Archive for Security Technology

Alarm Circuit Supervision – Why You Should Care

EOL resistors installed at panel instead of terminating device.

                  The wrong place for EOL resistors.

On nearly every project we work on, we recommend that alarm initiating devices, especially door contacts, be configured using end of line (EOL) resistors for 4-state supervisory circuits.  The actual resistance value and configuration can vary by system manufacturer, but typically it involves wiring a 1K Ohm resistor in series and another in parallel with the switch, at the terminating device itself (not in the panel or junction box above the door).   This ensures that we have circuit supervision from the alarm panel (or card reader panel) all the way down to the device termination, so we know if the device is in a normal state (1), an alarm state (2), shorted state (3), or cut state (4).   This is known as 4-state supervision, because it distinguishes between 4 possible scenarios for the supervised device.

For an example of why you need device supervision, I recently had a high profile client contract me to do a security survey of their research building.  One of the basement doors had a door contact on it that was not supervised and had been cut and shorted about 30 feet away from the door.  The card access system monitoring the door didn’t use 4-state monitoring and the door appeared to be “closed” all the time, even though it was commonly known that maintenance staff actively used the door for that area.  It had been in that state for several years before it was identified and later repaired.

This simple addition offers greater security to the system, yet often gets omitted by vendors in the installation because it requires extra time and expense, and even causes confusion with some installers (really).  Worse, we sometimes end up with installations like the one pictured above, which adds the EOL resistors to the panel with Dolphin connectors.  This type of installation does not offer any real security, and potentially introduces the opportunity for spurious connections inside the panel.  Thankfully, vendors like GRI manufacture magnetic contacts that come pre-assembled with the resistor array included.  They include 1K, 2K, 3.3K, 5.6K, 10K, and 33K resistors in a variety of contact packages, and also sell resistor packs for retrofit installations.
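The four readings described above, and what changes when the resistors sit in the panel instead of at the contact, modeled as an added example (not code from the original article or from any panel vendor). It assumes a normally closed door contact, the 1K series / 1K parallel values mentioned above, and an illustrative 15% tolerance band; all function names are hypothetical.

```python
# Added example: what a supervised input reads for each contact state and
# field-wiring fault, depending on where the EOL resistors are installed.
import math

R_SERIES = 1000.0    # 1K in series with the contact (typical value from the article)
R_PARALLEL = 1000.0  # 1K in parallel with the contact
TOLERANCE = 0.15     # assumed acceptance band; real panels define their own


def parallel(a, b):
    """Resistance of two branches in parallel; math.inf models an open branch."""
    if a == 0 or b == 0:
        return 0.0
    if math.isinf(a):
        return b
    if math.isinf(b):
        return a
    return a * b / (a + b)


def loop_resistance(placement, contact_closed, fault=None):
    """Ohms seen at the panel terminals.

    placement: "device" (resistors at the contact) or "panel" (resistors in
               the enclosure, bare switch at the end of the cable).
    fault:     None, "short" or "cut", located on the field cable between
               the panel and the door.
    """
    if placement == "device":
        if fault == "short":
            return 0.0        # conductors bridged ahead of the resistors
        if fault == "cut":
            return math.inf   # open loop
        return R_SERIES + (0.0 if contact_closed else R_PARALLEL)
    if placement == "panel":
        # The field cable carries only the bare switch, so a fault on it is
        # electrically identical to a switch position.
        if fault == "short":
            field = 0.0
        elif fault == "cut":
            field = math.inf
        else:
            field = 0.0 if contact_closed else math.inf
        return R_SERIES + parallel(R_PARALLEL, field)
    raise ValueError("placement must be 'device' or 'panel'")


def classify(ohms):
    """Map a measured loop resistance to one of the four supervised states."""
    normal = R_SERIES
    alarm = R_SERIES + R_PARALLEL
    if ohms < normal * (1 - TOLERANCE):
        return "short"
    if ohms <= normal * (1 + TOLERANCE):
        return "normal"
    if ohms < alarm * (1 - TOLERANCE):
        return "trouble"      # between bands: report rather than guess
    if ohms <= alarm * (1 + TOLERANCE):
        return "alarm"
    return "cut"


def masked_faults(placement):
    """Field-wiring faults the panel would report as an ordinary door state."""
    masked = []
    for contact_closed in (True, False):
        for fault in ("short", "cut"):
            state = classify(loop_resistance(placement, contact_closed, fault))
            if state in ("normal", "alarm"):
                masked.append((contact_closed, fault, state))
    return masked


if __name__ == "__main__":
    for placement in ("device", "panel"):
        print(placement, "placement, masked faults:", masked_faults(placement))
```

With the resistors at the device no wiring fault is masked; with them in the panel, a shorted cable reads as a closed door, which is the condition found on the basement door described above.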

Years ago, one of the best explanations I ever read about alarm circuit supervision was from an Andover Controls card access panel installation guide.  I had learned already about 4-state supervision and why you should do it, but the following illustration shows it more clearly than anywhere else I ever saw it.  I ran across it again the other day and decided I would put it in an article here on the site.  The illustration below shows how the first two iterations of EOL resistors do not offer any significant line supervision, and could easily be defeated.  The third configuration offers 4 unique resistance values that correspond with the 4 possible state conditions.

Credit to Schneider Electric / Andover Controls for the illustration.

Posted in: Security Technology, Training


Video Surveillance System Best Practices – The Right Way to Use CCTV

One of the most common questions we are asked by clients when starting a new project is if they should use Closed Circuit Television (CCTV) cameras for video surveillance.

As we work through the programmatic stage of the project, we try to apply some industry best practices with the client on HOW the cameras will be used on the property.  Here’s a quick rundown on some of the concepts we try to apply:

  1. Identify the purpose of the system and the objective of the surveillance.  This should be a detailed statement that originates in the project’s Basis of Design document.  The objectives should be detailed and achievable.  For example, “providing a view of the entire parking lot” is not a good performance objective, while “identifying the license plates of each vehicle entering or leaving the lot, along with a digital time-date identifier” is an effective performance objective.
  2. Minimize the number of cameras in the system. While this obviously has an impact on the initial cost of installation, it also enables the owner to utilize the system more effectively with fewer personnel and technical resources.  It helps to reduce the overall operating and maintenance costs as well.  A side benefit is that it encourages the system designer to “task” the cameras.
  3. “Task” each camera. Cameras must be placed so that each camera has a dedicated field of view.  The field of view should be directly related to one of the performance objectives.  Once a field of view has been defined, a camera and lens that meet the general performance requirements for the task can be specified. As with Item #1 above, the purpose of each camera should be identified in the design documents.
  4. Avoid new or unproven technologies. Select equipment and a system topology that uses proven technologies.  The shift in video cameras from analog cameras that use coaxial cable for NTSC composite video signals to IP cameras that use Cat 5e or Cat 6 data cable is an example of a technology that was slow to be adopted, but has proven itself to be a reliable improvement.  On the other hand, owners who have adopted unusual technologies, such as 360º digital PTZ cameras that require special software to render a viewable image, sometimes find that they are locked into a platform that may not be supported long term.  A helpful analogy is to consider cameras to be similar to telephones.  A good design allows the cameras to be replaced or upgraded as required while continuing to use the same cabling and infrastructure.
  5. Invest more heavily in the cabling and infrastructure than you might otherwise. The infrastructure that serves the cameras includes cabling, power cabling, power supplies, fiber-optic conductors, adapters, and hardware.  The main components of the infrastructure should last at least 20 years or more.  Cameras, however, will last significantly less than that period.  Therefore, be sure to invest wisely in the basics, as they will outlast three camera generations or more.
  6. Maintain the system properly after installation. Ongoing maintenance after the initial installation is a critical component of an effective surveillance system.   One of the key issues in a wrongful death lawsuit brought against Sumitomo, Inc., for a murder that occurred at their Research Triangle Park, NC, site in the early 1990s was whether or not certain video cameras were operational at the time of the incident.  While it is doubtful that a malfunctioning camera would have been a significant contributing factor, it was nonetheless an issue that was uncovered during the discovery phase.  The camera had been out of order for at least six months and the defendant produced work orders for the repair.  Unfortunately, some of the work orders had been delayed by a facilities manager who kept putting the repairs off until a later budget period.  An owner cannot be expected to guarantee that all parts of a system will be operational at all times, but it is expected that repairs will be made in a timely manner and that the owner exercises due care.
  7. Develop a written Appropriate Use and Retention policy for archived video. A surprising number of owners do not have any written policy regarding the appropriate use and retention of recorded video. A proper policy should be developed in conjunction with corporate counsel and should conform to the records retention policy of the organization. The policy should specify for what purposes the video images may be used and what type of authorization is necessary to access or copy them.  It should identify them as to the appropriate level of confidentiality.  It should specify what constitutes inappropriate use and what disciplinary action may be taken if personnel violate the policy.  And, as with all such policies, it should be disseminated to the personnel who have access to the video to ensure they are aware of their responsibilities.
  8. Archived video should not be retained beyond the specified retention period without proper authorization. Archived video is a company record and may be subject to discovery or subpoena.  Once the retention period, which is usually 30 days for most applications, has expired, the video should be deleted.  Corporate counsel can provide guidance on what would constitute a duty to retain specific video in connection with an incident or ongoing investigation, but video should never be retained beyond the limit specified.  We are aware of at least two instances in the past in which an owner has been asked to go through ALL videocassettes in their possession because an employee stated to an attorney that they “sometimes” kept some of the video for other purposes.  This is an expensive and time-consuming process and usually doesn’t produce anything of value.
  9. Leverage technology where it makes sense.  Using software technologies that are easily applied or even come included with the IP camera or Video Management System (VMS) can increase the overall effectiveness of your surveillance system and your security operation.   While one-off, proprietary hardware technologies might be so unique they are not supported later, software technologies are usually less painful to resolve if they don’t work as desired.  Software technologies like Axis Technologies’ “ZipStream” video compression or video analytics features such as face detection or autotracking are more recent inclusions to camera and VMS software that can improve the effectiveness of video surveillance by making your operation more efficient and capturing and storing meaningful video clips instead of empty scenes that offer no value.
  10. Be sure you can record audio.  Many IP cameras come with audio microphones and recording capability built in.  Before you deploy these types of cameras with audio enabled, check with Corporate counsel to make sure that you are not violating any state or local statutes prohibiting the recording of audio on your premises.  Some shy away completely from audio recording because of a broad interpretation of 18 U.S. Code § 2511, otherwise known as the Wiretap Act, which states that it is illegal to intentionally or purposefully intercept, disclose, or use the contents of any wire, oral, or electronic communication through the use of a “device”.  While video is not specifically mentioned in the statute, and a camera is not specifically mentioned as a “device”, it certainly fits a broad interpretation.  When in doubt, don’t record audio; but if permitted, audio recording can significantly enhance the evidentiary benefits of video surveillance.

There are many factors to consider when laying out a video surveillance system, but applying the above principles when considering the scope and size of your CCTV system will help avoid some of the more common problems and pitfalls that can arise from poor planning.

Posted in: Premises Liability, Security Technology


Cat 6a cabling, do you really need it for IP Video?

In security, modern IP video CCTV camera systems inevitably involve support from the IT/Data Communications departments now, and we often get asked about “how much” bandwidth is needed and what cabling types we need for the cameras, switches, and servers.  Often our advice is in conflict with the IT corporate standards, and we end up explaining the practical use for video in security.  This article attempts to discuss in layman’s terms the differences in the cabling types, and how they relate to IP video security.  The actual physics behind the IEEE 802-series specifications are complicated and beyond the scope of this document (fair warning: that rabbit hole goes deep).

In order to understand the basic question, some explanation is needed on the different types of Ethernet cabling, and their capabilities and limitations. It’s mostly about increasing the frequency capabilities of the cable.  Cat 5e is built to meet the specification requirements of up to 100 MHz, Cat 6 takes the spec to 250 MHz, and Cat 6a takes it all the way up to 500 MHz. The main difference between these cabling standards is the amount of insulation for the conductors and the rate of twist, although there is also a slight increase in the gauge size for Cat 6.   The net effect of these modifications is to reduce crosstalk, attenuation, and EMI.  This can also have the effect of reducing propagation delay and delay skew, which can be measured in millisecond increases in transmission times in some cases.  Delay is known in all types of transmission media, even fiber optics, and is the amount of time that passes between the transmission of a signal and when it is received at the other end of the data link.  In collision based networks like Ethernet using TCP/IP, minimizing propagation delay and skew can have an increased effect on the efficiency of the network and the net amount of data that can be transmitted upon any given network.  Dropped packets mean re-transmission, and bandwidth gets eaten up by repeating data information that’s already been sent (at least) once before.

Cabling Standard Limitations

Cable Type    Max Distance    Max Data Rate
Cat 5e        100 Meters      1 Gbps
Cat 6         50 Meters       10 Gbps
Cat 6a        100 Meters      10 Gbps

Cat 6 was the first entry into copper based 10Gbps data transmission at a commercial scale. The problem with Cat 6 is that after 50 meters the data rate is essentially 1Gbps, or no better than Cat 5e.   Cat 6a was later introduced and will do the full data rate of 10Gbps for the full rated distance for Ethernet (100 meters).  However, Cat 6a cabling is significantly larger in diameter than Cat 5e and has a stiffer jacket, making cable installation more difficult.  It’s also more expensive, about 33% more expensive than Cat 5e.

But do you really need 10Gbps at the edge device?  Probably not for most applications.  Even current high resolution cameras would not be able to fully utilize a 10Gbps network, never mind that the server hardware on the other end processing a couple dozen full rate video streams would be overwhelmed.  Currently, high resolution 3 megapixel (MP) cameras are widely available on the commercial market.  At 30 frames per second (fps) and at full resolution, such a camera would consume a maximum data rate of 15,000 kilobits per second (Kbps), or 15 Mbps, and more likely it would consume quite a bit less.  In most security applications, resolution and data rates are throttled not because of bandwidth limitations as much as for storage limitations on the server.  Exceptions to that would be the gaming industry and congested high speed traffic areas such as toll booths.  But for most of our applications, we typically find 2MP cameras at 10fps a reasonable compromise that consumes less bandwidth (and disk space) while still providing adequate video information for surveillance, response, and investigation.

Common Camera Resolution and Bitrates

Resolution (MP)    Pixels         Frame Rate (fps)    Bitrate (Mbps)
1.0                1280 x 720     30                  6
2.0                1920 x 1080    30                  10
3.0                2048 x 1536    30                  15

Even at full resolution and frame rate, you could theoretically put eighty-three (83) 3MP cameras (1250 Mbps/15 Mbps) on one 10GBase-T network cable. Of course in reality it would be considerably less, but you get the idea.

So where is 10Gbps Ethernet really needed?  For now, backbones: the connections from network switch to network switch that relay end device connectivity to other devices, clients, or servers.  Often these are fiber optic links, but more and more they are being made available as copper links using Cat 6a.

So what do we recommend?  Given the additional cost and current technical capabilities of IP cameras, we typically recommend Cat 6a cabling as sufficient for all IP video cameras where the 100m distance limitation is held and special conditions that require fiber optic cable or special media converters don’t apply.  There are also some technical concerns on the terminations and number of cycles for insertion/reinsertion that can come into play due to the cable’s rigidity.  Cat 6a is readily available, inexpensive, offers much easier cable handling and termination than Cat 6A, and still offers 10Gbps data rates on shorter runs.

Still, if the objective is to “future proof” your installation, Cat 6a is among the latest and greatest and should ensure that even 100+ MP cameras of the future would be handled without re-cabling.

Posted in: Security Technology


The Impact of Closed Circuit Television

Almost 30 years ago when I was first entering the security industry, closed circuit television (CCTV) cameras weren’t terribly different from the cameras that were being used for movie and television production.  They were smaller, typically had less resolution and no audio, but the basic principles were the same.   Charge-Coupled Device (CCD) cameras were fairly new, and if you wanted low light performance, you were resigned to using tube cameras.  Yes, tubes.  As in vacuum tubes.  Tube cameras actually used a vacuum tube for the imager, and the tradeoff for low light sensitivity was a shorter life span, higher power requirements, and reduced reliability.   Later, Complementary metal–oxide–semiconductor (CMOS) cameras came into play and helped overcome some of the limitations of both tube and CCD technologies.

Vidicon Imaging Tube for Old Style CCTV Camera

Since then, digital Internet Protocol (IP) cameras have come into play.    These newer cameras offer increased light sensitivity, much higher resolution, and new enhancements like video analytics and flexible communications options.

While all of these advancements make for better security, the most important enhancements are the video analytics and IP communications.   These two technology advances increase the likelihood of detecting activity and being able to monitor and record that activity from almost any location.

For most small and medium sized businesses or municipalities, the thought of a comprehensive video management system seems not only unnecessary, but impractical from a monitoring and timely intervention standpoint.  “Video cameras don’t stop crimes, all they do is record it”, we often hear.  This is not necessarily true.  CCTV video serves three important roles in security:

  1. Deterrence – Sometimes just the sight of a video camera will deter criminal activity from ever happening in the first place. Because being watched means being held accountable, this is a strong enticement for on premises security cameras.  No, this doesn’t mean adding “dummy cameras” is a good idea.  In fact, installing dummy cameras can make matters worse in premises liability cases for incidents occurring on your property.
  2. Detection – Having all of the campus CCTV cameras monitored in a single location allows for an operator to spot potential negative events during or even prior to them actually happening. IP enabled cameras offer increased detection capability in two ways; first they allow for cameras to be placed anywhere within the corporate network infrastructure (or even further away via hybrid cabling or wireless networking), and second they permit remote monitoring from anywhere there is network or internet access, including smart phones and tablets.  This allows for remote monitoring and recording at an off-site or contract monitoring facility, and also allows the ability to feed recorded or live events to first responders almost in real-time.    It also means that cameras can be located just about anywhere in your corporate footprint, including on-board vehicles.
  3. Assessment – Being able to discern what, where, and when something is happening on camera is critical to determining how to respond to a particular event, and also aids in evidentiary requirements for later prosecution. With the advent of video analytics, that can now be taken a step further with things like video motion detection, face detection, traffic movement, object removal, and facial recognition.   These tools increase the reliability of the observer (or recording device) to actually capture useful video information for use in timely intervention or for evidence in prosecution.   For example, with the right software, imagine a disgruntled employee situation where the former employee’s photo is set up to trigger an alert if the video system “recognizes” his face when he tries to re-enter the campus.  The authorities can be notified and other emergency precautions can be taken much sooner than previously possible.

Each one of these roles is an important piece of the overall security strategy for a business or government entity, and when used with common sense security practices like Crime Prevention through Environmental Design (CPTED) and other industry best practices, CCTV video becomes a powerful tool to deter, detect, and defend both persons and property in a timely and effective manner.

 

Posted in: CPTED, Premises Liability, Security Consulting, Security Technology


A Theory on the Yahoo Security Breach and Your Instant Messenger Service

In September of 2016, at least 500 million Yahoo accounts were affected in one of the largest data breaches in history.  My Yahoo account was one of them, although I only used it as a personal dump account for registering on non-essential websites.  Luckily I kept no personal or financial information in any of the emails there.

Most people, including the media, seem to be concerned with how this will affect the Verizon deal acquiring Yahoo.  Indeed, I’m certain Verizon is VERY concerned with it.   But that’s not the interesting thing.  The interesting thing is that Yahoo isn’t talking about HOW the data breach occurred, or if it’s connected with the prior data breach in August that stole 200 million accounts.  Or that the data breach seems to have occurred simultaneously with a rather hastily put together service migration of the well used Yahoo Instant Messenger (IM) platform.

More importantly and much less publicized, in August of this year Yahoo completely abandoned the venerable and well documented Yahoo Instant Messenger service, instead offering a dumbed down, less feature-rich service by the same name.  Most transitions of this scale and magnitude would take months or years for the migration, but this happened very quickly, leaving 3rd party vendors (Pidgin comes to mind) without much recourse for their offerings.  After August 5th, anyone that was still using the legacy Messenger app (or the API) was no longer able to log in or send messages.  You couldn’t even log in…

Yahoo IM is well known to have some security concerns, including the ability to “see” anonymously and remotely if someone is online using it, even in invisible mode.  It also had a very well liked and well used archival feature that recorded the entire text conversation for audit purposes.  Many brokers and traders used this platform to buy/sell products and put together deals very quickly.   They loved it.  But the new version does not support this feature (among others), and brokers have been forced to migrate to other platforms like ICE.

So what does all this tell us?  It tells me that there was likely a very serious security flaw in the Yahoo IM protocol, and that it likely had been exploited to gain access to millions of accounts without the users’ knowledge.   Any time a Fortune 500 company abruptly switches out a venerable product and substitutes it with a hastily deployed, inferior product, you can bet your hat that there was something significantly wrong with it.

Meanwhile, Yahoo is hush hush about it, not even mentioning the curious and spontaneous change to their IM platform that so many have relied upon for years.

Posted in: Security Technology


Facial Recognition for Access Control?

Several years ago,  I worked on a project prototype for a major group of sea ports that had an interest to use the state’s drivers license image database for facial recognition/verification of TWIC applicants and the eventual use for identity verification for critical card access points.  The main focus of the project was to ensure that the person applying for the TWIC card was indeed who they claimed to be, and not an imposter.   Neither the CCTV system nor the card access system had the built in software to do this, much less do it together, so we had to write the interface and the software to manage it.  It worked, but not as well as we would have liked.   We used a GPL’d algorithm for the facial recognition, which while good, would have some false positives and false negatives from time to time.   Ultimately to me, it served as a proof of concept.  It did work, and could be made as a serviceable monitoring and investigation tool for security.  (Later we used that same GPL software to create a tool that would scrounge through the card access database and crop the cardholder photos to a uniform size.  THAT worked really well.)

Years later, as far as I know there is still not an off-the-shelf system that provides a true facial recognition monitoring capability for access control violations.  This seems like something very straightforward to do, as most companies or government branches have an actively maintained photo database of their cardholder personnel, and most often have video cameras monitoring locations where access control is used.

The biggest limitation we found was the quality of the CCTV images against the badge database photos.   Both were of rather poor quality, but if we used the software as just a pre-filtering tool for security operators, the margins of error were more tolerable.  The idea was to still have a security guard doing the verification, but not for every photo, just the ones the software couldn’t handle well.

Cardholder with back to camera.

Poor camera angle doesn’t allow for good facial recognition

With Megapixel IP cameras replacing low resolution analog cameras, the probability improves of having a photo with an acceptable number of unique data points to match against an image database with a high degree of confidence.  This means more information data points to compare, and fewer false positives and negatives.   There are still other considerations such as angle of view, proper lensing, lighting, face concealment/alteration issues, and image database accuracy.  And you must have most, if not all of these considerations to have a usable image.  As shown here, even if you have good lighting and resolution, if you don’t have a good angle and lensing, you will not have a usable image for facial recognition of the cardholder.

Currently, there are about a dozen corporations world wide that offer some type of facial recognition software.   Many of their larger customers are government agencies or the financial industry.  It is used in some border crossings, passport identification, and high profile monuments.   The FBI may be the most famous consumer of this technology, but it is not used in a widespread fashion as far as I know.  Naturally, this isn’t something that is widely advertised by these agencies.

Still, as such a highly technically savvy country as the USA supposedly is, I’ve often wondered why we don’t have facial recognition with a national database at all critical locations like border crossings, airports, bus stations, train stations, embassies, and hospitals.  I realize there’s a modest invasion of privacy, and nobody likes the thought of having “big brother” monitor your whereabouts, especially putting your name to your face in a specific location and time.   It’s kind of creepy.  But the other side of the coin is that if we maintain a central photographic database of active criminals and terrorists (which we do), then having feeds from certain cameras in certain high traffic locations might allow us to not only apprehend said criminals/terrorists in a timely manner, but even allow us to gain intelligence regarding their commuting patterns, associations, and personal habits.  This is beneficial information that can reduce crime and terrorism.

Keep in mind, the government already has a very large database of photos, probably including you, even if you don’t have a mug shot in the NCIC.  Facebook, Twitter, Instagram, LinkedIn, are all repositories available that most likely link your face with your name.   The FBI has said that by 2015, it plans to have 52 million photos in its NGI facial recognition database.   The FBI will include non-criminal information as well as criminal.  Where’d they get those?!    So, you may already be in the database, and maybe me too.  Obviously, some people will object to this idea, some even quite profusely.  But the genie is already out of the bottle.  Getting him stuffed back in is going to be difficult, if not impossible.

So the natural progression on this “big brother” concern just may be to license the database.   For a fee, allow vetted customers to have access to the database via an API to use this centralized database for government and limited private commercial purposes.  Want to know if your daughter or son is in the NGI database?  Maybe there’s a background check service company that can tell you.   But for financial institutions, or the port authority I mentioned in the beginning of this article, it would be a boon of intelligence data.   Not only would they have their own employees and contractors in their own database, they could also have access to a national database of “persons of interest” that could assist them in determining if a potential applicant is a criminal, or maybe even just a high risk.  That has the simultaneous possibility of reducing their own risks, and providing timely information to Homeland Security about a potential threat’s whereabouts and possible intentions.

Facial recognition of employees at work

Facial recognition in the workplace.

I think the future of this technology is already headed in this direction, and there may already be entities that are doing exactly what I’ve described, but I believe the technology will become more pervasive as some of the technological (and sociological) barriers are broken down.

Posted in: Access Control, Company News, Security Technology


Digital Video Forensics: “Is this video clip reliable?”

When we receive a request from an attorney or a forensic engineer to review digital video material, we are most often asked, “Is this video clip reliable?” Over the years, we’ve learned that this can mean many different things. The material in question is often a short piece of video in the form of a digital file that can be played using common media players, such as Windows Media Player. In some cases, the material is accompanied by proprietary viewer software that is required to view the video. On occasion, the video is actually in a DVD format, complete with title and menu.

But what our clients really want to know is one or more of the following:

“Is this video clip a true and complete copy of the original?”

“Has this video clip been altered or edited?”

“Can I rely on the time and date that appear in the video? To what degree of precision?”

“Are the proportions of the picture correct? Can I use it to measure distances?”

We generally deal with civil cases and not criminal investigations. In a criminal investigation, it is usually enough for investigators to obtain identification from the video. This may be facial identification of a perpetrator, the approximate height and weight of the individual, or simply a general description of the clothing the perpetrator was wearing. In some cases, investigators seek to identify a vehicle, by model, make, or color. The investigating agency may extract important images for enhancement or to distribute in aid to the investigation. But it is very rare that a criminal investigator concerns himself or herself with the precision of the date and time stamp, or whether a single frame may be missing from the video sequence.

In civil lawsuits, it is a different matter. Unsurprisingly (and according to the “CSI” shows), video recording systems are everywhere and frequently record video of incidents unintentionally. We have, for example, worked with numerous video files from security systems that recorded vehicle accidents in the background, a purpose for which they were not originally designed or installed. A civil lawsuit in connection with the accident might require the involvement of forensic engineers, who will normally perform a survey of the accident site to obtain accurate measurements of the positions of the vehicles before, during, and after the accident. Since vehicle speed may be a contributing factor in an accident, the engineers want to estimate the vehicle speed(s) at different locations. Speed is often estimated on the basis of skid marks or the amount of damage sustained by the vehicle(s), but the availability of recorded video gives the forensic engineer the opportunity to estimate vehicle speed by time interval. Knowing that speed=distance/elapsed time, and having accurately measured vehicle position during the investigation, all we need is a precise measure of the time interval between the frames of the video clip that show the vehicle at those measured positions. What could be simpler?

As it turns out, a lot. Most digital video recording systems were never intended to be used to measure time intervals to the precision required to differentiate between a vehicle going 45 MPH in a 45 MPH zone and a vehicle going 56 MPH in a 45 MPH zone. In fact, most date and time stamps inserted in video recording systems do not display with any more accuracy than one-second intervals, though some may display to a greater precision. If we do have a system with sufficient precision, there may then be the question of accuracy. Being precise to the millisecond is one thing. Being accurate is another. The task is further complicated if the video clip has been exported by the video recording system in a format different from that which was used in the original recording. It is very common for a video recording system that uses variable frame rate (i.e., the intervals between successive frames are not uniform) to export video clips to a video file format that uses a constant frame rate. The exported files are quite useful for identification purposes, but may be useless for performing the calculations required to accurately estimate vehicle speed.

We frequently receive video clips in which the date and time stamp advances 15 minutes, or some other fixed time period, but the video clip actually plays in much less time using a software media player. We have several clips in which the audio portion of the file is shorter than the video itself, sometimes by more than 10%. The questions are then, “Which time intervals are correct? Can we state with confidence that the actual time interval between the vehicle at this location and that location is X.X seconds? What is our confidence interval for our estimate?”
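The arithmetic behind the two paragraphs above, as an added Python example that is not part of the original article. The 132 ft distance, the frame capture times and the 7.5 fps export rate are constructed sample values, and the timestamp model assumes the on-screen stamp is truncated to its display resolution.

```python
FT_PER_MILE = 5280

# Constructed sample data (not from any real case).
DISTANCE_FT = 132                      # surveyed distance between two positions
CAPTURE_MS = [0, 100, 350, 500, 700, 800, 1100,
              1250, 1350, 1550, 1700, 1900, 2000]   # variable-rate capture times
EXPORT_FPS = 7.5                       # constant rate written by the export


def mph(distance_ft, seconds):
    return distance_ft / seconds * 3600 / FT_PER_MILE


def speed_from_capture_times(distance_ft, times_ms, first, last):
    """Speed using the recorder's own per-frame capture times."""
    return mph(distance_ft, (times_ms[last] - times_ms[first]) / 1000)


def speed_from_cfr_export(distance_ft, first, last, fps):
    """Speed a player implies when it spaces frames evenly at `fps`."""
    return mph(distance_ft, (last - first) / fps)


def speed_bounds(distance_ft, shown_interval_s, resolution_s):
    """Speed range consistent with two on-screen stamps.

    Assumes each stamp is truncated to its resolution, so the true interval
    lies within +/- one resolution step of the displayed difference. This
    covers precision only; clock error and network latency widen it further.
    """
    shortest = shown_interval_s - resolution_s
    longest = shown_interval_s + resolution_s
    fastest = float("inf") if shortest <= 0 else mph(distance_ft, shortest)
    return mph(distance_ft, longest), fastest


def can_distinguish(bounds, speed_a, speed_b):
    """True when the range rules out at least one of the two speeds."""
    low, high = bounds
    return not (low <= speed_a <= high and low <= speed_b <= high)


if __name__ == "__main__":
    print(speed_from_capture_times(DISTANCE_FT, CAPTURE_MS, 0, 12))
    print(speed_from_cfr_export(DISTANCE_FT, 0, 12, EXPORT_FPS))
    print(speed_bounds(DISTANCE_FT, 2.0, 1.0))
    print(speed_bounds(DISTANCE_FT, 2.0, 0.001))
```

With this sample, the same twelve frame intervals give 45 MPH from the original capture times and 56.25 MPH from the constant-rate export, and a one-second stamp leaves a range of 30 to 90 MPH that cannot separate the two.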

Strangely, old-fashioned videocassette recorders are often more reliable and useful for the purpose of estimating time intervals than are modern digital video recording systems. A standard VHS recorder was designed to record video at 29.97 frames per second, and we have the further advantage of knowing that the camera was providing video to the recorder at an identical rate. Newer IP video cameras and digital recording systems normally work with variable frame rates and may even add the time stamp to the images only after they have been received at the recording unit, adding the problem of network latency to the mix.

A gentleman who was very experienced with digital video and had worked for years in the industry once told me that he would, “…never try to estimate time intervals in digital video with BOTH precision and accuracy.” While this might be an extreme view, it certainly reflects the challenges that face us.

We have attempted in this article to identify some of the important considerations in establishing the “reliability” of digital video used in forensic accident investigation. In subsequent articles, we will discuss some of these topics in more detail and introduce new topics of interest.

Posted in: Expert Witness, Security Technology, Video Forensics


Hacking Sony – Corporate culture broken from the top down

One of the questions I keep asking myself as I keep reading the dozens of recent articles about how Sony got hacked by “North Korea” is, why does Sony KEEP getting hacked?

The short answer is “because they can”.  But the longer answer points to a corporate culture that doesn’t understand the need for protection of information assets, or the people who are constantly after those assets.

On November 24, Sony discovered that its corporate network had been hacked. The attackers took terabytes of data, deleted the original copies from Sony computers, and left messages threatening to release the information if Sony didn’t comply with the attackers’ demands. But it was really much worse: not only was work disrupted as Sony’s IT professionals scrambled to recover lost data and restore data services, but much of the proprietary information of Sony Corp. was released into the public domain for everyone to see. Unreleased movies, private email conversations, celebrity contact information, social security numbers, passwords, and salary information were released into the wild. The damage will be felt for years to come.

I’m uncertain of the actual number of cyber attacks on Sony (and only Sony knows the real number), but this latest attack has to put it somewhere in the high teens. This attack was the latest of a string of attacks that has been happening since 2003, mostly related to Sony’s DRM policies and certain lawsuits over “hacking” the Sony PS3 platform. At least, that’s where I think it all began. Since then, it’s become the “hip” thing for black hats to do: hack Sony. The notion that North Korea is behind this latest attack as claimed seems pretty thin to us, and also to the FBI in their official statements so far.

But what really is the cause of this?  From what I have read, it looks like it stems from a top down culture of a lack of respect for information security.   Their IT security department is woefully thin, understaffed for a company of Sony’s stature, security equipment and software was not properly installed, policies not enforced, and even simple things like compartmentalization of data, like keeping performer contracts or salary information separate from other data sources, were apparently not properly implemented.   This seems odd, since much of the technology Sony has developed (or bought) for DRM and copyright protection is fairly sophisticated, and expensive to develop.

Skipping the technical aspects of what Sony should have done or should now do to protect itself from cyber threats, I will just propose in simple layman’s terms what a company in Sony’s position should consider across their corporate footprint.

  1. A top down philosophy of information security starting with corporate officers.
  2. Increased IT security staff and technology solutions to better identify, insulate and protect from cyber threats.
  3. Corporate wide training in information security, compartmentalization, best practices for data security and user authentication.
  4. Mandatory periodic password audits for all personnel (no prima donnas who can’t remember a password).
  5. Two step authentication for most or all access, especially to sensitive information repositories.
  6. Regular security audits for physical and IT security.
  7. Personnel background checks, exit interviews with binding nondisclosure agreements.
  8. Active content filtering for incoming and outgoing internet traffic, strict VPN use for remote sites, and GEO IP security filtering at the desktop level.
  9. Active enforcement of corporate policies and legal prosecution for data breach events by employees or contractors.

Meanwhile, the media will be poring over mountains of sensitive information they shouldn’t have, hoping to find the next juicy bit of “Sony Dirt” to release in its next news cycle.

Posted in: Security Technology, Vulnerability Analysis

Do You Know Where Your Power Supply Is?

We’ve all had it happen: either a bad battery or a blown fuse in a security power supply. It causes cameras to fail, a card access door to stop working, or a whole panel to fail.

Power supplies in their simplest sense do a very basic thing:  They turn 120 volts AC power to low voltage DC power for low voltage security devices such as cameras, card readers, alarm panels, or detection devices.   And while they have become more sophisticated, adding fused outputs, relay contacts for fire alarm disconnects (life safety egress for maglocks), and smart battery chargers, until recently it was up to the security integrator or maintenance staff to maintain the power supply by testing power and replacing batteries periodically.

In the IT world, just about everything is monitored – Computer servers, network switches, server room air conditioning and filtration units, UPS battery backup systems, even cameras in the data closet monitoring temperature, humidity, and noise levels.  Much of this information is sent via the Simple Network Management Protocol (SNMP).  This protocol is monitored by software that notifies console operations of the exact conditions or problems that may arise with hardware or software in the footprint.

Enter the power supply network module.  The Altronix LINQ2 is a new product that offers the same kind of monitoring capability used in the computer industry.

The Altronix LINQ2 network module is designed to interface with eFlow and MaximalF power supply/chargers. It enables power supply status monitoring and control of two (2) eFlow power supply/chargers over a LAN/WAN or USB connection. LINQ2 provides values on demand for AC fault status, DC current and voltage, as well as Battery fault status and reports conditions via SNMP.

Now security operations can be notified of potential problems and critical failures as they happen, or maybe even before.

For more information visit http://www.altronix.com/products/product.php?name=LINQ2


The Altronix LINQ2 SNMP Network Module

Posted in: Fire and Life Safety, New Equipment and Gadgets, Security Technology


PINs Matter


Hirsch Scramblepad

When working with a client once, they asked us to help harden their biological research labs by recommending additional security measures they could install. We did an initial and very casual walkthrough with them of the labs and how they were used. They were particularly proud of the Hirsch Scramblepads they had installed for access controlled doors. For those unfamiliar with these, they are an ingenious type of PIN pad where the numbers change each time you begin to enter your PIN sequence. This way, someone cannot peek merely at where your fingers were and assume that if you were at the bottom right of the pad, it was a 9. Anyway, they were (and still are in some circles) the Cadillac of PIN pads for access control.

As we began interviewing some of the lab staff, we asked how well they liked the keypads and how they were used. Most responded that they felt the keypads worked very well and were kind of “Star Wars” like because of their technology. We soon learned, however, that the PINs used were 4-digit PINs, and that there were a couple of hundred people who had access to these labs. To make it worse, departmental policy was that the individual was allowed to select their own PIN. Yikes.

So, I promptly walked up to a PIN pad, and entered “1234”.

“Click”.  The door opened.

Okay, “1379”.  “Click”.

Yep.  Hmmm, one more, “2468”.  “Click”.   Okay, I see the biggest problem…

The good news is it was a cheap fix. That doesn’t mean easy, it was just cheap. The long term fix was to add card access with CARD+PIN readers to enhance security; but in the meantime, we just increased the number of digits in the PIN, and assigned the PINs to the staff instead of letting them pick their own. That’s why it wasn’t easy. Some of the staff complained because now they had to learn a new PIN, and sometimes they forgot it, locking themselves out of the lab until they could remember it or get it reset. Memorizing a new number (don’t we have enough numbers, passwords, etc. to learn already?!) is not fun and shouldn’t be necessary just to get into work.

Reading this now, this all probably seems like common sense to you, and it is. It’s just that sometimes common sense isn’t used in practical applications the way we would always expect. Security is a hassle, an inconvenience. So, someone decided to make it easier on people and let them pick their own PIN. This is where Security Policy and Procedures come into play. They should be developed, implemented, maintained, and tested. Had a proper policy been conceived and applied to the issuance of access control PINs, our job wouldn’t have been so easy.

PINs Matter

Just like passwords, a weak PIN is worse than NO PIN at all, because it gives you a false sense of security when there really is none. If you still use only PINs, pick PINs of at least 8 digits, and ensure that they are unique for each user. But better still, couple a PIN with an additional level of access control such as card access or biometrics. After all, two levels of security are always better than one.
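One way to put the issuance policy described above into practice, as an added Python example that is not from the original post: audit existing PINs for guessable patterns and sharing, then assign unique random 8-digit PINs. The pattern rules are illustrative assumptions, and the deny-list is seeded only with the three PINs the post reports.

```python
import secrets
from collections import defaultdict

# The three PINs the post reports opening the door, used as a deny-list seed.
OBSERVED_WEAK = ("1234", "1379", "2468")


def is_weak(pin):
    """Flag PINs a person is likely to choose (rules are illustrative)."""
    digits = [int(c) for c in pin]
    steps = {(b - a) % 10 for a, b in zip(digits, digits[1:])}
    half = len(pin) // 2
    return (
        len(steps) <= 1                  # constant step: 1111, 1234, 2468, 9876
        or len(set(digits)) <= 2         # only two distinct digits: 1212, 7007
        or (len(pin) % 2 == 0 and pin[:half] == pin[half:])  # repeated half
        or any(w in pin for w in OBSERVED_WEAK)
    )


def audit(pins_by_user):
    """Return (users holding weak PINs, PINs held by more than one user)."""
    holders = defaultdict(list)
    for user, pin in pins_by_user.items():
        holders[pin].append(user)
    weak = sorted(u for u, p in pins_by_user.items() if is_weak(p))
    shared = {p: us for p, us in holders.items() if len(us) > 1}
    return weak, shared


def issue_pins(users, length=8):
    """Assign each user a unique random PIN instead of letting them choose."""
    issued, used = {}, set()
    for user in users:
        pin = None
        while pin is None or pin in used or is_weak(pin):
            pin = "".join(secrets.choice("0123456789") for _ in range(length))
        used.add(pin)
        issued[user] = pin
    return issued


def blind_guess_hit_rate(distinct_valid_pins, length):
    """On a PIN-only door any valid PIN opens it, so one random guess
    succeeds with probability (valid PINs) / (possible PINs)."""
    return distinct_valid_pins / 10 ** length
```

Taking "a couple of hundred" as 200 distinct PINs (an assumption), `blind_guess_hit_rate(200, 4)` is 0.02, one random guess in fifty, while the same population on 8-digit PINs gives 0.000002.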

 

 

Posted in: Access Control, Security Technology
