james.wilson Posted October 25, 2015 Posted October 25, 2015 What do we do regarding this. Do we just port forward or is the client informed about the risks? http://www.engadget.com/2015/10/25/cctv-camera-botnet/ Quote securitywarehouse Security Supplies from Security Warehouse Trade Members please contact us for your TSI vetted trade discount.
sixwheeledbeast Posted October 25, 2015 Posted October 25, 2015 Risks are unsecure devices rather than the act of port forwarding. The equipment would need to adapted by having random default passwords for example. I recall a blog on this very topic by Joe a while back. Quote
james.wilson Posted October 25, 2015 Author Posted October 25, 2015 I know its mainly weak passwords etc but some devices have vulnerbilities even with strong passwords. Quote securitywarehouse Security Supplies from Security Warehouse Trade Members please contact us for your TSI vetted trade discount.
GalaxyGuy Posted October 25, 2015 Posted October 25, 2015 Port forward should be the last resort with customers warned about the vulnerability. Just because something is password protected, doesn't mean there's some other vulnerability available through the forwarded port. Installers are adding IP enabled devices in customers premises without having any idea of how secure the device and its internal protocols are. VPN should be the preferred connection method, with the firmware in the VPN device being regularly updated to ensure that any vulnerabilities have been addressed. Quote
sixwheeledbeast Posted October 25, 2015 Posted October 25, 2015 Port forward should be the last resort with customers warned about the vulnerability. Just because something is password protected, doesn't mean there's some other vulnerability available through the forwarded port. Installers are adding IP enabled devices in customers premises without having any idea of how secure the device and its internal protocols are. VPN should be the preferred connection method, with the firmware in the VPN device being regularly updated to ensure that any vulnerabilities have been addressed. VPN's also have vulnerabilities as you say. Ports are there for hosting applications. In the future v6 will probably replace the need for NAT anyway. I do agree devices aren't open enough to know about any vulnerabilities. When they sell there kit there not interested in patching like the rest of the IT world, they move on. I think more needs to be done from the manufacturers end. Here's that blog Quote
datadiffusion Posted October 25, 2015 Posted October 25, 2015 Yes, look at the recent-ish DiskStation episode - this was an exploit enabled simply by PF and nothing to do with weak passwords, and this wasn't exactly a poorly conceived back-street Chinese device. Quote So, I've decided to take my work back underground.... to stop it falling into the wrong hands
secureiam Posted October 25, 2015 Posted October 25, 2015 (edited) There are tools that allow even strong passwords to be broken, because the default usernames are used so the number of combinations has become significantly less. I have a vpn capable router but don't know enough on how to set one up properly and in the middle of doing some long tern tests I don't want to f'up by trying but it certainly something to think about. Although I have read there are different VPN's and not all of them are100% secure either, so what vpn model do I setup and how?, and how do I utilise that for access to an app for a panel or camera? Edited October 25, 2015 by secureiam Quote
james.wilson Posted October 25, 2015 Author Posted October 25, 2015 Not easily, needs vpn clients on the devices etc. Talk talk didn't do it right, imagine if it was a dvr installed by 'insert name' at an employees home.... A security providers kit being the weakness used would be an issue to the provider. I've said before tsi gets hundreds of attempts a day, but its patched, dynamic IP provides some protection but then ddns is used undoing some of that protection. I wonder how long till its in the news that a security system, not patched for over 5 yrs etc, is used as the attack point? Quote securitywarehouse Security Supplies from Security Warehouse Trade Members please contact us for your TSI vetted trade discount.
GalaxyGuy Posted October 25, 2015 Posted October 25, 2015 (edited) Depends on your router or VPN gateway secureiam. Something based around open source will likely be updated quickly when any issues are discovered. If you're using one entry point, then it's easier to focus efforts to keep it up to date. Much easier to do that than to rely on very small teams of security equipment designers to find vulnerabilities and release fixes. My personal experience of reporting such a vulnerability to one vendor of a 'third party approved' device, was that they just didn't want to know. When your phone connects via VPN a secure tunnel is created into the private network and all apps/IP based programs behave as they would in the private network. All traffic between your external location and your VPN device is secure, so it doesn't matter anymore that your app traffic is plain text. The 'vulnerable' devices remain in the private network. Edited October 25, 2015 by GalaxyGuy Quote
MrHappy Posted October 25, 2015 Posted October 25, 2015 Unless its a corporate network the CCTV is likely to be no greater risk than any of the other items already on the network. Most of the CCTV I have enabled for remote access has low end routers, often using default passwords & dynamic IP's. I'd normally change router password, port forward & use my DNS provider On the DVR/ NVR I'd normally change default ports & default passwords. I've found lots of open or default stuff on the net to play with, many of these items have been up for yrs in default set up! I made a mistake & left a phone system not fully secured, within 24hrs it had been found & there where thousands of attempts to make sip connections to it, only non std extensions & passwords saved the day. Quote Mr Veritas God
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.