Info Security and your DSM setup


Wouldn’t it be nice if there was a location you could visit that would test your security system settings to tell you the GOOD and BAD parts about your home system, and report the results and suggestions?
Yes, the place is called: life, or reality.
Nothing is perfect,
because the real cost of lost data isn't about the binary written expression,
it's about the lost memories, ideas or experiences written in the binaries.

And people are irrational creatures:
they invest 800€ into a new smartphone rather than 400 into safe and long-lasting memories.

… try to explain such attacks to them. No one will believe it.
"It can't happen to me." People will believe in the catastrophe when they see an asteroid in the sky. Until then, it's nothing.
 
I was thinking more that this could become a profit center for someone, as long as it was good, and also secure.

Sure.
However, you must return to the essence of this civilization, based on the irrational behaviour of 80% of them:
1. The masses prefer to pay a fee to the ISP for connecting to the Internet, including a router.
2. For this reason, the ISPs very often use low-cost routers, which meet the most crucial requirement - connect the user to the Internet. They even offer WiFi. And that is included in the price of the internet fee.
3. For this reason, they (customers) perceive that the router is for free.
4. When something is for free, it is always cheaper than a router for 400Eur.
5. Why should they spend additional costs when the Internet is running? Surely someone wants to rob them.
6. Especially since after two years they (customers) need to buy a new smartphone. And that's really expensive for them, but more important - because that is how it is perceived by their social bubble. Who cares about the router or firewall or something so irrelevant?
After all, none of them sees an asteroid in the sky.

For the remaining 20%, it is essential to be continuously educated in this forum. They know that meteorites are constantly falling.
As I understand it, a few people here are also involved in such "profit centres".
Or you can check the Willie Howe or Lawrence Systems YT channels for new inspiration.
 
Okay, I have the fear of god put in me.... I am one who is on the very fringes of knowledge but sure as hell want to know.
How can I as an "unskilled user" fix my "nice black box"?
Is there a tutorial which guides "the unwashed" through some starter steps to check the top priority settings?
I had thrown out my ISP router on day one and use the Ubiquiti Dream Machine. But honestly I do not know how secure my nice black box is! I sure wish I knew what y'all do... or maybe in my hands that would be a dangerous thing too!
 
@buckland
Just to be sure: did you mean: Unifi Dream Machine (UDM) or UDM Pro?

Re: Secure setup of the NAS. You can find plenty of advice and recommendations here (forum) on how to do it better. It will help you stay in the safe part of operation. For the start stage you can use Search and keywords (security, …).
However, you need to understand networking basics first. Otherwise you will just blindly follow some steps and never understand why.
In this forum you can find a lot of trustworthy sources for your new skills.
Good luck! Enjoy!
 
Glad you asked ... it is Unifi Dream machine (the cylinder) not the pro. I have to set aside more time to take advantage of the knowledge based here. It's too easy to bellyache ... I just have to delve into it. Winter is my time to do computer based stuff. Just got the cordwood in... seasonal chores first. When I got internet the router from ISP was lousy so as I could not afford to go with the Pro I went with the UDM. I watched this video and set it up pretty much exactly as he suggested. The thinking at the time was I needed to get this done as the wife wasn't into my learning curve.... and so it goes! I will be back when the snow flies!
 
Regarding the UDM. This is all in one box. True.
I don't like the guy from the video = too much entertainment there. You can cut the first 8 minutes. The next 11 minutes - there is useful content for newbies. The remaining 9 minutes you can cut as well.

I like the Unifi controller. Also the user manual is really great. You can find more information there. But what you need is someone who will prepare network basics training for you. You can find a lot of topics on YT. The mentioned channels are more about knowledge than the guy from your video.
There is no way to create efficient and secure networks in a few clicks (as was promoted in the video). It's just a dream.
 
Agree 100% on his over-wired presentation... I too fast-forwarded to the setup. Thanks again for taking the time to reply and suggest where to go for knowledge-based videos.
 
Agree 100% on his over-wired presentation... I too fast-forwarded to the setup. Thanks again for taking the time to reply and suggest where to go for knowledge-based videos.

You can also start here:
Don't be scared off by the Docker topic. You can find more basics there about the Unifi Firewall operation/setup.
 
Wouldn’t it be nice if there was a location you could visit that would test your security system settings to tell you the GOOD and BAD parts about your home system, and report the results and suggestions?
Jan,
I do sometimes use the following sites to check from the outside in:
- GRC | ShieldsUP! — Internet Vulnerability Profiling (shieldsup)

Then from the inside:
- Synology Security Advisor,
- Mac / W10: there are many free and paid tools to check your network for issues, and it is also included in most antivirus tools.
 
Yes, I use all the free tools at ShieldsUP.... and pass all those tests there. I also contacted them about a more in-depth security test, as I asked above...
and they said they didn't have one, and weren't considering doing one. I have asked a couple of other places, and I'm still awaiting answers.
 
So,
some experiences from Synology Product Security Incident Response Team communication.

Last week I sent them a description of the whole problem, which is summarized in this thread, including a proposal for a possible solution on how to minimize the growth of such exposed NASes. In the third email response in a row I suggested a video call to them, because it's a more efficient way than an offline email conversation. They insist on email communication, I quote:
To arrange a call might cost more time since we didn't know what issue you found.

If this thread is not enough for someone to create a problem, then I have doubts about the expertise of the members of the PSIRT analytical team.

Because delaying the solution of this problem supports the growth of the botnet network in the Syno NAS environment.
 
Because delaying the solution of this problem supports the growth of the botnet network in the Syno NAS environment.
This has become a problem larger than any single company in the industry, and it's only getting bigger. The way I see it, synology is just playing the same game as other companies: act/invest just enough to try to NOT be a top offender to avoid bad PR.

I don't think any single company can do much to improve the situation; the problem should be tackled at the government/regulation level. I don't know exactly what should be done, but if the car industry, aviation industry, etc. are liable for problems with their products due to negligence or lack of support/focus, so should the computer industry be. It has become very clear that problems with networked computers can and will result in personal injury and damage to property.

Just my opinion...
 


A consideration, based on this thread information:

I have exposed almost 3M NASes. And there may be many more because there is no scan of the whole internet.
I know from the Shodan report list of their IP addresses.
I can make a script in PY that will examine it all over again.
I can get S/N, model and open ports for all the IP addresses. A really valuable CSV for a deep analysis.
I will compare this data with my DB of users/devices that I have registered for each account.
I have email addresses for them.
I have everything that I need for these steps. Almost free of charge. Need a day or two.

Since the NAS owners will usually not be skilled admins, I can offer them (the target group) a centralized download of a small .sh that will run a deeper assessment. I can collect these verdicts in my lab. I will analyze and create a central segmented patch according to the problem areas.

However, I will first create a script to disable the SSDP response from the WAN (firewall rule settings). No one needs this feature on the WAN. Only allow it to run via SSH for the admin account. Done.

I don't have to be an expert in security networking for this consideration.

I can monetize this service as the most secure NAS vendor in the SOHO market by PR.
1000x better than the whole pointless circus about the DSM7.

Edit:
+ new 12ths of new IPs in the report during this weekend
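A defensive illustration of the "disable SSDP from the WAN" firewall rule mentioned in the post above, added here as an example and not code from the thread or from Synology: it assumes a Linux host with iptables, is not DSM-specific, and takes the WAN interface name as a parameter (eth0 is only a placeholder default).

```shell
#!/bin/sh
# Added example (not from the thread): block SSDP (UDP/1900) arriving on the WAN
# interface with iptables. Assumes a generic Linux host with iptables; the WAN
# interface name is a parameter, and eth0 below is only a placeholder default.
WAN_IF="${WAN_IF:-eth0}"

# Print the rules that would be applied, one per line, without touching the system.
ssdp_wan_rules() {
    # Drop SSDP discovery (M-SEARCH) and NOTIFY traffic coming in from the WAN side.
    printf '%s\n' "INPUT -i $1 -p udp --dport 1900 -j DROP"
    # Also stop the host from forwarding SSDP between the WAN and the LAN.
    printf '%s\n' "FORWARD -i $1 -p udp --dport 1900 -j DROP"
}

# Apply the rules idempotently: insert a rule only if iptables -C reports it absent.
apply_ssdp_wan_rules() {
    command -v iptables >/dev/null 2>&1 || { echo "iptables not found" >&2; return 2; }
    ssdp_wan_rules "$1" | while read -r chain rest; do
        # Word-splitting of $rest into separate iptables arguments is intended.
        if iptables -C "$chain" $rest 2>/dev/null; then
            echo "present: $chain $rest"
        else
            iptables -I "$chain" 1 $rest && echo "added: $chain $rest"
        fi
    done
}

# Only change firewall state when explicitly asked, so sourcing this file is side-effect free.
if [ "${1:-}" = "apply" ]; then
    apply_ssdp_wan_rules "$WAN_IF"
fi
```

Run `WAN_IF=<your wan interface> sh ssdp_wan.sh apply` as root; the rules are not persistent across reboots unless saved with the distribution's own mechanism.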
 
