Securlinx at IAHSS in Chicago

Securlinx is on the ground in Chicago to take part in the International Association for Healthcare Security & Safety (IAHSS) annual conference and to demonstrate the newest version of our FaceTrac facial recognition software. We’ll be in booth #601 today and tomorrow.

IAHSS is dedicated to professionals involved in managing and directing security and safety programs in healthcare facilities.

 

More baseball stadium biometrics…

Yankees announce improved security and entrance measures for fans (Crain’s) — Yankee Stadium visitors soon will be able to avoid long security lines by registering their fingerprints with a biometric identity service used at 12 U.S. airports.

In another deployment the St. Louis Cardinals (baseball’s second-most successful franchise in history) have installed iris biometrics for player and staff access control in more secure locations.

Security integrators and IT professionals in the IoT era

Role Of Security Integrators In The Internet Of Things Era (Source Security)

Networking IoT devices may seem like an information technology (IT) function, typically handled by a chief information officer (CIO). However, says Martens, CIOs will be preoccupied with complex issues far beyond physical security. Therefore, identifying where IoT sensors are placed, how they are managed and how they interact will fall to facility managers. And they will depend on their security integrators’ expertise more than ever.

Technology is pushing the security and IT functions closer together, most obviously because they are increasingly provided over the same infrastructures. There’s a lot of good insight at the link.

Forecast: Global Smart Security Market 2015-2019

Latest report on the global smart security market that is estimated to grow at a CAGR of 18.59% over the period 2014-2019 (Sandler Research)

Smart security solutions are used to monitor the activities and behavior of people in areas that are more prone to unauthorized access or damage, such as enterprises, educational institutions, commercial buildings, and utility infrastructure. Smart security includes advanced security systems such as IP surveillance cameras, biometric access control systems, integrated perimeter intrusion prevention systems, and wireless alarms. Thus, these solutions can secure an area from miscreants, terrorist activities, and data theft.

Adoption of intelligent security solutions for cities and their infrastructure not only provides security but also peace of mind to the residents.

The analysts forecast global smart security market to grow at a CAGR of 18.59% over the period 2014-2019.

Older Android versions had more vulnerabilities

Is Samsung’s Galaxy S5 ‘leaking’ YOUR fingerprints? Flaw means hackers can intercept and steal biometric data (Daily Mail); Forbes piece, here.

The pair told Thomas Fox-Brewster from Forbes that the flaw lies in older versions of the Android operating system, up to and including Android 4.4.

Subsequently, anyone running Android 5.0 or above is not at risk and the security experts are advising people on older models to update as soon as possible.

The semi-technical press seizes upon biometrics as a proxy for personal data. This is old news, but here’s a great example.

A close reading of the article reveals that earlier releases of Google’s version of the Android mobile OS weren’t as secure as they are now. This will come as news to few. The article points out that, “Once inside they can monitor all data sent to and from the phone, as well as data recorded by the handset’s built-in sensors, including the fingerprint scanner.”

Get it? Exploiting the security flaw means that the whole device is compromised: Email apps, microphone, location information, and possibly even the contents of phone calls themselves, but according to the author and editor(s), the news value is in the possibility of capturing a fingerprint image. Of course, it’s their outfit; it’s their call.

For readers here, instead of “OMG fingerprints[!],” I’d emphasize that:

Not all mobile operating systems are created equal.
Different mobile applications offer a different mix of privacy costs and benefits.
Installing OS updates and patches is very important.
If the OS is compromised, the applications it runs are vulnerable.

Left out of the information readily available online about this hack is how the people at FireEye got their malware onto the hardware in the first place. Past “hacks” of biometric systems have been executed on a playing field that is far more favorable than the real world to the hackers, where all the other layers of the security regime are stripped away from the one security link they want to test. Here’s a particularly striking example. If FireEye rooted the phone, side-loaded their malware onto the device, and went from there, this isn’t a hack in any real sense — it’s a malware test.

That hypothetical scenario would mimic a real world example where a user lost their phone and bad guys got it, loaded software on it and then returned the mobile device to the user who continued as if nothing had happened. In the security world, if you lose control of the hardware, all bets are off for anything that isn’t encrypted (with a strong key).

So, without more information, it’s hard to say how big a deal this is, or in many (most?) cases, was. In the bigger picture, this is a Google Android OS story. The subtext is that users who care about mobile device security should be thoughtful about what device/OS/app combinations they adopt, keep their device’s software up to date, and be careful about malware.

As automated and convenient security including biometrics becomes better and more common, the highway robbers of the 21st Century are increasingly forced to turn to social engineering techniques rather than frontal assaults on security technology.

See: The Con is Mightier than the Hack

True cybersecurity requires a conceptual shift

The user knows nothing: Rethinking cybersecurity

This position — that the adversary knows your system as well as you do, if not better, as soon as it is stood up — while extreme, led to the creation of large number factorization, the basis for all modern encryption, from PGP to RSA tokens. Under these encryption schemes, as long as the key is kept private, someone can know everything about how the security system works and still not be able to crack it.

To get to a place of true cybersecurity, another stark innovation in thinking is needed. What is needed is an Inverse Shannon’s Maxim: the user knows nothing.

Coincidentally, our CTO and I were having a conversation along these lines just yesterday. It’s a thrill a minute at SecurLinx!

CyberSec: So hot right now

Why Venture Capitalists Love Security Firms Right Now (MIT Technology Review)

Venture capitalists poured a record $2.3 billion into cybersecurity companies in 2014, a year marked by frequent reports of hacks on high-profile companies. Yearly investment in cybersecurity startups has been on the rise for several years now, and is up 156 percent since 2011, according to CB Insights. The trend will likely continue, as 75 percent of CIOs surveyed by Piper Jaffray said they would increase spending on security in 2015.

Cybersecurity in Brazil

Guest Post: Brazil’s Cybersecurity Conundrum (Council on Foreign Relations)

Brazil has embraced the digital age with more gusto than most. It is one of the top users of social media and recently signed-off on a bill of rights for the Internet, the Marco Civil. The country is also a leader in the development of online banking with more than 43 percent of web users engaging such services, and can be proud of a thriving software industry, including some world class companies.

Brazil certainly is an interesting case.

Technology is neutral

WikiLeaks Releases Alleged CIA Documents Detailing Travel Tips For Undercover Agents (IBT)

“The two classified documents … detail border-crossing and visa regulations, the scope and content of electronic systems, border guard protocols and procedures for secondary screenings,” WikiLeaks said, in the statement. “The documents show that the CIA has developed an extreme concern over how biometric databases will put CIA clandestine operations at risk.”

In the leaked documents, the CIA also expressed concerns over the impact the implementation of a biometric security system in the Schengen Area would have on its undercover operatives traveling under false identities, adding that it would “increase the identity threat level for all US travelers.” The Schengen Area comprises a bloc of 22 European nations that have relaxed passport and border controls at their common borders.

Biometrics can be used to suss out identity fraud among organized criminals. Biometrics also appear to be greatly complicating the activities of intelligence agencies to move assets from country to country.

The technology doesn’t care.

Predicting the future of security

IDC Reveals Worldwide Security Predictions for 2015 (TMCnet)

Some excerpts:

2. Biometric Identification – Mobile devices have biometric capabilities and in 2015 we expect that 15% of those devices will be accessed biometrically, and that number will grow to 50% by 2020.

5. Security SaaS – Enterprises will be utilizing security software as a service (SaaS) in a greater share of their security spending. By the end of 2015, 15% of all security will be delivered via SaaS or be hosted and by 2018 over 33% will be.

6. User Management – By 2016, multi-factor authentication will be the primary method of access control used by 20% of enterprises for highly privileged or otherwise sensitive accounts.

There’s a lot more good information at the link.

Access control upstages video surveillance

The Press Release for this Memoori market research study contains a lot of great information…

This steady consistent growth since 2011 has been driven by a combination of factors including strong growth in IP Video Networking and IP Access Control products, buoyant markets in Asia and North America and higher levels of penetration in vertical markets such as transport, retail, health and education.

ACCESS CONTROL MOVES TO IP AND DELIVERS CUSTOMER VALUE PROPOSITIONS

Access Control, for so long the poor relative of Video Surveillance, has this year come out of the shadows and upstaged it by delivering a higher growth rate, and we forecast that it will continue to increase its growth rate over the next 5 years.
This will be achieved by moving to IP Technology and integrating Access Control with Identity Management. There can be no doubt about the business case for integrating these services. Identity Management for the purpose of Access Control has given rise to a number of major acquisitions in the last 5 years. September 2010 saw a flurry of activity with the purchase of L-1 Identity Solutions by Safran for $1.1 billion, 3M’s purchase of Cogent Systems for $430m, the merger of AuthenTec and UPEK. In 2014 whilst the number of deals declined, this group accounted for 19.2% of the total number of acquisitions and 5.6% of the total value.

Access control through a standard card reader system is a weakness particularly at a time when risk of corporate theft, malicious damage to staff and property and terrorism has increased. The need for a more secure system incorporating biometric devices to authenticate identity and manage the process is becoming a standard requirement for new systems in high security areas.

Physical Identity and Access Management (PIAM) is also a service that promises to deliver further growth opportunities. It enables common policy, workflow, approval, compliance automation and life cycle management of the identity / badge holder (employee, contractor, visitor, temps) across disparate physical security systems. The key benefit from PIAM solutions is operational cost reductions that can be delivered through this platform providing a bridge between the disparate systems, without stripping out and starting again. PIAM has so far failed to attract the mainstream PACS business.
There is a steady stream of alliances and partnerships between PIAM Software companies & PACS companies but so far we have not identified any mergers and acquisitions. Information on the business is pretty sparse and most “best estimates” on the market size range around $150 million. This, if accurate, is quite small considering that virtually all Fortune’s Top 500 companies must have installed one.

IMPROVED PERFORMANCE, ROI & REDUCED TCO

Now has to be the time to dig even deeper and for manufacturers to increase their efforts to align the motivation of security buyers to invest in better performing systems through educating and training both themselves and those in the distribution channel in order to drive out all the benefits.

Whilst technology has been the enabler of change, the driver and motivator is now clearly to channel this to deliver products and services that increase productivity and provide a better ROI and reduce the TCO. This is gradually changing the buyers’ culture from believing that physical security is a pure cost centre to a profit centre.

Security, sadly, is still regarded by most end users as a cost center and as such has been towards the end of the food chain for capital investment. This can be crucial when budget reductions are on the agenda. However a gradual change in attitude by buyers is taking place. Specifically that security can be a cost saver when reducing shrinkage (retail) and that when integrated with other services it can increase productivity in the business enterprise and therefore reduce operational costs. This has been made possible through IP convergence and in some vertical markets such as retail there is a growing belief that IP Video Surveillance should be treated as a profit centre.
This has had a major impact on increasing the value-add on security projects. The market has not been slow to see the opportunities and changing requirements for more converged and integrated solutions. In order for companies to deliver such systems many have decided that it is necessary to acquire, merge or form alliances and partnerships with other suppliers. In order to maximize the opportunities of delivering on ROI it is vital for suppliers to have specialist knowledge and experience in vertical markets. But equally important is to have the networking skills to join all the vertical and horizontal layers of product together with the analytical software and interface with the other building services software and finally join them to the business enterprise. Video Surveillance is already en route to establishing an important role in the Building Internet of Things (BIoT) and the wider IoT.

 

India using biometrics to streamline government interactions with citizens

Technology Can Surely Help Reduce Hardships (The New Indian Express)

Prime minister Narendra Modi on Monday launched the “Jeevan Pramaan” project, a digital version of the “life certificate” scheme that could eventually benefit 10 million claimants. The biometric-based software means pensioners will now no longer have to visit banks every year to give proof of their being alive to continue receiving benefits. Around 50 lakh people draw pension from the central government, and an equal number from state and UT governments. Several PSUs also provide pensions, and over 25 lakh retirees draw pensions from the armed forces. The software will be made available to pensioners and other stakeholders on a large scale at no extra cost. It can be operated on a personal computer or smartphone, along with an “inexpensive” biometric reading device.

For thousands of years, more security meant less convenience. Biometric technologies have the power to change that.

Airline biometrics for security & convenience

Forget E-Tickets, Alaska Air Mulling E-Thumb for Boarding (Bloomberg)

Alaska Airlines (ALK) is exploring using passengers’ fingerprints to replace travel documents, driver’s licenses and credit cards now needed to navigate from airport curbs to jetliner seats. If successful, it would be the first U.S. carrier to employ biometrics for boarding passes and inflight purchases and could spur wider adoption across the industry.

Biometrics can add security and convenience at the same time. It looks like people are starting to recognize it.

US: DHS sets sights on new biometric database

At Planet Biometrics…

The US Department of Homeland Security’s Office of Biometric Identity Management will receive US$20 million in extra funding to keep its existing identification system operating while a new database is developed, a senior OBIM official confirmed to Planet Biometrics at the Global Identity Summit in Tampa.

The official confirmed that the new database is required because the 20-year-old system is currently dealing with 300,000 transactions a day (hitting a database of 173 million unique identities) in comparison to 220,000 (hitting a database of 150 million unique identities) a year ago.

Passwords vs. biometrics (GCN)

The password by itself actually is a pretty good tool. It is simple to use, easy to implement and can be reasonably strong. The problem is one of scale. For a user juggling passwords for multiple accounts and for administrators juggling many users, the system quickly becomes unwieldy, and strong security begins to break down. In addition, the steady growth in computing power erodes password security by making dictionary and brute force attacks more practical.

Biometrics – the use of physical traits such as fingerprints, irises, faces or voices to identify persons – is more complex, but is becoming more practical. It offers the promise of better security based on the premise that there is only one you.

Yet it has its drawbacks…

See also:
January 17, 2012 More on the Awesomeness of Passwords

Educating the supply side and the demand side of voter fraud in the Solomon Islands (Solomon Star News) — What gets through enrollment will most likely get caught in de-duplication.

Going up? The overall smart elevators market is expected to reach $16.45 billion by 2018 — It’s about time elevators got biometrified.

Security has layers. Top Security Techniques That Work For The Masters (Blog Her) — “Every layer of protection the bank adds is designed to make it harder for a criminal to get paid. Consider a layered approach for your small-business security plan.”