Security Resources

Archive for the Video and Analytics Category

Big Data, SD Storage, Business Intelligence Articles

newsSeveral articles floated up recently that are worth review:

1. Business Intelligence in Retail

From Axis Communications, a summary of a LPRC study commissioned in late 2012 that addresses retailers’ adoption and use of IP video. Not surprisingly, the data shows an increase in the number of companies seeking sales, operations, and marketing improvement through the use of intelligent video (video analytics). This is reassuring, since image quality and resolution have been consistently discussed as the primary motivators, while their value continues to be debated. Of the ~25% of respondents who reported that business intelligence was a primary factor in selecting IP video:

  • People Counting was by far the most used non-LP analytic application, with 46.3 percent of
    respondents deploying this feature, up from 27 percent in 2010;
  • Dwell Time Analysis (20 percent) and Heat Map or Hot/Cold Zone (18.2 percent) usage
    increased in 2012, while 38.3 percent of respondents use video analytics to detect POS fraud;
  • Queue Counters are used by less than 10 percent of companies surveyed, yet 50 percent say
    they may use this application in future. Similarly, while no respondents said they utilize Out of
    Stock Alerts today, more than 56 percent say they may use them in the future;
  • Nearly 32 percent of respondents utilize surveillance to help analyze “shopping & buying
    behavior,” with 20 percent using video to measure shelf and product placement effectiveness

2. Big Data Requires a Cautious Approach

Beware the Errors of Big Data summarizes Nassim Taleb’s position that big data must be used with great care in order for it to be useful. His primary observation is that “modernity provides too many variables, but too little data per variable. So the spurious relationships grow much, much faster than real information. In other words: Big data may mean more information, but it also means more false information.”

He asserts that this is not necessarily bad, however, since big data can be effectively used to debunk a theory or conclusion, rather than draw new conclusions whose basis is made questionable by big data.

As the claims around big data continue to make their way into the video intelligence, security and integration space, the article (and the author’s book, Antifragile) are worth a read.

 

3. SD Card Video Storage (recording at the edge)

From SDM Magazine comes an article on the current state of SD card (flash memory) storage for video. While it only addresses the current trend of cameras supporting off-the-shelf SD memory cards, and not more reliable types of flash memory, the article does touch on some of the applications and limitations of this approach. Thanks to demand from the consumer market – driven by tablets, high megapixel cameras, and ultrabooks – the capacity, cost and reliability of SD cards is improving constantly. For many commercial and residential applications, it is virtually certain that this type of distributed recording will be the norm in just a few years. It will be a welcome and exciting change for end users and service providers – and a terrifying one for DVR/NVR vendors who haven’t yet figured out their migration to a cloud/SaaS model.

Risks and Costs of “The Cloud”

cart_with_globesIn the security industry, it seems that hardly a day goes by without a pitch for a new cloud-enabled service or managed device. While this may be true of numerous industries, the fragmentation of the market, range of sales channels, and large number of broad/overlapping concepts (e.g. “business intelligence” and “big data”) make for an especially confusing space without clear leaders. When you factor in a huge base of outdated equipment, marketing hype around certain technologies, and fuzzy ROI math, understanding your options becomes even more difficult.

A simple example of the state of technology maturity can be seen in today’s residential automation and security platforms. It is trivial to connect a few IP cameras and lighting automation modules to your home network. Likewise, your home security provider probably offers a control panel that supports networked communication – via your ISP or cellular – enabling features like remote arming/disarming and a virtual keypad to control other functions via a smartphone. The problems are encountered as soon as one attempts to integrate these point solutions into something more user friendly (and functional). Unless all of the cameras, modules, and other devices are provided by the same company, the odds of controlling all of them using a single interface are almost zero. Likewise, communicating between devices, monitoring alerts/failures, and aggregating data are made significantly more complex – all thanks to a lack of standards, closed architectures, and business models that rely on limiting your options.

For commercial customers – especially retailers – there are dramatically more complex offerings available. Video analytics can be used to count customers, measure wait time at the register, and determine which aisles and displays draw the most attention. Customer counts can be compared with sales to determine “conversion,” driving bonuses for store employees, and suspicious transactions can be flagged and investigated thoroughly by matching register transactions with intelligent video recording. Increasingly, systems that were traditionally standalone, such as HVAC, lighting, refrigeration, and EAS (Electronic Article Surveillance) are being monitored with the goal of creating a more holistic picture of store operations. Finally, there are a number of new entrants to the BI (Business Intelligence) space that specialize in remote video-based auditing, gathering of customer demographics/habits, and the deployment of smart displays and RFID, among many others. Like the residential example above, most of these exist as independent solutions, often provided and maintained by separate companies, using different communication protocols, reporting methods, and networks/clouds.

The problem of multiple providers and disparate systems is, of course, nothing new – but the growth of broadband networks, ubiquity of smartphones, and the value of remote control and data collection have converged to enable countless solutions that would not have been practical to develop just a few years ago. This makes for an exciting, if somewhat confusing, time as customers weigh their many options and vendors scramble to differentiate their offerings.

So how does all of this relate to the “risks and costs of the cloud?”

Symantec recently published a report titled “Avoiding the Hidden Costs of the Cloud” in which they identify a number of security and expense-related issues that organizations encounter when deploying services haphazardly. From the report:

However, in a rush to implement cloud, there are a host of hidden costs unwary organizations may face.
These costs are easily avoided with a little foresight and planning, but only if IT knows where to look.

The report was not created to address security or BI systems specifically, but many of their observations and conclusions apply. Among them:

  • Increasing use of “rogue” clouds
  • Compliance, privacy, and eDiscovery issues related to offsite data collection
  • Inadequate use of SSL (encryption) technology

Not directly addressed in the report are the potential issues related to adding edge devices such as people counters, IP cameras, and other control systems that feed data to the cloud. These include creating unintentional vulnerabilities across the enterprise network, the cost of patching and monitoring the hardware, and the increased reliance on a specific vendor for basic system functionality. These are critical considerations in security/BI rollouts, but they are frequently overlooked, especially at the early stages when the focus is on an exciting new feature or technology.

As Symantec points out, involving IT at the outset is a critical success factor when working to avoid unnecessary risk and cost. When almost every new solution requires a separate communication pathway, monthly fee, and reporting system – it is easy to see how the oversimplified notion of “the cloud” can spiral into an unmanageable and expensive program.

Opportunities abound to begin to make sense of all of this, and a number of providers are taking admirable first steps. In a future article, I will propose one method by which organizations can mitigate risk and streamline their approach to adding new data/control points to their enterprise.

Obscurity and the Impending Video Analytics Debate

user_womanThere was a good article in the Atlantic recently on the subject of privacy, and specifically, how the concept of obscurity is often a better way to think about data in our highly connected world. It primarily addresses the new “Graph Search” that Facebook is rolling out, but there are broader comments that have relevance to physical security professionals.

From the article:

“While many debates over technology and privacy concern obscurity, the term rarely gets used. This is unfortunate, as ‘privacy’ is an over-extended concept. It grabs our attention easily, but is hard to pin down. Sometimes, people talk about privacy when they are worried about confidentiality. Other times they evoke privacy to discuss issues associated with corporate access to personal information. Fortunately, obscurity has a narrower purview.

Obscurity is the idea that when information is hard to obtain or understand, it is, to some degree, safe. Safety, here, doesn’t mean inaccessible. Competent and determined data hunters armed with the right tools can always find a way to get it. Less committed folks, however, experience great effort as a deterrent.”

The article goes on to mention video analytics technologies that are still coming into their own:

“Likewise, claims for ‘privacy in public,’ as occur in discussion over license-plate readers, GPS trackers, and facial recognition technologies, are often pleas for obscurity that get either miscommunicated or misinterpreted as insistence that one’s public interactions should remain secret.”

It is safe to expect legislation restricting the type and use of data collected in public spaces, but opinions vary widely about how the laws will be crafted, enforced, and how well they will hold up under challenge. Consider a few possible use-cases for video analytics and whether they might run afoul of laws designed to protect citizens’ rights:

  • Facial recognition software in retail stores that alerts employees to the presence of a potential shoplifter, based on a database of suspects (previously apprehended or captured on video), developed and stored on the retailer’s private network.
  • As above, but using a database of “suspects” compiled collaboratively with multiple retailers, and shared between them.
  • License plate recognition software placed at the entry/exit of a hotel parking ramp, mall parking lot, or even a neighborhood.

Clearly, these applications could greatly enhance an active security program, improve the quality of evidence, and, over time, create additional deterrence. The problem is that while the “data” has been gathered for years via cameras connected to recording equipment, the ease of use and availability thanks to video analytics changes the conversation. In other words, the level of obscurity is diminishing, which is likely to disturb privacy advocates – especially as the use of the data makes headlines and appears more often in litigation.

Organizations using video analytics today must plot their own course. A previous post referenced proposed FTC facial recognition guidelines – but we’re a long way from adoption. For better or worse, the limits on this technology are likely to be decided in the courts. My hope is that we strike a good balance, allowing careful and effective use that better protects us all. Integrators and end-users can do their part by considering each project from a private citizen’s point of view prior to implementation. Exposing too much data, or using it too aggressively is certain to bring the wrong kind of attention.

More reading on this subject can be found here:

Electronic Privacy Information Center (EPIC)

FTC Guidelines

Face Recognition Homepage

 

DVR Flaw Discovered – Swann, Lorex, Others Affected

RaySharp_DVRThe latest in a string of DVR and IP camera vulnerabilities was posted last week by a blogger using the pseudonym “someLuser” and affects an OEM design from RaySharp whose products are reportedly sold under a number of brand names, including Swann, Lorex, KGuard, Zmodo, Hi-View, Soyo, and others. These are often sold direct-to-consumer in kit form, bundled with several cameras and remote viewing software.

In the post, the blogger provided example scripts to demonstrate several exploitable weaknesses in the DVRs, including:

  • Unauthenticated access to the device configuration files
  • Ability to view usernames and passwords in clear text
  • Ability to execute system commands as root (after obtaining the passwords)

The security researchers at Rapid7 (who help maintain and distribute the Metasploit framework) attempted to determine the number and location of systems exposed to the Internet by searching for the devices’ web interface signatures. This effort identified over 58,000 unique IPs in over 150 countries running these vulnerable platforms – 19,000 of which were located in the U.S.  (A chart of the geographic distribution can be seen here)

As discussed previously, embedded systems are often found to have similar vulnerabilities, but are usually hidden by a firewall, limiting the ability of a hacker to locate or attack them. Since DVRs are routinely placed in DMZs or otherwise exposed to the Internet, their vulnerabilities are much easier to exploit. For devices inside the firewall that also communicate on a private LAN/WAN, the risks posed by insecure devices is potentially significant.

As of this writing, there are no known patches or updates that address the problem. Concerned users should consider removing the devices from their network, or disabling access via the Internet.

 

DARPA Video Projects

DARPAAn article detailing some of the projects being considered for the “DARPA Innovation House” should pique the interest of anyone working with video analytics and surveillance.

From the project website: “The DARPA Innovation House is a study into the feasibility of effective software design and development in a short-fuse, crucible-style living and working environment. DARPA selected imagery analysis as the topic for the effort. DARPA aims to show that small teams of highly focused, collaborative developers operating under extremely short deadlines can make breakthroughs in automatically obtaining meaning from photos, videos, geospatial data and other imagery-related data.”

The proposed areas of study include:

  • PetavisionMulti-Modal Approaches to Real-Time Video Analysis
    Biologically-inspired, hierarchical neural networks to detect objects of interest in streaming video by combining texture/color, shape and motion/depth cues.
  • GOSE (Geospatial-Oriented Structure Extraction)Structure Extraction from Imagery
    Automatic construction of a 3D wireframe of an object using as few images as possible from a variety of angles.
  • VideovorVisualization of Video Information
    Software that fragments and re-models linear time of video content to cluster big pools of related data in a 3D interactive interface for human analysis.

The full list can be found here.

Several of the projects have the potential to benefit security and loss prevention systems, so their progress will be interesting to watch.

Mandated Video Surveillance Passes in Pine Bluff, AR

blogThis is an update to the post titled “Mandated Video Surveillance – Let’s Hope Not…

According to the Pine Bluff Commercial newspaper, the Pine Bluff City Council passed a revised version of the ordinance that requires certain businesses to install and maintain video surveillance systems. Though well intentioned, the ordinance appears to have been watered down so thoroughly that it is little more than a suggestion – while requiring taxpayer resources to manage compliance.

Initially, the ordinance called for fines of up to $1,000, but after public and council discussions, the fine was decreased to $25 per violation. Businesses open before Jan. 1, 2013, are exempted – unless they make five or more calls to police regarding criminal activity, in which case compliance becomes compulsory. Prominent signage that a business is being monitored by security cameras is also part of the ordinance.

The Pine Bluff fire department will verify surveillance system functionality during annual inspections, and also perform random checks. If a system is found to be below the standards (which do not seem to be defined/published yet), the case is referred to the police department for verification and enforcement. The only specifics so far about what is required are that a business install “one or more” cameras, and that they may not be left inoperable or deliberately deactivated. Hopefully there will be more detail in the final version of the ordinance. If not, I suppose a single camera in the broom closet of a convenience store would pass inspection…?!

See the report from the local news below:

Mandated Video Surveillance? Let’s Hope Not…

A recent article in Security Systems News summarized the efforts of Pine Bluff, Arkansas to create an ordinance requiring surveillance cameras at convenience stores and restaurants.

Despite support in the wake of a tragic event – the shooting death of a store clerk during an attempted robbery – this effort is destined to fail. As an integrator for most of my career, I should laud the initiative… after all, nothing sells a system (and service agreement) faster than a government mandate. The reality, however, is that this requirement would do little to improve the safety of store employees – the sponsoring Alderman’s stated goal – while creating a significant burden for those charged with its execution and enforcement.

Without delving into the challenges around ensuring system functionality (i.e. auditing and health monitoring), one needs only to consider the most basic problem of defining what equipment should be required. Cameras at the points of entry? What about each point-of-sale terminal? The safe? What about non-public areas like receiving docks and the manager’s office? What resolution and camera features should be specified? If the cameras are not capable of producing an image that would allow identification of a suspect, but are otherwise functional, is the business in compliance? If the picture is washed out at certain times of day due to strong back-lighting, is the business in compliance? How much video storage will be required? How long is too long to complete a repair? The list goes on and on…

Clearly, there is a problem here. Make the requirements vague and you create a false sense of security while unintentionally defining a “minimum standard” that will not deliver results. The other extreme is worse: Specifically defining an acceptable system is a complex task, and may result in unintended consequences such as increased litigation, conflicts with industry standards, and high compliance/administration costs. Settling somewhere in the middle would likely be so subjective as to be useless.

I give credit to the Pine Bluff Police Department and George Stepps, the Alderman, for wanting to deter crime in a more proactive way, and I agree that cameras can help, but ordinances like this are the wrong strategy. Just look at the debate surrounding the NFPA 730/731 standards. Even working groups within the security industry don’t agree on system design best practices. How much time and money would be spent building a city program that would exist under constant scrutiny and revision?

The best way to get video systems installed – long term – is to promote their use, publish guides and statistics, and get buy-in from the business owners. Special tax incentives and licensing discounts are two ways that government involvement could promote this technology from a distance.

The ROI and deterrent value of video surveillance has always been difficult to quantify – especially for businesses without Loss Prevention departments – but when the benefits are understood, the decision is easy. Business owners need to be educated about these systems, including the many advanced features available today. I expect that our legal system will continue to help the cause, by shielding those who take appropriate preventative measures, and punishing those who ignore known risks.

This is a call to action for integrators and business owners alike. When something as fundamental as basic video surveillance has to be mandated, we’re not doing our jobs.

UPDATES

12-07-2012:  Security Director News article with additional commentary

12-19-2012:  The City Council passed a revised version of the ordinance. See this post for more…

Buying Direct from China: 700TVL for $39?!

One of my more unusual “hobbies” is closely watching the mix of low-cost video surveillance products available from manufacturers, resellers, and wholesalers, which has expanded and improved over the past several years. From the exhibitors at the Asia Pavilion at ISC West, to the myriad options on eBay and Alibaba, there are literally hundreds of sources of inexpensive video equipment. Are there bargains to be found, or do the risks outweigh the rewards?

I occasionally purchase products through these channels – mostly out of curiosity – and thought I would share some recent experiences. First of all, a spoiler: I wouldn’t consider purchasing any of these cameras or DVRs in bulk without a substantial undertaking to ensure regulatory compliance (e.g. FCC), quality assurance, component validation, and the impact of shipping, taxes and duties on the final price. That said, when a 700TVL Sony CCD camera with OSD controls, IR LEDs, and a waterproof housing can be had for under $50USD delivered, my curiosity gets the better of me.

With the analog camera market shrinking, and consumer expectations around image quality rising, it makes sense that quality components would begin to creep into the lower-end of the product spectrum. It is a nice change. Over the past six or eight years, I have purchased about a dozen low-cost cameras from a variety of sources – including a few from U.S.-based distributors like SuperCircuits. Most had poor (or abysmal) video quality, mediocre construction, and a short lifespan, but if you expect too much from any of these off-brand units, you’re going to be disappointed. That said, the difference today – at least in specifications – is significant versus just a couple of years ago. There are a wide range of high-resolution (500-700TVL) color cameras for under $100, and if you can live with lower resolution, prices can drop below $20. Even cameras with more expensive features like varifocal lenses, wide-dynamic range, mechanical IR-cut filters, and dual 12VDC/24VAC compatibility are commonly found for less than half of what you would expect to pay – even at wholesale – from a reputable supplier.

I decided that it was time to upgrade my aging home surveillance system, and in the process, evaluate a couple of bargain cameras and a DVR (see separate post for a summary of the recorder). After combing through a field of options, I settled on two cameras that each had a difficult-to-believe combination of features and price. These were my selections, both from AliExpress:

My existing DVR was a GE StoreSafe Pro, a commercial-grade product that was popular with retail stores for its reliability and ease of use, but is now obsolete. The two cameras I replaced were of moderate quality – both were purchased from U.S. distributors and fit into the middle of the pack (among bullet and ball-dome IR equipped cameras) as far as cost and specs were concerned. Over the years, their LEDs began to dim and picture quality slowly degraded to the point that I had these views:

Front Door View:

Driveway View:

I swapped out the front door camera with the white “generic” 700TCL camera first. Here is the image on the GE recorder:

And here – as a preview – is the image captured by my new (very inexpensive) D1/H.264 recorder:

[4CH_DVR1]Ch0120121214135118

The image is already much better, despite some harsh lighting in the scene, but the overall quality of the image is still below what I prefer for such a close shot.

I will update this post with images from the Sony-chip camera as soon as I run some cable… I decided to keep the existing driveway camera and add backyard and front yard shots. More soon…

UPDATE 12-19-2012:  Still haven’t had time to run my new cable, but here are images from the unboxing of the Sony chipset 700TVL camera:
cam_pkgcam_pkg2

cam_1

cam_2

cam_3

DVR and IP Camera Hacking – Only the Beginning

There have been a number of articles and proof-of-concept hacks in recent years illustrating vulnerabilities in IP camera software, access control systems, and the like. Some have raised awareness about fundamental flaws in technology – like the relative insecurity of common proximity card readers, unprotected programming access to a locking system, and simple methods to access a camera’s video feed. Most of the attention following these announcements is focused on the ability of a device to be bypassed or viewed (in the case of a camera), which misses a critical point.

While it is concerning that a replay attack can spoof an access card, and that an IP camera may not provide adequate security against unauthorized viewing, the real danger lies in the potential of these systems to be hacked and modified to serve some other purpose. Here are a few examples – and a prediction: We will see one or more of these in the wild within 24 months.

Scenario One:  The IP Camera Worm
Many IP cameras are designed using FPGAs, not microprocessors, so their ability to run arbitrary code is limited. This trend is changing, however, and as cameras adopt a more standards-based architecture, they will become powerful edge devices running operating systems that can be attacked like any other. Some higher-end models can already run cron scripts, handle video analytics, and manage local storage of data. They are, without exaggeration, computers with a lens and network connection. They are also commonly thought of as “appliances,” with a plug-and-play approach applied to many projects. It is feasible that a worm or other malware could infect these devices as early as the point of manufacturing, or when they are plugged into the installer’s laptop for programming. The software might lie dormant or attempt to infect other cameras or computers on the same network. Affected devices could even be used to launch a Denial of Service (DoS) attack against the recording server or some other target. The common practice – at least in larger systems – of segmenting cameras onto their own LAN might help to reduce this potential, but since the recording server is usually connected to other network(s) for remote viewing and administration, malware capable of infecting the server is a logical progression of this threat.

Scenario Two:  The surveillance DVR/NVR (Network Video Recorder) as a point of entry into corporate networks
Executives like video surveillance systems – and for good reason. As networks and video quality have improved, these systems have saved organizations tremendous amounts of money. Investigations can be performed more efficiently, guards can be reduced, travel costs can be cut, and the list goes on. This means, of course, that the video systems need to be accessible to various departments via the corporate network. Most implement some type of basic security, like requiring a remote user to connect over a VPN, but few have taken steps to totally isolate the video traffic from other network systems. Since many DVRs and NVRs are full-fledged PCs running Windows or Linux, they are vulnerable to the same kinds of attacks as any other server or workstation, but they are easily overlooked and could become a “zero-day” vulnerability or convenient back door into the network.

Scenario Three:  Unintended “Integration”
Every year, security hardware and software moves closer to delivering on the promise of interoperability. It has been a long road, and there are still miles to go, but today’s systems come equipped with protocols for a variety of devices, in order to enable integration. This means that building a “security network” within an enterprise often makes sense. To gain the full benefit from your systems, they need to be able to interact, and since capabilities are sure to be added later – anything that might need to share data ends up on the same segment. When industrial controllers, manufacturing equipment, or other critical systems make this list, the scene is set for security devices to be used as a launchpad for espionage or manipulation. It can seem logical to group these systems together – after all, the “security network” should be a safe place for any important devices, right?

So, why is a hack inevitable?
Fundamental to the problem is that these systems and devices are routinely installed without sufficient thought given to security, and without a plan for ongoing monitoring and maintenance. Furthermore, some of the latest features of alarm panels, home automation controllers, IP cameras and DVRs require Internet access or remote server connections just to function properly, opening a vector of attack that, again, is not well understood or monitored. This means that segmenting a network or “sandboxing” the application may not be an option unless the owner is willing to sacrifice functionality.

I realize that it is not much of a stretch to predict that a hackable device connected to a network might be used in a new and nefarious way… but let’s hope I’m just plain wrong.

 

For More:

DVRs are being targeted by hackers, says security expert – Article discussing vulnerabilities in consumer DVRs

Bypassing IP Camera Authentication (example)

OpenIPCam site, dedicated to hacking various cameras and the development of custom firmware

FTC Issues Facial Recognition Guidelines

The FTC released a document on October 22, 2012 calling for the protection of privacy by those who develop and use facial recognition technology. Many of the suggestions involve obtaining “affirmative express consent” before using identity information.

The document does not directly address the use of facial recognition in security, but the recommendations appear to be at odds with some of the likely applications – especially the use of shared shoplifter databases.

Some excerpts:

“To begin, staff recommends that companies using facial recognition technologies design
their services with privacy in mind, that is, by implementing ‘privacy by design,’”

__________________________________________________________________________

“For example, companies using digital signs capable of demographic detection – which often
look no different than digital signs that do not contain cameras – should provide clear notice to
consumers that the technologies are in use, before consumers come into contact with the signs.”

__________________________________________________________________________

“Perhaps of most concern, panelists surmised that advances in facial recognition
technologies may end the ability of individuals to remain anonymous in public places.32 For
example, a mobile app that could, in real-time, identify anonymous individuals on the street or
in a bar could cause serious privacy and physical safety concerns, although such an app might
have benefits for some consumers. Further, companies could match images collected by digital
signs with other information to identify customers by name and target highly-personalized ads
to them based on past purchases, or other personal information available about them online.33
Social networks could identify non-users of the site – including children – to existing users, by
comparing uploaded images against a database of identified photos. Although staff is not aware
of companies currently using data in these ways, if they begin to do so, there would be significant
privacy concerns.”

__________________________________________________________________________

 

The FTC report:  Facing Facts: Best Practices for Common Uses of Facial Recognition Technologies

Also, a document cited in the report that details digital signage best practices can be found here.

Page 1 of 212