data than we would like.  In the case of  many apps for home or personal use, we can choose to accept some loss of privacy in exchange for the free or bundled software and storage.   However, in the business world this is rarely tolerated, and in some cases it’s against the law. 

For a fantastic example of this abuse, the Electronic Frontier Foundation has published an excellent article about Ring and its application that exposes multiple abuses of privacy.    The biggest takeaway from the article for us was that Ring appears to be using pinned certificates in a way that prevented data security experts from analyzing encrypted traffic generated from the application itself.   Now imagine an app from a state sponsored corporate entity like Huawei sending images, stored files, GPS data, voice recordings, or video from your phone or tablet to some server in another country.  See how big the risk is?

Click the link below to read the full article, but this summary puts it best:

“Ring claims to prioritize the security and privacy of its customers, yet time and again we’ve seen these claims not only fall short, but harm the customers and community members who engage with Ring’s surveillance system.”

https://www.eff.org/deeplinks/2020/01/ring-doorbell-app-packed-third-party-trackers

 

Posted in: Company News

Leave a Comment (0) →

Quantum Resistant Encrypted Communications

If quantum computing can reduce previous calculation times of decades down to seconds, then what does that spell for current military, government, and corporate technologies that rely on encryption algorithms?   The current idea is that encryption isn’t unbreakable, it’s just not practical because by the time the message is encrypted, it’s no longer relevant and most likely the encryption key (or even mechanism) has changed.   With Quantum computing, this all goes out the window, as now brute force decryption could theoretically be done in real time.  This terrifies everyone, and rightfully so.  

What about Blockchain?   Under the bitcoin blockchain algorithm concept, the encryption difficulty is adjusted after every 2016 blocks are mined.  This is typically an incremental increase or decrease as more or fewer hardware resources are thrown at mining bitcoin.   Thus, if you added a super quantum computer (or cluster of quantum computers), the difficulty would proportionally (and drastically) increase with the number of blocks that were mined (just in a much shorter time frame).

On October 23, 2019, Bitcoin’s price fell from around $8200 per bitcoin to under $7400 in a matter of minutes, because Google announced that Sycamore, its quantum computing platform, had achieved “quantum supremacy” and passed an impossible test.  The premise is that it completed a test calculation in 200 seconds that would take the world’s most powerful supercomputer 10,000 years to finish.   While the claim is somewhat questionable, there is no doubt that quantum computing has taken a foothold and will only advance from here.

Google Sycamore Quantum Computer

Google Sycamore Quantum Computer

The problem here is that someone trying to break the encryption isn’t likely to be actively participating in the blockchain.  They’re just going to be trying to decrypt packets or streams, or whatever they are intercepting and trying to decrypt.  So unless the encrypted blockchain communications platform changed the encryption difficulty to a level that it couldn’t actively mine itself (thus defeating the point of encryption to begin with), the communications would always be deciphered by the quantum computer.   Thus… all encrypted communications would have to be done with quantum computers.   It’s another round of keeping up with the bad guys, and technology has to step up to meet the challenge.

The downside is that this is financially well outside the possibility for most businesses and private individuals, meaning we are back to the equivalent of clear text passwords and messages as well as unencrypted financial transactions.   This would be disastrous for the financial and credit industries, as well as creating havoc in terms of privacy act enforcement, worldwide (think GDPR). 

How this plays out is anybody’s guess right now and the technology isn’t quite there, but in the mean time, all one can do is hope that Google really means it when they say “Don’t Be Evil”.

 

Posted in: Company News

Leave a Comment (0) →
Page 1 of 2 12