Dick Posted November 30, 2015 Share Posted November 30, 2015 I think that's too much of a sweeping statement.An opinion you're entitled to. If your line of expertise is not important then your view may be taken as much the same, without some form of clarification to the guys who post on this forum would you not think? Indeed it may, Jim, but It doesn't alter the findings or my opinions on the very same. Just curious, you seem quite angry and defensive probably work related I guess? Not angry or defensive in the slightest. Why on earth you'd come to that conclusion is beyond me. I'm merely saying it as I see it because I don't have to pretend all is well in the world of security like some of you guys obviously are. 1 Quote Link to comment Share on other sites More sharing options...
norman Posted November 30, 2015 Share Posted November 30, 2015 Yes, yes you are. Dick Quote Nothing is foolproof to a sufficiently talented fool. Link to comment Share on other sites More sharing options...
Dick Posted November 30, 2015 Share Posted November 30, 2015 Breathe deeply, count to ten, and get off that Daily Mail website... See my response to Norman. Yes, yes you are. Dick Yes, yes you are what, Norman? 1 Quote Link to comment Share on other sites More sharing options...
datadiffusion Posted November 30, 2015 Share Posted November 30, 2015 Yes we're so convinced everything is alright, the hate is just palpable through the screen towards Cybergibbons, we definately don't want him here and certainly don't encourage him to post his findings on here... Quote So, I've decided to take my work back underground.... to stop it falling into the wrong hands Link to comment Share on other sites More sharing options...
norman Posted November 30, 2015 Share Posted November 30, 2015 Angry. Quote Nothing is foolproof to a sufficiently talented fool. Link to comment Share on other sites More sharing options...
Dick Posted November 30, 2015 Share Posted November 30, 2015 Angry.I suppose if you can't manage a decent post on CG's findings something is better than nothing. His findings have no bearing on me whatsoever but I note them with interest, nothing more. When it comes to security I'm an end user so evaluating the information is important should I go a particular route. However, the results haven't come as a total surprise, the level of incompetence on the other hand has though. 1 Quote Link to comment Share on other sites More sharing options...
MrHappy Posted November 30, 2015 Share Posted November 30, 2015 the level of incompetence on the other hand has though. you from an IT back ground ? Quote Mr Veritas God Link to comment Share on other sites More sharing options...
Dick Posted November 30, 2015 Share Posted November 30, 2015 you from an IT back ground ? Seriously, shouldn't you guys be asking about CG's findings rather than trying to play Give us a Clue with me? 1 Quote Link to comment Share on other sites More sharing options...
PeterJames Posted November 30, 2015 Share Posted November 30, 2015 I don't have to pretend all is well in the world of security like some of you guys obviously are. None of us are pretending anything, there has been and all ways will be ways around security systems, so long as the kit is one step ahead of the type of burglar expected then whats to worry about? I understand that there are vulnerabilities with some of the signalling options available, but I also understand the risk and anyone with any real intelligence are unlikely to want to risk their freedom for low value. On the other hand if something is worth protecting then its worth protecting properly that means understanding the risk. I have been in this industry for over 25 years now and I cant think of a burglary where any real technical intelligence has been used. Though I have seen many clever burglaries in my time 3 Quote Link to comment Share on other sites More sharing options...
Dick Posted November 30, 2015 Share Posted November 30, 2015 None of us are pretending anything, there has been and all ways will be ways around security systems, so long as the kit is one step ahead of the type of burglar expected then whats to worry about? I understand that there are vulnerabilities with some of the signalling options available, but I also understand the risk and anyone with any real intelligence are unlikely to want to risk their freedom for low value. On the other hand if something is worth protecting then its worth protecting properly that means understanding the risk. I have been in this industry for over 25 years now and I cant think of a burglary where any real technical intelligence has been used. Though I have seen many clever burglaries in my timePeter, the lack of any real input from installers on here has been noted and not just by myself. One point of CG's findings is that serious vulnerabilities can't be patched in some cases so keeping one step ahead of threats isn't going to happen. You may well have been in the industry since Noah but we are in 2015 now and facing a different kind of threat from, in some cases, kids younger than your favourite pair of socks who have more technical knowledge than most, if not all, any old school installer on how these things tick. You talk like a bigger cost option is definitely more secure than a cheaper device but maybe CG has more to come to dispel that belief.Grade 3 security aside who wants their automation equipment being messed with as is happening now with things like central heating being turned up at daft hours by a hacker? Expecting proper secure coding isn't much to ask is it? 1 Quote Link to comment Share on other sites More sharing options...
al-yeti Posted November 30, 2015 Share Posted November 30, 2015 (edited) Peter, the lack of any real input from installers on here has been noted and not just by myself. One point of CG's findings is that serious vulnerabilities can't be patched in some cases so keeping one step ahead of threats isn't going to happen. You may well have been in the industry since Noah but we are in 2015 now and facing a different kind of threat from, in some cases, kids younger than your favourite pair of socks who have more technical knowledge than most, if not all, any old school installer on how these things tick. You talk like a bigger cost option is definitely more secure than a cheaper device but maybe CG has more to come to dispel that belief. Grade 3 security aside who wants their automation equipment being messed with as is happening now with things like central heating being turned up at daft hours by a hacker? Expecting proper secure coding isn't much to ask is it? Why not just tell em your a house basher who dabbles with diallers, but to be a pro house basher like me you got to realise customers will rarley use outputs on themSo although I am a hard core house basher, monitoring is not my business model , house bashing is just wack a dialled in with the odd one paying for a gsm as well Off topic hkc needs a free basic app lol Edited November 30, 2015 by al-yeti Quote Link to comment Share on other sites More sharing options...
Dick Posted November 30, 2015 Share Posted November 30, 2015 Why not just tell em your a house basher who dabbles with diallers, but to be a pro house basher like me you got to realise customers will rarley use outputs on them So although I am a hard core house basher, monitoring is not my business model , house bashing is just wack a dialled in with the odd one paying for a gsm as well Off topic hkc needs a free basic app lol Just like every village has one, a forum does too and it is never that long before they appear. 1 Quote Link to comment Share on other sites More sharing options...
norman Posted November 30, 2015 Share Posted November 30, 2015 Peter, the lack of any real input from installers on here has been noted and not just by myself.There's plenty of input in the trade part of the forum. Quote Nothing is foolproof to a sufficiently talented fool. Link to comment Share on other sites More sharing options...
jimcarter Posted November 30, 2015 Share Posted November 30, 2015 Seriously, shouldn't you guys be asking about CG's findings rather than trying to play Give us a Clue with me? I think you are right and the focus should be back on the topic, unfortunately I have to remain rather cautious as the subject is a competitive service. CGs work is very good and has been endorsed not only by me but Texecom in a separate thread. This is an extremely important topic and one that we (WebWayOne) take incredibly seriously, indeed we have argued at the standards committees that all communications should be at the highest level, no matter what the risk. It makes absolutely no sense to say "well its only low risk so we don't need to bother about security, its never happened before and probably never will". That is insane. Because as Dick says, it may not be a security product that is hacked, it may be something simple to disrupt companies or peoples lives. We advocate (and deploy) AES encryption techniques at every level, it should be a standard requirement. Period. The implications of a security breach or published weakness cannot be underestimated and if you cannot update your software remotely then the impact on the end user, installer etc are immense. Just look at the security updates you get for your PC, MAC or firewalls as an example. Imagine if Microsoft could not remotely update their software, there would be queues for miles outside PC world etc for updates. Hence we have always deployed flash upgradeable equipment. Quote Jim Carter WebWayOne Ltd www.webwayone.co.uk Link to comment Share on other sites More sharing options...
datadiffusion Posted November 30, 2015 Share Posted November 30, 2015 not just by myself No, it really is just yourself. Quote So, I've decided to take my work back underground.... to stop it falling into the wrong hands Link to comment Share on other sites More sharing options...
Dick Posted November 30, 2015 Share Posted November 30, 2015 There's plenty of input in the trade part of the forum. Ah, OK. That's a pity those with an interest aren't allowed in but I get why not for the most part. I think you are right and the focus should be back on the topic, unfortunately I have to remain rather cautious as the subject is a competitive service. CGs work is very good and has been endorsed not only by me but Texecom in a separate thread. This is an extremely important topic and one that we (WebWayOne) take incredibly seriously, indeed we have argued at the standards committees that all communications should be at the highest level, no matter what the risk. It makes absolutely no sense to say "well its only low risk so we don't need to bother about security, its never happened before and probably never will". That is insane. Because as Dick says, it may not be a security product that is hacked, it may be something simple to disrupt companies or peoples lives. We advocate (and deploy) AES encryption techniques at every level, it should be a standard requirement. Period. The implications of a security breach or published weakness cannot be underestimated and if you cannot update your software remotely then the impact on the end user, installer etc are immense. Just look at the security updates you get for your PC, MAC or firewalls as an example. Imagine if Microsoft could not remotely update their software, there would be queues for miles outside PC world etc for updates. Hence we have always deployed flash upgradeable equipment. Superb post, Jim, and one that should be replicated by other companies but sadly doesn't appear to be the case.No, it really is just yourself. Righto. Quote Link to comment Share on other sites More sharing options...
al-yeti Posted November 30, 2015 Share Posted November 30, 2015 Head 1 Quote Link to comment Share on other sites More sharing options...
PeterJames Posted November 30, 2015 Share Posted November 30, 2015 Peter, the lack of any real input from installers on here has been noted and not just by myself. One point of CG's findings is that serious vulnerabilities can't be patched in some cases so keeping one step ahead of threats isn't going to happen. You may well have been in the industry since Noah but we are in 2015 now and facing a different kind of threat from, in some cases, kids younger than your favourite pair of socks who have more technical knowledge than most, if not all, any old school installer on how these things tick. You talk like a bigger cost option is definitely more secure than a cheaper device but maybe CG has more to come to dispel that belief. Grade 3 security aside who wants their automation equipment being messed with as is happening now with things like central heating being turned up at daft hours by a hacker? Expecting proper secure coding isn't much to ask is it? With regards to home automation hacking that would really be down to a suitable firewall I think you have to see it from the everyone's point of view, I would like to think that most installers would use a decent bit of signalling kit to protect high risk property with value, and a signalling kit proportionate to the risk in all other cases. This is why we do a risk assessment, the value of the contents dictates the likeliness of the system being compromised. You have to also take into account that some inside information is needed before any attempt can be made, you have to know that the system you have hacked is the same property you are trying to break into, you also have to know there is not another form of signalling medium protecting the property. As yet I havent seen anyone compromise a system this way, just because it can be done does not necessarily mean that it will happen, in theory I could survive a bungy jump it doesn't mean I am going to do it (And yes I know millions do but there have been many killed despite safety checks) Quote Link to comment Share on other sites More sharing options...
al-yeti Posted November 30, 2015 Share Posted November 30, 2015 These days it's hard for them to know if any signalling exists anyway , they will try it on if they really want your stuff Quote Link to comment Share on other sites More sharing options...
cybergibbons Posted December 1, 2015 Author Share Posted December 1, 2015 It would be good if we could keep this on-topic if possible. My personal feeling is that the risk here is not to individual properties unless they are very high value. I don't know what does the signalling when you get up to the highest values - most of the really at risk places have 24/7 guarding. Possibly some CNI stuff - certainly big substations are unmanned, but then they already have SCADA links in place and I would imagine alarm stuff goes over the same channels. That said, I think we need to start thinking about attackers that aren't Billy Burglar. As PeterJames said, technical attacks on alarms by burglars are not yet happening. I can think of other attacks though: Sending huge numbers of spoofed alarms, causing ARCs to be inundated and guarding services and police to be unable to respond. A great distraction whilst you do something like the Hatton Garden job. Bricking hundreds of alarms using UDL (because the UDL protocols behind signalling devices have poor security as well) Using a signalling device in a botnet to perform DDoS attacks or send email Using a signalling device as a pivot to attack a network The last one is the one that really interests me. I've used DVRs to pivot into networks on pen-tests several times now. They are generally not secure and once I am on them, I can use them to attack the rest of the network. No one suspects these little devices of being malicious. Installers don't know networks so can't firewall or partition them. IT won't touch them because they are installer by a third party. The current Dualcom boards can't be used as a pivot because they are physically incapable of it. I guess that is a saving grace. I think we also need to look at the standards in more depth. The Dualcom boards I looked at are certified to be compliant, but there is no way that a competent third-party would certify them. What did CSL tell Intertek? Who messed up here? The standard demands the encryption - it's planned for a technical attack. Just to add - the installers here have generally been welcoming and positive about the work. But an installer who spends their time on a forum is probably one of the more involved and knowledgeable - it's the rest of them that need convincing! Quote I have a blog, some of which is about alarm security and reverse engineering:http://cybergibbons.com/ Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.