Archive for March, 2013

2G Sunsets For 4G Traffic

Wednesday, March 20th, 2013

Cell carriers have decided  2G networks must go to make room for 4G networks

This brings back memories of the analog network sunset back in February 2008. Everyone (almost everyone) was affected. Cellular customers had to ditch their old analog cell phones and move to digital units. Soon after followed the explosion of smart phone technology. No coincidence. The advent of the smart phone could not have occurred without the analog sunset. The analog bandwidth was not even fractionally sufficient to carry the smart phone data. There was a cost in terms of money, comfort level and learning curve. Most of us got over it, and found that life was just better in the digital world.

Alarm systems were affected in a HUGE way. Many alarm systems used analog cellular transmitters to increase security and alarm signal transmission reliability. Security dealers had to explain to customers that their cellular units were in need of an upgrade, or they would stop working at the end of that February in 2008. It got ugly at times, but we got over that too, and found that we could leverage that digital cellular technology to provide our customers with remote control and notification services for their alarm systems and CCTV systems.

Now we are looking at another sunset. As of December 31st, 2016, the 2G digital networks will be shut down to make room for the more capable 4G (LTE) network. This will affect the same people the last sunset affected. Cellular 2G telephone unit users will need to upgrade to 4G units. Alarm system users will need to upgrade their communicators to the 4G standard.

What is driving this sort of activity? Simply put, customer demand. The major carriers would like nothing better than to stop pouring investments into improving the cellular network. But their customers would mutiny and jump ship in droves. Cellular users demand more services delivered to their hand, and alarm system users want more remote control and remote video viewing power.

Alarm owners are getting used to an idea that cellular telephone user came to grips with already; you need to change your cellular technology (and all associated equipment) about every 5 years (6 maximum) to stay on the network.

We were all a bit better prepared for this sunset, we have been through it before and heeded the warnings way in advance. Safe-T-Tech has been installing 4G communicators for over a year now. And that’s a good idea, because there is a really huge problem that is not talked about so much. You see, its not like on the sunset date the 2G network will just stop working. It will stop working completely on that date, but right up to that time it will also be steadily degraded, as carriers take down 2G equipment from cell towers to make room for the 4G equipment. We have seen some outage areas already, and we are still about two years from the sunset.

Call your alarm dealer to find out if this sunset will affect you. The sooner you make the switch, the more secure you will be.

I look forward once again to a better life in this new (newer) digital age.

CCTV System Used As Hack Vector

Saturday, March 16th, 2013

Last post I was ranting on about security dealers possibly, inadvertently, opening their customers to criminal hacks.

Most of these situations might occur because the dealer was negligent (leaving the equipment default password unchanged is classic) or the dealer was simply clueless about computer and network security. Or the dealer did every thing correctly within his/ her power, but the IT department or infrastructure was at fault. Or it was an ‘inside job’.

Two days after my post, a casino in Melbourne Australia was robbed of $33,000,000.00 (33 million dollars) by criminal hackers. The crooks were able to gain access to the casinos extensive CCTV system.

You can read the full article here as reported on 03/15/13 by Wired.com Magazine. The criminals were apparently able to remotely gain access to the high resolution cameras in the high stakes poker room and help a ‘high roller’ player cheat by seeing the other players cards.

It remains to be seen how the hack was actually accomplished, as the investigation is still ongoing. It may have been an inside job, or a savvy criminal hacker may have found an opening in the casino security firewall or equipment and used that as a vector for this exploit (hack).

How would a black hat hacker know about this sort of vulnerability? Hackers of all color hats read manuals (which often have the default log-in information). They also probe the network to find un-patched vulnerabilities. Or some one may have compromised or corrupted an actual employee (called a social engineering hack or pretexting).

U.S. gambling expert Barron Stringfellow was quoted by ABC Melbourne as saying “Accessing a casino’s internal video monitoring system is not as hard as you would think. It’s very easy to intercept a signal from many casinos that don’t take precautions” (and making me cringe). You might think that this kind of attack is common from watching Hollywood movies, but actually, a properly implemented system should be almost impossible to break into. Honeywell has many cameras and DVR’s (digital video recorders) that can tell when they are being tampered with. It is a security system after all and engineered to prevent this sort of thing. The weakest link in the chain almost always comes down to the human element.

It will be very enlightening to find out what actually occurred. Of course, the casino may not want comment on the real events. They (like most financial institutions) that are compromised, would rather lose the money that give their customers the impression that their finances are not safe. The only way to find out what happened may be by paying attention to people (white hats) close to the hacker culture. This can be done by doing things like listening to radio talk shows, listening to pod cats, reading magazines (yes, hackers do all these things and they are available to the general public if you pay attention) and using Google to search for hacking events. Don’t worry, the Fed’s won’t come after you. I was at a hacking conference and the NSA was there openly trying to recruit hackers who were attending. The Director of the NSA made to key note speech at the conference. This is the sort of thing you would notice only if you were looking for this sort of thing.

Security dealers need to be aware of the possibility of an electronic attack as well as a physical intrusion. The line between the two is becoming increasingly thinner.

Security System Dealers & Hackers

Tuesday, March 12th, 2013

Why does your security dealer seem to know more about computer hacker culture and activities than your comfort level finds necessary?

Because they need to be.

The answer to “Why?” can be grasped with some well informed information.

Understanding what a hacker actually is, and the various activities they involve themselves with can help shed some light on the subject.

The word hacker has taken on a meaning for many people, mostly due to mass media, as some one who engages in illegal computer and network activities.

In my mind, the word hacker is synonymous with the word tinkerer. Some one who is curious about technology, exploring it, and often modifying it to better suit their needs. Many hackers write computer code and therefor can look right into the heart of programs and see were the flaws are. Then they can fix them and make them better and more secure, (good guys), or use them for crimes (bad guys).

Ham radio operators are a classic example of the above, they were the first real electronic hackers. Building and modifying their own radios to make them better, more powerful, etc. Then, as our nation developed a public telephone system, people began to explore that (and sometimes exploit it). Then came computers. Then came networks. Then came the Internet. People began acquiring personal computers.

People (hackers) saw this vast landscape of interconnected computer networks, and being curious by nature, just had to explore it!

As hackers began exploring, many ran afoul of the law when they trespassed into other people’s networks. Some learned their lessons and stayed within the law. Many went on to careers in the budding field of computer and network security. They founded companies like Kaspersky, Symantec, Norton, Gibson research, McAfee, etc. Some hackers went on to careers in crime. Some hackers found some middle ground.

Hackers are generally and VERY loosely classified by their activities. White hat hackers are the good guys, black hats are the criminals, grey hats operate in the gray area between legal and questionable. Depending on personal ethics, some hackers change hats as suits the situation.

White hat hackers are often employed by computer security companies to find out what the black hats are doing, and find patches and fix flaws.

When a black hat “hacks” your computer, it is often a exploit (“hack”) that uses a vector (entry point) that was either a recently discovered software or hardware flaw, or a computer that was not updated with the most recent security patches, or a component that is connected to the network but not properly configured for security.

Security dealers not only daily connect security devices to existing home and corporate networks, but these days are in fact installing security systems that are wireless and hard wired networks in themselves.

Some times security dealers are creating the vector for the black hats by installing equipment that requires doing things like opening ports in fire walls. Does the dealer really understand what the consequences of their actions could lead to? They will when it is explained by the prosecution in a court of law.

I believe security dealers owe due diligence to their customers by playing the part of a white hat. Don’t expose your customers to an electronic attack while trying to protect them from a physical attack. That means learning a bit about hacking. And computer and network security in general. If you are not sure, partner with an IT specialist.

Today I am an electronic security system dealer. I design, sell, install and service CCTV systems, access control systems, intrusion detection systems and fire alarm systems, often integrated across corporate networks . Years ago I was in an Army Ranger unit. We were made to study Soviet tactics and doctrines. We actually learned to service and fire Soviet weapons (don’t ask where they came from). We were learning how the enemy operated so we could anticipate their actions.

The same logic applies to the security business. Security dealers should know the tactics of criminals, and that includes criminal hackers.

Security dealers that routinely deal with corporate networks and IT departments are expected to know the basics of computer and network security. If they can’t prove that they know what they are doing, the IT people will consider them a possible vector, and show them the door.

All security dealers should be ready to put on a white hat when needed. I’m not advocating that dealers spend years learning computer security skills, but I am advocating that if you don’t know what you are truly doing, then don’t!