Security Installer Community


Showing results for tags 'security'.









  1. Hello, We offer a range of telecommunications services as well as CCTV in the East of Yorkshire. You can find out more details here: Thanks Switch Networks
  2. Hey everyone, My name is Ross Harvey from Fuse Systems in Northern Ireland. Looking forward to inputting into this forum. Been in the industry for 20 years and loved every minute of it. If anyone is ever looking for advice, maybe quickly give me or the team a ring on ##REMOVED## as we offer 24 hour assistance ##REMOVED##
  3. Hello, We are looking for sub-contractors who have good knowledge of IP systems, preferably Samsung (Hanwha). We have a number of sites across the UK with these systems installed, which we are needing serviced. If you have IP knowledge or know of someone who does, please contact me at ###REMOVED### Many thanks, Katherine Stubbs
  4. Hi there, I'm just after some general advice regarding a security system I have installed in the house I just bought. It is a (C&K Securitech) Securit 700L, and the internal battery is apparently dead, as when the mains is cut, the external alarm (bell box) sounds, presumably powered by an independent back up battery. I have both the user and engineer guides (available online), neither of which have instructions for battery replacement. I would ideally like to know the model of battery required, and also which of the following methods should be followed to replace: EITHER 1) Remove cover from main panel (which will presumably trip a tamper alarm) - then enter the user code to acknowledge the tamper - then replace the battery, OR 2) Enter the engineer code - then remove the cover from the main panel - then replace the battery - then press reset. I'm hoping someone will have experience with this or other similar Securit systems and will be able to advise, then it should be a simple job to do myself. Any help greatly appreciated!
  5. Hello friends, I'm new to this forum and I want to know something from you members. Actually, I have a key safe (Police approved) and I'm quite satisfied with its quality. But, I want to know more such websites where I can buy these for my office and my dad's house.
  6. Hi, Are you in need of 4 experienced, competent and hard working electricians/fire alarm and security engineers? We are 4 electricians who have been working together for the past 5 years, and this has been predominantly doing fire alarm installation. We have sub contracted and been part of teams that have worked on big fire alarm and security installations such as the new Birmingham Dental Hospital/school of dentistry, both north and southbound new Gloucester gateway service stations, Perry Manor care home in Worcester, Daventry Hill Special School, and the new Westgate shopping centre in Gloucester. We have done work for companies such as GBE, Trinity, Ng Bailey and Unitech. We also have substantial experience in domestic Electrical work, having started out in this field, and have worked on some commercial Electrical projects too, the largest being the new Worcester university Sports Arena. All four of us hold Fire and security Installer ECS cards, and we all also hold IPAF qualifications in class 3a and 3b. Three of us also have SSSTS (Site Supervisor Safety Training scheme) certificates. We have worked with many different fire alarm systems, mostly Gent Vigilon and Apollo. We have some experience with Intruder alarm systems and Access control systems, and similar experience with CCTV systems also, but are very keen to become more knowledgeable in this field. We have all done most of our work as sub-contractors to a Worcester based Fire alarm installation company, but their work has begun to dry up, so we are looking to expand and hopefully provide an excellent service to other customers now. We would be very keen to possibly discuss sub-contracting to new firms, if this was something you would be open to. We eagerly anticipate your thoughts, and if you have any questions or queries, then please don't hesitate to call us on either Regards Scott Sellars Please read the forum rules before posting thanks
  7. Hello, I have the above alarm all working fine except for the doorbell, which is the Exit Terminate button in day mode. It says in the user manual, quote: Turning the Chime On/Off - Your system may be programmed so that a chime tone sounds whenever certain doors are opened while the system is unset. If your system has an Exit Terminate button, then it will act as a door bell while Chime is on. To turn Chime on or off: 1. Key in your access code. The display shows "_ _ " 2. Press 7 followed by y (Clear). I have tried this and it doesn’t work, is there a programming feature in E mode that I’m missing?... I’ve just reset the whole system in E mode and added the chime function to zone 1 (final exit zone) and have a brand new battery and all is working perfectly except for this one feature.. Please help. Many thanks, Clare
  8. Hello all, I am new to this site and looking for sub-contract work in CCTV and Security or Access systems, in and around the West Midlands. I have many years' experience, using Honeywell Galaxy, Pyronix etc, PAC and Paxton along with various CCTV systems, analogue and IP systems. I have my own unmarked vehicle along with all tools needed, including steps and ladders etc. I also have a CSCS card. Please contact me directly if you have any requirements. Best regards, Nick Harrison
  9. Hi all Cosmic Security is a recently established Fire & Security company based just outside London. We offer installation and maintenance services for Fire detection and Security systems; primarily covering the Home Counties, London and the South East. We have SSAIB and LPCB 1014 accreditation. If you hear of any need for services such as ours please let us know and we would be delighted to work with you. If you need to contact us then please message me or drop me an email: [DELETED]
  10. Welcome All! Located at Branxholme Industrial Estate in Bailiff Bridge; Federal Securities LTD is here for all your security needs, offering our services locally and nationally to domestic locations, building sites and to your business!
  11. Hello, I'm new to the site and CCTV. I have just purchased a Swann DVR4-4400 with two cameras plus I purchased 1 extra camera. Problem 1 - I purchased a standalone outdoor microphone from Maplin UK which connects via the camera power cord splitter and plugged audio phono into back of DVR. Sound was fine but after a short while it seems to die, it hums a little then crackles and dies. If I try again later it will work again for a short while... What could be happening? Problem 2 - It has 720P resolution but only offers 4 days continuous recording unless I lower resolution to 960H, then I would get the 30 days I was promised by the salesman! (feel a bit misled). Anyway, when I lower the resolution to 960H and it reboots it then suffers video loss and I can't seem to get it to work on 960H if I require 30+ recording. It will only work when I put it back to 720P. Any ideas what I may be doing wrong? Cheers.
  12. Hi everyone, We've got two rooms at the back of the property and both have double french doors. The doors already have a couple of "Sash Jammers" and multi-lock system, but I still feel unsafe as these are our main entry/exit points. What can we do to bolster these doors, so that they are very difficult to break in?
  13. We offer full packages from Supply, Install, Commissioning to follow on maintenance visits, we hold accounts with most UK wholesalers and suppliers so supplying the open protocol equipment isn't a problem. We are Fully insured 5m Public Liability and Indemnity and DBS checked giving you peace of mind, all Engineers are uniformed (no logo/Company branding) only "Fire and Security Engineer" logo on left breast. We have worked in a variety of different sectors, Schools, Factories, Hotels, Cinemas, Government Buildings, Power stations etc. We have built a good working relationship with our clients and built up trust to the point the companies have stopped taking on installation staff and solely rely on us. Why?..... No employment issues, Paying Holiday, Sick Pay, National Insurance and you won't be paying us to drink tea, we take on most of our work on a fixed price limiting the risk to your profit margins. All our Engineers are FIA unit trained and BS5839-1 and highly motivated, Experienced and skilled, we have 100% faith in them as industry friends and in time you will too. Please give me a call if we can help.
  14. Hi Everyone, I currently work for a Subcontracting Agency and we are always looking for quality installation, service and commissioning engineers that can work on all disciplines within the fire & security industry. We cover the whole of the UK and also have opportunities, for the right individuals, abroad. I am interested in hearing from all, old and new as my new position at CSR is all about upping the technical output of our service. Best Regards, Carl.
  15. Hi Guys & Girls, FSSUK LTD, a UK based wholesaler for IP and HD-TVI solutions, your one stop shop for everything CCTV related..... be nice, it's our first time here. You may have seen us at London IFSEC this year and ELEX toolfair at Event City in Manchester. Any queries please give us a shout
  16. We are NSI-Gold Fire and Security systems installers based in South West London [everything else edited - job advert]
  17. Hi guys! Hope everyone is well and enjoying the Christmas break! Firstly can I say thank you so much for providing me with great answers for some of my questions as I don't have many friends working in the CCTV sector it's great I have access to such a good forum. So I have another question yet again which is that we mainly do installations for supermarkets and shops but not many restaurants and homes, and wanted to ask how people go about installing cameras on plastered walls and ceilings where fishing and wiring walls is a nuisance?
  18. SECURITY SYSTEMS PERMANENT OPPORTUNITIES Supervisor Security Systems £28,000 + Overtime and Benefits Installation Engineers £25,000 + Overtime and Benefits Due to rapid growth, our client a Security Company is looking to expand their team and are recruiting for an experienced Supervisor for team of Installation Engineers (Access Control, CCTV and Intruder) as well as Installation Engineers in the Northamptonshire area. Our client installs a wide range of Intruder Alarms, CCTV & Access Control. You will have First and second fixing, commissioning, Client handover and client training experience. You will also be able to work to high standards and deliver a quality service. Fire Alarm knowledge would also be an advantage, but is not essential. Applicants must have previous Security Systems Installation experience and be able to demonstrate good attention to detail and application to work load. Key attributes: Must be able to work to own initiative and unsupervised Must have excellent communication skills both verbal and written. Must have a full driving licence Willing to travel nationwide Benefits: Travel allowance paid after an hour of travelling NO Call out Overtime Payments Company Vehicle Fuel Card Mobile phone For more information please call Hollie on for a confidential chat!
  19. Hello! I’ve joined this forum in order to ask specialists for their opinion and recommendation. Has anybody used access turnstiles produced by Perco (www.perco.com)? What is your impression, positive or not? Our enterprise is going to purchase a turnstile with access control system to put it at the building entrance. Employees and visitors flow is app. 500 persons in the morning and the same in the evening 5 days a week. We decided to install one tripod turnstile with traffic capacity not less than 20 persons/min. By this moment we fixed on Perco. Thanks for any suggestions.
  20. Hi All! I hope you don't mind me posting this but Blast Films may need you! CCTV STORIES Have you got a story to tell that involves CCTV? Do you have CCTV or has it played an important role in your life at some point? Has it been used to protect you or your family? Are you using it as evidence in a court case? Do you own a home recording system or know someone who does? Has your local community clamped down on crime by investing in home CCTV? Have you campaigned for more CCTV in your area? Do you enjoy recording your pet while out at work? Or have ever spied on your kids to make sure they’re doing their homework? Have you used it to prove a point in neighbourhood disputes? If this is you or you know someone like this, Blast Films would love to talk to you to help with our research on a new C4 series we are making. Please note, this conversation will be in confidence and you can remain anonymous, with absolutely no commitment to being involved in the documentary. Blast! Films are multi-award winning factual producers with one of the best reputations in British television for making thoughtful, topical documentaries. Some of our recent work includes the ITV Series Neighbourhood Force, the BBC TWO series The Tube made with London Underground and 999: What’s Your Emergency – Channel 4’s ratings hit of 2012 which returned October 2013. (You can have a look at all our back catalogue on our website: Please contact me
  21. Unmanned Aerial Vehicles

      Some press exposure was given recently to the news that Secom are actively looking to utilise ‘drones’ for the private security market on a rental basis. [1] This appears to relate to the American market with the rental price given in dollars, yet is the UK market also ready to consider the possibilities? The usage of drones, also referred to as Unmanned Aerial Vehicles (‘UAVs’), in the military sector has been known about and discussed widely for quite a while now. However, the typical lapse into commercial operations is beginning to take place quite quickly now and with the addition of the Chinese CCTV market into the mix along with a thriving amateur hobbyist community (thankfully both non-weaponised for now) we are now able to consider the application of this technology in a serious manner in relation to the UK electronic security industry. [2]

      Scope

      Drones generally come in many forms, it seems though that two main types are established at the moment in the commercial and civilian markets – ‘Multicopter’ types which are devices with several rotors designed to assist in direct and immediate flight and the more traditional aircraft types similar to model planes. Drones are defined as “an aircraft without a human pilot on board. Its flight is either controlled autonomously by computers in the vehicle, or under the remote control of a pilot on the ground or in another vehicle”. This also leaves open the possibility of a drone definition as an unmanned aircraft under the control of a pilot in a remote location.

      ARCs & UAVs – A good match?

      There are some restrictions in the utilisation of drones in the UK. The Civil Aviation Authority (CAA) states that drones can be flown without a pilot's licence as long as they meet the following criteria:

      • They must weigh less than 20 kilograms
      • Remain below a height of 122 metres
      • Remain within visual line of sight of the pilot
      • Remain within 500m of the pilot
      • Only be flown away from populated areas and airports
      • Pilots must also be able to take over manual control if required
      • Permission must be sought from the CAA [3] [4]

      This would seem to prevent the deployment of drones by remote centres but how would this affect an Alarm Receiving Centre ('ARC') with trained and licensed pilots with drones utilised under regulatory control for protection of a building? What about site based rooftop drones, which have a single application following an activation of flying directly upwards, transmitting footage from an aerial viewpoint before descending to recharge again? Protection in the event of a fire or duress situation could be more effectively managed perhaps with aerial thermal imaging and CCTV. Would manual PTZ control of such devices and utilisation of 4G for transmission purposes open up a new avenue for protection of property? Would we, in this scenario, eventually be petitioned by the police to take things a step further and follow suspects away from the property whilst they are en route so as to assist in a successful arrest? The use of two way audio in combination with a flyover by a drone device could be a powerful tool to deter would be burglars from a property. With a carefully managed marketing exercise to demonstrate effective results (similar to the smartwater approach) we could as an industry add another difficult to overcome layer of protection causing less well prepared miscreants to be caught and/or identified more effectively.

      Considerations

      There are some caveats to consider of course as with any new technology.

      • Weather restrictions – wind shear, storms affecting flight
      • Fog and other visibility issues restricting vision – much as with traditional CCTV
      • Recharging the UAV – Contact based charging solutions are now viable however
      • Communications – The usage of robust 4G and 5G solutions should resolve this
      • Auditing – On board encrypted SD cards should assist here
      • Security of control – An important issue which I will describe below in more depth
      • Health & Safety – Any such vehicle could potentially cause an accident or harm if lost
      • Privacy – As always privacy concerns would have to be addressed and respected [5] [6]

      On the issue of security of control I would like to point out that where control of a Drone is intercepted by a third party we must be able to prove that such action has taken place. There ought to be mandatory requirements regarding the security of access in line with current standards relating to all other security equipment in use. Though the application may be different the same level of care ought to be considered. This leaves us with some more questions to ask and discuss with regards the impact on and usage of UAVs within our sector:

      • Would you consider implementing this technology?
      • Do our current standards suitably allow for this technology to be utilised?
      • Is it appropriate for ARCs to implement licensed pilots for this purpose?
      • Would installers consider implementing these devices in specific installations?
      • Does an aerial viewpoint offer advantages over properly sited CCTV?
      • Should individual ARCs be licensed to pilot security UAVs?
      • Would a single RVRC specialising in remotely controlled UAVs be a better approach than many RVRCs/ARCs offering individual solutions?

      As always, please feel free to discuss, sharing your thoughts and views on this subject…

      References:

      [1] – Engadget.com – Secom offers a private security drone (December 2012)
      [2] – Wired.co.uk – Here come the drones… (July 2012)
      [3] – Civil Aviation Authority – Policy for Light UAV Systems (May 2004)
      [4] – Civil Aviation Authority – CAP722 Guidance (August 2012)
      [5] – Global Research – Civil liberties and the CAA (December 2011)
      [6] – Youtube – BBC coverage of increased drone usage (December 2012)
  22. I don’t think that anyone would disagree that the security industry has changed significantly over the last few years. In the intruder alarm business, the revenue focus has shifted from profit on the supply and installation of equipment to profit on the life of the contract or take overs. CCTV is heading down the same path so how can CCTV manufacturers help facilitate the “recurring revenue” business model? The Key for me is the DVR. (The target market for this are End Users that would typically purchase a >4 camera system with a standalone DVR.) In this blog, I hope to describe how a DVR (if it were available) could not only help you generate additional recurring revenue but also protect your business from online sellers and part time security companies.

      For the professional Security Installer:

      Consider how the following would affect your business and sales approach of CCTV:

      • Upgradeable DVR: DVR is built to what the customer requires now, keeping initial costs to a minimum while future proofing the installation. Add additional channels and/or megapixel channels as required, add integration possibilities or other modules - the possibilities are endless.
      • Cloud Integrated DVR: Properly integrated with a cloud could allow for certain services to be performed off-site. Analytics, storage, till monitoring, etc. These could generate additional monthly revenue.
      • Integrated DVR: DVR can add value to existing security equipment, by associating cameras with sensors or control points for example. This point focuses on a key strength of a professional security installer which is their knowledge of Intruder, Access, Fire, etc and making use of that in a CCTV system. Something a part time security company is not likely to be able to offer.
      • Professional Services: Know before your customer when there is an issue (camera loss, hdd, etc), ability to show your customer “how to” remotely (think PC Anywhere functionality), speed up commissioning and setups by downloading your company specific configurations, logos, etc. directly to the DVR.

      The above is just a snapshot of an overall system design (blog would be way too long), the above elements should describe how it may help retain customers and generate revenue from additional service offerings/upgrades but much can be done to help attract new customers in the first place.

      For the End User:

      The marketing people generally look for what they term USPs or Unique Selling Points, these are functions or services that will make a product or service stand out from the competition, consider the following if you were selling a DVR:

      • No more passwords – fingerprint reader maybe!
      • No more downloads – Even without off-site storage; this can be achieved through on-board removable storage and mirroring for example.
      • Tutorials – Ability to play either online or on-board tutorials for common functions.
      • Business tool – A DVR offers a Visual Record of what is going on in a business, through cloud analytics it would be possible to offer a customer a summary of the day's operation based on their predefined requirements. A DVR that offers a report that’s worth reading??
      • More intuitive Interface – This is an area that can be greatly improved in my opinion, I have heard comments on various DVRs and which ones are easy to use but remember the time when Nokia was considered easy to use (excluding windows 8 of course)?

      Consider the following: A touch interface. The beauty of a touch interface is that it generally only offers options relevant to the current function and hides set-up functions when the engineer is not logged in which can simplify its operation significantly, that in itself is not that unique but the difference is touch enabled operation versus touch optimised operation. I have researched and watched many videos on touch operated DVRs but they completely miss the point in my opinion. Some have had nice sliders for adjusting the brightness, recording frame rates, etc but that’s touch setup not touch operation. Even LiLin’s recent release “NVR Touch”, which was built from first day to be a touch operated NVR but it too misses the point. A touch optimised DVR interface would have no need for channel numbers, instead the user would “interact with images”. To explain, consider your Android or Apple phone, each of the icons on the screen as a camera image. You can move them around, duplicate or remove. To adjust a camera's settings, you simply select it and click the option, to playback/back-up a number of cameras, you select them, drag them and drop them either in the playback or back-up area. No need for channel numbers! Besides the Android like operation, if it were based on Android (not suggesting this is a good idea), what apps could you think of for the customer to download that could benefit your business?

      Ok, so you have read the blog and you have probably said to yourself on at least one of the points “my current DVR can do that” but you are missing a huge piece of the puzzle, how it’s implemented and this is much harder to explain, I ask you to think about the above and evolve it based on your own requirements. For example, although the CMS that comes with DVRs may offer some of the functionality but you wouldn't recommend it for a professional monitoring station. You also need to consider where it may lead; if implemented correctly, many of the above could lead to a profound effect on the professional security business, for example:

      • Off-site Storage: The ability to interrogate/download/analyse footage without leaving your desk has a massive appeal to others also. The police spend millions if not billions doing this manually, with the right promotion and politicians' ear, only “connected” equipment could become the standard or even requirement for certain installations, installed by professional installers.
      • Business Tool: The more the client uses the system the more the possibility of using it as a communication tool. E.g. Advertising, call out requests, record keeping, etc.

      Your definition of what a professional DVR is may be completely different but the objective is to recognise that the business has changed for professional security companies and that manufacturers have their part to play in facilitating the business model. I would sincerely like to hear your opinions………
  23. Ghost in the machine... With around three quarters of remotely accessible CCTV systems allowing intruders free access to invade privacy and compromise entire corporate computer networks, is it time to say 'enough is enough' to manufacturers and insist upon firmware changes to improve security control? This is not isolated to consumer level CCTV platforms only. Many 'professional' DVRs & NVRs are installed with default administrator accounts unchanged or additional accounts created and system owners given control over the default account (which they then fail to change). This means that anyone who is able to connect to the unit remotely can simply enter the default username & password (which can be found within seconds through a simple google search in almost all cases) and then have access to the system as completely as if they were standing in front of the unit. To compound matters further CCTV systems are rarely secured to only allow specific IP addresses to connect to them and at the same time they broadcast their presence through banner information given out to any device that queries the unit (This means it is easy to find such devices in the wild). In ~80% of installations the default passwords remain in place for the first three months. This drops to an average of ~70% after three months as some systems are made more secure by their removal. This still leaves vast numbers of units out there which can be listed by country / ISP / city, or date of installation and more which are openly accessible to any IP address. Some examples: AVTech - Over 420,000 units exposed - (14,000 in Great Britain / 12,000 in America) Hikvision - Over 710,000 units broadcasting - (10,000 in Great Britain / 16,000 in America) Dedicated Micros - Over 18,000 units detected - (8,000 in Great Britain / 7,000 in America) You might be thinking, so what, it's just CCTV - what's the worst that can happen? 
It should be remembered at all times that modern DVRs are in effect computers in most cases. Usually based on linux these machines are carrying out a specific task but can be put to use for other non DVR activity with ease. Each compromised DVR is in effect an open computer allowing anyone and everyone access to a corporate network potentially. If security of the DVR is poor then it is possible that network security within a corporation is equally lax. Last year a CCTV module was added to a tool called Metasploit, widely used in the blackhat community this tool allows users to attack a DVR, testing default access and brute forcing passwords. The fact that CCTV systems are often the weakest point of entry on a network is not lost on attackers and those who seek to maliciously access systems. Whose fault is it really?... It can sometimes be difficult to pin down exactly where the fault lies as there is a blurring of responsibilities in some contractual agreements. A professional installer may fit a DVR and put in place a secure username and password combination for remote management or viewing by a remote RVRC or ARC. They may also advise the system owner to put in place ACL (Access control lists) so that only authorised IP addresses are allowed to connect to the device as well as giving advice on blocking netbios responses and port forwarding. However, if a user insists on being able to access the device remotely and chooses to keep the simple to remember default account and not to implement such measures then the machine can remain vulnerable. Often the company responsible for installing, maintaining or monitoring the system does not have control over the network used by the device for transmission. Even if the password is changed there exist a large number of exploits on known DVRs and in many cases these and similar exploits can be applied to other DVRs as the programming code is sometimes not as secure as it ought to be. 
The CCTV hardware sector has been under intense price pressure in recent years and with a downward spiralling price index it has been common to see a reduction in the number of developers and code writers employed by some companies which could potentially increase the risk of security holes remaining in a product. In the event that a breach receives widespread mainstream media coverage it does not just reflect badly upon an end user themselves as the security industry on the whole would receive bad press even if not at fault.

How do we fix it?...

In part this may require some contract review to ensure that clear definitions are in place by all businesses as to the responsibility that both they and the client hold. Clear understanding must be given as to the potential risks and good practice should be recommended in securing the unit. Perhaps a move towards mobile broadband and IPv6 will mean that we can take back control of securing the communication channel?

We must however tackle the issue of default user accounts existing in the first place. There is no need to have such accounts any more. Even if such accounts could be made unique to each device it would be an improvement, but in an ideal world the units would prompt for a unique username and password combination on first powering up with an option to default the unit only by a physical action on the unit itself in some secure manner.

Dedicated Micros units for example come configured with up to five separate default accounts of which three have admin level access and allow full control over a unit. Are your engineering teams ensuring that all of these accounts are removed?

I recently asked the technical support staff at several DVR manufacturers why they still use default accounts despite the huge risks involved when they are regularly left in place? I was repeatedly advised that it made their job much easier when providing remote support to users and engineers.
Newer Axis cameras feature the technique of forcing a password change on first access and it is much more secure as a result. We should be hammering the doors of manufacturers to ask them to introduce this approach in their new firmware revisions (no hardware change should be required in most cases). We should also be encouraging the standards to push towards a more robust approach to handling default accounts.

Manufacturers often boast of how much value is protected by their devices (it's a safe boast that does not reveal how many units they sold) - It is this same value that is potentially at risk. The next time you are presented with new CCTV equipment or a new manufacturer, ensure that you ask them how they ensure that their products remain secure as it is your reputation at stake.

Action to be taken:

Installers

  • Check contractual agreements
  • Ensure engineers trained in best practice
  • Audit existing installations
  • Verify guidance given to end users
  • Ensure firmware is updated regularly

Manufacturers

  • Remove generic default accounts
  • Deploy an effective mechanism for security
  • Check existing exploits to ensure none affect your units
  • Keep up to date with new exploits
  • Notify your clients when you discover older firmware is at risk
  • Maintain a 'risk register' of some kind for trade members to be aware of potential risks

End Users

  • Protect their own networks by blocking NetBIOS
  • Allow access only to specific IP addresses
  • Change / Remove default accounts!!
  • Use secure passwords (6 Characters or more / Alphanumeric / Mixed case)
  • Ensure that internal communications to and from the device are restricted
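The first-power-up behaviour proposed under "How do we fix it?", combined with the end-user checklist above (specific source addresses only, passwords of 6 characters or more with letters, digits and mixed case), sketched as an added example that is not part of the original post or any manufacturer's firmware. The `Recorder` class, its method names and the placeholder default pairs are hypothetical.

```python
import hashlib
import hmac
import os
from ipaddress import ip_address, ip_network

# Constructed placeholder pairs, NOT any vendor's real factory credentials.
FACTORY_DEFAULTS = {("installer", "installer"), ("service", "Service1")}


def password_ok(username, password):
    """Checklist policy from the post (6+ characters, alphanumeric, mixed case),
    plus: not a factory default and not simply the username."""
    strong = (len(password) >= 6
              and any(c.islower() for c in password)
              and any(c.isupper() for c in password)
              and any(c.isdigit() for c in password))
    reused = ((username, password) in FACTORY_DEFAULTS
              or password.lower() == username.lower())
    return strong and not reused


class Recorder:
    """Hypothetical recorder account store: nothing can log in until first-boot setup."""

    def __init__(self):
        self.accounts = {}   # username -> (salt, PBKDF2 digest)
        self.allowed = []    # networks permitted to connect remotely

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def first_boot_setup(self, username, password, allowed_networks):
        if self.accounts:
            raise PermissionError("already provisioned; reset needs the physical button")
        if not password_ok(username, password):
            raise ValueError("password fails policy or matches a factory default")
        if not allowed_networks:
            raise ValueError("at least one permitted source network is required")
        self.allowed = [ip_network(n) for n in allowed_networks]
        salt = os.urandom(16)
        self.accounts[username] = (salt, self._digest(password, salt))

    def login(self, username, password, source_ip):
        # Source filter first: addresses outside the allowlist never reach the
        # credential check, so they get no chance to guess passwords.
        if not any(ip_address(source_ip) in net for net in self.allowed):
            return False
        salt, stored = self.accounts.get(username, (b"\0" * 16, b""))
        return hmac.compare_digest(stored, self._digest(password, salt))

    def factory_reset(self, button_held):
        """Clearing credentials requires the physical button, never a remote request."""
        if not button_held:
            raise PermissionError("reset requires physical presence at the unit")
        self.accounts.clear()
        self.allowed.clear()
```

Note that `("service", "Service1")` satisfies the complexity rule on its own, which is why the default-pair check is separate from it.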
  24. Security Flaw

Some of you may be aware that last year there was some exposure given to a vulnerability in Trendnet camera firmware allowing access to their consumer webcam devices despite password protection being enabled. They claimed to have released a patch within a month to solve the issue and to have contacted every customer to advise them to update their devices.

This is (despite the assurances of Trendnet) still a common issue; to help highlight it, a real time map was produced showing where such devices were located and allowing you to connect directly to them. The website has now been taken down thankfully as the goal of highlighting the issue in mainstream media again was achieved.

Professional Security

This is a pretty good demonstration though of just how prolific an issue this can be when Joe Public gets his hands into the pot but it also reminds me of the many poorly secured 'professional' installations I have come across in my time (I'm sure you have too) and it is hopefully a wake up call to some businesses to improve their security practices. How would you feel if 'XYZ Security - Live CCTV feeds' was the next Google map mashup launched showing devices which you are maintaining or monitoring?

Also take note that despite the publicity around the Trendnet devices, they are not the only ones affected. There was a website called Shodan HQ launched some time ago which gives the ability to search devices which are 'web facing' (in other words can be connected to over the internet) and list those matching specific URL strings or other flags. This offers much more capability than Google searches for example in highlighting potential 'target devices'. It is already possible now to list unsecured access points on some very well known 'professional' DVRs and NVRs.

Ease of connectivity is very much a double edged blade. We must remember that many of the devices we use are now starting to utilise built in web servers and connectivity.
Considerations

  • How are you ensuring that you are aware when exploits are announced on devices you utilise?
  • What are your plans to identify, notify affected users and upgrade potentially affected devices quickly and efficiently?
  • Are you considering these issues when investigating new web facing technology?
  • How do you measure for and protect against potential built in backdoor access to foreign equipment?
  • As well as looking outwards at your clients are your own systems secured and protected?
  • Is technology advancing too quickly to ensure adequate security is deployed?

As always I welcome your thoughts, questions, answers and debate.....
  25. Summary

Many specific industries in the UK are currently being targeted for online attacks in order to access the information which they hold. This information is rapidly becoming a new commodity in these changing times. The financial sector saw a 3000% increase in the volume of attacks directed specifically at them in the first quarter of 2012. [1] [2]

The electronic security industry is a definite target due to the ‘low risk, high yield’ target nature of ARCs & Installers for potential attackers coupled with the lack of up to date awareness in many parts of the industry. The risk from DDoS type attacks in particular is a well founded one but also comes on the back of other concerns in respect of “information security”.

Our industry is at particular risk from this threat for a number of reasons:

In the first case we hold (as an industry) vast amounts of sensitive data on our clients. We are ourselves a means by which access can be granted to further information from our clients. As an example consider an attacker armed with a security firm's authorisation credentials or a site password then contacting a client of the ARC whilst performing a social engineering attack. Mobile telephone numbers can lead to location data or voicemail access of end users.

The other aspect to consider is that as an industry we face an increased exposure from this type of attack that can be very detrimental to business. “Electronic security” is not the same thing as information security but to end users and clients this distinction is not so clear. We operate in an environment of trust and robust security protocols. Clients would potentially steer clear of the victim of a data breach as they would be seen as ‘untrustworthy’; this can have a massive impact within the industry. [3]

A small investment in time and resources now could save businesses a great deal of cost and time at a later date. Following some basic principles [4] of system management will help.
In the long term a complete managed structure is the only effective solution to mitigate the increasing risk and exposure. To manage system updates, audit all of the many server and client machines, keep up to date with trends and exploits and to effectively harden the many networks, software platforms and systems is a lengthy and laborious task which businesses small and large may struggle to keep up with. [5] [6]

Threats & Exposure

To understand the risks and better manage them we ought to first understand who would be aiming to access data. I believe we can categorise the majority of potential attacks as coming from one of five primary sources presenting the highest risk factors for our industry:

Hacktivists

Whilst traditionally few ARCs or Installers are seen to have any specific political or corporate ties (which reduces exposure to this threat) the servers and bandwidth available to ARCs can be seen as a potentially lucrative target to use for attack redirection or to include within a zombie network for attacking other targets.

Staff / Industry competitors

Whilst a lower risk it needs to be considered and accounted for. Attacks such as competitors taking up similar domain names in the hope of emails being mistakenly delivered to them need to be monitored for and addressed. Sensitive commercial information is in itself of value to a potential attacker from this sector.

Criminals

Well, at least with this source it is one we are all very familiar with. It is interesting that information security and electronic security are both very similar when criminals form the source of the attack. Target hardening is effective and will cause criminals to instead opt for an easier alternative target. The reason and target of attack is financially motivated. The best defence here can be to make it labour intensive, time consuming and expensive for anyone to perform a successful attack and it will reduce the impact from this source.
It must be remembered though that the criminal enterprises can have *significant* resources available to them and they are becoming wise to utilising cheap mass labour to perform the legwork which can complicate matters.

Script Kiddies

This is becoming a dwindling form of attack source, however, it cannot be discounted entirely. While this particular source of attack generally uses widespread and basic tools which can be protected against, there is also the opportunity for talented and determined individuals to find previously unknown 0sec (zero seconds / newly discovered) exploits, which would not be so easily detected.

State sponsored

This is the largest threat to our industry. The sheer numbers involved and the impunity with which attackers operate highlight the fact that the internet is now very much like the old west with very few laws and regulations and several different highly active groups (the UK is no exception).

Please take a moment to consider the type of information that could be useful to a potential attacking state. Vast amounts of data are stored which can all be funnelled into a pool of information for later analysis. Nation states have many Petabytes / Exabytes of data storage for just this purpose and in many cases employ very effective attack teams. They have staff dedicated to harvesting and categorising target clients (IPv4 means fairly limited numbers which they can go through quite literally one by one).

In the case where a target client is not immediately exposed to any current risk their equipment and services can still be categorised. When a new ‘0sec’ exploit is then released / discovered or purchased then these categorised targets can all be revisited quickly and with ease.
This is also a form of attack that will not entirely disappear in the future without significant changes; indeed there are claims that this is now the modern battlefield between nations. We need to be careful to ensure that as an industry we do not become the injured innocent bystanders.

Attack Vectors

For the modern ARC or Installer there are several attack vectors and points of exposure:

  • External webservers / client interfaces
  • Company websites
  • Mail servers
  • Corporate intranets
  • USB / Removable media
  • Precompiled VMs
  • IP Signalling device connectivity
  • Receiver software / firmware

You must ask questions of yourselves in relation to each of the above vectors remaining honest with yourself whilst doing so.

  • Are each of your systems adequately protected?
  • Is the authentication procedure appropriate to the risk exposure?
  • How do you know if you have already been infiltrated?
  • What measures can you take to prevent exposure to each of the above?
  • Are your staff members trained to respond to and recognise these risks?
  • Are you opening up more data than is required to perform the task at hand? If so why?
  • Are your contingency arrangements formed with these risks in mind?
  • Does your backup procedure give you scope for recovering to a point prior to an attack occurring which may be discovered at a later date?

The reality in our industry is that the technical expertise employed within and by third parties on behalf of ARCs and Electronic Security Installers is often quite specialised. Whilst there are very many incredibly talented individuals working in the industry, it does not follow that they are necessarily aware of all aspects which are required in order to effectively protect company assets.

The Solution?

There is no "one size fits all" solution that would work for all types of businesses. There are however, some good practices and recommendations that can be made. Where possible implement managed network provision from a suitable supplier.
Ensure that you have the support of any ISP utilised in order to help counter DDoS types of attacks.

There has been a gradual evolution of some signalling products and back office systems to utilise remote access and various forms of IP technology. Ensure that the systems you are utilising have approached the implementation of this technology with a sound understanding of the risks involved. Other products have been designed from the very start around the core principles of data security and robustness; this should be a primary consideration.

With all the points raised above, the key thing is awareness. Understand the capabilities and weaknesses of each product and perform your own risk assessments. You may conclude that it is no longer appropriate to utilise some equipment or demand more robust solutions from the supplier. In either case at least you are prepared and aware.

Ensure that you are able to accurately track the flow of data in and out of your business and be able to see the status of all critical equipment and networks instantly at any time (keep your fingers on the pulse).

We are all in the habit of assuming the worst case scenario in order to minimise risk. This puts our industry in a good position to be able to overcome such issues as and when they arise as long as we continue to be prepared. Consider your existing networks and infrastructure carefully. What is your exposure to risk? Can action be taken to reduce or ideally, entirely negate the risk?

It will become crucial in future for Installers and ARCs to communicate effectively to highlight and manage risks. We have already begun to see the effectiveness of this approach when nationwide issues occur and in future we should all take advantage of these networks to help mitigate and protect from risk.