Slashdot Mirror


Malware Infects 70% of Seagate Central NAS Drives, Earns $86,400 (softpedia.com)

An anonymous Slashdot reader writes: A new malware family has infected over 70% of all Seagate Central NAS devices connected to the Internet. The malware, named Miner-C or PhotoMiner, uses these hard-drives as an intermediary point to infect connected PCs and install software that mines for the Monero cryptocurrency... The crooks made over $86,000 from Monero mining so far.

The hard drives are easy to infect because Seagate does not allow users to delete or deactivate a certain "shared" folder when the device is exposed to the Internet. Over 5,000 Seagate Central NAS devices are currently infected.

Researchers estimate the malware is now responsible for 2.5% of all mining activity for the Monero cryptocurrency, according to the article. "The quandary is that Seagate Central owners have no way to protect their device. Turning off the remote access NAS feature can prevent the infection, but also means they lose the ability to access the device from a remote location, one of the reasons they purchased the hard drive in the first place."

98 comments

  1. IoT by Anonymous Coward · · Score: 0

    Do not expose IoT devices to the wide and woolly internet. After the initial sale most companies do not care.

    IoT could be cool but it never will be because of this exact reason. No support after the sale.

    1. Re:IoT by Anonymous Coward · · Score: 0

      "Internet of things" is a buzzword, this news story serves to prove that.

    2. Re:IoT by Anonymous Coward · · Score: 3, Insightful

      sed 's/IoT//g'

      Any device, be it IoT, a client, server, network device, or anything has this problem. In my experience, security is perceived to have no ROI, so at best it gets lip service, at worst, it is obviously ignored. I have seen "encryption" where all zeroes were used as AES keys for all operations, 4096 bit keys that were really sixty-four, 64-bit RSA keys (really giving 70 bits of security), tons of added stuff, no OS firewalling, disinterest in any updates, locking down firmware where no updates can be performed (this is extremely routine, because it adds planned obsolescence, and companies have zero responsibility to provide them, even if there is a major, show-stopper bug.)

      The best device on the Internet is no device. Next to that, it is having devices placed between hardened firewalls, only communicating to a few machines, real secure mechanisms for updates [1], and so on. Ideally devices should communicate to a hardened hub, and the hub handles everything else.

      [1]: Back in the 1990s, RSA was not prevalent, so motherboard makers actually had to use real security. No motherboard flashing could be done until a physical switch was flipped. This may not be possible for all devices, but it should be considered part of the flashing process, to stop rogue firmware "upgrades."

    3. Re:IoT by the_Bionic_lemming · · Score: 2

      Back in the 1990s there was pretty much no worries about security.

      And the motherboards didn't have anything baked into them because of hackers.

      There were no switches. Unless you are talking about the jumpers so you should of said jumpers to actually prove what you were talking about. There were no internet based hacks that required jumper use to repair in the 1990's.

      --
      _ _ _ Go for the eyes Boo! GO FOR THE EYES!
    4. Re:IoT by shione · · Score: 2

      "Because Windows has a bad habit of hiding file extensions, whenever the device owner accesses their NAS, they see this file as a folder, fooled by the fake icon." - http://news.softpedia.com/news...

      So part of the problem is Windows too. Hiding file extensions and allowing scripts to be run without confirmation. That's the same rubbish which made macro viruses so rampant in MS Office formats.
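As an added example (not code from the thread, the article, or Seagate), a Python check a share owner or admin could run to list entries that abuse the hidden-extension behaviour the comment above describes: a file named "Photos.scr" appears as "Photos" with a folder icon, and "holiday.jpg.exe" appears as "holiday.jpg". The executable-extension list and the sample file names are assumptions, since the thread does not give the malware's real file names.

```python
"""Flag share entries that masquerade as folders or media files when Windows
hides known file extensions.  Added example; not from the thread or Seagate."""
import os
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# File types Windows launches on double-click.  Assumed list, not exhaustive.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs", ".js", ".lnk"}
# PE executables (.exe/.scr) carry an embedded icon resource, so "Photos.scr"
# can display a folder icon and, with extensions hidden, the bare name "Photos".
ICON_CAPABLE_EXTS = {".exe", ".scr"}
# Extensions a user expects to see on a photo/media/document share.
BENIGN_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".mp4", ".mkv", ".mp3",
               ".doc", ".docx", ".pdf", ".txt"}


@dataclass(frozen=True)
class ShareEntry:
    """One directory listing entry (name may be a bare name or a full path)."""
    name: str
    is_dir: bool


def classify(entry: ShareEntry) -> Optional[str]:
    """Return a reason string if the entry is a disguised executable, else None."""
    if entry.is_dir:
        return None
    stem, ext = os.path.splitext(os.path.basename(entry.name))
    ext = ext.lower()
    if ext not in EXECUTABLE_EXTS:
        return None
    inner_ext = os.path.splitext(stem)[1].lower()
    if inner_ext in BENIGN_EXTS:
        return "double-extension"   # holiday.jpg.exe is shown as holiday.jpg
    if ext in ICON_CAPABLE_EXTS:
        return "folder-lookalike"   # Photos.scr is shown as Photos, folder icon
    return "hidden-extension"       # run.bat is shown as run


def scan(entries: Iterable[ShareEntry]) -> List[Tuple[str, str]]:
    """Return (name, reason) for every suspicious entry, in listing order."""
    hits: List[Tuple[str, str]] = []
    for entry in entries:
        reason = classify(entry)
        if reason:
            hits.append((entry.name, reason))
    return hits


def scan_path(root: str) -> List[Tuple[str, str]]:
    """Walk a mounted share (e.g. the NAS's public folder) and classify every file."""
    entries = []
    for dirpath, _dirnames, filenames in os.walk(root):
        entries.extend(ShareEntry(os.path.join(dirpath, n), False) for n in filenames)
    return scan(entries)


# Constructed listing standing in for a NAS share; not real malware file names.
SAMPLE_LISTING = [
    ShareEntry("Photos", True),
    ShareEntry("Photos.scr", False),       # would render as a second "Photos" folder
    ShareEntry("holiday.jpg", False),
    ShareEntry("holiday.jpg.exe", False),  # would render as "holiday.jpg"
    ShareEntry("run.bat", False),          # would render as "run"
    ShareEntry("readme.txt", False),
]

if __name__ == "__main__":
    for name, reason in scan(SAMPLE_LISTING):
        print(f"{reason:17} {name}")
```

Running `scan_path("/mnt/nas/Public")` (an assumed mount point) applies the same check to a real share; anything it reports is worth inspecting before anyone double-clicks it.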

    5. Re: IoT by Anonymous Coward · · Score: 1

      Just ask for your money back. These devices do not work as expected and it's definitely a manufacturing problem.

    6. Re: IoT by Anonymous Coward · · Score: 0

      Back in the 1990s (before around 1993 when consumer dialup Internet access became available) there wasn't any http. Desktop MS-DOS PCs didn't even have separate user and system accounts.

    7. Re:IoT by Anonymous Coward · · Score: 2, Informative

      I like my ASRock motherboards, there is a physical switch that makes it boot up from the primary BIOS or the backup BIOS. Overwriting the backup requires intentionally telling the BIOS to overwrite the backup. You can flip the switch and make it boot from the backup and it can overwrite the primary. You can't screw this up.

      Also you can't flash the bios in Windows 10. You can however tell the bios to update the bios over the internet.

      Now, why this is relevant. I had a Gigabyte motherboard last time around, it flashed itself to death. Because of issues with the CPU it would occasionally boot up and malfunction, and try to recover by copying the backup to the primary and rebooting. This happened enough times that it eventually bricked itself.

      But you're right, the correct mechanism is to make it so that the BIOS/Firmware on a hardware product has a mechanical switch thrown to enable this. I've bricked 2 WRT54Gs due to bad firmware, and they could have been salvaged if they had a backup firmware that could be switched to. Certain devices are more susceptible to being damaged, with wireless routers being at the top of the list. All that's needed for those to be overwritten is for a rogue access client to tell it to reboot and accept a TFTP firmware most of the time. When I first moved to this city, I found open wireless access points with no password set on the admin panel, I told those devices to update the firmware and then logged back in, set an admin password, then wiped the access log. This was more than 12 years ago.

      More to the point however, IPv6 is supposed to give every device a real world IP address, no more NAT bullshit. Unfortunately IoT devices are often set up with no security because otherwise they can't be set up at all.

      This reminds me of back in the early days of cable modems before routers were standard. If you connected a Windows XP machine to a cable modem, you were infected with malware within minutes. Not enough time to download any patches. Even with Windows 95 and 98 (remember "Back Orifice"?) the kiddies were getting any machine connected to the same ISP infected, or bumping users off that they didn't like, stealing their passwords and so forth.

      It's like nobody wanted to learn anything from 20 years ago with this "assume some idiot is going to plug this device right into an internet-facing device" problem that was pretty much everywhere.

      For IoT things, the best thing to do is have two firmwares, (oh but that costs a few more pennies) one to boot if DHCP reveals a non-routable IP address (eg 192.168.x.x) and one to boot if IPv4 or IPv6 show routable IP addresses, with the latter making sure that it doesn't have "default" settings like admin/password accounts set up.

    8. Re:IoT by Hognoxious · · Score: 1

      There were no switches. Unless you are talking about the jumpers so you should of said jumpers

      A jumper makes or breaks a connection. Even if you're a total aspie and don't think that makes it a switch, I have an old Asus MEW board right next to me and it's got DIPs on it so just fuck off.

      P.S. s/should of/should have/

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    9. Re:IoT by Anonymous Coward · · Score: 0

      The best device on the Internet is no device.

      Exactly. I just bought a dishwasher. As usual, the salesman tried to bait&switch to another model. The other model had wifi so you could start the washing from anywhere in the world using "an app". I told him I worked with internet security, and knew how many ways that could go wrong. (I can start the washing cycle, and how many others can do so too? Over the 10-15 years we expect the machine to last?) Didn't buy that one!

    10. Re:IoT by Gr8Apes · · Score: 1

      In the 80s and 90s, depending upon when, exactly, there was complete and total access to everything on the internet, just about. Computers connected to the internet were directly accessible, for the most part. Firewalls? Routers? They all came later. Everything was pretty much statically defined and worked like your wired home LAN, if your home LAN were comprised of speaker wires with crappy connectors and ran at 10Kb/s.

      --
      The cesspool just got a check and balance.
    11. Re: IoT by Anonymous Coward · · Score: 0

      You do realize that http was thought of in 1989 and created around 1990? By Tim Berners-Lee and Robert Cailliau in 1990.

    12. Re:IoT by the_Bionic_lemming · · Score: 1

      A jumper can make a switch, but isn't a switch, it's a jumper that connects two or more terminals together. If it was a switch, it never would of been called a jumper.

      Next you'll be telling a fuse is a switch. You know, because it switches something on.

      --
      _ _ _ Go for the eyes Boo! GO FOR THE EYES!
    13. Re:IoT by the_Bionic_lemming · · Score: 1

      Oh, and the MEW board? When was that introduced?

      Late 1999, and you tell me to fuck off? Wow, you are a stain on Slashdot. The sooner you get mod bombed the better.

      --
      _ _ _ Go for the eyes Boo! GO FOR THE EYES!
    14. Re: IoT by Anonymous Coward · · Score: 0

      "Should of". "Would of".
      What fucking putz.
      Do you say "I of done something", or "I of said something"?
      Hopefully not, especially if you wanted to be understood.
      Hopefully what you said was "I HAVE done something", or "I HAVE said something".
      And if you instead of doing or saying it, you will say "I SHOULD HAVE done or said something".
      It's not that fucking hard to speak or write English correctly, especially when someone corrects your first bit of idiocy, yet you doubled down.
      What a fucking putz.

    15. Re: IoT by the_Bionic_lemming · · Score: 1

      I love when grammar nazis are wrong.

      go back to school.

      --
      _ _ _ Go for the eyes Boo! GO FOR THE EYES!
  2. Silly Suits by Tablizer · · Score: 2

    Put an un-updatable OS on a hard drive. Brilliant!

    1. Re:Silly Suits by Anonymous Coward · · Score: 0

      On the contrary, it seems malware operators are quite proficient at updating the OS... -PCP

    2. Re: Silly Suits by Anonymous Coward · · Score: 0, Troll

      This would never happen if they ran Linux. It's a fact that Linux is never vulnerable.

    3. Re: Silly Suits by Anonymous Coward · · Score: 1

      Those drives are running Linux.

      http://www.theinquirer.net/inquirer/news/2355376/seagate-rolls-out-nas-range-with-its-own-linux-based-operating-system

      All NAS systems run Linux except for some very expensive models designed for data centers and the FreeNAS-based systems which are only sold by iXsystems and the few users who know where to find identical hardware to build their own.

    4. Re: Silly Suits by Anonymous Coward · · Score: 4, Informative

      There's a culture of insecurity at Seagate's NAS unit.

      Some years ago, we (not a security or IT firm) reported some issues with their web interface. Basically there was a public (no authentication needed) PHP script in the directory used to serve the web admin interface which ran arbitrary commands from the URI as wheel. That could be used to reset the admin password, load and run arbitrary code, load an entire hostile OS for the NAS, etc.

      Support didn't understand the issue, and security ignored it as being too difficult to exploit in practice. We soon pointed out to Seagate and some friendly media that there were hundreds of these exploitable Seagate NAS boxes indexed on Google, including Organizations working in charitable and vulnerable sectors, and that we would be contacting Seagate's customers about the issue.

      They still didn't admit that there was an issue, but their next 'firmware' update addresses the issue by requiring a password to run arbitrary commands from the URI. The password was the same for all devices and was stored in a plaintext file in the same publicly accessible directory.

      We stopped using Seagate products altogether after that experience.

    5. Re: Silly Suits by Anonymous Coward · · Score: 0

      YHBT. YHL. HAND.

  3. Really? by Anonymous Coward · · Score: 0

    Quoting the summary:

    Turning off the remote access NAS feature can prevent the infection, but also means they lose the ability to access the device from a remote location, one of the reasons they purchased the hard drive in the first place.

    Once again, exposing various things directly to the Internet is a Bad Thing. Putting such devices into isolated environments and strictly limiting network access to authorized, whitelisted sources is really not that difficult. The device in question is clearly suffering from serious design flaws, but claiming device owners "have no way to protect their device" is bullshit. -PCP

    1. Re:Really? by damn_registrars · · Score: 5, Informative

      Once again, exposing various things directly to the Internet is a Bad Thing.

      Indeed it is, but it likely isn't really exposed "directly to the Internet". More likely it runs some service through a Seagate server that makes it available (likely by default, no less). After all, this is designed for home users and how many home users even would know how to modify their router's default rules to expose a specific port on a specific system to the internet?

      claiming device owners "have no way to protect their device" is bullshit.

      Well, if the first thing it does out of the box is call home to Seagate to give owners remote access to their files through the magical Seagate cloud, then the statement might be pretty darned accurate. These drives most likely default to getting addresses by DHCP on the user's network, and the user most likely gets their outside address by DHCP from their ISP. These hackers likely aren't finding these drives to be exposed directly, but rather to be exposed via Seagate. And considering the (lack of) quality that is Seagate these days, the drives probably have some terrible default password as well that makes it trivially easy for a hacker to get in.

      --
      Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    2. Re: Really? by Anonymous Coward · · Score: 5, Interesting

      This.

      I have one of these devices. The first thing that must be done is to create an account on the Seagate server. All account creation and password changes go through their server.

      The device itself is utter crap. Linux OS with an NTFS formatted. The transfer speed using ethernet is comparable to dialup.

      Stay away from anything Seagate / NAS. Waste of money.

    3. Re:Really? by arth1 · · Score: 2

      Claiming they lose the ability to access the device from a remote location if they turn off the remote access feature is also bullshit. Just VPN in, or enable read-only FTP, or any of a number of other different options.

    4. Re:Really? by Anonymous Coward · · Score: 1

      Indeed it is, but it likely isn't really exposed "directly to the Internet". More likely it runs some service through a Seagate server that makes it available (likely by default, no less). After all, this is designed for home users and how many home users even would know how to modify their router's default rules to expose a specific port on a specific system to the internet?

      You're incorrect. You may wish to read the technical report covering this issue. -PCP

    5. Re: Really? by Anonymous Coward · · Score: 0

      ^^^ this ^^^

      Performance of these things is beyond abysmal. I prefer ownCloud.

    6. Re:Really? by Anonymous Coward · · Score: 0

      Claiming they lose the ability to access the device from a remote location if they turn off the remote access feature is also bullshit.

      Well seeing that remote access was one of the features the device was sold with, yes they lose the feature that they intended to buy and use.

      Just VPN in, or enable read-only FTP, or any of a number of other different options.

      Now listen dickface, these devices clearly are not sold to people who can just "VPN in" or "enable read-only FTP". These are sold to your average user who doesn't fully understand the security implications and certainly has no clue about VPNs or anything else.

      You must be great fun at parties....

    7. Re: Really? by drinkypoo · · Score: 1

      Stay away from anything Seagate / NAS. Waste of money.

      I bought a Dockstar once... that's a pogoplug :)

      Actually a decent little box for Debian, although you really want the Pogoplug V4.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    8. Re: Really? by arth1 · · Score: 1

      I have one of these devices. [...]
      Linux OS with an NTFS formatted.

      The Seagate BlackArmor NAS I have uses ext3, not NTFS.

      The transfer speed using ethernet is comparable to dialup.

      Two gigE ports, which even allow for bonding. The speed issue isn't with the transfer speed, but using software RAID without enough memory to cache anything.

  4. That's not even the worst part by damn_registrars · · Score: 3, Interesting

    The worst part of the story is that the HDD is made by Seagate and won't last more than 13 months regardless. The users think they bought a good network drive, until they go to retrieve their files and discover the drive has already bought the farm.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    1. Re: That's not even the worst part by Anonymous Coward · · Score: 0
    2. Re: That's not even the worst part by Anonymous Coward · · Score: 0

      The worst part of the story is that the HDD is made by Seagate and they can't shake their reputation for hard drives that won't last more than 13 months regardless of recent improved reliability.

    3. Re: That's not even the worst part by BenJeremy · · Score: 2, Interesting

      An improved turd is still a turd. Not trusting Seagate... they once had a good reputation, then they bought Maxtor and apparently ditched all the Seagate side of the drive engineering and manufacturing in favor of Maxtor, because that was the exact moment their products went to complete shit.

      I have purchased quite a few Seagate drives in the past 6 years, and all of them are now dead - most before they were online for 3 years. The first couple I figured were flukes... and there were always decent deals on Seagate externals; but no deal is worth it, not with these crap drives.

    4. Re: That's not even the worst part by hairyfeet · · Score: 5, Interesting

      Well the rumor that was going around on the builders forums at the time (they even had lists of serials to tell the difference between "Seagate" drives and "Maxgate" drives) is that when Seagate bought Maxtor they got a REALLY cheap ARM HDD controller from Maxtor...how cheap? So cheap they could build 4 of them for the price of a single Seagate controller. Now what company wouldn't want to drop the price on a major part by 75%?

      The catch was this controller is buggy as fuck, especially if it gets hot. If you keep the drive super cool? It works fine, if the drive gets hot? It loses its little mind and forgets the HDD geometry and will slam the head because it doesn't know where the drive starts and ends. My own tests seem to back this up as I've had zero issues with Maxgate drives I put in a big old ATX case I have at the shop with a couple of 240mm fans front and back to push away any heat generated but if I put a Maxgate into a small PC box without a ton of fans? It's gonna fail, and the hotter the case the quicker the fail.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    5. Re: That's not even the worst part by chuckugly · · Score: 1

      I can't back that up but I have really good results with Seagate, and all my drives are in a couple servers (a FreeNAS and an ESXi box) with decent cooling. So I can't say you're right, but my evidence sure doesn't say you're wrong either. Personally I like them, and I'll likely get a bunch of 8TB ones for my next NAS box.

    6. Re: That's not even the worst part by Anonymous Coward · · Score: 0

      I haven't trusted Seagate drives since they bought Conner. Conner were pretty much the crappiest drives until Maxtor came along and took that title. Then they bought Maxtor, and there is even more reason not to trust their drives! I would never buy a Seagate drive, and never buy any drive meant to be connected to the internet!

    7. Re:That's not even the worst part by fahrbot-bot · · Score: 0

      ... the HDD is made by Seagate and won't last more than 13 months regardless

      I have a Seagate 250GB PATA drive in my MythTV system for the OS and recordings. It was installed in 2007 and has been running 24x7 w/o any issues.

      --
      It must have been something you assimilated. . . .
    8. Re: That's not even the worst part by Anonymous Coward · · Score: 0

      Seagate has been shit for 30 years, they accidentally make a reliable drive every 5-10 years, that doesn't erase the long history that one day Seagate is going to fuck you over on storage.

    9. Re: That's not even the worst part by Anonymous Coward · · Score: 0

      There are always outliers and edge cases.

    10. Re:That's not even the worst part by Anonymous Coward · · Score: 0

      I'm pretty sure they could have made millions, but the drives must have failed after 5' of mining :v

    11. Re: That's not even the worst part by geekmux · · Score: 1

      Wrong.

      Seagate has dramatically improved the reliability of their drives.

      http://arstechnica.com/information-technology/2016/02/hgst-hard-disks-still-super-reliable-seagates-have-greatly-improved/

      Too bad they didn't put that same level of effort into their security model when disallowing the end user to secure a NAS device properly.

      Tends to highlight the best practice of inviting Common F. Sense to your design meetings.

    12. Re:That's not even the worst part by Billly+Gates · · Score: 1

      It is 2016. Who uses mechanical disks anymore?

      I own a Seagate drive which still works. Reason being is it is for storage and not booting or running apps. I read files every once in a while for linked folders for my VMs which never stresses it, and that keeps it alive.

      The only people who use mechanical disks or for storage. Not running apps or booting here in 2016 so I think they are irrelevant

    13. Re: That's not even the worst part by Anonymous Coward · · Score: 0

      I have purchased quite a few Seagate drives in the past 6 years, and all of them are now dead - most before they were online for 3 years.

      Anecdotal I know, and a small dataset for me as well, but I purchased a Seagate drive and it lasted less than a year. I have not purchased any more Seagate drives. I agree with your "crap drives" conclusion.

    14. Re:That's not even the worst part by Anonymous Coward · · Score: 0

      The only people who use mechanical disks or for storage. Not running apps or booting here in 2016 so I think they are irrelevant

      Mental note: Do not rely on you for information. While everything is certainly heading that way, your statement is incorrect.

    15. Re:That's not even the worst part by Solandri · · Score: 2

      Most of Seagate's poor reputation is due to a couple bad drive models from around 2010. Their current lineup has above-average reliability (WD's is worse).

      I've actually been steering people away from WD drives lately. They've started adding very aggressive head parking timeouts to their firmware. So far, I know all their laptop drives and their 3.5" green drives are affected. I'm starting to suspect their 3.5" blue drives are as well. The drive's built-in firmware will park the heads after about 10 seconds of inactivity. Windows seems to consider pagefile access to be critical priority. So if you have a pagefile on the drive and it parks the heads, the next time Windows tries to access the pagefile the entire OS will freeze for a fraction of a second as it waits for the heads to unpark. I've helped "fix" dozens of cases of microstuttering in games caused by this. (Move the pagefile off the drive, or disable the drive's APM if it's your only drive.)

    16. Re: That's not even the worst part by Anonymous Coward · · Score: 0

      WD Reds ftw.

  5. BUILD your own NAS by stikves · · Score: 4, Informative

    It is not difficult to set up http://www.freenas.org/ on a small server machine, and benefit from FreeBSD security with no (known) backdoor accounts. If you're really serious get a proper NAS motherboard with ECC RAM (if you're not using ECC RAM, then it means you're not very serious with your data anyway), which won't cost you more than $500 with the case and the PSU.

    Of course if you're unable or unwilling to secure your box, accept that anything on the Internet is wide open, and buy (rent) online storage from Amazon, Box, or somewhere similar. Amazon gives free unlimited backup account with prime (which is around $99)

    1. Re:BUILD your own NAS by jtmach · · Score: 4, Informative

      Amazon gives free unlimited backup account with prime (which is around $99)

      I checked on this because it sounded too good. Here's what I found.

      Your Amazon Prime membership comes with Amazon Prime Photos, unlimited photo storage and 5 GB for videos, music, and other files.

      Unlimited backup of any files is $60 a year.

    2. Re:BUILD your own NAS by thegarbz · · Score: 1

      That depends, there's an incredibly large amount of media that will tolerate a flipped bit. There are a large number of solutions out there to checksum and recover corrupted data. The odds of an ECC error causing disk corruption are quite low. To be honest there's a lot of things I would look at before throwing out everything just to get some ECC RAM.

      Speaking of throwing everything out, no need to go balls out with FreeNAS and dedicated machines. Installing Seattle or ownCloud would be a good stop gap for people who are looking for cloud features without setting up their own full blown NAS.

    3. Re:BUILD your own NAS by radarskiy · · Score: 1

      "won't cost you more than $500 with the case and the PSU."

      If drives and your time are free.

      "Amazon gives free unlimited backup account with prime (which is around $99)"

      If all you have to back up are pictures.

    4. Re:BUILD your own NAS by Mashiki · · Score: 1

      Not even so much. I think the cost of the last one I built was $50, because I needed a power supply. Everything else was from components which were sitting around, old Intel E5300 for the CPU. Free ECC RAM from a company going out of business. Bunch of 1-2TB drives leftover from upgrades, old case laying around. Motherboard had onboard video but it was flaky, so I slapped in an old PCI video card. 20 minutes to set up. Got ambitious a few years ago and picked up a couple of PCI SATA drive controllers that supported hotswap for $45 each, now have a 20TB file backup system and it's still a chugging along.

      --
      Om, nomnomnom...
    5. Re:BUILD your own NAS by NotAPK · · Score: 1

      This article suggests that ECC should be used more than it is. While yes, a single bit error won't matter at all to an MP3 or a movie file, single bit errors can ruin JPEG files pretty easily, or corrupt a Word document. The point is you don't get to choose where the error will occur, so you have to assume it will happen in the worst possible place. There is a reason ZFS systems should have ECC memory.

    6. Re:BUILD your own NAS by dbIII · · Score: 1

      If drives and your time are free.

      It's a distro where you pretty well just tick boxes you want and get something that works out the other end. No mucking about with driver disks so in a lot of cases much easier than installing MS Windows.
      Other people already put in the time and drives are a lot closer to free than they used to be.

    7. Re:BUILD your own NAS by Mashiki · · Score: 1

      The reality is ECC vs non-ECC is basically a speed and price point issue for most people. If you're doing something that's absolutely critical and you can't afford the possibility of any type of RAM corruption screwing things over for you, then ECC is the way to go. Anything else? You're looking at easily 1/3 or 1/8th the price (depending on where you live) for non-ECC vs ECC and more capacity. On top of that with speed? Parity checksums within current RAM configurations are good enough whether it be for a home desktop or an 8-way SLI array of video cards.

      --
      Om, nomnomnom...
    8. Re:BUILD your own NAS by Lord+Crc · · Score: 1

      You're looking at easily 1/3 or 1/8th the price (depending on where you live) for non-ECC vs ECC and more capacity.

      Where I live ECC costs about 30% more than non-ECC, and with RAM prices being so low these days, this is more than affordable for the extra safety ECC brings.

      The bigger issue is with the cost of motherboards and CPUs which support ECC.

    9. Re:BUILD your own NAS by Anonymous Coward · · Score: 0

      So, where on earth can you get a (non-server) motherboard that supports ECC RAM?

      I happened to luck out and find a Gigabyte AM2+ ATX board that had support, but that was six or seven years ago.

    10. Re:BUILD your own NAS by Anonymous Coward · · Score: 0

      Eh, just name them all filename.ext.png and you should be good to go. Or you can get really good with steganography.

    11. Re:BUILD your own NAS by Mashiki · · Score: 1

      The bigger issue is with the cost of motherboards and CPUs which support ECC.

      Not bad on the prices, better than around here. Sad I can remember when ECC support on motherboards and CPUs was pretty much standard. But if you're looking Intel, anything higher than the Haswell architecture supports it and on the AMD side all AM2 and AM3 processors except APUs support it (if I'm remembering right).

      --
      Om, nomnomnom...
    12. Re:BUILD your own NAS by thegarbz · · Score: 1

      The reasons ZFS should have ECC memory is the same reason as your former line that you "assume the worst". ZFS does not need ECC memory any more than any other file system. The point is that ZFS with it's ultimate of data integrity can only ensure this integrity 100% if you use ECC. This is similar to a swiss cheese model used in industry to prevent an undesirable event. Each is a new mitigation. Only with every mitigation in place do you have perfect coverage, that does not mean that every single person needs to close every hole.

      If I lost all my data tomorrow I would be extremely pissed, but it won't kill me. If Amazon did so it would put thousands of people out of work. The average home use does not have critical requirements on their data. If you told me "I'm going to corrupt a random file on your harddrive right now" I would be unlikely to blink an eye, even if I didn't have backups. There's not a single thing I can think of that wouldn't be more than an annoyance.

      Yet that is exactly what you prevent with ECC. Now if you said ECC is a requirement to prevent complete and total dataloss on my drive, that would be a different story, but it's not and the odds of that happening in any unrecoverable way are so close to zero that I'm more worried about a terrorist bombing this tiny hotel in the middle of nowhere where I'm currently typing this from.

      Now I say all of this as someone who has ECC RAM in my machine at home. Not because of any risk reason, but because the price didn't make it unreasonable and my motherboard was fussy enough to need it. But in the grand scheme of things 80% of data loss can be saved by backups, 19% on top of that by RAID1, 0.9% of that by fault tolerance built into your system (e.g. ZFS), and then 0.01% of that by ECC. These numbers are made up but the law of diminishing returns is incredible.

  6. Re:Funny how Slashdot users are okay with criminal by Tablizer · · Score: 3, Informative

    The criminals are in shady and desperate corners of the world and it's unlikely we can do much about them. Control what you can control, though, and don't do known risky things.

  7. 86,400 by Anonymous Coward · · Score: 0, Offtopic

    What is the number of seconds in a day?

    That is correct. (applause)

    Geek trivia for $200, Alex.

  8. IoT Uber Alles by Anonymous Coward · · Score: 0

    Ahhh, the Internet of Things ... what could possibly go wrong?

    1. Re:IoT Uber Alles by Yvan256 · · Score: 1

      Oh, so that's what it means. I thought it meant Internet of Twits.

  9. Just buy a Synology raid by Anonymous Coward · · Score: 0

    Nah, just buy a Synology RAID NAS, just because Seagate are a joke, doesn't mean all vendors are. (QNAP are supposed to be good too, but I've never used it myself).

    1. Re:Just buy a Synology raid by dgatwood · · Score: 1

      SynoLocker.

      NAS systems should generally be behind a NAT firewall unless attached to a hardened server, and hardened servers in the DMZ should be kept up to date religiously. If you want to use a NAS remotely, you should VPN into your network.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    2. Re:Just buy a Synology raid by Anonymous Coward · · Score: 0

      "should be kept up to date religiously"

      i.e. check the "autoupdate" option so you don't get hit with exploits that were patched 2 years earlier. That's what SynoLocker used, an old exploit in Synology's DSM. The advice you give is good advice, but well supported by Synology raids (+QNAP?). Just quit buying shit NAS servers!

      From the description of this Seagate NAS, it opens anonymous FTP with a writeable public folder always, it sounds like an utter piece of shit. Really get yourself the cheapest Synology raid you can, stick a couple of drives in it as RAID 1, and don't waste your time with the shit NAS boxes.

      Of those 'shit NAS', I have personal bitter experience of "Zyxel" : after a power cut would not start up, so could never run disk recovery, all data lost. "Dlink Share center": utter piece of shit, I put Archlinux on it and use it as an rsync box now.

      Of the good RAIDs, Synology is the one I use in my homes (it runs the security cameras too, and VPNs into each other for offsite backups). The reviewers who give Synology a good review often give QNAP a good review too, so I assume they're decent too.

    3. Re:Just buy a Synology raid by mlts · · Score: 1

      SynoLocker is an old issue, with DSM 5.x and 6.x patching it, and future items get autopatched if one turns that on during initial setup (the default is to auto install security patches). It also is wise to not have your internal NAS devices on the Internet (mine have a firewall script that allows incoming from the local segment, outgoing to Synology's patching sites, and blocks all other traffic.) It also is wise to use the Hyper Backup utility to back data up to somewhere (external HDD, cloud provider, etc.), preferably using encryption.

      There isn't anything wrong with using unRAID, FreeNAS, or another utility. However, the main reason I use Synology products (QNAP is another good maker that tends to have an edge on hardware for the same price), is wattage use. The two I have use at most 40 watts, and significantly less than that when idle. A modern PC is thrifty on power, but having an ARM appliance is also quite nice. Of course, the PC gives a lot of flexibility, but having a NAS designed from the ground up, hardware and software for the dedicated purpose doesn't hurt either.

      The price is right as well. I picked up a two drive unit with an ARM CPU for about $150, added drives, and it has been running 24/7 quite reliably.

    4. Re:Just buy a Synology raid by Anonymous Coward · · Score: 0

      "However, the main reason I use Synology products...is wattage use."

      The main reason I use mine is updates. Rolling your own is fine, but can you get decent repositories with fast updates for every security issue? As soon as it becomes a manual job, you probably won't keep it up to date. I really don't want to keep on top of all the latest security issues, I'll leave Synology to do that.

      The mobile apps are nice too (DS Video, DS Download, DS File, DS Cam, DS Photo... probably a few others), you don't get a coherent set of matched mobile apps, web interface, media interfaces, etc. with a roll your own solution.

      GP doesn't need to use a PC as a base to roll his own, he could get a NAS box and install Archlinux on it or similar, that way he gets the lower power and neat little box. But I f**ing love my Synology boxes, he just hasn't tried them yet.

    5. Re:Just buy a Synology raid by mlts · · Score: 1

      I agree with you. I have had very good luck with the apps Synology has. The Git app, though bare-bones, is useful. The Hyper Backup function works with many sources (especially with something like Amazon Cloud Drive that provides unlimited storage), the device easily supports 2FA (I just copy my google-authenticator file to /usr/syno/etc/preferences/, and the web server will ask for the Google Authenticator ID. SSH can be locked down as well.)

      For a NAS, it is surprising how much stuff the Synology (and the QNAP offerings as well) support.

    6. Re: Just buy a Synology raid by Anonymous Coward · · Score: 0

      Running a NAS without a UPS is not good practice.

  10. Monero? by Anonymous Coward · · Score: 0

    Why mine a crypto-currency that is nearly two years old? Why not mine something else, what made them choose Monero?

    1. Re:Monero? by Anonymous Coward · · Score: 0

      From their website http://getmonero.org they have both fully private and untraceable currency. This offers 100% fungibility which Bitcoin lacks and thus the criminals will have far less trouble cashing out. No wonder dark markets started using the currency as well.

      PRIVATE
      Monero uses a cryptographically sound system that allows you to send and receive funds without your transactions being publicly visible on the blockchain (the distributed ledger of transactions). This ensures that your purchases, receipts, and other transfers remain private by default.

      UNTRACEABLE
      By taking advantage of ring signatures, a special property of certain types of cryptography, Monero enables untraceable transactions. This means it's ambiguous which funds have been spent, and thus extremely unlikely that a transaction could be linked to a particular user.

    2. Re:Monero? by Anonymous Coward · · Score: 0

      Monero enables untraceable transactions. This means it's ambiguous which funds have been spent, and thus extremely unlikely that a transaction could be linked to a particular user.

      Ah, ideal for transactions of the type "now transfer all your monero funds into my account, or I fire this sawn-off shotgun in your face". Can't be traced, no proof that such a transaction took place. Especially if I immediately transfer the money elsewhere. . .

  11. Re:Funny how Slashdot users are okay with criminal by Anonymous Coward · · Score: 0

    VICTIM BLAMING!!!!!111!!!

  12. Re:Funny how Slashdot users are okay with criminal by Anonymous Coward · · Score: 0

    Not only are they criminals they're mind-numbingly stupid ones. Ignoring that outside of tech and their drug dealers no one uses any cryptocurrency, who the fuck mines a cryptocurrency nobody has ever heard of? These microcephalic monkeys have "$86,000" of Moneria less whatever some not-so-bright neckbeards have purchased.

  13. New Overlords, same as old overlords by Anonymous Coward · · Score: 0

    Another day another massive Seagate failure. What year is it?

  14. Re:Funny how Slashdot users are okay with criminal by mlts · · Score: 5, Interesting

    The criminals are virtually untouchable:

    1: They are likely in countries of the world that have zero interest in turning them over for justice. In fact, they may be regarded as folk heroes or equivalents of Robin Hood, taking money from corporations or countries and bringing it to the region.

    2: They are likely using employees to do the dirty work, with plenty of anonymity between them and the higher ups.

    3: Malware can be traced, and a lot of people suggest origin, but code can be edited and spread anywhere in the world, so code that originally came from Latveria can be used and abused by people from Lower Elbonia, and if distribution is done, the whitehats may never know the real origin.

    4: Compromising an endpoint isn't too difficult these days. If someone hacks a wi-fi router and compromises a home computer, all it takes is deleting the offending stuff securely, and that becomes a dead end.

    5: For every one criminal, there are others behind them.

    6: LEOs have many cases on their hands. It might be doubtful they may have the resources to handle anything but the big names, so chasing after every bad guy would be about as fruitful as chasing every pot smoker in the US.

    Going after criminals is nice, but that is a game of whack-a-mole. Unfortunately, computer security is a defensive war, but there are useful tools on the whitehat end which can help mitigate attacks.

    Long term, it may not be something that is wanted in any shape or form, but I think what may end up happening is that countries themselves will demand control of the routers that go from one nation to another and enforce rules there. China has that, Iran is building it, and other countries are looking into blocking at their virtual borders, just like physical borders. It might be a token thing now, but as time goes on and money is put into it, it may become something all countries have in place, just so another country that has IP ranges that are hotspots for attack are blocked there, so every single Internet entity in the nation wouldn't have to deal with them.

  15. LOL by Anonymous Coward · · Score: 0

    5,000 represents 70%? That's hilariously low and not newsworthy.

    1. Re:LOL by HBI · · Score: 1

      It's a drive no one in their right mind would buy, and an off-brand cryptocurrency with no mindshare. I didn't even know it existed until this article.

      This story really is a nothingburger.

      --
      HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
    2. Re:LOL by Anonymous Coward · · Score: 0

      It appears each unit of the "off-brand cryptocurrency" (Monero) is worth USD $11.82 as of this writing. Criminals aren't historically renowned for being terribly picky about their currencies, either...they tend to simply convert between them as they find necessary/convenient. I don't understand why people find this concept so difficult to understand in a digital context, especially given the reality that even contemporary fiat currencies are truly only numbers in computers backed by navies and armies. The value here isn't in what's being held long term, it's in short term portability/liquidity. -PCP

    3. Re:LOL by HBI · · Score: 1

      I don't understand why you question the true, obvious statement that a currency, to be viable, must have people willing to change it into other currencies. Real world currencies, or the cryptocurrency is worthless. If you're relying on someone being foolish enough to be willing to pay real money at some arbitrary rate for a virtually unknown cryptocurrency, I fear disappointment in the long run. The supply of fools may be endless, but the supply of cash backing said fools is finite.

      --
      HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
    4. Re:LOL by lgw · · Score: 1

      The currency needs to be viable only for the 5 minutes between mining it and exchanging it. Or, for darknet purchases, for the few minutes between buying it for real money, and buying drugs with it. This is just criminal activity we're talking about - no one cares if the currency will even exist a week from now. If it meets their needs this hour, it's fine. Easier to use online than Tide, after all.

      --
      Socialism: a lie told by totalitarians and believed by fools.
  16. Re:Funny how Slashdot users are okay with criminal by AHuxley · · Score: 1

    From the NSA on a HD under EquationDrug or GrayFish https://www.wired.com/2015/02/... (02.22.15) to other strange software getting in...
    If we had better encryption, networking tools, smarter academics in the private sector, computer experts working on networking issues like this then we could all sit back, buy with confidence from any big brand.
    With better standards the internet community can restore storage options to being useful again and not an open door for any gov or malware attempt.

    --
    Domestic spying is now "Benign Information Gathering"
  17. Best protection by Anonymous Coward · · Score: 0

    Throw the Seagate in the garbage and buy a Dropbox subscription. Chalk the cost up to a lesson learned about consumer electronics companies and security.

    1. Re:Best protection by Anonymous Coward · · Score: 1

      Yeah because we all know how secure the Cloud is...

    2. Re:Best protection by Anonymous Coward · · Score: 0

      The cloud's security is fantastic relative to shitty consumer electronics.

      Once legislation is in place that requires cloud storage to provide encryption keys to the government, then it won't be so great, but we have maybe 4-5 years before that happens.

  18. Laws by bestweasel · · Score: 2

    Are there no laws to force electronic manufacturers to fix these devices, in the same way that other manufacturers are forced to fix faults? Cyber security is supposed to be really important now with important people forming important committees and yet insecure devices are being sold, not fixed and not recalled even after manufacturers have been informed of their failings.

    It seems rather lopsided when a hacker is sent to jail for poking holes in an insecure voting website but Seagate can just throw their hands in the air and say, hey, these thousands of devices are nothing to do with us now. How many compromised devices are funding terrorism and other criminal activity? Maybe ISIS are mining these coins.

    1. Re:Laws by Anonymous Coward · · Score: 0

      hahaha

      Laws for the corporate overlords?

      When they own your "justice" system outright?

      HAHAHAHAHAHAHAHAHAHAHAHA

  19. Reminds me of by castus · · Score: 1

    https://blog.filippo.io/so-i-l...

    TL;DR: jump to Chapter IV

  20. No Surprises, installing a NAS can cause havoc by Anonymous Coward · · Score: 0

    I've in the last week or so installed a dns-320l by dlink for shared folders and auto backups in my small office. Being available across the internet has its attractions so I set up a mydlink account to provide access via the web...

    Which worked. However after a bit of analysis I found that when accessing the drives remotely I was not using an encrypted channel through the mydlink servers, it was connecting to the drive using my home IP address.
    Some sort of handshaking and hand off occurs.

    But how did my laptop attach itself to my nas box through the firewall?
    When I'm locally attached I can access my box using its local ip on port 80 to access the webgui.
    Lo and behold I can attach to my NAS using port 80 remotely as well using my public ip.

    Log in to my router to check its firewall is set up properly.
    There are no exceptions. So no incoming connections are allowed. So why is it not dropping the packets. After much head scratching I found the upnp setting hidden in the menu, on. This is the default on a dgn22000v3 and I wouldn't be surprised if that is true on most consumer routers.

    So rather than setting up a ssl channel via the mydlink servers that remote access tunnels through, it punches its way through firewalls that have upnp switched on. Very easy to set up, but kind of like sticking your butt out a car window with "spank me" written across your cheeks.

    The only way to turn off (as far as I can tell) this is by not giving the NAS the mydlink login data on initial set-up. And just in case turning off upnp on the router (which had I known would not have been on in the first place).

    Makes me wonder with all these other Cloud attached NAS boxes whether they are actually doing anything securely at all?

    Apart from this, the 50 quid box actually seems rather capable with a bit of hacking. A bit like a Raspberry Pi of the NAS world.
    But caveat emptor....
    YMMV.... etc.
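
The hole the post describes is a UPnP IGD port mapping the NAS requested from the router. The audit below is an added example, not code from the post or from D-Link or Synology: it builds the standard IGD `GetGenericPortMappingEntry` SOAP request and parses the reply, walking the mapping table index by index until the router returns a fault, so an owner can see exactly which internal hosts and ports UPnP has exposed. The XML replies are constructed samples (the `192.168.1.50` NAS address and "NAS web admin" description are made up); the HTTP transport to the router is left out so the block runs offline.

```python
"""Offline audit helper for UPnP IGD port mappings (added example, not from the post)."""
import xml.etree.ElementTree as ET
from typing import List, Optional

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
IGD_SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"  # standard IGD service type
ACTION = "GetGenericPortMappingEntry"


def build_request(index: int) -> str:
    """SOAP body asking the IGD for the mapping at table position `index`.
    A router answers with a SOAP fault (UPnP error 713) once the index is past the end."""
    return (
        '<?xml version="1.0"?>'
        f'<s:Envelope xmlns:s="{SOAP_NS}" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:{ACTION} xmlns:u="{IGD_SERVICE}">'
        f"<NewPortMappingIndex>{index}</NewPortMappingIndex>"
        f"</u:{ACTION}></s:Body></s:Envelope>"
    )


def parse_mapping(soap_xml: str) -> Optional[dict]:
    """Return one mapping from a GetGenericPortMappingEntryResponse, or None on a SOAP fault."""
    root = ET.fromstring(soap_xml)
    if root.find(f".//{{{SOAP_NS}}}Fault") is not None:
        return None
    resp = root.find(f".//{{{IGD_SERVICE}}}{ACTION}Response")
    if resp is None:
        return None
    # Argument elements are unprefixed in IGD replies, so their tags carry no namespace.
    fields = {child.tag: (child.text or "").strip() for child in resp}
    return {
        "external_port": int(fields["NewExternalPort"]),
        "protocol": fields["NewProtocol"],
        "internal_client": fields["NewInternalClient"],
        "internal_port": int(fields["NewInternalPort"]),
        "description": fields.get("NewPortMappingDescription", ""),
    }


def walk_table(replies: List[str]) -> List[dict]:
    """Consume replies for index 0, 1, 2 ... and stop at the first fault, as a real client would."""
    found = []
    for reply in replies:
        mapping = parse_mapping(reply)
        if mapping is None:
            break
        found.append(mapping)
    return found


def risky_mappings(mappings: List[dict], watched=(21, 22, 23, 80, 139, 445)) -> List[dict]:
    """Flag mappings that expose admin or file-sharing ports (the post's case is port 80)."""
    return [m for m in mappings if m["internal_port"] in watched]


# Constructed sample replies: one mapping for the NAS web GUI, then the end-of-table fault.
SAMPLE_MAPPING = f"""<?xml version="1.0"?>
<s:Envelope xmlns:s="{SOAP_NS}"><s:Body>
<u:{ACTION}Response xmlns:u="{IGD_SERVICE}">
<NewRemoteHost></NewRemoteHost><NewExternalPort>80</NewExternalPort><NewProtocol>TCP</NewProtocol>
<NewInternalPort>80</NewInternalPort><NewInternalClient>192.168.1.50</NewInternalClient>
<NewEnabled>1</NewEnabled><NewPortMappingDescription>NAS web admin</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration>
</u:{ACTION}Response></s:Body></s:Envelope>"""

SAMPLE_FAULT = f"""<?xml version="1.0"?>
<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><s:Fault><faultcode>s:Client</faultcode>
<faultstring>UPnPError</faultstring></s:Fault></s:Body></s:Envelope>"""

if __name__ == "__main__":
    for m in risky_mappings(walk_table([SAMPLE_MAPPING, SAMPLE_FAULT])):
        print(f"WAN :{m['external_port']}/{m['protocol']} -> {m['internal_client']}:{m['internal_port']}  ({m['description']})")
```

Against a real router, each `build_request(i)` body is POSTed to the WANIPConnection control URL from the IGD description document with the matching SOAPAction header; the replies then feed `walk_table` unchanged.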

    1. Re:No Surprises, installing a NAS can cause havoc by Anonymous Coward · · Score: 0

      Replying to self

      It appears that synology boxes do a similar thing (using random ports) using upnp if it can otherwise it relays via the synology servers:

      https://global.download.synology.com/download/Document/WhitePaper/Synology_Cloud_Station_White_Paper.pdf
      http://global.download.synology.com/download/Document/WhitePaper/Synology_QuickConnect_White_Paper.pdf

      I'd check to make sure it's not also opening itself up for problems in other ways whilst it does this, at least it has documentation of sorts...

  21. Is it worth of it ?!? by ctrl-alt-canc · · Score: 2

    I was considering that, after all, they earned (ahem...) up to now "only" 86,400 USD. To do this probably more than one person was involved, so halving as a minimum the income for each person taking part in the dirty work. Since by doing this these people demonstrated some good programming and organizing skills, why didn't they put their skills to good use working as a consultant or starting a software company? I know, you have to deal with IRS, balances, maybe PHBs, and all the bureaucracy that affects good companies. On the other side, if you get caught your work is rapidly destroyed, and if identified you get a fine, maybe some jail or probation time, and you are known forever as a bad guy. Is it really worth it?

  22. real criminals do politics. by Anonymous Coward · · Score: 0

    The internet is incompatible with the hierarchical structures of governance. The hierarchical structures of governance will have to be destroyed.

      Just because you insist on a distinction between criminal and businessman, does not make the distinction more real. It's all the same.

  23. Re:Funny how Slashdot users are okay with criminal by bjwest · · Score: 1

    Who would you blame if auto manufacturers didn't offer door locks on your car and someone took all your stuff? Or they did put locks on but the key would open all the doors of each model, or even made it where attempting to open the door actually unlocked the door.

    I'm sorry, but the manufacturers (not the vendors, Best Buy is a vendor, Seagate is a manufacturer) are responsible for poor/no security on their devices, and until we start holding them legally and financially responsible, breaches like this won't change.

    --

    --- Keep the choice with the user..