Do as we say, not as we do.
The effective motto of the Security Industry Association and their cyber board member Arecont Vision. Today, the two companies issued an interview where they talked cybersecurity [link no longer available].
Ironically, though, both companies fail to follow their own guide.
The *****
*** ****** ************** *****. ** ** ****** ***************, ********* reasonable *************** ****:
******* ** *****.
******* ******* *********.
SIA *******
***'* *** *******, ****://***.****************.***/ **** *** ******* ** *****.
**** **********, ***'* ***** **** **** not *** ***** ***** **** ***'* users ** **** ** ******* ***** passwords ******:
[******: *** *** *** ***** ***** login **** ** *** *****]
*******,*** ****** **** * *** *** *** **** ****** ******:
Arecont *******
******* ***** ** ******** ******.
***, ******* ******* ** *** ******* HTTPS ** ***. ***** ***** ****? Not ** ***. *** **** ** option. (*******: **** ****** ******* ******* *** ** Google)
***, *******'* ***** ****, **** ***, does *** ******* *****:
[******: ******* ****** *** *** **** HTTPS ****-****, ********* *** ***** ****.]
*****,******* **** ****** **** * *** *** *** **** ******.
****** *** ******** **** *********, ******* defaults ** ** ******** ** ***. Or ** ******* ********* *****:
******* ****** ******* ** *** **** with ************** *******
"Thought **********"
******, *** *** ******* **** ************ themselves ** ***** '******* *******'. *** would ***** '**********' *** ** ******** if **** ******** ***** ***** ********** themselves? Does *** *** ******** ******* ****** than ****?
*** *** **** ***, ** **** conscience, **** ******* ** *** ************* board **** ******* ***** ** ******** fundamental ****** ** ***** *** *****. Do ***** ****?
U1: I tell you what! All these shady Chinese crap companies.....
U2: They aren't Chinese bruh
U1: WHAT?
U2: They are American?
U1: (blank stare)
Maybe this is an opportunity for an independent organization to create a rating system on the security of all web-enabled cameras, NVRs, DVRs, access control, alarm systems, home automation......deep breath, commercial controls, wireless access points, switches and routers. Some sort of Penetration Test Rating that at the time of Manufacturing a random independent penetration test was conducted. Of course, with all the zero-day exploits coming out all the time, the rating could go up and down for model #'s.
The organizational model that comes to mind is the IP Code rating on outdoor rated technology. For example, granted that IP66 is good enough for most outdoor installations, but if your national security or 100's of lives are at stake then you may want to use IP69. At least you know you did the best you could given what's available to you.
This would create a lot more clarity in the market, especially for sales people that are up against the out of the box camera system that can be streamed to a smartphone (Very impressive I know). Just ask these people "Does it concern you that there are self-learning autonomous servers running 24/7 scanning for your public facing network weaknesses and exploiting them for no reason besides that's what they are programmed to do?" then they will ask for proof and well this is where a White Hat rating system would be a great reference to cite.
Update: SIA has fixed their login page issue, Arecont still has not.
Update: Arecont Vision has now gone HTTPS site-wide, including the login page.
IPVM making industry manufacturers' websites more secure, one HTTPS site at a time!
IPVM, the fly on the butt of the Old Dog known as the security industry.