Archive for Security Technology

Playing Around with the PinPoint Survey Application using Amazon Data

We put together a quick demo of the PinPoint Survey Application using some public data scraped from the web for all the US Amazon sites.  The equipment names and photos are all generated, so don’t get too excited about thinking there are real Amazon security equipment details being posted on the web.

Some of the reporting features are turned off, but the overall objective was to show off the speed and utility of the site data and geospatial mapping capabilities for relating sites and equipment within those sites.

Using the application from a tablet, you can use the built-in GPS to map the device lat/lon data to the database, along with any photos, notes, and punch list information that might be relevant.  This is particularly useful for large external sites like ports, refineries, mines/quarries, or power generation/transmission facilities.

GIF Movie of PinPoint Survey Application using demonstration data for Amazon sites

PinPoint Survey Application Short Demo

Posted in: Access Control, Application Development, CPTED, Premises Liability, PSIM, Security Consulting, Security Technology, Vulnerability Analysis


Another installment of (in)secure Cloud storage

Chinchero Airport, Peru | EJAtlas

We know we sound like a broken record when we tell our clients “If you don’t own your server, you don’t own your data. Don’t put anything in the cloud you don’t want potentially exposed to the public.”, but time after time we show examples of why we keep repeating this mantra.

What Happened:

A major data leak by Securitas that affected several Latin American airports and other related companies was discovered by a cybersecurity firm called SafetyDetectives. In late January a team discovered that an Amazon S3 bucket had been left unsecured and exposed to public access, and contained over 1 million files relating to airport and security personnel.

Securitas, a large, well known multinational security company that has been in business for almost a century, has not made any public statements around the incident as of this posting. This isn’t the first time Securitas has had cybersecurity issues. In 2017 the Securitas CEO Alf Göransson had his personal identification stolen at the end of March, when someone applied for a loan in his name. The Stockholm District Court then declared Göransson bankrupt without informing the CEO prior to its decision.

The Breach (From SafetyDetectives briefing):

Securitas left its Amazon S3 bucket open and accessible, without any authentication procedures in place. The misconfigured bucket has therefore exposed almost 1.5 million files, equating to about 3TB of data.

The bucket’s exposed information included employee Personally Identifying Information and sensitive company data of at least four airports in Colombia and Peru: El Dorado International Airport (Bogota D.C, COL), Alfonso Bonilla Aragón International Airport (Valle del Cauca, COL), José María Córdova International Airport (Antioquia, COL), and Aeropuerto Internacional Jorge Chávez (Lima, PE). As mentioned, unobserved files may have exposed other airports and places throughout Colombia, the rest of Latin America, or even the rest of the world.

They observed two main datasets containing the information of Securitas employees and airport employees: photos of ID cards and other unmarked photos.

Photos of ID cards featured on the bucket. There were an estimated 1 million files of this type on the Securitas misconfigured bucket. These files revealed the personal information of employees at the four aforementioned airports that are using Securitas’ services.

Photos of ID cards reveal several forms of employee Personally Identifying Information, including:

  • Full names, incl. first names and surnames
  • Photos of employees
  • Occupations
  • National ID Number

What Was Leaked?

Other unmarked photos featured among the bucket’s content too. There were about 300,000 files of this type. These photos leaked the data of airports, airport employees, and associated companies.

Specifically, these files exposed employees’ personal data, sensitive client data (airports), and the sensitive data of associated companies, such as airlines. Exposed data includes:

  • Photos of employees
  • Photos of planes
  • Photos of fueling lines
  • Photos of luggage being loaded/unloaded


 In addition to the information mentioned above, the two primary datasets analyzed on the bucket (photos of ID cards and other unmarked photos) contained Exchangeable Image File Format (EXIF) data that exposed specific information related to each photo.   Exposed EXIF data includes:

  • Device models (of the cameras used)
  • GPS locations of photos, incl. coordinates and GPS maps
  • Time & date of photos
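One mitigation for the metadata exposure listed above, as an added example (not part of the original post or the SafetyDetectives briefing): report which sensitive Exif tags a JPEG carries, then drop the Exif APP1 segment before the photo is stored. It uses only the Python standard library; the sample byte string is constructed and has a correct segment layout but is not a viewable image.

```python
import struct

SOI, SOS, APP1 = b"\xff\xd8", 0xDA, 0xE1
EXIF_ID = b"Exif\x00\x00"
# IFD0 tags behind the three kinds of metadata listed above.
SENSITIVE_TAGS = {0x0110: "Model", 0x0132: "DateTime", 0x8825: "GPSInfo"}


def header_segments(jpeg):
    """Yield (marker, start, end) for each segment after SOI, up to and including SOS."""
    if jpeg[:2] != SOI:
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while True:
        if pos + 4 > len(jpeg) or jpeg[pos] != 0xFF:
            raise ValueError(f"malformed segment header at offset {pos}")
        marker = jpeg[pos + 1]
        if marker == SOS:
            # Compressed scan data follows; treat the rest of the file as one unit.
            yield marker, pos, len(jpeg)
            return
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        end = pos + 2 + length
        if length < 2 or end > len(jpeg):
            raise ValueError(f"bad segment length at offset {pos}")
        yield marker, pos, end
        pos = end


def is_exif(jpeg, marker, start):
    """True for an APP1 segment whose payload starts with the Exif identifier."""
    return marker == APP1 and jpeg[start + 4:start + 10] == EXIF_ID


def sensitive_tags(jpeg):
    """Sorted names of the sensitive IFD0 tags present in the file's Exif data."""
    found = set()
    for marker, start, end in header_segments(jpeg):
        if not is_exif(jpeg, marker, start):
            continue
        tiff = jpeg[start + 10:end]          # TIFF structure inside the Exif segment
        order = {b"II": "<", b"MM": ">"}.get(tiff[:2])
        if order is None or len(tiff) < 8:
            continue
        _magic, ifd0 = struct.unpack(order + "HI", tiff[2:8])
        if ifd0 + 2 > len(tiff):
            continue
        (count,) = struct.unpack(order + "H", tiff[ifd0:ifd0 + 2])
        for i in range(count):
            entry = tiff[ifd0 + 2 + 12 * i:ifd0 + 14 + 12 * i]
            if len(entry) < 12:
                break
            (tag,) = struct.unpack(order + "H", entry[:2])
            if tag in SENSITIVE_TAGS:
                found.add(SENSITIVE_TAGS[tag])
    return sorted(found)


def strip_exif(jpeg):
    """Return the JPEG with every Exif APP1 segment removed, all else byte-identical."""
    out = bytearray(SOI)
    for marker, start, end in header_segments(jpeg):
        if not is_exif(jpeg, marker, start):
            out += jpeg[start:end]
    return bytes(out)


def _segment(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_sample():
    """Constructed stand-in for a camera JPEG (Model, DateTime and a GPS IFD pointer)."""
    ifd0 = struct.pack("<H", 3)
    ifd0 += struct.pack("<HHI4s", 0x0110, 2, 4, b"Cam\x00")   # Model, stored inline
    ifd0 += struct.pack("<HHII", 0x0132, 2, 20, 50)           # DateTime at offset 50
    ifd0 += struct.pack("<HHII", 0x8825, 4, 1, 70)            # pointer to GPS IFD
    ifd0 += struct.pack("<I", 0)                              # no further IFD
    tiff = (b"II" + struct.pack("<HI", 42, 8) + ifd0
            + b"2000:01:01 00:00:00\x00" + struct.pack("<HI", 0, 0))
    return (SOI + _segment(0xE0, b"JFIF\x00" + bytes(9))
            + _segment(APP1, EXIF_ID + tiff)
            + _segment(0xDB, bytes(65))
            + _segment(SOS, bytes(10)) + b"\x12\x34\xff\xd9")


SAMPLE = build_sample()

if __name__ == "__main__":
    cleaned = strip_exif(SAMPLE)
    print("before:", sensitive_tags(SAMPLE))
    print("after: ", sensitive_tags(cleaned),
          f"({len(SAMPLE) - len(cleaned)} bytes removed)")
```

Only Exif APP1 segments are removed; XMP metadata, which also travels in APP1 under a different identifier, is left in place and would need its own check.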


What it Means to Us

It may be some time before there is any assessment of the extent of damage from the data breach, but this obviously serves as an example of how careless data management can have serious security implications for your firm or those of your clients.  In evaluating software application strategies for our clients, we always ask these simple questions:

  1. What is the criticality of this information if it is leaked to the public?
  2. Can the solution be self-hosted on the Client’s own private network?
  3. Does it really NEED to be a cloud application?
  4. If so, how can we mitigate the potential damage if there is a breach?

Additional measures like a Type I or Type II SOC report are helpful, but likely wouldn’t have prevented the Securitas data breach discussed above.  Regular and ongoing security audits, along with well defined and enforced data management and security policies and procedures are the only real defense against these kinds of mishaps.
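One form the ongoing audit can take for S3, as an added example (not code from the original post or from the SafetyDetectives briefing): decide whether a bucket is effectively readable without authentication from its Public Access Block settings, ACL grants and bucket policy. The input dictionaries follow the shapes returned by the S3 GetPublicAccessBlock (inner `PublicAccessBlockConfiguration`), GetBucketAcl and GetBucketPolicy calls; the three sample buckets are constructed, only bucket-level settings are examined, and treating any unconditioned Allow to a wildcard principal as public is a simplifying assumption.

```python
import json

# Group URIs that S3 treats as "everyone" and "any AWS account holder".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def public_acl_permissions(acl):
    """Permissions the bucket ACL grants to a public group."""
    perms = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            perms.append(grant.get("Permission"))
    return perms


def public_policy_statements(policy_json):
    """Sids of Allow statements with a wildcard principal and no Condition."""
    if not policy_json:
        return []
    hits = []
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            principal = principal.get("AWS", [])
        if "*" in _as_list(principal):
            hits.append(stmt.get("Sid", f"Statement[{index}]"))
    return hits


def audit_bucket(pab, acl, policy_json):
    """Combine the three inputs into an exposure verdict.

    BlockPublicAcls and BlockPublicPolicy only reject *new* public settings;
    IgnorePublicAcls and RestrictPublicBuckets are what neutralise existing ones.
    """
    pab = pab or {}   # no configuration at all means every setting is off
    findings = []
    perms = public_acl_permissions(acl or {})
    if perms and not pab.get("IgnorePublicAcls"):
        findings.append("ACL grants " + ",".join(perms) + " to a public group")
    sids = public_policy_statements(policy_json)
    if sids and not pab.get("RestrictPublicBuckets"):
        findings.append("policy allows any principal: " + ",".join(sids))
    return {
        "exposed": bool(findings),
        "findings": findings,
        "pab_disabled": [k for k in PAB_KEYS if not pab.get(k)],
    }


# --- Constructed sample configurations (not taken from any real bucket) ---
READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
})
PUBLIC_ACL = {"Grants": [{
    "Grantee": {"Type": "Group",
                "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
    "Permission": "READ"}]}
ALL_ON = dict.fromkeys(PAB_KEYS, True)

SAMPLES = {
    "open": (None, PUBLIC_ACL, READ_POLICY),
    "half-locked": ({**ALL_ON, "RestrictPublicBuckets": False},
                    PUBLIC_ACL, READ_POLICY),
    "locked": (ALL_ON, PUBLIC_ACL, READ_POLICY),
}


def audit_all(samples=SAMPLES):
    return {name: audit_bucket(*cfg) for name, cfg in samples.items()}


if __name__ == "__main__":
    for name, result in audit_all().items():
        print(name, result)
```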

This won’t be the last time we see this either.  As the Cloud becomes more and more integrated into corporate IT strategies, it will happen again, and again, and again.

 

 

 

Posted in: Security Consulting, Security Technology


HID Signo Readers Announced.

HID announced an entirely new reader line today, called Signo.  What’s immediately noticeable is they are more sleek and stylish than the iClass R or RP models, but looking further, we found that there are some distinct differences that might just make switching to this new reader platform sensible.

For starters, the keypad reader model looks more functional, and the mullion keypad reader is a definite necessity.  The keypads are capacitive  touch style which should make them more reliable in harsh environments.

Dimensions for the readers are almost identical, with the Signo readers being a little slimmer, but probably not by very much.  See Feature Comparison Matrix.

What’s missing though, like in the RP series, is a long range parking lot reader like the R90.  This is a needed technology that should be added in the future (are you listening, HID?).

The Signo series seems to lump all the reader technologies in together, making the product selection a little less confusing than previous iClass reader selections.  This is most welcomed.  Supported technologies are 125Khz proximity, iClass, SEOS, Mifare, plus mobile credentials via Bluetooth and NFC, plus Apple’s Enhanced Contactless Polling technology for Apple Wallet credentials.

Other features are better support for crypto keys (no more base encryption key in the wild, for now), automatic tuning/detuning for optimized read range, and OSDP support out of the box.  Reader tamper is now a dry contact relay (THANK YOU).   But the biggest thing installers are going to enjoy is that the Signo readers support remote management.  No more configuration cards to go around to every reader just to turn off the 125Khz prox read feature set.  This should have been done LONG AGO.   Firmware updates, configuration, and reader management can be done via mobile device or over OSDP (assuming your PACS supports it).

From our take, these readers appear to have been developed largely for the Campus environment (the Apple ECP is a dead giveaway), but certainly have the feature sets that would make them desirable in the commercial, government, and industrial markets as well.  We don’t  have any evaluation copies yet, but will definitely be looking at these for new projects where they fit and offer additional security, style, and convenience.

Feature Comparison Matrix

Reader | RP40 | Signo 40
Dimensions | 3.3″ x 4.8″ x 1.0″ | 3.15″ x 4.78″ x 0.77″
Read Range (typ) | iCLASS: 2.4″; 125Khz Prox: 2.8″ to 4.3″ | iCLASS: 1.6″ to 4″; 125Khz Prox: 2.4″ to 4″
Power | 85ma @ 16VDC | 75ma @ 12VDC
Comm | Wiegand & (optional) OSDP | Wiegand & OSDP
Reader Tamper | Open Collector Output | Dry Contact Relay
Configuration | Programming Cards | Mobile Device or OSDP
Weatherproof | If optional gasket installed | Yes
Certifications | UL294, EAL5+ | UL294, EAL6+
Price | ~$200.00 | ~$200.00

 

 

Posted in: Access Control, Company News, Security Technology


Simple Home Security Tips

For the most part and except for the rare high net worth executive or celebrity, our firm does not actively engage in home security consulting for residential properties.   We typically just aren’t cost effective, and there are plenty of other very good sources of information out there that can provide good service for your needs.   Still, I find that I get asked for this advice from time to time, and even though we don’t typically provide this service, here are some ideas that can be helpful in protecting your loved ones and your home:

  • Have a Security Mindset.   A simple rule I learned from my father as a kid, “Leave your place the way you want to find it when you return”.   This applies to home security very easily.
  • Use Lighting. Leave the lights on if you’re coming home after dark (or have automatic lights that turn on a schedule or at dusk). 
  • Smart Lights. For techies, get light switches or sockets that can be controlled by Google Home or Amazon Alexa. Then set schedules or use voice commands to turn lights on/off. This helps make the home appear to be occupied.
  • Outdoor Lights.   Keep a light on the porch or in the yard.  Lights are a great deterrent for criminal behavior. Motion detection lights are useful too, although they tend to false quite a bit and may come on more than necessary.
  • Be Neat. Leave the house neat and orderly (it’s hard to tell if someone has ransacked your house if it’s already a mess…). There’s also a little bit of the “broken window mindset” here, that people won’t respect your home as a sovereign domain if it’s unkempt and in disrepair. Plus, don’t leave items in your yard that may help burglars or vandals break into or damage your home (ladders, tools, bricks/lumber, gas cans, etc).
  • Lock Doors.  Lock the doors before you leave.  If keys are a hassle, install a PIN pad for your deadbolt on your main or side entrance door.  They are easily installed and inexpensive.  Oh, and make sure you have a deadbolt lock on all doors.  Install one if not.
  • Use door barricades if needed. Metal exterior doors are best. For use when you are at home, using simple devices that function as a night latch are very helpful in supplementing deadbolts (you did get a deadbolt, right?). Be sure to install the night latch at least one foot higher or lower than the deadbolt, to add more strength and resist kick ins. By the way, forget the chains and use at least 3″ screws to fasten to the door frame and studs behind. Here’s a suggestion https://www.amazon.com/dp/B00D2K367Y/
  • Use Your Alarm.  Arm the alarm system if you have one.  Many people have alarm systems, but never actually use them.  Use it!  (A great feature I’ve added to my house is a “go away light”, that is a little red light that turns on if the alarm has been tripped and can be seen as I’m driving up to the house.  If it’s on, nobody goes inside, we call the police.)
  • Get an Alarm.  If you don’t have an alarm system, get one.  Most any commercially available alarm system is sufficient for home use.  Large companies like ADT and CPI market themselves as inexpensive, but tend to have high monitoring fees.  Otherwise they’re all about the same.   PRO TIP:  If you get an alarm system, get smoke detectors connected to it and pay for the monitoring fee.   The fire department will automatically be called whether you’re home or away.
  • Get a dog.   This age old burglar deterrent really does work pretty well.  And no, it doesn’t really matter what kind of dog, although a Chihuahua might not be the most intimidating.
  • Lock Windows.  Use your window locks, even on the second floor (criminals have ladders too).  If your windows are the older double-hung wooden type, an easy trick to secure them is to drill a ¼” hole in the far left or right side of both sashes, and then insert a 10 gauge nail through both sashes.  Even if they managed to unlock from the outside, the window can’t be raised or lowered.
  • Cut Back Shrubs.  Keep shrubs cut back and trees limbed up so you can see your house windows and doors from the street.  Shrubs near the house should be trimmed neatly and cut back.   Hedges should be trimmed so they don’t offer an advantage to a stalker or potential burglar.
  • Fences.  If your property would benefit from the use of a fence, they provide a natural barrier and boundary to your property.  Most houses don’t have them, but for some homes they might be a good fit.
  • Cell Charger by Your Bed.  Most people don’t have a home telephone anymore, so make sure to have your cell phone charger at your bed at night.  If you need the phone in a hurry because of a break in, you don’t want it in another room.
  • Night Lights.  Most grown adults don’t want or need night lights, but they are very helpful for night time navigation in events where you’ll likely have the advantage of night vision and know the layout of your home.
  • Flashlight.  Having an alternate source of light is critical in emergency situations.  There should be one flashlight per person in the household.  The nightstand is an obvious place to keep it.
  • Have a plan.   Have a plan for what to do in case of an emergency, a fire, or home invasion.  If you have children, discuss the plan with them too.  Keep it simple so everyone will remember it.
  • Owning a Gun.  Owning a weapon like a gun is a personal choice, and for some may not be right, or even legal.  If you do have a lethal weapon, make sure it is stored and locked up securely, and that you can get to it quickly and safely if needed.  Otherwise, you’re better off not having it or not using it in the case of a home invasion (you don’t want it used against you or your family).  Training and regular practice with the weapon is also strongly recommended.
  • Non-Lethal Weapons.  If a firearm is not for you, other non-lethal options such as Pepper Spray, Blunt Weapons, or Tasers may be used in the case of home invasion, but still also carry the responsibility of choosing to use them appropriately and have proper training.  Don’t use pellet guns, air-soft guns, or the like as a means of self-defense. In the event the intruder also has a gun, he’s more likely to use it if he believes you also have a gun.
  • Handcuffs.  A final consideration is what you’re going to do with the intruder if you’ve managed to stop them.  How will you hold them for police?  Having a set or two of handcuffs in a drawer is a safer and easier alternative to tying them or trying to lock them in a room.

These are but a few ideas for home safety and security that can be easily adopted by most people.  If you need more detailed information or want a thorough security plan developed, contact a professional security consultant to help you determine your needs and the best plan to make sure you are prepared and protected.

Posted in: CPTED, Fire and Life Safety, Security Technology


Alarm Circuit Supervision – Why You Should Care

EOL resistors installed at panel instead of terminating device.

                  The wrong place for EOL resistors.

On nearly every project we work on, we recommend that alarm initiating devices, especially door contacts, be configured using end of line (EOL) resistors for 4-state supervisory circuits.  The actual resistance value and configuration can vary by system manufacturer, but typically it involves wiring a 1K Ohm resistor in series and another in parallel with the switch, at the terminating device itself (not in the panel or junction box above the door).   This ensures that we have circuit supervision from the alarm panel (or card reader panel) all the way down to the device termination, so we know if the device is in a normal state (1), an alarm state (2), shorted state (3), or cut state (4).   This is known as 4-state supervision, because it distinguishes between 4 possible scenarios for the supervised device.

For an example of why you need device supervision, I recently had a high profile client contract me to do a security survey of their research building.  One of the basement doors had a door contact on it that was not supervised and had been cut and shorted about 30 feet away from the door.  The card access system monitoring the door didn’t use 4-state monitoring and the door appeared to be “closed” all the time, even though it was commonly known that maintenance staff actively used the door for that area.  It had been in that state for several years before it was identified and later repaired.

This simple addition offers greater security to the system, yet often gets omitted by vendors in the installation because it requires extra time and expense, and even causes confusion with some installers (really).  Worse, we sometimes end up with installations like the picture above that adds the EOL resistors to the panel with Dolphin connectors.  This type of installation does not offer any real security, and potentially introduces the opportunity for spurious connections inside the panel.  Thankfully, vendors like GRI manufacture magnetic contacts that come pre-assembled with the resistor array included.  They include 1K, 2K, 3.3K, 5.6K, 10K, and 33K resistors in a variety of contact packages, and also sell resistor packs for retrofit installations.

Years ago, one of the best explanations I ever read about alarm circuit supervision was from an Andover Controls card access panel installation guide.  I had learned already about 4-state supervision and why you should do it, but the following illustration shows it more clearly than anywhere else I ever saw it.  I ran across it again the other day and decided I would put it in an article here on the site.  The illustration below shows how the first two iterations of EOL resistors do not offer any significant line supervision, and could easily be defeated.  The third configuration offers 4 unique resistance values that correspond with the 4 possible state conditions.

Credit to Schneider Electric / Andover Controls for the illustration.
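The difference resistor placement makes, worked through as an added example (not taken from the Andover Controls guide or any vendor's firmware): the loop resistance a panel input sees with the 1K series / 1K parallel pair at the door contact, with the same pair mounted in the panel, and with no resistors at all. Assumptions: a normally-closed contact (closed when the door is closed), a fault located in the cable run between panel and door, and constructed classification thresholds of 500, 1500 and 3000 Ohms.

```python
import math

R_SERIES = 1000.0     # 1K in series with the contact (value from the article)
R_PARALLEL = 1000.0   # 1K in parallel with the contact
OPEN = math.inf


def parallel(a, b):
    """Resistance of two branches in parallel, allowing 0 (short) and inf (open)."""
    if a == 0 or b == 0:
        return 0.0
    if math.isinf(a):
        return b
    if math.isinf(b):
        return a
    return a * b / (a + b)


def loop_resistance(placement, door_closed, fault=None):
    """Ohms seen at the panel terminals.

    placement: "device" (resistors at the contact), "panel" (resistors in the
               panel enclosure) or "none" (unsupervised 2-state loop)
    fault:     None, "short" (conductors bridged) or "cut" (conductor severed)
    """
    contact = 0.0 if door_closed else OPEN
    if placement == "device":
        healthy_cable = R_SERIES + parallel(R_PARALLEL, contact)
    elif placement in ("panel", "none"):
        healthy_cable = contact
    else:
        raise ValueError(f"unknown placement: {placement}")
    # A fault in the cable run replaces whatever lies beyond it.
    cable = {None: healthy_cable, "short": 0.0, "cut": OPEN}[fault]
    if placement == "panel":
        # The resistors sit on the panel side of the fault, so they are always seen.
        return R_SERIES + parallel(R_PARALLEL, cable)
    return cable


def classify(ohms, four_state=True):
    """Map a measured resistance to the state the panel would report."""
    if not four_state:
        return "NORMAL" if ohms < 500 else "ALARM"
    if ohms < 500:
        return "SHORT"
    if ohms <= 1500:
        return "NORMAL"
    if ohms <= 3000:
        return "ALARM"
    return "CUT"


def report(placement, door_closed, fault=None):
    ohms = loop_resistance(placement, door_closed, fault)
    return classify(ohms, four_state=(placement != "none"))


def hidden_open_door(placement):
    """Cable faults under which an OPEN door is still reported as NORMAL."""
    return [f for f in ("short", "cut") if report(placement, False, f) == "NORMAL"]


if __name__ == "__main__":
    for placement in ("device", "panel", "none"):
        for door_closed in (True, False):
            for fault in (None, "short", "cut"):
                door = "closed" if door_closed else "open"
                print(f"{placement:6} door={door:6} fault={fault!s:5} -> "
                      f"{report(placement, door_closed, fault)}")
        print(f"{placement:6} open door hidden by: {hidden_open_door(placement)}")
```

With the resistors in the panel, a bridged cable reads 1K and a severed one reads 2K, so the input only ever shows NORMAL or ALARM and the shorted basement contact described above would look like a closed door.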

Posted in: Security Technology, Training


Video Surveillance System Best Practices – The Right Way to Use CCTV

One of the most common questions we are asked by clients when starting a new project is if they should use Closed Circuit Television (CCTV) cameras for video surveillance.

As we work through the programmatic stage of the project, we try to apply some industry best practices with the client on HOW the cameras will be used on the property.  Here’s a quick rundown on some of the concepts we try to apply:

  1. Identify the purpose of the system and the objective of the surveillance.  This should be a detailed statement that originates in the project’s Basis of Design document.  The objectives should be detailed and achievable.  For example, “providing a view of the entire parking lot” is not a good performance objective, while “identifying the license plates of each vehicle entering or leaving the lot, along with a digital time-date identifier” is an effective performance objective.
  2. Minimize the number of cameras in the system. While this obviously has an impact on the initial cost of installation, it also enables the owner to utilize the system more effectively with fewer personnel and technical resources.  It helps to reduce the overall operating and maintenance costs as well.  A side benefit is that it encourages the system designer to “task” the cameras.
  3. “Task” each camera. Cameras must be placed so that each camera has a dedicated field of view.  The field of view should be directly related to one of the performance objectives.  Once a field of view has been defined, a camera and lens that meet the general performance requirements for the task can be specified. As with Item #1 above, the purpose of each camera should be identified in the design documents.
  4. Avoid new or unproven technologies. Select equipment and a system topology that uses proven technologies.  The shift in video cameras from analog cameras that use coaxial cable for NTSC composite video signals to IP cameras that use Cat 5e or Cat 6 data cable is an example of a technology that was slow to be adopted, but has proven itself to be a reliable improvement.  On the other hand, owners who have adopted unusual technologies, such as 360º digital PTZ cameras that require special software to render a viewable image, sometimes find that they are locked into a platform that may not be supported long term.  A helpful analogy is to consider cameras to be similar to telephones.  A good design allows the cameras to be replaced or upgraded as required while continuing to use the same cabling and infrastructure.
  5. Invest more heavily in the cabling and infrastructure than you might otherwise. The infrastructure that serves the cameras includes cabling, power cabling, power supplies, fiber-optic conductors, adapters, and hardware.  The main components of the infrastructure should last at least 20 years or more.  Cameras, however, will last significantly less than that period.  Therefore, be sure to invest wisely in the basics, as they will outlast three camera generations or more.
  6. Maintain the system properly after installation. Ongoing maintenance after the initial installation is a critical component of an effective surveillance system.   One of the key issues in a wrongful death lawsuit brought against Sumitomo, Inc., for a murder that occurred at their Research Triangle Park, NC, site in the early 1990s was whether or not certain video cameras were operational at the time of the incident.  While it is doubtful that a malfunctioning camera would have been a significant contributing factor, it was nonetheless an issue that was uncovered during the discovery phase.  The camera had been out of order for at least six months and the defendant produced work orders for the repair.  Unfortunately, some of the work orders had been delayed by a facilities manager who kept putting the repairs off until a later budget period.  An owner cannot be expected to guarantee that all parts of a system will be operational at all times, but it is expected that repairs will be made in a timely manner and that the owner exercises due care.
  7. Develop a written Appropriate Use and Retention policy for archived video. A surprising number of owners do not have any written policy regarding the appropriate use and retention of recorded video. A proper policy should be developed in conjunction with corporate counsel and should conform to the records retention policy of the organization. The policy should specify for what purposes the video images may be used and what type of authorization is necessary to access or copy them.  It should identify them as to the appropriate level of confidentiality.  It should specify what constitutes inappropriate use and what disciplinary action may be taken if personnel violate the policy.  And, as with all such policies, it should be disseminated to the personnel who have access to the video to ensure they are aware of their responsibilities.
  8. Archived video should not be retained beyond the specified retention period without proper authorization. Archived video is a company record and may be subject to discovery or subpoena.  Once the retention period, which is usually 30 days for most applications, has expired, the video should be deleted.  Corporate counsel can provide guidance on what would constitute a duty to retain specific video in connection with an incident or ongoing investigation, but video should never be retained beyond the limit specified.  We are aware of at least two instances in the past in which an owner has been asked to go through ALL videocassettes in their possession because an employee stated to an attorney that they “sometimes” kept some of the video for other purposes.  This is an expensive and time-consuming process and usually doesn’t produce anything of value.
  9. Leverage technology where it makes sense.  Using software technologies that are easily applied or even come included with the IP camera or Video Management System (VMS) can increase the overall effectiveness of your surveillance system and your security operation.   While one-off, proprietary hardware technologies might be so unique they are not supported later, software technologies are usually less painful to resolve if they don’t work as desired.  Software technologies like Axis Technologies’ “ZipStream” video compression or video analytics features such as face detection or autotracking are more recent inclusions in camera and VMS software that can improve the effectiveness of video surveillance by making your operation more efficient and capturing and storing meaningful video clips instead of empty scenes that offer no value.
  10. Be sure you can record audio.  Many IP cameras come with audio microphones and recording capability built in.  Before you deploy these types of cameras with audio enabled, check with Corporate counsel to make sure that you are not violating any state or local statutes prohibiting the recording of audio on your premises.  Some shy away completely from audio recording because of a broad interpretation of 18 U.S. Code § 2511, otherwise known as the Wiretap Act, which states that it is illegal to intentionally or purposefully intercept, disclose, or use the contents of any wire, oral, or electronic communication through the use of a “device”.  While video is not specifically mentioned in the statute, and a camera is not specifically mentioned as a “device”, it certainly fits a broad interpretation.  When in doubt, don’t record audio; but if permitted, audio recording can significantly enhance the evidentiary benefits of video surveillance.

There are many factors to consider when laying out a video surveillance system, but applying the above principles when considering the scope and size of your CCTV system will help avoid some of the more common problems and pitfalls that can arise from poor planning.

 

 

 

Posted in: Premises Liability, Security Technology


Cat 6a cabling, do you really need it for IP Video?

In security, modern IP video CCTV camera systems inevitably involve support from the IT/Data Communications departments now, and we often get asked about “how much” bandwidth is needed and what cabling types we need for the cameras, switches, and servers.  Often our advice is in conflict with the IT corporate standards, and we end up explaining the practical use for video in security.  This article attempts to discuss in layman’s terms the differences in the cabling types, and how they relate to IP video security.  The actual physics behind the IEEE 802-series specifications are complicated and beyond the scope of this document (fair warning: that rabbit hole goes deep).

In order to understand the basic question, some explanation is needed on the different types of Ethernet cabling, and their capabilities and limitations. It’s mostly about increasing the frequency capabilities of the cable.  Cat 5e is built to meet the specification requirements of up to 100 MHz, Cat 6 takes the spec to 250 MHz, and Cat 6a takes it all the way up to 500 MHz. The main difference between these cabling standards is the amount of insulation for the conductors and the rate of twist, although there is also a slight increase in the gauge size for Cat 6.   The net effect of these modifications is to reduce crosstalk, attenuation, and EMI.  This can also have the effect of reducing propagation delay and delay skew, which can be measured in millisecond increases in transmission times in some cases.  Delay is known in all types of transmission media, even fiber optics, and is the amount of time that passes between the transmission of a signal and when it is received at the other end of the data link.  In collision based networks like Ethernet using TCP/IP, minimizing propagation delay and skew can have an increased effect on the efficiency of the network and the net amount of data that can be transmitted upon any given network.  Dropped packets mean re-transmission, and bandwidth gets eaten up by repeating data information that’s already been sent (at least) once before.

Cabling Standard Limitations

Cable Type | Max Distance | Max Data Rate
Cat 5e | 100 Meters | 1 Gbps
Cat 6 | 50 Meters | 10 Gbps
Cat 6a | 100 Meters | 10 Gbps

Cat 6 was the first entry into copper based 10Gbps data transmission at a commercial scale. The problem with Cat 6 is that after 50 meters the data rate is essentially 1Gbps, or no better than Cat 5e.   Cat 6a was later introduced and will do the full data rate of 10Gbps for the full rated distance for Ethernet (100 meters).  However, Cat 6a cabling is significantly larger in diameter than Cat 5e and has a stiffer jacket, making cable installation more difficult.  It’s also more expensive, about 33% more expensive than Cat 5e.

But do you really need 10Gbps at the edge device?  Probably not for most applications.  Even current high resolution cameras would not be able to fully utilize a 10Gbps network, never mind that the server hardware on the other end processing a couple dozen full rate video streams would be overwhelmed.  Currently, high resolution 3 megapixel (MP) cameras are widely available on the commercial market.  At 30 frames per second (fps) and at full resolution, it would consume a maximum data rate of 15,000 kilobits per second (Kbps), or 15 Mbps, and more likely it would consume considerably less.  In most security applications, resolution and data rates are throttled not because of bandwidth limitations as much as for storage limitations on the server.  Exceptions to that would be the gaming industry and congested high speed traffic areas such as toll booths.  But for most of our applications, we typically find 2MP cameras at 10fps a reasonable compromise that consumes less bandwidth (and disk space) while still providing adequate video information for surveillance, response, and investigation.

Common Camera Resolution and Bitrates

Resolution (MP) | Pixels | Frame Rate (fps) | Bitrate (Mbps)
1.0 | 1280 x 720 | 30 | 6
2.0 | 1920 x 1080 | 30 | 10
3.0 | 2048 x 1536 | 30 | 15

Even at full resolution and frame rate, you could theoretically put eighty-three (83) 3MP cameras (1250 Mbps/15 Mbps) on one 10GBase-T network cable. Of course in reality it would be considerably less, but you get the idea.

So where is 10Gbps Ethernet really needed?  For now, backbones.  Those connections from network switch to network switch that are relaying end device connectivity to other devices, clients, or servers.  Often these are fiber optic links, but more and more they are being made available as copper links and using Cat 6a.

So what do we recommend?  Given the additional cost and current technical capabilities of IP cameras, we typically recommend Cat 6a cabling as sufficient for all IP video cameras where the 100m distance limitation is held and special conditions that require fiber optic cable or special media converters don’t apply.  There are also some technical concerns on the terminations and number of cycles for insertion/reinsertion that can come into play due to the cable’s rigidity.  Cat 6a is readily available, inexpensive, offers much easier cable handling and termination than Cat 6A, and still offers 10Gbps data rates on shorter runs.

Still, if the objective is to “future proof” your installation, Cat 6a is among the latest and greatest and should ensure that even 100+ MP cameras of the future would be handled without re-cabling.

Posted in: Security Technology


The Impact of Closed Circuit Television

Almost 30 years ago when I was first entering the security industry, closed circuit television (CCTV) cameras weren’t terribly different from the cameras that were being used for movie and television production.  They were smaller, typically had less resolution and no audio, but the basic principles were the same.  Charge-Coupled Device (CCD) cameras were fairly new, and if you wanted low light performance, you were resigned to using tube cameras.  Yes, tubes.  As in vacuum tubes.  Tube cameras actually used a vacuum tube for the imager, and the tradeoff for low light sensitivity was a shorter life span, higher power requirements, and reduced reliability.  Later, Complementary metal–oxide–semiconductor (CMOS) cameras came into play and helped overcome some of the limitations of both tube and CCD technologies.

Vidicon Imaging Tube for Old Style CCTV Camera

Since then, digital Internet Protocol (IP) cameras have come into play.    These newer cameras offer increased light sensitivity, much higher resolution, and new enhancements like video analytics and flexible communications options.

While all of these advancements make for better security, the most important enhancements are the video analytics and IP communications.   These two technology advances increase the likelihood of detecting activity and being able to monitor and record that activity from almost any location.

For most small and medium sized businesses or municipalities, the thought of a comprehensive video management system seems not only unnecessary, but impractical from a monitoring and timely intervention standpoint.  “Video cameras don’t stop crimes, all they do is record it”, we often hear.  This is not necessarily true.  CCTV video serves three important roles in security:

  1. Deterrence – Sometimes just the sight of a video camera will deter criminal activity from ever happening in the first place. Because being watched means being held accountable, this is a strong argument for on-premises security cameras.  No, this doesn’t mean adding “dummy cameras” is a good idea.  In fact, installing dummy cameras can make matters worse in premises liability cases for incidents occurring on your property.
  2. Detection – Having all of the campus CCTV cameras monitored in a single location allows an operator to spot potential negative events while they are happening, or even before they happen. IP enabled cameras offer increased detection capability in two ways: first, they allow cameras to be placed anywhere within the corporate network infrastructure (or even further away via hybrid cabling or wireless networking), and second, they permit remote monitoring from anywhere there is network or internet access, including smart phones and tablets.  This allows for remote monitoring and recording at an off-site or contract monitoring facility, and also makes it possible to feed recorded or live events to first responders almost in real-time.  It also means that cameras can be located just about anywhere in your corporate footprint, including on-board vehicles.
  3. Assessment – Being able to discern what, where, and when something is happening on camera is critical to determining how to respond to a particular event, and also aids in evidentiary requirements for later prosecution. With the advent of video analytics, that can now be taken a step further with things like video motion detection, face detection, traffic movement, object removal, and facial recognition.  These tools increase the reliability of the observer (or recording device) in actually capturing useful video information for use in timely intervention or as evidence in prosecution.  For example, with the right software, imagine a disgruntled employee situation where the former employee’s photo is set up to trigger an alert if the video system “recognizes” his face when he tries to re-enter the campus.  The authorities can be notified and other emergency precautions can be taken much sooner than previously possible.

Each one of these roles is an important piece of the overall security strategy for a business or government entity, and when used with common sense security practices like Crime Prevention through Environmental Design (CPTED) and other industry best practices, CCTV video becomes a powerful tool to deter, detect, and defend persons and property in a timely and effective manner.

Posted in: CPTED, Premises Liability, Security Consulting, Security Technology


A Theory on the Yahoo Security Breach and Your Instant Messenger Service

In September of 2016, at least 500 million Yahoo accounts were affected in one of the largest data breaches in history.  My Yahoo account was one of them, although I only used it as a personal dump account for registering on non-essential websites.  Luckily I kept no personal or financial information in any of the emails there.

Most people, including the media, seem to be concerned with how this will affect the Verizon deal acquiring Yahoo.  Indeed, I’m certain Verizon is VERY concerned with it.  But that’s not the interesting thing.  The interesting thing is that Yahoo isn’t talking about HOW the data breach occurred, or if it’s connected with the prior data breach in August that stole 200 million accounts.  Or that the data breach seems to have occurred simultaneously with a rather hastily put together service migration of the well used Yahoo Instant Messenger (IM) platform.

More importantly and much less publicized, in August of this year Yahoo completely abandoned the venerable and well documented Yahoo Instant Messenger service, instead offering a dumbed down, less feature-rich service by the same name.  Most transitions of this scale and magnitude would take months or years for the migration, but this happened very quickly, leaving 3rd party vendors (Pidgin comes to mind) without much recourse for their offerings.  After August 5th, anyone that was still using the legacy Messenger app (or the API) was no longer able to log in or send messages.  You couldn’t even log in…

Yahoo IM is well known to have some security concerns, including the ability to “see” anonymously and remotely if someone is online using it, even in invisible mode.  It also had a very well liked and well used archival feature that recorded the entire text conversation for audit purposes.  Many brokers and traders used this platform to buy/sell products and put together deals very quickly.   They loved it.  But the new version does not support this feature (among others), and brokers have been forced to migrate to other platforms like ICE.

So what does all this tell us?  It tells me that there was likely a very serious security flaw in the Yahoo IM protocol, and that it likely had been exploited to gain access to millions of accounts without the users’ knowledge.   Any time a Fortune 500 company abruptly switches out a venerable product and substitutes it with a hastily deployed, inferior product, you can bet your hat that there was something significantly wrong with it.

Meanwhile, Yahoo is hush hush about it, not even mentioning the curious and spontaneous change to their IM platform that so many have relied upon for years.

Posted in: Security Technology


Facial Recognition for Access Control?

Several years ago, I worked on a project prototype for a major group of sea ports that had an interest in using the state’s driver’s license image database for facial recognition/verification of TWIC applicants and the eventual use for identity verification for critical card access points.  The main focus of the project was to ensure that the person applying for the TWIC card was indeed who they claimed to be, and not an imposter.  Neither the CCTV system nor the card access system had the built-in software to do this, much less do it together, so we had to write the interface and the software to manage it.  It worked, but not as well as we would have liked.  We used a GPL’d algorithm for the facial recognition, which while good, would have some false positives and false negatives from time to time.  Ultimately to me, it served as a proof of concept.  It did work, and could be made as a serviceable monitoring and investigation tool for security.  (Later we used that same GPL software to create a tool that would scrounge through the card access database and crop the cardholder photos to a uniform size.  THAT worked really well.)

Years later, as far as I know there is still not an off-the-shelf system that provides a true facial recognition monitoring capability for access control violations.  This seems like something very straightforward to do, as most companies or government branches have an actively maintained photo database of their cardholder personnel, and most often have video cameras monitoring locations where access control is used.

The biggest limitation we found was the quality of the CCTV images against the badge database photos.   Both were of rather poor quality, but if we used the software as just a pre-filtering tool for security operators, the margins of error were more tolerable.  The idea was to still have a security guard doing the verification, but not for every photo, just the ones the software couldn’t handle well.

Cardholder with back to camera.

Poor camera angle doesn’t allow for good facial recognition

With megapixel IP cameras replacing low resolution analog cameras, there is a better probability of having a photo with an acceptable number of unique data points to match against an image database with a high degree of confidence.  This means more data points to compare, and fewer false positives and negatives.  There are still other considerations such as angle of view, proper lensing, lighting, face concealment/alteration issues, and image database accuracy.  And you must satisfy most, if not all, of these considerations to have a usable image.  As shown here, even if you have good lighting and resolution, if you don’t have a good angle and lensing, you will not have a usable image for facial recognition of the cardholder.

Currently, there are about a dozen corporations worldwide that offer some type of facial recognition software.  Many of their larger customers are government agencies or the financial industry.  It is used in some border crossings, passport identification, and high profile monuments.  The FBI may be the most famous consumer of this technology, but it is not used in a widespread fashion as far as I know.  Naturally, this isn’t something that is widely advertised by these agencies.

Still, for a country as technically savvy as the USA supposedly is, I’ve often wondered why we don’t have facial recognition with a national database at all critical locations like border crossings, airports, bus stations, train stations, embassies, and hospitals.  I realize there’s a modest invasion of privacy, and nobody likes the thought of having “big brother” monitor your whereabouts, especially putting your name to your face in a specific location and time.  It’s kind of creepy.  But the other side of the coin is that if we maintain a central photographic database of active criminals and terrorists (which we do), then having feeds from certain cameras in certain high traffic locations might allow us to not only apprehend said criminals/terrorists in a timely manner, but even allow us to gain intelligence regarding their commuting patterns, associations, and personal habits.  This is beneficial information that can reduce crime and terrorism.

Keep in mind, the government already has a very large database of photos, probably including you, even if you don’t have a mug shot in the NCIC.  Facebook, Twitter, Instagram, and LinkedIn are all available repositories that most likely link your face with your name.  The FBI has said that by 2015, it plans to have 52 million photos in its NGI facial recognition database.  The FBI will include non-criminal information as well as criminal.  Where’d they get those?!  So, you may already be in the database, and maybe me too.  Obviously, some people will object to this idea, some even quite profusely.  But the genie is already out of the bottle.  Getting him stuffed back in is going to be difficult, if not impossible.

So the natural progression on this “big brother” concern just may be to license the database.  For a fee, allow vetted customers to have access to the database via an API to use this centralized database for government and limited private commercial purposes.  Want to know if your daughter or son is in the NGI database?  Maybe there’s a background check service company that can tell you.  But for financial institutions, or the port authority I mentioned in the beginning of this article, it would be a boon of intelligence data.  Not only would they have their own employees and contractors in their own database, they could also have access to a national database of “persons of interest” that could assist them in determining if a potential applicant is a criminal, or maybe even just a high risk.  That has the simultaneous possibility of reducing their own risks, and providing timely information to Homeland Security about a potential threat’s whereabouts and possible intentions.

Facial recognition of employees at work

Facial recognition in the workplace.

I think the future of this technology is already headed in this direction, and there may already be entities that are doing exactly what I’ve described, but I believe the technology will become more pervasive as some of the technological (and sociological) barriers are broken down.

Posted in: Access Control, Company News, Security Technology
