News

New Guides On Vandalism Released

The Home Office has published a series of 5 short practical guides through its crime reduction website, to help businesses and organisations tackle vandalism and criminal damage. Each guide is short and snappy at only 4 pages long, and addresses practical issues, illustrating its points with pen picture case studies. The five guides are: Tackling Vandalism and other Criminal Damage; Tools and Powers for Tackling Criminal Damage; Environmental Approaches to Tackling Vandalism; High Visibility Policing; Tackling Youth Vandalism. They can be found by following this link. Recommended in the literature is the implementation of surveillance systems. Tensor can provide your organisation with state-of-the-art digital CCTV camera and recording systems, which are compliant with UK police requirements. Tensor are also leaders in the provision of access control systems, which prevent unauthorised access to your premises. Suitable for both large and small sites, Tensor can provide a system to suit your needs. If you are interested in learning more about digital CCTV or access control and how it can help you, why not contact Tensor, and we would be happy to provide you with additional information.

Stolen Laptops Providing Gateway To Hackers

Lost or stolen laptops which fall into the wrong hands can be used to launch an attack on the corporate LAN using tools obtained online or from auction websites. In a recent demonstration showing network vulnerability, a sample laptop with commonly used password security was used to carry out a series of hack attacks to show how these mobile devices can act as a gateway to data housed on internal systems. Local user passwords were compromised, allowing data residing on the hard drive to be harvested, and attacks were launched on the device’s associated network connections. The first step to compromise the laptop entailed hacking the BIOS before the Windows operating system had launched. A BIOS reset connector, typically used by manufacturers to deactivate and reset the laptop BIOS password during repair, can easily be made or purchased from eBay and allows complete access to data housed on the hard disk. Alternatively, the hacker can remove the hard drive from the laptop entirely and install this in another device without a BIOS password, again allowing access to data on the drive. Compromising Windows passwords was equally simple. Backtrack, a Linux tool on CD-ROM, was booted on to the device, providing access to the Windows file system before the operating system had even launched. Software hacking programmes such as GetSyskey and Gethashes were downloaded from the internet and used to access the Windows encrypted passwords. In addition, Rainbow Crack, a software tool which creates Rainbow Tables, was used to compute the various password hashes used by the LM password algorithm. Using a precomputed table of over 60GB of hashes, the administrator password was cracked in under two minutes. Moreover, encrypted WEP passwords and remote desktop log-in details from the Windows registry file were discerned using password recovery software.
Having cracked these passwords, the desktop could be browsed at leisure and files and documents on the laptop could be identified, even those which the user had deleted from the hard drive. Disk Investigator, a downloadable software tool, was used to recover deleted files from the file system, as well as locating deleted files from flash media such as USB pen drives. Finally, a fictitious corporate LAN was broken into using a remote access client. An installed Cisco VPN client was used, and cached login credentials stored locally in a .pcf file were located, enabling access. Cain and Abel, a tool readily available online, was then used to crack the Cisco VPN encrypted client passwords, decoding these into clear text. Once inside the network, an enumeration attack was carried out to browse named hosts. These PCs and servers, often given away by telltale names ranging from the obvious, such as ‘Payroll’, to old techie favourites such as Star Wars or Lord of the Rings characters, planets or Greek gods, were easily identified. Having selected a target client, a free, open-source exploit tool called Metasploit, which provides a simple graphical user interface, was then used to gain administrative access. The hacker was now free to export data from the internal host or carry out corporate sabotage or espionage. The risk of attack to the corporate LAN has increased along with the popularity of mobile working and hotdesking. The FBI Computer Crime and Security Survey claims around 50 per cent of organisations reported mobile device theft in 2005 and it’s a problem that affects both the private and public sector. Over the last twelve months in the UK 21 laptops have been stolen from Department of Trade and Industry (DTI) buildings and five laptops have been misappropriated from the Office of the Deputy Prime Minister. Any of these devices could have been used to compromise the core networks of business or government using these simple tools and techniques.
Here are recommendations to organisations with mobile workers to help combat information theft:
At the very least, encrypt your sensitive files with freely available software.
Set a BIOS password, even though it can be reset.
Don’t allow users to boot from USB keys, floppy disks, CD ROMs or from a network.
Use a secure VPN technology.
Don’t allow the caching of passwords or user names in RAS clients.
Educate your staff. All too often credentials can be found in notepad files on the desktop.
Incorporate biometric logon devices.
Consider full disk encryption.
PIN lock GPRS or 3G SIM cards.
Encourage staff to report laptop or mobile device theft immediately on discovery and ensure you have a 24-hour process to enable this.
Consider using passwords which use UK-specific character sets, as most RainbowTables currently available are computed from American keyboard codepages.
Article courtesy of Security Park
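
A defender-side check for the cached-credential problem described above (the .pcf file found in the demonstration, and the advice not to cache passwords or user names in RAS clients), added here as an example and not taken from the original article: it reports which Cisco VPN client profiles keep credentials on disk, without ever printing the stored values. The key names are assumed from the commonly documented .pcf profile format, and both sample profiles are constructed.

```python
"""Flag Cisco VPN client profiles (.pcf) that keep credentials on disk."""
import sys
from pathlib import Path

# Profile keys that hold a secret when non-empty (names assumed from the
# commonly documented .pcf format; adjust if your client version differs).
SECRET_KEYS = ("enc_grouppwd", "enc_userpassword", "grouppwd", "userpassword")

# Constructed sample: a profile that caches everything a thief would want.
WEAK_PROFILE = """\
[main]
Description=Constructed sample profile
Host=vpn.example.invalid
GroupName=staff
enc_GroupPwd=0123ABCD
Username=jsmith
SaveUserPassword=1
enc_UserPassword=4567EF01
"""

# Constructed sample: nothing cached, the user is prompted at each connection.
CLEAN_PROFILE = """\
[main]
Description=Constructed sample profile
!Host=vpn.example.invalid
GroupName=staff
Username=
SaveUserPassword=0
UserPassword=
enc_UserPassword=
"""


def parse_pcf(text):
    """Return {key: value}; keys are lower-cased and a leading '!' is dropped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, comments, section headers and anything that is not key=value.
        if not line or line.startswith((";", "#", "[")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lstrip("!").lower()] = value.strip()
    return settings


def audit_profile(text):
    """Return a list of findings for one profile. Values are never included."""
    settings = parse_pcf(text)
    findings = []
    for key in SECRET_KEYS:
        if settings.get(key):
            findings.append(f"{key}: secret stored in profile")
    if settings.get("saveuserpassword") not in (None, "", "0"):
        findings.append("saveuserpassword: client may cache the user password")
    if settings.get("username"):
        findings.append("username: login name stored in profile")
    return findings


def audit_tree(root):
    """Audit every .pcf file under root; return {path: findings} for hits only."""
    report = {}
    for path in sorted(Path(root).rglob("*.pcf")):
        findings = audit_profile(path.read_text(errors="replace"))
        if findings:
            report[str(path)] = findings
    return report


if __name__ == "__main__":
    if len(sys.argv) > 1:
        report = audit_tree(sys.argv[1])          # directory of profiles to audit
    else:
        report = {"<constructed sample>": audit_profile(WEAK_PROFILE)}
    for name, findings in report.items():
        print(name)
        for finding in findings:
            print("  -", finding)
    sys.exit(1 if report else 0)                  # non-zero exit when anything is cached
```

Run against the profile directory of a laptop build image, a non-zero exit code means at least one profile would hand over a login name or stored secret to whoever holds the disk.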

Smart Card Technology

The ID card debate continues to rage with questions over their purpose, necessity and logistics of a nationwide roll-out still to be answered. In the background, a few organisations are starting to invest in increasingly sophisticated identity authentication technology. Banks including LloydsTSB and HSBC are already starting to roll out token-based solutions, which combine the traditional username and password with a one-time code generated by a keyring-style token, in order to combat ID fraud. It is encouraging to see that financial services organisations are starting to move away from purely password-based authentication techniques in a bid to combat sophisticated key-loggers and phishers. However, the benefits of two-factor authentication devices, such as tokens and smart cards, are not confined to banks. Yet take-up amongst other industries has been slower. Smart cards take strong authentication into a new realm, because they are capable of storing so much information on them and have a vast number of uses. One card, issued by an employer, can allow staff access to office buildings as well as the IT network, thereby combining physical and logical security into one device. Multiple applications on the network can be accessed via a single sign-on mechanism, removing the user’s headache of remembering many different passwords and cutting down calls to the IT helpdesk for password resets. What is more, remote users can access the network with the same level of security as office-based workers using the same card. Not only that, smart cards can be used to make a digital signature, which in future could make electronic documents permissible as evidence in a court of law. Tensor have used smart cards within our security systems for a number of years, and represent a prime example of how the technology can be incorporated into a number of applications.
From time and attendance solutions, to access control and cashless catering, one smart card is able to perform a variety of individual tasks. As we continue to move rapidly towards a completely digital age with complex regulations to adhere to, being able to prove beyond reasonable doubt that an email or document was sent or received will be a must-have, not just a nice-to-have. Increasingly, private enterprises are working with government bodies to deliver commercial and public services to citizens via smart cards, because they are capable of storing multiple credentials for access to different buildings, systems and accounts. Further development depends on public and private sector investment in new infrastructure, and the most cost-effective approach is to work together in order to develop the technology then use it according to the needs of their individual organisations. The potential benefits of stronger identity authentication technologies to commercial and public sector organisations alike are immense, encompassing increased efficiency, compliance issues and better access to public services for all.

The Growing Challenge Of Identity Management

Identity management is a security issue which is becoming increasingly challenging as the perimeter of the network crumbles. This is well illustrated by the DTI Information Security Breaches Survey of 2006, which shows that one in five larger businesses had a security breach associated with weaknesses in their identity management, with the number of incidents being less for smaller companies. The survey found that incidents were from staff gaining unauthorised access to data, staff obtaining and misusing confidential information, financial theft or fraud, and impersonation or phishing attacks. While the incidence of fraud was low, the impact was greater than for any other type of security incident. Several small businesses lost between £10,000 and £50,000 as a result of fraud and one large bank lost millions. Identity management has been a problem for many years, but recent changes to the security landscape have made the risks greater. The growth of mobile computing and remote access are important factors. Couple this with the rapid rise of wireless and the growth in access to applications, then you have significantly increased the opportunities for unauthorised access into your network. At the same time, the internal threat of staff gaining access to confidential information remains as high as ever. Alongside this, the range of potential breaches has materially increased with problems such as pharming, phishing, spyware, keyboard logging, war-driving, etc. on the increase. A number of issues arise in this new landscape. How do you ensure that users activate security features when they connect to the Internet? How do you get them to protect confidential information and guard against threats such as spyware? And not least, how do you manage access to their machines by other colleagues, family or friends. This is a challenging picture and the continued reliance on weak single-factor authentication looks increasingly ostrich-like. 
The DTI 2006 survey found that some 96% of large companies and 93% of all companies are still using single factor authentication to authenticate users. There isn’t a single answer to resolving these problems, but a number of options. There is one thing, however, which is certain – single factor authentication (passwords) is not enough. There are a number of authentication options:
single sign-on is a step forward, but requires superior identity management;
two-factor authentication is much better and involves the use of authentication tokens, biometric devices, etc.;
three factor authentication is far superior and involves something you know (e.g. password), something you have (e.g. authentication token) and something you use (e.g. device authentication).
Article courtesy of Security Park

Stand Firm On Working Time Directive

The UK Government is right to stand firm over the UK opt-out from the Working Time Directive, according to the Chartered Institute of Personnel and Development (CIPD). The CIPD commented as reports from Brussels suggested that a deal between the UK and EU on retaining the opt-out was close. CIPD research has shown that the vast majority of long-hours workers choose to do so, and would resent any moves to remove their right to continue doing so. The UK also leads Europe on flexible working, and as a result average working hours in the UK are not high by EU standards. Mike Emmott, CIPD Employee Relations Adviser, said: "Working excessively long hours is not to be encouraged, and can bring problems for employers and employees. But existing protection under the Working Time Directive has removed the vast majority of the element of compulsion in long-hours working. Most people who work long hours genuinely choose to do so." "There is an argument for better enforcement and more awareness raising of existing regulations to tackle the minority of cases where employers are abusing the opt out provisions. The bigger job is educating managers and employees to focus more on work outputs than hours worked, and of the risks to health and business performance of excessively long-hours." There is a myth across parts of Europe that the Anglo-Saxon labour market model leaves workers enslaved, whereas the European social model sets them free. But analysis of the facts shows that there are many areas – flexible working for example – where UK employees get a better deal from our emerging Anglo Social Model. There is much room for improvement in people management in UK firms to boost productivity, for example by reducing absenteeism and increasing effectiveness at work. The CIPD report ‘Calling Time on Working Time?’, surveyed 750 long hours workers who work more than 48 hours. It addresses many of the issues raised by those in Europe who wish to see the UK opt out removed. 
The survey found: More than three-quarters of long hours workers say that they do so as a result of their own choice. Fewer than a third of employees sign an opt-out clause at the same time as signing their employment contracts. 10% of employees report that long hours working causes damaging physical effects, while 17% cite mental health problems.

NHS Fails To Secure Data On Mobile Devices

A survey into ‘Mobile device usage in the healthcare sector’ carried out by the British Journal of Healthcare Computing & Information Management has revealed that one fifth of the devices used to store data have no security on them at all and a further two fifths have only password-controlled access, which does not guarantee security from hackers. Using basic hacker software downloaded from the Internet it would take a few seconds to bypass a basic password. Just a quarter of respondents used passwords with another form of security, including biometrics, encryption, smart card and two-factor authentication. Respondents included information managers, IT managers, medical professionals and a range of other job titles. Two thirds of the 117 who responded to the survey were in the NHS and a quarter were suppliers to the sector. USB memory sticks/memory cards (76%) were the most popular mobile device to be used to download data in the healthcare sector followed by laptop/tablet PC (69%), PDA/Blackberry (51%), smartphone (9%) and mobile phone (2%). Advances in technology have resulted in the ability to store gigabytes of information not just in these devices but also MP3 music players, cameras, voice recorders etc. The easy availability of tiny, high capacity storage devices such as USB memory sticks and memory cards makes it very easy for a person to carry unnoticed large amounts of data such as patient records or sensitive corporate data. Overall, 42% of respondents owned at least one of the devices they used, but half of the NHS respondents were using their own devices to aid them in their everyday work. The most common type of data stored was personal contact details (80%), while three quarters stored work contact details. Nearly two thirds stored corporate data and an amazing fifth of the healthcare workers who were interviewed held security details – which could include passwords, PIN numbers and bank account details. 
About half of the medical professionals carried patient records on a mobile device. The majority of medical professionals used a password alone for security. One doctor commented that his security was okay because he used "the initials of one of his patients as his password". Two-fifths used higher levels of security, but a small number had no security at all. Comments from respondents included a claim that there was minimal chance of loss or theft and a minimal chance of misuse. Another wrote "my patients couldn’t afford to pay for blackmail and they probably wouldn’t care if others knew" [about their medical records]. A couple thought that the risk to security was no worse than having information on paper. Over half expressed anxiety that patient details are being held on mobile devices. The biggest concerns were that if a device is lost or stolen it would breach patient confidentiality (57%) and that the information "could get into the wrong hands and be abused" (50%). This still leaves, however, a large number who didn’t show any concern and thought that security was adequate. The number of devices that have been lost is surprisingly high. A quarter of respondents had lost a device themselves, and a similar number knew of a colleague who had lost one. However, about half found their devices again and none said there were any consequences from the loss. A small number of colleagues, however, were subject to disciplinary action and one, who had lost a PDA belonging to a local authority chief executive, had even lost their job. The survey shows that a large number of people are using their own devices for carrying data such as work contacts, corporate data and even medical records, which is a basic failure of security policy. Two thirds of the devices have no or inadequate security and there appears to be a lack of appreciation of the security risks among a large number of users.
About 80% said that there was a security policy in their organisation, but the results of the survey show clearly that there is widespread and serious failure in the way that security policies deal with the risks of mobile devices and are enforced. If you are looking to increase the security of your PC or laptop, Tensor supply biometric fingerprint logon devices used in conjunction with a password to safeguard your data.

Getting Back To Business With Biometrics

People and passwords – in the long run, they just don’t work very effectively together. Recently, a network password cracker was run as part of an enterprise security audit to see if employees were adhering to advanced password policies, and guess what… it found that they weren’t. Within 30 seconds, 80 percent of people’s passwords were identified. Immediately, those same employees were asked to create strong passwords that adhered to the security requirements. A few days later, the password cracker was run again: This time, 70 percent were cracked. The difficulty seems to be that employees are unable to maintain strong passwords, and those that did forgot them, so they would have to be reset. The use of biometrics – the mathematical analysis of characteristics such as fingerprints, veins in irises and retinas, and voice patterns – as a way to authenticate users’ identities has been a topic of discussion for years. Early commercial success stories have largely come from applying biometrics to projects with provable returns on investment: time and attendance, password reduction and reset, and physical access control. Tensor have developed a low-cost biometric logon device which provides a competent alternative to reliance on a username and password system. Biometric fingerprint recognition devices can be connected to any PC or laptop, and provide the effective two-factor authentication process that virtually eliminates the possibility of an intruder hacking into your system. The most mature applications of biometric technology are in systems that control physical access to facilities and keep records of time and attendance. Over the last few years Tensor has rolled out fingerprint-based network and systems across the UK. Incorporated into time and attendance, access control and visitor monitoring systems, the combination of biometrics with smart cards has taken the private sector by storm. 
Even the public sector are getting on the bandwagon – Tensor’s biometric prison visitor monitoring system has received unprecedented demand, and is now approaching 20 installations in prisons across the UK. Fingerprint biometrics are largely used as part of an authentication process for providing personnel and associates with smart cards for physical and network access. With the Enterprise range of products suitable for implementation across multiple sites, Tensor provide a proprietary biometrics system that works over multiple bases. If you are interested in finding out more about Tensor’s biometric product range, don’t hesitate to contact a member of our sales team who will be happy to provide information and advice.

Tensor Gain CPD Certification

The CPD Certification Service encourages the provision and assists in the dissemination of high quality, independently certified Continuing Personal / Professional Development (CPD) throughout a wide range of industry sectors. Tensor have been cited as an important source of technical and educational information due to our specialist knowledge of the security industry within the UK. Often called up to provide presentations on our products and services to other members of the security industry, Tensor PLC have also become involved in providing materials compliant with CPD guidelines. These guidelines support the further learning initiatives being undertaken by organisations in both the public and private sector. All professionals need to adapt to the rapidly changing environment within which they work. A commitment to CPD ensures that each individual is equipped with the skills, knowledge and confidence to achieve adaptability. CPD Certification underlines Tensor’s commitment to investment in our products, services and employees, and ensures that we remain one of the leading authorities within the security industry. Tensor was certified by the CPD Certification Service in June 2006.

Respecting Employee Privacy Rights

The loss of employee privacy rights in the workplace is a growing concern among employees, lawyers, and civil libertarian groups. Although employers in banks, telecommunications, securities exchange, in hi-tech industries, and in other workplaces justify using video surveillance in the workplace to monitor employee behavior to chiefly promote safety, improve productivity, and stop theft, protecting employee privacy must be a top concern. If the courts find that the employer’s surveillance methods are less than fair, that firm may find itself knee-deep in lawsuits that could have been prevented. Employers install hidden surveillance cameras for many good reasons such as preventing theft, promoting productivity or protecting employees. However in some cases, the very systems installed to protect will intrude upon employee privacy. Legal observers and human resource specialists who study workplace privacy believe that employee privacy intrusions are more common than previously observed, and that they will increase every year. According to a 2005 survey, more than half of the companies surveyed use video monitoring to prevent theft, violence and sabotage (51% in 2005 vs. 33% in 2001). In addition, the number of companies that use video surveillance to track employees’ performance has also increased, with 10% now videotaping selected job functions and 6% videotaping all employees. Among firms that use video surveillance, 85% notify employees. As more and more employee groups become aware of how they are being watched, the more likely they will take their employers to court. These are the four main types of court-upheld privacy violations that could occur in shops, factories and offices and the first type is directly related to video surveillance. 
Intrusion upon seclusion, which includes invading worker privacy in bathrooms and changing rooms;
Publication of private employee matters;
Disclosure of medical records;
Appropriation of an employee’s likeness for commercial purposes.
In addition, video surveillance must be limited to visual images and cannot include audio in order to comply with regional and national statutes. Employers need to be proactive and aware of these four privacy violations so that their employees’ individual rights are respected and protected.

How to achieve balance between monitoring and intruding upon employees

First, the employers need to clarify what privacy rights employees are guaranteed and what constitutes an invasion of privacy. Then, employees must be notified in writing that video surveillance will be conducted and they should also sign a waiver verifying that they know they may be monitored. Management must define what is acceptable supervision versus "snoopervision" and that includes not videotaping showers, toilets, changing rooms, smoking areas, and employee lounges. These are places specifically for employees’ personal comfort, health or for safeguarding their possessions. However, employers must also be sensitive about using video surveillance in other areas where employees might take breaks. Employers must be fully aware of the privacy risks associated with videotaping employees so that the likelihood of litigation is reduced. Companies should also nurture a workplace environment where employees can voice privacy or security concerns in confidence with management without feeling that their conversations are being monitored. In short, if employers choose to use video surveillance in the workplace, they must adhere to written privacy guidelines that will keep employees secure and that will also respect their privacy.

Workers Not Taking Summer Break

New research has shown that 23% of UK workers aren’t going to take a summer holiday this year, despite persistent claims that Britain is an overworked nation with a poor work-life balance. Those who are taking a break during the summer months are very likely to have booked their time off well in advance. A minority of 3% are intending to ask for time off, but might have left it too late for bosses to say yes. This situation may place businesses in a difficult situation. Staff failing to take their holiday entitlement are potentially placing their organisation at risk, as overworking themselves into the ground could lead to much more serious health problems and, ironically, enforced time off. A similar survey conducted last winter showed that a third of UK workers fail to take their full entitlement and of these, 7% will lose their holiday altogether, not being able to claim either payment or rollover days into the following year. It was estimated that over £14.5 billion worth of holidays were going unclaimed. In order to ensure that your employees take their annual holiday entitlement, you should set out an annual leave policy following the guidelines below:
Outline employees’ annual leave entitlement, which should be at least the statutory minimum of four weeks’ paid leave, as stipulated in the 2000 Working Time Directive;
Outline the dates your organisation’s holiday year runs to and from;
State that employees should take the leave they are entitled to, outlining the responsibility of managers in ensuring workload demands do not prevent leave from being taken;
Clearly state your company’s policy on whether it will allow employees to carry holiday over to the next year or pay for leave not taken;
Outline the process for requesting and approval of annual leave;
Detail any circumstances in which annual leave may be withdrawn.

Home CCTV Surveillance

When you monitor your home or office with CCTV surveillance, it’s like you have an entire television network devoted to the safety of your home. CCTV broadcasts your security surveillance on a private network, but unlike broadcast television, all components within your network are connected through cables and wires. Already popular in large public places where security is heightened, such as at airports or casinos, CCTV systems are becoming more and more widely used in private home settings as well. Many independent studies in the UK have suggested that CCTV surveillance acts as a powerful deterrent, stopping crimes before they happen. Studies also show strong evidence that CCTV can be an extremely effective tool in detection and prosecution. The same CCTV video surveillance technology used in our public venues is available for your home. We offer systems that can monitor every room in your home through dedicated CCTV cameras, which produce clear, high visibility images. One surveillance system can cover up to 16 rooms in your home. By monitoring your family’s security on a CCTV network, you are able to record suspicious activities as they occur. Monitor your garden, front door, garage, even your mailbox. We strongly believe that CCTV security is a powerful addition to your home security system. Your home is your castle, and you have the right to protect it. However, CCTV is subject to laws regarding a person’s right to privacy and you want to remain on the right side of the law. Therefore, when installing a CCTV system in your home, it is important that you are certain of the legality of your surveillance. CCTV is inexpensive and simple to use, and it will help increase security and put your mind at ease. For more information on CCTV systems for your home, office, or factory, contact us today.

Wary Of Unproven Biometrics

It seems that the unproven nature of biometrics is proving to be a stumbling block for private sector industry, and is the main reason for the slow uptake of biometric security. There have been no extensive trials conducted by companies not involved in the biometrics industry, and so no precedent has been set for the large-scale implementation of biometric technology. The most significant trials conducted with biometric technology have been infrequent and only publicised to select market sectors. This has meant that the UK business community as a whole have been unaware of any trials taking place, let alone being able to view the results. An example of this is the small frequent traveller trials conducted by airlines, but these trials have tended to involve educated, tech-savvy males, which is not a representative sample of the UK population. In addition to low-key device trials, logistical issues around the process of capturing biometrics have proved a stumbling block. Unresolved difficulties with, for example, people with dark eyes or worn fingerprints, are also slowing the progress of widespread implementation. Early adopters of the widespread implementation of biometric systems are expected to be banks and financial services companies, as they strive to protect their customers with the best security available on the market. Surprisingly, it seems that the private sector are leading the way in the utilisation of biometric devices. A growing trend has been experienced in the PC and laptop security sector as individuals strive to safeguard their data. With logon devices costing as little as £40, many people are deciding to bite the bullet and invest in the new technology. With so many different types of biometric device available on the market and no production standards set in stone, all biometric products run the risk of being tainted by the same "biometric technology" brush, something which can only be rectified through well-publicised trials of the technology.
