58, 000 Security Camera Systems Critically Vulnerable To Attackers

From: Rod-Lists 
------------------------------------------------------
from /.
"Eighteen brands of security camera digital video recorders are vulnerable to an attack that would allow a hacker to remotely gain control of the devices to watch, copy, delete or alter video streams at will, as well as to use the machines as jumping-off points to access other computers behind a company's firewall, according to tests by two security researchers. And 58,000 of the hackable video boxes, all of which use firmware provided by the Guangdong, China-based firm Ray Sharp, are accessible via the Internet."
http://it.slashdot.org/story/13/01/29/0111238/58000-security-camera-systems-critically-vulnerable-to-attackers

Anyone got sources of secure cameras?

=============================================================== From: Dan Lyke ------------------------------------------------------ On Tue, 29 Jan 2013 12:23:59 -0500 (EST) Rod-Lists wrote: I'm giving a talk at the first "Personal Clouds Gathering" in SF tonight, and I think this touches on two things: First, firewall that stuff. Firewall and NAT everything, and then proxy a few things through it. Maybe with a VPN, but probably not. Second, how much do you trust your devices? Your browser? The last time I was talking to a guy doing deep security work, he was talking about trying to detect "exploit in the browser" infiltrations, where IE plug-ins were detecting accesses to specific banks, providing the credentials elsewhere, and then providing faked transaction and balance history pages while making withdrawals in the background. Stuff like that makes the fact that your new DSL modem is probably TR-069 enabled and your ISP's tech support person can see your WiFi connection info sound positively heartwarming. Dan

=============================================================== From: Dave Brockman ------------------------------------------------------ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 +1 Firewall - -1 NAT +1 VPN We *have* to get out of this IPv4 mindset that NAT is a good thing (tm). The bad guys have been winning this particular war for at least the past 5 years. And I mean the really bad guys, not the script kiddie punk kind, the Estonian Mafia kind..... Using your modem as a modem and not a router with a proper firewall at your border will prevent that nonsense also. Regards, dtb - -- "Some things in life can never be fully appreciated nor understood unless experienced firsthand. Some things in networking can never be fully understood by someone who neither builds commercial networking equipment nor runs an operational network." RFC 1925 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.17 (MingW32) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBAgAGBQJRCDscAAoJEMP+wtEOVbcdnwgH/i3onxpf+uCik8gjqTMwNcXB A6HUQnZ9HsLrttY8jHh3W/zLMVQ9eRuzI+fjTC/ODuUR0wshWSZ61vlg3ZKPS4fc WiDs44v8EhxUqO1lWQnclRMxX/7MpZRORI0mNVPwFEMQ3MUEb7R2NIV+H82kyrcK hkeXJStjeiF0NR0RSajsF0x1055kX8fQo+L2d0OKRO2cTONd4cCMrMp9Llv9iA/w y8kzeThTPIb7DyGRjT7RWaCsgqZAl5Jf+v2twaFAlVBbbCdPV0btceOnEOXtJI5L lX94tQvfTaUaBZvCDoMN9v861gv9FcW8SoxkzdSryupzT5eLdTtsDDmCSfG/USU= =zPF3 -----END PGP SIGNATURE-----

=============================================================== From: Dan Lyke ------------------------------------------------------ On Tue, 29 Jan 2013 16:11:56 -0500 Dave Brockman wrote: Yeah, I'm not convinced that it's a good thing, but I'm of the opinion that it's what we have right now. Got *5* calls today from the guy claiming to be from technical support trying to get me to install software on my Windows computer. Yes. Dan

=============================================================== From: Dave Brockman ------------------------------------------------------ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The current consumer broadband model pretty much requires a PAT configuration with IPv4. We've been doing it for 20 years or so now, so we've made our applications smarter to get around it (for the most part, we still need FTP ALG in most cases for instance), but CGN is going to be a whole new kind of pain. Nat on each end plus a NAT in the middle, I see a whole lot of broken IPv4 based shit headed our way. The next battle will be with the ISPs to give you a /48 worth of IPv6 instead of a single /64. Hell, I guess we have to win the give a /64, not a /128 battle first..... I *never* get this guy.... I have a handful of VMs just waiting for the opportunity to capture one of these shit-heads in action. And it's not like I can firewall off my DID the way I do my network, so it's really not my fault, I keep getting the Cruise and Credit Services phone SPAM, don't know why I can't get the Microsoft guy :( Just because your network devices *can* plug and play, doesn't mean they should :) Regards, dtb - -- "Some things in life can never be fully appreciated nor understood unless experienced firsthand. Some things in networking can never be fully understood by someone who neither builds commercial networking equipment nor runs an operational network." RFC 1925 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.17 (MingW32) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEbBAEBAgAGBQJRCEQ7AAoJEMP+wtEOVbcd5lEH+ImxQpKp3Bs9yzXY3bk2X8tF x9z+4nHvPjG9KlXsZSVW8sWmmr4dQn42gNCQfucYL4+FqY12K8Pdc35I7/JIb6OQ VOVpVsszeaLTh5+slBUbGt/sZkaahRp6sf0guKevgpSjWQps+b3oTgArXZbXato0 v8PN098/dQX9TpYZJFR4H9VcHCAp2FmwNYb6z14fajjGmwtZjfa+8SxIlfY6gQLO aO1F8R8aFrfuG/Rt5mpbUFCCOXK9y8JK7xFR5vnQhcrQQfZDR8Y3NsvIG/P84JUd BAZQbTlnf0XBeUNJthQAnOMtdonOtxKbu1JxnTj57HVzpbtPcRtzjVkgnR2v9A== =NCwE -----END PGP SIGNATURE-----

=============================================================== From: Nick Smith ------------------------------------------------------ Id be interested to know how to setup such a vm, that would be interesting to see them play in the sandbox..... -- -------------- Nick Smith nick at nicksmith dot us

=============================================================== From: Dave Brockman ------------------------------------------------------ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 1. Install VMWare product. 2. Install XP VM (Bonus inversely calculated[1] on SP you don't install) 3. Wait..... 4. Play 5. Profit (Workstation is actually the best option for these kinds of games, it allows you to finesse your snapshots and offers more replay abilities than VMs running on ESX) Regards, dtb [1] Bonus point multiplier is 5. Calculate inversely on highest SP you do not install. Install SP3 = (0 x 5) 0 Bonus, install SP2 = (1 x 5) 5 Bonus, install SP1 = (2 x 5) 10 Bonus, no SP = (3 x 5) 15 Bonus - -- "Some things in life can never be fully appreciated nor understood unless experienced firsthand. Some things in networking can never be fully understood by someone who neither builds commercial networking equipment nor runs an operational network." RFC 1925 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.17 (MingW32) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBAgAGBQJRCFCcAAoJEMP+wtEOVbcd1wcH/Ag1vA36PNCkZmlBtnM9QxM8 Z06VECxyCGI/m/dRhr7Wnrs7ELI28o1uiTEIr4k/kZ6Iz3bmaBRBTUoLkVzn9nVz 50zbyObsOSm07dy8OuHNk42G+op4Dpv+BP2LEI7y6TORyNkr1JeMQKqUNCwAQML/ BCq9hneT1Ald84jSh0skjf8bIAPG010oAOGm7KoBRbxjVUH2bQ18thkOPKYF3OLk OtuKXtdaqa7ykzdNapfdJ6VbSAHJKczRdZV8cqJHPYGbDXp03BXU9hDzUnVhbT/d w80GVwMvZFsB8IuD3Iv9tacfT3KzUgtvaQ/gkT2g3G/n79UhVQ9zccVUT9B2pC4= =6mF/ -----END PGP SIGNATURE-----