Category Archives: Uncategorized

When Can Private Security Stop and Detain in Illinois?

In an action for declaratory judgment and false imprisonment arising from an incident in which plaintiff was stopped for speeding by a security officer employed by defendant property owners’ association. Poris v. Lake Holiday Property Owners Association brings several questions before the Court about the powers of private security forces.

Plaintiff owns property in the Lake Holiday Development, and is a member of the defendant Association. The Association Board of Directors has adopted rules and regulations for the governance of Association property, including speed limits. The Board hired private security officers to enforce the limits, bought vehicles and equipped the vehicles with oscillating and flashing lights, radar units and audio and video recording equipment. Officers were empowered to issue citations to homeowners for violations.

Plaintiff was stopped by a security officer for speeding on Association property. The encounter played out pretty much like any traffic stop with a policeman would: officer takes driver’s license, driver waits, officer writes citation.

Plaintiff sued the Association, every member of its Board, the chief of security and the officer. Count I sought a declaratory judgment that the practices of the Association’s security department were illegal. Counts II and III alleged breach of fiduciary duty and willful and wanton conduct. Count IV alleged false imprisonment. Counts V through XII alleged breach of fiduciary duty and willful and wanton conduct by each board member, and the Chief of Security. Count XIII alleged nuisance and Count XIV sought an accounting. The Circuit Court wasn’t impressed, tossing the whole thing on summary judgment.

But the Appellate Court held that the driver had stated certain claims after all. The Illinois Code of Criminal Procedure, 725 ILCS 5/107-3, gives private citizens — and a private security officer is nothing more than a private citizen in this state — the authority to make an arrest when he or she has “reasonable grounds to believe than an offense other than an ordinance violation is being committed.” But hold on, the Court said — the officer wasn’t stopping the plaintiff for committing an “offense” — plaintiff got stopped for violating the Association’s speeding-on-Association-property rule. So, the Association’s stop-and-detain rule may be a problem.

Ever wonder who gets to flash red lights on the highways? Under Illinois law, the answer is “[v]ehicles used by a security company, alarm responder, or control agency.” 625 ILCS 5/12-215(b)(13). Well, the parties agreed that the Association wasn’t an “alarm responder” or “control agency” — but the Association claimed it was a “security company.” Not so fast, the Appellate Court said, quoting from the Association’s articles of incorporation. So back goes that claim too.

The Court then reviewed several less controversial claims — the Association could use its recording equipment since officers turned it off whenever anyone objected, and it could continue to use the radar gun — the Court turned to the plaintiff’s false imprisonment claim. The result of this one was pretty much a foregone conclusion after the holding on stop-and-detain — the Association clearly had a problem. And so, it did: reverse with instructions to enter judgment against the Association with respect to liability.

So what comes next? It’s difficult to predict. There is no obvious conflict in authority in the Appellate Court opinion, so the Supreme Court likely concluded that this was a sufficiently common problem across the state to justify its intervention. Also, note how interconnected the claims are. Speeding is both an Association rule and a commonplace offense; if the Court blurs the distinction, the first declaration and the reversal on false imprisonment fall. Although the Association isn’t a security company, perhaps the security force is — if that’s so, then the declaration regarding those flashing red lights might be overturned too.

 

 

 

Tribune: Illinois has lack of oversight on security guards

CHICAGO — A newspaper investigation has found that private security guards in Illinois often aren’t as closely monitored as police officers, who in recent years have faced scrutiny over excessive force.

The Chicago Tribune analyzed state and police records, court documents and media reports to find that security guards deliberately fired a gun in a work-related situation 40 times from April 2011 to June 2018. Eleven people died in these shootings.

Illinois law requires security companies to report such shootings to the Illinois Department of Financial & Professional Regulation, which licenses guards. The agency also has the ability to investigate cases and evaluate if guards are fit for duty. Some small forces, such as in-house security of fewer than five guards, are exempt from reporting shootings.

The newspaper found 11 shootings since 2011 that weren’t reported as required. Records show that none of the companies were disciplined for failing to report.

  1. Paul McCauley, a professor emeritus of criminology at Indiana University of Pennsylvania, said the unreported shootings signal a lack of accountability in the industry.

“I think that’s unacceptable,” he said. “I’m assuming the legislative intent was not to allow security people to be so-called cowboys.”

The newspaper also found no record in the past seven years of the state disciplining a guard for playing a role in a shooting.

Illinois requires guards to undergo a background check, but doesn’t require a mental health examination. There is no law barring convicted felons or registered sex offenders from becoming a guard.

Armed guards undergo 40 hours of training, half of which is focused on firearms. In comparison, Chicago police spend nine months training in the academy and on the street.

More than 97,000 people are licensed to be armed guards in the state as of June.

The profession is dangerous, with records indicating that at least a dozen guards in recent years have been shot, the newspaper found. Those shootings resulted in six guards dying, including a security guard killed in a Robbins bar last month by police responding to a call.

 

City Paying Up To $1.2M To Private Security Firms To Deter Looting

CHICAGO (WBBM NEWSRADIO) — After peaceful protests of the Minneapolis police killing of George Floyd were marred by widespread vandalism and looting, city officials announced they would pay up to $1.2 million to three private security firms to avoid a repeat of last weekend’s mayhem.

Over 100 private security guards from Monterrey Security, AGB Investigative Services and Illinois Security Professionals will be dispatched to retail corridors across the city — with a particular focus on the South and West sides, city officials said.

The private guards will not be armed and will not have police powers, but are meant to be “another set of eyes and ears to support efforts to deter looters,” Mayor Lori Lightfoot’s office said in a statement Saturday.

The security force has been instructed to notify Chicago police of illegal activity they see.

“Chicago’s small businesses and neighborhood commercial corridors are the heart of our communities, which is why we are working with three companies to supply more than 100 private security guards to protect the local retail shops, grocery stores and pharmacies that community members rely on every single day,” the mayor’s office said.

While the city has allocated up to $1.2 million for the security services, the actual cost won’t be known until the end of the weekend, the mayor’s office said.

Additionally, Chicago police patrols will be “strategically positioned” in popular shopping areas throughout the city, especially on the South and West sides, the mayor’s office said.

Though recent protests across the Chicago area have been largely peaceful, the added manpower signals the city’s fears that future protests may come to mirror the events that accompanied and followed a May 30 protest in the Loop, which devolved into violence, theft and vandalism that left swaths of the city ransacked, including the city’s downtown and South and West sides.

Hacker leaks passwords for more than 500,000 servers, routers, and IoT devices

A hacker has published this week a massive list of Telnet credentials for more than 515,000 servers, home routers, and IoT (Internet of Things) “smart” devices.

The list, which was published on a popular hacking forum, includes each device’s IP address, along with a username and password for the Telnet service, a remote access protocol that can be used to control devices over the internet.

According to experts to who ZDNet spoke this week, and a statement from the leaker himself, the list was compiled by scanning the entire internet for devices that were exposing their Telnet port. The hacker then tried using (1) factory-set default usernames and passwords, or (2) custom, but easy-to-guess password combinations.

These types of lists — called “bot lists” — are a common component of an IoT botnet operation. Hackers scan the internet to build bot lists and then use them to connect to the devices and install malware.

These lists are usually kept private, although some have leaked online in the past, such as a list of 33,000 home router Telnet credentials that leaked in August 2017. To our knowledge, this marks the biggest leak of Telnet passwords known to date.

Data leaked by a DDoS service operator

As ZDNet understands, the list was published online by the maintainer of a DDoS-for-hire (DDoS booter) service.

When asked why he published such a massive list of “bots,” the leaker said he upgraded his DDoS service from working on top of IoT botnets to a new model that relies on renting high-output servers from cloud service providers.

All the lists the hacker leaked are dated October-November 2019. Some of these devices might now run on a different IP address or use different login credentials.

ZDNet did not use any of the username and password combos to access any of the devices, as this would be illegal — hence we are unable to tell home many of these credentials are still valid.

Using IoT search engines like BinaryEdge and Shodan, ZDNet identified devices all over the world. Some devices were located on the networks of known internet service providers (indicating they were either home router or IoT devices), but other devices were located on the networks of major cloud service providers.

Danger Remains

An IoT security expert (who wanted to remain anonymous) told ZDNet that even if some entries on the list are not valid anymore because devices might have changed their IP address or passwords, the lists remain incredibly useful for a skilled attacker.

Misconfigured devices are not evenly spread out across the internet, but they’re usually clustered on the network of one single ISP due to the ISP’s staff misconfiguring the devices when deploying them to their respective customer bases.

An attacker could use the IP addresses included in the lists, determine the service provider, and then re-scan the ISP’s network to update the list with the latest IP addresses.

Security cameras can tell burglars when you’re not home, study shows

Some popular home security cameras could allow would-be burglars to work out when you’ve left the building, according to a study published Monday. Researchers found they could tell if someone was in, and even what they were doing in the home, just by looking at data uploaded by the camera and without monitoring the video footage itself.

The international study was carried out by researchers from Queen Mary University of London (QMUL) and the Chinese Academy of Science, using data provided by a large Chinese manufacturer of Internet Protocol (IP) security cameras.

Cameras like these allow users to monitor their homes remotely via a video feed on the internet, but the researchers say the traffic generated by the devices can reveal privacy-compromising information.

Popular security cameras such as those manufactured by Nest (pictured here) present the same privacy risk.

Study author Gareth Tyson from QMUL told CNN that data uploads of the unencrypted data increase when a camera is recording something moving, so an attacker could tell if the camera was uploading footage of someone in motion, and even different types of motion like running or sitting.

The risk is that “someone who is specifically targeting an individual household rocks up outside with a device to try and start passively monitoring traffic,” he said.

Tyson told CNN that an attacker would require a decent level of technical knowledge to monitor the data themselves, but there is a chance that someone could develop a program that does so and sell it online.

Noting that he hasn’t seen any direct evidence of this kind of attack taking place, he said one potential use would be if someone wanted to burgle your house.

“They monitor the camera traffic over an extended period of time, and by looking at the patterns that are generated by those cameras over maybe a week, they then start predicting the following week when you’re most likely to be in the house,” he said.

In order to reduce the privacy risk, companies could randomly inject data into their systems to make it harder for attackers to spot a pattern, he said.

A hacker accessed a family Ring security camera and told their 8-year-old daughter he was Santa Claus

A hacker accessed a family’s Ring security camera and told their 8-year-old daughter he was Santa Claus. Tyson said the team are trying to extend their research to work out how to maintain camera performance while reducing privacy risks.

At present, cameras are “fairly stupid items” in order to keep manufacturing costs down, said Tyson, uploading data whenever motion is detected.

“What we want to do is have a more intelligent system that allows the camera to understand what that motion is, assess the level of risk, and only upload it and alert the user in a case where the camera feels that it’s worthy doing,” he said.

For example, someone who owns a cat probably doesn’t want to be alerted every time the camera detects the animal walking around, but they would certainly want to know if a human intruder were spotted.

Tyson said this is the first study to investigate the risks posed by video streaming traffic generated by the cameras.

The global market for the devices is expected to be worth $1.3 billion by 2023, according to the press release. Popular brands include Xiaomi and Nest, which is owned by Google.

While the study authors did not analyze data from those brands, they did find that their cameras present the same privacy risk. CNN has reached out to Nest and Xiaomi for comment on the research.

The study was published at the IEEE International Conference on Computer Communications, which brings together researchers in networking and related field.