
Thread: How Safe is Neptune Apex Fusion from hackers ?

  1. #1
    Regular Vistor
    Join Date
    Jul 2015
    Location
    UK
    Posts
    26

    How Safe is Neptune Apex Fusion from hackers ?

    With all the services like Google, Dropbox etc. offering 2 factor authentication or dual authentication, how safe is Neptune Apex Fusion from being hacked or accounts compromised?

    I'm slowly going completely down the Apex route and have seen some stories of people being hacked and their tanks destroyed due to either bad setups at home on their routers or their PCs having malware installed that harvests passwords etc.

    I feel these days a password is just not safe enough!

    Admittedly most of these had port forwarding on their routers and didn't change the default user/pass.

    My main concern is whatever is hosting Fusion gets compromised (just like Sony did back in 2015/16) and hackers can destroy our tanks.

    Is there any way to add an additional level of security, like 2 factor auth? Or send an email every time you log in, or attempted logins lock the account, or something?


  2. #2
    New User
    Join Date
    Dec 2013
    Location
    United States
    Posts
    1
    I have always wondered this myself. Is Fusion white hat hacked by a 3rd party with actual hackers (not just automated bots)?

    Fusion appears to be hosted by Cloudflare.

  3. #3
    Master Control Freak RussM's Avatar
    Join Date
    Dec 2012
    Location
    California - US Pacific
    Posts
    22,463
    Quote Originally Posted by kevitra View Post
    Fusion appears to be hosted by Cloudflare.
    Cloudflare is not a web hosting provider. It front-ends web sites hosted elsewhere, providing DNS services and performance & security enhancements for those sites.
    Please do not send me PMs with technical questions or requesting assistance - use the forums for Apex help. PM me ONLY if the matter is of a private or personal nature. Thanks.

  4. #4
    Frequent Contributor zombie's Avatar
    Join Date
    Dec 2013
    Location
    Denver, CO
    Posts
    13,176
    I doubt Neptune's servers are more secure than something like Gmail, but it's waaaaay less likely to be hacked. People hack websites to make money. Since Fusion doesn't store any personal information or credit cards there is no reason for someone to hack it.

    You might be an engineer if...You have no life and can prove it mathematically.

  5. #5
    Frequent Visitor
    Join Date
    Dec 2014
    Location
    Mojave Desert
    Posts
    109
    I'm more worried about the open telnet port on the apex itself than the fusion webpage.

    It would be nice to have 2FA but most companies that do it use SMS which has been proven to be insecure anyway. (Mostly the companies just want your phone number to sell to telemarketers.)


    Sent from my iPhone using Tapatalk

  6. #6
    Regular Vistor
    Join Date
    Jul 2015
    Location
    UK
    Posts
    26
    Trying not to go off topic here, but if I go completely Apex, and I mean everything and all modules, which I'm thinking about doing, I would expect a better safeguard than a single password to log in to my account.

    Yes, people mainly hack for money, but as we have seen that doesn't stop kids just getting in and renaming all the inputs and killing a tank. With a potential setup of over £20,000 I really want to have a better login system like 2FA or an authenticator app like Dropbox, Gmail and Microsoft all offer, and that's just to protect email! It's the only thing in the back of my mind that's stopping me going completely automated.

    Even if the password or site isn't cracked or a backdoor found in the Fusion hosting code, PCs get compromised all the time and passwords harvested. I think it's a sensible option to at least give the Apex users an additional level if they wish to enable it. It wouldn't be that difficult to do either with all the APIs out there, namely Google Authenticator. Is there an official response from Apex here, even if it's a no, just so I can choose what I'm going to do?

  7. #7
    Regular Vistor ReefSpy's Avatar
    Join Date
    Mar 2017
    Location
    Planet Earth
    Posts
    16
    I agree. For something designed to safeguard thousands of dollars in livestock and equipment, I would expect better online security. I don't think it is unreasonable to request 2 factor authentication, approved device list, or anything more substantial than the current password only security.

    If we can get notifications when our sump is low or temperature too high, why can't I at least get a notification when my account is accessed from a new location?

  8. #8
    Frequent Contributor zombie's Avatar
    Join Date
    Dec 2013
    Location
    Denver, CO
    Posts
    13,176
    I think you guys might be overthinking this. There has not been a single reported hacked Fusion account since its inception (at least reported onto the forums) and the one hack I could find was through the classic dashboard and the person who was hacked kept the password as default, and had an open port 80 with no firewall in his router.

    I personally would hate to have 2 step verification or location based blocking because when I want to check my tank I don't want to wait and I don't want anything that might hamper my access if the tank has an emergency.

    You might be an engineer if...You have no life and can prove it mathematically.

  9. #9
    Regular Vistor
    Join Date
    Jul 2015
    Location
    UK
    Posts
    26
    Quote Originally Posted by zombie View Post
    I think you guys might be overthinking this. There has not been a single reported hacked Fusion account since its inception (at least reported onto the forums) and the one hack I could find was through the classic dashboard and the person who was hacked kept the password as default, and had an open port 80 with no firewall in his router.

    I personally would hate to have 2 step verification or location based blocking because when I want to check my tank I don't want to wait and I don't want anything that might hamper my access if the tank has an emergency.

    You might be an engineer if...You have no life and can prove it mathematically.
    Zombie

    I disagree, but agree with you not wanting it; that's why I said make it a choice to enable, just like all the other large tech companies do.

    I think if the majority was asked "do you want extra security?" the answer would be yes.

    Just because it hasn't happened yet doesn't mean it won't. Also it might have happened and that person was silenced or paid.

    It would be a major flaw if the sole interface had a hole - not saying it does, just speculating.

    With my large tank I don't want that risk. I would want a 2FA option and I'm sure so would others.

    Blows my mind that this hasn't been raised yet.


    Sent from my iPhone using Tapatalk

  10. #10
    Frequent Visitor bigjim's Avatar
    Join Date
    Oct 2014
    Location
    Carpentersville, Il
    Posts
    367
    I'm not worried about someone hacking my tank. I'm concerned someone will find a way to use Apex/Fusion to gain access to my network and computers.

  11. #11
    Frequent Visitor
    Join Date
    Dec 2014
    Location
    Mojave Desert
    Posts
    109
    Quote Originally Posted by bigjim View Post
    I'm not worried about someone hacking my tank. I'm concerned someone will find a way to use Apex/Fusion to gain access to my network and computers.
    Yep.


    Sent from my iPhone using Tapatalk

  12. #12
    New User
    Join Date
    Apr 2014
    Location
    TAMPA, FL
    Posts
    5
    How large is the Apex Fusion community? I venture to guess not significant enough for hackers to care about wasting time and effort to go after this user community.


    Sent from my iPhone using Tapatalk

  13. #13
    Regular Vistor
    Join Date
    Jul 2015
    Location
    UK
    Posts
    26
    Quote Originally Posted by abhutta View Post
    How large is the Apex Fusion community? I venture to guess not significant enough for hackers to care about wasting time and effort to go after this user community.


    Sent from my iPhone using Tapatalk
    Doesn't matter how big or small; the fact the security is weak is a major concern for large tank owners with thousands invested in corals and time growing them.

    why can we have an extra security option

  14. #14
    Frequent Visitor Torx's Avatar
    Join Date
    Dec 2013
    Location
    Blenheim, Ontario
    Posts
    406
    My $0.02, if you are that worried about it then don't use it. I mean, it will never be as secure as you want it. Dual authentication log in page? Even banks don't use that. Fusion is very well protected. As said already, hackers will never do it. It is a lot of work to hack a site and they won't do it for a system that holds 0 information. To add additional levels to raise security to NASA levels might entice someone.

    Also to note, this is a forum run by users of Neptune Apex, not Apex themselves. This might be a better suggestion to send the support team an email on it. Possibly could be a suggestion for the web designers

    Sent from my SM-G925W8 using Tapatalk
    Current: 120 Gallon Peninsula DIY system.

  15. #15
    Regular Vistor
    Join Date
    Jul 2015
    Location
    UK
    Posts
    26
    Quote Originally Posted by Torx View Post
    My $0.02, if you are that worried about it then don't use it. I mean, it will never be as secure as you want it. Dual authentication log in page? Even banks don't use that. Fusion is very well protected. As said already, hackers will never do it. It is a lot of work to hack a site and they won't do it for a system that holds 0 information. To add additional levels to raise security to NASA levels might entice someone.

    Also to note, this is a forum run by users of Neptune Apex, not Apex themselves. This might be a better suggestion to send the support team an email on it. Possibly could be a suggestion for the web designers

    Sent from my SM-G925W8 using Tapatalk
    Not sure what country you're from but most banks in the UK use dual authentication.

    So does Gmail, Dropbox, Microsoft, Citrix and Cisco and even smaller IT outfits.

    I want to use it and am already invested. I'm asking for Neptune to post here on their view, to at least give the user the option to enable it.

    I'm not talking about hacking a site, that's hard work. I'm talking about a PC being infected and details harvested & used, something which we have seen recently and even with NHS meltdown of cryptography.




    Sent from my iPhone using Tapatalk

  16. #16
    Frequent Visitor Torx's Avatar
    Join Date
    Dec 2013
    Location
    Blenheim, Ontario
    Posts
    406
    All those sites are a single login and password in North America

    Again though, Neptune doesn't typically patrol this site. If you want them to hear, then email them on your concern/suggestion.

    Sent from my SM-G925W8 using Tapatalk
    Current: 120 Gallon Peninsula DIY system.

  17. #17
    Frequent Visitor bigjim's Avatar
    Join Date
    Oct 2014
    Location
    Carpentersville, Il
    Posts
    367
    My bank is a single login if I log in from my regular pc. If I log in from a new pc I not only need my password but I have to pick the correct image from a page of images then I have to answer a security question. Only if all 3 are correct do I get access to my account. Also an email is sent to my registered email address informing me of a login from a different pc. My investment account has a similar security system and I'm in the US.

    Sent from my SM-G955U using Tapatalk

  18. #18
    Regular Vistor ReefSpy's Avatar
    Join Date
    Mar 2017
    Location
    Planet Earth
    Posts
    16
    Quote Originally Posted by Torx View Post
    My $0.02, if you are that worried about it then don't use it. I mean, it will never be as secure as you want it. Dual authentication log in page? Even banks don't use that. Fusion is very well protected. As said already, hackers will never do it. It is a lot of work to hack a site and they won't do it for a system that holds 0 information. To add additional levels to raise security to NASA levels might entice someone.

    Also to note, this is a forum run by users of Neptune Apex, not Apex themselves. This might be a better suggestion to send the support team an email on it. Possibly could be a suggestion for the web designers

    Sent from my SM-G925W8 using Tapatalk
    I think you are misunderstanding what people are asking for. No one is asking to make Fusion a burden to use, only to add the option for increased security. Wouldn't it be nice to know if your account was accessed from a new computer or smartphone? Wouldn't it also be nice to approve which devices your online account could be accessed from? This could all be done in a way that is not very obtrusive to the user, or even optional if you decided not to use it. Some hackers are not out there for money, just to cause grief. Imagine the grief they would cause if they decided to crash someone's tank just for laughs? Right now a compromised password is all it would take, and Fusion would not even need to be hacked.

  19. #19
    Regular Vistor
    Join Date
    Jul 2015
    Location
    UK
    Posts
    26
    Quote Originally Posted by reefspy View Post
    I think you are misunderstanding what people are asking for. No one is asking to make Fusion a burden to use, only to add the option for increased security. Wouldn't it be nice to know if your account was accessed from a new computer or smartphone? Wouldn't it also be nice to approve which devices your online account could be accessed from? This could all be done in a way that is not very obtrusive to the user, or even optional if you decided not to use it. Some hackers are not out there for money, just to cause grief. Imagine the grief they would cause if they decided to crash someone's tank just for laughs? Right now a compromised password is all it would take, and Fusion would not even need to be hacked.
    Nail on the head.

  20. #20
    New User
    Join Date
    Feb 2014
    Location
    Rancho Cucamonga
    Posts
    14
    @Reefspy for Chief Security Officer 2017

  21. #21
    Frequent Visitor
    Join Date
    Jun 2015
    Location
    UK
    Posts
    153
    Asking "How secure is it?" is not really going to get you an answer either way. I've worked in the security industry for 20 years and I can tell you that although the site doesn't host personal information in terms of CC numbers (PANs) it does contain valuable data (your usernames and passwords) and is also of interest to hackers as our tanks are now part of the internet of things.

    Disappointingly, when I asked this question previously, I got a "we use HTTPS, so are secure" answer, which is what every security professional dreads to hear.

    What I would be more interested in hearing is around policy (i.e. adhering to ISO27001) controls (i.e. two factor authentication, restricting access to specific devices) and regular security testing (note: NOT just vulnerability scans).

    Now I'm not saying fusion is insecure, I'm just pointing out potential issues/areas of improvement from a people, process and controls point of view.

    I work in an industry where I could walk up to your front door, remove your wireless doorbell you are proud of and obtain your wifi encryption key in seconds. Our tanks are part of the internet of things and I'm increasingly concerned about the increase in number of wireless devices which could have serious security flaws in them (just like the wireless door bell).

    If a hacker got access to our systems, they could quite easily kill everything in our tanks without even realising what they are connected to.

    So take measures yourself.

    - Use a difficult to guess password, ensure it is unique to fusion
    - Always update any device connected to your network and ensure firewalls and antivirus are enabled
    - Use WPA2 and a difficult to guess and unique key
    - Disable Wifi on all devices which can be wired

    As far as feature requests go, PLEASE NEPTUNE: Give us the option of having two factor authentication and device control on fusion. There is no excuse in 2017 for not having multi factor authentication.

    I have in the time it's taken me to write this identified a potential security issue which needs to be addressed. Can Neptune please PM me the details of who to send the details to?

    Thanks

    Rob

  22. #22
    Frequent Visitor
    Join Date
    Jan 2013
    Location
    New Jersey
    Posts
    160
    Complicated passwords that are unique per site are your best bet. Things are as secure as they can be until something new comes out that takes advantage. I am sure the folks at Neptune spend some money on security but look what happened recently with WannaCry and other ransomware... it can happen to anyone.

  23. #23
    Frequent Visitor
    Join Date
    Dec 2014
    Location
    Mojave Desert
    Posts
    109
    Thanks Rob.

    I'd also like to add.

    For the love of God. Do not add 2FA and ask me for my phone number to use SMS as a 2FA method. This is not secure.


    Sent from my iPhone using Tapatalk

  24. #24
    Frequent Contributor zombie's Avatar
    Join Date
    Dec 2013
    Location
    Denver, CO
    Posts
    13,176
    Quote Originally Posted by Jlentz View Post
    Thanks Rob.

    I'd also like to add.

    For the love of God. Do not add 2FA and ask me for my phone number to use SMS as a 2FA method. This is not secure.


    Sent from my iPhone using Tapatalk
    Reasoning? How would someone outside of a government hacker be able to hack your password AND intercept an SMS authentication code solely to mess with your tank? That kind of skill is reserved for espionage and multimillion dollar fraud schemes.

    You might be an engineer if...You have no life and can prove it mathematically.

  25. #25
    Frequent Visitor
    Join Date
    Jun 2015
    Location
    UK
    Posts
    153
    To be fair, vulnerabilities have been exploited to intercept SMS authentication. It's not a secure method, but to be honest, two factor auth should be standard and will add significant protection from account compromise.
