Who is watching you? Russian website puts local cameras online

chippy said:
I could really use some direction here. If I just want a simple system setup with no access to the internet, can you bullet point for me what I need to read up on to lock down my system?
Click to expand...

get a NVR with a inbuilt POE switch, and connect the camera's dont connect the lan port to your network, get a wirless mouse or a usb over ethernet adapter and a vga/hdmi over cat5 adapter run two cables to where you wish to view the cameras.

secure CCTV?
 
@nayr... well all righty then. First, thanks for the response. Clearly, there's much I don't know. You've given me lots of terms to google. LOL.

Open source firmware? Didn't even realize that was a thing! It may not be necessary? I have an Asus n66u. I was pretty impressed with the stock firmware. Lots of cool stuff in there, realtime graphs, client lists, dual band setup, and yes, even VPN. Two different servers, PPTP and OpenVPN. If I do upgrade the firmware, what features do you recommend?

Looks like all outbound traffic is allowed, so there is that. The only rules I can set are a url filter, keyword filter and the ipv6 firewall which actually allows inbound specific ip/cidr, local IP and port. Is that where the open source firmware would shine? Is it normal for a router to have firewall specific rules for ipv6? I see no mention anywhere for ipv4.
 
Last edited by a moderator:
@nayr... roger that. Thanks for the tips

Thanks @copex. Doesn't look like that firmware you linked supports additional VPN protocols, but it at least has the enhanced rules.

Cheers!
 
Last edited by a moderator:
A website out of Russia is gathering feeds from unprotected security cameras all across the world and broadcasting them online.
Click to expand...

The keyword here is add a password! Use something strong too. If you port forward chose a port that is non-standard and well above 10000. Like 27634 or 42396. If you feel the need to add a firewall, get an ITX computer with dual NICS, add 2GB more of RAM and use Sophos or Untangle. But a password should be good enough. Can't hack the password can' t get the feed. This goes for baby monitors and anything else you send through the Internet.
 
Agent Smith said:
Can't hack the password can' t get the feed. This goes for baby monitors and anything else you send through the Internet.
Click to expand...

in a perfect world, however many contain vulnerabilities that can bypass the password.. and none encrypt the password for the video stream, so if your on public wifi you just told everyone within range your password.

these things are not designed to be on the internet or the'd not allow login over unencrypted connection and they would not allow weak passwords to be set, dont be this guy ^^ use a VPN.

example, here was a massive 25k camera botnet attacking the internet.. all from a backdoor in the software, not weak passwords: http://news.softpedia.com/news/a-ma...volved-in-ferocious-ddos-attacks-505722.shtml

IPCameras are always on, usually have decent bandwidth, no locally logged in users, and will have a few handfull of hosts avilable on the network to spread the load.. the ideal drone in a botnet.
 
nayr said:
The biggest thing to avoid is the confusion between paying someone else to run a VPN Server so you can hide your IP/Location, usefull for viewing content not avilable in your country.. and running your own vpn server on your own network so you can get full access while remote.
Click to expand...

I just learned this a day or two from @fenderman. I've been out of the PC game for awhile since i moved to Mac. Coming back to Windows has really brought back memories... some good and some bad. Thanks for the information and advice @nayr, its always great to see your icon commenting since theres always some good info for noobs like myself just getting back into this.

Just one question with regards to that VPN stuff. If I close those ports for BI, but set up the VPN and access it remotely (I'm working an RT-AC68P so it was pretty easy to set up), can i just connect with the OpenVPN app and then open BI and access the live feed? Is it really just that simple (and more secure then open ports)?
 
Last edited by a moderator:
PSPCommOp said:
Just one question with regards to that VPN stuff. If I close those ports for BI, but set up the VPN and access it remotely (I'm working an RT-AC68P so it was pretty easy to set up), can i just connect with the OpenVPN app and then open BI and access the live feed? Is it really just that simple (and more secure then open ports)?
Click to expand...

I'm going through the same thing at the moment. Setting up a VPN on an RT-N66U (on the advice of nayr). Yes, it is that simple! Open a connection, and your connection is secure. Data transmitted is secure. However, be aware... I've seen several people thinking they were secure after "setting up VPN" and they were talking about setting the router up as a VPN client. Router MUST be setup as a VPN server.


<edit> I should mention, I only JUST started learning about this myself. I'm no expert.
 
Last edited by a moderator:
chippy said:
However, be aware... I've seen several people thinking they were secure after "setting up VPN" and they were talking about setting the router up as a VPN client. Router MUST be setup as a VPN server.
Click to expand...

Yup this was me, Fenderman set me straight and I'm good now. Worst part was the client certificate for the VPN. Kept getting errors and finally figured it out after about 30 minutes of swearing up and down while trouble shooting... and it wasn't even necessary haha.
 
You weren't the only one ;) Yes, client is the part giving me problems too. You're saying setting up a CA and issuing certificates isn't necessary? I thought that was the whole point.

My understanding is that the CA authenticates the public keys. May I infer, from your claim that they aren't necessary, perhaps because the administrator (me) is able to authenticate the public key physically, in person? That would make sense. If that's wrong, please advise. I'm going to take another look at this based on that assumption.
 
Mine automatically generated them for the server if I'm not mistaken. I was having a problem getting the right opvn file loaded for the client. I finally figured it out but now I don't even need it.
 
Last edited by a moderator:
I wanted to jump on this thread with another reason to properly secure your camera. One of the primary vectors of the Krebsonsecurity DDoS attack that happened recently were hijacked IoT (Internet of Things) systems. Think wifi enabled thermostats, etc. This article below describes how over 25,000 CCTV cameras were hijacked and used in a DDoS attack. It's not just about preventing others from viewing your camera feeds (which is creepy).

http://www.securityweek.com/thousands-cctv-devices-abused-ddos-attacks
 
  • Like
Reactions: alastairstevenson
Thanks. I was wondering which cameras were involved in the DDOS. I have been considering some gray market Hikvision cameras, but the security aspects have me quite worried. The article mentions that the cameras that could be identified were from, "[FONT=&quot]Provision ISR, Q-See, QuesTek, TechnoMate, LCT, Capture, Elvox, Novus and Magtec[/FONT]", so the Hikvision may not have been part of it or just weren't identified.
 
  • Like
Reactions: vlx213
dont matter if they are or not, dont put the cameras directly on the internet..
 
nayr said:
This is one of many reasons why you dont forward ports, setup a VPN or dont connect remotely, then for good measure firewall the cameras off from all access too and from the internet.. as connections coming through VPN wont be originating from the internet as far as the firewall is concerned.
Click to expand...

Anyone have a link that details how to set up the VPN and necessary equipment/software? Thanks!
 
You must log in or register to reply here.
Top Bottom