Search the Community
Showing results for tags 'installer'.
-
If anyone is available on 28-30 April and wants a free ticket to The Security Event taking place at the NEC in Birmingham, drop me a message. There is a new Installer Conference this year focusing on standards, regulations and best practice, and it's co-located with the Fire Safety Event so there is loads going on. Free parking and drinks party open to everyone at the end of day one. Really worth dropping into. So many products on display including some never seen before. Backed by all the leading industry bodies. It's the best event to go to this year by a mile. www.thesecurityevent.co.uk
-
Hey everyone, My name is Ross Harvey from Fuse Systems in Northern Ireland. Looking forward to inputting into this forum. Been in the industry for 20 years and loved every minute of it. If anyone ever looking advise mayve quickly give me or the team a ring on ##REMOVED## as we offer 24 hour assitance ##REMOVED##
- 2 replies
-
- installer
- consultant
-
(and 3 more)
Tagged with:
-
Hello all, I am new to this site and looking for sub-contract work in CCTV and Security or Access systems, in and around the West Midlands. I have many years experience, using Honeywell Galaxy, Pyronix etc, PAC and Paxton along with various CCTV systems, analogue and IP systems. I have my own unmarked vehicle along with all tools needed, including steps and ladders etc. I also have CSCS card. please contact me directly if you have any requirements. best regards. Nick Harrison
-
We are on a look for a subcontractor in Scotland (Glasgow preferably) to help with our workload. Please browse for Human Recognition Systems MSite to found out more. We also require cover for our systems at EDI and Glasgow Airports. Please PM me Maciej Furga Engineering Manager Human Recognition Systems
-
- biometrics
- access control
-
(and 1 more)
Tagged with:
-
Time To Revolt Against The 'default'?...
Joe Harris posted a blog entry in Electronic Security & Technology
Ghost in the machine... With around three quarters of remotely accessible CCTV systems allowing intruders free access to invade privacy and compromise entire corporate computer networks, is it time to say 'enough is enough' to manufacturers and insist upon firmware changes to improve security control? This is not isolated to consumer level CCTV platforms only. Many 'professional' DVRs & NVRs are installed with default administrator accounts unchanged or additional accounts created and system owners given control over the default account (which they then fail to change). This means that anyone who is able to connect to the unit remotely can simply enter the default username & password (which can be found within seconds through a simple google search in almost all cases) and then have access to the system as completely as if they were standing in front of the unit. To compound matters further CCTV systems are rarely secured to only allow specific IP addresses to connect to them and at the same time they broadcast their presence through banner information given out to any device that queries the unit (This means it is easy to find such devices in the wild). In ~80% of installations the default passwords remain in place for the first three months. This drops to an average of ~70% after three months as some systems are made more secure by their removal. This still leaves vast numbers of units out there which can be listed by country / ISP / city, or date of installation and more which are openly accessible to any IP address. Some examples: AVTech - Over 420,000 units exposed - (14,000 in Great Britain / 12,000 in America) Hikvision - Over 710,000 units broadcasting - (10,000 in Great Britain / 16,000 in America) Dedicated Micros - Over 18,000 units detected - (8,000 in Great Britain / 7,000 in America) You might be thinking, so what, it's just CCTV - what's the worst that can happen? It should be remembered at all times that modern DVRs are in effect computers in most cases. Usually based on linux these machines are carrying out a specific task but can be put to use for other non DVR activity with ease. Each compromised DVR is in effect an open computer allowing anyone and everyone access to a corporate network potentially. If security of the DVR is poor then it is possible that network security within a corporation is equally lax. Last year a CCTV module was added to a tool called Metasploit, widely used in the blackhat community this tool allows users to attack a DVR, testing default access and brute forcing passwords. The fact that CCTV systems are often the weakest point of entry on a network is not lost on attackers and those who seek to maliciously access systems. Whose fault is it really?... It can sometimes be difficult to pin down exactly where the fault lies as there is a blurring of responsibilities in some contractual agreements. A professional installer may fit a DVR and put in place a secure username and password combination for remote management or viewing by a remote RVRC or ARC. They may also advise the system owner to put in place ACL (Access control lists) so that only authorised IP addresses are allowed to connect to the device as well as giving advice on blocking netbios responses and port forwarding. However, if a user insists on being able to access the device remotely and chooses to keep the simple to remember default account and not to implement such measures then the machine can remain vulnerable. Often the company responsible for installing, maintaining or monitoring the system does not have control over the network used by the device for transmission. Even if the password is changed there exist a large number of exploits on known DVRs and in many cases these and similar exploits can be applied to other DVRs as the programming code is sometimes not as secure as it ought to be. The CCTV hardware sector has been under intense price pressure in recent years and with a downward spiralling price index it has been common to see a reduction in the number of developers and code writers employed by some companies which could potentially increase the risk of security holes remaining in a product. In the event that a breach receives widespread mainstream media coverage it does not just reflect badly upon an end user themselves as the security industry on the whole would receive bad press even if not at fault. How do we fix it?... In part this may require some contract review to ensure that clear definitions are in place by all businesses as to the responsibility that both they and the client hold. Clear understanding must be given as to the potential risks and good practise should be recommended in securing the unit. Perhaps a move towards mobile broadband and IPv6 will mean that we can take back control of securing the communication channel? We must however tackle the issue of default user accounts existing in the first place. There is no need to have such accounts any more. Even if such accounts could be made unique to each device it would be an improvement, but in an ideal world the units would prompt for a unique username and password combination on first powering up with an option to default the unit only by an physical action on the unit itself in some secure manner. Dedicated Micros units for example come configured with up to five seperate default accounts of which three have admin level access and allow full control over a unit. Are your engineering teams ensuring that all of these accounts are removed? I recently asked the technical support staff at several DVR manufacturers why they still use default accounts despite the huge risks involved when they are regularly left in place? I was repeatedly advised that it made their job much easier when providing remote support to users and engineers. Newer Axis cameras feature the technique of forcing a password change on first access and it is much more secure as a result. We should be hammering the doors of manufacturers to ask them to indtroduce this approach in their new firmware revisions (no hardware change should be required in most cases). We should also be encouraging the standards to push towards a more robust approach to handling default accounts. Manufacturers often boast of how much value is protected by their devices (it's a safe boast that does not reveal how many units they sold) - It is this same value that is potentially at risk. The next time you are presented with new CCTV equipment or a new manufacturer, ensure that you ask them how they ensure that their products remain secure as it is your reputation at stake. Action to be taken: Installers Check contractual agreements Ensure engineers trained in best practise Audit existing installations Verify guidance given to end users Ensure firmware is updated regularly Manufacturers Remove generic default accounts Deploy an effective mechanism for security Check existing exploits to ensure none affect your units Keep up to date with new exploits Notify your clients when you discover older firmware is at risk Maintain a 'risk register' of some kind for trade members to be aware of potential risks End Users Protect their own networks by blocking Netbios Allow access only to specific IP addresses Change / Remove default accounts!! Use secure passwords (6 Characters or more / Alphanumeric / Mixed case) Ensure that internal communications to and from the device are restricted -
Convergence - Where Will It Lead?
Joe Harris posted a blog entry in Electronic Security & Technology
Crossing of paths... Alarm Transmission Systems (ATS) are increasingly adding capabilities that would traditionally have been performed by dedicated devices, for example CCTV verification. At the same time Control and Indicating Equipment (CIE, or control panels in plain English) feature built in IP communication functionality and are giving us access to Home Automation integration and more. This type of blurring of what would previously have been clear and distinct roles that equipment played is becoming much more common and is set to extend even further in the future. We are already in a position where individual cameras and detectors of all types can communicate directly with the software at an Alarm Receiving Centre (ARC) without utilising at ATS if they so wished. Installers are being empowered with the ability to not only connect instantly to a remote CIE to analyse a potential fault, but to be in a position to connect directly to a detector or camera or any other component of a system to amend settings, re-enable or even repurpose a generic multi-purpose device to enable the maximum potential protection for clients at all times. This type of convergence leads to some fantastic opportunities and will mean that the next few years will certainly be interesting. It will also however, mean that those whom are writing the standards to which we each adhere, will have to write them without constraints on the form of equipment utilised in some cases. A very tough ask of them when they are trying to give reasonably specific guidance. Confusion or cohesion? Given this merging of functions and the seemingly inevitable move towards every component being addressable where does that leave our suppliers? Will there be a place for specialised equipment if the same function is provided to the same standard in an integrated manner by another supplier? Does this lead to an eventual move away from processing of alarms by dedicated CIE at the protected property to instead provide processing 'in the cloud' at the ARC or any other centralised location? Will instant and thorough control of remote devices by installers lead to a change in business models when attendance is much reduced? Does dedicated equipment improve the structure of the overall system or benefit us in another way? Will ATS suppliers be bypassed or will they 'lead the revolution'? Will we see less competition as a result or more? As always, please feel free to discuss, sharing your thoughts and views on this subject…- 2 comments
-
- Technology
- CIE
-
(and 5 more)
Tagged with: