Geekzone: technology news, blogs, forums
Mr Snotty
Reply # 1507931 8-Mar-2016 09:44

xpd:
If a VPN isn't an option, then a different way is to use Teamviewer.... not exactly FPS friendly, but it's an option.......

Try Anydesk (anydesk.com) - seems to be more FPS friendly.

Reply # 1507946 8-Mar-2016 10:06

xontech:
Agree with the above about not doing port forwarding.

But I was wondering what is the opinion on systems where the camera is registered to a service (ezviz for example) and you can then remotely view the camera by logging on to the service. No manual port forwarding involved, but perhaps UPNP? More secure/same/less secure?

Why would I want to entrust frame-by-frame video of the interior and exterior of my house to someone 'in the cloud'?
How would I ever have confidence that the cameras were actually off or that the 'cloudy' video data is secure from unauthorised viewing?

All far too easy to go from 'my home is my castle' to 'my home is a video studio' or from 'securing my premises' to 'confirming when the place is empty'.

Just "NO"

Reply # 1507949 8-Mar-2016 10:12

xontech:
Agree with the above about not doing port forwarding.

But I was wondering what is the opinion on systems where the camera is registered to a service (ezviz for example) and you can then remotely view the camera by logging on to the service. No manual port forwarding involved, but perhaps UPNP? More secure/same/less secure?

There are two ways these cloud services work - one is storing the data on their cloud services (and I saw a lot of new companies offering this at CES), and the other is P2P functionality to let you log in via their website but still keep the data local.

Here's a view on the Foscam P2P security:
http://krebsonsecurity.com/2016/02/this-is-why-people-fear-the-internet-of-things/

BTR

Reply # 1507956 8-Mar-2016 10:30

The cameras I deal with at work are on a separate network with no internet access going out. The NVR has dual ethernet so one is used to access the cameras and the other is set up simply for viewing the footage.

Our building access control is also on a separate network.


Reply # 1508005 8-Mar-2016 11:32

The one for Chinese cameras I had a play with just acted as an in-between if there were no ports able to be forwarded. All traffic was passed back to the camera/NVR which did the authentication so long as you had the code from the QR code to authenticate. Changing that number by 1 from the "cloud URL" for my camera led to other cameras. Most still accepting the default password. Many Chinese factories, schools, apartment building entrances, nail shops etc all visible.

If there was an authentication backdoor/programming stuffup/exploit in the cameras, then they were all accessible if they had the cloud service ticked.

This was not xmeye, but another one that only one of the cheap cameras I got used.

Richard rich.ms

Reply # 1508058 8-Mar-2016 12:45

Ok, convinced me to:
- Remove default gateway and "disable" all external heading services on camera (upnp, p2p etc)
- Add a rule to my firewall stopping all traffic from the camera from leaving the network
- Set up a VPN to be able to remotely view camera streams / playback

Should be enough?

BDFL - Memuneh
Reply # 1508156 8-Mar-2016 15:04

sbiddle:
xontech:
Agree with the above about not doing port forwarding.

But I was wondering what is the opinion on systems where the camera is registered to a service (ezviz for example) and you can then remotely view the camera by logging on to the service. No manual port forwarding involved, but perhaps UPNP? More secure/same/less secure?

There are two ways these cloud services work - one is storing the data on their cloud services (and I saw a lot of new companies offering this at CES), and the other is P2P functionality to let you log in via their website but still keep the data local.

Here's a view on the Foscam P2P security:
http://krebsonsecurity.com/2016/02/this-is-why-people-fear-the-internet-of-things/

This is just an example. Now expand this. Imagine the company selling these cheap cameras closes down and the domain these cameras call to report to lapses. Some Bad Person (TM) buys the domain and suddenly this Bad Person starts receiving data from thousands of cameras from around the world. And no one knows it is happening.

Would you be happy with that?

Awesome
Reply # 1508166 8-Mar-2016 15:23

I do two things to protect my network/cameras:

1) IPTables rules on the router firewall to discard any UPnP requests. I was finding my D-Link camera was opening ports, even with UPnP turned off in its config. Dropping the UPnP packets seems to solve this nicely.

2) Only outside access is 1) web based via a reverse proxy that uses certificate auth. Don't have the cert, no access. And 2) via SSH tunnel, also only via certificate auth.

(If anyone sees any flaws in my approach please let me know!)

Twitter: ajobbins
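An added example, not code from any poster in this thread: both Richard's "stop all camera traffic leaving the network" rule and Awesome's "drop UPnP" rule only help if you can see what the cameras keep trying to do, so this small Python script reads netfilter LOG lines from a rule that logs the dropped camera egress and reports, per camera, where it tried to go and whether it is still sending UPnP/SSDP discovery. The log prefix, the camera subnet 192.168.50.0/24 and the sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Assumed router rules that produce these lines (placed before the matching DROP):
#   iptables -A FORWARD -s 192.168.50.0/24 ! -d 192.168.0.0/16 \
#       -j LOG --log-prefix "CAM-EGRESS-DROP "
# Constructed sample lines in netfilter LOG format; not real traffic.
SAMPLE_LOG = """\
Mar  8 15:23:01 router kernel: CAM-EGRESS-DROP IN=br0 OUT=eth0 SRC=192.168.50.10 DST=203.0.113.25 LEN=60 TTL=63 PROTO=TCP SPT=41234 DPT=443 SYN
Mar  8 15:23:05 router kernel: CAM-EGRESS-DROP IN=br0 OUT= SRC=192.168.50.10 DST=239.255.255.250 LEN=240 TTL=1 PROTO=UDP SPT=1900 DPT=1900
Mar  8 15:23:09 router kernel: CAM-EGRESS-DROP IN=br0 OUT=eth0 SRC=192.168.50.11 DST=198.51.100.7 LEN=52 TTL=63 PROTO=UDP SPT=32100 DPT=32100
Mar  8 15:23:12 router kernel: CAM-EGRESS-DROP IN=br0 OUT=eth0 SRC=192.168.50.10 DST=203.0.113.25 LEN=60 TTL=63 PROTO=TCP SPT=41235 DPT=443 SYN
Mar  8 15:23:15 router kernel: OTHER-DROP IN=eth0 OUT= SRC=192.0.2.9 DST=192.168.1.1 LEN=40 TTL=50 PROTO=TCP SPT=5555 DPT=23
"""

FIELD = re.compile(r"(\w+)=(\S*)")          # KEY=value pairs; bare flags like SYN are skipped
SSDP_MCAST, SSDP_PORT = "239.255.255.250", "1900"

def parse_line(line, prefix="CAM-EGRESS-DROP"):
    """Return the KEY=value fields of one LOG line carrying our prefix, else None."""
    if prefix not in line:
        return None
    return dict(FIELD.findall(line.split(prefix, 1)[1]))

def summarise(log_text, prefix="CAM-EGRESS-DROP"):
    """Per camera: how often it tried to leave, where to, and whether it still does UPnP/SSDP."""
    report = defaultdict(lambda: {"attempts": 0, "destinations": set(), "ssdp": False})
    for line in log_text.splitlines():
        f = parse_line(line, prefix)
        if not f:
            continue
        cam = report[f["SRC"]]
        cam["attempts"] += 1
        if f.get("DST") == SSDP_MCAST and f.get("DPT") == SSDP_PORT:
            cam["ssdp"] = True       # discovery multicast: UPnP is still active despite the config
        else:
            cam["destinations"].add(f"{f['DST']}:{f.get('PROTO', '?')}/{f.get('DPT', '?')}")
    return dict(report)

if __name__ == "__main__":
    for src, info in sorted(summarise(SAMPLE_LOG).items()):
        print(src, info["attempts"], "ssdp" if info["ssdp"] else "-", sorted(info["destinations"]))
```

A camera that appears here with non-SSDP destinations is one that still has a route out or a built-in cloud/P2P client, which is the case the thread warns about.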


Reply # 1508168 8-Mar-2016 15:23

OK this thread was an eye opener. Muchas muchas gracias.

I'm logging into a remote site now to disable some port forwards...

Reply # 1508197 8-Mar-2016 15:26

As someone involved in this area for work, it's always interesting to see how companies and trades simplify the install of items down to just the pure physical side of things.

By that I mean the likes of structured cabling, security cameras, TV aerials etc are all installed by a range of different companies, with a range of different grasps of the underlying fundamentals/concepts. Some might know why RG59 is different to RG6, and when you might want to use each. Some may know exactly why you shouldn't leave long leads of cable unterminated and still connected to multi splitters. Some may know you shouldn't do certain things, but not exactly why that is the case, and some just go and do the stupid thing and are completely oblivious to it. It's cables right, so an electrician deals with wires.

All too often even the product selection phase is handed over to resellers/wholesalers, who will just advise as to what's popular. Doesn't matter if it's suitable or not, just as long as it's what everybody else got right? Safety in numbers and all.

An example would be the popularity of the gizmo combination UHF/VHF TV aerials when VHF TV transmission was clearly on the way out. The last 10 electricians may have purchased this, but it doesn't make it the best choice.

Networking is all too often a dark art, where someone in the organisation knows how to set these up, and even then they're following step by step instructions handed to them once by a support person on a call to the manufacturer to chase up why it wasn't working. Security on networks is an even darker art, which comes in once you've got it all up and running, and is often glossed right over, because it's working already...

Like anything there are good people and poorly skilled people in the industry. Some of these industries are quite small, and you see the same staff bouncing between different companies. Naming companies can be a bit rough, but then again...


Reply # 1508291 8-Mar-2016 16:51

You've raised some good points, and in the security (and dare I say it PBX as well) space it comes down to one thing - the migration from "traditional" equipment to IP. Many people installing this kit may have been doing this for their entire life and be very good at it, but the IP world opens up a whole can of worms.

Networking is something that you either grasp or don't grasp. I'd go as far as saying many of these people don't understand networking, and simply don't want to learn. Even if you understand networking there are many things that can catch people out, and a lack of understanding of the risks of things as simple as port forwards, which we've discussed in this thread, is over the heads of many of these people.

Anybody who's never seen http://shodan.io should have a play with it - for many people it's an eye opener.

