29.5.08

Analog vs. IP Video Surveillance. . . it's about the customer, folks!

I was really lucky to spend the past eight years working intensely on education programs dedicated to enhancing end users' physical security programs.

The single most important thing I learned is that an electronic security system deployment is one tool for the physical security or surveillance professional, not the center of their universe.

I am continually amazed at how some discussions about analog or IP video systems lead immediately to technology discussions rather than what's good for the customer. What do they need the system to do? What is their existing infrastructure?

There was an article I read about City Center Surveillance deployment acceptance.

http://www.citynews.ca/news/news_6687.aspx

IP video may, in the future, be enabled by enhanced wireless infrastructure technologies like WiMAX, but it will not be adopted automatically just because the technology exists. The requirements of the end user drive the use of technology, and if IP video provides the right product to distribute video content more widely to mobile responders, then adoption will be encouraged. Here, mobile responders and emergency services have specific needs that are met by the distribution of IP video to many clients simultaneously.

Does the same system properly serve the Loss Prevention or Gaming Surveillance Professional? Not currently, and I know that I am inviting commentary here, but first think of the needs of your customer or, more specifically, your customer's customer! The variable and often slow camera control response on many IP video systems has slowed this deployment, since the operator has to keep up, without compromise, with tracking an individual through a casino or along the aisles of an electronics superstore. Yes, there are systems available that provide an uncompromised solution, but at a greater cost than their analog counterparts.

So the next time someone jumps right into a technology discussion, ask them to instead take a moment and "listen up!" as a popular singer says, and perhaps the solution will turn out better for everyone...

22.5.08

Java Junkies beware!

disclaimer: This article is for informational and educational purposes only. Hacking into an internet store is illegal and is not the intent of this article.

Now you can buy anything, even if someone has taken it off their company store.

Well, that is, if they've not protected the Online Store Product ID of the item you wish to purchase. So you've visited the dynamically rendered web page that does not contain an "add to cart" button. You want to buy that item. The vendor has restricted purchase, sometimes in the hope of maintaining inventory for a specific client, etc. The catch is that the restriction lives only in the rendered page: the store's add-to-cart handler still accepts any Product ID it is sent.

We'll have none of that!

Just go to another item that has an "add to cart" button. Copy the javascript shortcut and paste it into Notepad. Notice that it will usually contain the Store Product ID (the secret number) and the actual (public) Model Number. Now you need to find the secret number for the item you want, the one they are not letting you purchase. All you usually have to do is go to the product's technical information page and look at the URL, which gives you three possibilities for the Store Product ID.

Now you've got three possible Store IDs and one definite model number. Just take the javascript shortcut you pasted earlier and make three different scripts, trying each one until one adds your item to the cart! Once the item is in your cart, they can't stop you from buying it. It's a good idea to take a screen shot of the cart page in case the vendor does not wish to fulfill your order (very rare).
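The flaw behind this trick, as an added example that is neither the post's own code nor any real store's: the server accepts whatever Store Product ID the client submits and only checks that the ID exists, while the "no add-to-cart button" restriction lives in the rendered page. The catalog, IDs, model numbers and prices below are constructed. The block models the three-guess step from the post, shows the same handler with the purchasable check enforced on the server, and adds a checkout that re-validates the cart, which is exactly what makes "once it's in your cart they can't stop you" stop being true.

```python
"""Simulated online store showing the add-to-cart flaw described in the post.

Constructed example, not the store's or the blog author's code. The catalog,
Store Product IDs, model numbers and prices are made up.
"""

# Constructed catalog. `store_id` (the dict key) is the internal "secret"
# Store Product ID carried in the javascript add-to-cart shortcut; `model` is
# the public model number; `purchasable` is the flag the page hides the
# "add to cart" button behind.
CATALOG = {
    1001: {"model": "XJ-900", "price": 499.00, "purchasable": True},
    1002: {"model": "XJ-950", "price": 549.00, "purchasable": False},  # held back
    1003: {"model": "XJ-950-REFURB", "price": 399.00, "purchasable": True},
}


def add_to_cart_vulnerable(cart, store_id):
    """The flawed handler: it only checks that the ID exists.

    The restriction is enforced by omitting a button from the page, so any
    client that submits the right store_id gets the item into the cart.
    """
    if store_id not in CATALOG:
        return False
    cart.append(store_id)
    return True


def add_to_cart_hardened(cart, store_id):
    """Server-side authorization: the purchasable flag is checked here, where
    the client cannot edit it, not in the page markup."""
    item = CATALOG.get(store_id)
    if item is None or not item["purchasable"]:
        return False
    cart.append(store_id)
    return True


def checkout(cart):
    """Re-validate every line at checkout so a cart built through a tampered
    or stale request cannot buy something that is not purchasable.
    Returns (accepted_ids, rejected_ids)."""
    accepted, rejected = [], []
    for store_id in cart:
        item = CATALOG.get(store_id)
        if item is not None and item["purchasable"]:
            accepted.append(store_id)
        else:
            rejected.append(store_id)
    return accepted, rejected


def find_hidden_id(candidates, add_fn):
    """Model of the three-guess step from the post: try each candidate Store
    Product ID pulled from the product's URL against an add-to-cart handler
    and return the first one that lands in the cart (None if none does)."""
    for store_id in candidates:
        cart = []
        if add_fn(cart, store_id):
            return store_id
    return None


if __name__ == "__main__":
    # Constructed guesses, as if read off the technical-information URL.
    candidates = [1002, 10020, 2002]
    print("vulnerable handler accepts:", find_hidden_id(candidates, add_to_cart_vulnerable))
    print("hardened handler accepts:", find_hidden_id(candidates, add_to_cart_hardened))
    cart = []
    add_to_cart_vulnerable(cart, 1002)
    print("checkout re-validation on a tampered cart:", checkout(cart))
```

Run it as a script to see the vulnerable handler accept the held-back ID 1002 while the hardened handler rejects every guess; the last line shows that even a cart filled through the vulnerable handler is caught at checkout once the purchasable flag is rechecked there.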

Next week we'll talk about coupon codes!

15.5.08

Leave the standards to the SDOs, or collaborate independently?

Allow me to first state that the following is simply the personal, subjective opinion of this author...

This week began with an announcement from three manufacturers of a "new" cooperative effort to start a communications forum and develop an interoperability standard. I felt like the Jeff Goldblum character from the great movie "The Right Stuff," who would run breathlessly down the hall to report on the latest activities by the Russians in space, only to hear "we know about it already."

It's probably good that I waited a few days before posting this as I was pretty disappointed that yet another group was doing an "end run" around the Standards Development Organization (the SIA) that has developed the only ANSI-approved interoperability standard for the Security Industry. The interesting thing is that this week's actions, though well intended, have helped me see how impartial SDOs and Credentialing organizations are in the best position to recognize, organize, focus and manage manpower to achieve realistic interoperability goals.

I completely understand that interoperability efforts are quite useful and will greatly benefit everyone in the Security Industry "food chain." However, when an effort already exists, why not contribute to it and improve it rather than create another, duplicated, parallel effort? 'Nuff said on that one, right?

Well, not really. You see, last year I had the benefit of meeting a particular end user that taught me something quite insightful. "Think of my customer as your customer."

Wow!

If I can help my customer improve their customer's experience, or contribute to savings for his (or her) organization that could mean savings passed onto their clients, we all win.

What does this have to do with a parallel standards effort?

Simply put, a parallel effort consumes industry resources that are not applied toward better helping the (hopeful) beneficiaries of this industry. If we took the time spent on multiple device and system interface efforts and applied it to introducing more useful applications for the end user, we would all win.

So where do we go now? What can we do to improve this situation?

Ask the SDO. They have a method in place for recognizing standards development activities and a way for these efforts to be focused correctly and impartially.

6.5.08

The case for a Cooperative Certification Program

Whether you are a self-commissioning end user, a multi-site integrator or a smaller reseller, your time is important and needs to be spent on what keeps your business going. Why would our industry require multiple certifications on different products that are similar and share a basic skillset for deployment?

Each manufacturer would like the opportunity to tell their story in front of these key influencers, and then train on the nuances of product deployment and adjustment. I'm thinking that on one hand manufacturers might find the comparison less fruitful, but on the other there's an opportunity to meet end users and resellers they would not have.

Why end users? There are a number of multi-site, large end users that will always use integrators for product purchase and commissioning, but need an understanding of the system deployment for planning, design and maintenance.

Stay tuned; we may just be making history on this yet!

3.5.08

I can buy anything at Amazon...

...and feel safe. I'm not quite sure how they do it, but their partners just provide a better purchasing experience and I don't have to worry about CC fraud. If you saw my previous post, I had a bad experience after Vegas and, well, it's a real hassle if merchants don't provide the best in transaction security. Here are a few of my recent, diverse Amazon purchases...


Bike in Tucson!

Yes, it's bike-friendly, and you can ride an expensive bike around and feel secure. Read all about it below:
photo of the Bianchi Ti, courtesy msurfaro spigelman

Wifi - Wardriving and the fleecing of the traveler or randonneur

disclaimer: This article is for informational and educational purposes only. Hacking into a private security-enabled wireless network is illegal and is not the intent of this article.

Like sheep we are drawn to them. They are everywhere, in pockets and often located right at another addiction's distribution point, the coffee house. The WiFi hotspot is not a hotspot at all for connectivity, but for someone else's money.

When I fly into Vegas, I can feel the extra $$$ already leaving me as I know it will cost $15 per day at the hotel, and $40 at the convention center for three hours, and without adequate credit card transaction security.

In fact, the last trip to Vegas found my CC taken on one of those networks (I had a company firewall in place), and the rogue user began to selectively siphon $500 at a time from my account.

I drive or bike a good deal to my local destinations, so I'm not shy about getting on someone's unsecured network, doing what I have to and leaving. That is, if I haven't found a T-Mobile hotspot that I already pay for.
When in New York City, or another major city, there are times I am restricted to wherever the car, or a comfortable spot for the PC, can be, so sometimes I have to resort to looking at someone's router if its response is very slow.

Most people leave not only the default IP address and the transmission unsecured, but also the router's default password in place. A simple lookup and I find no fewer than 30 BlackBerrys consuming this network, and three PCs. I'm only going to be about 5 minutes, so I log on to the router, knock off the BlackBerrys, keeping the users' PCs online, change the password on the router (I'll be changing that back before I leave), and limit the number of DHCP clients to 5.

I log off. I send my email and upload some large files and I'm almost out of there. I re-enter the router's admin app and restore their settings, leaving the DHCP limit at 40, just in case they get another 30 visitors to crash their network.

Ethical or unethical? However you feel about the above, I can assure you that right now there could be "klingons" on your WiFi network at home, especially if you have not:
1. stopped broadcasting your SSID
2. changed your default router password and applied WEP or, better, WPA2
3. limited the number of DHCP users
4. upgraded your firmware
5. filtered your MACs

Hey, we take some and we give; please feel free to pass along this advice and the very good reference below to your neighbor.

That is, after you've downloaded Madonna's latest CD...

From The Ethical Hacker:

Just as it’s important to know how to utilize the aforementioned tools, it is important to know best practices on how to secure your Wireless Network Against these tools.

NetStumbler – Do not broadcast your SSID. Ensure your WLAN is protected by using advanced Authentication and Encryption.

Kismet – There's really nothing you can do to stop Kismet from finding your WLAN, so ensure your WLAN is protected by using advanced Authentication and Encryption.

Airsnort – Use a 128-bit, not a 40-bit WEP encryption key. This would take longer to crack. If your equipment supports it, use WPA or WPA2 instead of WEP (may require firmware or software update).

Cowpatty – Use a long and complex WPA Pre-Shared Key. This type of key would have less of a chance of residing in a dictionary file that would be used to try and guess your key and/or would take longer. If in a corporate scenario, don’t use WPA with Pre-Shared Key, use a good EAP type to protect the authentication and limit the amount of incorrect guesses that would take place before the account is locked-out. If using certificate-like functionality, it could also validate the remote system trying to gain access to the WLAN and not allow a rogue system access.

ASLeap – Use long and complex credentials, or better yet, switch to EAP-FAST or a different EAP type.

Ethereal – Use encryption, so that anything sniffed would be difficult or nearly impossible to break. WPA2, which uses AES, is essentially unrealistic to break by a normal hacker. Even WEP will encrypt the data. When in a Public Wireless Hotspot (which generally do not offer encryption), use application layer encryption, like Simplite to encrypt your IM sessions, or use SSL. For corporate users, use IPSec VPN with split-tunneling disabled. This will force all traffic leaving the machine through an encrypted tunnel that would be encrypted with DES, 3DES or AES.
courtesy of Daniel V. Hoffman, CISSP, CWNA

http://www.ethicalhacker.net/content/view/16/24/
BTW, there's one gentleman who is an ASIS Vice President who does a great job giving a "wardriving" and prevention class. Should anyone be interested in him presenting at a conference or consulting on this subject, feel free to ask me for his contact information.
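One way to see why item 2 of the list above and the quoted coWPAtty paragraph both insist on a long, non-dictionary WPA passphrase, as an added example that is not from the post or from the quoted Ethical Hacker article. It relies only on the published 802.11i rule for the pre-shared key: PSK = PBKDF2-HMAC-SHA1(passphrase, salt = SSID, 4096 iterations, 256 bits). The SSIDs, passphrases and the tiny wordlist are constructed stand-ins; it also shows, beyond what the post says, that the SSID salt forces any precomputed table to be built per SSID, which is why a default SSID is a liability on its own.

```python
"""WPA/WPA2-Personal PSK derivation and a dictionary attack against it.

Added example, not the post's code and not from the quoted article. The
derivation is the published 802.11i rule (PBKDF2-HMAC-SHA1, SSID as salt,
4096 iterations, 32-byte output). SSIDs, passphrases and the wordlist below
are constructed.
"""
import hashlib

# 802.11i limits a passphrase to 8..63 printable ASCII characters; anything
# outside that range can never be a valid PSK, so a cracker skips it.
MIN_PASSPHRASE, MAX_PASSPHRASE = 8, 63


def wpa_psk(passphrase, ssid):
    """Derive the 256-bit PSK exactly as the access point and client do."""
    if not (MIN_PASSPHRASE <= len(passphrase) <= MAX_PASSPHRASE):
        raise ValueError("WPA passphrase must be 8..63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def dictionary_attack(target_psk, ssid, wordlist):
    """What a coWPAtty-style tool does after capturing a 4-way handshake:
    derive the PSK for every wordlist entry and compare.

    A real tool compares the handshake MIC rather than the PSK itself, but the
    per-word cost (4096 HMAC rounds) and the total dependence on the wordlist
    are the same. Returns the recovered passphrase, or None.
    """
    for word in wordlist:
        if not (MIN_PASSPHRASE <= len(word) <= MAX_PASSPHRASE):
            continue  # cannot be a WPA passphrase, do not waste 4096 rounds
        if wpa_psk(word, ssid) == target_psk:
            return word
    return None


# Constructed wordlist standing in for a multi-million-line dictionary file.
WORDLIST = ["password", "letmein", "coffeehouse", "linksys",
            "12345678", "tucson2008"]


def demo(ssid="coffeehouse-wifi"):
    """Returns (result for a dictionary passphrase, result for a long random
    one). The first is recovered; the second is not in any list."""
    weak_psk = wpa_psk("tucson2008", ssid)
    strong_psk = wpa_psk("gX7!qr9#Lm2$wZ0pV4^", ssid)
    return (dictionary_attack(weak_psk, ssid, WORDLIST),
            dictionary_attack(strong_psk, ssid, WORDLIST))


def same_passphrase_different_ssid(passphrase="tucson2008"):
    """The SSID is the salt: the same passphrase yields a different PSK on a
    differently named network, so precomputed tables only work per SSID."""
    return wpa_psk(passphrase, "linksys") != wpa_psk(passphrase, "my-home-net")


if __name__ == "__main__":
    cracked, survived = demo()
    print("dictionary passphrase recovered as:", cracked)
    print("long random passphrase recovered as:", survived)
    print("SSID acts as salt:", same_passphrase_different_ssid())
```

The block runs offline in a second or two; each wordlist entry costs 4096 HMAC-SHA1 rounds, which is precisely why the quoted advice says a long, complex key "would take longer" and why the only real defence against coWPAtty is a passphrase that is not in anyone's list.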