A Massive Botnet of CCTV Cameras Involved In Ferocious DDoS Attacks

An anonymous reader writes: "A botnet of over 25,000 bots is at the heart of recent DDoS attacks that are ferociously attacking businesses across the world with massive Layer 7 DDoS attacks that are overwhelming Web servers, occupying their resources and eventually crashing websites," reports Softpedia. This botnet's particularity is the fact that attacks never fluctuated and the attackers managed to keep a steady rhythm. This is not a classic botnet of infected computers that go on and off, but of compromised CCTV systems that are always on and available for attacks. The brands of CCTV DVRs involved in these attacks are the same highlighted in a report by a security researcher this winter, who discovered a backdoor in the firmware of 70 different CCTV DVR vendors. These companies had bought unbranded DVRs from Chinese firm TVT. When informed of the firmware issues, TVT ignored the researcher and the issues were never fixed, leading to crooks creating this huge botnet.

Owned

by the Chinease. What's new?

Re:Owned

So if the Chindifficult made it, it'd be more secure?

In the hopes that it might make your head literally explode: who do you think makes the tech you're using right now?

Re:Owned

So these appliances have backdoors. What was it that the U.S. govt. was saying about requiring backdoors in electronics manufactured in the U.S.? Only the govt. will be able to use the backdoors? It'll be safe to have backdoors in everything? How does this activity support that stance about backdoors being safe?

Archived link to story

The website for TFA is down. Please use the archived page instead. Thank you.

Surely

The company had nothing but the best intentions for all of it's customers. Why would they listen to a crackpot security researcher? After all: he was bringing attention to a problem where none existed before. Surely ignoring it will make it go away.

Crowdfund

[matbury]

Can we crowd fund a DDoS attack on TVT? Any takers?

Re:Crowdfund

[SeattleLawGuy]

Can we crowd fund a DDoS attack on TVT? Any takers?

No. This is what diplomacy is for.

Re:Crowdfund

That doesn't actually solve the problem. The problem is already in the hands of customers, and there probably isn't a way for TVT to force firmware upgrades. There might not even be a way to upgrade the firmware.

What is really needed - (and I hesitate to suggest this ) - is the equivalent of a DMCA notice, but for being a DDOS source IP.

Re:Crowdfund

[Required+Snark]

Until some part of the Federal Government takes responsibility for stopping this crap it will continue, and even get worse. No individual, non-profit or trade organization has the clout to stop this bad behavior. (Sorry libertards, this is where the real world intrudes and crushes your anti-government delusional thinking.)

So why hasn't this happened already? Because of the famous step 3: Profit! If some one at the federal level takes this seriously enough to intervene, then it sets a precedent that companies involved with the internet are responsible for security failures. This won't be limited to companies in China making internet gear, but it will necessarily include US businesses that get hacked. So banks (Hi Bank of America), retailers (Hi Target!), information services (Hi Facebook!), entertainment companies (Hi Sony!), and federal agencies (Hi OPM!), along with everyone else, will face real legal responsibility. Since legal responsibility is the enemy of Profit! no one wants meaningful security standards for the internet. (Except the people who get screwed, who are mostly not Big Corporate America.)

This is why there are no federal standards for security on the internet. Midway through his Presidency Obama tried to get legislation passed, but it was a nonstarter. The US Chamber of Commerce shot it down. The best the administration could accomplish was create some administrative guidelines, which counts for almost nothing. Now there is a government/business joint panel studying what to do, which is the equivalent of having a pretend friend doing your homework.

So the internet will be much more dangerous because corporate greed takes precedence over responsibility. Time for a car analogy! It looks like VW is going to face a $15 billion cost for cheating the EPA. Until some big name US business faces a similar economic hit nothing will change. (Although it is puzzling that Ford, after committing mass murder by killing over 125 people with a bad ignition switch, did not suffer anywhere near the economic hit. Due to arbitration they were able to pay off most of the claims for $1 million a piece. Peanuts compared to billions. I guess it makes a difference if your based in Detroit vs Germany.)

The two trends that might upset the current apple cart are the rise in ransomware and attacks on medical facilities and equipment. If 10 million random people suddenly have to pay a ransom to get their computer running, or a noticeable number of hospitals get shut down then there will be serious repercussions. Also, if people start dying because of any kind of medical hack it will be panic button time. Suddenly Congress will be shocked, shocked, that this happened. All the collusion fueled by corporate donations will suddenly be forgotten, and somehow the "government" will be blamed. Forgetting, of course, the Congress is "the government".

Re:Crowdfund

[Archangel+Michael]

Until some part of the Federal Government takes responsibility for stopping this crap it will continue

Why is it the responsibility of the government and not you?

Here is a thought. You (not you personally, but you the collective) have gone the route of buying the cheapest CCTV systems in the world, should be held civilly liable for their use and maintenence. This means, that if I can trace any part of a DDOS to your CCTV system, I can sue you and your corporation for damages. And so can everyone else affected by your hacked and damaged system.

Small claims courts are great for death by a million paper cuts. It would take about 5 or 6 well known cases of courts siding with those that have been damaged by rouge systems owned by corporations before EVER LAST ONE OF THEM is pulled from service, and replaced by new systems that are less vulnerable. We don't need new laws, we need the courts to start assigning damages to victims in such a way that it doesn't pay to leave crappy CCTV systems infected with botware up.

The corporations can then figure out how to recoup their losses from the Chinese.

Re:Crowdfund

[cusco]

Go look at the NVR or DVR in your employer's security center (if that's allowed). Can you tell who made it? Probably not. HikVision, Indigo, etc. don't make their own hardware, they contract it out. Possibly if you open the case you might see a label, but you might not. For a decade SuperMicro made all the DVRs for Lenel, and the only way you could tell is if you got into the password-protected BIOS. This issue was first discovered on an NVR from an Israeli company, would you automatically assume that a Chinese company actually built it?

Why do Libertarian solutions always require thundering herds of lawyers to implement?

IoCT

The Internet of Compromised Things strikes again. Vulnerability as a Service isn't just for luddites and apps anymore.

I'm curious

[Okian+Warrior]

So TVT, despite being chinks, are actually a bunch of big lipped stinking nasty chocolatey worthless nigger jigaboo porch monkeys!!

I'm curious.

Does anyone know why these posts keep appearing? It seems like there's one at the top of every discussion.

I can't imagine a real purpose for this.

Does anyone know what the goal or intent is? Can anyone explain how this benefits the poster in any way?

Re: I'm curious

Your best bet is not feeding the troll.
The idea is, get first post then get the thread so long that you have to scroll a mile to see any other threads. So, just leave it alone.

Re:I'm curious

Sometimes it's fun to imagine that there really is someone that pathetic.
With nothing better to do than bark at the digital moon.
Impotent rage must be a hell of a thing.

Re:I'm curious

Some people get a kick out of racist trolling. Maybe also they get a kick at making a bot that keeps evading slashdot's spam filters.

The real question is why cannot Slashdot Media implement a basic racism filter that blocks words racist words like 'nigger' 'chinks' etc. I know it won't stop all spam and they will start using more generic terms but it does take some of the racist impact from the posts.

While I know it is a hard problem removing all spam but these posts do really put slashdot in a bad light, I often avoid clicking on low post count stories because it is so tedious to scroll through all the vitriolic spam.

Re:I'm curious

No-one is a real person 'til you are 18, or even 21. Even then you may only be able to find 'junior' positions and pay.

There's fewer frontiers (and they get further away each year). Everything is owned. A pittance is set aside for shared use, in limited and proscribed ways.

If you are talented, focussed, hard working and lucky you may be able to make a mark, exert some influence on the world around you. For every one that makes it, there are dozens, hundreds that don't.

The social contracts and covenants are proving a lie except for a few. Small wonder, then, that posters like the GP rattle the bars, make a noise, troll for a reaction. How else do they know that they are alive?

There's no art to this. No bait on the hook of this troll. It's tired, unimaginative and so ordinary that even the transgressive elements barely elicit a reaction. It's dog-piss on a post - a pitiable attempt to mark territory and worth only pity or contempt - not for the content, but for the hand that wrote it.

Re:I'm curious

Plus, I don't think porch monkey is a racist term. My grandmother used to call me and my sister porch monkeys all the time.

Did she refer to a broken beer bottle once as a "nigger knife"?

Re:I'm curious

Dat's a shank, dawg!

Re:I'm curious

The real question is why cannot Slashdot Media implement a basic racism filter that blocks words...

Because censorship is more offensive than trash talk. There must always be zero tolerance for censorship.

Re:I'm curious

[JustAnotherOldGuy]

Does anyone know why these posts keep appearing?

Because some people have no life and just love to spew their nonsensical hatred.

Re:I'm curious

Was your grandmother by chance married to Uncle Remus ??

Re:I'm curious

Completely agree. Zero Tolerance.

Also, from an evolutionary perspective, wouldn't filtering provide selective pressure? Do we really want that feedback loop to start?

Re:I'm curious

[eulernet]

I believed that the anonymous poster was very proud of his pangram and wrote a bot to spam Slashdot, but I just noticed that the X and Z letters were not used.

Re:I'm curious

What good real advancements to science have negros made? You could list perhaps a few on one hand, but it is 1% of that of the contribution of caucasian europeans. Think muslims, negros, chinks, etc etc are so wonderful? Please, get the hell out of here and move to their own countries. We will be better off without your self hating suicidal stupidity.

Re:I'm curious

[Archangel+Michael]

That is damn near poetic. Too bad you wrote it as and AC.

Re:I'm curious

Because wankers like you keep responding to them and pointing them out, thus giving them positive feedback to continue doing it.

In other news

I'm still LOLing at the faggoty Canadians today.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Chinese CCTV

[turkeydance]

lots of C's. co-ink-i-dink?

Re:Chinese CCTV

Are you implying that this is communist Russian in origin?

Once in a while is OK

[Okian+Warrior]

If you don't respond to it, then people browsing at >=1 will never know it exists. That is the good thing about this mod system. Plus, I don't think porch monkey is a racist term. My grandmother used to call me and my sister porch monkeys all the time.

Yeah - In that definition I'm probably a porch monkey as well. Similar to "couch potato".

I think a lot of people are responding "don't respond" as a reflex action from political correctness. That's fine, and we shouldn't respond, but...

It also prevents us from talking about it. I've noticed these in a *lot* of posts, they always seem to get first post, and they're blatantly garbage.

It doesn't hurt to start a discussion once-in-a-while, and I'm not promoting his view by quoting and asking "WTF?".

We have a lot of smart people on this forum, many of which know a fair bit about psychology (armchair or otherwise).

I'd be very interested to hear an [serious] analysis of the person that posts these things.

Re:Once in a while is OK

[TigerPlish]

Would you rather have APK? Or the appy app app LUDDITE guy?

Don't feed the trolls, don't even try to understand them.

For any The Amazing World of Gumball viewers, these appy app apk racial epithet types probably look and feel *just* like TAWOG's representation of the Internet: An old-school 1990's tan PC with CRT monitor living in a basement, surrounded by decades-old pizza debris, constantly hounded by his Mom.

If I were that, I'da tripped my own circuit breaker years ago.

Re:Once in a while is OK

[JustAnotherOldGuy]

Would you rather have APK? Or the appy app app LUDDITE guy?

No, and yes, in that order.

The APPY APP guy is just a clown, APK is a festering boil on the internet's anus.

Re:Once in a while is OK

[mink]

So I stopped coming to /. for like 6 years.
Is this what replaced goatse links and gnaa?

Re:Once in a while is OK

[JustAnotherOldGuy]

So I stopped coming to /. for like 6 years.
Is this what replaced goatse links and gnaa?

Pretty much, yeah.

Comment removed

[account_deleted]

Comment removed based on user account deletion

These are the facts

In THIS PARTICULAR CASE IT WAS THE FBI

Israel is Anonymous
The NSA are Lizard Squad

I tire of keeping this to myself while these assholes try to pass 1000 new surveillance laws.

To TigerPlish the "ne'er-do-well" EATER

Don't put ME in the same class as app or n word guy: I made something that does more for less to secure & speed you up.

* Have you? Obviously not...

(It's scum like you the ruins the internet - why? Well, clearly, in computing you're useless, & you KNOW it... you take up bandwidth others like myself could be using to do others good... it's truly wasted on "your kind", true scumbag trolls who are seriously do nothing imbeciles...)

APK

P.S.=> As far as circuits to break? I severely doubt an EATER do nothing like you has any to break since you don't use them for the common-good... apk

Re:To TigerPlish the "ne'er-do-well" EATER

P.P.S=> I am gay and like to gag on a bunch of BLACK DICKS!

Re: To TigerPlish the "ne'er-do-well" EATER

But black dicks are always HUGE and I can never manage more than one at a time. Do you have an extra-large mouth?

Re: To TigerPlish the "ne'er-do-well" EATER

For once, I kinda agree with APK

Spam != trolls && trolls != spam

Network Design Flaw

[rtb61]

A piece of hardware still provides that connection, from network to network. So why are those pieces of hardware designed to allow naughty unnecessary communications. There is no reason why that hardware should be capable of executing a DDOS attack, a simple timing issue, that should be hardware locked.

Re: Network Design Flaw

[JustAnotherOldGuy]

So why are those pieces of hardware designed to allow naughty unnecessary communications.

The problem is not that they're designed to allow naughty unnecessary communication, the problem is that they're not designed not to.

It's like designing a door with a knob but no lock- there was no thought given to keeping the bad guys out.

This is going to be a bigger and bigger problem with the advent of IoT crap (the Internet Of Trash).

Re: Network Design Flaw

The problem is that all these IoT things are being built conveniently using stock Linux kernels on top of cheap CPUs. This is general compute hardware in the most general sense - whole PCs serving really simple purposes. The reasons for this is simple; the skills required to assemble a kernel to perform a particular task are reasonably well known. There's lots of programmers around that can duct-tape together a system with these things.

These systems could be made much more secure if they could execute their operations from read-only memory. The problem is most places like to leave the door open for firmware updates in case they screwed up. The internet promised a lot of things with regards to the ability to upgrade and fix software after release but all it really did was drive down the risk of writing crap software. Companies respond to reduced risk by de-prioritizing said work. Ergo the net result of the internet has been to drive down software quality as a whole. And here we are, with shitty software aplenty.

The only people interested in patching a system that's already been sold are the malware authors - the vendor has long since shifted their product focus elsewhere. In time all devices will be compromised and that will be the effective running state of the whole Internet.

Re: Network Design Flaw

[Bert64]

Booting them from ROM would actually make things worse, since you'd not be able to upgrade them the vulnerable version would remain there until the device was trashed. Those launching attacks could just exploit vulnerabilities and load their code into RAM, the backdoor would be lost after a reboot but these devices rarely reboot anyway.

And the problem with these devices is pretty much always due to their own crappy code and not the existing linux code the devices are running.

The same problem occurs with small wireless routers, the stock firmware is crap but there are several open source replacement firmwares which are much better. We need an open source distribution for CCTV cameras that can replace the terrible stock firmware.

Re: Network Design Flaw

[Desler]

Yes, you can. You can flash ROM. It's done all the time.

Re: Network Design Flaw

[Tharkkun]

So why are those pieces of hardware designed to allow naughty unnecessary communications.

The problem is not that they're designed to allow naughty unnecessary communication, the problem is that they're not designed not to.

It's like designing a door with a knob but no lock- there was no thought given to keeping the bad guys out.

This is going to be a bigger and bigger problem with the advent of IoT crap (the Internet Of Trash).

So they have no firewall on their network to prevent un-authorized access from outside the building? I think that's the point he was trying to make. No one should be able to connect to and manipulate this device in the first place.

Re: Network Design Flaw

[JustAnotherOldGuy]

So they have no firewall on their network to prevent un-authorized access from outside the building? I think that's the point he was trying to make.

Of course not, this is Joe and Jane Sixpack we're talking about here. They buy it, they plug it in. The End. They wouldn't know a firewall if they tripped over one.

-

No one should be able to connect to and manipulate this device in the first place.

Oh I totally agree, and that was the point I was trying to make. These things are designed without even a passing thought to security, and they get hacked because 99.999999999% of consumers don't have any firewall in place, nor do they even know that they need one. (Or that such a thing even exists.)

In other words, they aren't designed to not be manipulated or hacked, therefore they will be.

Re: Network Design Flaw

[cusco]

this is Joe and Jane Sixpack we're talking about here. They buy it, they plug it in. The End.

Oh, no, it's considerably worse than that. Most security hardware installers will happily drop the customer's NVR on the Internet outside of the company firewall,and then proudly show the customer that they can now access the cameras on their frelling smartphone. I have been railing for years on LinkedIn and other venues the necessity of protecting security equipment from the network, to no avail. Installing and configuring a VPN isn't rocket surgery, but Joe Cable-Puller doesn't know or care what one even is.

BTW, I'm not talking about just small shops either, major security vendors to Fortune 500 companies are doing this at their smaller customers.

Time for a factory recall???

[davidwr]

Maybe it's time for the government to order a factory recall.

Re:Time for a factory recall???

[cusco]

It's China, a nice deposit in a regulator's bank account and any such order evaporates.

It's likely that TVT has no clue where all the devices even went, they sell to wholesalers who sell to wholesalers who sell to rebranders who sell to wholesalers who sell to retailers. Good luck tracking that down.

It's time for software liability laws

Seriously, this plague of shitty, insecure-by-design IoT products will intensify until standard product liability law applies to software (with an appropriate exception for free software). This will also have the beneficial side effect of shaking a lot of people loose from the industry who should never have become software developers to begin with.

Re:It's time for software liability laws

[Hylandr]

I wonder how much money TFT is making by selling access to the Botnet they got other people to purchase and deploy for them.

Re:It's time for software liability laws

[Archangel+Michael]

The liability should be on those who purchase crappy IoT devices because they are "cheap". If they are compromised, they (the owners) should be sued into oblivion by those who are affected, and make the device owners go back to the manufacturer to recoup their losses. Right now, our legal system, the victim (the public DDOS recipient) has almost no way to recoup their losses from crappy products that have been hacked. These CCTV devices are on corporate networks, and as such they (the corporate networks) should be held liable for the damages being done from their IP domain.

TFT selling Botnet time.

[Hylandr]

I wonder how much money TFT is making by selling access to the Botnet they got other people to purchase and deploy for them.

Pretty ingenious really.

List of affected brands

Since it's buried 2-3 links in.

(Extra characters to get past slashdot's minimum characters per line filter. Who the hell thought it would be a good idea to make a filter which basically prohibits lists, and also prevents you from putting the padding out of the way at the end of the post? Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum. Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.)

Ademco
ATS Alarmes technolgy and ststems
Area1Protection
Avio
Black Hawk Security
Capture
China security systems
Cocktail Service
Cpsecured
CP PLUS
Digital Eye'z no website
Diote Service & Consulting
DVR Kapta
ELVOX
ET Vision
Extra Eye 4 U
eyemotion
EDS
Fujitron
Full HD 1080p
Gazer
Goldeye
Goldmaster
Grizzly
HD IViewer
Hi-View
Ipcom
IPOX
IR
ISC Illinois Security Cameras, Inc.
JFL Alarmes
Lince
LOT
Lux
Lynx Security
Magtec
Meriva Security
Multistar
Navaio
NoVus
Optivision
PARA V

Re:List of affected brands

A fellow Lorem ipsum user!!! (I'm about to faint).
Good use of it!

*Bzzzt - message auto-deleted since its minimum characters were not entered into Comment Field. Error 00-Yz*

Solution?

It's time to start DistributedDeni... er.. DistributedBatchingOfSystem.. DBoS

Why are these cameras even connected to the net?

[timrod]

As someone who has some experience with CCTV DVRs, all of the DVRs I've worked with are the same: fanless computers with cases so thick they're practically mil-spec that get set up once and then immediately locked up in a room (to which only a handful of people on-site are allowed to have a key). The DVRs themselves are on an intranet with the cameras that has no outside internet access. The process works because no one can hack the network without physically being present in the building (at which point they'd be seen by security and likely arrested once the police are called) or launching a military-style assault on the room with the DVRs inside (at which point the company has far bigger problems than CCTV was designed to solve).

So, why are these even connected to the internet at all, especially if they're commercial DVRs?

Re:Why are these cameras even connected to the net

Perhaps because they're the no-brand CCTV DDRs bought by small businesses the world over, with a basic 4 camera setup and screen by the till so the business owner can keep an eye on the aisles, the stockroom and record activities at the checkout for when they get robbed. They're connected to the internet because the store owner wants to be able to access the feeds from a PC, tablet or phone when they've gone home at night, "for security".

Such a setup is a godsend for the botnetters.

Re:Why are these cameras even connected to the net

[Bert64]

All kinds of reasons...

Some people want to monitor the premises from a remote site...
Some companies want to centralise their cctv monitoring to save costs.
There is already an ethernet network present, cheaper than running separate cabling for ip cameras.

TigerPlish - My works helps vs. botnets

See subject: Like in THIS article albeit another here today, via my ware https://it.slashdot.org/commen... where APK Hosts File Engine's output applies on topic & works to help on an amazing number of grounds for more speed + safety online for free & far less security exploits or resources consumed, yet I do far more.

QUESTION (See subject): Where's yours doing the same on the same grounds? It's not. You're giving me crap for helping others via less is more genius IN MOTION that works too?

APK

P.S.=> Stop projecting your childhood trauma onto me &/or trying to PRETEND to be me & grow up... apk

Re:Why are these cameras even connected to the net

Because most people don't want to spend more that what they're trying to protect on overpriced crap?
Chinese coax cameras would be as secure as your setup since there's no network connection and cost orders of magnitude less.

But we live in a world of App Appers and network cameras are as cheap as analog ones, some even wireless which means people don't even have to lay cabling, do you really think most of the users have any network knowledge?

Re:Why are these cameras even connected to the net

[Desler]

So the cameras can be remotely monitored.

JustAnotherOLDBitch the webmaster... apk

See subject: You serve Google ads & you like "AlmostALLAdsBlocked" letting ads in to infect + slow users!

APK

P.S.=> You project what YOU are, & you KNOW it... apk

Insert free slashvertisment for Sucuri

[khz6955]

"US-based security vendor Sucuri discovered this botnet, very active in the last few weeks, and they say it's mainly composed of compromised CCTV systems from around the world.

Their first meeting with the botnet came when a jewelry shop that was facing a prolonged DDoS attack opted to move their website behind Sucuri's main product, its WAF (Web Application Firewall)."

Re:Why are these cameras even connected to the net

[Archangel+Michael]

All of those things can be provided, by proper IT.

Remote Monitoring - Virtual Desktop Infrastructure. Only systems inside the firewall can use the CCTV system, and VDI provides a way into the inside of the firewall. The CCTV system is on a non-routable VLAN that traffic cannot leave the premises. No hacking ,no DDOS no nothing.

Centralized Monitoring - VLANs and VPNs. By setting up proper VPNs and VLANs, you can properly isolate systems from the outside, while providing the same level of service (perhaps even better service) for properly maintaining a single central monitoring service. The issue here is that in order to do this, you have to have an IT dept that can articulate why it needs to isolate networks from each other properly.

Ethernet Present - Yup, and probably the swiching/routing needed to properly VLAN and VPN the whole thing so that you can use existing infrastructure to isolate traffic from each other on the same equipment. Cheap ass networking gear excepted.

Good IT is expensive, bad IT is costly.

Ask the GNAA

Is the GNAA around anymore?

CCTV DoS can be fun

[Megane]

Many years ago I worked at a major networking hardware manufacturer (one who should know their stuff, but somehow let this happen). This was maybe '04 or '05 or so. Seems they had installed some kind of security camera system that ran on a Windows platform. Like one per camera or maybe one per four cameras or something. And because it's all wrapped up as a product, you can't just stick McAfee on it. Yes, I know, what the ever loving fuck. They were deployed all over the company. Hooked up via gigabit Ethernet to the internal backbone. Along comes the latest Windows worm, and the cameras not only catch it, they blow out the entire company's network spewing packets all over the place as the worm tries to spread. It was bad enough to cause significant packet loss to the internet.

I also remember that from time to time some SMB worm thing would hit a printer when trying to spread, and those brillant HP printers would happily spew a new page ever time they saw an 0x0C. We actually had to replace one printer in my area because this broke it. (Extra large paper tray, of course.)

Re:Why are these cameras even connected to the net

[luis_a_espinal]

All of those things can be provided, by proper IT.

Remote Monitoring - Virtual Desktop Infrastructure. Only systems inside the firewall can use the CCTV system, and VDI provides a way into the inside of the firewall. The CCTV system is on a non-routable VLAN that traffic cannot leave the premises. No hacking ,no DDOS no nothing.

Centralized Monitoring - VLANs and VPNs. By setting up proper VPNs and VLANs, you can properly isolate systems from the outside, while providing the same level of service (perhaps even better service) for properly maintaining a single central monitoring service. The issue here is that in order to do this, you have to have an IT dept that can articulate why it needs to isolate networks from each other properly.

Ethernet Present - Yup, and probably the swiching/routing needed to properly VLAN and VPN the whole thing so that you can use existing infrastructure to isolate traffic from each other on the same equipment. Cheap ass networking gear excepted.

Good IT is expensive, bad IT is costly.

Well, I'm going to lose the mod points I provided, but what the heck.

The type of customer these products are targeted for - small businesses or homes - they do not have proper IT. Now, it is not a fault of these type of customers (to a degree). It is more the manufacturer's faults for not designing products that are *obviously* aimed that does not have dedicated/proper IT.

It should not be impossible to provide a COTS, drop-in CCTV solution that only connects from the cameras to the DVR and to pair the DVR to whatever device the customer wants to use for monitoring, with all other type of network access (local and public) restricted (expect maybe a way to "dial home" for updates.

Such a thing would never be 100% impervious to attacks, but it would be far safer than the current alternatives which are the evil cousins of open smtp relays.

Re:Why are these cameras even connected to the net

[Tharkkun]

All kinds of reasons...

Some people want to monitor the premises from a remote site... Some companies want to centralise their cctv monitoring to save costs. There is already an ethernet network present, cheaper than running separate cabling for ip cameras.

That still doesn't explain why it's insecure. VPN's are cheap. Install a router/firewall where you can VPN in and then manage from there.

Mind-numbingly Stupid That It's Even Possible

[EndlessNameless]

Why do CCTVs have outbound access to the internet at all?

If a CCTV feed really needs to leave the premises, that's what VPN is for.

Between the security and privacy issues, someone should be losing their job.

Re:Why are these cameras even connected to the net

[cusco]

I monitor cameras at sites in 21 countries on every continent but Africa and Antarctica (and we're going to drop a site in South Africa next year). **NOT ONE** is directly on the Internet. There is absolutely no reason for any of these NVRs to be on the Internet, except laziness by the installer and salescritters. I have been barking up this tree for years on LinkedIn, that a VPN is cheap and easy to install, and the vast majority of even professional security system installers who work with Fortune 500 customers will pay no attention at all. Their smaller customers want to click the link and have a camera come up, they don't want to click the VPN, wait for the secure connection to be established, and then open their camera.

With the coming Internet Of Things flood this is only going to get worse.

Silence Old Bitch... apk

See subject: I've got your # down & it silenced your LAME deceitful ass, now didn't it? Yes, it did https://news.slashdot.org/comm...

APK

P.S.=> Is your favorite color TRANSPARENT? Must be - I see RIGHT thru you... apk

Agree w/ me again too then... apk

See subject: Cryptizard failed in "taking me on" (hosts work vs. botnets) https://it.slashdot.org/commen... as I crushed him in the exchange I posted above earlier here, lol!

APK

P.S.=> I tell you: It's NOT EASY being "world-class" like me - BUT, it is easy (& you all KNOW that I've just GOTTA say it now don't you? Ah, but of COURSE you do) - just "too, Too, TOO EASY - just '2ez'" blowing away naysayer fools like Cryptizard (& 1,000's of others way, Way, WAY before him here on /.)... apk