Archive for Company News

Lockset Functions

This article was taken from another website and modified to add some additional details. I was looking online for some simple definitions of lockset types and found this page by The Flying Locksmiths. I have no connection to this business and they don’t even know who I am, but I liked the information so much I decided to post it here with a credit to them for the good work.

Here is some common industry knowledge and terminology to help make you a more informed consumer:

(There are other functions outside these five, but they are far less common and only needed in special circumstances.)

1. Entry Lockset Function. This is the most common type of lock and chances are, you probably have them on your home or office now. An entry function lockset will have a small button or rotating lever on the inside of the knob/lever handle, allowing you to manually lock the door  when you choose. Most types will allow you to push the button in or push it in and turn the button, causing the lock to remain locked, even after a key is inserted and used. You will most commonly find them on residential homes, on front and back doors.  Deadbolt locks very common in homes and  are auxiliary type locks that have a bolt that extends into the strike plate and supporting door jamb, activated by rotating lever knob or a key.  Sometimes the key operation is on both sides of the lock. 

2. Storeroom Lockset Function. This particular lock, is always locked and requires a key to be used each time you want to enter. There is no button on the inside and does not come with an option to leave the door open. It’s perfect for commercial uses, on a supply closet, because it will ensure that the door is locked, as long as it’s closed. You don’t want anyone stealing those pens and papers!

3. Classroom Lockset Function. Classroom function is used for exactly what you would think, a classroom! Much like to the storeroom function lockset, this lock does not have a button on the inside. However, it DOES have the ability to be left unlock, but ONLY with a key. A full turn will lock or unlock the knob/lever, allowing only the person with the correct key to leave the door open. It’s a great lock for anyone who doesn’t want to leave a door open, unless they authorize it to be.

4. Privacy Lockset Function. This lockset is used primarily in bathrooms and/or bedrooms, intended for the purpose its name suggests; privacy. They will most often have a small hole on the outside, and a push button on the inside. The small hole on the outside can be opened with any kind of pin or paperclip, simply by pushing it in. They are not designed to be used as a main locking device, but just a means to keep someone from walking in when you are using the bathroom or getting dressed in a bedroom.

5. Passage Lockset Function. This is hardly a “real” lock at all! This knob lever doesn’t actually lock, it just keeps the door latched to the frame, so they don’t blow around in the wind. You will commonly find them on closets in a home or doors that just don’t need to be locked in general. Some people will also use them on bedrooms, so you can close the door, but not lock it.

 

Posted in: Access Control, Company News

Leave a Comment (0) →

NSA Releases Guidance on How to Protect Against Software Memory Safety Issues

C++ Code example of memory overrun.

When the NSA makes a post about software best practices to reduce hacking attempts, you know there’s a problem.  For the non-programmers, a memory safe programming language is one that has built-in features to reduce or eliminate the possibility of a poorly crafted program to be exploited (usually by malicious input) by causing a memory buffer overrun or similar failure that can corrupt data, run a malicious payload, or escalate privileges.  These problems have been around for years, and there are several programming languages that are common offenders (C and C++), but are ubiquitous and have long codebase history that makes it unattractive to rewrite.

Fortunately there are quite a few memory safe programming languages to choose from, such as C#, Go, Java, Ruby, Rust, and Swift.  Of course it’s not enough to just change programming languages, good security coding practices, hardening tools, safe compiler options, and thorough testing should also be used as well.

For the NSA full article, click here:  https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/3215760/nsa-releases-guidance-on-how-to-protect-against-software-memory-safety-issues/

Posted in: Company News

Leave a Comment (0) →

HID Signo Reader Shortage

As most people in the security industry know by now, Motorola HID has been having supply chain issues for months now for readers.  As a temporary solution, they are offering a new product line, “Signo Priority” readers, which lack the 125Khz Proximity function.

Signo Priority Features
 
– Same lifetime warranty as the traditional Signo readers
– Current lead time is 7 days (Sept 2022)
– Configured by profiles: Standard, Smart, Seos and Custom
– IP65 certified
– Automatic self-calibration when nearby metal surfaces are detected
– Factory equipped with Bluetooth (BLE Smarts) and NFC
 
Differences from traditional Signo Readers
 
– Lead time > 180 days (Sept 2022)
– Signo Priority will not read 125 Khz Proximity
 
If 125Khz reading is not needed, only 13.56 Mhz,  please consider the Signo Priority Reader X0NKS-T0-000000 as a substitute for the Signo Traditional X0NKS-00-000000 readers.

 

 

Posted in: Company News

Leave a Comment (0) →

Leaked Database of over 1 billion Chinese Civilians for Sale

The Shanghai National Police (SHGA) database of over 1 billion Chinese citizens is apparently up for sale for 10 Bitcoin (~USD $200,000 ).   This represents terabytes of personal data including full name, address, birthplace, age, birth year, nationality, photo information, national ID number, mobile number, and any committed crimes and case details for the individuals.   (Source link has been obscured, sorry.)

Included in the for sale ad were samples of the data to verify authenticity.  The alleged leak was apparently from a contract software developer that had errantly posted the database login credentials to a project blog some months earlier. 

The leak has been verified by several people and posted online, but Western media has not really picked up on the impact of such an event.  If legitimate, it represents the largest data leak ever reported.


Oddly enough, there doesn’t seem to be anything called the “Shanghai National Police”, only the “Shanghai Municipal Police” returns any search results as a legitimate entity in major search engines.  Still, regardless if this is a translation error or some other mis-identification, the validity of the data appears to be proven.  We attempted to connect to the sample link provided through a VM and VPN and were able to download the 110mb compressed gzip sample file and view the sample files.  When uncompressed, the files were several hundred megabytes each in JSON format in English language and Chinese characters (multi-byte format), consisting of personal information, police record case data files, and an address merge with cell phone data.   Here’s an example of the personal detail record file:

 

The police case record data appears to be of the most concern,  with the actual data content consisting of detailed police reports of the charged offense, including the date/time and specific location of the criminal events.  Deciphering the information is difficult for most westerners since most of the text is in traditional Chinese, but it would be trivial to use automated translating to get the gist of the content when inserting into a database.

With the horse already having left the barn, there doesn’t appear much that the Chinese government can do to mitigate this leak.  Addresses and phone numbers can of course be changed by the individuals, but having these records open to the public (particularly the police reports) is a massive blow to individual privacy (such that it is in PRC), and will likely cause problems for millions of people for years.

 

 

 

 

Posted in: Company News

Leave a Comment (0) →

SP-FA/LV Exam Prep Class (Zoom) on May 11, 2022, 8:00 AM – 5:00 PM

“Preparing for the North Carolina SP-FA/LV Electrical Examination”

NCBEEC Approved CE Course #CEC.03912
Course Instructor: Kile Unterzuber
NC License #10173-SP-FA/LV

Don’t miss this opportunity to prepare yourself for this critical exam!  The virtual class format save you time and money.  Register now at https://nationaltrainingcenter.com/event/nc-sp-fa-lv/.  For more information download our SP-FA/LV Exam class description and FAQ PDF files!

Course Description: This course reviews subject areas of the National Electrical Code (NFPA 70-2020) applicable to the North Carolina SP-FA/LV (Special Fire Alarm/Low-Voltage) license classification examination, as well as the administrative requirements of the NCBEEC and the use of the National Fire Alarm and Signaling Code (NFPA 72-2013). The course emphasizes Code requirements that may not be familiar to the typical installer of low-voltage and power-limited circuits for security and fire alarm systems, but that are important for successfully taking the qualifying examination. These topic areas include:
• Review of basic requirements of Title 21 NCAC 18B;
• General requirements for all electrical work;
• Grounding and bonding for power-limited and associated branch circuits;
• Calculating conductor ampacity;
• Calculating box fill;
• Identifying conductors for specific applications;
• Identifying and providing overcurrent protection for power-limited circuits; and
• Calculating resistance in simple circuits; and
• Requirements of National Fire Alarm and Signaling Code (NFPA 72-2013)

 

Posted in: Company News

Leave a Comment (0) →

More Cloud Woes for Security

Once again a cloud solution has been hacked, this time Verkada, a fairly new entry into the security arena.  Verkada offers a turnkey solution using proprietary hardware and hosted video management solutions for a monthly fee.  They aren’t unique to the industry, but they are the most recent to be hacked and be spotlighted in the news.

The key takeaway from the Bloomberg article is something we’ve been telling our clients for a while:  Cloud and SaaS solutions typically have a “super-admin” or overall management account access that lets the provider “see” all of their customer’s account and account information.  This varies of course depending upon the service provider and the service type, but in general if you don’t own the server, someone else does and has to manage and support the data coming into it and on it.

Madison County Jail seen through a Verkada camera.

“A group of hackers say they breached a massive trove of security-camera data collected by Silicon Valley startup Verkada Inc., gaining access to live feeds of 150,000 surveillance cameras inside hospitals, companies, police departments, prisons and schools.”

We strongly urge to our clients that sensitive data and physical controls should be hosted on premise, and don’t belong in the cloud.   This could be devastating for Verkada and other cloud based solutions that are dedicated 100% to SAAS (software as a service) solutions.   You can read the full article from Bloomberg here:

https://www.bloomberg.com/news/articles/2021-03-09/hackers-expose-tesla-jails-in-breach-of-150-000-security-cams?srnd=premium

 

Posted in: Company News

Leave a Comment (0) →

SolarWinds Hacked – Or “Another Example of Why Putting Security in the Cloud Might Not Be Safe”

The supply chain giant SolarWinds, used by every major branch of the government, all military branches, and almost all of the Fortune 500 companies, has been hacked by a Russian hacking group that gained access to sensitive emails, APIs, and SSO tokens and user accounts since as far back as March of 2020.   See a summary from Krebs here: https://krebsonsecurity.com/2020/12/u-s-treasury-commerce-depts-hacked-through-solarwinds-compromise/

This is a classic example of why outsourcing  your security and sensitive operations isn’t always a good idea. 

One of the most frequent discussions we have with our clients is why we are generally opposed to putting security operations “in the cloud”.  After all, it’s offered by just about every IT supplier, and the security software vendors are all jumping on board as well.  Sure they are, because it’s a great recurring revenue source for them, as opposed to buying a traditional perpetual software license that you install on your premises computer(s).

To be sure, there are obviously Cloud deployments that can be done safely and securely; then again, that’s probably what SolarWinds thought too.  Security, and especially Cyber Security, is a never ending game of cat-and-mouse, with the mousetrap always getting better and the mouse always getting smarter.  

We will see this again, whether it’s another twitter hack where celebrities posting for bitcoin submissions (https://www.pandasecurity.com/en/mediacenter/mobile-news/twitter-celebrities-hacked) or maybe a service provider like Workday or Okta getting hacked and exposing sensitive client data to be sold on the darkweb or nation states for further exploitation. 

For certain clients or situations, using cloud based security application makes sense, but in general we advise against using the cloud for access control and video surveillance for sensitive locations or enterprise applications.

Caveat Emptor.

Posted in: Company News

Leave a Comment (0) →

Securing Ubuntu Linux with ufw and tcpwrapper

Nerd Title:  Security Ubuntu Server with tcpwrappers and ufw.

We don’t write many cybersecurity related articles because there are plenty of other people out there also doing it, and well… we can’t be experts at everything. 

Still, once in a while we come up with a problem that has a solution so clean and elegant that we have to share it.  This article will quickly explain how to setup tcpwrappers and a firewall to automatically ban users attempting to connect from unauthorized IP addresses.   The process is simple, every modern linux distribution comes with a firewall of some kind, Ubuntu currently uses ufw.  It also supports a package called ‘tcpd’, or tcpwrappers. The solution we used was to install a base ufw rule limiting only ports for SSH, HTTP, and HTTPS traffic and block everything else.  It looks something like this:

root@acme.com:/root/# ufw status
Status: active

To Action From
-- ------ ----
22/tcp LIMIT Anywhere
443/tcp ALLOW Anywhere
80/tcp ALLOW Anywhere
22/tcp (v6) LIMIT Anywhere (v6)
443/tcp (v6) ALLOW Anywhere (v6)
80/tcp (v6) ALLOW Anywhere (v6)

This is a common configuration, but the downside is that everybody can knock on your door and attempt to login.  You can limit how much/how fast, but basically it’s open to the public.  This is where tcpwrappers comes in. You can search the internet about tcpwrappers, there are many online explanations and guides about it. Tcpwrappers has been around a long time, and they never changed the goofy name, but essentially it works by checking two files: /etc/hosts.allow and /etc/hosts.deny to see if you’re a good guy or a bad guy, and what to do with you.  This is where the fun comes in. (Note, you’ll need root permissions to do this.)

First you have to install tcpwrappers – “sudo apt install tcpd”

Then edit the /etc/hosts.allow file and add the services you would use, something like this (change your own hostnames or IP addresses you want to allow in):

ALL: 127.0.0.1
smtps: ALL
imaps: ALL
ALL: 43.79.214.93                 # Work Server
ALL: 71.60.242.15                 # Home
ALL: rockhouse.mynetgear.com      # Home
ALL: 172.210.145.232              # Testing Cloud Server

The IP addresses or hostnames with ALL: in front are allowed into the server for whatever port or service they connect to, as long as the firewall rule allows it. This is your “whitelist” of good guys to let in the door.  The big difference here is that unlike firewall rules, tcpwrappers allows for hostnames, so if you have a dynamic IP address using a hostname (like dyndns.org), you don’t  have to update the firewall rules each time.  Need to add a new remote host that should be allowed to access ssh? Add it here.

Next, edit the /etc/hosts.deny file and add the following string (it should all be on one line):

ALL: ALL: spawn ((/usr/local/bin/banip.sh %h; /bin/echo -ne "client = %h; server = %H; process = %d; PID = %p date = "; /bin/date) >> /var/log/tcpwrappers.log &)

This single line blocks everybody from everything that isn’t in the whitelist above.  Notice also here tcpwrappers calls a shell script called /usr/local/bin/banip.sh.  This script calls “ufw” to write a firewall rule to ban the remote attacker forever.  You can put this wherever you want, but the script should look something like this:

#!/bin/bash
#This script attempts to ban ip addresses using Ubunutu's UFW
#
if [ `whoami` != "root" ]; then
echo "you must be root to run $ME"
fi
if [ "$1" = "" ];
then
echo -n "Enter the IP Address: "
read IP
echo -n "You entered $IP, correct? (Y/N) "
read ans
if [ "$ans" = "y" -o "$ans" = "Y" ]; then
echo "Blocking $IP"
ufw insert 1 deny from $IP port 22
exit
else
echo "Ok, quitting."
fi
else
echo "Blocking $1"
ufw insert 1 deny from $1 port 22
fi

This is a very simple script that takes an IP address and tries to ban it on port 22 for access using ufw.  If you run it manually without any arguments it will ask you for an IP address to ban.

This script will also create a logfile in /var/log/tcpwrappers.log that you can see where people have tried to gain access to your server and been shut out. 

Blocking 106.75.251.140
Skipping adding existing rule
client = 106.75.251.140; server = 45.33.101.254; process = sshd; PID = 78110 date = Fri 13 Nov 2020 04:54:48 AM UTC
Blocking 84-255-249-179.static.t-2.net
client = 84-255-249-179.static.t-2.net; server = 45.33.101.254; process = sshd; PID = 78153 date = Fri 13 Nov 2020 04:55:19 AM UTC
Blocking ns3268691.ip-5-39-81.eu
client = ns3268691.ip-5-39-81.eu; server = 45.33.101.254; process = sshd; PID = 78167 date = Fri 13 Nov 2020 04:55:36 AM UTC
Blocking 118.24.48.15

You can also see a list of banned IP addresses by typing “ufw status”.  If you’ve accidentally banned an IP you didn’t mean to, then you can unban it by using “ufw delete rule#”, where rule# is the actual line from “ufw status numbered” that you want to unban.  Note that this list can get rather long, as there are people with nothing better to do than write scripts to try to break into whatever servers they can find.  In the short time I wrote up this article, I had 32 attempts on my demo server alone.  If you need to reset, you can just type “ufw reset”, but that resets everything back to factory defaults.  You can use a quick script to do this also:

sudo ufw --force disable \
&& sudo ufw --force reset \
&& sudo ufw default deny incoming \
&& sudo ufw default allow outgoing \
&& sudo ufw allow 22/tcp \
&& sudo ufw limit ssh \
&& sudo ufw allow 80/tcp \
&& sudo ufw allow 443/tcp \
&& sudo ufw --force enable

This has been a very fundamental explanation of how to easily allow remote access while also keeping the bad guys out at the same time, using a blend of the old  (tcpwrappers was written in the 1990’s) and the new.

Posted in: Company News

Leave a Comment (0) →

Coronavirus COVID-19 Disinfection on the Cheap

Coronavirus (COVID-19) has gathered significant attention worldwide because of how dangerous the virus is, how easily it spreads, and how difficult it is to detect.   So most people, whether government, professional, or civilian, are looking for an easy way to protect themselves and others as best they can.   Things like facial and toilet tissue, surgical masks, and hand sanitizers are selling out in stores and online.   As the number of cases in the US increase, so will the panic.  

But the military has dealt with this kind of thing for a long time, and the number one thing they rely upon for disinfecting is good old fashioned Sodium or Calcium Hypochlorite, also known as “bleach”.   There are many kinds of bleach, but Sodium Hypochlorite is typically referred to “Clorox” bleach. Both Sodium and Calcium Hypochlorite are widely available, but we prefer Calcium Hypochlorite because it typically contains more available chlorine per volume than Sodium Hypochlorite.  Bleach is a generic term which describes a chemical with the inherent properties of removing color, whitening, and disinfecting.   It does this by oxidation, which with “Clorox” is by a chemical reaction which causes the proteins in germs to lose their cellular structure, thus destroying them.

“So what?”  Everybody knows that bleach kills germs.   Yes, but did you know that even a small concentration of bleach kills germs?  You don’t need to dump a gallon of Clorox on everything to kill germs.   You can dilute it down to as little as .5% and still effectively kill germs on contact.  You can even dilute down to .05% and still be effective, but the exposure time becomes much longer.   So what do we (“not-healthcare professionals”) suggest for every day people to use this solution?  

Something as simple as a mini-spray bottle (think travel size pump hair spray bottle) with a .5% solution of Calcium Hypochlorite in water will be easily portable and moderately effective for most uses.   The dilution ratio doesn’t have to be exact, but it should be close.  If it’s a little higher that’s okay, but don’t go crazy.  The concentration will determine HOW LONG you must maintain contact with the solution, so start with a known concentration and then blend down.  Bleach is a reactive chemical, and deteriorates over time in higher concentrations, so choose a product that is individually sealed and use as needed.  The lower concentration of .5% should last for months in a sealed container.  For our mixture, we liked something like this pool product from Amazon.com.  It is 68% concentration in powder form in 1lb packs.  To make a 55 gallon drum of .5% solution, mix approximately 3 1/4 lbs of powder to 55 gallons of water.   Or for each gallon, add ~1 oz of Calcium Hypochlorate and mix thoroughly.    Remember that because it’s a solid powder it won’t mix easily in water, so if possible use warm water to help it dissolve more quickly and thoroughly.

So, fill the spray pump bottles and toss them in your pocket, your office drawer, your glove box, or backpack.  Spray on anything you want to touch, or on your hands after you’ve touched something you shouldn’t have.  Rub in thoroughly.  The .5% concentration shouldn’t discolor most fabrics or materials, but will definitely have a slight chlorine odor to it.  You can add scents to the mixture if desired to make it more tolerable for those sensitive to chloramine smells, but don’t add so much that it dilutes the solution to be ineffective.   

For more information see the US Army Public Health Command bulletin on Preparing and Measuring High Chlorine Concentration Solutions for Disinfection:  TIP_No_13-034-1114_Prepare_Measure_High_Chlorine_Solutions

Posted in: Company News

Leave a Comment (0) →

HID Signo Readers Announced.

HID announced an entirely new reader line today, called Signo.  What’s immediately noticeable is they are more sleek and stylish than the iClass R or RP models, but looking further, we found that there are some distinct differences that might just make switching to this new reader platform sensible.

For starters, the keypad reader model looks more functional, and the mullion keypad reader is a definite necessity.  The keypads are capacitive  touch style which should make them more reliable in harsh environments.

Dimensions for the readers is almost identical, with the Signo readers being a little slimmer, but probably not by very much.  See Feature Comparison Matrix.

What’s missing though, like in the RP series, is a long range parking lot reader like the R90.  This is a needed technology that should be added in the future (are you listening, HID?).

The Signo series seems to lump all the reader technologies in together, making the product selection a little less confusing than previous iClass reader selections.  This is most welcomed.  Supported technologies are 125Khz proximity, iClass, SEOS, Mifare, plus mobile credentials via Bluetooth and NFC, plus Apple’s Enhanced Contactless Polling technology for apple wallet credentials.  

Other features are better support for crypto keys (no more base encryption key in the wild, for now), automatic tuning/detuning for optimized read range, and OSDP support out of the box.  Reader tamper is now a dry contact relay (THANK YOU).   But the biggest thing installers are going to enjoy is that the Signo readers support remote management.  No more configuration cards to go around to every reader just to turn of the 125Khz prox read feature set.  This should have been done LONG AGO.   Firmware updates, configuration, and reader management can be done via mobile device or over OSDP (assuming your PACS supports it).

From our take, these readers appear to have been developed largely for the Campus environment (the Apple ECP is a dead giveaway), but certainly have the feature sets that would make them desirable in the commercial, government, and industrial markets as well.  We don’t  have any evaluation copies yet, but will definitely be looking at these for new projects where they fit and offer additional security, style, and convenience.

Feature Comparison Matrix

Reader RP40 Signo 40
Dimensions 3.3″ x 4.8″ x 1.0″ 3.15″ x 4.78″ x 0.77″
Read Range (typ)

iCLASS: 2.4″

125Khz Prox: 2.8″ to 4.3″

iCLASS: 1.6″ to 4″

125Khz Prox: 2.4″ to 4″

Power 85ma @ 16VDC 75ma @ 12VDC
Comm Wiegand & (optional) OSDP  Wiegand & OSDP
Reader Tamper Open Collector Output Dry Contact Relay
Configuration Programming Cards Mobile Device or OSDP
Weatherproof If optional gasket installed Yes
Certifications UL294, EAL5+ UL294, EAL6+
Price ~$200.00 ~$200.00

 

 

Posted in: Access Control, Company News, Security Technology

Leave a Comment (0) →
Page 1 of 2 12