
Some Exacq Ubuntu images may disable Unattended-Upgrades package features by default

Ubuntu’s unattended-upgrades commands and package features may not work as expected when using an Exacq Ubuntu image on exacqVision hardware. On Exacq Ubuntu images the unattended-upgrades package features are deliberately disabled by default because of the potential for losing video: an unattended upgrade cannot guarantee uptime of the exacqVision Server software host.

The unattended-upgrades package is intended to install security updates automatically, by default, so that machines that are not proactively maintained do not become a liability.

For more information regarding ExacqVision’s stance on updating or upgrading operating systems on ExacqVision NVRs please see:
https://support.exacq.com/#/knowledge-base/article/5144

Product 

  • ExacqVision Server Hardware
  • ExacqVision Server Software
    Ubuntu Operating Systems only.

Steps to Reproduce

Schedule unattended-upgrades package features as listed by Ubuntu documentation.
See: https://ubuntu.com/blog/3-ways-to-apply-security-patches-in-linux

Notes:
The unattended-upgrades package is over a decade old and is enabled by default on all currently supported versions of Ubuntu offered directly by Ubuntu. The exacqVision image is configured differently, with this feature disabled so as to prevent loss of video.

Expected Results 

Unattended-upgrades package features should work as expected when scheduled.

Actual Results 

Unattended-upgrades package features fail silently, without any dialog or error message.

Solution

1) Run the terminal commands below:

sudo apt-get -y install unattended-upgrades

sudo apt-get install apt-listchanges

sudo dpkg-reconfigure --priority=low unattended-upgrades

2) Create and/or edit the files /etc/apt/apt.conf.d/10periodic and /etc/apt/apt.conf.d/20auto-upgrades with the following content:

APT::Periodic::Enable "1";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "1";
APT::Periodic::Unattended-Upgrade "1";

3) Run the following terminal commands:

systemctl unmask apt-daily.service

systemctl unmask apt-daily-upgrade.service

systemctl enable apt-daily.service

systemctl enable apt-daily-upgrade.service

4) Run sudo systemctl edit apt-daily-upgrade.service

In the editor, comment out the "ExecStartPre=" line, then save and exit.

Repeat this action for the other service:

sudo systemctl edit apt-daily.service

5) Run the following terminal command:

sudo systemctl daemon-reload

6) Run all of the following terminal commands in order listed:

systemctl enable apt-daily.timer

systemctl enable apt-daily-upgrade.timer

systemctl start apt-daily.timer

systemctl start apt-daily-upgrade.timer

systemctl start apt-daily.service

systemctl start apt-daily-upgrade.service

7) Run systemctl list-timers to see whether the timers are active and when they next run.

8) Run tail -n 100 /var/log/unattended-upgrades/unattended-upgrades.log to see whether the upgrade ran when the service was started.
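Because steps 2 through 6 each leave a setting that can silently revert or be mistyped (a curly quote copied from a web page is enough for apt to ignore a directive), a practitioner usually wants a single check that the whole solution took effect. The following audit script is an added example, not Exacq's own tooling: it parses the two apt.conf.d files for the five APT::Periodic directives, flags typographic quotes, and, when systemctl is present, checks that the apt-daily services are unmasked, that no ExecStartPre= line remains active in the drop-in directory that systemctl edit writes to (an assumption about where the Exacq override lives), and that both timers are enabled and active.

```python
"""Verify that the APT::Periodic directives and apt-daily units from the steps above are in effect.

Added example, not Exacq's own tooling. Run with no arguments on the NVR; it prints one
PROBLEM line per deviation and exits non-zero if any were found."""
import re
import shutil
import subprocess
from pathlib import Path

# The five directives from step 2, each expected to be "1".
REQUIRED = {
    "Enable": "1",
    "Update-Package-Lists": "1",
    "Download-Upgradeable-Packages": "1",
    "AutocleanInterval": "1",
    "Unattended-Upgrade": "1",
}
PERIODIC_FILES = ("/etc/apt/apt.conf.d/10periodic", "/etc/apt/apt.conf.d/20auto-upgrades")
TYPOGRAPHIC_QUOTES = "\u201c\u201d\u2018\u2019"   # curly quotes picked up when copying from a web page
_DIRECTIVE = re.compile(r'^\s*APT::Periodic::([\w-]+)\s*"([^"]*)"\s*;')


def parse_periodic(text: str) -> dict:
    """Return {key: value} for every APT::Periodic directive in apt.conf text.

    // and # line comments are ignored and a later directive overrides an earlier one,
    matching how apt reads the file."""
    values = {}
    for line in text.splitlines():
        line = line.split("//", 1)[0].split("#", 1)[0]
        match = _DIRECTIVE.match(line)
        if match:
            values[match.group(1)] = match.group(2)
    return values


def periodic_problems(text: str) -> list:
    """Describe each way `text` falls short of the step 2 configuration; [] means it matches."""
    problems = []
    if any(ch in text for ch in TYPOGRAPHIC_QUOTES):
        problems.append("contains typographic quotes; apt only accepts plain ASCII double quotes")
    found = parse_periodic(text)
    for key, expected in REQUIRED.items():
        if key not in found:
            problems.append(f'APT::Periodic::{key} is not set (expected "{expected}")')
        elif found[key] != expected:
            problems.append(f'APT::Periodic::{key} is "{found[key]}" (expected "{expected}")')
    return problems


def render_periodic() -> str:
    """The file content from step 2, with plain ASCII quotes."""
    return "".join(f'APT::Periodic::{key} "{value}";\n' for key, value in REQUIRED.items())


def unit_problems(run=subprocess.run) -> list:
    """Check the apt-daily services (steps 3 and 4) and timers (step 6) via systemctl.

    Returns [] when systemctl is unavailable, e.g. when run off-box. The drop-in path is
    the one `systemctl edit` writes to (assumed to be where the Exacq override lives); an
    ExecStartPre= with a value there means the line from step 4 is still active."""
    if shutil.which("systemctl") is None:
        return []
    problems = []
    for unit in ("apt-daily.service", "apt-daily-upgrade.service"):
        state = run(["systemctl", "is-enabled", unit], capture_output=True, text=True).stdout.strip()
        if state == "masked":
            problems.append(f"{unit} is masked (step 3)")
        for dropin in Path(f"/etc/systemd/system/{unit}.d").glob("*.conf"):
            if re.search(r"^\s*ExecStartPre=\s*\S", dropin.read_text(), re.MULTILINE):
                problems.append(f"{dropin} still has an active ExecStartPre= line (step 4)")
    for timer in ("apt-daily.timer", "apt-daily-upgrade.timer"):
        for verb in ("is-enabled", "is-active"):
            result = run(["systemctl", verb, timer], capture_output=True, text=True)
            if result.returncode != 0:
                problems.append(f"{timer} {verb}: {result.stdout.strip() or 'failed'} (step 6)")
    return problems


def audit(files=PERIODIC_FILES) -> list:
    """Collect every problem found in the apt.conf.d files and the systemd units."""
    problems = []
    for path in files:
        p = Path(path)
        if not p.is_file():
            problems.append(f"{path} is missing (step 2)")
            continue
        problems.extend(f"{path}: {msg}" for msg in periodic_problems(p.read_text()))
    problems.extend(unit_problems())
    return problems


if __name__ == "__main__":
    found = audit()
    for msg in found:
        print("PROBLEM:", msg)
    print("OK: unattended-upgrades configuration matches the solution" if not found
          else f"{len(found)} problem(s) found")
    raise SystemExit(1 if found else 0)
```

Run it as root after step 8 and again after the next reboot; a non-zero exit means at least one of the steps did not stick. The file parser is deliberately lenient about whitespace and comments but strict about the quote characters, because that is the failure the copy-and-paste path produces.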



Support procedure for reporting newly discovered cyber security vulnerabilities in Exacq Software 

This document outlines the procedure Exacq Support staff are expected to follow when a previously unreported security vulnerability in an exacqVision product is discovered.

Product 

Any exacqVision product

Procedure:

  1. Verify the vulnerability has not already been properly reported at: https://www.johnsoncontrols.com/cyber-solutions/security-advisories
  2. Email the GPS (Global Product Security) team at: productsecurity@jci.com
    • Provide vulnerability analysis in this email and any relevant links
    • Provide customer details and contact information in this email
    • Provide software product and software versions in this email
    • CC the customer on the email
  3. Inform the customer you have notified the appropriate team (GPS) and will be closing the Support ticket.

Our Global Product Security team will then be responsible for following up with the customer and resolving the vulnerability.



Enhanced vs Standard Security on Illustra cameras

After logging into your Illustra camera for the first time, accepting the End User License Agreement, and creating a Host ID, you will be asked to select a security mode.

[Image: SecurityMode.png]

Enhanced is selected by default. As the message indicates, Enhanced automatically selects several advanced security options, such as additional authentication requirements (for example, forcing the creation of a non-default username) and requiring HTTPS. Regardless of the selection chosen on initial setup, individual settings can always be changed later by navigating to Security Status, under the Security menu.

Selecting ‘Enhanced’ Security performs the following:

  • Requires authentication to the RTSP video stream
  • Changes Authentication from Basic to Digest
  • Disables HTTP, requiring HTTPS connections for the camera GUI and Video
  • Disables UPnP, which hides the device from device discovery.

[Image: Security settings, as automatically selected by Enhanced Mode. Individual settings may still be changed manually.]

Changing any of the security settings only requires you to click the Edit link beside the listed option. Some settings offer the ability to change port numbers and some offer additional setting fields to configure. 

Notice that Onvif Discovery may be individually disabled on this page as well. Clicking the Edit link for Onvif Discovery redirects to the Remote Access options page. This permits you to disable Onvif Discovery, or require Onvif User Authentication. 

The Users configuration page permits additional user accounts to be created, in which a user role is assigned. Enabling Onvif User Authentication directs the camera to only accept commands from authenticated users. 



ExacqVision stance on Operating System updates

The official stance of ExacqVision regarding security updates and auto-updates is that they are off by default, because there is a risk of the NVR being rebooted during the update process, which stops video recording. Please plan accordingly.

ExacqVision cannot control the integrity of security patches or operating system updates; therefore these are off by default, and it is left to the installation technician, IT staff or system owner to apply any updates or security patches to their ExacqVision Video Recorders.

Updating Windows Operating System: https://support.exacq.com/#/knowledge-base/article/5159

Updating Linux Operating System: https://support.exacq.com/#/knowledge-base/article/5151


Why do we enforce password complexity?

Why do we enforce this complexity?

As the threat from cyber-attacks continues to rise, cyber-protection measures have become critical to combat these threats. Like many other technology leaders, Exacq has implemented the use of complex passwords as one measure to combat potential cyber-attacks.

Password cracking programs are one of the tools hackers use to gain unauthorized access to systems, and some of these programs can test over 100,000 passwords per second. To decrease the chances of a password being discovered by one of these programs, the usage of complex passwords is highly recommended, as passwords that contain common words or letter combinations are much more susceptible to being cracked. 


What is the rule for password complexity?

Complex passwords typically follow the same basic requirements, such as a minimum number of characters and the usage of a special character, a capital letter, and a number. Exacq products require a password of at least 8 characters, including a special character, a capital letter, and a number. It’s highly recommended to use a group of random letters together as opposed to a word or phrase, as this greatly decreases the chance it will be discovered by a password-cracking algorithm.


How will I know what password is acceptable?

When entering a new password, a tool tip will appear that updates as you type to let you know which required character types are still missing. Your password will also be checked against a list of commonly used passwords to prevent their use and make it less likely for an attacker or unauthorized user to guess your credentials. If any of the fields are highlighted in red, the password has been deemed unacceptable. Complexity rules do not apply if you choose to use a passphrase of 20 characters or longer.
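The rules above (at least 8 characters with a capital letter, a number and a special character; a common-password list; complexity waived at 20 characters or longer) are small enough to write down as an acceptance check, which also makes the tooltip behaviour concrete. The following is an added example, not exacqVision's own code; the product's common-password list is not on the page, so a short constructed list stands in for it, and the case-insensitive comparison against that list is an assumption. The keyspace helper ties the quoted 100,000 guesses per second back to the recommendation for random characters over words.

```python
"""Password acceptance check mirroring the rules described above.

Added example, not exacqVision's own code. The product's common-password list is not on
the page, so a small constructed list stands in for it."""
import re

MIN_LENGTH = 8                 # at least 8 characters
PASSPHRASE_LENGTH = 20         # complexity rules are waived at 20 characters or longer
GUESSES_PER_SECOND = 100_000   # cracking rate quoted above

# Constructed stand-in for the product's list of commonly used passwords.
COMMON_PASSWORDS = frozenset({
    "password", "password1", "Password1!", "qwerty123", "letmein", "admin123", "welcome1",
})

# Each complexity rule as the tooltip would name it, with the character class that satisfies it.
REQUIREMENTS = (
    ("a capital letter", re.compile(r"[A-Z]")),
    ("a number", re.compile(r"[0-9]")),
    ("a special character", re.compile(r"[^A-Za-z0-9]")),
)


def missing_requirements(password: str, common=COMMON_PASSWORDS) -> list:
    """Return the rules `password` fails, in tooltip order; an empty list means acceptable.

    The common-password comparison is case-insensitive here (an assumption; the page does not
    say how the product compares) and applies to passphrases as well, since the page exempts
    passphrases only from the complexity rules."""
    problems = []
    if password.lower() in {entry.lower() for entry in common}:
        problems.append("appears on the common-password list")
    if len(password) >= PASSPHRASE_LENGTH:
        return problems                      # passphrase: complexity rules do not apply
    if len(password) < MIN_LENGTH:
        problems.append(f"at least {MIN_LENGTH} characters")
    for name, pattern in REQUIREMENTS:
        if not pattern.search(password):
            problems.append(name)
    return problems


def is_acceptable(password: str, common=COMMON_PASSWORDS) -> bool:
    """True when the password would not be highlighted in red."""
    return not missing_requirements(password, common)


def exhaustive_search_seconds(alphabet_size: int, length: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every string of `length` symbols from an alphabet of `alphabet_size`.

    This bound only holds for random passwords; a dictionary word or common password is tried
    in the first few guesses regardless of length, which is why the list check exists."""
    return alphabet_size ** length / rate


if __name__ == "__main__":
    for candidate in ("password", "Ab1!", "Tr0ub4dor&3", "correct horse battery staple"):
        gaps = missing_requirements(candidate)
        print(f"{candidate!r:32} -> {'acceptable' if not gaps else 'missing: ' + ', '.join(gaps)}")
    # 8 random lowercase letters versus 8 random printable-ASCII symbols at the quoted rate
    print(f"26^8 guesses at 1e5/s: {exhaustive_search_seconds(26, 8) / 86400:.1f} days")
    print(f"94^8 guesses at 1e5/s: {exhaustive_search_seconds(94, 8) / 86400 / 365:.0f} years")
```

The ordering of `problems` is what a tooltip would show: the common-list hit first, then length, then the three character classes, so a user sees the cheapest fix first.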


Does it affect current accounts with passwords that don’t comply?

No – Users with legacy passwords can still access the system. Complex password enforcement only applies when creating new user accounts or changing an existing user’s password.



Security Whitepaper

Login Delay

exacqVision Server implements a login delay in order to address the risk of various flavors of brute force attack. Information on the nature of these attacks is readily available elsewhere and is not repeated here.


The login delay mechanism introduces a progressive delay before completing authentication. The objective is to increase the time required to carry out an intrusion attempt. The delay increases 1 second with each subsequent authentication failure, to a maximum of 26 seconds. Do note the following version-specific behaviors:

  • Beginning with server version 6.6.0, when login delay was first introduced, a subsequent successful login with good credentials would immediately reset the delay mechanism and emit a successful login response.
  • Server 8.6.0 then began to apply the same delay to the first subsequent successful login as well, in keeping with security best practices (see https://cwe.mitre.org/data/definitions/307.html ). However, a few ensuing problems were then observed:
    1. If the delay value had grown large, a Client with good credentials had to wait out the entire delay, which gave the impression of defective behavior, as if the server or connection had stalled or otherwise become unresponsive.
    2. The web service has always abandoned a connection after 10 seconds. Therefore, once the delay value had reached 10 seconds, no web service could connect to that server, even with correct credentials, unless a client were used to “unlock” the account in question.
    3. In a network arrangement where all remote clients come in via a gateway and hence appear with an identical IP address, one “bad” client could effectively cause a denial of service for all other remote clients.


Server 8.6.x then reduced the delay on a good login to a brief duration, so that the web service would not appear to be “locked out” and would not have to be “unlocked” via another client or web service.


In a nominal scenario, users consistently log in to the server with the correct username and password, and therefore never encounter the login delay. This is likely because ESM, Client, and the web service all persist server lists (per-user for Client, per-system for ESM and web service). Complications arise once a user’s password has been changed, which may never occur on legacy systems with no password change enforcement. At the same time, every new server list entry presents an opportunity for bad credential usage, and therefore at least some encounter with the login delay mechanism.
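The three behaviours above interact with the web service's 10-second timeout in a way that is easiest to see by running the numbers. The following model is an added example, not exacqVision's own code: it takes the figures from the page (1 second per failure, 26-second cap, 10-second web-service timeout) and makes two assumptions, that the 8.6.x "brief" good-login delay is 1 second and that failure counters are kept per source IP, which is what point 3 implies. It reproduces point 2 (the web service locked out once the counter reaches 10 under 8.6.0) and point 3 (a single misbehaving client behind a shared gateway locking out everyone else), and shows why 8.6.x's change resolves both.

```python
"""Model of the progressive login delay described above, across the three server behaviours.

Added example, not exacqVision's own code. Numbers from the page: +1 s per failure, 26 s cap,
10 s web-service connection timeout. Assumptions: the 8.6.x "brief" good-login delay is taken
as 1 s, and failure counters are kept per source IP, which is what point 3 above implies."""
from dataclasses import dataclass, field
from typing import Dict, Optional

STEP_SECONDS = 1
MAX_DELAY_SECONDS = 26
WEB_SERVICE_TIMEOUT_SECONDS = 10
BRIEF_GOOD_LOGIN_DELAY_SECONDS = 1   # assumed value for the 8.6.x "brief duration"

POLICIES = ("6.6.0", "8.6.0", "8.6.x")


def delay_for_attempt(policy: str, prior_failures: int, credentials_ok: bool) -> int:
    """Seconds the server waits before answering, given the failures already counted."""
    progressive = min(prior_failures * STEP_SECONDS, MAX_DELAY_SECONDS)
    if not credentials_ok:
        return progressive                      # every version delays bad credentials
    if policy == "6.6.0":
        return 0                                # good login answered immediately
    if policy == "8.6.0":
        return progressive                      # good login waits out the full delay (CWE-307)
    if policy == "8.6.x":
        return BRIEF_GOOD_LOGIN_DELAY_SECONDS if prior_failures else 0
    raise ValueError(f"unknown policy {policy!r}")


@dataclass
class LoginDelayServer:
    policy: str
    failures_by_source: Dict[str, int] = field(default_factory=dict)

    def login(self, source_ip: str, credentials_ok: bool,
              client_timeout: Optional[int] = None) -> dict:
        """Process one attempt. A client that times out before the delay elapses never gets
        the response, and the counter is only reset by a good login that was delivered
        (point 2 above: the web service stays locked out until another client unlocks it)."""
        prior = self.failures_by_source.get(source_ip, 0)
        delay = delay_for_attempt(self.policy, prior, credentials_ok)
        answered = client_timeout is None or delay < client_timeout
        if not credentials_ok:
            self.failures_by_source[source_ip] = prior + 1
        elif answered:
            self.failures_by_source[source_ip] = 0
        return {"delay": delay, "answered": answered, "authenticated": credentials_ok and answered}


def web_service_locked_out(policy: str, prior_failures: int) -> bool:
    """True when a web service with correct credentials can no longer get a response."""
    return delay_for_attempt(policy, prior_failures, True) >= WEB_SERVICE_TIMEOUT_SECONDS


def shared_gateway_scenario(policy: str, bad_attempts: int) -> dict:
    """Points 2 and 3: a misbehaving client and the web service arrive from the same gateway IP.
    The address is constructed (RFC 5737 documentation range)."""
    server = LoginDelayServer(policy)
    gateway_ip = "203.0.113.10"
    for _ in range(bad_attempts):
        server.login(gateway_ip, credentials_ok=False)       # the "bad" client behind the gateway
    return server.login(gateway_ip, credentials_ok=True,     # the web service, correct credentials
                        client_timeout=WEB_SERVICE_TIMEOUT_SECONDS)


if __name__ == "__main__":
    print("failures   6.6.0    8.6.0    8.6.x   (delay on next good login; X = web service times out)")
    for failures in (0, 1, 5, 9, 10, 26, 40):
        cells = [f"{delay_for_attempt(p, failures, True):>3}s{' X' if web_service_locked_out(p, failures) else '  '}"
                 for p in POLICIES]
        print(f"{failures:>8}   " + "   ".join(cells))
```

The table printed by the script shows the knife edge at 10 prior failures under 8.6.0, where the good-login delay first reaches the web service's timeout; under 8.6.x the good-login column never exceeds the assumed 1 second, so the lock-out and the shared-gateway denial of service both disappear while bad credentials still pay the full progressive cost.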



Installing Windows Security Essentials on Win7 based evServers

  1. Stop the exacqVision Server service (Control Panel -> Administrative Tools -> Services -> exacqVision Server : Stop)
  2. Download Windows Security Essentials Package (mseinstall.exe, x64) from Microsoft website, and execute the installer on the target machine.
  3. Select all default options, except for the ones listed below.
    1. Do not join the program (Optional)
    2. Unselect both options below:
    3. Do not immediately scan
    4. The system will update automatically (if connected to the internet) and come to the following page:
    5. If Internet was not accessible, connect to the internet, and update definitions. Make sure the system shows the latest definitions are installed.
    6. On the settings page, schedule a daily scan to a time of your convenience.
    7. Click on ‘Exclude Files and Locations’, and hit Browse.
    8. Select all the Data Drives (on which Video is stored) and choose the exacq install location (C:\Program Files\exacqVision), and hit OK.
    9. All Data drives and the exacq install directory should be shown, separated with a semi-colon.
    10. Hit ‘Add’, and all the data drives and the exacq install directory should be on the excluded list.
    11. Come back to Home page and run a full scan.

Using Antivirus Software with exacqVision

Antivirus Configuration

As with all third-party software not listed in the Product Integration section, the user assumes the risk of software incompatibility with the exacqVision software suite.

To permit antivirus software to work with exacqVision software, the following file extensions need to be exempted from scans:

  • .PS
  • .PSI

NOTE: As an alternative, you could also exclude the data drive you are using to store video.

It may also be necessary to exempt certain files if they are targeted by scans. See KB 20594.

If your antivirus protection suite has a firewall, the following must also be exempted:

  • exacqVision Client
  • exacqVision Server
  • exacqVision Web Service

Additional Notes

  • Most systems require a restart after changing the configuration. Within some antivirus suites, settings might revert after the restart (this activity has been specifically observed with the Avast antivirus suite in the past). It is recommended that you double-check your settings after the restart to verify that your exclusions and exceptions have been saved.
  • On an exacqVision Client workstation machine, the only exception needed is for the exacqVision Client software.
  • Some suites, such as Kaspersky Endpoint 10, also install components on the NIC driver to monitor network traffic. It is recommended that these be disabled if you see a performance decrease or inability to connect to cameras after this component has been enabled.
  • Best practice is not to use multiple antivirus applications on the same system as these can often conflict with each other.

Timestamp issues

If you are using antivirus software and you see an incorrect timestamp in live video windows or you cannot successfully search for video in a specified time and date range, the antivirus software might be preventing the exacqVision Server from correctly identifying its own IP address. This has been known to occur when using Trend Micro OfficeScan and other antivirus software.

To resolve this issue, you must enter the IP address of the exacqVision server in the IP Camera Time Server field on the System page’s Date/Time tab.
