Posts by MasterofDisaster 29 publicly visible posts • joined 27 Jan 2014
In this case it sounds like it may have been more than reservations systems being breached. When they say "IT systems" it could be anything from access control systems that open your hotel room door to the laundry operations. Hope they are transparent with exactly what happened here and to what extent.
The irony of course is that Verkada bills itself as the solution to all the other camera vendors being insecure. Maybe they need to reassess having half the company in sales, instead of engineering. Yet another wakeup call for operators of physical security systems (IoT) to get some religion around updating firmware, managing certificates, and more comprehensive password management (i.e. what IT security has been doing for years).
Hoping at some point to learn why the past few years they had cavernous stores with virtually nothing in them. Hard to imagine there isn't some dirt to be shared on money laundering or similar; how else did they stay afloat this long? On the other hand, Macy's seems to be doing the same trick :)
I want to be different, Like everybody else I want to be like
I want to be just like all the different people
I have no further interest in being the same
Because I have seen different all around
And now I know that that's what I want
I don't want to blend in and be indistinguishable
I want to be a part of the different crowd
And assert my individuality with others
Who are different like me
I don't want to be identical to anyone or anything
I don't even want to be identical to myself
I want to look in the mirror and wonder
"Who is that person? I've never seen that person before;
I've never seen anyone like that before"
I want to call into question the very idea that identity can be attached
I want a floating shifting ever changing persona:
Invisiblility and obscurity
Detachment from the ego and all of it's pursuits
Unity is useless
Conformity is competitive and divisive and leads only to stagnation and death
If what I'm saying doesn't make any sens
That's because sense can not be made
It's something that must be sensed
And I, for one, and incensed by by all this complacency
Why oppose only when there's a war?
Why defend the clinics only when they're attacked?
Why are we always reactive?
Lets activate something
Lets fuck shit up
Whatever happened to revolution for the hell of it?
Whatever happened to protesting nothing in particular, just
Protesting because its Saturday, and there's nothing else to do?
Songwriters: John S. Hall / Roger Murdock
It's Saturday lyrics © Warner/Chappell Music, Inc
Forgive the paraphrasing, but one of my favorite Grateful Dead lyrics seems appropriate here, from Saint of Circumstance:
"If I can still walk, then I'm sure that I can dance"
With Phil&Friends, Dead&Co, and others rocking in their 70's, these German festafarians are the leading edge of a wave we can see coming.
Have to give some credit to Axis that was not pointed out in the article - they are one of the leaders (along with Viakoo) for developing automated ways of updating firmware on cameras. The reality of surveillance cameras is they have been "set it and forget it" for a long time, and the idea of updating firmware is genuinely new to the industry. Without an automated firmware update mechanism camera vendors may as well not bother; it's unrealistic to have the facilities guy on a ladder with a USB updating the hundreds/thousands of cameras across a large enterprise.
The reality underlying this story is that many industrial organizations are ill-equipped to handle firmware updates at scale and safely. In many cases the facilities team (not IT) control the infrastructure, and are not used to pesky firmware updates. Last year Trend Micro estimated that over half of security cameras they tracked in North America had one or more malware agents on them....and probably still do because most camera firmware updates are done with a guy on a ladder sticking a USB in (a process that doesn't scale). Some camera vendors and third parties are developing automated capabilities, but if Schneider thinks updating device firmware will solve things let's hope it's fully automated.
Trend Micro reported last year that 51% of cameras they tracked in North America had one or more malware agents present (mostly undetected). More smarts in the cameras might mean better cyber-protection for them, but might also make them a lot more attractive (and effective) as attack surfaces. Combined with most cameras being maintained by physical security staff (and not IT), will be interesting to see how the hackers exploit a lot more horsepower.
HPE has a number of options in object storage; the deal announced with DDN did not mention their object storage (WOS), but wouldn't be surprising if WOS ended up resold by HPE in certain markets (like HPC). Seems like HPE is doing the right thing by bringing in Cloudian (and DDN, and Scality) to grab as much market as possible. Sorry Scality.
The third cohort ("the strivers") have a lot of companies that are barely treading water, gaining new customers slowly and living off the maintenance revenues. These are zombie companies more than powerful R&D houses. This means stagnation and decay over time. Would expect to see this cohort either die off or get gobbled up by the other two. No way can the third cohort thrive-survive-strive over time.
The broad issue in selling storage for video surveillance is the incredibly long sales cycle; a lot of deals take 12 -18 months to close and there is a race to the bottom with pricing. Few storage vendors (or their salespeople) have the stomach for that.
On the other hand, what I thought this article was going to go into is how Colorado and other places have codified seed-to-sale video surveillance and multiple months of needing to retain that data. The combination of specific regulations, long retention periods, real audits and compliance checking represent an opportunity not just for storage, but for service assurance, IoT, and other physical security technologies. Video surveillance is often run in very shoddy ways (many reports of less than 70% uptime), so legal weed might be one of the few places where real IT skills and technology are wanted in physical security.
Physical security is still analog in many places, and the move to IP is probably the slowest of any major industry. Hackers finding the weak point and exploiting it - not surprising. What is surprising is the shocking head-in-sand approach by many security integrators who are being paid maintenance contracts to make sure this stuff works (note: IT MSPs don't cover this stuff for the most part, and it's a huge missed opportunity for them because of how behind the times the security integrators are). Apparently working and being secure are two completely different concepts to a security integrator.
Like IoT in general, in physical security it seems that basic IT needs like "operational intelligence", "service assurance", "monitoring", and "cyber-security" are weirdly lacking. Adding real IT competency would prevent situations like this.
Well known issue in physical security: the stuff is all IP-based, but almost never directly run or managed by IT. It's run by physical security teams, who need to retain/control their empire, but don't know much about IT. Scratch the surface and that's why you find that most video surveillance systems have an uptime of 70% - they simply are not managed or treated as IT systems. Anyone know of something your IT team manages with a 70% uptime? Didn't think so.
If your not monitoring it is very likely the overall organization sees more "broken glass" than they should, thus forming a view of IT and the overall system. In some places that's okay (lots of IT teams carry forward with a poor view of their efforts), but if the "broken glass" is something mission-critical to the company then it is hard to see not having monitoring specifically tuned to that mission-critical element. For example, if you manage an IP-based video surveillance network and it is very visible when it fails (e.g. bank heist with no video footage), you'd be foolish not to have a purpose-built monitoring tool for at least that purpose. The less broken glass, the more likely there are multiple monitoring approaches (purpose built for the mission-critical stuff, generic for the other systems). In other (and fewer) words, monitoring is a reflection of the corporate importance of what is monitored.
Dirty little secret for years in physical security is how low the "uptime" is for video surveillance; typically around 70%. City of Philadelphia audited their city-wide surveillance system and found it worked only 32% of the time (http://www.viakoo.com/orphaned-video-system-in-philadelphia/). End result is police never look at it because they know it's incomplete at best.
Just google "hacked security cameras" and the issue is not just putting tape on your laptop camera, but how secure is your organization's physical security? Too many people don't change default passwords, don't put physical security onto a separate network from corporate, and don't have any warning/alerting mechanism to detect tampering. With all the focus on cyber-security it is well worth remembering physical security can be as (or more) vulnerable to hacking and malicious attacks.
I'm also at IoT World, and to correct the mis-perception of this article there is a lot going on in "industrial IoT" that is real-world and meaningful. Easy to point to the consumer side and say it is not ready, but a lot of enterprise needs are being met better through industrial IoT, and there are real-life examples. Shouldn't El Reg focus more on that, than the less-developed consumer side?
Good article, especially in highlighting the scope outside of strictly IT. As was mentioned with aviation, physical security (access control, video surveillance) should be included in this more because there are more and more cases where that is used to gain the insight needed to overcome logical security. For reference, look at the Carbanak malware-based bank heist where video was hacked in order to learn from observation how things worked inside.
I have not gone through the list, but my suspicion is that of the 100+ companies there are quite a few zombies. They had an initial spurt of customers, still serve them well, but are unable to gain new customers because they are NOT the "new shiny thing on the block" nor are they the big entities that would take the business based on bundling or price. If you were a new buyer in this market you wouldn't look at everyone; hot startups and established entities is where you'd focus. The BC/DR company hot 2 or 3 years ago may now be left in the cold, slowly bringing down spending in sales & marketing, living a zombie-like existence while feeding off of maintenance renewals. Would not be surprised that such companies are the majority in this space.
As physical security also is part of the network (IP cameras, access control, etc), those systems also become part of the threat profile. Just like no one thinks of the HVAC system (that lead to the Target breach), too often people are forgetting that any "touchpoint" can be used (that's why even the pixels on screen, captured by IP camera connected to network, could be used in an air gap situation). Services like Viakoo that monitor/diagnose issues in security video IP streams have been finding more cases of digital tampering of surveillance camera footage, in part because if you're able to infect/hack computers, you also will hack into the security video to erase your tracks. While this article may not be "real-world", the lesson should be taken to heart that with IoT expanding rapidly, so are the potential points of entry/infection.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
