Tag: video-surveillance

A CCTV hacking incident could be a lesson in system lifecycle issues

Article

How A Prison Had Its CCTV Hacked | Lifehacker Australia

My Comments

The linked article describes a prison whose video-surveillance system was compromised. When the security team investigated, the point of compromise was not the institution’s main back-office network but a Windows Server 2003 machine: that box had been kept on an old operating environment so it could keep working with particular surveillance cameras. Windows Server 2003 left extended support in July 2015, so a box like this receives no security patches at all, and every vulnerability found after that date stays open on it.

The reality with “business-durable” hardware and systems

The underlying problem concerns “business-durable” hardware like video-surveillance cameras, point-of-sale receipt printers and similar equipment that is expected to have a very long service life, usually in the order of five to ten years. Computer software works to a different reality where it evolves every year, and in most cases that includes the frequent delivery of patches to improve performance, remedy security problems or keep the system compliant with new operating requirements.

Newer software environments and unsupported hardware

The main problem is that when a computer is moved to a newer operating environment, some peripherals work with reduced functionality or don’t work at all. This happens very easily once a manufacturer has declared “end of life” on a device and won’t update its firmware or driver set. It also applies when a manufacturer abandons its product base in one or more markets and leaves customers high and dry.

Requirement to “freeze” software environments

Sites that depend on these devices then end up running servers and other computer equipment that are frozen on a particular operating environment in order to preserve compatibility and stability. This compromises the security of the whole installation because the frozen equipment cannot run newly-patched software that answers the latest threats, and it cannot perform at its best or accept new hardware because of the “old code”. If a host has to be frozen like this, the practical mitigation is to isolate it: put it and the cameras it serves on their own network segment, allow only the monitoring workstations to reach it, and block it from reaching the Internet or the back-office network.

In some cases, the only way to get the chosen updates onto such a machine is for contractors to carry them in on removable media, which is a security risk in itself unless the media and the files on it are checked before use.

Design and lifecycle issues

Use standards as much as possible

One way to tackle this issue is to support standard hardware-software interfaces through the device’s and the software’s lifecycle. Examples of these include UPnP Device Control Protocols, USB Device Classes, Bluetooth Profiles and the like. It also includes industry-specific standards like ONVIF for video surveillance and DLNA for audio-video reproduction.

If a standard is ratified during the device’s lifespan, I would suggest that it be implemented through a firmware update. Similarly, the operating environment and application software should support the core functionality through device-class drivers rather than vendor-specific ones.

Provide a field-updatable software ecosystem

Similarly, a device has to be designed to support field-updatable software, and any software-update program has to cover the expected lifespan of these devices. If a manufacturer wanted to declare “end of life” on a device, it could make sure that the last major update is one that enshrines all relevant industry standards and device classes, then move the device into a “software roll-up” program that covers compliance, safety and security issues only.

As well, a “last driver update” could then be sent to operating-system vendors like Microsoft so that the device can work with newer iterations of the operating systems that they release. This is more so if the operating-system vendor is responsible for curating driver sets and other software for their customers.

The device firmware has to work in such a way to permit newer software to run on servers and workstations without impairing the device’s functionality.

As well, the field-updating infrastructure should work in a similar way to how desktop and mobile computers are updated: the software is sourced from the developers or manufacturers via the Internet, whether through a staging server or not. This has to include secure verification of the software. At a minimum the update package should be code-signed and the device should verify that signature, against a vendor key it already holds, before it installs anything; the download channel should verify the server’s identity (TLS) where applicable; and the device should refuse to install a version older than the one already running, so that an attacker cannot “update” it back to a vulnerable release.
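As an added example of the verification step just described (this is my illustration, not code from the article, from QNAP or from any camera vendor), the following Go program signs an update manifest with an Ed25519 key on the vendor side and then runs the checks a device should perform before flashing: signature, target model, anti-rollback, and image hash. The manifest layout, the model name “cam-x1” and the firmware bytes are all constructed for the demonstration; a real device would have the vendor’s public key baked into its bootloader rather than generated at run time.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest describes one update: the device model it targets, a monotonically
// increasing version number, and the SHA-256 of the firmware image. The layout
// is an assumption for this example, not any vendor's real update format.
type Manifest struct {
	Model   string `json:"model"`
	Version int    `json:"version"`
	SHA256  string `json:"sha256"`
}

// SignManifest is the vendor-side step: serialise the manifest and sign the
// bytes with the vendor's Ed25519 private key. Only the signed bytes and the
// signature are shipped; the private key stays in the build pipeline.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (body, sig []byte, err error) {
	body, err = json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return body, ed25519.Sign(priv, body), nil
}

// VerifyUpdate is the device-side step, run before anything is written to
// flash. Checks happen in this order: signature first (so no untrusted data is
// parsed before it is authenticated), then model, then anti-rollback, then the
// hash of the downloaded image.
func VerifyUpdate(pub ed25519.PublicKey, body, sig, image []byte, model string, installed int) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(pub, body, sig) {
		return m, errors.New("manifest signature invalid")
	}
	if err := json.Unmarshal(body, &m); err != nil {
		return m, fmt.Errorf("manifest unreadable: %w", err)
	}
	if m.Model != model {
		return m, fmt.Errorf("manifest is for model %q, this device is %q", m.Model, model)
	}
	if m.Version <= installed {
		return m, fmt.Errorf("version %d is not newer than installed version %d, rollback refused", m.Version, installed)
	}
	sum := sha256.Sum256(image)
	if got := hex.EncodeToString(sum[:]); got != m.SHA256 {
		return m, errors.New("image hash does not match manifest")
	}
	return m, nil
}

func main() {
	// Constructed vendor key and firmware image for the demonstration only.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image, version 7")
	sum := sha256.Sum256(image)
	body, sig, err := SignManifest(priv, Manifest{Model: "cam-x1", Version: 7, SHA256: hex.EncodeToString(sum[:])})
	if err != nil {
		panic(err)
	}

	cases := []struct {
		name      string
		image     []byte
		installed int
	}{
		{"genuine update onto version 6", image, 6},
		{"tampered image", []byte("something else entirely"), 6},
		{"same version re-sent (rollback check)", image, 7},
	}
	for _, c := range cases {
		_, err := VerifyUpdate(pub, body, sig, c.image, "cam-x1", c.installed)
		fmt.Printf("%-40s -> %v\n", c.name, err)
	}
}
```

The order of the checks matters: the signature is verified over the raw manifest bytes before the JSON is parsed, so a malformed or hostile manifest never reaches the parser, and the version comparison is against the version already installed on the device, not against a value in the download.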

Conclusion

What this incident shows is that manufacturers and software designers need to look seriously at the “business-durable” product classes and pay better attention to keeping them working to current expectations. That in turn allows us to keep the computer systems associated with them up to date and secure.

At last, two QNAP VioStor Network Video Recorders targeted at the small business

Press Release

QNAP Security Moves into the Consumer Mainstream Security by Introducing A New Affordable Standalone Surveillance Video Recording System

Product Page

VioStor VS-2004L – 4 channels (4 cameras concurrently recorded)

VioStor VS-2008L – 8 channels (8 cameras concurrently recorded)

My Comments

I have shown interest in the QNAP VioStor VS-20xL series network video recorders because QNAP have presented the equipment as an affordable recording solution for small businesses who are taking their first steps towards IP-based video surveillance.

One reason these units earn their keep, as far as I am concerned, is that they let a business improve its video-surveillance system without replacing more equipment than it has to. The limitations are that they need an external computer as the system’s visual display and that each unit holds only two hard disks, supporting single-disk operation, dual-disk “large-volume” (JBOD and RAID 0) operation and dual-disk mirrored (RAID 1) operation. Note that only the mirrored mode survives a disk failure; in JBOD or RAID 0, losing one disk loses the recordings.

There is even the ability to change capacity or operating mode in certain situations without shutting down the NVR. Another upgrade path is to buy a second QNAP VioStor, especially a VS-200xL Series unit, to increase the concurrent recording capacity as you add more cameras while the existing unit keeps recording.

As well, these systems still provide the full expected functionality like alarm recording on motion detection, camera “alarm input” or URL-based alarm triggering. The latter can work with software that calls a URL on particular events, such as point-of-sale transactions like voids and no-sales. Because anything on the network can request a URL, such a trigger should require a credential or a secret in the request; otherwise any device on the LAN can raise bogus alarm events or flood the recorder with them.

They are of a similar size to an entry-level dual-disk network-attached storage unit and support connectivity to USB devices like USB storage devices and control links for uninterruptible power supplies that serve the unit. The unit can back up the video data either to a USB hard disk or to a network-attached-storage device on the same network.

These recorders can work alongside cameras that are ONVIF-compliant but this may not guarantee a true “plug and play” experience when you want to “evolve” the system yourself.

There are still a few “holes” in usability, such as the inability to integrate with UPnP-compliant routers when setting up remote-monitoring links, even though manufacturers like Draytek and AVM supply small-business-grade routers with this functionality. (Automatic port opening does expose the recorder’s interface to the whole Internet, so many security-conscious sites disable UPnP on the router and reach the recorder over a VPN instead.) As well, there isn’t a standalone client-side program for the common desktop operating systems that works as the system’s dashboard. This could affect system performance, especially on older computers or standard operating environments built around competing Web browsers.

These units, especially the VS-2004L, could become the heart of an “analogue-upgrade” kit consisting of one of these units and a 4-channel video encoder, which would allow a small business to add network functionality to its existing analogue-camera CCTV system. As well, the VS-2004L, working with four capable network video cameras, could be all that is needed to provide video surveillance for something like a small shop.

At least this is a step towards fulfilling a challenge of providing an affordable IP-based video-surveillance system for the small business that doesn’t skimp on quality or functionality.

Feature Article – Moving your closed-circuit TV surveillance to IP technology

WARNING THESE PREMISES ARE PROTECTED BY VIDEO-SURVEILLANCE

The typical video-surveillance system

You have established a video-surveillance system in your business premises and have had it going well for many years. It would be based on four to nine analogue cameras located through the premises, all connected to a multiplexer, commonly known as a “quad”. This device, which presents video images from the cameras in a sequence and / or as a matrix of four images on the one screen, is then connected to a VHS time-lapse video recorder that records whatever is going on in the premises. You see the output of the cameras through one or two monitors, whether dedicated video monitors or a spare TV pressed into service as a monitor.

If you are lucky enough to do so, you may have used a dedicated digital video recorder instead of the VHS time-lapse video recorder as the system’s video recorder. These units would have a built-in hard disk and may copy images or video segments that are needed for reference to a DVD using an integrated DVD burner. There is also an increased likelihood of these units being able to work with multiple cameras without the need to use a “quad”.

But now you have heard talk from people in the IT or security industry, such as your system’s installer, about network-based video surveillance, and perhaps seen other businesses and government sites equipped with this technology, with the increased expandability and flexibility that it provides at all points of the equation.

What benefits does the new IP technology provide?

For example, you could have the recording functionality located away from the premises so employees can’t handle the recording media, or to permit security firms to offer offsite video monitoring as another service. In some cases, an IP-based video-surveillance system can make it easier for business partner groups such as police officers or your landlord’s security team to “patch in” to your cameras as needed and with your agreement, without upsetting your existing system’s setup. (That access should be through separate accounts that you can revoke, not a shared password.) As well, you may want to benefit from advanced handling of the video feed, which can bring functions like video motion detection, automatic vehicle number-plate (license-plate) recognition or people-counting into your system, whether integrated into the cameras or as extra software in other system devices. These systems may also offer high-resolution cameras, which may appeal to you in certain security scenarios like fraud detection.

The technology is becoming available at a cost that most small business users can afford. One of the reasons is because most of the infrastructure may already exist due to the data network being laid down for Internet access and computer networking. Similarly, you may benefit from your network-attached storage device or business server being able to work as a DVR device simply by you adding cheap or free software to that device. On the other hand, there are some DVR devices that work with network cameras and offer a lot more video-surveillance functionality and integration in the long run, with some of them offering a Web-based system dashboard available over the network. As well, your regular desktop or laptop PCs can work as cost-effective system-control and monitoring terminals through the addition of cheap or free software or the computers’ Web browsers being pointed to the cameras’ Web sites. This may then make you think that your closed-circuit TV system is simply “too old” for today’s requirements. How should you go about moving towards the technology?

The IP network infrastructure

The network infrastructure that is part of your IP-based video-surveillance system should be based on Cat5 (or better) Ethernet cable, which can double as your business’s wired data network. This provides a reliable system and lets you move towards “Power over Ethernet”, where a single Ethernet cable carries power to the cameras as well as the data back from them. This is in fact a scenario you should look towards deploying, with a multi-port “power midspan” or “powered switch” providing the cameras’ power and obtaining its own power via a good-quality uninterruptible power supply of adequate capacity. If the switch supports VLANs, put the cameras and the recorder on their own VLAN so that a compromised camera cannot reach the office computers and the cameras cannot be reached from the office or guest network.

You could use other network media like Wi-Fi or HomePlug powerline for supplementary camera installations such as additional event-specific cameras or test-run cameras used while building out your system. Treat those links as less trustworthy than a cable: use WPA2 on the Wi-Fi and change the powerline adaptors’ network password from the factory default, since a shared medium is easier to eavesdrop on or join than a dedicated cable.

Standards and setup issues

When you choose your equipment, make sure it works to common standards such as widely-used video codecs and Internet-standard protocols, and that it lets you use HTTPS for management and set per-user credentials. Change every camera’s default password before it goes on the network; default camera credentials are a well-known way these systems get broken into. You may also want to make sure that each camera is reachable at a known IP address or host name on the logical network at all times, so as to make it easy to set up or revise your system.

If you are thinking of remote access, the safer approach is to reach the system through a VPN into your business network, so that nothing on the camera network is exposed directly to the Internet. If you do use a dynamic-DNS or fixed-IP service with port mapping so you can navigate to the system from outside, limit the mapping to the recorder or management server rather than every camera, use HTTPS, and remember that whatever you map is reachable by anyone on the Internet, not just you. Either way, a known IP address or fully-qualified domain name lets you refer to your system from outside.

The main objective with a proper IP upgrade is that you don’t lose any functionality that your existing system has provided you. Rather, you gain more in the way of functionality, expandability and security from the new setup because of the new features that the IP-based equipment and software will provide.

The upgrade path

Check your DVR for additional network functionality

If your system uses a DVR rather than the VHS time-lapse recorder as its recording device, find out if the DVR offers access to stored footage or live camera streams via industry-standard network protocols. This also includes the possibility of the DVR sending images or footage to nominated people by e-mail or MMS in response to an alarm event. As well, the extra functionality could include the ability to record images or footage from network cameras.

This functionality may be available through hardware and/or software that you may be able to retrofit, whether done by yourself or a competent computer or security technician. The software may be available for a very low price or, in some cases, for free from the manufacturer’s site or a respected third-party developer.

Network video encoders

These devices are used to connect the existing system to your network. They come in one-channel or multi-channel versions. The one-channel version can service one existing camera or the “MONITOR” output of an analogue system’s multiplexer, whereas a multi-channel version can service multiple cameras. The latter solution can come in handy if you want individual access to your legacy system’s camera outputs via your network.

It is also worth noting that some of the high-end network video encoders come in the form of an expandable infrastructure where there are many encoder “blades” that are installed in a rack-mount “master chassis”. This could allow a user to increase the number of channels in the encoder simply by replacing the “blade” which has fewer channels with one that has more channels. These units may appeal more to installations where there are many serviceable analogue cameras.

If any of the cameras in your system use “pan-tilt-zoom” functionality, the network video encoder that you use for these cameras should have a compatible “PTZ” interface so that you don’t lose this functionality. Similarly, if your system uses alarm connectivity for changing how it records the video information, the network video encoder should support this same alarm connectivity.

Recording

The IP-based video-surveillance system has increased recording flexibility compared to the legacy systems. Here, you could have the images captured on a network-attached storage unit that exists within the logical reach of your business network. For example, you could have one of QNAP’s multi-disk “muscle-NAS” units located in your premises AND a D-Link two-disk NAS at home or in another premises under your control, both set up to record images from the same lot of cameras. You also benefit from the fact that most of these NAS units can be upgraded to higher capacity in the field through the purchase of larger-capacity OEM hard disks from independent computer stores.

In some cases, you can set up some of the NAS units like most of the QNAP range to work as network video recorders by installing software applications in these units. This usually allows the cameras and the recordings to be viewed from the NAS’s management Web page.

It may be worth knowing that there are some special NAS units that are optimised for IP-based video-surveillance setups. These will usually have functions like a Web-based dashboard, improved user interface for indexing and, in some cases, video-analysis functionality not available in the cameras. These are worth considering for larger video-surveillance systems.

Alarm integration and POS Exception Monitoring

Your system may be set up so that your video recorder works in real time if, for example, the building’s alarm is triggered or a staff member presses the duress-alarm button during a hold-up. You can make sure you don’t lose this functionality when your system is network-enabled. As well, you may benefit further from this through network cameras sending through pictures to specified e-mail addresses or MMS-enabled phone numbers upon alarm events.

To achieve this, you need to make sure that your cameras that are in the alarm’s scope have alarm-input terminals and that the signalling devices are properly wired to these terminals as specified in the documentation. In some cases, you may need to use a relay or optocoupler as a way of achieving a compatible connection that operates properly. An alarm installer or electronics technician can do this kind of work easily.

If you are a retailer who uses POS exception monitoring, where certain normal or abnormal transactions cause your closed-circuit TV system to register them as alarm events or to overlay transaction data on the video, you should make sure you can integrate this functionality in your network-enabled system. The network-based system may allow for transaction searching or exposure of transaction data independently of the video and could work with network-based POS systems. As with any network trigger, the link from the POS software to the recorder should be authenticated, so that only the till software can raise an exception event.
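As an added example covering both the URL-based alarm triggering mentioned for the QNAP VioStor units earlier on this page and the POS exception monitoring described just above (this is my illustration, not QNAP’s or any POS vendor’s actual protocol), the following Go program shows the POS side deciding which transactions are exceptions and building the trigger URL, and the recorder side checking that the request really came from the till software. The alarm endpoint http://nvr.local/alarm, the parameter names and the transaction-type names are all assumptions; the HMAC “mac” and “ts” parameters are the authentication I am adding on top of a plain URL trigger.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"time"
)

// exceptionEvents are the POS transaction types that should raise an alarm
// event on the recorder. The names are constructed for this example.
var exceptionEvents = map[string]bool{
	"void":    true,
	"no_sale": true,
	"refund":  true,
}

// ShouldTrigger reports whether a transaction type is an exception worth
// flagging. Ordinary sales return false so the recorder is not flooded.
func ShouldTrigger(txType string) bool {
	return exceptionEvents[txType]
}

// tag computes HMAC-SHA256 over the fields that matter, in a fixed order, so
// that neither side depends on query-string ordering.
func tag(secret []byte, q url.Values) string {
	msg := q.Get("camera") + "|" + q.Get("event") + "|" + q.Get("register") + "|" + q.Get("ts")
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(msg))
	return hex.EncodeToString(m.Sum(nil))
}

// BuildTriggerURL is the POS side: it builds the GET request that fires the
// recorder's alarm endpoint. Base URL and parameter names are assumed for
// this example; "ts" and "mac" are the added authentication.
func BuildTriggerURL(base string, secret []byte, camera, event, register string, ts time.Time) (string, error) {
	u, err := url.Parse(base)
	if err != nil {
		return "", err
	}
	q := u.Query()
	q.Set("camera", camera)
	q.Set("event", event)
	q.Set("register", register)
	q.Set("ts", strconv.FormatInt(ts.Unix(), 10))
	q.Set("mac", tag(secret, q))
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// VerifyTriggerURL is the recorder side: it recomputes the tag with the shared
// secret, compares in constant time, and rejects timestamps outside the replay
// window. It returns the camera and event only for a genuine request.
func VerifyTriggerURL(raw string, secret []byte, now time.Time, window time.Duration) (string, string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", "", err
	}
	q := u.Query()
	if !hmac.Equal([]byte(tag(secret, q)), []byte(q.Get("mac"))) {
		return "", "", errors.New("missing or invalid mac: request not from the POS software")
	}
	ts, err := strconv.ParseInt(q.Get("ts"), 10, 64)
	if err != nil {
		return "", "", errors.New("bad timestamp")
	}
	if age := now.Sub(time.Unix(ts, 0)); age > window || age < -window {
		return "", "", errors.New("timestamp outside replay window")
	}
	return q.Get("camera"), q.Get("event"), nil
}

func main() {
	// Constructed shared secret, provisioned on both the POS and the recorder.
	secret := []byte("constructed shared secret")
	now := time.Now()
	for _, tx := range []string{"sale", "void", "no_sale"} {
		if !ShouldTrigger(tx) {
			fmt.Printf("%-8s ignored\n", tx)
			continue
		}
		raw, _ := BuildTriggerURL("http://nvr.local/alarm", secret, "cam2", tx, "till1", now)
		cam, ev, err := VerifyTriggerURL(raw, secret, now, 30*time.Second)
		fmt.Printf("%-8s -> camera=%s event=%s err=%v\n", tx, cam, ev, err)
	}
	// A request forged by another host on the LAN, without the secret, is refused.
	forged := "http://nvr.local/alarm?camera=cam2&event=void&register=till1&ts=" + strconv.FormatInt(now.Unix(), 10)
	_, _, err := VerifyTriggerURL(forged, secret, now, 30*time.Second)
	fmt.Println("forged   ->", err)
}
```

The timestamp window is what stops a captured trigger URL from being replayed later to bury a real event among bogus ones; the constant-time comparison avoids leaking the tag byte by byte. If the recorder only accepts trigger URLs over HTTPS as well, the secret never crosses the LAN in the clear.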

Scenarios

These scenarios avoid the need to replace any equipment that is in good working order ahead of its time and prefer that the IP-based technology be “bolted on” to a video-surveillance system in a manner to enhance the system without losing any of its functionality.

Simple network enablement

You may simply start out by connecting the monitor output of your existing system to a single-channel network video encoder. This may be of use if your current-term objective is to view the system’s output on your network-connected PC or your mobile phone.

On the other hand, you may use a multi-channel network video encoder to network-enable all the cameras in a small 4-camera system or, for a larger system, a few cameras that you consider important as well as the monitor output. Then you add another multi-channel network video encoder to network-enable more cameras. You then run a video-surveillance manager program on your general-purpose PC so you can easily view the cameras and set up your network-based recording options.

You will still keep your “quad” and VHS time-lapse recorder or DVR going as a “failover recording setup” until that hardware breaks down irreparably.

Additional or replacement cameras

When you “build out” your video-surveillance system with extra cameras or replace any of the existing cameras, the newer cameras that you deploy in this scenario should be network-capable units. As mentioned before, you run a video-surveillance program on your PC to set up the recording and viewing options.  If you have enough room on your existing system’s multiplexer for extra channels or are replacing existing cameras, you have the option to connect these cameras to the multiplexer because they will have video outputs as well as network outputs. This setup will then appeal to those of us who have plenty of mileage left on the older equipment and still want to use that equipment to record the footage; or haven’t yet run Ethernet wiring out to the new cameras.

Moving away from tape or proprietary DVR

Your VHS time-lapse recorder may be just at the end of its service life and you may be thinking of where to go next. Similarly, you may have had enough of that proprietary DVR that cannot be expanded easily and want to look for something better. This could be a time to network-enable your existing video-surveillance system. Here, you could deploy a multi-channel network video encoder and a network-attached storage like a QNAP unit on your network dedicated for the video surveillance system. Then you use video-management software on your PC to direct the cameras to record to the NAS and to make DVDs of footage that you need to provide.

Complete system upgrades

You may be in a position to upgrade your video-surveillance system, such as through new premises, renovations, newer security requirements placed by government, insurance or company needs; or a large number of the components coming to the end of their useful life. Sometimes, the government may financially assist you in improving your system whether through a grant, loan or tax break towards the cost of the equipment as part of a compliance or “safer cities” program.

This upgrade may give you the break to move towards an “all-IP” system with IP-based cameras, one or more recording devices being network-attached storage devices, computers running video management software; and all of them interconnected using the business’s Cat5 Ethernet cabling.

Conclusion

Any business whose premises are protected by a video-surveillance system should be aware of IP-based video-surveillance setups. As well, they should know when to evolve to the IP-based technology and how to do it without unnecessarily replacing existing equipment.