6
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
this post was submitted on 23 Nov 2023
6 points (100.0% liked)
Homelab
371 readers
2 users here now
Rules
- Be Civil.
- Post about your homelab, discussion of your homelab, questions you may have, or general discussion about transition your skill from the homelab to the workplace.
- No memes or potato images.
- We love detailed homelab builds, especially network diagrams!
- Report any posts that you feel should be brought to our attention.
- Please no shitposting or blogspam.
- No Referral Linking.
- Keep piracy discussion off of this community
founded 1 year ago
MODERATORS
From experience most NAS drives, cctv boxes are built cheap and dirty. They are often slow and the proud product of a shite company/software developer.
Bad actors are running scripts on their servers, automated looking for know exploits in pages, ports and software. They are actively scanning thousands of WAN facing devices a minute.
Web pages are often written with poor practices. There is little to no care for security but just enough to satisfy the end user.
Java script protected pages (may aswell just write the password on the page)
Usernames and passwords embedded into source code. Session variables stored in cookies in plain text. Vulnerable to session hijacking, man in the middle attacks, and more.
One device we pen tested a few years back allowed access to the settings page without logging in. This is due to a header redirect being incorrectly used. The page served the form and tried to redirect the browser. We just stopped the redirect. Changed the password and logged in normally. Potato Security at its best.
These devices often do not have any rate limiting or firewall, which means brute forcing is nothing but pure playground for a nice database of known usernames and passwords. GPUs are fantastic for brute forcing. The more you have the faster you can test usernames and password combinations.
If you must share file access. Setup a VPN. Tunnel into your network securely and then access your NAS.
Assume everyone is gonna get you.