Title fixed by fenderman. I mistakenly thought I was hacked. Turns out, I didn't read the help file.

Unless I'm very mistaken you cannot hack a Virtual Machine.

This is not an accurate statement. Any company that is using Amazon Web Services, VMWare Web Services, Microsoft Azure, are all using Virtual Machines. It would be most excellent if it were impossible to hack a VM but they have the same flaws as physical servers/workstations do. Virtual networks have the same flaws as managed switches. This is why we have to continue to apply security patches that are released by VMWare to our ESXi servers. We also apply Microsoft's Monthly Security Patches to all of our MS VMs and our Linux teams apply security patches to all of our Linux VMs. (Let's not get started on updating all the programs we use when a new version comes out that closes a security hole.)

VMs used for live virus testing would be similar to someone using a workstation that was air gapped from the world, or a set of say 4 workstations plugged in to a 4 port ethernet switch so they can see how it spreads across a network that is air gapped from anything other than those 4 workstations. The advantage of using a VM in this situation is the single air-gapped VM can run all four VMs on a virtual switch and thus is cheaper to use/operate than buying all the extra hardware that used to be needed to do the same setup {granted there are some other advantages}.

Also, as a better practice, do not use the same username/password to log in to each workstation. Create different accounts. Use something like KeePass to keep all the information on each workstation, account, password so you do not have to remember them all. {I use it on my Windows, Linux, and Android with my Windows one being my authoritative one and sync the rest to it.} This is even more so for the BI workstation/VM. This one act can help slow down a worm attempting to move through your network whereas if all the workstations have the same username/password it is like giving the worm the keys to the castle.
 
... but I know for sure there was no user in there named anonymous ...
anyhow that above log and the fact the computer restarted and I don't know why is a problem. I

Windows comes with and uses the "anonymous" account for many legitimate networking connections. One of which is, that is what is used when you first connect and it sends back the statement in essence of, "please provide your username/password".

Windows System logs should show you when the workstation was rebooted, which account rebooted it, and why. If your Windows workstation rebooted on Tuesday, 12 Jan 2021 night then chances are the logs will show you that the system was rebooted to install the Jan 2021 monthly security patches (as Microsoft releases them on the second Tuesday of each month and systems set to auto-install the patches will do so and then reboot if needed). This would be a legitimate reboot. In addition, each workstation and VM that is running Windows would do this and thus it may appear that all the Windows computers on a network rebooted in the same night and if not expected by the user(s) might seem like a hack. {Windows System Log Event ID:44 Source: WindowsUpdateClient}. I show a bunch of these on 1/13/2021.
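
One way to run the log check described in the post above, as an added example that is not part of the original post. The function name `Get-RebootTimeline` and the 14-day default window are assumptions; the event IDs other than 44 are standard System log events and were not named in the thread.

```powershell
# Added example: merge restart/shutdown events and Windows Update activity
# from the local System log into one timeline, so an unexpected reboot can be
# matched to a cause (patch install, user request, power loss).
function Get-RebootTimeline {
    param([datetime]$Since = (Get-Date).AddDays(-14))   # window is an assumption

    # Provider|Id pairs that bracket a restart, with what each one means.
    $kinds = @{
        'User32|1074'                       = 'Restart/shutdown requested (detail names process, user, reason)'
        'EventLog|6006'                     = 'Event Log service stopped (clean shutdown)'
        'EventLog|6005'                     = 'Event Log service started (boot)'
        'EventLog|6008'                     = 'Previous shutdown was unexpected'
        'Microsoft-Windows-Kernel-Power|41' = 'Rebooted without clean shutdown (power loss, crash, hard reset)'
    }
    $wu = 'Microsoft-Windows-WindowsUpdateClient'

    # Restart lifecycle events; keep only the provider/ID pairs listed above.
    $lifecycle = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; Id = 41, 1074, 6005, 6006, 6008; StartTime = $Since
    } -ErrorAction SilentlyContinue |
        Where-Object { $kinds.ContainsKey("$($_.ProviderName)|$($_.Id)") }

    # Everything Windows Update logged in the same window (includes Event ID 44).
    $updates = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = $wu; StartTime = $Since
    } -ErrorAction SilentlyContinue

    @($lifecycle) + @($updates) |
        Where-Object { $_ } |
        Sort-Object TimeCreated |
        ForEach-Object {
            $kind = $kinds["$($_.ProviderName)|$($_.Id)"]
            if (-not $kind) { $kind = 'Windows Update activity' }
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Id     = $_.Id
                Kind   = $kind
                Detail = ($_.Message -split "`r?`n")[0]   # first line of the message
            }
        }
}

Get-RebootTimeline | Format-Table -AutoSize -Wrap
```

A 1074 entry preceded by Windows Update entries points to a patch reboot; a 41 or 6008 with no 1074 before it points to power loss or a crash rather than a requested restart.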
 
Unless I'm very mistaken you cannot hack a Virtual Machine. It's completely isolated from the rest of your PC and network and the system files are software simulated and so can't be deleted or altered as they exist in the memory only - hence why VM's are used for live virus testing - because it cannot get out and spread to the actual pc or network.
Sorry but that's not correct.
A VM appears on the network just like a hardware machine, especially if the adaptor is in bridge mode. It's hard to spot that it's virtual.
As @mikeynags has also affirmed.

A VM provides a fast and convenient way of spinning up and tearing down a variety of operating environments for experimenting or testing - or even to use as a honeypot to see what the seekerbots and hackers are up to.
Or even for occasionally using Windows when Linux is the preferred environment ...
 
I edited this post, long story short here, I made a mistake by opening ports for testing, didn't verify what user accounts were active, one was anonymous with no password required, I didn't know it was there and should have looked. I selected some box that allowed no password for local for my convenience and didn't realize that this other user was there, so someone logged in and messed with the cameras,

IT WAS OPERATOR ERROR ON MY PART, NOT THE SOFTWARE'S FAULT. I was careless and hope that this post helps others.

Thank you everyone for your help in this matter.
 
OH, and let me add... after the anonymous online account is created by default upon clicking the box to open ports, the logs are also OFF by default. it's almost as if it were designed for a hacker or voyeur of sorts to gain access on the users that click on the boxes using the wizard instead of thoroughly reading the manual.

There is logging enabled but you need to enable the option to save the logs, not everybody needs the logs saved so enable the option if you need it.
 
go into settings, Web server tab, enable the HTTP web server in the Web server tab and open your outside port, when you click that box it creates the account unknowingly to the user. it is stated in the manual also.. but that is completely stupid that it would do that during the process of opening ports. I removed that user and then reopened the port and it re created the user. I am using a demo of version 5.

if I were the creator I would never sit there and think "why don't I have my software create an anonymous user automatically so their public ip will just pop right in without having my customer need to enter a user name and password... anyone else with their ip can do the same." Oh and by default I will have all the logs turned off so they can't view the logs after they realize they opened their cameras to the outside world. LOL it's in the manual!

IpCam_User
thank you for that information, very helpful!!
 
I hit enter too quickly on that last one.... sorry
I plan on doing a screen recording of me doing this process of opening my port for remote access to make sure I'm not crazy, and to warn other new users like myself about this software creating a wide open account behind the scenes and not warning you. of course, unless you read the manual.... but the wizard doesn't warn or advise anything, and if the wizard works why consult the help file and manual? I consider this a flaw in the default options. and again. logs all off by default.
 
The save log file is off by default because depending on how someone sets up their system, the log file can get rather large very quickly as it logs EVERYTHING....so one trigger on a camera could result in many log entries (logged that it triggered, log that it took an image, log that it sent an email, log that it ....) When I was demoing Sentry, my log file for that month was 67MB - that doesn't sound like a lot, but try opening up a text file that large....you wait and wait and wait and wait...and wait some more.

You can be mad at the BI software all you want but opening a port is what allows this access regardless of which program. Which is why so many here say do not open a port.

Do you really think that Arlo or Nest or Ring or Lorex or Amcrest or Nightowl or any other company that allows someone to simply scan a QR code is providing anything more secure? A wifi camera will be even worse. That is essentially what these units are doing - opening a port and making it easy to connect, probably even less secure than the way BI goes about it. At least BI basically states in the user manual what happens if you go this route. Even if it didn't create the anonymous account, the same potential access to your whole system exists. Cannot say that for any of these other companies - heck most do not even provide a manual. The end user simply says "Look honey how easy it was to set up these Arlos - I just hung it up and scanned this code and done" and they are totally unaware of what they just did to their system and the consequences of such ease of connection. That is why companies use QR codes and P2P and UPnP for the end user that simply wants an easy way to access their cameras. I showed my friend how easy it was for someone to get into their camera because they set it up with a QR code... Or we see stories of someone hacking into a baby cam or a Ring camera, or even worse, someone buys one of these types of cameras and sets it up and sees not only their house but someone else's as well.

BI allows for basically that same flexibility (although not as simple as a QR code) for the end user that doesn't know any better and doesn't want to deal with VLANS or dual NIC or VPNs because believe it or not, users like us are probably a small fraction of the total BI sales. The user that goes the route you did wants to just be able to get access to their cameras when away from the home, so they do not want to deal with all the steps necessary to lock down their system. And based on the number of sales and revenue of the Nest and Arlo's of the world, clearly people are either not aware or not concerned that something bad can happen by allowing one to setup their system this way. I suspect they don't care. Look at how many people didn't care that Facebook was selling their private information. People like the use of it.

And it just isn't limited to cameras and Blue Iris. My friend set up their printer with just the QR code and someone was then printing things to their printer. How many people use default or common passwords? With this easy setup for the end user, it is bound for these type of things to happen. I do not allow WPS or anything QR code related to connect to my router - that is opening up your entire system. Is it a pain to have to key in a password for every new item - yes - but at least it helps keep the system secure. Do you allow WPS easy access for any peripherals to your system? If so you should shut those down right now.

The good news is most here probably believe you were not hacked....it sounds like you had a middle of the night blip in power and it reset your cameras and that particular computer decided to shut down and the others stayed on. But that ended up being a wake-up call for you and like you said hopefully for others that come to this site. The threat is real. Maybe the potential that it actually happens to you is low, but that doesn't mean it cannot happen.
 
the software CREATES AN anonymous user (UNKNOWN TO ME, THE BI USER!!) that requires ZERO credentials, not even required to enter a user name!!! ??? Who in their right mind decided this was a good idea??? forget around you should read the manual... this is SUPER STUPID and I doubt anyone would WANT THIS!!! Why would it create a user without your knowledge and let alone create one anyway and no credentials at all on top of that!! ?

the "anonymous" account for many legitimate networking connections. One of which is, that is what is used when you first connect and it sends back the statement in essence of, "please provide your username/password".
 
The save log file is off by default because depending on how someone sets up their system, the log file can get rather large very quickly as it logs EVERYTHING....so one trigger on a camera could result in many log entries (logged that it triggered, log that it took an image, log that it sent an email, log that it ....) When I was demoing Sentry, my log file for that month was 67MB - that doesn't sound like a lot, but try opening up a text file that large....you wait and wait and wait and wait...and wait some more.

You can be mad at the BI software all you want but opening a port is what allows this access regardless of which program. Which is why so many here say do not open a port.

I agree with pretty much everything you said, and I thank you for taking the time.
it surely does amaze me at how fast someone got in... they must have the BI anonymous account bookmarked and alerts are sent to them they have another person that just opened up... I know they were in, 100%, there is an out of the country android phone that logged in, the cameras were not in any type of "parked" or "reset" mode, I went into their logs and you can see where the BI PC was using them, I can SEE the recording of them moving... LOL again, this is a demo, I am learning, not necessarily mad about it, in fact glad it happened so fast, and hey, scroll up... I learned a lot on this post as to the proper way to set up the software and network advice, I really appreciate ALL of you and your input to assist me.

I'm not necessarily mad at BI, Confused is more like it. I look at it this way, if you and I sat down as programmers for our customers, I'm quite certain we would not want to auto create an anonymous user requiring ZERO credentials during the process of opening web access for our customers using a "security" software. I'm more making a big deal of it because I'm sure another new user like myself will make this same mistake as I have, in fact if you search anonymous user you will find others confused at how the account just popped up out of nowhere.

So I'm not really mad, I'm not saying I will or will not buy this software either... this just doesn't make sense to me as to why it would default like that and I guess I sort of over stated that.. Again thank you all for the help on this, I will surely mark this solved and post what happened on a post to help assist others if they search for this.
again I can't thank all of you enough for taking your time to help me out, and we have solved my issue as an end result, plus even more help as to network inner structure.
 
the "anonymous" account for many legitimate networking connections. One of which is said:
I will do a video this weekend, I put my public ip with the port on the browser, the whole interface just opened without ever prompting for anything at all, I mean a box never showed up... nothing, it just opened it right up as though I had been logged in using the web interface the whole time. I was shocked!
 

This is not the fault of the "anonymous" account. This means that the next step, authentication on the BI server's web page, was not set up to tell people they need permission to view the website.

When you view this website, and have not logged in, you are actually logging in to that web server using the "anonymous" account. Each article you read uses it. If you want your BI web server to actually have Internet facing connection, there should be something in the BI security settings for the website to require authentication. Once that is checked when someone goes to your BI's website they will initially connect using the "anonymous" account. The BI web server will then send them a box asking them to tell it who they are. After they enter a username/password the BI web server will start using that account.

Please follow best practices for passwords. No less than 8 characters. Passwords are case sensitive so make sure to use both. More modern practice talks about creating four or so random words that you can remember, a number or two, and putting them in to a phrase. {i.e. port star 987 yoda best = pOrtStar987yoDabest} I still like my 16+ truly random character password but that takes me a good solid two weeks of constantly typing it to learn.
 
I'm not necessarily mad at BI, Confused is more like it. I look at it this way, if you and I sat down as programmers for our customers, I'm quite certain we would not want to auto create an anonymous user requiring ZERO credentials during the process of opening web access for our customers using a "security" software. I'm more making a big deal of it because I'm sure another new user like myself will make this same mistake as I have, in fact if you search anonymous user you will find others confused at how the account just popped up out of nowhere.

But at the same time, every product coming out that has QR codes or something similar to connect to the internet is doing exactly this. They just hide the fact how easy it now is to exploit your system. At least Blue Iris has a manual that tells you what it is doing. Nowhere on probably any other product page will they tell you in specific detail how they are making that process easier for the end user looking for simplicity. Go buy a Ring camera and show me in the manual where it tells you that they have opened ports and exposed your system.

My friend I told you about that used the QR code to set up her printer - she was getting printed pages saying stuff like "I see you" and printing pics from her Foscam camera. I helped her track down that it wasn't a neighbor or someone that got into her wifi because we changed the password and it continued with pictures after she changed the wifi password. It even continued after she changed her password in the Foscam camera. Guess what, apparently they also must not have an authentication step either so it is probably an anonymous account. She is one of the millions of people that look for simplicity when connecting new devices to their system. Many more people like that than folks like us.

A lot of systems are set up this way. Why do these companies do this - to stop all the calls from illiterate end users asking why they can't see their camera or what is the user/password. It is well known how many of these cameras have ways for people to see the user and password with any computer skill ability that any hacker would have. It is the same reason why most of us here isolate the cams from the internet.

It just so happens that Blue Iris was the vehicle with which you learned this. But that android device could have connected via any other internet device that you or someone in your family connected to your system. A wifi printer, Alexa, basically anything that makes it easy to connect. If you used a QR code at any point in the past, that could potentially be the vehicle used to get into your system. Many of us don't have Alexa type devices for that very reason, yet Blue Iris also allows that functionality for folks that want it and either don't care or don't know what that could entail. Maybe it was Blue Iris, but I doubt it. As @IpCam_User stated, it was not the result of this anonymous account, but rather a hole that was opened up in your system by opening the port - either by you doing it or another peripheral on your system.

You can do as many of us here and further lock down your router to only let known connections on. Depending on the router, it could be it sends you a notice whenever someone tries to get on the first time, or you assign IP and MAC addresses allowed to connect. It is an additional step and many do not do this because it is a hassle to do this every time you get something new. That android device - did you ever return or sell an android device - that could be how as well if someone knew what they were doing.
 
I thought the no password selection was for local only, I saw that in a YouTube video that I probably shouldn't have watched, and I do for sure agree this mistake was mine to make... very stupid of me, and I'm glad it wasn't worse. In reality this was the root cause of my problem, and something that is not advisable, but even still I would never imagine as a software developer you would automatically create a wide open account for remote access without the end user having to do that manually. To bounce back to the other side, I did ask for no password local, so why not none at all? LOL whatever, I guess someone has a use for that. The whole reason for messing with BI is have so much control and versatility, that's why I'm not mad at the software, or still not sure I will buy it (I have 9 days left on the trial) I think I will, my repurposed PC does have quite enough power to run all the cameras from the looks of it.

I also agree this was just how I finally got burned.

I have only been using this software for a few days, I installed it on the PC 1/9/21, for 3 days I did a demo on a virtual PC not allowing any remote access and after that installed a copy on an old stand alone machine. within 3 days of having remote access I noticed cameras moved. That android phone is for sure not mine, it's a telefone mi 9, they don't even sell them here in the USA, I saw the video of the cameras moving around, and I checked their logs. also upon looking into a few things I have heard that printers get hacked the most, and I think we all know that the ring cameras are very unsecured, that's why I have been a part of this community for many years, and I currently have an NVR that is locked down quite well, I went through and only allow my devices on it, that particular device actually comes fully secured so much that it's a pain to open up, as I think it should be,

I did make some bad mistakes, and also gathered much very useful information and advice, can't thank you all enough. my system will be very secured the next time I turn it on. HAHA
 
I will also have to research this when I get back home from work. I have anonymous logins but I can tell it's from my local network machines for UI3 purposes. I forget the exact wording of the checkmark box but I have it so no passwords required for LAN.
 
I agree with pretty much everything you said, and I thank you for taking the time.
it surely does amaze me at how fast someone got in...

If someone did get in it shouldn't amaze you. There are security tools out there that let someone find every single unsecured device on the internet at a click in seconds. It's just then a matter of choosing what you want to hack. At a hackers conference not so long ago, as a demo the lecturer searched for devices in a certain geographic area and within seconds had found a security camera or maybe a ship's navigation interface, (I forget which), onboard a yacht and was able to hack into it equally as quickly due to flaws in the security interface.

The point to take away here is unsecured you're searchable in seconds from a search engine designed to detect IoT devices. That's what makes port forwards so dangerous. You're not some anonymous device that's hard to find. You're listed as sure as someone is listed in the phone directory and the searcher can pinpoint the location of your device on a map. If someone's looking to hack, it's as simple as searching for a device in e.g. Reno, Nevada. In seconds every unsecured device is listed and the potential hacker can see the name, type of device and its location to a very small area.
 
Virtual Private Networks (VPNs) are your friend {especially vs port forwarding}! If you really need to see something on your network from the Internet, such as remotely viewing a BI web server, set up a VPN Server and use a VPN client to connect to it. There are tons of instructional information on how to do this and how to do it using the current better practices {I am really beginning to like WireGuard!}.

One positive thing about this set of posts. You got to see a community come out and assist you with your issue! As a fellow teammate of mine likes to say, "Go Team!"