Computer says no.....
Why would anyone put a raw NAS box directly facing the internet?
Or even how would anyone put a raw NAS box directly facing the internet? It must take some effort to remove a firewall and give it a public IP address...
Lenovo is emitting an emergency firmware patch for Iomega NAS devices after the network-attached storage boxes were discovered inadvertently offering millions of files to the internet via an insecure software interface. Infosec outfits Vertical Structure, based in Northern Ireland, and WhiteHat Security, headquartered in …
There are numerous issues with routers provided by ISPs. If you purchase static IP addresses, the installer will typically configure the router to use them for DHCP. Customers may also turn on IPv6 pass-through rather than use the more complex, and often buggy, IPv6 firewall rules for each device. Fixing your own ISP-provided router is hard as hell unless you can hack together another internet connection for looking up secret instructions and bug workarounds.
Have you ever looked at a good majority of ISP-supplied router firewall rules? They are text-rule based.
You usually get 3 pre-configured system settings of:
- "Default", which are the ISP rules;
- "Disable", which is 'I'm food, eat me!', and;
- "Custom", which usually presents you with a completely blank rules page where *every port and exception rule must be written in rule-context text, created from scratch*.
You would be far more comfortable to simply poke your own eyes out with a hot soldering iron than to create an entire text-based port rulebook from scratch, incoming *and* outgoing. Which is what the cheap ISP, intentionally stripping down the UI to such bare-bones, prefers you do rather than fool around with their choices.
STOP OPENING PORTS TO THINGS THAT DON'T NEED PORTS OPEN!
Seriously, nothing to do with the firmware or whatever... what the hell is a NAS with those kinds of documents doing handling raw packets from the Internet?
I *BET* this is a UPnP thing too... where the box just says "Hey, open all these ports and point them at me" and people's stupid networks just obey blindly without any notification.
Firewalls are supposed to work BOTH WAYS people. Not letting in anyone who shouldn't be in, not letting anything talk out that shouldn't be out, and NOT blindly doing so automatically or operated by someone who just cuts holes in the damn thing unthinkingly "to make everything work".
An analogy I use... every port-forward is like drilling a hole in your marble worktop, or punching a hole through your house's outer wall. Sure, you have to do so occasionally. Of course it's necessary for some parts to work (e.g. taps). But you don't go drilling more and more and more holes just because it makes it easier for the electrician, and you don't make the holes any larger than necessary and, when you're done with that hole, you fill it back in.
I have fewer ports forwarded (never just open, but forwarded to another machine on an enclosed VLAN) than almost anyone else in the same industry as me, and yet I offer far more services on-site than anyone else in the same position.
Unless you are running, deliberately running, a server on a well-known port, you do not open (incoming) ports. And you disable UPnP on any gateway device immediately upon receipt (clients can request UPnP all day long from their UPnP services if they like, but it's the gateway that actually acts upon them).
And all "servers" should be treated as such - updates, security, authentication, least-privilege, auditing, logging, and where possible proxying between them and the outside world too. (I once got marked down in a security audit involving an external penetration test because they were unable to query my webservers directly as they all showed up as a Squid/Apache reverse proxy. "Obviously" that stopped them being able to look for version strings and query vulnerability to ridiculous URL constructions like "../../../.." etc. so they marked me down... despite the fact that that's *precisely* why that's in place.)
The UNIVERSAL means everyone can plug it in and ANYONE can play with it. Woe be to anyone who prevents hackers from accessing it.
More seriously, I was at Sun during the Java wars and attended a UPnP conference in Redmond. Strangely enough, one of their main architects happened to sit next to me during lunch. So I point blank asked him if UPnP had any security. And he answered honestly that they had none and they were probably never going to even though it was a bad idea. That time MSFT was gung-ho about functionality and security be damned. It has changed since then but the detritus is still floating around.