Wednesday, January 29, 2014

Security of Security Cameras - Part 1

Security cameras have been the first line of defense for many organizations, governments, schools and colleges when it comes to defending against crime. This trend has been around for many years, and using a security camera is still at the top of the list. According to research carried out by the Urban Institute, there is indeed a drop in crime rates when such cameras are installed and used in the “Right way”. Now let us emphasize the words “Right way”. Nowadays the traditional closed-circuit TVs (CCTV) have been replaced by IP-based security cameras, which give customers the great functionality of anytime, anywhere viewing. While many customers may think that this is an advantage to them, it is actually of just as much benefit to those committing crime.

Now you may wonder why we say so.

In the case of CCTV, all the data, images etc. would remain “secured”. In the case of IP-based cameras, on the other hand, all the data is transmitted and available on the World Wide Web.

Figure-1 Funny camera sticker.

It is quite easy to forget the threats that these IP-based cameras could pose. A simple Google search would answer all the queries regarding the threat scenario of implementing an unsecured IP-based camera.

IP-based security cameras have all the vulnerabilities that any other data network possesses. The issue arises because anyone is able to install a camera, but not everyone is aware of the vulnerabilities associated with the installation. As these cameras are easily reachable over the internet, a lot of privacy issues arise and sensitive information can be accessed. Apart from these vulnerabilities, the important thing to note is that many of these cameras run internal web servers on unsecured channels rather than a secure channel, i.e. HTTPS. This causes credentials to be transmitted in clear text over the network.

Another such issue is that these cameras also run insecure File Transfer Protocol (FTP) sessions instead of more secure sessions, i.e. SSH. Running a secure session would enable image transfer between the client and the server in an encrypted format. However, in most cases the data is not encrypted and is sent over the LAN, MAN or WAN, where unauthorized users can gain access to sensitive information pertaining to the organization. The information collected can then be used to attack more networks in the organization.

This unauthorized access to cameras is useful for people who are interested in cam spying. The manufacturers of cameras use a consistent URL string to access the camera, thereby allowing anyone capable of using Google to access them. If you Google “inurl:/view/index.shtml” you will find thousands of such insecure IP-based cameras. If you are unaware of the search terms to use, there are several websites available that already have a list of terms that can be used.

Criminals can watch all of this while sitting in a coffee shop or in their living room. They would have ample time to plan their attack and take notes regarding the layout, dimensions, etc. What is even scarier is that most of these cameras have features such as pan and tilt, which aid the criminal in pointing the camera towards a specific location and gathering more detailed information about it. These features can also be used to divert the camera view to another location while an attack is being performed.

Figure-2 Camera in office.
Figure-3 Camera in a zoo.
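For a camera owner, the consistent viewer URL described above is also something to look for in their own logs. The following is an added example, not code from the original post: it scans web access-log lines for requests to that viewer path from outside the site's own networks and notes whether the visitor arrived from a Google result. The log lines, the internal address ranges and the function name are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import urlparse

VIEWER_PATH = "/view/index.shtml"  # URL string quoted in the article
# Assumption: the site's own address ranges; adjust to your network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "10.0.0.0/8")]

# Constructed Combined Log Format lines; external IPs are documentation ranges.
SAMPLE_LOG = '''\
192.168.1.20 - - [29/Jan/2014:09:12:01 +0200] "GET /view/index.shtml HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.45 - - [29/Jan/2014:09:14:37 +0200] "GET /view/index.shtml HTTP/1.1" 200 5120 "http://www.google.com/search?q=example" "Mozilla/5.0"
198.51.100.7 - - [29/Jan/2014:09:20:10 +0200] "GET /view/index.shtml HTTP/1.1" 401 310 "-" "Mozilla/5.0"
10.0.0.5 - - [29/Jan/2014:09:21:44 +0200] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0"
'''

LINE_RE = re.compile(
    r'(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"')

def external_viewer_hits(log_text):
    """Return one alert per request for the viewer page from a non-internal source."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith(VIEWER_PATH):
            continue
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # source logged as a hostname; cannot be classified here
        if any(src in net for net in INTERNAL_NETS):
            continue
        referer_host = urlparse(m["referer"]).hostname or ""
        alerts.append({
            "src": str(src),
            "time": m["ts"],
            "served": m["status"] == "200",           # viewer page delivered to an outside address
            "via_search": "google." in referer_host,  # visitor followed a search result
        })
    return alerts

if __name__ == "__main__":
    for alert in external_viewer_hits(SAMPLE_LOG):
        print(alert)
```

An alert with `served` set means the viewer page went out to an address outside the listed networks; `via_search` suggests the camera is already indexed.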

As this information is available from a simple Google search, business entities have a legal and ethical responsibility not to expose access to such data to the public. Thus, entities should take measures to implement a security procedure. These procedures should focus on areas such as ensuring that only authorized personnel are allowed to have access to the data that is on the server.

Also, as pointed out earlier, one of the problems is the level of knowledge of the person installing the surveillance equipment. All such equipment has built-in password functionality, and some of the more advanced equipment has facilities such as data encryption. It is the responsibility of the entities to research and select the equipment which is best suited to the organization's needs. Selecting the equipment is only half the job; verifying that the organization or installation company has proper installation knowledge is the other half.

The installer, who generally has limited knowledge, will install a system with all the default settings or will leave a weak password, i.e. one with fewer than 8 characters and without upper-case, lower-case and special characters. This returns us to the point originally raised, i.e. the “Right way” of installation. The installation of such devices has to be combined with network security in order to truly secure the business.
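The installation weaknesses named in this post (web interface without HTTPS, image transfer over FTP, default or weak passwords) can be checked against a camera inventory after installation. The following is an added example, not code from the original post; the inventory records, field names and the short list of factory passwords are constructed assumptions.

```python
import re

# Constructed inventory; the field names are this example's assumptions,
# not a vendor export format.
CAMERAS = [
    {"name": "lobby-cam", "web": "http", "transfer": "ftp",
     "password": "admin", "internet_exposed": True},
    {"name": "dock-cam", "web": "https", "transfer": "sftp",
     "password": "Tr4ffic!Cone-Yard", "internet_exposed": False},
    {"name": "zoo-cam", "web": "https", "transfer": "ftp",
     "password": "Giraffe2014", "internet_exposed": False},
]
# Constructed sample of factory passwords; extend from your vendors' manuals.
FACTORY_PASSWORDS = {"", "admin", "password", "12345"}

def password_issues(pw):
    """Apply the post's rule: 8+ characters with upper, lower and special."""
    issues = []
    if pw.lower() in FACTORY_PASSWORDS:
        issues.append("password is a factory default")
    if len(pw) < 8:
        issues.append("password shorter than 8 characters")
    if not re.search(r"[A-Z]", pw):
        issues.append("password has no upper-case character")
    if not re.search(r"[a-z]", pw):
        issues.append("password has no lower-case character")
    if not re.search(r"[^A-Za-z0-9]", pw):
        issues.append("password has no special character")
    return issues

def audit(camera):
    """Return the list of findings for one inventory record."""
    findings = []
    if camera["web"] != "https":
        findings.append("web interface not on HTTPS: credentials sent in clear text")
    if camera["transfer"] == "ftp":
        findings.append("image transfer over FTP: images unencrypted in transit")
    findings.extend(password_issues(camera["password"]))
    if camera["internet_exposed"] and findings:
        findings.append("reachable from the internet with the issues above")
    return findings

def audit_all(cameras):
    return {c["name"]: audit(c) for c in cameras}

if __name__ == "__main__":
    for name, findings in audit_all(CAMERAS).items():
        print(name, findings or "OK")
```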

That’s it for the first part of this blog post. In the second part we will dive into detail on how network intrusion through such devices is to be prevented.

Tuesday, January 21, 2014

Telspace Systems top security predictions for 2014

Happy New Year everyone! To welcome in the new year, Telspace asked two of its Security Analysts what they think the top security predictions for this year are. Here are their responses:

Dimitri Fousekis, Security Analyst / Team Lead

1. Increase in financial security breaches

For a while, things seemed relatively quiet on the credit card and financial data breach front. However, 2013 ended with a bang when Target was hacked and over 150 million of its clients’ credit card details were stolen. 

I believe this trend will continue into 2014, but will take on a new approach as focus is shifted to electronic currencies such as Bitcoin. With the opening of new and more secure Bitcoin repositories (as well as insurance policies for Bitcoin), there will be increased attention from attackers. However, credit cards will definitely not escape attackers’ attention and payment gateways (such as Paypal) will come under fire as well.

2. Backdoors and spying – let the games begin!

With so much recent focus on the NSA and its rather questionable tactics for obtaining data, ascertaining just how far and how deep their reach goes will be highlighted in the coming year. The increased probing will no doubt reveal other spying entities and more backdoors we did not know existed, which will further pressure governments and corporates to take measures in protecting users and their data.

Additionally, it will be the year where corporates will either begin aligning themselves with government agencies by defending them – or drawing very clear lines to distinguish themselves from them. Both strategies will yield interesting and varied results.

3. Malware anyone?

Malware saw its fair share of growth in 2013, but 2014 will be the year we see an increase of malware into embedded systems and consumer hardware. 

There are already reports of malware on USB devices, SD cards, etc. and this will continue to grow this year – expanding the realm of where and how malware operates. This will be influenced by both government agency backdoors as well as by increased consumer data and credit card theft as malware moves into the retail/point-of-sale arena.

4. The year of encryption

Again, being driven by the global focus on government spying and countries prying into user data, 2014 will see definite changes in encryption technology, as well as where (and how) encryption is used. It will now become necessary to encrypt data that did not previously require encryption. The introduction of new methods and algorithms into the encryption realm will bode well for the security industry, but this phase will not be free of initial hiccups, resulting in the odd breach, as less mature solutions are implemented initially. Either way, 2014 will see a significant increase in how people protect their data, what data they choose to protect, and who they trust to handle it.

5. Cloud computing – bitter, sweet, and maybe salty

Cloud computing uptake will no doubt increase exponentially this year. The buzzword still has much life in it with regards to what it can offer and companies will drive hard to deliver cloud computing methods in 2014. However, adopting cloud systems comes with its share of obstacles - the new technology will be plagued by new privacy rules, general users will experience a lack of faith due to data being hosted in other countries and territories, and there will be a plethora of new targeted attacks as cybercriminals fight to gain access to these large repositories of profitable, centrally-stored data. 

Rhys Mossom, Security Analyst

1. Malware/Ransomware

According to the McAfee Q3 Malware report 2013, there were a staggering 50 million newly identified virus signatures added to their databases. Specifically, there has been an increase in so-called Ransomware, a further rise in botnets, and a higher number of malware targeting Bitcoin wallets. 2014 will see a continued rise in malware development and detection.

Some notable examples are:
• Pony Botnet - Botnet and bitcoin thief
• Prison Locker - Ransomware

2. Mobile devices

With the new culture of Bring Your Own Device (BYOD) comes a myriad of security concerns that are currently being faced and addressed. The RSA Europe conference last year postulated that there would be a dramatic rise in Ransomware infecting mobile phones, and a more recent announcement by McAfee reiterated this claim. 

Additionally, companies are now faced with the problem of company personnel bringing in personal cellular access points, often bypassing company security policies and transmitting sensitive data over an unsecured, out-of-band channel. This adds to the list of vectors an attacker could pursue. 

3. Cloud storage 

There has been a great rise in companies opting for the use of cloud storage solutions, as they require less maintenance and generally give the impression of being more secure. However, one of the consequences of businesses moving away from centralised data storage is often that less energy is spent ensuring the client side is secure. For this reason I believe we will be seeing more attacks on both cloud storage centres, and an escalation of man-in-the-middle attacks on the client side.

4. Irresponsible disclosure

Within the last four years we have had some pretty notable irresponsible disclosures of vulnerabilities. Within the industry of ethical hacking and cyber security in general there is a lack of public understanding as to what ‘responsible’ disclosure should entail. To name some of the recent debacles that have resulted due to the act of irresponsible disclosure in chronological order:

• Julian Assange – WikiLeaks
• Edward Snowden – NSA
• Moe1 - E-Toll System
• A recent disclosure by a reputable firm of ethically suspect hacking ‘how-tos’ that relate directly to financial and government institutions.

5. Greater migration of users to decentralised web content

Even with the recent bust of Ross William Ulbricht from the infamous Silk Road (an online store where a customer would be able to trade illicit drugs globally or even hire the use of professional hitmen), the idea of a decentralised anonymous internet certainly appeals to many people and shall continue to attract illicit and depraved activity.

Well, that’s it from our 2 analysts. On behalf of everyone at Telspace Systems, we hope you have a great 2014!