
Monitoring Matters

by: Ginger Hill - Wednesday, August 14, 2019

It seems Joe Public is shouting “privacy here, privacy there, privacy everywhere,” as people are pushing back against certain technologies that could, or people believe could, misidentify them and track, monitor and record their actions, or be the catalyst to their personal information and identity being stolen.

It’s a double-edged sword really; people want to use the technology to ensure safety and security, but at the same time, they want no interference with their privacy. It’s all or nothing. Unfortunately, we aren’t at a point with technology where “good” people are automatically excluded from the “bad.” However, one solution to protect privacy presented itself about a week ago at none other than DEFCON 27.

As over 25,000 security professionals and researchers, federal government employees, lawyers, journalists, and of course, hackers with an interest in anything and everything that can be hacked descended on Las Vegas’ Paris, Bally’s, Flamingo and Planet Hollywood Convention Centers, professional ethical hacker and now fashion designer Kate Rose debuted her weapon of choice against automated license plate readers (ALPRs) and surveillance: t-shirts, hoodies, jackets, dresses and skirts.

Known as Adversarial Fashion, each garment is purposely designed to trigger ALPRs and inject junk data into systems used by states and their contractors, which some believe are used to monitor and track civilians. Rose tested a series of modified license plate images against commercial ALPR APIs and created fabric patterns that LPRs read as if they were authentic license plates. Priced at 50 bucks, tops, the garments let you fool ALPRs with your clothes!

Don’t feel like shelling out your hard-earned money? Not to worry! Rose lists all the resources needed to make your own computer vision-triggering fashion and fabric designs on her site, along with a hyperlinked list of libraries and APIs, image editing tools, color palette extraction tools and textile pattern tutorials. In addition, slides from her DEFCON 27 Crypto and Privacy Village talk, “Sartorial Hacking to Combat Surveillance,” offer the following how-to guide for designing your own anti-surveillance clothes:

  1. Choose a recognition system and experiment with design constraints, starting with high confidence images.
  2. Test tolerances by making slight modifications to source images. 
  3. Make notes of “cue” attributes that affect confidence scores. 
  4. Plot enough images to determine what seems to work. 
  5. Use images that work to design a pattern and digitally print it onto fabric. 

I’m not too sure if this is a 5-step method to early retirement, but I can say people are demanding privacy and obviously, being very creative in their fight for it. 

by: Ginger Hill - Wednesday, August 7, 2019

Some people are calling it “social control,” some believe it’s exploiting the poor; others are saying it will “criminalize and marginalize” residents, while Congresswoman Ayanna Pressley mentions “rampant biases” especially with “women and people of color.” Sounds like “it” should be banned, right? Well, what if I told you I am talking about facial recognition biometric technology? Would that influence your decision to ban or not to ban this technology?

For the first time ever, a piece of proposed federal legislation addresses limits on biometric technology and tenants of public housing — the No Biometric Barriers to Housing Act of 2019, introduced by Congressional Democratic lawmakers Yvette Clarke from New York, Ayanna Pressley from Massachusetts and Rashida Tlaib from Michigan.

Here’s what the legislation would do: prohibit the use of biometric recognition technology in most public and assisted housing units funded by the Department of Housing and Urban Development (HUD) and require the department to submit a report to Congress. Required in the report would be the following:

  • Any known use of facial recognition technologies in public housing units
  • Impact of emerging technologies on tenants
  • Purpose of installing this technology in units
  • Demographic information of tenants
  • Impact of emerging technologies on vulnerable communities in public housing, including tenant privacy, civil rights and fair housing.

Several organizations support this legislation including:

  • NAACP;
  • The National Housing Law Project;
  • National Low Income Housing Coalition; 
  • National Action Network;
  • Color of Change; and
  • The Project On Government Oversight (POGO), a nonpartisan, independent watchdog that investigates and exposes waste, corruption, abuse of power, and cases where the government fails to serve the public or silences those who report wrongdoing.

POGO went so far as to pen a letter to the Congresswomen, citing that facial recognition systems have “registered false matches over 90 percent of the time in multiple law enforcement pilot initiatives,” and that Massachusetts Institute of Technology researchers, the American Civil Liberties Union and an FBI expert found “facial recognition technology is less effective in properly identifying women and people of color, raising civil rights concerns.”

Thus far, this legislation would only affect HUD housing; however, it could very easily trickle into other landlord/tenant situations as the hot topic surrounding public security seems to revolve around privacy.

by: Ginger Hill - Wednesday, July 31, 2019

It finally happened. Temps reached into the 100s in Dallas as Cyber:Secured Forum helped some security professionals stay cool inside The Westin Dallas Park Central while learning actionable takeaways and best practices related to maintaining and improving cybersecurity of security systems and solutions. While I gather my thoughts to bring you a detailed rendition of the past two days, now would be a great time to do a cybersecurity risk assessment on your system. 

Here are my “4 Preliminaries” (4Ps) to help you get started on your assessment:

  1. Perspective. Make a list of all information stored on your computer, online, in different apps and in the cloud, for example, work documents, apps, music, passwords, pictures, videos of your family, banking and credit card credentials, etc. Physically seeing how much precious data you have should be a wakeup call to protect it against cyber threats and attacks.
  2. Passwords. Make a list of all online accounts and their login credentials. 
  3. Peruse. Look through the list and carefully think about the value of each type of stored data. If it would be detrimental for anyone to gain access to a particular piece of data or online account, or for it to be lost, deleted or leaked online, put a star by it or highlight it.
  4. Posture. Take a position of defense against cyberattacks, cybercriminals and cyberthreats. To start, make sure all the passwords on your list are strong enough to prevent unauthorized access to your data. Each account needs a DIFFERENT, robust password of at least 12 characters, mixing upper- and lower-case letters, numbers and symbols in various combinations and positions within the password.

Once you’ve completed the 4Ps, google the phrase “cybersecurity risk assessment checklist.” This tool is available for free from different organizations and businesses. Choose the checklist that resonates most closely with your business, or take bits and pieces of a variety of checklists to create a custom list. Then, using the information you’ve already gathered from the 4Ps, get started answering the questions. You’ll be well on your way to learning exactly where your company is postured for cybersecurity as well as areas that need improvement. 
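As an added example (not from the column), here is a small Python checker that applies the Posture rules from step 4 to the account list gathered in steps 2 and 3; the pipe-separated inventory format and the sample accounts are my own construction.

```python
"""Checker for the "4Ps" inventory described above (added example; not from the column).

Assumes a constructed inventory in which each line reads
    account | starred | password
where 'starred' is '*' for accounts flagged in the Peruse step as high-value.
Passwords containing '|' are not supported by this simple format.
"""
import re
from collections import defaultdict

# Policy from the Posture step: at least 12 characters, mixing upper- and
# lower-case letters, digits and symbols; and no password reused across accounts.
MIN_LENGTH = 12
CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}

# Constructed sample inventory (not real accounts or credentials).
SAMPLE_INVENTORY = """\
bank          | * | Tr0ub4dor&3!xQ
email         | * | Tr0ub4dor&3!xQ
photo-backup  |   | summer2019
music-stream  |   | correcthorsebatterystaple
work-vpn      | * | C0mplex!Pass#2019
"""


def parse_inventory(text):
    """Turn the pipe-separated list into (account, starred, password) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        account, star, password = (part.strip() for part in line.split("|", 2))
        rows.append((account, star == "*", password))
    return rows


def password_problems(password):
    """Return the list of policy rules a single password fails (empty = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    for name, pattern in CLASSES.items():
        if not pattern.search(password):
            problems.append("no %s character" % name)
    return problems


def assess(text):
    """Apply the Posture policy to every account; starred accounts are listed first.

    Returns a list of (account, starred, problems), one entry per account, where
    problems also includes reuse of the same password by another account.
    """
    rows = parse_inventory(text)
    users_of = defaultdict(list)
    for account, _, password in rows:
        users_of[password].append(account)

    findings = []
    for account, starred, password in rows:
        problems = password_problems(password)
        others = [a for a in users_of[password] if a != account]
        if others:
            problems.append("password reused by " + ", ".join(others))
        findings.append((account, starred, problems))
    # Starred (high-value) accounts first, then accounts with the most problems.
    findings.sort(key=lambda f: (not f[1], -len(f[2]), f[0]))
    return findings


if __name__ == "__main__":
    for account, starred, problems in assess(SAMPLE_INVENTORY):
        marker = "*" if starred else " "
        status = "; ".join(problems) if problems else "ok"
        print("%s %-13s %s" % (marker, account, status))
```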


by: Ginger Hill - Wednesday, July 24, 2019

Being born in the late 70s, it’s been amazing to watch the evolution of computers, the Internet, cyber and the like. I remember sitting in my junior high computer class—7th grade, I believe. Working with BASIC on an Apple IIe, I wrote white code on a black screen that made a stick-figure man jump, dance and run when the user got the correct answer to the math problem presented on the screen. That, my friends, was high tech!

Now, the graphics are realistic and some even interact with voice; data is being produced and shared at the rate of zettabytes; and computers are turning into machine learners, all of which is absolutely amazing but at the same time scary as bad people have turned it into a free-for-all of mass hacking that is detrimental to people and society. 

Human security experts work tirelessly each and every day to keep people like you and me, and the world, safe; however, being human, they have their limits. For example, cybersecurity involves repetitive, tedious work: scouring big data to identify anomalous data points; long, exhausting hours of data analysis; and relentlessly monitoring data going in and out of enterprise networks. Enter the age of artificial intelligence (AI) in the security side of the cyber realm, known collectively as cybersecurity. Working alongside humans, AI can complement cybersecurity by performing the repetitive, tedious tasks; it can be trained to take predefined steps against attacks and learn the most effective responses going forward; and AI is fast and accurate with data analysis. This enables and empowers human security experts to use their talents and skills on other projects to further enhance cybersecurity.

Capgemini, a global leader in consulting, technology services and digital transformation, recently published “Reinventing Cybersecurity with Artificial Intelligence Report,” finding 61 percent of enterprises said they cannot detect breach attempts today without the use of AI technologies. That’s over half of the 850 senior executives surveyed from IT information security, cybersecurity and IT operations in seven sectors across 10 countries. And if that’s not eye-opening enough, check out these findings: 

  • 69 percent believe AI will be necessary to respond to cyberattacks; 
  • 73 percent are testing AI use cases for cybersecurity; 
  • 64 percent said AI lowers the cost and reduces overall time taken to detect and respond to breaches by 12 percent; and
  • 56 percent said their cybersecurity analysts are overwhelmed and approximately 23 percent are not able to successfully investigate all identified incidents. 

With numbers like these, it’s easy to see AI and machine learning are essential to cybersecurity now and into the future. So, here at SSN, we’ve taken a huge step to bring you the latest and greatest cybersecurity news with the addition of a “cybersecurity” tab on our website. Yep, that’s right … a whole section dedicated to all things cybersecurity!

To get a taste of our cybersecurity content check out the articles “Federal government aims to modernize physical security practices” and “Data forensics: time is of the essence,” and as always, we value your feedback. 


by: Ginger Hill - Wednesday, July 17, 2019

I’ve spent the last two days in Montreal, learning all about Genetec but also learning tidbits of powerful information about the security industry. I will be sharing my thoughts, observations and knowledge in the days to come, so stay tuned to our website. Here is a preview of what’s to come:

We sometimes take for granted how “precious an average day is and how much it takes just to make a day average,” Andrew Elvish, vice president, marketing & product management, Genetec said when it comes to ensuring safety and security each and every day. Further, we have to “make sure everything happens every day.”

Genetec does its part to ensure everything happens every day by creating security solutions as well as partnering with others who do the same. The company has a global footprint in which it grows organically, and it currently employs 1,500 people who speak 23 different languages. The company also invests 28 percent of its topline into R&D. Expansion efforts are focused on entering a market at the right place at the right time with an emphasis on building channels and channel partners.

Yesterday was filled with open, authentic discussions around hot topics within the industry with Genetec employees as well as people from outside the organization who work with Genetec. Topics of discussion included: the role of privacy in a digital democracy, the future of AI in security, privacy matters in security, ALPR and the role of parking in cities and a panel discussion about cannabis and security.

Today, I get the unique opportunity to visit the Montreal Casino’s command center to see security in action, demonstrating how everything happens every day.

Again, stay tuned to SSN’s website and print publication for in-depth coverage and knowledge sharing of this event.

by: Ginger Hill - Wednesday, July 10, 2019

Featured in Time magazine’s “Top 10 Public-Service Announcements,” the popular one from the 1960s, 70s and 80s went something like this: “It’s 10pm … do you know where your children are?” Being the ripe age of 42, I vaguely remember the tail-end of this campaign where a celebrity or publicly known person — Joan Rivers, Jane Seymour, Darryl Strawberry, Paul Stanley, etc. — would appear on the TV screen at 10pm or 11pm, depending on location, and ask this almost sinister question of moms and dads waiting for their dose of the nightly news. During this time, several cities across the U.S. had adopted new curfew laws and this was the late-night reminder to parents.

Since then, it’s been parodied several times: CNBC asks, “It’s 4 o’clock … do you know where your money is?” while Monster.com asks, “It’s 6 o’clock … do you know where your career is?” And, my personal favorite: “It’s 10am … do you know where your coffee is?” While these are fun and playful sayings and marketing tactics, there’s a lot of truth to be discovered by answering that simple, historical question that remains ingrained in society. So, I ask you, the IoT manufacturer, the security installer, the IoT user: “It’s 10pm … do you know what your IoT devices are doing?” If you can’t answer that question, you may have a security/privacy issue. 

In response to IoT devices, their security/privacy issues, and the lack of laws and governance of these little electronic baubles, several organizations have developed IoT “guidelines” to help developers create, manufacturers build, and consumers purchase and use more secure IoT products:

Security Systems Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Security Systems

By: National Institute of Standards and Technology (NIST) 

This publication, targeted toward security engineering professionals, provides principles and concepts and explains how these can be effectively applied to the creation of IoT devices and other security-related devices. It recognizes that no system can be engineered to be absolutely secure and trustworthy; rather, the focus should be on “adequate security,” making sure the device addresses the user’s security concerns.

IoTSF Compliance Checklist

By: IoT Security Foundation

With several free, downloadable publications related specifically to IoT security, the IoT Security Foundation is on a mission to “Build Secure, Buy Secure and Be Secure.” They offer a tool called “IoTSF Compliance Checklist” that helps IoT manufacturers create devices that are within contemporary best practices. The checklist opens as an Excel document, with tabs that take the person through the entire process of compliance, starting with assessment steps; covering device hardware, software, operating systems and interfaces; and concluding with issues such as encryption, privacy, cloud and network elements and device ownership transfer.

IoT Security Guidance

By: The Open Web Application Security Project (OWASP)

With the familiar look of a Wikipedia page, this guide speaks directly to IoT manufacturers, developers and consumers, offering specific and general recommendations. It’s laid out in an easy-to-read chart and bullet point format. It addresses 10 key categories such as insecure web interface, poor physical security, privacy concerns and insecure cloud interface; tells what security issues the manufacturer, developer and consumer should be aware of; and offers recommendations to remedy such issues.

Future Proofing the Connected World

By: Cloud Security Alliance’s IoT Working Group

This PDF guide offers 13 steps to developing secure IoT products, but it also describes exactly why IoT security is needed and addresses some of the common security challenges for IoT users. The 13-step process starts with developing a secure methodology and ends with performing internal and external security reviews. 

IoT Security Guidelines and Assessment

By: GSMA

The goal of these guidelines and assessment is to help create a secure IoT market with trusted, reliable and scalable services. The guidelines include 85 secure design, development and deployment recommendations, along with security challenges, attack models, risk assessments and examples. The assessment, based on a structured approach yet providing a flexible framework, addresses the diversity of the IoT market while covering the whole ecosystem.

by: Ginger Hill - Wednesday, June 26, 2019

Being a part of the security industry as a journalist, it intrigues me how much security-related knowledge is floating around out there in cyberspace, magazine articles, books, newspapers, TV … any and all media outlets really. Take just a moment and think about this: at any given time, we can access information via our smart devices about any topic we choose. Seriously, let that soak in for a minute …

The conclusion? Knowledge is power, as the saying goes; there’s even a Twitter hashtag dedicated to the adage: #KnowledgeIsPower. And, as I learned from my dad, it’s the one thing no one can take away from you. But I want to challenge this with: knowledge is power, but taking action based on that knowledge is powerful. Knowing something is only half the battle; it’s action taken because of knowledge that creates power-filled outcomes, which truly supports, and adds truth and value to, this concept.

With that in mind, The Monitoring Association (TMA) has joined with APCO International, the world’s oldest and largest organization of public safety communication professionals, calling on us — security industry professionals — to support a bill. To make an educated decision, we must gain knowledge: 

Name of the bill: 9-1-1 SAVES Act.

Type of bill: bipartisan, bicameral, simple and zero-cost.

What the bill would do: fix the federal classification by appropriately grouping Public Safety Telecommunicators with other “protective” occupations. 

Why this is important: our federal government currently classifies 9-1-1 operator positions as administrative/clerical, in the same group as secretaries, office clerks and taxicab dispatchers. While 9-1-1 operators do sit at desks, working on computers and phones, would you agree or disagree that this is an inaccurate classification and a disservice to the lifesaving work and dedication of these professionals?

TMA’s and APCO’s argument: Public Safety Telecommunicators should be classified as Protective Service Occupations. This includes a broad range of “protective” occupations such as lifeguards, gambling surveillance officers, fish and game wardens, parking enforcement workers, firefighters, playground monitors and more. These organizations believe reclassification is common sense, and about getting Public Safety Telecommunicators the recognition they deserve for the work they do every day to protect and save the lives of the public and first responders. 

Now that you have the knowledge, it’s time to take action. Here are your two choices: 

  1. Do nothing. After all, not taking action is in essence making a decision.
  2. Send a letter. APCO’s website offers a dynamic form where individuals can provide key contact information and the appropriate letter is sent automatically to your U.S. senators and representatives. (I just did. It literally takes less than 1 minute.) 
 
by: Ginger Hill - Wednesday, June 19, 2019

According to urbandictionary.com, the somewhat “official” definition of “trippin’” means “when someone is overreacting or getting all ‘bent out of shape’ over something small.” And while most of the more popular IoT devices present themselves as a small physical footprint — for example, Google Home is only 3.79 inches in diameter, 5.62 inches in height and only 1.05 lbs. while on the other side of the ring, fighting for market share is the Amazon Echo Plus Voice Controller, 2nd Generation, standing at 5.8 inches tall, 3.9 inches in diameter and weighing in at 27.5 ounces — they can pack a huge, unsettling punch when it comes to security. 

Having taken an interest in IoT devices in terms of security, I’ve written previously about what connected smart home IoT devices are REALLY doing as well as covered IoT devices from the perspective of trust, in which California is the first state to pass a bill, Senate Bill No. 327, that will require IoT manufacturers to equip devices with “reasonable” security features, effective in the year 2020. Maybe government control of IoT devices is a step in the right direction, maybe not, but the fact remains that, according to a report from Zscaler, over 90 percent of data transactions from 270 different IoT devices developed by 153 device manufacturers, including smart watches, digital home assistants, medical devices, smart glasses, industry control devices and more, are UNencrypted! This exposes these devices to hackers intercepting traffic and stealing or manipulating data, known as man-in-the-middle (MitM) attacks.

Let’s take a moment to explore a real-life MitM attack and how these attacks can rob people just like you and me of our security. 

Meet Paul and Ann Lupton from England: happy, proud grandparents of baby Oliver, who had purchased a flat (aka apartment) in south London for their daughter, Tracey, Oliver’s mother. After the birth of Oliver, Tracey moved to a bigger home, so the Luptons decided to sell the flat for approximately $429,200 … quite a nice chunk of change, and apparently some “others” thought so too.

Perry Hay & Co. in Surrey emailed Mr. Lupton requesting the bank account details into which the money from the sale should be paid, and he replied, sending his Barclays bank account number and sort code (a six-digit number that identifies the bank, in this case Barclays, and the branch where the account is held). It was a seemingly innocent action, but his email was intercepted by fraudsters who posed as Mr. Lupton and quickly emailed Perry Hay & Co. again from Mr. Lupton’s email account, instructing the company to disregard the previous banking information and send the money to a different account.

The sale completed and Mr. Lupton, none the wiser, sent the funds to the criminals’ account totaling almost half a million U.S. dollars! 

Mr. Lupton responded by contacting Perry Hay & Co. and the crime was (very fortunately) discovered, and it was fairly easy since Barclays was the account provider for all three involved — the Luptons, Perry Hay & Co. and the fraudsters (hmmm, maybe not too smart on their part?!). The Luptons ended up retrieving about $342,000 of their money.

While the Luptons’ situation didn’t involve IoT, per se, and it did have a rather happy ending since they got some of their money returned, it demonstrates what could happen if a hacker taps into one of your IoT devices, your smart home speaker, for example, and listens while you discuss private issues — account numbers, addresses of the schools your children attend, when you’re going on vacation so your home can be burglarized and the like — with your household.

By no means am I an IoT “hater,” (as Urban Dictionary so eloquently puts it). I understand the useful and positive impacts these devices can have on the everyday; however, I do believe security should be the top priority when introducing an IoT device into your life. 

Maybe more manufacturers should be “trippin’” and then “encryptin’” their IoT devices’ data!

by: Ginger Hill - Monday, June 10, 2019

From the showroom floor and education sessions to motivational speakers, one-on-one interviews and central stage talks led by SSN as the premier media sponsor of ESX, the goal of #PassionateSecurity was more than fulfilled. In my opinion, this passion for security was best seen as industry peers openly shared their experiences with others via conversations, interactive education sessions, networking events and receptions—even if that meant sharing with the competition, all in the name of keeping security as top priority.

One of the unique things that happens at industry events is that an overarching theme will emerge, one that “everyone” seems to be talking about. At ESX 2019, that was the customer and employee experience. This takes empathy and the ability for security professionals to put themselves into the shoes of their customers as well as their employees to understand how they feel and what they truly need. The result? Employees feel appreciated, leading them to embrace a “servant” mentality toward customers, doing whatever it takes to ensure nothing but greatness, which fosters excellent customer experiences when working with your company. (Hence, #PassionateSecurity.)

Case in point: I was honored to moderate the education session “Sales vs. Operations: 6 Ways to Turn Conflict into Collaboration,” where Jeremy Bates of Bates Security, Paul Hevesy of Stanley Security and Suvankar Roy of Xfinity Home shared some amazing tips on how to bond sales and ops teams together so that the customer benefits. One easy-to-implement tip presented was “Thankful Thursdays,” where people on the sales team identify someone they are thankful for on the ops team and why, and of course, the ops team does the same for the sales team, and then voice this during cross-departmental meetings. This fosters a culture of appreciation and gratitude within the company, which spills over into customer interactions by sales and ops team members, and helps to enhance the overall customer experience.

And, speaking of unique … this year at ESX, SSN live-broadcasted the central stage talks, hosted by Editor Paul Ragusa, via Twitter. Below you will find a list of informative quotes that emerged from each on-stage security professional. Simply click on their name to be transported to their specific talk to gather even more valuable tips, tricks and insights. It’s like sitting in your living room with knowledgeable security professionals, sharing a cup of coffee and chatting about the industry! In fact, grab a cup of coffee and sip along as you view! And, please don’t forget to “like,” share and comment on each one.

ESX 2019 Central Stage Talks

“The two touchpoints today are the voice of the customer and the customer experience. At the end of the day, I think it’s the personal relationships that are going to differentiate those well-sought-after companies.” 

Ivan Spector, president, TMA

“They [the customer] want the latest video camera, door locks, but at the same time they don’t want to have 50,000 apps. They want simplicity.” 

Celia Besore, executive director, TMA

“Really what we need are salespeople who can ask better questions: what’s the problem we’re trying to solve? What is it that they [the customer] is trying to accomplish? Not just be so product oriented but solution oriented.” 

Gretchen Gordon, president, Braveheart Sales Performance

“One of the strategies we use is to let citizens know how a policy like verified response, which means that it confirms some criminal or attempted criminal activity before the police will respond, will affect them.” 

Stan Martin, executive director, SIAC

“Almost all the features that we do in our panel, all the technologies that we put in there, are a direct result of listening to our customer’s feedback.”

Jeremy Mclerran, senior director of marketing at Qolsys Inc.

“ … there’s DIY and DIT, “do it together,” and I think dealers are figuring out how that’s going to work … customers are taking some responsibility for their systems … I think the more that there is opportunity for the consumer to become aware of their security system and some of the features it delivers for them, whether it be convenience features or peace of mind features, the more they’re willing to spend to add onto and grow, I think that will grow our entire industry.”

Mark Hillenburg, executive director of marketing, DMP

“On average, consumers spend four hours or more installing their DIY security system in the home, so the market tends to push toward ‘do it for me.’” 

Dina Abdelrazik, senior analyst, Parks Associates

“We [ESA] are launching an assessment exam which I think is something we’ve needed in the industry for a long time … because we have so many training courses, we have this vast array of test questions. So, we took all that information and put it together in a software package; we can actually have a technician take an exam, and that will give us the information we need to understand where their strengths are from a technical standpoint and where their weaknesses are. And, then we can develop a roadmap for the member to put that technician on a path to improve their weaknesses and maybe even accentuate their strengths.” 

Merlin Guilbeau, executive director, ESA

“One of the great things around the smart home being more common and more useful is it brings a lot of awareness. It wasn’t too long ago, we’d have to explain to a client or prospective client what was possible with their system; whereas now, people understand you could control your lights with your phone. You can decide whether or not that’s of interest to you.” 

Mike Jagger, president, Provident Security 

“On the commercial side, it’s really all about cameras; it’s really about video and everything that video can do … that’s not just driven by market demand, but it’s also driven by legislation and local governance.” 

Steve Firestone, president, Select Security 

by: Ginger Hill - Tuesday, June 4, 2019

It’s my first visit to Indiana and it’s amazing to be spending my time at ESX 2019 learning about new trends and happenings in the electronic security industry. The day opened with a breakfast panel: Nate Williams from Kleiner Perkins and Alex Pachikov of Sunflower Labs, both of whom highlighted focusing on the customer as well as the customer experience as it relates to the security solutions created and offered. Education sessions followed and then Rick Rigsby took the stage as the luncheon keynote speaker, sharing his views on getting back to the basics when it comes to excelling in the security industry as well as life in general. The motivation Rigsby shared with the audience can be experienced on Twitter @SSN_Ginger.

Once the showroom floor opened, our Editor, Paul Ragusa, took the central stage, interviewing leaders within the industry. The knowledge shared can be seen on my Twitter @SSN_Ginger. 

Tomorrow’s agenda is filled with time on the showroom floor, education and more motivational keynote speakers, so stay tuned for a recap of things learned at ESX 2019 and be sure to follow me @SSN_Ginger for live Tweets and videos of the action! 
