JackDaWack 2,894 Posted December 13, 2019

17 hours ago, Sniper said: This is getting a TON of coverage today: A family in DeSoto County, Mississippi, bought a Ring security camera so they could keep an eye on their three young girls in their bedroom. Four days later, they learned that a hacker had broken into the camera and subjected their children to continuous bedroom surveillance, taunting the children through the camera's built-in speaker. Motherboard identified several crime-forums where hackers were trading automated tools to break into Ring cameras, using credential-stuffing attacks (previously), which involve trying a succession of leaked username/password combos until you find one that has been recycled on the service you're trying to break into. These tools sell for as little as $6. Using good passwords and 2FA is good advice, but better advice is to never put networked cameras or microphones in your home, ever. Ever.

These people were using default passwords and usernames.. Not that you can't get hacked otherwise, but using these examples is not really being genuine to the "flaw" in using them. Realistically, they weren't even hacking anything... they just tried default passwords and gained access to the system via the online software. The internet has never been kind to stupid people.
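The credential-stuffing pattern described in the quoted article, seen from the service operator's side, as an added example that is not part of the thread: it flags source addresses whose failed logins span many different accounts in a short window and lists the accounts that did log in from them. The log format, addresses, account names and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (an assumption): timestamp, source IP, account, result.
LINE = re.compile(r"(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<res>OK|FAIL)")

def parse(lines):
    """Yield (time, source, account, result) for each well-formed line."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["src"], m["user"].lower(), m["res"]

def detect_stuffing(lines, window=timedelta(minutes=10), min_accounts=5):
    """Map each suspicious source to the accounts it logged in to successfully.

    A source is suspicious when its failures inside one sliding window cover
    at least `min_accounts` different accounts; one person mistyping their own
    password never does that.
    """
    by_src = defaultdict(list)
    for event in sorted(parse(lines)):
        by_src[event[1]].append(event)
    findings = {}
    for src, events in by_src.items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            failed = {u for _, _, u, r in events[start:end + 1] if r == "FAIL"}
            if len(failed) >= min_accounts:
                # Any success from this source is a likely reused password.
                findings[src] = sorted({u for _, _, u, r in events if r == "OK"})
                break
    return findings

# Constructed sample: one source cycling through accounts, one user mistyping.
ATTEMPTS = [("ann", "FAIL"), ("bob", "FAIL"), ("carol", "FAIL"), ("dave", "OK"),
            ("erin", "FAIL"), ("frank", "FAIL"), ("gina", "FAIL")]
SAMPLE_LOG = [
    f"2019-12-12T21:03:{i:02d}Z src=203.0.113.7 user={u}@example.com result={r}"
    for i, (u, r) in enumerate(ATTEMPTS)
] + [
    "2019-12-12T21:04:00Z src=198.51.100.20 user=hal@example.com result=FAIL",
    "2019-12-12T21:04:20Z src=198.51.100.20 user=hal@example.com result=FAIL",
    "2019-12-12T21:04:45Z src=198.51.100.20 user=hal@example.com result=OK",
]

if __name__ == "__main__":
    for src, accounts in detect_stuffing(SAMPLE_LOG).items():
        print(src, "-> reset and notify:", accounts)
```

Attempts spread over hours or across many source addresses stay under these thresholds, so per-account failure counts and 2FA are still needed alongside a check like this.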
SW9racer 262 Posted December 13, 2019

Interesting article, but this is what happens when you don’t read the manual. People can watch you take a dump, or toss your pistol over the wall to unjam it. I think an interesting discussion is if my neighbors have an argument on their lawn and my camera captures it. Would this not be the same as any spectator filming on their cell phone, like you see on the news all the time?
Sniper 6,372 Posted December 13, 2019

2 hours ago, JackDaWack said: These people were using default passwords and usernames.. Realistically, they weren't even hacking anything... they just tried default passwords and gained access to the system via the online software.

Yes, much of the fault falls on the end users for sure.

They used the default passwords and never changed them (which happens a lot MORE than what's reported).

They used the same passwords they use for many other sites, and hackers who have penetrated other sites, share these passwords all over the place.

They put cameras in sensitive areas of their homes, then store that recorded video in some cloud somewhere, that has access by who knows how many other people (and subsequently any hacker that gets in).

2 hours ago, JackDaWack said: Not that you can't get hacked otherwise, but using these examples is not really being genuine to the "flaw" in using them.

The point being, these aren't just one off, rare occurrences, this is happening to thousands, and not just with Ring, but with Alexa, Google, Facebook, Nest and many other IoT connected items and cameras. There used to be a site that posted links to hundreds of home security video systems not protected. You could scroll through all these camera images and decide whose house you wanted to watch, in real time.

2 hours ago, JackDaWack said: The internet has never been kind to stupid people.

And you can't protect people from themselves. So in the case of video security, as is with gold, if you don't hold it, you don't own it. These videos should be stored on a DVR in the user's house, with robust security protections, not out in the cloud somewhere. But, as we see here, people are willing to give up personal freedom and TONS of personal privacy, for the sake of convenience.
Scorpio64 5,119 Posted December 13, 2019

2 hours ago, JackDaWack said: using these examples is not really being genuine to the "flaw" in using them.

The "flaw" in all electronics manufactured in China is the surveillance capability that they secretly embed into firmware of all kinds of electronics. The Chinese were modifying firmware on American branded products and burying the code deep to avoid detection. Ten years ago the Pentagon and a bunch of gov't agencies found that wired and wireless network hardware like routers and switches were storing data and sending it back to China.
raz-0 1,256 Posted December 13, 2019

Don't blame the end users. Yeah lots of them are naive with regards to security, but there are fixes to this. The problem is that IoT devices like this are developed with all the care put into a $1.99 digital watch, and the repercussions of this are significant. The world's biggest botnet attack was powered by useless wi-fi connected color changing lightbulbs and similar pointless shit.

The default password thing has been solved for routers for a while. The default passwords are now complex and random per device and printed on the device. This has drastically cut down on compromises of home routers. IoT stuff needs to be doing the same thing.

They also need to stop putting back doors in the things. There are a bunch of IP video cameras out there with hard coded backdoor passwords. Changing the default helps nothing in terms of vulnerability.

As for having a DVR at home, most of these have a networked component and still need to have the same precautions taken with them as you would an IP video camera.
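The per-device default that raz-0 describes for routers, sketched as an added example (not code from the thread or from any vendor): each unit gets its own random password for the printed label, and the device record holds only a salted hash of it. The function names, record layout, alphabet and iteration count are assumptions.

```python
import hashlib
import hmac
import secrets

# Label-friendly alphabet (assumption): no 0/O or 1/I/L lookalikes, 31 symbols.
ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"
PBKDF2_ROUNDS = 200_000  # illustrative work factor

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def provision_device(serial, seen, length=16):
    """Return (label_password, device_record) for one unit on the line.

    `seen` holds fingerprints of passwords already issued, so a stuck or
    badly seeded RNG is caught at the factory instead of shipping the same
    credential on every device.
    """
    for _ in range(3):
        password = "".join(secrets.choice(ALPHABET) for _ in range(length))
        fingerprint = hashlib.sha256(password.encode()).hexdigest()
        if fingerprint not in seen:
            break
    else:
        raise RuntimeError("repeated passwords generated: check the RNG")
    seen.add(fingerprint)
    salt = secrets.token_bytes(16)
    # Only the salted hash goes into the device record, never the plaintext,
    # so a dumped firmware image does not reveal a working credential.
    record = {"serial": serial, "salt": salt, "hash": _hash(password, salt)}
    return password, record

def verify(record, attempt):
    """Constant-time check of a login attempt against one device's record."""
    return hmac.compare_digest(record["hash"], _hash(attempt, record["salt"]))

if __name__ == "__main__":
    issued = set()
    for serial in ("SN-0001", "SN-0002"):  # constructed serial numbers
        label, rec = provision_device(serial, issued)
        print(serial, "label:", label, "| accepts 'admin':", verify(rec, "admin"))
```

With 31 symbols and 16 characters each label carries roughly 79 bits of randomness, and a password copied from one unit does nothing on the next.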
JackDaWack 2,894 Posted December 13, 2019

19 minutes ago, Scorpio64 said: The "flaw" in all electronics manufactured in China is the surveillance capability that they secretly embed into firmware of all kinds of electronics. The Chinese were modifying firmware on American branded products and burying the code deep to avoid detection. Ten years ago the Pentagon and a bunch of gov't agencies found that wired and wireless network hardware like routers and switches were storing data and sending it back to China.

I recall that, but then you're left with US based products, and there are very few options there.
Zeke 5,504 Posted December 13, 2019

Soo my password shouldn’t be admin 1?
Scorpio64 5,119 Posted December 13, 2019

Just now, Zeke said: Soo my password shouldn’t be admin 1?

it needs to be at least 8 characters long. change it to admin123, much stronger.
Zeke 5,504 Posted December 13, 2019

6 minutes ago, Scorpio64 said: it needs to be at least 8 characters long. change it to admin123, much stronger.

https://youtu.be/a6iW-8xPw3k
JackDaWack 2,894 Posted December 13, 2019

6 minutes ago, Scorpio64 said: it needs to be at least 8 characters long. change it to admin123, much stronger.

How can I possibly remember all those letters and numbers? Password would probably be easier to remember.
Sniper 6,372 Posted December 13, 2019

37 minutes ago, raz-0 said: Don't blame the end users.

The top 10 most common passwords were:

123456
123456789
qwerty
password
111111
12345678
abc123
1234567
password1
12345
raz-0 1,256 Posted December 13, 2019

21 minutes ago, Sniper said: The top 10 most common passwords were: 123456, 123456789, qwerty, password, 111111, 12345678, abc123, 1234567, password1, 12345

not for IoT type devices. The most common passwords are the factory default. which is why making that random and strong from the factory works.
Sniper 6,372 Posted December 13, 2019

35 minutes ago, raz-0 said: not for IoT type devices. The most common passwords are the factory default. which is why making that random and strong from the factory works.

That list are the passwords people CHOOSE to replace the factory defaults. So yes, they are still idiots, for not picking a strong or random password when they change them.
raz-0 1,256 Posted December 13, 2019

1 hour ago, Sniper said: That list are the passwords people CHOOSE to replace the factory defaults. So yes, they are still idiots, for not picking a strong or random password when they change them.

That list of passwords comes from looking at all the major breaches for the year, lowercasing every password, and counting the occurrences. It is mostly derived from compromised online accounts, not actual hardware devices. If calculated across all major breaches to date, the ranking changes. This is the first year in a while no plain English words made it to the top ten. Unfortunately that's because people are using things even worse than "sunshine" in greater numbers.