
FBI ‘Drive-By’ Hacking Warning Just Got Real: Here’s How This Malicious New Threat Works


Mustang65


That is why I have my network divided into multiple VLANs. I have an IoT network that is just for this sort of thing. It is also a reason to like things like Insteon which don't bridge to your IP network. Hack Insteon and you get control of Insteon. . . . woop t dooo. That just leaves ISY as a point of attack. But ISY has a lot more horsepower and hopefully better coding. UD seems to take security very seriously, but, of course, that doesn't mean that they couldn't make a mistake. There is also security in obscurity. Hackers like to have lots of targets, and ISY is, I think, still a fairly rare finding.




Can you point me to a reference resource that could help set this up? My networking knowledge is better than average probably but falls short compared to many of those on this forum.

One thing I've wondered about is this: let's say I want to use an app to control my ISY or a Philips Hue hub (locally or over VPN, let's say). What's the best way to have a smartphone or other device communicate with these devices while staying firewalled? Set up a bunch of rules?


1 minute ago, TrojanHorse said:

The low budget way to do this would be to use a consumer grade router that includes a guest network and put all of your IoT stuff on that network. I believe these guest networks limit each device to the internet only, no intranet device to device communication. So that may prevent proper function of some IoT devices that need to communicate with each other on the same LAN.

In my case, I have gone with Ubiquiti equipment which is vastly more capable. You can set up bunches of VLANs and up to 4 SSIDs that can be tied to different VLANs. You can do the traditional guest network as above or you can put different devices into different VLANs. By default, any device on the same VLAN will see all the other devices on that same VLAN. You can create tunnels between VLANs if you have a specific situation where you want to give something on one VLAN limited access to a different VLAN. You can also set up VPN very easily on Ubiquiti equipment. I have VPNs set up as site-to-site and also am able to log in from a VPN client on my phone or PC. I am just a guy who googles these things and watches YouTube videos and I was able to get this all working quite nicely. Ubiquiti is also pretty cool to manage as you can set up a free AWS account and let the controller reside there. This is nice when you are managing multiple locations. The controller software can have as many different networks all on the same controller and you can access the controller from anywhere in the world.

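The firewalled phone-to-ISY access that TrojanHorse asked about and apostolakisl describes (a trusted VLAN allowed to open specific connections into the IoT VLAN, the IoT VLAN allowed out to the Internet only, replies passing because the firewall is stateful) is easier to reason about as an executable model. The Python below is an added example, not code from the thread and not UniFi or EdgeOS configuration; the VLAN numbers, addresses, the ISY address 10.0.30.20 and the assumption that the ISY is reached over TCP 443 are all invented for illustration.

```python
"""Stateful inter-VLAN policy model for the trusted/IoT split discussed
in the thread.  Added example: addresses, VLAN numbers and the ISY port
are assumptions, not the poster's configuration."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Union

# Constructed addressing (assumption): VLAN 10 = trusted phones/PCs, VLAN 30 = IoT.
TRUSTED = ip_network("10.0.10.0/24")
IOT = ip_network("10.0.30.0/24")
PRIVATE = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ISY = ip_network("10.0.30.20/32")   # hypothetical ISY address on the IoT VLAN
ISY_PORTS = frozenset({443})        # assumption: ISY web/REST UI over HTTPS


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    src: Optional[IPv4Network] = None                 # None = any source
    dst: Union[IPv4Network, str, None] = None         # network, "INTERNET", or None = any
    proto: Optional[str] = None
    dports: frozenset = frozenset()                   # empty = any port
    action: str = "accept"

    def matches(self, p: Packet) -> bool:
        s, d = ip_address(p.src), ip_address(p.dst)
        if self.src is not None and s not in self.src:
            return False
        if self.dst == "INTERNET":                    # anything outside RFC 1918 space
            if any(d in n for n in PRIVATE):
                return False
        elif self.dst is not None and d not in self.dst:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dports and p.dport not in self.dports:
            return False
        return True


# First match wins; a packet that matches no rule is dropped (default deny).
RULES = [
    Rule("trusted -> ISY web UI", src=TRUSTED, dst=ISY, proto="tcp", dports=ISY_PORTS),
    Rule("trusted -> Internet", src=TRUSTED, dst="INTERNET"),
    Rule("IoT -> Internet only", src=IOT, dst="INTERNET"),
    # Deliberately no rule from IoT toward private address space.
]


class StatefulFirewall:
    """Connection tracking: replies to an accepted flow pass without needing a rule."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.flows = set()   # 5-tuples of accepted flows, stored in the initiating direction

    def decide(self, p: Packet) -> str:
        forward = (p.src, p.dst, p.proto, p.sport, p.dport)
        reverse = (p.dst, p.src, p.proto, p.dport, p.sport)
        if forward in self.flows or reverse in self.flows:
            return "accept (established)"
        for r in self.rules:
            if r.matches(p):
                if r.action == "accept":
                    self.flows.add(forward)
                return f"{r.action} ({r.name})"
        return "drop (default)"


def run_scenario() -> List[str]:
    """Constructed traffic: a phone on VLAN 10 talks to the ISY, the ISY
    replies, then an IoT bulb tries to reach a NAS, the phone and the Internet."""
    fw = StatefulFirewall(RULES)
    phone, isy, bulb, nas = "10.0.10.50", "10.0.30.20", "10.0.30.77", "10.0.10.5"
    traffic = [
        Packet(phone, isy, "tcp", 51000, 443),            # phone opens HTTPS to ISY
        Packet(isy, phone, "tcp", 443, 51000),            # ISY reply: established
        Packet(bulb, nas, "tcp", 40000, 445),             # IoT -> NAS SMB: new flow, dropped
        Packet(bulb, phone, "tcp", 40001, 51000),         # IoT -> phone, not a reply: dropped
        Packet(bulb, "93.184.216.34", "tcp", 40002, 443), # IoT -> Internet: allowed
        Packet(phone, isy, "tcp", 51001, 22),             # phone -> ISY port 22: not allowlisted
    ]
    return [fw.decide(p) for p in traffic]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

The fourth packet is the one to notice: it targets the phone's open client port, but because the tracker matches the full 5-tuple rather than just a destination port it is still a new connection from the IoT side and is dropped. On a USG or EdgeRouter the equivalent is an "in" ruleset bound to the IoT VLAN interface whose first rule accepts established/related traffic and whose default action is drop, with the trusted-side allow rules scoped to the ISY's address and port rather than the whole IoT subnet.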
On 2/9/2020 at 10:42 AM, apostolakisl said:

In my case, I have gone with Ubiquiti equipment which is vastly more capable. You can set up bunches of VLANs and up to 4 SSIDs that can be tied to different VLANs. You can do the traditional guest network as above or you can put different devices into different VLANs.

Can you give us a list of your Ubiquiti equipment and a drawing of how your equipment is set up?

Thanks



I know this question wasn't addressed to me, but I can affirm that I do the very same as apostolakisl.

This is probably a little over the top for many here but this is what you do when you’re dead serious about your infrastructure.

Just a small sample of one of the four racks.


This is one of three APC UPS systems besides all the other three redundant layers.



8 hours ago, Mustang65 said:

Can you give us a list of your Ubiquiti equipment and a drawing of how your equipment is set up?

Thanks

My home setup:

1) USG

2) AC AP Pro (times 3)

3) 8-port switch (US-8-60W), has 4 PoE ports.

The switch is optional. If all of your hard-wired ethernet stuff is on the same LAN, then you can use any "dumb" switch. The USG is not a switch, it only has 1 output (sort of has 2). If you want to separate hard wired stuff into different LANs, you need a managed switch. The APs will take care of putting stuff on different VLANs that are wireless.

Wiring this together is pretty basic. No need for a diagram. Ethernet from ISP modem to USG, then from USG to switch, then to APs/other devices. You can mesh the APs if you don't want to run ethernet to all of them. The APs run on PoE. They usually come with a PoE injector, but some packaging does not include it. If you need the PoE injector, then make sure you read the description so that you get it included. Alternatively, you can use a PoE switch to power them. The APs have a passthrough ethernet jack on them, so if you already have just a single ethernet wire to somewhere in your house that would be good for the AP, but the wire is in use, no worries, just use the passthrough.

EDIT: Also, I should mention. The hard part is configuring it, not wiring it. If you are only doing a single site, then it is probably just as well to run the controller locally. You can run it on a PC or buy one of their little stick controllers. You can do an AWS controller if you like; there are some good YouTube videos that walk you through it. The controller does not need to run all the time if you don't care about network monitoring. The controller does not have anything to do with functionality, it only is for configuration/monitoring/alerts/firmware updates. If you have multiple sites, then I highly recommend an AWS controller. I have the AWS whitelist only the IPs of my 3 sites which makes it quite secure. If I need to log in from somewhere else, I first log in to the AWS dashboard and whitelist the IP where I am currently located, then remove it when done.


TEST - TEST - TEST! I really should have secured that 1-Wire sensor better. But I just wanted to complete a quick test!

I was thinking that with all the available space for "future use" maybe there's room for Amazon (or/and?) Google to locate server(s) there. Then you wouldn't need to rely on the cloud for voice!

Edit: it's worth asking them I think. But maybe fix or hide the splice first

Me so embarrassed leaving said wire poorly connected!

None of us mere mortals will ever be able to achieve the amount of storage space like AWS / Google.

But, it doesn’t mean you can’t try!

In 2020 - 2021 The Teken household will be rocking a 1.2 petabyte storage array!

Cloud, what cloud?!?


6 minutes ago, LFMc said:

Ok, pictures were enough, but now I'm officially envious... ?

 

No need . . .

We all got our vices, and back in the day it was fast cars and fast women. I no longer drink, smoke, gamble or do drugs (never did any of these). So my personal hobby is my home, which I feel is something worthy of the time and investment.

Why not make the place you love the most enjoyable to the Nth degree!

The Peta Project has been a four year journey and believe by the end of 2021 all of the pieces will be in place. :D

Cloud?!? What Cloud . . .  

Given your goal, this might be an interesting article on a large cloud storage company's 3 years of testing large HDs and their reliability. Enjoy.

https://www.backblaze.com/blog/how-backblaze-buys-hard-drives/

Yes, this was one of several articles that inspired the Peta Project!

For high speed cache approximately 150 SSD / NVMe drives like these will be in place besides the 12 TB drives.

This is a picture of one of eight 120-240 VAC APC Symmetra On-Line systems being pulled out and staged to my home. Eight of these massive units powered my home, which is one of four layers of redundancy.

3 hours ago, Teken said:

The term "overkill" isn't strong enough for your setup!  I love it!

I too have a bunch of Ubiquiti gear and I thought I was well into the overkill territory!  You put me to shame!!  And as has been said, wiring it up is not the hard part, it's configuration.

FWIW... here's my list of Ubiquiti hardware and their basic duties:

  • EdgeRouter 12 - Main rack in office. Uplinked to 1 Gbit bidirectional fiber WAN gear. Acts as main router/firewall.
    • Soon to be replaced by a UniFi Dream Machine Pro (UDMP)?? If they get the bugs worked out of it!
  • EdgeSwitch 24 Lite (non-PoE) - Core switch in main rack in office. Uplinked to EdgeRouter 12.
    • Possibly to be replaced by a UniFi Switch 24 Pro (with 10 Gbit uplink/downlink ports) to complement the UDMP's 10 Gbit port for the trunk between the two.
  • EdgeSwitch 10X - Living room/entertainment center
  • EdgeRouter X (configured as a switch for the garage AP and hard-wired devices)
  • UniFi Flex Switch (5 PoE ports, powered by the main rack PoE injector, providing PoE power to the pool shed AP and an RPi for pool data collection)
  • 2x UniFi AP AC Lite access points
  • UniFi nanoHD access point
  • UniFi AP In-Wall AC access point

About 10 VLANs to segregate guest/IoT/server/UDI stuff/NAS/Cameras/Private wired/Private wireless/...

Serious pain in the a$$ to configure all of this but once it's all done, it actually works really well.  It's been a fun learning process though.  I now know a lot more about networking than I used to!

It provides: Wireless coverage over the whole property/house.  Fast internal/external throughput... and most importantly... it's "Secure".  Or at least a hell of a lot more secure than my "flat" network was with an ASUS router.  

@Toddimus @Teken

So you guys are just a WEEEEEE bit overkill. There are probably corporations with 100's of employees with less complex setups. For mere mortals I think the slightly more conservative setup I have is a better place for @Mustang65 to get started. The basic USG and one or more UniFi APs is the bare minimum, but fully sufficient to get most any home network segregated into plenty of VLANs. A managed switch is probably not going to be needed since most home networks have a limited number of items on ethernet, and probably those few items will be granted the same permissions. But, if you need to segregate hard wired stuff into multiple VLANs, then you need a smart switch. It is possible to use a non-Ubiquiti one, but a whole lot easier if you stick with Ubiquiti. At my office, I have a smart switch that is not Ubiquiti mixed in with my Ubiquiti stuff, and I had to jump through hoops to get it to do multiple VLANs with the USG.

1 hour ago, apostolakisl said:

100%

As noted early on this has been a favorite pastime and endeavor I enjoy. Not very many people are going to need to have a 10/40 Gb internal LAN all connected via fiber optics. Nor will people need four layers of redundant power when the POCO is having technical issues with the grid. Those who have or do live in disaster prone areas where flooding, tornado, earthquake, lightning, can relate to wanting some form of backup power.

My personal (disaster) experience(s) and those around me have driven the mindset to plan ahead and build upon best practices in whatever industry.

No one should ever feel compelled to compete with others to achieve the same. But in the same vein people should do what they can afford or do to ensure safety & security is always present for the home and family. This time 20 years ago if you told a group of peers that ransomware, broad daylight carjacking, home invasions, was going to be a thing everyone would have laughed you out of the room.

No one is laughing now - or dismissing such concerns. . .

Like you, I enjoy reading what others are up to and what they have been able to accomplish from shoe string budget to sky's the limit. When topics like this come up I try to balance what I wish to share vs what should be shared. My perspective with respect to this thread is to inspire others to achieve the most they can at whatever level they deem reasonable. 

One of many things I live by is *Don't strive for perfection - Strive for progress*      

On that note here's another piece of network pOrn! 

I had to wait for the other short depth server rack to arrive. Once on site it was the back breaking process of inserting the next batch of APC UPS Battery Packs. There’s another 20 to go and will need to do them in the summer.


This is the other rack getting ready for their final home runs. All the cable is CAT-6, CAT-7, CAT-8, and Fibre. At the top are two 48 Port CAT-6 rated keystone patch panels.

They will help me adapt the network for CAT, Fibre, HDMI, Coax, USB, etc.


There are six APC 7902 power management distribution nodes. One backup for each server rack, which fail over to three independent power systems should there be an interruption in power.

They are getting staged to go live in the coming months once I have finalized the three edge firewalls. There are four independent (ISP) Internet connections, not including satellite as the 5th fail over. Two are cellular, one is direct fibre, and one is fibre/coaxial.


This photo is for the third rack, which has two 16-port 10 Gb fibre and RJ45 switches. Of special note at the bottom is an independent dual PoE switch and keystone patch panels with managed PDU.

This unit is 100% isolated and is powered by other independent power systems. Nothing in the various home networks is attached to this array. It runs in a closed loop to manage and monitor the entire superstructure via a custom built guardian system.

Which is composed of 24 clustered ultra micro computers.

This is on top of the six 48-port 500 / 700 watt PoE switches. Not in these pictures is the 40 Gb switch which connects the green zone and the future 1.2 petabyte storage array.

Here is a nice illustrated display of my setup from the Ubiquiti control software. FYI, the Ubiquiti APs are rated for outdoor use. My central AP is under the eave in front of my house. I intend on getting another AP and doing the same for the back of the house.


That’s a much better “starter” system. I began with something very similar and once I drank the Kool aid, I expanded. Networking stuff is a good avocation for me. Lots of opportunity to learn and waste money on new hardware.

Along those lines, I have been digging pretty deeply into OpenHAB as a coexisting/complementary system to the UDI stuff, primarily for pool automation/chemistry measurement and weather integration.



6 hours ago, Teken said:

We all got our vices, and back in the day it was fast cars and fast women. I no longer drink, smoke, gamble or do drugs (never did any of these). So my personal hobby is my home, which I feel is something worthy of the time and investment.

Ok, Ok, since everyone is showing their "stuff", I thought I would show mine too. And before you think I've overdone it, I need to tell you that I gave up golf and the monthly trip to Starbucks to support my habit. I'm still waiting for the rebuilt APC Back-UPS ES 550 to power it.

17 minutes ago, LFMc said:

Awesome! :mrgreen:

And I thought giving up fast women and cars was hard!

17 hours ago, Teken said:

All this for Teken's Commodore 64 computer, or was it for his Sinclair 1000?
Archived

This topic is now archived and is closed to further replies.

