Subscribe to

Blogs

Security threats to wireless alarms?

 - 
Wednesday, July 30, 2014

Tech publication Wired magazine may not focus too closely on alarm monitoring or residential security, but it does devote a good deal of ink to assessing network security threats, no matter what the context.

Just last month a writer for the magazine, Mat Honan, painted a funny dystopian sketch of the connected home in revolt, commandeered by morally wayward hackers on some perverse quest for Internet notoriety. Identifiable only by screen names evoking bad cyberpunk films from the 90s, these lonesome code junkies are intent on doing everything from dousing homes by activating sprinkler systems to invading your privacy in all the imaginable ways in a home amply stocked with network cameras.

The piece, titled “The Nightmare on Connected Home Street,” is of course meant to be hysterical: The narrator is jarred awake at four a.m. by the blaring pulse of dub step music exploding from his connected pillow. The vignette ends, a few hours later, with a bare and awesomely memorable paragraph: “The skylights open up. The toaster switches on. I hear the shower kick in from the other room. It’s morning.”

It’s all just a thought experiment, but the piece is entertaining and well worth a read.

Interestingly enough, about a month later, Wired turned its attention to security again, this time focusing on concerns that, surprisingly, have nothing to do with Internet connected devices. This time, the article dealt with security vulnerabilities related to wireless home alarms, which, according to a pair of researchers cited in the article, could be comprised—the alarm being either suppressed (via “jamming”) or made to deliver false signals. The researchers found identical problems with a number of brands.

The issue, according to the report, has to do with radio frequency signals. While the conversation is understandable for a layman, it can seem a bit arcane. In sum, the researchers found that the systems “fail to encrypt or authenticate the signals being sent from sensors to control panels,” according to the report, “making it easy for someone to intercept the data, decipher the commands, and play them back to control panels at will.” Would-be malefactors, the report says, can do this relatively easily.

The researchers cited in the article—Logan Lamb and Silvio Cesare—plan to present their findings at the Black Hat security conference, a computer security conference held in Las Vegas next week. I’m eager to here more about their findings and to see what kind of impact the research could have.  

Security threats to wireless alarms?

 - 
Wednesday, July 30, 2014

Tech publication Wired magazine may not focus too closely on alarm monitoring or residential security, but it does devote a good deal of ink to assessing network security threats, no matter what the context.

Just last month a writer for the magazine, Mat Honan, painted a funny dystopian sketch of the connected home in revolt, commandeered by morally wayward hackers on some perverse quest for Internet notoriety. Identifiable only by screen names evoking bad cyberpunk films from the 90s, these lonesome code junkies are intent on doing everything from dousing homes by activating sprinkler systems to invading your privacy in all the imaginable ways in a home amply stocked with network cameras.

The piece, titled “The Nightmare on Connected Home Street,” is of course meant to be hysterical: The narrator is jarred awake at four a.m. by the blaring pulse of dub step music exploding from his connected pillow. The vignette ends, a few hours later, with a bare and awesomely memorable paragraph: “The skylights open up. The toaster switches on. I hear the shower kick in from the other room. It’s morning.”

It’s all just a thought experiment, but the piece is entertaining and well worth a read.

Interestingly enough, about a month later, Wired turned its attention to security again, this time focusing on concerns that, surprisingly, have nothing to do with Internet connected devices. This time, the article dealt with security vulnerabilities related to wireless home alarms, which, according to a pair of researchers cited in the article, could be comprised—the alarm being either suppressed (via “jamming”) or made to deliver false signals. The researchers found identical problems with a number of brands.

The issue, according to the report, has to do with radio frequency signals. While the conversation is understandable for a layman, it can seem a bit arcane. In sum, the researchers found that the systems “fail to encrypt or authenticate the signals being sent from sensors to control panels,” according to the report, “making it easy for someone to intercept the data, decipher the commands, and play them back to control panels at will.” Would-be malefactors, the report says, can do this relatively easily.

The researchers cited in the article—Logan Lamb and Silvio Cesare—plan to present their findings at the Black Hat security conference, a computer security conference held in Las Vegas next week. I’m eager to here more about their findings and to see what kind of impact the research could have.  

Security threats to wireless alarms?

 - 
Wednesday, July 30, 2014

Tech publication Wired magazine may not focus too closely on alarm monitoring or residential security, but it does devote a good deal of ink to assessing network security threats, no matter what the context.

Just last month a writer for the magazine, Mat Honan, painted a funny dystopian sketch of the connected home in revolt, commandeered by morally wayward hackers on some perverse quest for Internet notoriety. Identifiable only by screen names evoking bad cyberpunk films from the 90s, these lonesome code junkies are intent on doing everything from dousing homes by activating sprinkler systems to invading your privacy in all the imaginable ways in a home amply stocked with network cameras.

The piece, titled “The Nightmare on Connected Home Street,” is of course meant to be hysterical: The narrator is jarred awake at four a.m. by the blaring pulse of dub step music exploding from his connected pillow. The vignette ends, a few hours later, with a bare and awesomely memorable paragraph: “The skylights open up. The toaster switches on. I hear the shower kick in from the other room. It’s morning.”

It’s all just a thought experiment, but the piece is entertaining and well worth a read.

Interestingly enough, about a month later, Wired turned its attention to security again, this time focusing on concerns that, surprisingly, have nothing to do with Internet connected devices. This time, the article dealt with security vulnerabilities related to wireless home alarms, which, according to a pair of researchers cited in the article, could be comprised—the alarm being either suppressed (via “jamming”) or made to deliver false signals. The researchers found identical problems with a number of brands.

The issue, according to the report, has to do with radio frequency signals. While the conversation is understandable for a layman, it can seem a bit arcane. In sum, the researchers found that the systems “fail to encrypt or authenticate the signals being sent from sensors to control panels,” according to the report, “making it easy for someone to intercept the data, decipher the commands, and play them back to control panels at will.” Would-be malefactors, the report says, can do this relatively easily.

The researchers cited in the article—Logan Lamb and Silvio Cesare—plan to present their findings at the Black Hat security conference, a computer security conference held in Las Vegas next week. I’m eager to here more about their findings and to see what kind of impact the research could have.  

Are wireless home systems vulnerable?

 - 
Wednesday, July 30, 2014

Tech publication Wired magazine may not focus too closely on alarm monitoring or residential security, but it does devote a good deal of ink to assessing network security threats, no matter what the context.

Just last month a writer for the magazine, Mat Honan, sketched a funny, dystopian picture of the connected home in revolt, commandeered by morally wayward hackers on some perverse quest for Internet notoriety. Identifiable only by screen names evoking bad cyberpunk films from the 90s, these lonesome code junkies are intent on doing everything from dousing homes by activating sprinkler systems to invading your privacy in all the imaginable ways in a home well stocked with network cameras.

The piece, titled “The Nightmare on Connected Home Street,” is meant to be absurd: The narrator is jarred awake at four a.m. by the blaring pulse of dub step music exploding from his connected pillow. The vignette ends, a few hours later, with a bare and awesomely memorable paragraph: “The skylights open up. The toaster switches on. I hear the shower kick in from the other room. It’s morning.”

It’s all just a thought experiment, of course, but the piece is entertaining and well worth a read.

Interestingly enough, about a month later, Wired turned its attention to security again, this time focusing on concerns that, surprisingly, have nothing to do with Internet connected devices. This time, the article dealt with security vulnerabilities related to wireless home alarms, which, according to a pair of researchers cited in the article, could be compromised—the alarms either being suppressed (via “jamming”) or made to deliver false signals. The researchers found identical problems with a number of brands.

The issue, according to the report, has to do with radio frequency signals. While the conversation is understandable enough for a layman, it can drift into the arcane. In sum, the researchers found that the systems “fail to encrypt or authenticate the signals being sent from sensors to control panels," the report said, “making it easy for someone to intercept the data, decipher the commands, and play them back to control panels at will.” Would-be malefactors, the report says, can do this relatively easily.

A vulnerability is a vulnerability, and certainly no security company wants there to be any possibility of a system being hacked. But it probably should be mentioned that while these techniques may come across as elementary to the reading community of Wired Magazine, these methods would probably be, for your run-of-the-mill thief, well above average from a sophistication standpoint.

The researchers cited in the article—Logan Lamb and Silvio Cesare—plan to present their findings at the Black Hat security conference, a computer security conference held in Las Vegas next week. I’m eager to here more about their findings and to see what kind of impact the research could have.

Viscount will be highly visible at ASIS

 - 
Wednesday, July 23, 2014

Viscount, the access control system that is software-based and does not have a panel, will be highly visible at ASIS, according to CEO Dennis Raefield.

Raefield joined Viscount at COO in December of 2013 and became CEO of the company, replacing Steve Pineau, in January of 2014. In February, Viscount "raised $2.4 million in new cash in a  private placement." He's used that funding to "staff up" adding tech support and sales people including hiring Michael Pilato, as VP of sales and marketing. Pilato has worked for Schlage/Ingersoll Rand, Assa Abloy, Honeywell Security, and Sensormatic/Software House (now Tyco).

"We went from 26 to 36 employees," Raefield said. "We now have dedicated tech support from 5 a.m. to 5 p.m. and on-call support 24/7," he said.

Viscount has been in business for 12 years, but its Freedom Encryption Bridge access control product is relatively new. It made traction with the federal government, in banking and it is  installed at Microsoft's GSOC.

"Our biggest deal is with the Department of Homeland Security, the CIS (Citizens Immigration Services) Group. [Freedom] is installed all over the country in 30 different sites and the plan is to roll out 200 more sites in the next year," Raefield said.

Freedom is doing well for two reasons, Raefield said. "One. It's highly secure from hacking for a very simple reason. The traditional [access control] panel has a database ... that is highly vulnerable to hacking. ... What we did is very simple. We took that database out of the panel," he explained. "We use a little thing called a bridge that converts all information at the door ... sends it to the company's own computer. Our software is on their server and the server makes the decision [about access]." This makes the IT director much more comfortable than a traditional access control system where a security appliance that is out of the IT director's hands is hanging on the company's network, he said.

Because the Freedom access control system is behind a company's firewall, it is as secure as any other application on an end user's network, Raefield pointed out.

Raefield noted that the recent Target data breach which received so much publicity and resulted in the firing of the Target CEO "was not a frontal assault on the IT infrastructure" but rather a "backdoor breach"—the result of a stolen HVAC contractor's password. That kind of backdoor breach cannot happen with this access control system, he said.

The second reason the federal government likes Freedom, according to Raefield, is that "our little bridge is much less expensive that anyone's panel. ... "You take out the expensive control panel and the dedicated computer for security and you now have a significaly lower total cost of ownership," he said.

The security director now can worrry about physical security instead of managing hardware and computers, he added.

Viscount Systems did about $4.1 million in revenue in 2013. About $3 million of that came from Viscount's legacy telephone entry system, a product called Mesh Enterphone, which is used in highrise buildings. It's been a "stable bread and butter" product for Viscount for 12 years. Raefield is also investing in that product, making it "high end with a touch screen." It can also be integrated with the Freedom access control system. The remaining $1 million in 2013 revenue was from Freedom, which Raefield said went from $0 to $1 million in one year. Raefield expects Viscount, which is a publicly traded company based in Vancouver, to do "between $6 and $8 million" in revenue in 2014.

Asked about whether Freedom can be used as a managed access control system, Raefield said yes. "The long term strategy is that [Freedom] will be able to be managed on site, in the cloud, any of the above, because it's all software."

Viscount is currently working with major integrators such as Stanley, Convergint and Johnson Controls. At ASIS, the company plans to make its case from a big booth to the integrator community that "this is the next direction and a smart direction," Raefield said.

Pilato said that Freedom has been rigorously tested by the federal government, it has shown itself to be "secure, scalable architecture" and it's ready for wider deployment in the commercial market, in K-12 schools, in banking and elsewhere. "ASIS will be the official commercial launch of Freedom," Pilato said. "The commercial side of the house is ready for prime time."

 

 

 

 

 

 

Another tech giant making a $200m move into the connected home?

 - 
Tuesday, July 22, 2014

I’ve written recently about Google’s $3.2 billion buy of smart thermostat and smoke alarm maker Nest Labs, and then Nest’s $555 million plan to buy Dropcam, which makes video cameras that stream video to a user’s computer or cellphone. Also, Apple in June introduced HomeKit, its new home automation/home security framework.

Now, Samsung also may be making a home automation push with a $200 million buy of startup SmartThings, according to news reports.

The potential deal was first reported in TechCrunch.

Forbes says that SmartThings is based in Washington, D.C. and “sells $100 hardware hubs and provides a cloud platform to make the hundreds of smart gadgets out on the market talk to each other in one unified app.”

Forbes notes that Samsung “already has many connected home appliances on the market.” However, Forbes says SmartThings could enhance those.

“What the SmartThings technology could do is better connect its appliances to other third-party devices onto one central platform. This is what Apple looks to be aiming to do with its HomeKit and what Nest may one day achieve after opening up its API program to allow other devices to talk to its growing family of smart gadgets.”

SmartThings, founded in 2012, has “tens of thousands” of SmartThings systems currently installed in U.S. households, Forbes said.

 

Vivint providing actionable intelligence for smart homes

 - 
Wednesday, July 16, 2014

The BusinessDictionary defines “actionable intelligence” as data “that can be used to boost a company's strategic position against industry peers.” But with a new partnership announced this week, Vivint is using data collected from sensors in smart homes to “identify actionable insights to enrich their customers’ lives.”

Provo, Utah-based home automation/home security company Vivint has partnered with Cloudera, which offers businesses “one place to store, process and analyze all their data,” according to a July 15 news release.

Palo Alto, Calif.-based Cloudera provides businesses with “fundamental new ways to derive value from their data.” In Vivint’s case that means, according to the news release, that “for the first time, Vivint is able to apply a new lens to data generated from intelligent devices and systems embedded with sensors in and around homes.” More than 100,000 data points “from smart sensors embedded in devices [are now] visible with Cloudera,” the release said.

Brandon Bunker, Vivint’s senior director of customer analytics and insights, put it this way in a prepared statement: “Vivint has been at the forefront of the connected home for decades, and now with the emergence of [the] IoT (Internet of Things), we are truly able to innovate by collecting and analyzing vast amounts of data from sensors embedded in our devices. We've taken that one step further with Cloudera and can now look across many data streams simultaneously for behaviors, geo-location, and actionable events in order to better understand and enrich our customers' lives.”

Vivint has more than 800,000 customers using various third party, smart-enabled devices, the release said. Each home has from 20 to 30 sensors, it said.

Here, according to the release, is how Cloudera’s services will make a difference with data from those sensors:

“Many of those devices come in the form of thermostats, smart appliances, video cameras, window and door sensors, and smoke and carbon monoxide detectors. Without a central internal repository to gather and analyze the data generated from each sensor, Vivint was previously limited in its ability to innovate and to add higher intelligence to its security offerings. For example, knowing when a home is occupied or vacant is important to security -- but when tied into the heating, ventilation and cooling (HVAC) system, you can add a layer of energy cost savings by cooling or heating a home based on occupancy. Similarly, by adding geo-location into the equation, you can begin to adjust temperature changes to a home based on the proximity to an owner's arrival, for instance, when the owner has a connected vehicle.”
 

Such "actionable intelligence" would be a sellling point for Vivint because consumers can save from 20 to 30 percent in energy costs by turning off their HVAC systems when they’re away or sleeping, the release said.

Vivint said it chose Cloudera because it has a proven track record and a very broad “big data ecosystem, to ensure support as more and more devices are connected to the Internet each day.” The company also ensures the data’s security, the release said.

And that traditional definition of “actionable intelligence,” about boosting a company’s position against industry peers?

Well, that’s actually a part of the partnership too, according to Vivint. “This platform has differentiated our business and given us a tremendous competitive advantage,” Bunker said in his statement.

 

ESA taps new president and officers

 - 
Wednesday, July 16, 2014

The Electronic Security Association has installed Marshall Marinace, owner of Yorktown Heights, N.Y.-based Marshall Alarm Systems, as its president for the next two years.

Marinace’s presidency was one of five new officer appointments announced at ESA’s annual membership meeting held during ESX 2014 in Nashville.

Marinace has been involved in the security industry for 38 years, and his alarm company was founded in 1976. He also has a longstanding involvement with ESA, serving in several different capacities with the association, including multiple terms as vice president, chairperson of the Membership Committee and liaison to the Standards and Fire Life Safety Committee, among other roles, according to an ESA news release.

“Having been involved with association boards and committees for the past 30 years and counting, my personal goal is to continue the legacy and ongoing development of strong leadership that has made ESA the foremost industry association,” Marinance said in a prepared statement. “I am therefore honored and humbled to have been given the opportunity to fill the role as ESA president for the next term.”

The following industry practitioners were also elected to ESA roles:

-- Dee Ann Harn, CEO of RFI Enterprises, elected to one-year term as vice president

-- Chris Mosley, president of Complete Security Systems, elected to two-year term as vice president

-- Angela White, executive vice president of Central 1 Security, elected to two-year term as vice president

-- Jon Sargent, industry relations / government affairs for Tyco Integrated Security, elected to two-year term as secretary

Milestone research: Video, metadata, operational intelligence

 - 
Wednesday, July 16, 2014

Interesting piece of news in my inbox this morning having to do with research that VMS provider Milestone Systems (recently acquired by Canon)  is working on.

The VMS provider is working with Technical University of Denmark (DTU), Aalborg University, Securitas and Nabto, on a research project that looks at using video for operational intelligence.

The news release said that Milestone is putting some of the research into practice already. From the release: “Research that is ongoing in a 3-year project to develop technological innovations is already paying off: the latest release of Milestone XProtect 2014 launched a new metadata framework that vastly improves the speed of searching and analysis with the video software. … Milestone's software manages video for security uses, but can also support and optimize activities in production, logistics, marketing, sales, healthcare, intelligent buildings, environmental control, and other analytical applications. Thanks to the XProtect open platform architecture, other companies are integrating software applications with Milestone's video management software to adapt it for particular operational needs in different business sectors.”

The Danish National Advanced Technology Foundation provided funding (DKK 15 million) for the project. The goal is “to interpret the recorded video material so the content can be described automatically.”

In a prepared statement, Hans Jorgen Skovgaard, Milestone VP of R&D said:
"We are still in phase one and expect to present to the market several new solutions for searching in metadata—the framework has already been released in XProtect 2014. During the next phases, we will do research among other things on how the software can learn to distinguish between normal and abnormal activity in video images. This means video surveillance can proactively give an alert before an incident occurs, and further enable use as a business tool in many more operational scenarios. … For example, if there is an accident or an assault at a bus station, the police or security personnel can search for the exact area where the incident happened by linking GPS coordinates with the video recordings from the buses, and within a few seconds they will have the relevant recording of the offender or other people involved.”
 
The release says that the metadata technology “can also be used with mobile phones as moving security cameras where GPS coordinates and compass information can be stored with the video. Operators thereby will know precisely where the video was recorded. Used in this way, mobile phones can increase security and safety, and threatening behavior can easily be proven. The technology can also be used as evidence of pollution emissions, for resolving insurance claims, or many other applications yet to be explored.”

Information about our "20 under 40" awards

 - 
Wednesday, July 9, 2014

Now is the time for you to submit your nominations for the Security Systems News "20 under 40" Class of 2014. Click here to make your nomination.

It’s the eighth year that SSN has solicited nominations of young people, ages 40 or younger, who display leadership characteristics, are tech-savvy and are dedicated to the security industry.

To be eligible, nominees must work for an installing fire or security dealer or integrator or work for a monitoring company. Sorry, employees of manufacturing companies and consultants are not eligible.

End users are not eligible for SSN’s “20 under 40” awards, but if you know a talented young end user, please nominate them for the “20 under 40” awards of our sister publication, Security Director News.https://www.surveymonkey.com/s/sdn20under40
So, nominate a colleague, a customer or yourself, and do it before the Aug. 1 deadline.

The “20 under 40” awards process will culminate in an awards ceremony for both SSN and SDN “20 under 40” award winners at TechSec Solutions, the industry’s premier conference for integrators, end users, consultants and manufacturers to discuss and debate the effects of new and emerging security technologies on their bottom line.
This year’s conference will take place Feb. 3 and 4 at the Delray Beach Marriott in Delray Beach, Fla. At the end of the first day, we take time out from the discussions and debate and head out to the pool for the SSN/SDN “20 under 40” awards reception.

It has become a tradition at TechSec and the social event that all TechSec attendees look forward to.

In addition to being honored, the “20 under 40” winners participate in the conference, some as speakers and some as active audience members. The heavy participation of the “20 under 40” demographic is one of the things that sets TechSec apart from other conferences.

The younger TechSec participants bring a variety of expertise and perspectives and enrich the discussion and debates at TechSec. Their participation is encouraged and valued by other attendees and presenters, as well as organizers.
 
We’re proud that the conference tends to attract “20 under 40s,” both past and present. Many people first came to TechSec as “20 under 40” honorees and now come back to TechSec every year.

But we need your help identifying the young leaders that we’ll honor this year. Get your nominations in, and if you have any questions about the “20 under 40” awards or TechSec, give me a call or send me an email.

Pages