Archive for Company News

Why You Should Be Skeptical of Security Apps in the Cloud

The “Cloud” for most people has become an integral part of our daily lives.  It’s everywhere, yet many people couldn’t tell you what the cloud really is if you asked them.  It’s just there. 

In a nutshell, the cloud could be defined as “an internet server you don’t own, yet hosts your data”. All this means is that you’re using Software as a Service (SaaS): someone else has developed the application, hosts it on their server, and you use it, possibly paying for it by subscription (like Ring or Canary).

Yet all too often, when we inspect these services or applications closely, we find flaws, or sometimes downright intentional abuse, that expose more of our personal data than we would like. In the case of many apps for home or personal use, we can choose to accept some loss of privacy in exchange for the free or bundled software and storage. In the business world, however, this is rarely tolerated, and in some cases it’s against the law.

For a fantastic example of this abuse, the Electronic Frontier Foundation has published an excellent article about Ring and its application that exposes multiple privacy abuses. The biggest takeaway from the article for us was that Ring appears to use certificate pinning in a way that prevented security researchers from analyzing the encrypted traffic generated by the application itself. Now imagine an app from a state-sponsored corporate entity like Huawei sending images, stored files, GPS data, voice recordings, or video from your phone or tablet to some server in another country. See how big the risk is?

Click the link below to read the full article, but this summary puts it best:

“Ring claims to prioritize the security and privacy of its customers, yet time and again we’ve seen these claims not only fall short, but harm the customers and community members who engage with Ring’s surveillance system.”

https://www.eff.org/deeplinks/2020/01/ring-doorbell-app-packed-third-party-trackers

 

Posted in: Company News


Quantum Resistant Encrypted Communications

If quantum computing can reduce calculation times from decades down to seconds, what does that spell for current military, government, and corporate technologies that rely on encryption algorithms? The current thinking is that encryption isn’t unbreakable, just impractical to break: by the time a message has been brute-forced, it’s no longer relevant, and most likely the encryption key (or even the mechanism) has changed. With quantum computing, this all goes out the window, as brute-force decryption could theoretically be done in real time. This terrifies everyone, and rightfully so.

What about blockchain? Under the Bitcoin blockchain algorithm, the encryption difficulty is adjusted after every 2016 blocks are mined. This is typically an incremental increase or decrease as more or fewer hardware resources are thrown at mining Bitcoin. Thus, if you added a super quantum computer (or a cluster of them), the difficulty would increase proportionally (and drastically) with the number of blocks mined, just in a much shorter time frame.

On October 23, 2019, Bitcoin’s price fell from around $8200 per bitcoin to under $7400 in a matter of minutes, because Google announced that Sycamore, its quantum computing platform, had achieved “quantum supremacy” by passing a supposedly impossible test. The premise is that it completed a test calculation in 200 seconds that would take the world’s most powerful supercomputer 10,000 years to finish. While the claim is somewhat questionable, there is no doubt that quantum computing has gained a foothold and will only advance from here.

Google Sycamore Quantum Computer

The problem here is that someone trying to break the encryption isn’t likely to be actively participating in the blockchain. They’re simply going to try to decrypt whatever packets or streams they are intercepting. So unless the encrypted blockchain communications platform raised the encryption difficulty to a level it couldn’t actively mine itself (thus defeating the point of encryption to begin with), the communications would always be deciphered by the quantum computer. Thus… all encrypted communications would have to be done with quantum computers. It’s another round of keeping up with the bad guys, and technology has to step up to meet the challenge.

The downside is that this is well beyond the financial reach of most businesses and private individuals, meaning we are back to the equivalent of clear-text passwords and messages as well as unencrypted financial transactions. This would be disastrous for the financial and credit industries, and would create havoc for privacy law enforcement worldwide (think GDPR).

How this plays out is anybody’s guess right now, and the technology isn’t quite there, but in the meantime all one can do is hope that Google really means it when it says “Don’t Be Evil”.

 

Posted in: Company News


NSA Warns: Update Windows Or Else

For the first time I’ve ever seen, the National Security Agency has made a public announcement about a private company’s product, warning that all Windows users still running older versions of Windows (XP, Vista, Server 2003/2008, or Windows 7) should upgrade or face serious remote exploit risks. Their advisory can be found here: https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/1865726/nsa-cybersecurity-advisory-patch-remote-desktop-services-on-legacy-versions-of/

Honestly though, if you’re still using Windows XP or Windows 2000 and it’s connected to the internet, you kinda deserve everything you get. I get it, there are still some ancient programs out there that never got upgraded and you just “can’t live without them”. And I can even understand if you’re still using Windows 7 (by the way, patch that too), but really, it’s been 18 years since Windows XP was released… stop clinging and move on.

Further information from the Microsoft CVE-2019-0708 security advisory:

  • Block TCP port 3389 at your firewalls, especially any perimeter firewalls exposed to the internet. This port is used by the Remote Desktop Protocol (RDP); blocking it stops attempts to establish an RDP connection from outside.
  • Enable Network Level Authentication (NLA). With NLA enabled, an attacker would first have to authenticate to Remote Desktop Services (RDS) in order to exploit the vulnerability. NLA is available on Windows 7, Windows Server 2008 and Windows Server 2008 R2.
  • Disable Remote Desktop Services if they are not required. Disabling unused and unneeded services reduces exposure to security vulnerabilities overall and is a best practice even without the BlueKeep threat.
  • Note that Windows 10 systems are already protected from this vulnerability, as it only affects the older versions of Windows listed above.
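As an added example (not code from either advisory), a short Python audit that checks one host against the three mitigations above: it reads the standard Terminal Server registry values fDenyTSConnections and UserAuthentication, tries a TCP connect to 3389, and treats kernel versions below 6.2 (Windows 7 / Server 2008 R2 and earlier) as in scope. The assess() scoring and its severity labels are assumptions of the example; the registry read only works on Windows, elsewhere the values are reported as unknown.

```python
# Added example, not code from the NSA or Microsoft advisories: audit one
# Windows host against the three mitigations listed above. The registry
# values are the standard Terminal Server settings; the scoring is ours.
import platform
import socket
import sys

TS_KEY = r"SYSTEM\CurrentControlSet\Control\Terminal Server"
RDP_TCP_KEY = TS_KEY + r"\WinStations\RDP-Tcp"

def is_legacy_windows(version=None):
    """Windows 8 / Server 2012 report kernel 6.2; anything older is in the
    affected list (XP, Vista, Server 2003/2008/2008 R2, 7). Pass a
    (major, minor) tuple to evaluate a version collected elsewhere."""
    if version is None:
        if platform.system() != "Windows":
            return False
        v = sys.getwindowsversion()
        version = (v.major, v.minor)
    return tuple(version) < (6, 2)

def read_rdp_settings():
    """Return (rdp_disabled, nla_required) from the registry, or
    (None, None) when not on Windows or the values cannot be read."""
    if platform.system() != "Windows":
        return None, None
    import winreg  # standard library, Windows only

    def dword(subkey, name):
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
            return int(winreg.QueryValueEx(key, name)[0])
    try:
        # fDenyTSConnections = 1: Remote Desktop is switched off entirely.
        # UserAuthentication = 1: NLA must succeed before a session starts.
        rdp_disabled = dword(TS_KEY, "fDenyTSConnections") == 1
        nla_required = dword(RDP_TCP_KEY, "UserAuthentication") == 1
        return rdp_disabled, nla_required
    except OSError:
        return None, None

def port_3389_open(host="127.0.0.1", timeout=0.5):
    """True if a TCP connect to 3389 succeeds, i.e. RDP is reachable."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, 3389)) == 0

def assess(legacy, rdp_disabled, nla_required, listening):
    """Turn the observations into (severity, finding) tuples. An empty list
    means the host is unaffected or every mitigation is in place."""
    findings = []
    if not legacy:
        return findings  # Windows 8/10 and later are not in the affected list
    if rdp_disabled is None:
        findings.append(("INFO", "Terminal Server settings unreadable; check manually"))
    if listening:
        findings.append(("HIGH", "TCP/3389 reachable: block at the perimeter firewall or disable RDS"))
    if rdp_disabled:
        return findings  # RDS is off, so the NLA setting is moot
    if nla_required is False:
        findings.append(("HIGH", "NLA off: enable Network Level Authentication"))
    elif nla_required is None:
        findings.append(("INFO", "NLA state unknown"))
    return findings

if __name__ == "__main__":
    disabled, nla = read_rdp_settings()
    report = assess(is_legacy_windows(), disabled, nla, port_3389_open())
    for sev, text in report or [("OK", "no findings")]:
        print(f"[{sev}] {text}")
```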

Posted in: Company News


2019 Q3 and Q4 Class Schedule

The following North Carolina SP-FA/LV Exam Prep classes are scheduled for the remainder of 2019:

  • August 14, 2019 8:00A – 5:00P Greensboro ADI, 4500 Green Point Dr #103, Greensboro, NC 27410
  • October 16, 2019 8:00A – 5:00P Raleigh ADI, 2741 Noblin Rd # 101, Raleigh, NC 27604
  • December 11, 2019 8:00A – 5:00P Greensboro ADI, 4500 Green Point Dr #103, Greensboro, NC 27410

For additional information or to register, contact the National Training Center at (702) 648-8899 or sales@nationaltrainingcenter.net, or register online at http://www.nationaltrainingcenter.net/index.xml.
Full NTC class schedule link: http://www.nationaltrainingcenter.net/instructor-led-training.xml

Posted in: Company News


Bitcoin Hacked! Hackers steal $70M dollars! And Other Sensational Journalism…

Bitcoin… Another story. The mainstream media, in their usual quest for drama and ratings, are in a fever pitch about the December 5 hack of Nicehash.com that resulted in the theft of over 4736 bitcoins (~$77M as of this writing). See here for what is claimed to be the blockchain address for the transfer: https://blockchain.info/address/1EnJHhq8Jq8vDuZA5ahVh6H4t6jh1mB4rq

The claim that seems the most ridiculous is that “Bitcoin is NOT safe, and is hackable!” This is nonsense; it is like saying the US dollar isn’t safe because your neighborhood Bank of America was robbed. The fact is, nicehash.com didn’t have adequate security measures in place to prevent the hack (despite the most annoying Captcha I’ve ever used), and it has probably ruined the company.

Nicehash was a very popular and easy-to-use mining service where people (including myself) could mine Bitcoin (and other cryptocurrencies) using their PC or specialized mining hardware. Nicehash pays miners a “fee” for mining cryptocurrencies, paid out on a round basis. The nice thing was that they paid in bitcoin, no matter what coin you were actually mining. Naturally, they had to hold a pretty large amount of bitcoin to make these payments, and they advertised it regularly on the web.

Nicehash also had a policy of not making payments to external wallets (meaning wallets under the control of the individual miner, not on nicehash.com) unless the miner had a balance of 0.01 bitcoin or more. That’s about $170.00, and many miners had just slightly less than that sitting in the community wallet that nicehash.com paid miners from, which is where the funds were stolen. And because Bitcoin transfers are generally not traceable to an individual, the money is gone. In short, everybody loses.

The trouble set in when someone, somehow, found a way into their Bitcoin wallet and transferred the coins out to themselves. The FBI is almost certainly involved, as well as Interpol, Europol, and possibly other European or Slovenian police agencies.

So why still invest in Bitcoin? Because Bitcoin is based on a blockchain technology that is very reliable and secure. The concept of Bitcoin and its blockchain is not hackable in itself; rather, nicehash.com was hacked and lost its bitcoin. There are different types of blockchain strategies, and some are more efficient, quick, secure, and anonymous than others. Bitcoin was the first cryptocurrency to use this concept, and while you can “see” which addresses funds are transferred to and from, you cannot see “where” physically (geographically) or any other identifying information about who or where the funds were sent to or from.

So what is blockchain? Google is your friend here, as there are tons of videos and wikis about blockchain and how the different types work. But in a (very simplistic) nutshell, blockchain is the concept that all transactions in an ecosystem use a distributed cryptographic ledger, and most importantly, the SAME ledger. This means that if Zack, Sally, Mike and Kim are all in a trading club and are sending money to each other, they each have a copy of the ledger, and when Mike sends Zack funds, it is recorded on all four ledgers, and the ledgers all have to agree (using a cryptographic algorithm) on the transaction date/time, amount, and transferee’s bitcoin address. If they don’t agree, the transaction is invalid and is rejected, thereby preventing someone from simply inserting a million-dollar credit into their own ledger. As you can imagine, for something like Bitcoin that’s been logging and recording all these transactions since 2009, that ledger can be quite large… about 2 gigabytes… and still growing.
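As an added example (not the post’s own code), a toy version of the four-member ledger just described: every member’s copy records each transaction, the copies must arrive at the same SHA-256 hash over date/time, amount, sender and recipient, and a copy into which a member has inserted a million-dollar credit is rejected on the next transaction. The member names, timestamps and amounts are constructed for the demo.

```python
# Added example (not the post's code): a toy of the shared ledger described
# above. Member names, times and amounts are constructed for the demo.
import copy
import hashlib
import json
from collections import Counter

GENESIS = "0" * 64

def entry_hash(entry):
    """SHA-256 over every field except the stored hash; the link to the
    previous entry is included, so one edited amount breaks the chain."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def tx(when, sender, recipient, amount):
    return {"when": when, "from": sender, "to": recipient, "amount": amount}

class Ledger:
    """One member's copy of the ledger."""
    def __init__(self):
        self.entries = []

    def head(self):
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def append(self, transaction):
        entry = dict(transaction, prev=self.head())
        entry["hash"] = entry_hash(entry)
        self.entries.append(entry)
        return entry["hash"]

    def is_valid(self):
        """Re-derive every link; an edited or re-ordered entry fails."""
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or entry_hash(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def balance(self, name):
        return sum(e["amount"] * ((e["to"] == name) - (e["from"] == name))
                   for e in self.entries)

class Club:
    """The trading club: every member records every transaction, and an
    entry stands only if all copies derive the same hash for it."""
    def __init__(self, members):
        self.copies = {m: Ledger() for m in members}

    def submit(self, transaction):
        """Returns (agreed head hash, members whose copy disagreed)."""
        heads = {m: l.append(transaction) for m, l in self.copies.items()}
        agreed, _ = Counter(heads.values()).most_common(1)[0]
        dissent = sorted(m for m, h in heads.items() if h != agreed)
        if dissent:
            # A copy that disagrees with the majority is replaced by a majority
            # copy, which drops anything that member inserted unilaterally.
            good = next(l for m, l in self.copies.items() if m not in dissent)
            for m in dissent:
                self.copies[m] = copy.deepcopy(good)
        return agreed, dissent

def demo():
    """Constructed scenario: Kim credits herself a million on her own copy."""
    club = Club(["Zack", "Sally", "Mike", "Kim"])
    _, first = club.submit(tx("2017-12-05T10:00Z", "Mike", "Zack", 5))
    club.copies["Kim"].append(tx("2017-12-05T10:01Z", "Bank", "Kim", 1_000_000))
    _, second = club.submit(tx("2017-12-05T10:02Z", "Sally", "Kim", 2))
    return {
        "first_dissent": first,            # []
        "second_dissent": second,          # ["Kim"]
        "kim_balance": club.copies["Kim"].balance("Kim"),  # 2, not 1000002
        "all_agree": len({l.head() for l in club.copies.values()}) == 1,
        "all_valid": all(l.is_valid() for l in club.copies.values()),
    }
```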

The cool thing is that this technology can be applied to other types of transactions, such as deed transfers, contracts, information exchanges, or gaming, to name a few. Because the transaction is secure, encrypted, and shared, it is virtually “hackproof”. What isn’t “hackproof” is anything stored online, like Nicehash’s wallet, or any other online wallet for which you yourself don’t hold the private keys and can’t transfer to cold storage. Online wallets are very convenient. Coindesk.com is very popular and has exploded in recent weeks due to the popularity and price spike of Bitcoin, but it’s generally not considered a good idea to keep large sums of Bitcoin stored there unless you have an immediate need for it. Keep it in an offline wallet and use cold storage.

So in short, Bitcoin is just like any other fiat cash currency: the bearer holds the value, and if you don’t take steps to protect it, someone else can (and probably will) steal it.

 

 

 

Posted in: Company News


Door Handedness

One of the questions that comes up all the time in access control design layouts is door handedness.  It’s not a hard concept to understand once you see it graphically, but it’s sometimes tough to remember in the field if you’re not accustomed to working with door hardware on a daily basis.

While we would typically prefer security doors to swing into the secured space (easier to barricade if needed in an emergency and the hinges are typically on the secured side), usually the handedness of a door isn’t left up to security and is based more upon building code and/or the function of the space.

The following graphic explains it better than I’ve seen anywhere else, and shows you the door swing as seen from the Outside (or “unsecured” side, where the card reader or key would be).

 

Courtesy of Specialtydoors.com

Also, note from the table below that a Left Hand door isn’t the same as a Right Hand Reverse door, as the lock hardware has to change in order to latch properly.

  • Left Hand: Door swings inward to the left; uses LH hinge, LH strike, LH lock.
  • Right Hand: Door swings inward to the right; uses RH hinge, RH strike, RH lock.
  • Left Hand Reverse: Door swings outward to the left; uses RH hinge, RH strike, LH lock.
  • Right Hand Reverse: Door swings outward to the right; uses LH hinge, LH strike, RH lock.

 

So next time someone says that a door is a “Right Hand Reverse” door, you’ll know that they really mean the door swings out to the right towards you if you’re standing on the outside.

 

 

Posted in: Company News


Kile Unterzuber Receives NCESA President’s Award

We are proud to announce that Kile Unterzuber has received the 2017 President’s Award from the North Carolina Electronic Security Association.

“The recipient of the 2017 President’s Award has been an outstanding leader to the NCESA for many years.  His exceptional ability to lead the industry in educational advancement has been respected and admired for many years.  His leadership passion has provided direction and pathways for the organizations through top level education.    The never-ending work of this volunteer has earned him the reputation of an unselfish and highly accountable industry advocate.  With many years of industry experience, Kile has proven through his honorable and ethical character that community and industry service is essential. He has always dedicated himself to better the world around him and the industries he serves.” — Chris Lohr, President NCESA

Posted in: Company News


LED Street Lighting for Security Purposes

Drive down any US city street these days, and the old, yellow street lights now shine bright white with the latest in modern street lighting, LEDs. LED lights are popular because of their tremendous energy savings, about 80-90% energy efficiency, compared to a traditional incandescent light bulb. This means that about 80% of the energy an LED lamp consumes actually goes into making light, with the remaining 20% given off as heat. Compare that with the highly inefficient incandescent bulb, where only about 25% is converted to light and 75% is given off as heat. So for any business, residence, or municipality, a huge savings in operating costs can be found by switching to LED lighting, and with federal subsidies for energy savings, the capital costs are partially offset as well.

But a small wrinkle has developed: the American Medical Association (AMA) has adopted guidance for communities on selecting among LED lighting options to minimize potential harmful human and environmental effects. People are complaining about driving under the blue-white lights, or trying to sleep with one newly installed on the street outside their bedroom window. According to the AMA: “High-intensity LED lighting designs emit a large amount of blue light that appears white to the naked eye and create worse nighttime glare than conventional lighting. Discomfort and disability from intense, blue-rich LED lighting can decrease visual acuity and safety, resulting in concerns and creating a road hazard. In addition to its impact on drivers, blue-rich LED streetlights operate at a wavelength that most adversely suppresses melatonin during night. It is estimated that white LED lamps have five times greater impact on circadian sleep rhythms than conventional street lamps. Recent large surveys found that brighter residential nighttime lighting is associated with reduced sleep times, dissatisfaction with sleep quality, excessive sleepiness, impaired daytime functioning and obesity.” So the AMA is recommending that newly installed LED street lamps turn the color temperature down from 5000K or 4000K to at least 3000K, or a “warm-white” color that more closely mimics natural sunlight.

For the last 30 or 40 years, most street lamps have been high-pressure sodium or mercury vapor lamps. These are high-intensity discharge (HID) lamps that operate by forcing an electric arc through vaporized mercury or sodium to produce light. The arc discharge is generally confined to a small fused quartz arc tube mounted within a larger borosilicate glass bulb. The color is the big difference: mercury vapor lamps usually produce a bluish/purple color when operating, and sodium lamps produce a yellowish/brown color. Sodium was the most common type of lamp until just recently because it was more efficient than mercury.

So what difference does this make from a security standpoint? Mostly the color. Oddly enough, the color matters from both a psychological and an electronic security perspective. In the past we have generally recommended metal halide HID lamps instead of mercury or sodium, even though they operate similarly, because the color is a much truer white and allows for proper color identification in low-light situations. Mercury and sodium lamps can make greens and reds look like different colors, and navy and black almost impossible to differentiate. Enter LED lamps. They look very similar to metal halide from a color perspective, and allow better color rendition for both human eyes and electronic eyes such as video surveillance cameras, most of which see in color these days even at night (if the lighting is good enough). Below you can see the major difference between an older-style sodium vapor lamp and a newer LED.

Old and New

Both lamps give off ample light, but there is an obvious color difference. And while it’s not terribly easy to see from this photo, accurate color rendering is harder under the yellow sodium lamp. The LED lamp here has a higher color temperature, around 4000K, and has the bluish tint that is being complained about. Lowering the temperature to 3000K would make it slightly more amber, but nowhere near the color of the sodium lamp.

So if your business, facility, or municipality has LED lamps being planned, it may be prudent to push for a 3000K color temperature, not only for security camera color rendering accuracy but also from a psychological and health perspective, and you have the AMA helping make your case for you.

 

 

Posted in: Company News, CPTED


Facial Recognition for Access Control?

Several years ago, I worked on a project prototype for a major group of sea ports that wanted to use the state’s driver’s license image database for facial recognition/verification of TWIC applicants, and eventually for identity verification at critical card access points. The main focus of the project was to ensure that the person applying for the TWIC card was indeed who they claimed to be, and not an imposter. Neither the CCTV system nor the card access system had the built-in software to do this, much less to do it together, so we had to write the interface and the software to manage it. It worked, but not as well as we would have liked. We used a GPL’d algorithm for the facial recognition, which, while good, would produce some false positives and false negatives from time to time. Ultimately, to me, it served as a proof of concept. It did work, and could be made into a serviceable monitoring and investigation tool for security. (Later we used that same GPL software to create a tool that would scrounge through the card access database and crop the cardholder photos to a uniform size. THAT worked really well.)

Years later, as far as I know there is still no off-the-shelf system that provides true facial recognition monitoring for access control violations. This seems very straightforward to do, since most companies or government branches have an actively maintained photo database of their cardholder personnel, and most often have video cameras monitoring locations where access control is used.

The biggest limitation we found was the quality of the CCTV images compared with the badge database photos. Both were of rather poor quality, but if we used the software just as a pre-filtering tool for security operators, the margins of error were more tolerable. The idea was to still have a security guard doing the verification, but not for every photo, just the ones the software couldn’t handle well.

Cardholder with back to camera.

Poor camera angle doesn’t allow for good facial recognition

With megapixel IP cameras replacing low-resolution analog cameras, the probability improves of capturing an image with enough unique data points to match against an image database with a high degree of confidence. This means more data points to compare, and fewer false positives and negatives. There are still other considerations such as angle of view, proper lensing, lighting, face concealment/alteration issues, and image database accuracy, and you must get most, if not all, of these right to have a usable image. As shown here, even with good lighting and resolution, without a good angle and lensing you will not have a usable image for facial recognition of the cardholder.

Currently, there are about a dozen corporations worldwide that offer some type of facial recognition software. Many of their larger customers are government agencies or the financial industry. It is used at some border crossings, for passport identification, and at high-profile monuments. The FBI may be the most famous consumer of this technology, but it is not used in a widespread fashion as far as I know. Naturally, this isn’t something that is widely advertised by these agencies.

Still, for such a technically savvy country as the USA supposedly is, I’ve often wondered why we don’t have facial recognition against a national database at all critical locations like border crossings, airports, bus stations, train stations, embassies, and hospitals. I realize there’s a modest invasion of privacy, and nobody likes the thought of having “big brother” monitor their whereabouts, especially putting a name to a face at a specific location and time. It’s kind of creepy. But the other side of the coin is that if we maintain a central photographic database of active criminals and terrorists (which we do), then having feeds from certain cameras in certain high-traffic locations might allow us not only to apprehend said criminals/terrorists in a timely manner, but also to gain intelligence regarding their commuting patterns, associations, and personal habits. This is beneficial information that can reduce crime and terrorism.

Keep in mind, the government already has a very large database of photos, probably including you, even if you don’t have a mug shot in the NCIC. Facebook, Twitter, Instagram, and LinkedIn are all repositories that most likely link your face with your name. The FBI has said that by 2015 it plans to have 52 million photos in its NGI facial recognition database, and that it will include non-criminal as well as criminal records. Where’d they get those?! So, you may already be in the database, and maybe me too. Obviously, some people will object to this idea, some quite profusely. But the genie is already out of the bottle. Getting him stuffed back in is going to be difficult, if not impossible.

So the natural progression of this “big brother” concern may be to license the database. For a fee, allow vetted customers to access this centralized database via an API for government and limited private commercial purposes. Want to know if your daughter or son is in the NGI database? Maybe there’s a background check service company that can tell you. But for financial institutions, or the port authority I mentioned at the beginning of this article, it would be a boon of intelligence data. Not only would they have their own employees and contractors in their own database, they could also have access to a national database of “persons of interest” that could help them determine whether a potential applicant is a criminal, or maybe just a high risk. That has the simultaneous possibility of reducing their own risks and providing timely information to Homeland Security about a potential threat’s whereabouts and possible intentions.

Facial recognition of employees at work

Facial recognition in the workplace.

I think the future of this technology is already headed in this direction, and there may already be entities that are doing exactly what I’ve described, but I believe the technology will become more pervasive as some of the technological (and sociological) barriers are broken down.

Posted in: Access Control, Company News, Security Technology


PR Invited to Participate in State and Local Fire Marshal Policy Meeting

Protective Resources has been invited to meet with North Carolina state and local fire marshals to discuss how state and local code officials will be educated and trained in the new requirements for fire alarm system communications to comply with the 2010 and 2013 Fire Alarm Code. These new requirements are complex and will require code officials to have a better understanding of data networks, Internet Service Providers, and Voice over IP communication services.

Posted in: Company News
