Security-related events and commentary from around the web, with emphasis on issues that affect physical, electronic, and data security management.
Several articles floated up recently that are worth review:
1. Business Intelligence in Retail
From Axis Communications, a summary of an LPRC study commissioned in late 2012 that addresses retailers’ adoption and use of IP video. Not surprisingly, the data shows an increase in the number of companies seeking sales, operations, and marketing improvement through the use of intelligent video (video analytics). This is reassuring, since image quality and resolution have consistently been cited as the primary motivators for IP video even as their actual value continues to be debated. Of the ~25% of respondents who reported that business intelligence was a primary factor in selecting IP video:
- People Counting was by far the most used non-LP analytic application, with 46.3 percent of respondents deploying this feature, up from 27 percent in 2010;
- Dwell Time Analysis (20 percent) and Heat Map or Hot/Cold Zone (18.2 percent) usage increased in 2012, while 38.3 percent of respondents use video analytics to detect POS fraud;
- Queue Counters are used by less than 10 percent of companies surveyed, yet 50 percent say they may use this application in future. Similarly, while no respondents said they utilize Out of Stock Alerts today, more than 56 percent say they may use them in the future;
- Nearly 32 percent of respondents utilize surveillance to help analyze “shopping & buying behavior,” with 20 percent using video to measure shelf and product placement effectiveness.
2. Big Data Requires a Cautious Approach
Beware the Errors of Big Data summarizes Nassim Taleb’s position that big data must be used with great care in order for it to be useful. His primary observation is that “modernity provides too many variables, but too little data per variable. So the spurious relationships grow much, much faster than real information. In other words: Big data may mean more information, but it also means more false information.”
He argues that this is not necessarily bad, however: big data is well suited to debunking a theory or conclusion, even though it is a poor basis for drawing new ones, since so many of the relationships it surfaces are spurious.
As the claims around big data continue to make their way into the video intelligence, security and integration space, the article (and the author’s book, Antifragile) are worth a read.
3. SD Card Video Storage (recording at the edge)
From SDM Magazine comes an article on the current state of SD card (flash memory) storage for video. While it only addresses the current trend of cameras supporting off-the-shelf SD memory cards, and not more reliable types of flash memory, the article does touch on some of the applications and limitations of this approach. Thanks to demand from the consumer market – driven by tablets, high megapixel cameras, and ultrabooks – the capacity, cost and reliability of SD cards are improving constantly. For many commercial and residential applications, it is virtually certain that this type of distributed recording will be the norm in just a few years. It will be a welcome and exciting change for end users and service providers – and a terrifying one for DVR/NVR vendors who haven’t yet figured out their migration to a cloud/SaaS model.
In the security industry, it seems that hardly a day goes by without a pitch for a new cloud-enabled service or managed device. While this may be true of numerous industries, the fragmentation of the market, range of sales channels, and large number of broad/overlapping concepts (e.g. “business intelligence” and “big data”) make for an especially confusing space without clear leaders. When you factor in a huge base of outdated equipment, marketing hype around certain technologies, and fuzzy ROI math, understanding your options becomes even more difficult.
A simple example of the state of technology maturity can be seen in today’s residential automation and security platforms. It is trivial to connect a few IP cameras and lighting automation modules to your home network. Likewise, your home security provider probably offers a control panel that supports networked communication – via your ISP or cellular – enabling features like remote arming/disarming and a virtual keypad to control other functions via a smartphone. The problems are encountered as soon as one attempts to integrate these point solutions into something more user friendly (and functional). Unless all of the cameras, modules, and other devices are provided by the same company, the odds of controlling all of them using a single interface are almost zero. Likewise, communicating between devices, monitoring alerts/failures, and aggregating data are made significantly more complex – all thanks to a lack of standards, closed architectures, and business models that rely on limiting your options.
For commercial customers – especially retailers – there are dramatically more complex offerings available. Video analytics can be used to count customers, measure wait time at the register, and determine which aisles and displays draw the most attention. Customer counts can be compared with sales to determine “conversion,” driving bonuses for store employees, and suspicious transactions can be flagged and investigated thoroughly by matching register transactions with intelligent video recording. Increasingly, systems that were traditionally standalone, such as HVAC, lighting, refrigeration, and EAS (Electronic Article Surveillance) are being monitored with the goal of creating a more holistic picture of store operations. Finally, there are a number of new entrants to the BI (Business Intelligence) space that specialize in remote video-based auditing, gathering of customer demographics/habits, and the deployment of smart displays and RFID, among many others. Like the residential example above, most of these exist as independent solutions, often provided and maintained by separate companies, using different communication protocols, reporting methods, and networks/clouds.
The problem of multiple providers and disparate systems is, of course, nothing new – but the growth of broadband networks, ubiquity of smartphones, and the value of remote control and data collection have converged to enable countless solutions that would not have been practical to develop just a few years ago. This makes for an exciting, if somewhat confusing, time as customers weigh their many options and vendors scramble to differentiate their offerings.
So how does all of this relate to the “risks and costs of the cloud?”
Symantec recently published a report titled “Avoiding the Hidden Costs of the Cloud” in which they identify a number of security and expense-related issues that organizations encounter when deploying services haphazardly. From the report:
However, in a rush to implement cloud, there are a host of hidden costs unwary organizations may face.
These costs are easily avoided with a little foresight and planning, but only if IT knows where to look.
The report was not created to address security or BI systems specifically, but many of their observations and conclusions apply. Among them:
- Increasing use of “rogue” clouds
- Compliance, privacy, and eDiscovery issues related to offsite data collection
- Inadequate use of SSL (encryption) technology
Not directly addressed in the report are the potential issues related to adding edge devices such as people counters, IP cameras, and other control systems that feed data to the cloud. These include creating unintentional vulnerabilities across the enterprise network, the cost of patching and monitoring the hardware, and the increased reliance on a specific vendor for basic system functionality. These are critical considerations in security/BI rollouts, but they are frequently overlooked, especially at the early stages when the focus is on an exciting new feature or technology.
As Symantec points out, involving IT at the outset is a critical success factor when working to avoid unnecessary risk and cost. When almost every new solution requires a separate communication pathway, monthly fee, and reporting system – it is easy to see how the oversimplified notion of “the cloud” can spiral into an unmanageable and expensive program.
Opportunities abound to begin to make sense of all of this, and a number of providers are taking admirable first steps. In a future article, I will propose one method by which organizations can mitigate risk and streamline their approach to adding new data/control points to their enterprise.
Brian Krebs recently posted another entry to his detailed and entertaining catalog of skimming devices, available at Krebs on Security. The device in question was found inside the credit card terminals of a yet-to-be-named U.S. retailer, and is presently being evaluated by Trustwave SpiderLabs. By itself, this is not particularly newsworthy, since there have been many similar cases involving devices attached to PIN pads at retailers like Barnes and Noble, as well as skimmers on/inside gas pumps and ATMs. So what makes this one interesting? The engineering and installation are worth a closer look:
- The stolen data is encrypted using AES before being stored/transmitted
- Card numbers and PINs can be retrieved by Bluetooth, and optionally, via cellular
- The microprocessor was secured against tampering (lock bit set)
- The PCB appears to have been produced professionally
- There was delicate soldering work required to attach the device inside the credit card terminal
There is [very reasonable] speculation that the skimming devices were installed either early in the card terminal supply chain, prior to installation, or that the terminals were swapped out at some point with modified versions. Given the complexity of the connections, it is highly unlikely that the devices could have been modified on-site, even by a dishonest service technician.
The quality of these devices is increasingly impressive, and it seems plausible that future versions will be integrated into replacement system boards or peripherals, making their identification even more difficult.
Here are some photos of the Bluetooth skimming module:
There was a good article in The Atlantic recently on the subject of privacy, and specifically, how the concept of obscurity is often a better way to think about data in our highly connected world. It primarily addresses the new “Graph Search” that Facebook is rolling out, but there are broader comments that have relevance to physical security professionals.
From the article:
“While many debates over technology and privacy concern obscurity, the term rarely gets used. This is unfortunate, as ‘privacy’ is an over-extended concept. It grabs our attention easily, but is hard to pin down. Sometimes, people talk about privacy when they are worried about confidentiality. Other times they evoke privacy to discuss issues associated with corporate access to personal information. Fortunately, obscurity has a narrower purview.
Obscurity is the idea that when information is hard to obtain or understand, it is, to some degree, safe. Safety, here, doesn’t mean inaccessible. Competent and determined data hunters armed with the right tools can always find a way to get it. Less committed folks, however, experience great effort as a deterrent.”
The article goes on to mention video analytics technologies that are still coming into their own:
“Likewise, claims for ‘privacy in public,’ as occur in discussion over license-plate readers, GPS trackers, and facial recognition technologies, are often pleas for obscurity that get either miscommunicated or misinterpreted as insistence that one’s public interactions should remain secret.”
It is safe to expect legislation restricting the type and use of data collected in public spaces, but opinions vary widely about how the laws will be crafted, enforced, and how well they will hold up under challenge. Consider a few possible use-cases for video analytics and whether they might run afoul of laws designed to protect citizens’ rights:
- Facial recognition software in retail stores that alerts employees to the presence of a potential shoplifter, based on a database of suspects (previously apprehended or captured on video), developed and stored on the retailer’s private network.
- As above, but using a database of “suspects” compiled collaboratively with multiple retailers, and shared between them.
- License plate recognition software placed at the entry/exit of a hotel parking ramp, mall parking lot, or even a neighborhood.
Clearly, these applications could greatly enhance an active security program, improve the quality of evidence, and, over time, create additional deterrence. The problem is that while the “data” has been gathered for years via cameras connected to recording equipment, the ease of use and availability thanks to video analytics changes the conversation. In other words, the level of obscurity is diminishing, which is likely to disturb privacy advocates – especially as the use of the data makes headlines and appears more often in litigation.
Organizations using video analytics today must plot their own course. A previous post referenced proposed FTC facial recognition guidelines – but we’re a long way from adoption. For better or worse, the limits on this technology are likely to be decided in the courts. My hope is that we strike a good balance, allowing careful and effective use that better protects us all. Integrators and end-users can do their part by considering each project from a private citizen’s point of view prior to implementation. Exposing too much data, or using it too aggressively is certain to bring the wrong kind of attention.
More reading on this subject can be found here:
Details are sketchy, but the video below purports to show a hacker gaining root access to a WeMo WiFi-controlled switch. The module is part of a family of basic home control products that enable control, triggering, and scheduling of connected devices. Since most applications involve lighting control and other relatively mundane things, the severity of such a vulnerability is low – but where sensitive or potentially dangerous equipment is connected (e.g. computers, amplifiers, space heaters, motors), the risks are much greater. In the demonstration, the hacker causes the WeMo to cycle power to a lamp very rapidly – fine for a traditional light bulb, but potentially damaging to other types of equipment.
A key feature of the WeMo devices is the ability to control them via the Internet using a mobile app, so if the vulnerability can be exploited remotely (as has been reported), the problem is that much worse.
The latest in a string of DVR and IP camera vulnerabilities was posted last week by a blogger using the pseudonym “someLuser” and affects an OEM design from RaySharp whose products are reportedly sold under a number of brand names, including Swann, Lorex, KGuard, Zmodo, Hi-View, Soyo, and others. These are often sold direct-to-consumer in kit form, bundled with several cameras and remote viewing software.
In the post, the blogger provided example scripts to demonstrate several exploitable weaknesses in the DVRs, including:
- Unauthenticated access to the device configuration files
- Ability to view usernames and passwords in clear text
- Ability to execute system commands as root (after obtaining the passwords)
The security researchers at Rapid7 (who help maintain and distribute the Metasploit framework) attempted to determine the number and location of systems exposed to the Internet by searching for the devices’ web interface signatures. This effort identified over 58,000 unique IPs in over 150 countries running these vulnerable platforms – 19,000 of which were located in the U.S. (A chart of the geographic distribution can be seen here)
As discussed previously, embedded systems are often found to have similar vulnerabilities, but they are usually hidden behind a firewall, which limits an attacker’s ability to locate or reach them. Since DVRs are routinely placed in DMZs or otherwise exposed to the Internet (remote viewing is a selling point of these kits), their vulnerabilities are much easier to exploit. For devices that are exposed to the Internet and also communicate on a private LAN/WAN, the risks posed by insecure firmware are potentially significant: a compromised DVR becomes a foothold inside the network.
As of this writing, there are no known patches or updates that address the problem. Concerned users should consider removing the devices from their network, or disabling access via the Internet.
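Rapid7’s count came from matching the devices’ web-interface signature, and the someLuser post showed that configuration data (credentials included) was served without authentication. The following Python script is an added example, not code from either write-up, that puts the two checks together so an owner can test their own DVR: it fetches the index page and a configuration path with no credentials, then reports whether the signature matched, whether the configuration came back to an anonymous client, and which cleartext credential-like entries it contained. The SIGNATURES strings and CONFIG_PATH are placeholders, not the real RaySharp values, and the sample responses are constructed, not captured from a device.

```python
import re
import socket
from dataclasses import dataclass, field
from typing import List, Tuple

# ASSUMED placeholders for illustration; substitute the real strings for the
# device under test (they are not the RaySharp values).
SIGNATURES = (b"Server: DVR-HTTPD", b"<title>DVR Login</title>")
CONFIG_PATH = "/device.cfg"

# key=value or key: value lines whose key looks like a username or password
CRED_RE = re.compile(rb"^\s*(user(?:name)?|pass(?:word)?)\s*[=:]\s*(\S+)", re.I | re.M)


@dataclass
class Finding:
    signature_match: bool            # index page looks like the DVR web UI
    config_unauthenticated: bool     # config path returned 200 with a body, no auth sent
    credentials: List[Tuple[str, str]] = field(default_factory=list)


def split_response(raw: bytes):
    """Return (status_code, headers, body) from a raw HTTP/1.x response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0]
    try:
        status = int(status_line.split()[1])
    except (IndexError, ValueError):
        status = 0
    return status, head, body


def assess(index_response: bytes, config_response: bytes) -> Finding:
    """Pure analysis step, so it can be run offline on saved or constructed responses."""
    _, idx_head, idx_body = split_response(index_response)
    sig = any(s in idx_head + idx_body for s in SIGNATURES)
    cfg_status, _, cfg_body = split_response(config_response)
    unauth = cfg_status == 200 and len(cfg_body) > 0
    creds = [(k.decode(), v.decode()) for k, v in CRED_RE.findall(cfg_body)] if unauth else []
    return Finding(sig, unauth, creds)


def http_get(host: str, path: str, port: int = 80, timeout: float = 5.0) -> bytes:
    """Minimal raw GET. No Authorization header is sent on purpose: a 200 on
    CONFIG_PATH therefore means the device handed its configuration to an
    anonymous client."""
    req = f"GET {path} HTTP/1.0\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req)
        chunks = []
        while True:
            c = s.recv(4096)
            if not c:
                break
            chunks.append(c)
    return b"".join(chunks)


def scan(host: str, port: int = 80) -> Finding:
    """Network step; only run this against devices you own or are authorized to test."""
    return assess(http_get(host, "/", port), http_get(host, CONFIG_PATH, port))


# Constructed sample responses (not captured from a real device).
SAMPLE_INDEX = (b"HTTP/1.1 200 OK\r\nServer: DVR-HTTPD\r\nContent-Type: text/html\r\n\r\n"
                b"<html><title>DVR Login</title></html>")
SAMPLE_CONFIG = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
                 b"[net]\nip=192.0.2.10\n[auth]\nusername=admin\npassword=123456\n")
SAMPLE_CONFIG_DENIED = b"HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"DVR\"\r\n\r\n"

if __name__ == "__main__":
    print("exposed device :", assess(SAMPLE_INDEX, SAMPLE_CONFIG))
    print("config protected:", assess(SAMPLE_INDEX, SAMPLE_CONFIG_DENIED))
```

The analysis is separated from the network fetch so the same logic can be run against responses saved from a packet capture. After moving a DVR behind the firewall or disabling its Internet-facing port, the result you want from the outside is a connection failure, not merely a 401 on the configuration path.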
Frank Mayer and Associates has a free whitepaper available at their website that provides an overview of the design concepts, benefits, and challenges of theft deterrent merchandise displays. Since Frank Mayer manufactures such products, their perspective includes things not often considered by those who are primarily security-focused, such as the number of product facings and the ways to integrate dummy and demo product into the fixture design.
It is a good primer for anyone interested in learning how retailers attempt to create a positive customer experience while managing risk.
Note that a short registration form must be filled out at this link prior to downloading the whitepaper.
The EAX-300 from Detex is a battery-operated alarm with integrated delay timer. This allows free short-term use of a door, while monitoring for a “propped open” condition. Common applications include:
– Rear Receiving Doors
– Server Rooms and Data Closets
– Vault / Cash Offices
– Employee / Stairwell Doors
The alarm delay is adjustable between one second and four minutes, and the unit can be deactivated via key when necessary. It is important to note that once the alarm sounds, it can be silenced by simply closing the door, unlike similar alarms that require a key to reset. This will be seen as a pro or con, depending on the application.
Since the device requires no cabling, it would be simple to retrofit into existing spaces. For new construction and remodels, a cabled solution would have the advantages of being powered remotely (no batteries to change) and could be partially concealed for better aesthetics and security. It should also be noted that the trend is toward gathering and reporting such events to improve policy compliance and link them to video – which requires a more intelligent system. The Detex device is elegant in its simplicity, comes from a reputable manufacturer, and is definitely worth considering for low-security applications.
Complete specs can be viewed here.
In the 4th quarter of 2012, the DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) responded to multiple instances of power plant and utility control systems being infected with malware. In at least two of these, featured in ICS-CERT Monitor articles, infected USB drives were identified as the means of transmission. Both cases illustrate the need for rigid backup and removable device policies. In one, the drive was used as the sole method of backing up critical workstations; in the other, a third-party technician unwittingly infected equipment while updating software from a USB drive. An important reminder to all who service networked devices…
As discussed in previous posts (see Hardware Hacking category), vulnerabilities in equipment connected directly to the Internet are capturing most of the attention these days. ICS-CERT recently summarized “Project SHINE,” which filtered and researched systems identified via the SHODAN search engine, looking for those most likely to control critical infrastructure. In the end, they determined that 7,200 devices (out of an initial list of more than 500,000) were directly related to control systems. With assistance from ICS-CERT, the group of researchers has been notifying owners about the potential exposure to attack, but this issue will be with us for a long time to come.
ICS-CERT also published a summary of the incidents by sector for 2012:
Additional Information about SHINE: “SHINE stands for SHodan INtelligence Extraction. Managed by Bob Radvanovsky and Jake Brodsky of InfraCritical, it is a project to locate probable sites where control systems hardware may be running openly (without encryption or authentication of any sort) on the Internet. These include everything from hospital patient monitoring systems, building automation, Distribution SCADA RTUs, PLC gear, smart meters, traffic control systems, point of sale systems, security and fire alarm systems, and so on.”
The Shodan search engine can be found here.
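What “running openly (without encryption or authentication of any sort)” means in practice is easiest to see on the wire. The following Python script is an added example, not part of the original post or of the SHINE or ICS-CERT tooling: it builds a Modbus/TCP Read Device Identification request (function 0x2B, MEI type 0x0E, a standard part of the Modbus application protocol) and parses the reply. No credential exists anywhere in the exchange, so any host that can reach TCP/502 can ask a PLC who it is, and with other function codes can read and write its registers. The reply bytes are constructed for the example, and the vendor and product strings in them are placeholders.

```python
import socket
import struct

MODBUS_PORT = 502
FC_ENCAPSULATED_INTERFACE = 0x2B   # Encapsulated Interface Transport
MEI_READ_DEVICE_ID = 0x0E          # MEI type: Read Device Identification
BASIC_OBJECT_NAMES = {0: "VendorName", 1: "ProductCode", 2: "MajorMinorRevision"}


def build_read_device_id(transaction_id: int = 1, unit_id: int = 1,
                         read_id_code: int = 1, object_id: int = 0) -> bytes:
    """Request frame. read_id_code 1 = basic identification (vendor, product, revision)."""
    pdu = struct.pack(">BBBB", FC_ENCAPSULATED_INTERFACE, MEI_READ_DEVICE_ID,
                      read_id_code, object_id)
    # MBAP header: transaction id, protocol id (0 = Modbus), length (unit id + PDU), unit id
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_read_device_id(frame: bytes) -> dict:
    """Parse a reply; returns {"error": code} for a Modbus exception response."""
    if len(frame) < 7:
        raise ValueError("short frame")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    pdu = frame[7:7 + length - 1]
    if pid != 0 or len(pdu) < 1:
        raise ValueError("not a Modbus/TCP frame")
    fc = pdu[0]
    if fc == FC_ENCAPSULATED_INTERFACE | 0x80:
        # exception: function code with high bit set, followed by the exception code
        return {"error": pdu[1] if len(pdu) > 1 else None}
    if fc != FC_ENCAPSULATED_INTERFACE or pdu[1] != MEI_READ_DEVICE_ID:
        raise ValueError("unexpected function or MEI type")
    # fc, MEI, read id code, conformity level, more follows, next object id, object count
    _, _, _, conformity, more_follows, _, count = struct.unpack(">BBBBBBB", pdu[:7])
    objects = {}
    pos = 7
    for _ in range(count):
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + obj_len]
        name = BASIC_OBJECT_NAMES.get(obj_id, f"Object{obj_id:#04x}")
        objects[name] = value.decode("ascii", "replace")
        pos += 2 + obj_len
    return {"transaction_id": tid, "unit_id": uid, "conformity_level": conformity,
            "more_follows": bool(more_follows), "objects": objects}


def query_device(host: str, port: int = MODBUS_PORT, timeout: float = 3.0) -> dict:
    """Live query; run only against equipment you own or are authorized to test."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_read_device_id())
        return parse_read_device_id(s.recv(260))


def _build_sample_reply() -> bytes:
    """Constructed reply (not captured from a real PLC) with placeholder identity strings."""
    objs = b"".join(bytes([i, len(v)]) + v
                    for i, v in enumerate([b"ExampleCo", b"PLC-1", b"1.0"]))
    pdu = struct.pack(">BBBBBBB", FC_ENCAPSULATED_INTERFACE, MEI_READ_DEVICE_ID,
                      1, 1, 0, 0, 3) + objs
    return struct.pack(">HHHB", 1, 0, len(pdu) + 1, 1) + pdu


SAMPLE_REPLY = _build_sample_reply()
# Constructed exception reply: illegal function (code 0x01), e.g. a device that
# does not implement 0x2B.
SAMPLE_EXCEPTION = struct.pack(">HHHB", 1, 0, 3, 1) + bytes([FC_ENCAPSULATED_INTERFACE | 0x80, 0x01])

if __name__ == "__main__":
    print("request:", build_read_device_id().hex())
    print("reply  :", parse_read_device_id(SAMPLE_REPLY))
    print("except :", parse_read_device_id(SAMPLE_EXCEPTION))
```

Eleven bytes on the wire are enough to fingerprint a controller, which is why the SHODAN index is such a useful starting point for projects like SHINE and for attackers alike. The only effective control is the network boundary: Modbus/TCP has no authentication to turn on, so these ports must not be reachable from the Internet at all.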
An article detailing some of the projects being considered for the “DARPA Innovation House” should pique the interest of anyone working with video analytics and surveillance.
From the project website: “The DARPA Innovation House is a study into the feasibility of effective software design and development in a short-fuse, crucible-style living and working environment. DARPA selected imagery analysis as the topic for the effort. DARPA aims to show that small teams of highly focused, collaborative developers operating under extremely short deadlines can make breakthroughs in automatically obtaining meaning from photos, videos, geospatial data and other imagery-related data.”
The proposed areas of study include:
- Petavision: Multi-Modal Approaches to Real-Time Video Analysis
Biologically-inspired, hierarchical neural networks to detect objects of interest in streaming video by combining texture/color, shape and motion/depth cues.
- GOSE (Geospatial-Oriented Structure Extraction): Structure Extraction from Imagery
Automatic construction of a 3D wireframe of an object using as few images as possible from a variety of angles.
- Videovor: Visualization of Video Information
Software that fragments and re-models linear time of video content to cluster big pools of related data in a 3D interactive interface for human analysis.
The full list can be found here.
Several of the projects have the potential to benefit security and loss prevention systems, so their progress will be interesting to watch.