Put those aquarium controllers on a guest network

rygh

Fun news from a few days ago: A casino was hacked by an aquarium thermometer.
https://thehackernews.com/2018/04/iot-hacking-thermometer.html

Ok, unlikely to happen to you.
But poor software is very likely.
Most routers have a guest network option, to allow devices on the internet, but not on your internal network.
A suggestion is to use that feature for Apex, lights, and so on.

Also, you can sometimes make the guest network 2.4 GHz only, leaving the 5 GHz band
for your computers that need the higher bandwidth.
 
Well, what they fail to mention is that most of the IOT devices are hacked because someone opened a port for them to be accessible from the outside. Devices like Apex or Nest do not do that. Your data is proxied through their infrastructure, which would have a higher bar for infiltration.

In short, if any device requires you to open up the firewall to operate, run away.
 
I think I'm gettin' old! The only part of this I understand is "run away"
 
"Run away" may not be a bad plan. A lot of things go "IOT" just to check off the buzzword, and don't really need it.

Note that some devices, particularly really cheap video cameras, have had viruses installed on them when you get them.

Is Apex specifically risky - no.
Possibly susceptible to DNS spoofing, may have a bug or two, and who knows how old the OS network stack is they are using.
But in reality, almost certainly very low risk.
 
For the older crowd, "IOT" stands for "Internet of Things". All those consumer devices connected to your home network are part of the IOT.
Also, an open network port on one of these devices is similar to leaving your front or back door open.
 
So does this mean that since my daughter has an Alexa device in the bathroom that Mark Zuckerberg is able to track my family's bowel movements :eek:
 
Well, the echo cancellation hardware might get confused if you toot really loud in the bowl.
:)

But really - they could probably calculate fiber content, bladder size, and a few other things, just from audio.
 
Well, what they fail to mention is that most of the IOT devices are hacked because someone opened a port for them to be accessible from the outside. Devices like Apex or Nest do not do that. Your data is proxied through their infrastructure, which would have a higher bar for infiltration.

In short, if any device requires you to open up the firewall to operate, run away.

I'm in tech and I don't agree. Many of my company's products require that Enterprise "opens" a port on a firewall; in fact, we have an entire list of ports that need to be opened. It is an incredibly common practice and a necessity depending on how the firewall is initially configured. Also, any time data is "proxied through their infrastructure," which I'm not sure if you mean they are actually proxying data or accessing applications/compute (i.e., Cloud), you are 100% relying on that company's best practices and investment in their own security design. Now, if you talked to the same InfoSec teams for some of the companies that I work with, you'd realize that, well, that's not always the best or most secure option.

Equifax ring a bell? (NOT my customer)

When configuring a device that you don't trust for a wireless connection, you want to put that device on a separate SSID that is running NAT mode. This way, client devices receive IP addresses in an isolated network. Now - I'm no systems engineer, but as a sales guy I've paid attention over the years ;) FYI - This is what I did with my Arlo Pro camera system, the way they "protect" you is by creating a hidden SSID with their wireless router...unreal.

The article is incredibly eye opening - I attended RSA this week so security is fresh on the mind. It is amazing with what is possible out there and how creative hackers have become. The truth here is that if someone wants access to your information and it is being passed wirelessly, hope you've got the right amount of encryption running, because chances are that information is easily accessible. They won't need a silly aquarium computer to gain access.

I run nearly all my traffic through a VPN, which is sitting behind an Enterprise firewall with some pretty dope Zero Day exploit malware and IDS/IPS technology. That being said - I still am concerned about data privacy because it is so difficult to maintain. One cool thing out there - there are more and more consumer options for VPN proxies, they started out to hide consumers information from the movie and music industries, but now are being used for public protection when surfing the net at Starbucks.

Also! A free technology solution for all of you that costs my customers a lot of money - point your DNS at Cisco Umbrella for free! https://deployment-umbrella.readme.io/docs/point-your-dns-to-cisco
 
I have been looking at getting a VPN lately. I have read a few things in the last week showing some VPN services bleeding your IP address to the public in certain conditions.

Do you have one to recommend?
 

Correct me if I’m wrong but IOT should be behind your firewall. Unless it requires an outside connection, no ports need to be open through your firewall.

 

You are correct, if the device doesn't need to reach out to the internet, it doesn't need any "open" ports. However, opening a port on a firewall doesn't mean that it simply allows any traffic through that port. There has to be a request from inside of the network out, not the other way around. That is how they work.

In this article, the IOT device WAS behind the firewall. That is the difficulty with security today - everyone in Enterprise has badass firewalls - Cisco, Palo Alto Networks, Check Point, Juniper, Fortinet - I can go on and on. The challenge is the dynamic nature of the devices connecting to those networks, especially when "behind" the firewall. If you're a trusted device with no NAC policy in place, what is to stop you from accessing a database? Simple network segmentation is not enough; you can easily mask as an "approved" 3rd party device to jump VLANs.

The issue with IOT, especially ones that communicate via RF (WiFi) is that they act as a gateway behind your firewall to the internal network. Think of it like a wide open side window on your house when the front door has 10-pad locks and a security camera.

And, let's compound the issue - encrypted traffic is flowing over Enterprise networks more and more, and the resources to decrypt this approved traffic AT the firewall are essentially non-existent. More malware threats are polymorphic, and when they are encrypted, they become zero day exploits without ANYONE being able to detect them...That outbound request? Totally encrypted. Challenging stuff!
 
I have been looking at getting a VPN lately. I have read a few things in the last week showing some VPN services bleeding your IP address to the public in certain conditions.

Do you have one to recommend?

I don't - I am usually connected to my corporate VPN 100% of the time. I've seen some advertisements out there, but be really careful who you trust your data with. Once it is on their network, they have access to it.

Honestly - a huge upgrade that is free is simply point to Umbrella's DNS servers instead of unknown DNS servers. Want a funny fact? Umbrella WILL NOT allow me to connect to nano-reef.com...lol

-Mark
 
I guess you can just deny all outbound traffic on that guest network or isolated network for those devices.

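Putting the thread's advice together as an added example (not code from the forum or from any controller vendor): a small Python model of a home firewall with a trusted LAN, an isolated guest segment for the aquarium controllers, and a connection table, so an "opened" port only admits return traffic for flows that were started from inside, and the guest segment gets deny-all outbound except the vendor's cloud. The addresses, the vendor range and the sample packets are constructed.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed addressing for the example (not from the thread). 203.0.113.0/24 is
# documentation space standing in for the controller vendor's cloud.
LAN = ip_network("192.168.1.0/24")           # computers, NAS: the trusted segment
IOT = ip_network("192.168.50.0/24")          # guest/isolated SSID: Apex, lights, cameras
VENDOR_CLOUD = ip_network("203.0.113.0/24")  # the only internet destination the IoT segment may reach

Flow = namedtuple("Flow", "src sport dst dport proto", defaults=("tcp",))

def zone(ip):
    addr = ip_address(ip)
    return "lan" if addr in LAN else "iot" if addr in IOT else "wan"

class StatefulFirewall:
    """Default-deny policy plus a connection table: reply packets pass only for flows
    opened from the inside, so an 'opened' outbound port never lets the internet start a connection inward."""
    def __init__(self):
        self.established = set()

    def _new_flow_allowed(self, f):
        s, d = zone(f.src), zone(f.dst)
        if s == "wan":                  # unsolicited inbound from the internet: never
            return False
        if s == "lan":                  # trusted segment may reach the internet and the controllers
            return True
        if d == "lan":                  # isolated segment must not reach the LAN (the "side window")
            return False
        # deny-all outbound for the isolated segment, except the vendor cloud over TLS
        return ip_address(f.dst) in VENDOR_CLOUD and f.dport == 443 and f.proto == "tcp"

    def check(self, f):
        if (f.dst, f.dport, f.src, f.sport, f.proto) in self.established:
            return "accept-established"  # reply to a flow the inside initiated
        if self._new_flow_allowed(f):
            self.established.add((f.src, f.sport, f.dst, f.dport, f.proto))
            return "accept-new"
        return "drop"

def evaluate(flows):
    """Run a packet sequence through a fresh firewall; order matters for replies."""
    fw = StatefulFirewall()
    return [fw.check(f) for f in flows]

# Constructed traffic: controller phoning home and the reply, an internet scan, the
# controller probing the NAS, a stray DNS lookup, a computer opening the controller's web UI.
SAMPLE = [Flow("192.168.50.10", 51000, "203.0.113.5", 443), Flow("203.0.113.5", 443, "192.168.50.10", 51000),
          Flow("198.51.100.7", 40000, "192.168.50.10", 80), Flow("192.168.50.10", 51001, "192.168.1.20", 445),
          Flow("192.168.50.11", 51002, "8.8.8.8", 53, "udp"), Flow("192.168.1.20", 52000, "192.168.50.10", 80),
          Flow("192.168.50.10", 80, "192.168.1.20", 52000)]
```

`evaluate(SAMPLE)` yields accept-new, accept-established, drop, drop, drop, accept-new, accept-established: the controller can reach its vendor and answer your computer, but nothing from the internet or from the controller itself gets a foothold on the LAN.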
 
Slightly off topic but not too far off... my buddy was teaching me about hacking and cyber security a while ago. He told me to never auto connect to free public WiFi, and then proceeded to show me why. He had what I believe he called a pineapple server in his backpack. He named it Starbucks WiFi, so people that had auto connect on would connect to his pineapple server. Then, from his computer, he was able to open up command prompt and check out everyone's info (IP address and the like, I believe). Funny thing is, I noticed this old man turn his laptop away from us, and soon after, command prompt would close every time my buddy opened it. The old man was onto my friend, and somehow shut down his operation lol
 
Oooh... love seeing my favorite things combined -- reefing and cybersecurity!!

My non-reefing hours are spent faking a job in cybersecurity. :) how deep into the rabbit hole do you guys wanna get? Lol.

So, I run a bunch of Aqamai devices which are all IOT that have their own local access points you connect to. They were pretty harmless, but a recent update lets you control the devices from anywhere in your network. So, I will segment them off into their own little area when I get around to doing the update.
 