Playing Around with the PinPoint Survey Application using Amazon Data

We put together a quick demo of the PinPoint Survey Application using some public data scraped from the web for all the US Amazon sites.  The equipment names and photos are all generated, so don’t get too excited about thinking there are real Amazon security equipment details being posted on the web.

Some of the reporting features are turned off, but the overall objective was to show off the speed and utility of the site data and geospatial mapping capabilities for relating sites and equipment within those sites.

Using the application from a tablet, you can use the built-in GPS to map the device lat/lon data to the database, along with any photos, notes, and punch list information that might be relevant.  This is particularly useful for large external sites like ports, refineries, mines/quarries, or power generation/transmission facilities.

GIF Movie of PinPoint Survey Application using demonstration data for Amazon sites

PinPoint Survey Application Short Demo

Posted in: Access Control, Application Development, CPTED, Premises Liability, PSIM, Security Consulting, Security Technology, Vulnerability Analysis

Leave a Comment (0) →

NSA Releases Guidance on How to Protect Against Software Memory Safety Issues

C++ Code example of memory overrun.

When the NSA makes a post about software best practices to reduce hacking attempts, you know there’s a problem.  For the non-programmers, a memory safe programming language is one that has built-in features to reduce or eliminate the possibility of a poorly crafted program to be exploited (usually by malicious input) by causing a memory buffer overrun or similar failure that can corrupt data, run a malicious payload, or escalate privileges.  These problems have been around for years, and there are several programming languages that are common offenders (C and C++), but are ubiquitous and have long codebase history that makes it unattractive to rewrite.

Fortunately there are quite a few memory safe programming languages to choose from, such as C#, Go, Java, Ruby, Rust, and Swift.  Of course it’s not enough to just change programming languages, good security coding practices, hardening tools, safe compiler options, and thorough testing should also be used as well.

For the NSA full article, click here:  https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/3215760/nsa-releases-guidance-on-how-to-protect-against-software-memory-safety-issues/

Posted in: Company News

Leave a Comment (0) →

HID Signo Reader Shortage

As most people in the security industry know by now, Motorola HID has been having supply chain issues for months now for readers.  As a temporary solution, they are offering a new product line, “Signo Priority” readers, which lack the 125Khz Proximity function.

Signo Priority Features
 
– Same lifetime warranty as the traditional Signo readers
– Current lead time is 7 days (Sept 2022)
– Configured by profiles: Standard, Smart, Seos and Custom
– IP65 certified
– Automatic self-calibration when nearby metal surfaces are detected
– Factory equipped with Bluetooth (BLE Smarts) and NFC
 
Differences from traditional Signo Readers
 
– Lead time > 180 days (Sept 2022)
– Signo Priority will not read 125 Khz Proximity
 
If 125Khz reading is not needed, only 13.56 Mhz,  please consider the Signo Priority Reader X0NKS-T0-000000 as a substitute for the Signo Traditional X0NKS-00-000000 readers.

 

 

Posted in: Company News

Leave a Comment (0) →

Leaked Database of over 1 billion Chinese Civilians for Sale

The Shanghai National Police (SHGA) database of over 1 billion Chinese citizens is apparently up for sale for 10 Bitcoin (~USD $200,000 ).   This represents terabytes of personal data including full name, address, birthplace, age, birth year, nationality, photo information, national ID number, mobile number, and any committed crimes and case details for the individuals.   (Source link has been obscured, sorry.)

Included in the for sale ad were samples of the data to verify authenticity.  The alleged leak was apparently from a contract software developer that had errantly posted the database login credentials to a project blog some months earlier. 

The leak has been verified by several people and posted online, but Western media has not really picked up on the impact of such an event.  If legitimate, it represents the largest data leak ever reported.


Oddly enough, there doesn’t seem to be anything called the “Shanghai National Police”, only the “Shanghai Municipal Police” returns any search results as a legitimate entity in major search engines.  Still, regardless if this is a translation error or some other mis-identification, the validity of the data appears to be proven.  We attempted to connect to the sample link provided through a VM and VPN and were able to download the 110mb compressed gzip sample file and view the sample files.  When uncompressed, the files were several hundred megabytes each in JSON format in English language and Chinese characters (multi-byte format), consisting of personal information, police record case data files, and an address merge with cell phone data.   Here’s an example of the personal detail record file:

 

The police case record data appears to be of the most concern,  with the actual data content consisting of detailed police reports of the charged offense, including the date/time and specific location of the criminal events.  Deciphering the information is difficult for most westerners since most of the text is in traditional Chinese, but it would be trivial to use automated translating to get the gist of the content when inserting into a database.

With the horse already having left the barn, there doesn’t appear much that the Chinese government can do to mitigate this leak.  Addresses and phone numbers can of course be changed by the individuals, but having these records open to the public (particularly the police reports) is a massive blow to individual privacy (such that it is in PRC), and will likely cause problems for millions of people for years.

 

 

 

 

Posted in: Company News

Leave a Comment (0) →

SP-FA/LV Exam Prep Class (Zoom) on May 11, 2022, 8:00 AM – 5:00 PM

“Preparing for the North Carolina SP-FA/LV Electrical Examination”

NCBEEC Approved CE Course #CEC.03912
Course Instructor: Kile Unterzuber
NC License #10173-SP-FA/LV

Don’t miss this opportunity to prepare yourself for this critical exam!  The virtual class format save you time and money.  Register now at https://nationaltrainingcenter.com/event/nc-sp-fa-lv/.  For more information download our SP-FA/LV Exam class description and FAQ PDF files!

Course Description: This course reviews subject areas of the National Electrical Code (NFPA 70-2020) applicable to the North Carolina SP-FA/LV (Special Fire Alarm/Low-Voltage) license classification examination, as well as the administrative requirements of the NCBEEC and the use of the National Fire Alarm and Signaling Code (NFPA 72-2013). The course emphasizes Code requirements that may not be familiar to the typical installer of low-voltage and power-limited circuits for security and fire alarm systems, but that are important for successfully taking the qualifying examination. These topic areas include:
• Review of basic requirements of Title 21 NCAC 18B;
• General requirements for all electrical work;
• Grounding and bonding for power-limited and associated branch circuits;
• Calculating conductor ampacity;
• Calculating box fill;
• Identifying conductors for specific applications;
• Identifying and providing overcurrent protection for power-limited circuits; and
• Calculating resistance in simple circuits; and
• Requirements of National Fire Alarm and Signaling Code (NFPA 72-2013)

 

Posted in: Company News

Leave a Comment (0) →

Another installment of (in)secure Cloud storage

Chinchero Airport, Peru | EJAtlas

We know we sound like a broken record when we tell our clients “If you don’t own your server, you don’t own your data. Don’t put anything in the cloud you don’t want potentially exposed to the public.”, but time after time we show examples of why we keep repeating this mantra.

What Happened:

A major data leak by Securitas that affected several Latin American airports and other related companies was discovered by a cybersecurity firm called SafetyDetectives. In late January a team discovered that an Amazon S3 bucket had been left unsecured and exposed to public access, and contained over 1 million files relating to airport and security personnel.

Securitas, a large, well known multinational security company that has been in business for almost a century, has not made any public statements around the incident as of this posting. This isn’t the first time Securitas has had cybersecurity issues. In 2017 the Securitas CEO Alf Göransson had his personal identification stolen at the end of March, when someone applied for a loan in his name. The Stockholm District Court then declared Göransson bankrupt without informing the CEO prior to its decision.

The Breach (From SafetyDetectives briefing):

Securitas left its Amazon S3 bucket open and accessible, without any authentication procedures in place. The misconfigured bucket has therefore exposed almost 1.5 million files, equating to about 3TB of data.

The bucket’s exposed information included employee Personally Identifying Information and sensitive company data of at least four airports in Colombia and Peru: El Dorado International Airport (Bogota D.C, COL), Alfonso Bonilla Aragón International Airport (Valle del Cauca, COL), José María Córdova International Airport (Antioquia, COL), and Aeropuerto Internacional Jorge Chávez (Lima, PE). As mentioned, unobserved files may have exposed other airports and places throughout Colombia, the rest of Latin America, or even the rest of the world.

They observed two main datasets containing the information of Securitas employees and airport employees: photos of ID cards and other unmarked photos.

Photos of ID cards featured on the bucket. There were an estimated 1 million files of this type on the Securitas misconfigured bucket. These files revealed the personal information of employees at the four aforementioned airports that are using Securitas’ services.

Photos of ID cards reveal several forms of employee Personally Identifying Information, including:

  • Full names, incl. first names and surnames
  • Photos of employees
  • Occupations
  • National ID Number

What Was Leaked?

Other unmarked photos featured among the bucket’s content too. There were about 300,000 files of this type. These photos leaked the data of airports, airport employees, and associated companies.

Specifically, these files exposed employees’ personal data, sensitive client data (airports), and the sensitive data of associated companies, such as airlines. Exposed data includes:

  • Photos of employees
  • Photos of planes
  • Photos of fueling lines
  • Photos of luggage being loaded/unloaded

What Was Leaked?

 In addition to the information mentioned above, the two primary datasets analyzed on the bucket (photos of ID cards and other unmarked photos) contained Exchangeable Image File Format (EXIF) data that exposed specific information related to each photo.   Exposed EXIF data includes:

  • Device models (of the cameras used)
  • GPS locations of photos, incl. coordinates and GPS maps
  • Time & date of photos

What Was Leaked?

What it Means to Us

It may be some time before there is any assessment of the extent of damage the data breach, but this obviously serves as an example of how careless data management can cause serious security implications for your firm or those of your clients.   In evaluating software application strategies for our clients, we always ask these simple questions:

  1. What is the criticality if this information if it is leaked to the public?
  2. Can the solution be self-hosted on the Client’s own private network?
  3. Does it really NEED to be a cloud application?
  4. If so, how can we mitigate the potential damage if there is a breach?

Additional measures like a Type I or Type II SOC report are helpful, but likely wouldn’t have prevented the Securitas data breach discussed above.  Regular and ongoing security audits, along with well defined and enforced data management and security policies and procedures are the only real defense against these kinds of mishaps.

This won’t be the last time we see this either, as the Cloud becomes more and more integrated into corporate IT strategies, it will happen again, and again, and again.

 

 

 

Posted in: Security Consulting, Security Technology

Leave a Comment (0) →

More Cloud Woes for Security

Once again a cloud solution has been hacked, this time Verkada, a fairly new entry into the security arena.  Verkada offers a turnkey solution using proprietary hardware and hosted video management solutions for a monthly fee.  They aren’t unique to the industry, but they are the most recent to be hacked and be spotlighted in the news.

The key takeaway from the Bloomberg article is something we’ve been telling our clients for a while:  Cloud and SaaS solutions typically have a “super-admin” or overall management account access that lets the provider “see” all of their customer’s account and account information.  This varies of course depending upon the service provider and the service type, but in general if you don’t own the server, someone else does and has to manage and support the data coming into it and on it.

Madison County Jail seen through a Verkada camera.

“A group of hackers say they breached a massive trove of security-camera data collected by Silicon Valley startup Verkada Inc., gaining access to live feeds of 150,000 surveillance cameras inside hospitals, companies, police departments, prisons and schools.”

We strongly urge to our clients that sensitive data and physical controls should be hosted on premise, and don’t belong in the cloud.   This could be devastating for Verkada and other cloud based solutions that are dedicated 100% to SAAS (software as a service) solutions.   You can read the full article from Bloomberg here:

https://www.bloomberg.com/news/articles/2021-03-09/hackers-expose-tesla-jails-in-breach-of-150-000-security-cams?srnd=premium

 

Posted in: Company News

Leave a Comment (0) →

SolarWinds Hacked – Or “Another Example of Why Putting Security in the Cloud Might Not Be Safe”

The supply chain giant SolarWinds, used by every major branch of the government, all military branches, and almost all of the Fortune 500 companies, has been hacked by a Russian hacking group that gained access to sensitive emails, APIs, and SSO tokens and user accounts since as far back as March of 2020.   See a summary from Krebs here: https://krebsonsecurity.com/2020/12/u-s-treasury-commerce-depts-hacked-through-solarwinds-compromise/

This is a classic example of why outsourcing  your security and sensitive operations isn’t always a good idea. 

One of the most frequent discussions we have with our clients is why we are generally opposed to putting security operations “in the cloud”.  After all, it’s offered by just about every IT supplier, and the security software vendors are all jumping on board as well.  Sure they are, because it’s a great recurring revenue source for them, as opposed to buying a traditional perpetual software license that you install on your premises computer(s).

To be sure, there are obviously Cloud deployments that can be done safely and securely; then again, that’s probably what SolarWinds thought too.  Security, and especially Cyber Security, is a never ending game of cat-and-mouse, with the mousetrap always getting better and the mouse always getting smarter.  

We will see this again, whether it’s another twitter hack where celebrities posting for bitcoin submissions (https://www.pandasecurity.com/en/mediacenter/mobile-news/twitter-celebrities-hacked) or maybe a service provider like Workday or Okta getting hacked and exposing sensitive client data to be sold on the darkweb or nation states for further exploitation. 

For certain clients or situations, using cloud based security application makes sense, but in general we advise against using the cloud for access control and video surveillance for sensitive locations or enterprise applications.

Caveat Emptor.

Posted in: Company News

Leave a Comment (0) →

Securing Ubuntu Linux with ufw and tcpwrapper

Nerd Title:  Security Ubuntu Server with tcpwrappers and ufw.

We don’t write many cybersecurity related articles because there are plenty of other people out there also doing it, and well… we can’t be experts at everything. 

Still, once in a while we come up with a problem that has a solution so clean and elegant that we have to share it.  This article will quickly explain how to setup tcpwrappers and a firewall to automatically ban users attempting to connect from unauthorized IP addresses.   The process is simple, every modern linux distribution comes with a firewall of some kind, Ubuntu currently uses ufw.  It also supports a package called ‘tcpd’, or tcpwrappers. The solution we used was to install a base ufw rule limiting only ports for SSH, HTTP, and HTTPS traffic and block everything else.  It looks something like this:

root@acme.com:/root/# ufw status
Status: active

To Action From
-- ------ ----
22/tcp LIMIT Anywhere
443/tcp ALLOW Anywhere
80/tcp ALLOW Anywhere
22/tcp (v6) LIMIT Anywhere (v6)
443/tcp (v6) ALLOW Anywhere (v6)
80/tcp (v6) ALLOW Anywhere (v6)

This is a common configuration, but the downside is that everybody can knock on your door and attempt to login.  You can limit how much/how fast, but basically it’s open to the public.  This is where tcpwrappers comes in. You can search the internet about tcpwrappers, there are many online explanations and guides about it. Tcpwrappers has been around a long time, and they never changed the goofy name, but essentially it works by checking two files: /etc/hosts.allow and /etc/hosts.deny to see if you’re a good guy or a bad guy, and what to do with you.  This is where the fun comes in. (Note, you’ll need root permissions to do this.)

First you have to install tcpwrappers – “sudo apt install tcpd”

Then edit the /etc/hosts.allow file and add the services you would use, something like this (change your own hostnames or IP addresses you want to allow in):

ALL: 127.0.0.1
smtps: ALL
imaps: ALL
ALL: 43.79.214.93                 # Work Server
ALL: 71.60.242.15                 # Home
ALL: rockhouse.mynetgear.com      # Home
ALL: 172.210.145.232              # Testing Cloud Server

The IP addresses or hostnames with ALL: in front are allowed into the server for whatever port or service they connect to, as long as the firewall rule allows it. This is your “whitelist” of good guys to let in the door.  The big difference here is that unlike firewall rules, tcpwrappers allows for hostnames, so if you have a dynamic IP address using a hostname (like dyndns.org), you don’t  have to update the firewall rules each time.  Need to add a new remote host that should be allowed to access ssh? Add it here.

Next, edit the /etc/hosts.deny file and add the following string (it should all be on one line):

ALL: ALL: spawn ((/usr/local/bin/banip.sh %h; /bin/echo -ne "client = %h; server = %H; process = %d; PID = %p date = "; /bin/date) >> /var/log/tcpwrappers.log &)

This single line blocks everybody from everything that isn’t in the whitelist above.  Notice also here tcpwrappers calls a shell script called /usr/local/bin/banip.sh.  This script calls “ufw” to write a firewall rule to ban the remote attacker forever.  You can put this wherever you want, but the script should look something like this:

#!/bin/bash
#This script attempts to ban ip addresses using Ubunutu's UFW
#
if [ `whoami` != "root" ]; then
echo "you must be root to run $ME"
fi
if [ "$1" = "" ];
then
echo -n "Enter the IP Address: "
read IP
echo -n "You entered $IP, correct? (Y/N) "
read ans
if [ "$ans" = "y" -o "$ans" = "Y" ]; then
echo "Blocking $IP"
ufw insert 1 deny from $IP port 22
exit
else
echo "Ok, quitting."
fi
else
echo "Blocking $1"
ufw insert 1 deny from $1 port 22
fi

This is a very simple script that takes an IP address and tries to ban it on port 22 for access using ufw.  If you run it manually without any arguments it will ask you for an IP address to ban.

This script will also create a logfile in /var/log/tcpwrappers.log that you can see where people have tried to gain access to your server and been shut out. 

Blocking 106.75.251.140
Skipping adding existing rule
client = 106.75.251.140; server = 45.33.101.254; process = sshd; PID = 78110 date = Fri 13 Nov 2020 04:54:48 AM UTC
Blocking 84-255-249-179.static.t-2.net
client = 84-255-249-179.static.t-2.net; server = 45.33.101.254; process = sshd; PID = 78153 date = Fri 13 Nov 2020 04:55:19 AM UTC
Blocking ns3268691.ip-5-39-81.eu
client = ns3268691.ip-5-39-81.eu; server = 45.33.101.254; process = sshd; PID = 78167 date = Fri 13 Nov 2020 04:55:36 AM UTC
Blocking 118.24.48.15

You can also see a list of banned IP addresses by typing “ufw status”.  If you’ve accidentally banned an IP you didn’t mean to, then you can unban it by using “ufw delete rule#”, where rule# is the actual line from “ufw status numbered” that you want to unban.  Note that this list can get rather long, as there are people with nothing better to do than write scripts to try to break into whatever servers they can find.  In the short time I wrote up this article, I had 32 attempts on my demo server alone.  If you need to reset, you can just type “ufw reset”, but that resets everything back to factory defaults.  You can use a quick script to do this also:

sudo ufw --force disable \
&& sudo ufw --force reset \
&& sudo ufw default deny incoming \
&& sudo ufw default allow outgoing \
&& sudo ufw allow 22/tcp \
&& sudo ufw limit ssh \
&& sudo ufw allow 80/tcp \
&& sudo ufw allow 443/tcp \
&& sudo ufw --force enable

This has been a very fundamental explanation of how to easily allow remote access while also keeping the bad guys out at the same time, using a blend of the old  (tcpwrappers was written in the 1990’s) and the new.

Posted in: Company News

Leave a Comment (0) →

Coronavirus COVID-19 Disinfection on the Cheap

Coronavirus (COVID-19) has gathered significant attention worldwide because of how dangerous the virus is, how easily it spreads, and how difficult it is to detect.   So most people, whether government, professional, or civilian, are looking for an easy way to protect themselves and others as best they can.   Things like facial and toilet tissue, surgical masks, and hand sanitizers are selling out in stores and online.   As the number of cases in the US increase, so will the panic.  

But the military has dealt with this kind of thing for a long time, and the number one thing they rely upon for disinfecting is good old fashioned Sodium or Calcium Hypochlorite, also known as “bleach”.   There are many kinds of bleach, but Sodium Hypochlorite is typically referred to “Clorox” bleach. Both Sodium and Calcium Hypochlorite are widely available, but we prefer Calcium Hypochlorite because it typically contains more available chlorine per volume than Sodium Hypochlorite.  Bleach is a generic term which describes a chemical with the inherent properties of removing color, whitening, and disinfecting.   It does this by oxidation, which with “Clorox” is by a chemical reaction which causes the proteins in germs to lose their cellular structure, thus destroying them.

“So what?”  Everybody knows that bleach kills germs.   Yes, but did you know that even a small concentration of bleach kills germs?  You don’t need to dump a gallon of Clorox on everything to kill germs.   You can dilute it down to as little as .5% and still effectively kill germs on contact.  You can even dilute down to .05% and still be effective, but the exposure time becomes much longer.   So what do we (“not-healthcare professionals”) suggest for every day people to use this solution?  

Something as simple as a mini-spray bottle (think travel size pump hair spray bottle) with a .5% solution of Calcium Hypochlorite in water will be easily portable and moderately effective for most uses.   The dilution ratio doesn’t have to be exact, but it should be close.  If it’s a little higher that’s okay, but don’t go crazy.  The concentration will determine HOW LONG you must maintain contact with the solution, so start with a known concentration and then blend down.  Bleach is a reactive chemical, and deteriorates over time in higher concentrations, so choose a product that is individually sealed and use as needed.  The lower concentration of .5% should last for months in a sealed container.  For our mixture, we liked something like this pool product from Amazon.com.  It is 68% concentration in powder form in 1lb packs.  To make a 55 gallon drum of .5% solution, mix approximately 3 1/4 lbs of powder to 55 gallons of water.   Or for each gallon, add ~1 oz of Calcium Hypochlorate and mix thoroughly.    Remember that because it’s a solid powder it won’t mix easily in water, so if possible use warm water to help it dissolve more quickly and thoroughly.

So, fill the spray pump bottles and toss them in your pocket, your office drawer, your glove box, or backpack.  Spray on anything you want to touch, or on your hands after you’ve touched something you shouldn’t have.  Rub in thoroughly.  The .5% concentration shouldn’t discolor most fabrics or materials, but will definitely have a slight chlorine odor to it.  You can add scents to the mixture if desired to make it more tolerable for those sensitive to chloramine smells, but don’t add so much that it dilutes the solution to be ineffective.   

For more information see the US Army Public Health Command bulletin on Preparing and Measuring High Chlorine Concentration Solutions for Disinfection:  TIP_No_13-034-1114_Prepare_Measure_High_Chlorine_Solutions

Posted in: Company News

Leave a Comment (0) →
Page 2 of 5 12345