"I have 50tb of data there, none of it essential"
Makes one think what on earth he was hoarding there...
Also, I sincerely hope he's not lecturing about infosec at MIT.
QNAP has urged NAS users to act "immediately" to install its latest updates and enable security protections after warning that product-specific ransomware called Deadbolt is targeting users' boxen. "DeadBolt has been widely targeting all NAS exposed to the internet without any protection and encrypting users' data for Bitcoin …
If it is, you're a fool.
I don't care what excuses you have, allowing Internet access to your own treasure trove is asking for trouble. You are not an Infosec expert (on average) and you have no idea of what kind of nasties are floating around with the sole goal of finding your kit and ruining your day.
Convenience be damned, secure your data and cut that NAS from a world of hurt.
Like any consumer grade NAS it's just not worth having them internet facing (as they are designed for convenience), for any QNAP users they should be aware of the security nagging for a number of years. The apps can be set to update daily, firmware is supposed to self update however I normally update this myself when it notifies via email that it has a new firmware version to install.
The biggest issue I see (I do lurk from time to time on the QNAP forums) has been weak passwords, putting everything on the internet (MyQnapCloud has a UPnP option which might make it easy to set up means non-technical users are exposing the management interface, etc...) and not disabling the admin root account. I can't see this changing anytime soon. As it seems QNAP's popularity is biting I admit myself to removing everything internet facing and now using VPN for the management interface.
It is a bit hidden, I've double checked and do the following:
1. Login
2. Click the notification bell icon in their GUI top right or the 3 horizontal lines in top left
3. Click Notification Centre
4. Click System Notification Rules
5. Scroll to Firmware Update and ensure the box is clicked (You will be able to see a lot of other alerts you can choose here also).
If SMTP isn't set up, click the Methods and Recipients tab and you can set up the notification method there.
Ah ok sorry I should have made that clear, I am on QNAP's mailing list for security vulnerabilities but must admit it would be useful if there was one for Firmware updates.
Then again the huge range they now have might make that a pain, especially if they follow HP's route for product update emails.
Dunno, but it is a bit worrying. The previous security bulletin advised disabling the default Admin account and use strong passwords, so it looked like brute-force attacks were the problem - and Synology reported some BF attacks around the same time. The advice they give now is to disable ports 8080 & 443 and update. This seems to imply that it's something other than brute force that's getting the malware in and it's a bit worrying.
Mine's behind a firewall with manual updates and that's where it will stay.
Their "cloud" service doesn't work correctly without port forwarding or UPnP, so now I am left with a device that doesn't do what I paid for. I thought the whole point of cloud connectivity on a NAS was so it didn't need to be exposed to the web to be fully functional but apparently QNAP's definition differs.