Home Network Question

[video321]

That said, my SSID is hidden and I currently have no encryption or other setup. So if any of you wants to sit in my driveway and guess around for a while as to what my SSID is, you would be free to use my internet connection if you figured it out

Don't take this as an attack, but that is being absolutely naive.
Figuring out an SSID is the easiest part of getting into a network. In fact it is so easy it makes no sense to disable it and only complicates things when trouble shooting a client's wifi issues. Maybe you shouldn't be worried about someone getting into your HA server or free Internet and more worried about what someone may be doing with your Internet when they go get in....easily. Do you really want to try to explain to the FBI that you weren't the one DL'ing all that warez or on child pr0n sites????

 

[video321]

Exposing your home automation webserver isn't just a security issue. What if there is a worm outbreak, which scans machines really aggressively, and crashes your home automation server because the internal webserver can't handle that kind of behavior (something similar has happened in the past). Now your home automation is offline, which could become a real problem if you rely on it for critical things (or if you don't want to make the significant other mad ).

As for hiding your SSID, it's useless, your network can still be found. But since you aren't using any encryption, you make it pretty easy for others to get on your network, and snoop your credit card transactions Then you also have to worry about someone using your wifi network to download illegal materials (has happened/been documented), so you really need to be more careful with your wireless.

I would definitely try LogMeIn as well. If the MCE app is HTTP based, then you could set up a reverse proxy, but this is where things get complicated. You could also run an SSH server on that port, and then use SSH port forwarding on the client side to get into any machine you want. Lots of options!

Ha!
I see we where both making the same points at the same time B)

 

[drvnbysound]

Exposing your home automation webserver isn't just a security issue. What if there is a worm outbreak, which scans machines really aggressively, and crashes your home automation server because the internal webserver can't handle that kind of behavior (something similar has happened in the past). Now your home automation is offline, which could become a real problem if you rely on it for critical things (or if you don't want to make the significant other mad ).

As for hiding your SSID, it's useless, your network can still be found. But since you aren't using any encryption, you make it pretty easy for others to get on your network, and snoop your credit card transactions Then you also have to worry about someone using your wifi network to download illegal materials (has happened/been documented), so you really need to be more careful with your wireless.

I would definitely try LogMeIn as well. If the MCE app is HTTP based, then you could set up a reverse proxy, but this is where things get complicated. You could also run an SSH server on that port, and then use SSH port forwarding on the client side to get into any machine you want. Lots of options!

Understood about the said worm outbreak, and I know it is possible, but it hasnt happened yet. Fortunately, I dont think I will, personally, ever rely on a PC for critical things. If it were to fail for whatever reason, I could rebuilt in a matter of hours (if software) or possibly a day or so if new hardware were required. Again, I dont find it as being a HUGE deal - it's just a computer

As far as the SSID hiding. I agree, it can be found/hacked, but it does take someone who knows what they are doing to do it. I think the last reports I read (maybe 6 months ago) said this would take approx. 30 min to do. However, being that there are 4-6 wide open networks that I can find from inside my home (never tried from my front or back yard, but I know there would be more), I do feel like I would have to be targeted. Fortunately, I also have 3 neighbors within 3 houses of mine who are police officers (with patrol cars usually in their driveways), so I feel it's rather unlikely to have a hacker sitting outside my home

 

[electron]

And that's why so many people now have their wireless access point 'listed' in the Google database This probably should be continued in another thread, since I don't want to go off topic, but please secure your Wi-Fi network

GadgetBoy: if you need help configuring some of these solutions, don't hesitate to post.

 

[GadgetBoy]

When you enter the external IP address (from your ISP) now, from a remote location, you said that you are directed to your HS computer... correct? As is, does it require login information to connect to it? If not, can you add it?

Yes, when you hit my IP address remotely, you are forwarded to the HS box and yes, it does require a password. You basically get the Homeseer main page.

 

[GadgetBoy]

Ultimately, there will be two PC's hosting two separate "websites" on my network. One PC (HS) will be hosting the Homeseer application and the other PC (MCE) will be hosting the remote potato application.

I would want to not only be able to access them from work, but also from a mobile phone, remotely while on vacation, etc...

Maybe expose the MCE for media purposes on port 80 and switch the Homeseer box to 8080.

 

[video321]

I wouldn't do that. Like it was said already, either setup SSH or VPN. Neither is difficult and even a PPTP VPN is better than nothing.

 

[video321]

As far as the SSID hiding. I agree, it can be found/hacked, but it does take someone who knows what they are doing to do it. I think the last reports I read (maybe 6 months ago) said this would take approx. 30 min to do. However, being that there are 4-6 wide open networks that I can find from inside my home (never tried from my front or back yard, but I know there would be more), I do feel like I would have to be targeted. Fortunately, I also have 3 neighbors within 3 houses of mine who are police officers (with patrol cars usually in their driveways), so I feel it's rather unlikely to have a hacker sitting outside my home

Again, please don't take this as me picking on you...I'm only trying to educate.
Nobody is sitting in front of your house getting into your Internet. They are quite a distance away, have no idea where you live or how many cops are on your block. They have software that will instantly, not 30 mins, pick up all SSIDs and tell them the security mode. Lookup earlier type hacks of using a pringle can or a staining basket to make home-made long range WiFi antennas.

 

[wuench]

I agree with the others that you should look into a VPN. Since your company blocks ports, your best bet is an SSL VPN since it operates over port 443 and it is very hard to block/interfere with since it is encrypted traffic and commonly used your work can't really distinguish your home traffic from other SSL traffic.

There are several options like OpenVPN but most require you to install a client on your work PC. If you are ok with that then OpenVPN may be the way to go if you are willing to deal with the complexity. OpenVPN will run on ddwrt routers that have enough memory, windows servers, linux, there is even a VMWare appliance VM out there you could load.

An easier option to setup on Windows is SSLExplorer. It doesn't require a client on your PC, your PC will download a Java based client via the web browser and launch tunnels. It is open source and no longer being updated as it was bought out, but the older version is still available on SourceForge. I have yet to find a simpler SSL VPN solution. With it you login to your web page and then it will launch encrypted tunnels automatically, you can use terminal server, VNC, have direct file access, access web interfaces, etc.

 

[signal15]

If the devices being accessed have login pages does that suffice for security? I have ports exposed (and not SSL connection either) and have always wondered about that.

Absolutely not. Especially with something that really was intended for internal use. Flaws in the application code could allow an attacker or worm to gain access to the box. Flaws in the web server software could also allow this. Keep in mind that most web application developers have not had any formal training in secure web application coding, and even among those that have, mistakes or flaws within the framework can still cause issues.

When we do penetration tests for companies that have web applications *designed* to be exposed to the internet, we almost always are able to gain full access to the server or steal confidential information from the database.

The ELK XEP is actually running a fairly crusty version of an embedded OS that has at least one major flaw that would allow remote code exection. I don't remember the details, but it's a publicly disclosed exploit. I determined that the XEP was vulnerable about 1.5 years ago.

Don't expose things to the net unless you want the world at large to access them. Use a VPN.

 

[signal15]

I agree with the others that you should look into a VPN. Since your company blocks ports, your best bet is an SSL VPN since it operates over port 443 and it is very hard to block/interfere with since it is encrypted traffic and commonly used your work can't really distinguish your home traffic from other SSL traffic.

There are several options like OpenVPN but most require you to install a client on your work PC. If you are ok with that then OpenVPN may be the way to go if you are willing to deal with the complexity. OpenVPN will run on ddwrt routers that have enough memory, windows servers, linux, there is even a VMWare appliance VM out there you could load.

An easier option to setup on Windows is SSLExplorer. It doesn't require a client on your PC, your PC will download a Java based client via the web browser and launch tunnels. It is open source and no longer being updated as it was bought out, but the older version is still available on SourceForge. I have yet to find a simpler SSL VPN solution. With it you login to your web page and then it will launch encrypted tunnels automatically, you can use terminal server, VNC, have direct file access, access web interfaces, etc.

OpenVPN and SSLExplorer are your best options. You could set up an IPSec VPN, but many companies have chosen not to pass that traffic through their firewalls. If you have some money to spend, get a Juniper SA700 for your house.

 

[up2late]

Absolutely not. Especially with something that really was intended for internal use. Flaws in the application code could allow an attacker or worm to gain access to the box. Flaws in the web server software could also allow this. Keep in mind that most web application developers have not had any formal training in secure web application coding, and even among those that have, mistakes or flaws within the framework can still cause issues.

When we do penetration tests for companies that have web applications *designed* to be exposed to the internet, we almost always are able to gain full access to the server or steal confidential information from the database.

The ELK XEP is actually running a fairly crusty version of an embedded OS that has at least one major flaw that would allow remote code exection. I don't remember the details, but it's a publicly disclosed exploit. I determined that the XEP was vulnerable about 1.5 years ago.

Don't expose things to the net unless you want the world at large to access them. Use a VPN.

So does that open a risk to that machine only, or my entire network? Hypothetical- If I open a port to an analog DVR, Linux embedded base like a Dedicated Micros or Speco, then what are the potential threats? I guess it's unlikely someone will hack my ECO4 at home, but i might worry about some of my clients being targeted.

 

[pbeaulieu]

Potentially your entire network. The attacker can then try to locate other devices on the same subnet and attempt to penetrate them. That's why things can spread within a company even when the company is diligent. It only takes one computer inside to potentially start a problem. Usually that is because the other computers on the same network may trust the computer just because it is on the "company" network.

That's why the first thing I do if a computer is suspected of being infected is to immediately unplug it from the network connection or wireless connection.

 

[video321]

So does that open a risk to that machine only, or my entire network? Hypothetical- If I open a port to an analog DVR, Linux embedded base like a Dedicated Micros or Speco, then what are the potential threats? I guess it's unlikely someone will hack my ECO4 at home, but i might worry about some of my clients being targeted.

While not being a Linux embedded security expert by any means, I would think you would not be at that much risk since the OS is stripped down and specialized. Of course, it all depends on what is part of the embedded OS and what is not and how the code is written.

Like PaulB said - things can run wild real fast. Once 1 machine behind the firewall is compromised then the entire network also becomes at risk; which makes client/server firewalls important...to control further probing and worms. As Paul said too, get it off the network which is why when I do any repairs it is always on a VLAN separate from the other networks.

 

[signal15]

While not being a Linux embedded security expert by any means, I would think you would not be at that much risk since the OS is stripped down and specialized. Of course, it all depends on what is part of the embedded OS and what is not and how the code is written.

Like PaulB said - things can run wild real fast. Once 1 machine behind the firewall is compromised then the entire network also becomes at risk; which makes client/server firewalls important...to control further probing and worms. As Paul said too, get it off the network which is why when I do any repairs it is always on a VLAN separate from the other networks.

Just because it's embedded doesn't make it any more secure. It's still running a turing complete operating system, it still has a kernel, and most importantly, it still has software listening on network ports serving out an application. Embedded or not, the risk is about equal.

The only way an embedded OS is more secure is if it's something that's a black box, or used by very few people. And that's only because there are less public exploits for them.