Page 2 of 2, results 26 to 44 of 44

Thread: How Safe is Neptune Apex Fusion from hackers ?

  1. #26
    Apex User
    Join Date
    Dec 2013
    Location
    Denver, CO
    Posts
    6,436
    Quote Originally Posted by Jlentz
    Thanks Rob.

    I'd also like to add.

    For the love of God. Do not add 2FA and ask me for my phone number to use SMS as a 2FA method. This is not secure.


    Sent from my iPhone using Tapatalk
    Reasoning? How would someone outside of a government hacker be able to hack your password AND intercept an SMS authentication code solely to mess with your tank. That kind of skill is reserved for espionage and multimillion dollar fraud schemes.

    You might be an engineer if...You have no life and can prove it mathematically.

  2. #27
    Regular Visitor
    Join Date
    Jun 2015
    Location
    UK
    Posts
    37
    To be fair, vulnerabilities have been exploited to intercept SMS authentication. It's not a secure method, but to be honest, two factor auth should be standard and will add significant protection from account compromise.

  3. #28
    Frequent Visitor
    Join Date
    Dec 2014
    Location
    Mojave Desert
    Posts
    109
    Quote Originally Posted by zombie
    Reasoning? How would someone outside of a government hacker be able to hack your password AND intercept an SMS authentication code solely to mess with your tank. That kind of skill is reserved for espionage and multimillion dollar fraud schemes.

    You might be an engineer if...You have no life and can prove it mathematically.


    I'm less worried about the government hackers in this case. What they do is far more insidious.

    However SMS 2FA is fairly easy to break.
    https://motherboard.vice.com/en_us/a...2fa-is-screwed

    While it's very tempting to think "it's just my fish tank why would someone try to hack it" it's still insecure. It's not limited to espionage and/or multimillion dollar fraud schemes, though theoretically they could hit multimillion dollar levels if they can empty enough people's bank accounts and bitcoin wallets.


    NIST recommended that everyone stop using SMS 2FA almost a year ago. (About 6 months before Wells Fargo started to require it...)



    Sent from my iPhone using Tapatalk

  4. #29
    Frequent Visitor
    Join Date
    Dec 2014
    Location
    Mojave Desert
    Posts
    109
    Quote Originally Posted by tastyfish
    To be fair, vulnerabilities have been exploited to intercept SMS authentication. It's not a secure method, but to be honest, two factor auth should be standard and will add significant protection from account compromise.
    Don't get me wrong. I want 2FA on everything. If I could use my yubikey I'd be very happy.

    The other issue I have with the SMS 2FA system is that I believe the reason most companies in the last two years have brought it online is to get all their customers cell numbers. It also seems to coincide with the increase in the amount of telemarketing calls I've been getting lately.


    Sent from my iPhone using Tapatalk

  5. #30
    Apex User
    Join Date
    Dec 2013
    Location
    Denver, CO
    Posts
    6,436
    Quote Originally Posted by Jlentz
    The other issue I have with the SMS 2FA system is that I believe the reason most companies in the last two years have brought it online is to get all their customers cell numbers. It also seems to coincide with the increase in the amount of telemarketing calls I've been getting lately.
    That's not something Neptune would do. I wouldn't put it past a slimy company like Google, but Neptune values customer privacy.

    You might be an engineer if...You have no life and can prove it mathematically.

  6. #31
    Frequent Visitor
    Join Date
    Dec 2014
    Location
    Mojave Desert
    Posts
    109
    Quote Originally Posted by zombie
    That's not something Neptune would do. I wouldn't put it past a slimy company like Google, but Neptune values customer privacy.

    You might be an engineer if...You have no life and can prove it mathematically.
    Google actually has a good 2FA system if I recall correctly. They don't need your phone number, they've already got everything on you.

    I actually trust Neptune in that regard. I have to question their judgement on things like using telnet instead of ssh though.



    Sent from my iPhone using Tapatalk

  7. #32
    Regular Visitor
    Join Date
    Jun 2015
    Location
    UK
    Posts
    37
    Quote Originally Posted by Jlentz
    Google actually has a good 2FA system if I recall correctly. They don't need your phone number, they've already got everything on you.

    I actually trust Neptune in that regard. I have to question their judgement on things like using telnet instead of ssh though.



    Sent from my iPhone using Tapatalk
    Please don't tell me telnet is open on the Apex...

  8. #33
    Regular Visitor
    Join Date
    Jun 2015
    Location
    UK
    Posts
    37
    Sigh, Telnet *is* open on the Apex... Oh and they have a SHA-1 certificate on fusion...

  9. #34
    Apex User
    Join Date
    Dec 2013
    Location
    Denver, CO
    Posts
    6,436
    Telnet is not "open" on the apex. It is password protected just like the classic dashboard.

    You might be an engineer if...You have no life and can prove it mathematically.

  10. #35
    Regular Visitor
    Join Date
    Jun 2015
    Location
    UK
    Posts
    37
    Quote Originally Posted by zombie
    Telnet is not "open" on the apex. It is password protected just like the classic dashboard.

    You might be an engineer if...You have no life and can prove it mathematically.
    The port is open and I can get an authentication prompt; it also has no brute-force protection, so I could simply script a brute-force attack should I be so inclined.

    Telnet is a terrible protocol to be running TBH, everything is sent in the clear and obviously the port is open to connect to any IP. The default account is "admin". Basic Access Control table would be a starting point to limit access to the servers Apex offer support from.

    Best practice would be SSH with certificate based authentication from a particular set of support servers which Apex support could jump on from.

    Now obviously it needs to be on a protected network and not on the internet, but there are several areas of concern here. If the unit wasn't running my tank right now, I'd be running scans and exploit tests on it...
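Added example, not posted by anyone in this thread and not Neptune's code: what a passive observer on the path sees when a Telnet login goes past. Telnet option negotiation is stripped per RFC 854 and whatever the client typed after the login and password prompts is recovered as plain text, which is the whole "everything is sent in the clear" point. The transcript below is constructed for illustration; the prompt text, the account name and the password are assumptions, not captured Apex traffic.

```python
"""Recover a Telnet login from a captured transcript.

Added example (not from the forum thread). The session bytes are constructed;
prompts, account name and password are assumptions, not real Apex traffic.
"""

IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240


def strip_negotiation(data: bytes) -> bytes:
    """Remove Telnet option negotiation (RFC 854) and return the user-visible bytes."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= len(data):          # dangling IAC at end of chunk: drop it
            break
        cmd = data[i + 1]
        if cmd == IAC:                  # IAC IAC is an escaped literal 0xFF byte
            out.append(IAC)
            i += 2
        elif cmd in (WILL, WONT, DO, DONT):
            i += 3                      # IAC <cmd> <option>
        elif cmd == SB:                 # sub-negotiation runs until IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:
            i += 2                      # any other two-byte command (NOP, GA, ...)
    return bytes(out)


def extract_credentials(session):
    """Walk a list of (direction, bytes) chunks and return what the client typed
    in reply to login/password prompts. Direction is 'srv' or 'cli'."""
    creds = {}
    expecting = None
    pending = b""
    for direction, chunk in session:
        text = strip_negotiation(chunk)
        if direction == "srv":
            prompt = text.lower()
            if b"password:" in prompt:
                expecting = "password"
            elif b"login:" in prompt or b"username:" in prompt:
                expecting = "username"
        else:
            pending += text
            while b"\n" in pending:          # client input is line-buffered
                line, _, pending = pending.partition(b"\n")
                if expecting is not None:
                    creds[expecting] = line.rstrip(b"\r").decode("ascii", "replace")
                    expecting = None
    return creds


# Constructed transcript: option negotiation, then a login exchange.
SAMPLE_SESSION = [
    ("srv", b"\xff\xfb\x01\xff\xfb\x03"),   # IAC WILL ECHO, IAC WILL SUPPRESS-GO-AHEAD
    ("cli", b"\xff\xfd\x01\xff\xfd\x03"),   # IAC DO ECHO, IAC DO SUPPRESS-GO-AHEAD
    ("srv", b"\r\nlogin: "),
    ("cli", b"admin\r\n"),                  # assumed account name
    ("srv", b"Password: "),
    ("cli", b"hunter2\r\n"),                # assumed password, sent in the clear
    ("srv", b"\r\nWelcome.\r\n"),
]

if __name__ == "__main__":
    print(extract_credentials(SAMPLE_SESSION))
```

Run it and the username and password come straight back out of the byte stream; no key, no exploit, just a sniffer on the same segment. The same walk over an SSH session gives you nothing after the key exchange, which is the practical difference between the two protocols.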

  11. #36
    Frequent Visitor
    Join Date
    Mar 2017
    Location
    US, Central
    Posts
    342
    Quote Originally Posted by tastyfish
    Asking "How secure is it?" is not really going to get you an answer either way. I've worked in the security industry for 20 years and I can tell you that although the site doesn't host personal information in terms of CC numbers (PANs) it does contain valuable data (your usernames and passwords) and is also of interest to hackers as our tanks are now part of the internet of things.

    Disappointingly, when I asked this question previously, I got a "we use https, so are secure" answer, which is what every security professional dreads to hear.

    What I would be more interested in hearing is around policy (i.e. adhering to ISO27001) controls (i.e. two factor authentication, restricting access to specific devices) and regular security testing (note: NOT just vulnerability scans).

    Now I'm not saying fusion is insecure, I'm just pointing out potential issues/areas of improvement from a people, process and controls point of view.

    I work in an industry where I could walk up to your front door, remove your wireless doorbell you are proud of and obtain your wifi encryption key in seconds. Our tanks are part of the internet of things and I'm increasingly concerned about the increase in number of wireless devices which could have serious security flaws in them (just like the wireless door bell).

    If a hacker got access to our systems, they could quite easily kill everything in our tanks without even realising what they are connected to.

    So take measures yourself.

    - Use a difficult to guess password, ensure it is unique to fusion
    - Always update any device connected to your network and ensure firewalls and antivirus are enabled
    - Use WPA2 and a difficult to guess and unique key
    - Disable Wifi on all devices which can be wired

    As far as feature requests go, PLEASE NEPTUNE: Give us the option of having two factor authentication and device control on fusion. There is no excuse in 2017 for not having multi factor authentication.

    I have in the time it's taken me to write this identified a potential security issue which needs to be addressed. Can Neptune please PM me the details of who to send the details to?

    Thanks

    Rob
    I also use a 'wired' doorbell. But I do agree with you that most people are not knowledgeable enough to protect themselves or even be aware of their own vulnerabilities. And I absolutely loathe using wireless signals on fixed devices. I hardwire everything that does not move. I have not been very good at unique passwords but I am getting there.

  12. #37
    Master Control Freak RussM
    Join Date
    Dec 2012
    Location
    California - US Pacific
    Posts
    15,389
    Quote Originally Posted by tastyfish
    Sigh, Telnet *is* open on the Apex... Oh and they have a SHA-1 certificate on fusion...
    Telnet is not available in Fusion, so discussion about telnet is off-topic here in this thread discussing Fusion security. Keep it on topic please.

    APEX Fusion has a SHA-256 certificate.
    I'm not a Neptune support rep. Please do not send me PMs with technical questions or requesting assistance - use the forums for Apex help. PM me ONLY if the matter is of a private or personal nature. Thanks.

  13. #38
    Regular Visitor
    Join Date
    Jun 2015
    Location
    UK
    Posts
    37
    Quote Originally Posted by RussM
    Telnet is not available in Fusion, so discussion about telnet is off-topic here in this thread discussing Fusion security. Keep it on topic please.

    APEX Fusion has a SHA-256 certificate.
    Russ, it's a SHA-1 certificate; it has a 256-bit key length, but SHA-1 has been demonstrated to be crackable within a reasonable period of time. SHA-1 certificates should not be used and some browsers will give an insecure page warning.

  14. #39
    Apex User
    Join Date
    Dec 2013
    Location
    Denver, CO
    Posts
    6,436
    Quote Originally Posted by tastyfish
    Russ, it's a SHA-1 certificate; it has a 256-bit key length, but SHA-1 has been demonstrated to be crackable within a reasonable period of time. SHA-1 certificates should not be used and some browsers will give an insecure page warning.
    That is incorrect. SHA-1 is always a 160-bit hash. SHA-2 encompasses the larger hash sizes, including SHA-256.

    You might be an engineer if...You have no life and can prove it mathematically.

  15. #40
    Regular Visitor
    Join Date
    Jun 2015
    Location
    UK
    Posts
    37
    Multi-tasking, I apologise, you are right.

  16. #41
    Master Control Freak RussM
    Join Date
    Dec 2012
    Location
    California - US Pacific
    Posts
    15,389
    Quote Originally Posted by tastyfish
    Russ, it's a SHA-1 certificate; it has a 256-bit key length, but SHA-1 has been demonstrated to be crackable within a reasonable period of time. SHA-1 certificates should not be used and some browsers will give an insecure page warning.
    The thumbprint algorithm used is sha1, yes, but the signature algorithm is sha256. The sha1 thumbprint algorithm is of no concern, and is pretty much irrelevant - you'll see it on many, many modern, standards-compliant SSL/TLS certificates. It's for the signature algorithm that the use of sha1 has been deprecated. And Fusion's certificate signature *is* based on sha2/sha256. If Fusion were in fact still using an outdated sha1-signed cert, most browsers would be showing a warning about it; they are not. Google started showing warnings in Chrome back in '14, for example; you won't find such a warning in Chrome when accessing apexfusion.com. Additionally, the current cert for apexfusion was issued in November last year - after most if not all CAs stopped issuing certs based on sha1 signatures.

    This article has a good overview of thumbprint vs signature: https://www.thesslstore.com/blog/ssl...-1-thumbprint/ and I'll quote a key point from it: "So, to summarize: SHA1 thumbprints are okay. SHA 1 signatures are not."
    I'm not a Neptune support rep. Please do not send me PMs with technical questions or requesting assistance - use the forums for Apex help. PM me ONLY if the matter is of a private or personal nature. Thanks.
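Added example, not posted by anyone in this thread and nothing to do with Fusion's real certificate: the thumbprint/signature distinction in code. A certificate's signature algorithm is a field stored inside the DER structure (the outer signatureAlgorithm), whereas a thumbprint is just a hash of the whole DER blob computed by whoever is displaying it, so a SHA-1 thumbprint says nothing about how the cert was signed. The block builds a minimal toy certificate skeleton with a fake signature value (an assumption for illustration, not a real or valid cert), reads the signature-algorithm OID back out of it, and computes SHA-1 and SHA-256 thumbprints over the same bytes.

```python
"""Thumbprint vs signature algorithm on a DER certificate.

Added example (not from the forum thread). The certificate built here is a
toy skeleton with a fake signature; it is an assumption for illustration only.
"""
import hashlib

SHA256_WITH_RSA = "1.2.840.113549.1.1.11"   # sha256WithRSAEncryption
SHA1_WITH_RSA = "1.2.840.113549.1.1.5"      # sha1WithRSAEncryption (deprecated)


def _der_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV element."""
    return bytes([tag]) + _der_length(len(body)) + body


def der_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return der(0x06, bytes(out))


def decode_oid(body: bytes) -> str:
    """Decode the body of a DER OBJECT IDENTIFIER back to dotted form."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                 # high bit clear ends the arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def read_tlv(data: bytes, offset: int):
    """Return (tag, body, next_offset) for the element starting at offset."""
    tag = data[offset]
    length = data[offset + 1]
    offset += 2
    if length & 0x80:                    # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(data[offset:offset + nbytes], "big")
        offset += nbytes
    return tag, data[offset:offset + length], offset + length


def build_toy_certificate(signature_oid: str) -> bytes:
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    The tbsCertificate is a placeholder and the signature bytes are fake."""
    alg_id = der(0x30, der_oid(signature_oid) + der(0x05, b""))   # AlgorithmIdentifier
    tbs = der(0x30, der(0x02, b"\x01") + alg_id)                  # serial 1 + algorithm
    fake_signature = der(0x03, b"\x00" + b"\xAB" * 32)            # BIT STRING, 0 unused bits
    return der(0x30, tbs + alg_id + fake_signature)


def signature_algorithm(cert_der: bytes) -> str:
    """Pull the outer signatureAlgorithm OID out of a DER certificate."""
    _, cert_body, _ = read_tlv(cert_der, 0)
    _, _, after_tbs = read_tlv(cert_body, 0)           # skip tbsCertificate
    _, alg_body, _ = read_tlv(cert_body, after_tbs)    # AlgorithmIdentifier SEQUENCE
    tag, oid_body, _ = read_tlv(alg_body, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in AlgorithmIdentifier")
    return decode_oid(oid_body)


def thumbprint(cert_der: bytes, algorithm: str) -> str:
    """Thumbprint = hash of the whole DER blob; the algorithm is the viewer's choice."""
    return hashlib.new(algorithm, cert_der).hexdigest()


if __name__ == "__main__":
    cert = build_toy_certificate(SHA256_WITH_RSA)
    print("signature algorithm:", signature_algorithm(cert))
    print("sha1 thumbprint:    ", thumbprint(cert, "sha1"))
    print("sha256 thumbprint:  ", thumbprint(cert, "sha256"))
```

The same cert yields a SHA-1 thumbprint and a SHA-256 thumbprint, and neither changes what signature_algorithm() reports. When checking a live site the equivalent is `openssl x509 -in cert.pem -noout -text`, where the "Signature Algorithm" line is the one that matters, and `-fingerprint -sha1` or `-fingerprint -sha256` just picks which thumbprint to print.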

  17. #42
    Regular Visitor
    Join Date
    Jul 2015
    Location
    UK
    Posts
    27

  18. #43
    Apex User
    Join Date
    Dec 2013
    Location
    Denver, CO
    Posts
    6,436
    Quote Originally Posted by tomcoleman
    Except we don't know what brand of controller was used there (could have been a PLC and not a hobbyist brand) and we also don't know how it was set up to the network. More than likely that was an open port on an unsecured access point for "easy" maintenance company access. You can't tunnel through fusion to access the rest of the LAN but you can with port forwarding.

    You might be an engineer if...You have no life and can prove it mathematically.

  19. #44
    VP Sales and Marketing Terence
    Join Date
    Jan 2013
    Location
    Morgan Hill, CA
    Posts
    944
    Quote Originally Posted by tomcoleman
    This article was based on pure speculation and zero information other than a casino got hacked for 10GB via an aquarium controller. Images in the article have nothing to do with the facts other than they are images of a controller by GHL and cloud interface to our product, Apex Fusion. In fact, the source of the information was a marketing packet from the security company who wants to sell their software. No specific detail has been given by the company and they will not give it out - even to us, even under NDA. So who knows what really happened here.

    Also, if something did really happen, as was just pointed out, the most likely thing that happened here was that someone left the back door open, someone found it, and then they found a way to exploit that open door locally. This is not a situation that involved Apex Fusion. Had it been, we would have been contacted, and we weren't.

    If you have an Apex, and have still not connected it to Apex Fusion, you should. This is especially true if you want enhanced security and you have utilized a port-forwarding methodology for external access of that Apex. Connect it to Apex Fusion and then remove any port forwarding rules on your router.
    Terence Fugazzi :: VP Sales and Marketing :: Neptune Systems
