SN 888: The EvilProxy Service

Beep boop - this is a robot. A new show has been posted to TWiT…

What are your thoughts about today’s show? We’d love to hear from you!

With regard to Qnap, why would you put a NAS with your most valuable data on the Internet? My NAS is securely behind my firewall and not accessible from outside. If I want to put something on the web, I’ll rent a server.

One thing Steve said wasn’t 100% correct: Qnap didn’t, I believe, force an update on locked ransomed devices, but many devices had automatic updates enabled and the users didn’t deactivate them, and in some cases they actually tried to update manually after the attack. The updates overwrote the ransom message.

Still a bad record from Qnap.

From a security and probably even sanity perspective, I agree with your implied thinking. On the other hand, Synology actively promotes this use case by marketing their NAS as an “own cloud” type of device, with apps for photo sharing, and note sharing, and many other sharing purposes, as well as [S]FTP uses.

I do understand why they want to promote it this way though. If it’s already always on and burning power, and the CPU is generally underutilized why not produce more “user value” from that electricity?

In my opinion, if they were serious about using the device as a public-facing server and an all-in-one solution, then it should act like 2 separate servers (with separate IPs) and an external pair of RJ45s with a jumper between them (or something with a hardware switch to disable the interconnection). Software-wise it should be constructed with layered defense, so that breaking the first layer doesn’t automatically mean your whole device is at risk.

As for QNAP: I’ve heard people suggesting they want to use a plugin app on QNAP to make it a pfSense firewall too. I cringe at the thought of putting all my eggs in one basket on a device made by a manufacturer who clearly has no security focus.


Am I the only one who double-checks the URL every time I get a logon dialog? I always double-check the domain, that it is TLS and that the certificate is valid.

Although that is hard at work, as the anti-virus solution uses its own global master certificate and replaces the website’s certificate with its own! Very annoying.
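The manual habit described in the post above (check the domain, check that it is TLS) can be written down as a small checker, which is useful for seeing what an AitM reverse-proxy login page actually fails on. The script below is an added example for this thread, not code from the poster or from Security Now; the allow-listed login domains (`example.com`, `login.example.net`) and the sample URLs are constructed placeholders. It inspects only the URL string, offline, and reports every reason a login URL should not be trusted: no TLS, credentials embedded before an `@`, a bare IP host, punycode labels, or a host that merely contains a familiar domain name without being under it.

```python
"""Offline checker for a login-dialog URL, mirroring the manual checks in the post.

Added example for this thread; the expected domains and sample URLs are constructed.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed allow-list: registrable domains where a login form is legitimately expected.
EXPECTED_LOGIN_DOMAINS = {"example.com", "login.example.net"}


def _host_within(host: str, domain: str) -> bool:
    """True if host equals domain or is a proper subdomain of it (label boundary respected)."""
    return host == domain or host.endswith("." + domain)


def check_login_url(url: str, expected=EXPECTED_LOGIN_DOMAINS) -> list:
    """Return the list of reasons the URL fails the check; an empty list means it passes."""
    problems = []
    parts = urlsplit(url)

    # 1. Must be TLS. A plain http:// login form leaks the password and is a classic tell.
    if parts.scheme != "https":
        problems.append(f"not TLS: scheme is {parts.scheme or 'missing'!r}")

    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        problems.append("no host in URL")
        return problems

    # 2. user@host trick: everything before '@' is userinfo, the real host comes after it.
    if parts.username is not None:
        problems.append("URL carries credentials before '@'; the visible name is not the host")

    # 3. A bare IP address is never the expected identity provider.
    try:
        ipaddress.ip_address(host)
        problems.append("host is a bare IP address, not the expected domain")
    except ValueError:
        pass

    # 4. Punycode labels (xn--) can render as look-alike characters in the address bar.
    if any(label.startswith("xn--") for label in host.split(".")):
        problems.append("host contains punycode (IDN) labels; possible homograph")

    # 5. The host must sit under an expected domain, not merely contain its name
    #    (e.g. login.example.com.evil.test contains 'example.com' but is under evil.test).
    if not any(_host_within(host, d) for d in expected):
        hint = ""
        for d in expected:
            if d in host:
                hint = f"; it contains {d!r} but is not under it"
                break
        problems.append(f"host {host!r} is not under an expected login domain{hint}")

    return problems


if __name__ == "__main__":
    # Constructed sample URLs, as a user might see them in a logon dialog.
    for sample in [
        "https://login.example.com/oauth2/authorize",
        "http://login.example.com/oauth2/authorize",
        "https://login.example.com.evil.test/oauth2/authorize",
        "https://example.com@evil.test/login",
        "https://xn--exmple-cua.com/login",
        "https://192.0.2.10/login",
    ]:
        verdict = check_login_url(sample)
        print(sample, "->", "OK" if not verdict else "; ".join(verdict))
```

The checks are deliberately conservative: a URL passes only when it is `https://` and its host is the expected domain or a proper subdomain of it. The one thing this cannot see is the certificate itself, which is exactly what the anti-virus interception in the post hides: once a local "master" root is trusted, a valid-looking padlock no longer proves you reached the real site, so the domain check is the part of the habit that still holds.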