Jump to content
Security Installer Community

Search the Community

Showing results for tags 'cctv'.

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Main Public Area
    • Site News, Events, and Feedback
    • Name And Shame Area
    • Introduce Yourself
    • Product / Service News
    • Members Lounge (Public)
    • Guest Forum
    • FORUM TRADE MEMBERSHIP
    • Regulations & Standards
    • Misc Area
    • UK Security Installers by regional Police Force
    • Collectors And Vintage Security & Fire Parts
  • Global Section
    • Security Job Requests and Vacancies
    • Equipment Reviews
    • General Security & Fire Queries
    • !!..DIY Installers..!!
    • Electrics
    • Inspectorate Queries
    • UK Security Sub-Contractors
    • User Manuals
    • Security Horror Stories
    • Setting-up Business Queries
    • Trade ADT Only Engineer Forums
  • CCTV & Access Control Area
    • CCTV & Access Control
    • Trade Access Control
    • Trade CCTV Forums
  • Fire Area
    • General Fire Alarm Queries
    • Trade Fire Forum
    • Restricted Trade Fire Forum
  • Intruder Alarm Section
    • Control Panels (Public)
    • Detector Queries (Public)
    • Home / Building Automation (public)
    • Trade Only Area
  • Telecoms & I.T. Forum
    • General Telecom Queries
    • Networks
    • Computing etc
    • Mobile Devices
  • Trade Security Resources
    • Security Intruder Manufacturers
  • BSIA Commitees
    • SSS TC1
    • SSSTC
    • Regulation Drafts
  • Communal Trade`s Forums
    • Members Lounge
    • Trade Member Listings
    • Security News
    • Installers & Engineers Forum
    • Getting Approved..?
    • Rules and Regulations
    • Health & Safety
    • Basic Electronics
    • Trade Job Vacancies & Queries.
    • Equipment Wanted....
    • Engineer Manuals
    • The SWAP's Shop
  • Trade - Intruder Forums
  • Trade ACCESS & CCTV
  • Trade Fire Alarm Forums

Categories

  • Applications
  • Documents
  • Documents (Trade Members Only)
  • Engineer / Installation Manuals, Training & Application
    • Access Control
    • CCTV
    • Fire
    • Intruder Alarms
    • Training
  • User Manuals
    • Access Control
    • Fire
    • Intruder Alarms
  • Sales Brochures
    • CSL Dualcom
    • Honeywell
    • Texecom
    • Web Way One

Blogs

  • Service Engineer's Blog
  • Service Engineer's Blog
  • arfur mo's Blog
  • therealmophead's Blog
  • jb-eye's Blog
  • jb-eye's Blog NICEIC making up charges for certs
  • jameswilson's Blog
  • Smoke Screen's Blog
  • Jim's Blog
  • The Messenger
  • Electronic Security & Technology
  • digitalwitness' Blog
  • Operational Security & Management
  • The Scantronic & Menvier Tat Blog

Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


AIM


MSN


Website URL


ICQ


Yahoo


Jabber


Skype


Location


Interests


Location

  1. Hi, I work for a firm in kent and thought i would sign up for a mixture of advice to give and hopefully receive. we install/maintain intruder, fire, cctv and access. Hi everyone. steve
  2. hi I currently have a site that has 15 remote sites with the really old dedicated micros dvip units in them which currently have pelco domes running on them working on the Pelco coaxatron option. my client wants to upgrade these dvrs but wants to do it as cheap as possible but at the same time wants reliability does anybody know a good value dvr that has pelco c protocol available and is reliable many thanks grant
  3. Unmanned Aerial Vehicles Some press exposure was given recently to the news that Secom are actively looking to utilise ‘drones’ for the private security market on a rental basis. [1] This appears to relate to the American market with the rental price given in dollars, yet is the UK market also ready to consider the possibilities? The usage of drones, also referred to as Unmanned Aerial Vehicles (‘UAVs’), in the military sector has been known about and discussed widely for quite a while now. However, the typical lapse into commercial operations is beginning to take place quite quickly now and with the addition of Chinese CCTV market into the mix along with a thriving amateur hobbyist community (thankfully both non-weaponised for now) we are now able to consider the application of this technology in a serious manner in relation to the UK electronic security industry. [2] Scope Drones generally come many forms, it seems though that two main types are established at the moment in the commercial and civilian markets – ‘Multicopter’ types which are devices with several rotors designed to assist in direct and immediate flight and the more traditional aircraft types similar to model planes. Drones are defined as “an aircraft without a human pilot on board. Its flight is either controlled autonomously by computers in the vehicle, or under the remote control of a pilot on the ground or in another vehicle” This also leaves open the possibility of a drone definition as an unmanned aircraft under the control of a pilot in a remote location. ARCs & UAVs – A good match? There are some restrictions in the utilisation of drones in the UK. The Civil Aviation Authority (CAA) states that drones can be flown without a pilot's licence as long as they meet the following criteria: They must weigh less than 20 kilograms Remain below a height of 122 metres Remain within visual line of sight of the pilot Remain within 500m of the pilot Only be flown away from populated areas and airports Pilots must also be able to take over manual control if required Permission must be sought from the CAA [3] [4] This would seem to prevent the deployment of drones by remote centres but how would this affect an Alarm Receiving Centre ('ARC') with trained and licensed pilots with drones utilised under regulatory control for protection of a building? What about site based rooftop drones, which have a single application following an activation of flying directly upwards, transmitting footage from an aerial viewpoint before descending to recharge again? Protection in the event of a fire or duress situation could be more effectively managed perhaps with aerial thermal imaging and CCTV. Would manual PTZ control of such devices and utilisation of 4G for transmission purposes open up a new avenue for protection of property? Would we, in this scenario, eventually be petitioned by the police to take things a step further and follow suspects away from the property whilst they are en route so as to assist in a successful arrest? The use of two way audio in combination with a flyover by a drone device could be a powerful tool to deter would be burglars from a property. With a carefully managed marketing exercise to demonstrate effective results (similar to the smartwater approach) we could as an industry add another difficult to overcome layer of protection causing less well prepared miscreants to be caught and/or identified more effectively. Considerations There are some caveats to consider of course as with any new technology. Weather restrictions – wind shear, storms affecting flight Fog and other visibility issues restricting vision – much as with tradtional CCTV Recharging the UAV – Contact based charging solutions are now viable however Communications – The usage of robust 4G and 5G solutions should resolve this Auditing – On board encrypted SD cards should assist here Security of control – An important issue which I will describe below in more depth Health & Safety – Any such vehicle could potentially cause an accident or harm if lost Privacy – As always privacy concerns would have to be addressed and respected [5] [6] On the issue of security of control I would like to point out that where control of a Drone is intercepted by a third party we must be able prove that such action has taken place. There ought to be mandatory requirements regarding the security of access in line with current standards relating to all other security equipment in use. Though the application may be different the same level of care ought to be considered. This leaves us with some more questions to ask and discuss with regards the impact on and usage of UAVs within our sector: Would you consider implementing this technology? Do our current standards suitably allow for this technology to be utilised? Is it appropriate for ARCs to implement licensed pilots for this purpose? Would installers consider implementing these devices in specific installations? Does an aerial viewpoint offer advantages over properly sited CCTV? Should individual ARCs be licensed to pilot security UAVs? Would a single RVRC specialising in remotely controlled UAVs be a better approach than many RVRCs/ARCs offering individual solutions? As always, please feel free to discuss, sharing your thoughts and views on this subject… References: [1] – Engadget.com – Secom offers a private security drone (December 2012) [2] – Wired.co.uk – Here come the drones… (July 2012) [3] – Civil Aviation Authority – Policy for Light UAV Systems (May 2004) [4] – Civil Aviation Authority – CAP722 Guidance (August 2012) [5] – Global Research – Civil liberties and the CAA (December 2011) [6] – Youtube – BBC coverage of increased drone usage (Decembe 2012)
  4. Change is coming, like it or not... There is currently a movement by many businesses within our industry to get involved with much more than just 'vanilla' alarm installations. What does the near and distant future hold for those involved with service delivery, manufacturing, installation or the monitoring of such systems? Are we truly on the way to Security 2.0? It is a clichéd term, but we are currently on a one way street towards our industry either embracing other technologies and service offerings OR facing the very real prospect that our services will be provided by other industries in our place. They will not provide these at a standard which is anything close to our current quality and performance, yet with the apparent move towards an eventual privatisation of emergency response and with apathy from some key stakeholders towards resolving these issues we must accept that maybe the way we have always done things is not perhaps the only viable solution. Growing demands of the 'hyper-connected' generation... End users have been somewhat spoilt by an age of technology that has provided information at their fingertips. Interaction is available instantly, on-demand and in several different formats allowing end users to decide to use their laptop, phone or several other mediums to check their status and to provide a means for them to control. This has been also available in our industry in many ways with smart phone apps for control panels, CCTV systems and direct access to control their alarm monitoring. This is not going far enough though. This is control in a granular fashion with multiple applications and protocols being used and a 'clunky' approach to solving issues and having to cross reference several systems to get answers. The user experience (UX) needs to improve drastically if we are to keep up. Events such as CES2013 have highlighted the developments in white goods and home automation systems showcasing smart homes and their benefits. This has the potential to develop into an 'expectation' in new homes as clients look to a UX that matches the rapid pace of their changing demands. What, where and how.. So where do we fit into all this, considering there is already an established and rapidly growing industry providing home automation and AV solutions? As an industry we have previously provided 'system integration' which allowed end users to benefit from the best in class of each type of product whilst still allowing such systems to work together in what was a seamless manner offering a fantastic UX as far as the end user is concerned. This has always been a strength in our industry and one that we have shown great expertise in, though this has been supported by rigorous standards and protocols with flexibility and the enforcement of these among equipment manufacturers. If we are to provide the same level of interoperability with evolving markets and next generation products that are not yet available (Google Glass / iWatch / Etc...) then we need to begin to agree on how we are going to achieve this. One of the most critical points is to try and avoid the closed (proprietary) protocol approach and inflexible standards that have stifled our industry to date which have been a major part of our inability to move as quickly as the technology has. We should consider being less technology specific and aim to instead define in our standards a clear end goal and aspirational targets yet with scope for multiple methods of meeting these. Standards are by their nature outdated as soon as they are released. We should aim to find ways to improve engagement with their development and enforcement and look to other industries to ensure that we are delivering the best possible offering. Is the current system effective at delivering the intended aims such as protecting end users? One of the most crucial elements is to select the most appropriate 'eco-system' of a platform and protocol combination that will support developments and allow complete interoperability. Choosing a winner... In moving forwards there are currently several platforms to allow communication between our current systems and likely potential future developments. We already have some systems available to support building management and 'smart home' systems: X-10: Basic protocol which has been in use for a while. Uses home power network Z-Wave: Widely supported product range and was the first wireless protocol Modbus: Very basic wired serial connectivity Insteon: Enables wireless comms on X-10 format and improved UX ZigBee: Newer wireless technology but struggles if multiple manufacturers kit used Both Z-Wave and ZigBee have an alliance behind them to promote the benefits of the platform and to support uptake. In some cases a combination of these technologies can be used to acheive the end result. For example some Smart Meters use Modbus protocol to exchange data via an RS232 port but then Z-Wave or ZigBee or others, to then pass that information on outside the device. So how do we pick a winner from all of these standards and more? What benefit is there from all manufacturers and system integrators using the same languages? We can focus on patching and fixing multiple disperate protocols until we are blue in the face, or, we can all agree on an approach and then put that same energy into developing the possibilities that are enabled through the agreed technology. There may be countless disagreements at first, but if we can stand united as an industry then that would give us strength to tackle some of the more difficult challenges and showcase the potential of our place in this emergent market. We have in the past struggled to work collaboratively, but social media and changing attitudes now mean that we can have much more open and frank discussion and can see the immediate benefits of doing so. As an industry we have a lot to offer and we can create world class solutions when we work effectively. I am optimistic that we can all pick a winner and that we can all succeed. I would ask all readers to consider what they can do to work effectively with others to ensure that we provide a solution that puts us on the map as world leaders in innovation and effective collaboration. Legal Notice: All images and logos remain trademarks of their respective owners and are used in accordance with the fair use of a copyrighted work for purposes such as comment, criticism, news reporting, teaching or research.
  5. Ghost in the machine... With around three quarters of remotely accessible CCTV systems allowing intruders free access to invade privacy and compromise entire corporate computer networks, is it time to say 'enough is enough' to manufacturers and insist upon firmware changes to improve security control? This is not isolated to consumer level CCTV platforms only. Many 'professional' DVRs & NVRs are installed with default administrator accounts unchanged or additional accounts created and system owners given control over the default account (which they then fail to change). This means that anyone who is able to connect to the unit remotely can simply enter the default username & password (which can be found within seconds through a simple google search in almost all cases) and then have access to the system as completely as if they were standing in front of the unit. To compound matters further CCTV systems are rarely secured to only allow specific IP addresses to connect to them and at the same time they broadcast their presence through banner information given out to any device that queries the unit (This means it is easy to find such devices in the wild). In ~80% of installations the default passwords remain in place for the first three months. This drops to an average of ~70% after three months as some systems are made more secure by their removal. This still leaves vast numbers of units out there which can be listed by country / ISP / city, or date of installation and more which are openly accessible to any IP address. Some examples: AVTech - Over 420,000 units exposed - (14,000 in Great Britain / 12,000 in America) Hikvision - Over 710,000 units broadcasting - (10,000 in Great Britain / 16,000 in America) Dedicated Micros - Over 18,000 units detected - (8,000 in Great Britain / 7,000 in America) You might be thinking, so what, it's just CCTV - what's the worst that can happen? It should be remembered at all times that modern DVRs are in effect computers in most cases. Usually based on linux these machines are carrying out a specific task but can be put to use for other non DVR activity with ease. Each compromised DVR is in effect an open computer allowing anyone and everyone access to a corporate network potentially. If security of the DVR is poor then it is possible that network security within a corporation is equally lax. Last year a CCTV module was added to a tool called Metasploit, widely used in the blackhat community this tool allows users to attack a DVR, testing default access and brute forcing passwords. The fact that CCTV systems are often the weakest point of entry on a network is not lost on attackers and those who seek to maliciously access systems. Whose fault is it really?... It can sometimes be difficult to pin down exactly where the fault lies as there is a blurring of responsibilities in some contractual agreements. A professional installer may fit a DVR and put in place a secure username and password combination for remote management or viewing by a remote RVRC or ARC. They may also advise the system owner to put in place ACL (Access control lists) so that only authorised IP addresses are allowed to connect to the device as well as giving advice on blocking netbios responses and port forwarding. However, if a user insists on being able to access the device remotely and chooses to keep the simple to remember default account and not to implement such measures then the machine can remain vulnerable. Often the company responsible for installing, maintaining or monitoring the system does not have control over the network used by the device for transmission. Even if the password is changed there exist a large number of exploits on known DVRs and in many cases these and similar exploits can be applied to other DVRs as the programming code is sometimes not as secure as it ought to be. The CCTV hardware sector has been under intense price pressure in recent years and with a downward spiralling price index it has been common to see a reduction in the number of developers and code writers employed by some companies which could potentially increase the risk of security holes remaining in a product. In the event that a breach receives widespread mainstream media coverage it does not just reflect badly upon an end user themselves as the security industry on the whole would receive bad press even if not at fault. How do we fix it?... In part this may require some contract review to ensure that clear definitions are in place by all businesses as to the responsibility that both they and the client hold. Clear understanding must be given as to the potential risks and good practise should be recommended in securing the unit. Perhaps a move towards mobile broadband and IPv6 will mean that we can take back control of securing the communication channel? We must however tackle the issue of default user accounts existing in the first place. There is no need to have such accounts any more. Even if such accounts could be made unique to each device it would be an improvement, but in an ideal world the units would prompt for a unique username and password combination on first powering up with an option to default the unit only by an physical action on the unit itself in some secure manner. Dedicated Micros units for example come configured with up to five seperate default accounts of which three have admin level access and allow full control over a unit. Are your engineering teams ensuring that all of these accounts are removed? I recently asked the technical support staff at several DVR manufacturers why they still use default accounts despite the huge risks involved when they are regularly left in place? I was repeatedly advised that it made their job much easier when providing remote support to users and engineers. Newer Axis cameras feature the technique of forcing a password change on first access and it is much more secure as a result. We should be hammering the doors of manufacturers to ask them to indtroduce this approach in their new firmware revisions (no hardware change should be required in most cases). We should also be encouraging the standards to push towards a more robust approach to handling default accounts. Manufacturers often boast of how much value is protected by their devices (it's a safe boast that does not reveal how many units they sold) - It is this same value that is potentially at risk. The next time you are presented with new CCTV equipment or a new manufacturer, ensure that you ask them how they ensure that their products remain secure as it is your reputation at stake. Action to be taken: Installers Check contractual agreements Ensure engineers trained in best practise Audit existing installations Verify guidance given to end users Ensure firmware is updated regularly Manufacturers Remove generic default accounts Deploy an effective mechanism for security Check existing exploits to ensure none affect your units Keep up to date with new exploits Notify your clients when you discover older firmware is at risk Maintain a 'risk register' of some kind for trade members to be aware of potential risks End Users Protect their own networks by blocking Netbios Allow access only to specific IP addresses Change / Remove default accounts!! Use secure passwords (6 Characters or more / Alphanumeric / Mixed case) Ensure that internal communications to and from the device are restricted
  6. Security Flaw Some of you may be aware that last year there was some exposure given to a vulnerability in Trendnet camera firmware allowing access to their consumer webcam devices despite password protection being enabled. They claimed to have released a patch within a month to solve the issue and to have contacted every customer to advise them to update their devices. This is (despite the assurances of Trendnet) still a common issue, to help highlight it a real time map was produced showing where such devices were located and allowing you to connect directly to them. The website has now been taken down thankfully as the goal of highlighting the issue in mainstream media again was achieved. Professional Security This is a pretty good demonstration though of just how prolific an issue this can be when Joe Public gets his hands into the pot but it also reminds me of the many poorly secured 'professional' installations I have come across in my time (I'm sure you have too) and it is hopefully a wake up call to some businesses to improve their security practices. How would you feel if 'XYZ Security - Live CCTV feeds' was the next google map mashup launched showing devices which you are maintaining or monitoring? Also take note that despite the publicity around the Trendnet devices, they are not the only ones affected. There was a website called Shodan HQ launched some time ago which gives the ability to search devices which are 'web facing' (in other words can be connected to over the internet) and list those matching specific url strings or other flags. This offers much more capability than Google searches for example in highlighting potential 'target devices'. It is already possible now to list unsecured access points on some very well known 'professional' DVRs and NVRs. Ease of connectivity is very much a double edged blade. We must remember that many of the devices we use are now starting to utilise built in web servers and connectivity. Considerations How are you ensuring that you are aware when exploits are announced on devices you utilise? What are your plans to identify, notify affected users and upgrade potentially affected devices quickly and effeciently? Are you considering these issues when investigating new web facing technology? How do you measure for and protect against potential built in backdoor access to foreign equipment? As well as looking outwards at your clients are your own systems secured and protected? Is technology advancing too quickly to ensure adequate security is deployed? As always I welcome your thoughts, questions, answers and debate.....
×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.