Security Resources

Archive for the General Site Category

DoS Attacks on Call Centers?

This is worth keeping an eye on. If the perpetrators’ focus shifts to private enterprise or provider central monitoring stations, it could create entirely new problems for our industry:

From CSO Online:

Your emergency call centers may be under attack soon
Federal law enforcement officials are reporting a rise in attacks in which the telephone lines of emergency call centers are flooded with bogus calls by extortionists whose demands for cash are refused. “The entire number of attacks is rising,” said Rod Wallace, vice president of services for SecureLogix. The increase is seen across organizations, public and private. Typically, the motivation is to extort money or to protest a particular political or social cause. In the latest attacks, someone with a heavy accent calls the center, known as a public-safety answering point, claiming to be with a collections company for payday loans. The caller then demands a payment of $5,000 to cover the outstanding debt of a former employee or sometimes for someone who never worked at the center. When the demands are refused, the TDoS attacks begin, lasting for intermittent periods over several hours.

Destructive Malware – The New Trend?

The concerning trend of malware being used to create mayhem within an organization or across a large population of disparate devices seems to be here to stay.

Within the security industry, one must think about what the response needs to be if, for example, enterprise security systems were targeted in such a way as to bring them down for days at a time. Whether through a vulnerability in the OS, connected devices (IP cameras, etc…), or software that manages the system(s), the threat is real. It is plausible that targeting physical security systems will be especially attractive due to the potential for capturing “private” video, interacting with the physical world (door control, sounding alarms), or gaining notoriety for breaching systems that are perceived as more secure than others.

More on the topic can be found here.

Is Everything We Know About Password Stealing Wrong?

From Microsoft Research comes an interesting article about the viability of password stealing as a criminal business (in the context of committing financial fraud/theft). Here is a summary:

Federal Reserve Regulation E guarantees that US consumers are made whole when their bank passwords are stolen. The implications lead us to several interesting conclusions. First, emptying accounts is extremely hard: transferring money in a way that is irreversible can generally only be done in a way that cannot later be repudiated. Since password-enabled transfers can always be repudiated, this explains the importance of mules, who accept bad transfers and initiate good ones. This suggests that it is the mule accounts rather than those of victims that are pillaged. We argue that passwords are not the bottle-neck, and are but one, and by no means the most important, ingredient in the cyber-crime value chain. We show that, in spite of appearances, password-stealing is a bad business proposition.

Link to the full report.

Risks and Costs of “The Cloud”

In the security industry, it seems that hardly a day goes by without a pitch for a new cloud-enabled service or managed device. While this may be true of numerous industries, the fragmentation of the market, range of sales channels, and large number of broad/overlapping concepts (e.g. “business intelligence” and “big data”) make for an especially confusing space without clear leaders. When you factor in a huge base of outdated equipment, marketing hype around certain technologies, and fuzzy ROI math, understanding your options becomes even more difficult.

A simple example of the state of technology maturity can be seen in today’s residential automation and security platforms. It is trivial to connect a few IP cameras and lighting automation modules to your home network. Likewise, your home security provider probably offers a control panel that supports networked communication – via your ISP or cellular – enabling features like remote arming/disarming and a virtual keypad to control other functions via a smartphone. The problems are encountered as soon as one attempts to integrate these point solutions into something more user friendly (and functional). Unless all of the cameras, modules, and other devices are provided by the same company, the odds of controlling all of them using a single interface are almost zero. Likewise, communicating between devices, monitoring alerts/failures, and aggregating data are made significantly more complex – all thanks to a lack of standards, closed architectures, and business models that rely on limiting your options.

For commercial customers – especially retailers – there are dramatically more complex offerings available. Video analytics can be used to count customers, measure wait time at the register, and determine which aisles and displays draw the most attention. Customer counts can be compared with sales to determine “conversion,” driving bonuses for store employees, and suspicious transactions can be flagged and investigated thoroughly by matching register transactions with intelligent video recording. Increasingly, systems that were traditionally standalone, such as HVAC, lighting, refrigeration, and EAS (Electronic Article Surveillance) are being monitored with the goal of creating a more holistic picture of store operations. Finally, there are a number of new entrants to the BI (Business Intelligence) space that specialize in remote video-based auditing, gathering of customer demographics/habits, and the deployment of smart displays and RFID, among many others. Like the residential example above, most of these exist as independent solutions, often provided and maintained by separate companies, using different communication protocols, reporting methods, and networks/clouds.

The problem of multiple providers and disparate systems is, of course, nothing new – but the growth of broadband networks, ubiquity of smartphones, and the value of remote control and data collection have converged to enable countless solutions that would not have been practical to develop just a few years ago. This makes for an exciting, if somewhat confusing, time as customers weigh their many options and vendors scramble to differentiate their offerings.

So how does all of this relate to the “risks and costs of the cloud?”

Symantec recently published a report titled “Avoiding the Hidden Costs of the Cloud” in which they identify a number of security and expense-related issues that organizations encounter when deploying services haphazardly. From the report:

However, in a rush to implement cloud, there are a host of hidden costs unwary organizations may face.
These costs are easily avoided with a little foresight and planning, but only if IT knows where to look.

The report was not created to address security or BI systems specifically, but many of their observations and conclusions apply. Among them:

  • Increasing use of “rogue” clouds
  • Compliance, privacy, and eDiscovery issues related to offsite data collection
  • Inadequate use of SSL (encryption) technology

Not directly addressed in the report are the potential issues related to adding edge devices such as people counters, IP cameras, and other control systems that feed data to the cloud. These include creating unintentional vulnerabilities across the enterprise network, the cost of patching and monitoring the hardware, and the increased reliance on a specific vendor for basic system functionality. These are critical considerations in security/BI rollouts, but they are frequently overlooked, especially at the early stages when the focus is on an exciting new feature or technology.

As Symantec points out, involving IT at the outset is a critical success factor when working to avoid unnecessary risk and cost. When almost every new solution requires a separate communication pathway, monthly fee, and reporting system – it is easy to see how the oversimplified notion of “the cloud” can spiral into an unmanageable and expensive program.

Opportunities abound to begin to make sense of all of this, and a number of providers are taking admirable first steps. In a future article, I will propose one method by which organizations can mitigate risk and streamline their approach to adding new data/control points to their enterprise.

Next Generation Product Protection Coming Soon…

Tamper-Resistant Packaging

In the works for several years, this new packaging uses graphene printing technology (conductive ink) to create a concealed, low-cost circuit that is destroyed when opened. A battery-operated module sounds an alarm if someone attempts to cut or open the package before purchase. The alarm module would be removed at the point of sale and reused.

The solution, offered by MeadWestvaco, promises to reduce the cost and complexity of other product protection devices such as alarming wraps (aka SpiderWraps™) and boxes (aka Keepers or Safers). The idea that almost any size product could be protected by the same snap-on alarm module would have broad appeal within retail. Today, it is common for each store to stock numerous sizes of wraps, boxes, and tags – with some merchandise lacking desired protection solely due to its shape. The cost to store and apply these devices can be significant, but when the alternative is locking up merchandise, most retailers find it acceptable. Numerous studies have shown that securing products in cabinets or behind checkout counters results in a significant reduction in sales, compared with open-display merchandising.

The “Natralock® with Siren™” may have an additional tamper-resistant benefit, since the circuit shape and location is embedded within the layers of packaging material. As long as the alarm module and its connections to the packaging are not easily defeated, the system as a whole could prove to be more difficult to bypass without triggering an alarm.


Another new type of product protection technology is being offered by Proteqt. The solution consists of a “lock” that can be placed on products at the point of manufacturing or packaging, and is electronically released at the point of sale using radio frequency communication. Upon opening the packaging, the purchaser is able to remove and discard the lock. A review of the manufacturer’s website provides little detail about the security involved in the unlocking process, but it is presumably [hopefully] several steps above the magnetically-released locks found in most store-applied security tags.

This category of products is called “benefit denial” because an attempt to remove the lock before it is deactivated results in damage to the merchandise, typically rendering it unusable or unsaleable. Related products include clothing security tags containing ink capsules that break if the tags are forcibly removed, and DVD packaging with “teeth” that tear into the product unless removed using a special key.



Resources Added

A new section has been created on the site for posting helpful resources and links.

You will see that “Resources” has been added to the top menu bar, and includes these items to start:

Video Resolution Information – with acronyms and dimensions of popular formats. A great reference that is also available as a PDF.

Industry links – Chances are, most of these will be familiar, but this list will be curated to contain only the best sources of information on the web.

POS Malware Found in 40 Countries

As reported by the Israel-based IT security firm, Seculert, malware has been found in POS systems in 40 countries, stealing credit card information from hundreds of thousands of consumers. Why should this matter to security integrators? Read on…

“Dexter” – the name given to the malware – appears to target Windows-based systems and servers, and uses a command and control server to tailor attacks and collect stolen data. It is custom-made, and has been used over the past 2-3 months to infect hundreds of POS systems. Some of the targeted systems include big-name retailers, hotels, restaurants and even private parking providers.

One of the unknowns is the method of delivery, since many of the affected systems are servers which would typically not be used for web browsing or other common tasks which might result in infection. It is believed that the attackers may have compromised other computers or devices on the same network, then launched an attack on the server from inside the target’s network.

Once installed, Dexter looks for processes that correspond to specific POS systems, and when it finds them, dumps the memory and parses it for credit card (track one and two) information to send to the C&C server. End-to-end encryption, which protects data from the card reader all the way to the payment processor, would prevent the attack from being successful – but adoption of this technology is slow due to the cost of new hardware.

Security integrators should be concerned about the possibility of their hardware being an attractive vector for future attacks. With the proliferation of DVR/NVR systems (and other security equipment) that integrate with POS – or those that simply share the store LAN/WAN – attackers may find these targets irresistible. PC-based video recorders, in particular, would provide a powerful platform from which to probe the network and infect vulnerable systems. See this post for additional thoughts on the subject.

Mandated Video Surveillance Passes in Pine Bluff, AR

This is an update to the post titled “Mandated Video Surveillance – Let’s Hope Not…”

According to the Pine Bluff Commercial newspaper, the Pine Bluff City Council passed a revised version of the ordinance that requires certain businesses to install and maintain video surveillance systems. Though well intentioned, the ordinance appears to have been watered down so thoroughly that it is little more than a suggestion – while requiring taxpayer resources to manage compliance.

Initially, the ordinance called for fines of up to $1,000, but after public and council discussions, the fine was decreased to $25 per violation. Businesses open before Jan. 1, 2013, are exempted – unless they make five or more calls to police regarding criminal activity, in which case compliance becomes compulsory. Prominent signage that a business is being monitored by security cameras is also part of the ordinance.

The Pine Bluff fire department will verify surveillance system functionality during annual inspections, and also perform random checks. If a system is found to be below the standards (which do not seem to be defined/published yet), the case is referred to the police department for verification and enforcement. The only specifics so far about what is required are that a business install “one or more” cameras, and that they may not be left inoperable or deliberately deactivated. Hopefully there will be more detail in the final version of the ordinance. If not, I suppose a single camera in the broom closet of a convenience store would pass inspection…?!

See the report from the local news below:

Curious About Ransomware? Read On…

It is bad enough to experience a “typical” virus or malware infection on your computer. With luck, you catch it early and scrub the problem with software tools. Worst case, you reformat and reinstall your OS, restoring files from your [always up to date!] backups. “Ransomware,” however, introduces a particularly insidious component that justifies extra caution and preparation…

In short, and as the name implies, this malware variant is intended to hold your files and/or system “hostage” until a fee is paid. This is often done by encrypting personal files on the hard drive. You haven’t lost any data (yet), but without the key, you cannot access it. As you might expect, it is common for victims to pay the hacker and never receive instructions for decrypting their files.

An interesting twist on the scheme involves locking the operating system itself, and displaying a screen that accuses the user of a range of crimes, from copyright violations to child pornography. The message claims to be sent from the FBI, and instructs the user to pay a “fine” in order to unlock their machine. Here is a screenshot of one such scam:


The best defense against ransomware is, of course, a good offense. The use of quality anti-virus and anti-malware tools is a must, and limiting the use of scripting and plug-ins within your browser will also help (check out NoScript for this). Most important is a good backup strategy. Full “offline” backups should be done frequently, with incremental backups to protect the most recent files. These measures will reduce your exposure, but are still no guarantee that you won’t be hacked. Also important is resisting the temptation to pay the hacker for what seems like a “quick fix.” You’ll never be sure that your data will be released, and the thieves could easily leave behind spyware or otherwise target you again – after all, you paid once…

More Information and Resources:

TechWorld: Ransom malware gangs making huge profits, Symantec discovers
Here is the Symantec report referenced in the article above.
New York Times: For PC Virus Victims, Pay or Else
Malwarebytes: Ransomware

Theft and Security Statistics Links – Anchor Post

This post will be updated periodically with statistics, links, and other information related to shoplifting, theft/fraud, and the security industry in general.


Shoplifting & Loss Prevention Studies & Stats

12-07-2012: Centre for Retail Research “Shoplifting for Christmas 2012”

12-06-2012: Norcross Patch article quoting CRR report and stats from the National Association for Shoplifting Prevention

12-04-2012: NRF article quoting estimates that return fraud will cost U.S. retailers $2.9B this holiday season. The estimates were derived from survey responses – the details of which are available here.


Security Industry Stats

12-07-2012: Freedonia Security Industry Growth Report. “US demand for private contracted security services is projected to increase 5.2 percent annually to $63.8 billion in 2016. The market will be supported by a high perceived risk of crime (from conventional violent and property crimes to white collar crimes and terrorism) and a concern that public safety officials are overburdened. The outsourcing of security activities to contracted firms, instead of relying on in-house security, will support demand. The privatization of some public safety operations, such as guarding government facilities and correctional facilities management, will also boost gains.

Security services that capitalize on continuing technological developments hold especially good prospects. For instance, both security consulting and systems integration revenues will see above-average growth. Security consultants and systems integrators are able to manage a wide variety of services when creating, upgrading or implementing security plans and when installing or upgrading complex electronic security devices. In addition, the trend toward more sophisticated and automated security electronics that are increasingly integrated with other building operations will boost growth for these services.”

12-02-2012: Yahoo article on IBIS’s security alarm services growth report. Also, here is a direct link to the IBIS site.


General Crime and Other Stats
