
Smart Home networks are easy to hack

1 minute ago, ekohn00 said:

You're a frigging underpowered, overpriced Pen Test

Please don't call it a Pen Test - that insults the people that do testing for a living!

It's a vuln scan - VERY different than a pen test


I called control4 snake 🐍 oil because I am using your logic of saying proprietary = snake oil, and it was referenced that control4 has their own unique way of designing their products.

Your second logic of review of the product, really, how do you know I am a dude? But at this point I will go away. Discussion over.


7 minutes ago, msgreenf said:

Please don't call it a Pen Test - that insults the people that do testing for a living!

It's a vuln scan - VERY different than a pen test

True that.... pen was easier to spell.... I doubt they do any manual hack, so you're right, it's just a vulnerability scan.


There's an obvious lack of intelligence in this world. So since you don't own a dictionary or have Google....

dox
/däks/

verb
INFORMAL
gerund or present participle: doxing
  1. search for and publish private or identifying information about (a particular individual) on the internet, typically with malicious intent.
    "hackers and online vigilantes routinely dox both public and private figures"

Just now, ekohn00 said:

There's an obvious lack of intelligence in this world. So since you don't own a dictionary or have Google....

dox
/däks/

verb
INFORMAL
gerund or present participle: doxing
  1. search for and publish private or identifying information about (a particular individual) on the internet, typically with malicious intent.
    "hackers and online vigilantes routinely dox both public and private figures"

PS..... if there's any doubt, feel free to reach out to this board's admin to have the informational post removed.


@ekohn00 wasn't your intention of posting someone's public profile with malicious intent when you said they could reach out about the bad sales approach? So in that moment you showed your intent, not sure 🤔. I guess courts can decide stuff like that. I do not even know.


6 minutes ago, chiuu said:

@ekohn00 wasn't your intention of posting someone's public profile with malicious intent when you said they could reach out about the bad sales approach? So in that moment you showed your intent, not sure 🤔. I guess courts can decide stuff like that. I do not even know.

Dear Dummy, 

I posted a link to a PUBLIC LinkedIn profile. There's no private information that I have or posted.

And that profile is clearly marked FOUNDER of the company.....  Obviously the information has been made public for the reasons of contact and discussion.

NOTHING PRIVATE is known or shared, so good luck with your threats....


@ekohn00 but the definition of Doxing states "Publish private or identifying information with malicious intent." I think someone's public information is one thing, but your intent was malicious when you said go there and tell them about their sales tactic. I am using that dictionary definition you put out there.


5 minutes ago, chiuu said:

@ekohn00 but the definition of Doxing states "Publish private or identifying information with malicious intent." I think someone's public information is one thing, but your intent was malicious when you said go there and tell them about their sales tactic. I am using that dictionary definition you put out there.

Nothing malicious about asking folks to share bad sales tactics with a public email.

Oh, and since the email is locked on LinkedIn... it's not even possible.....


5 minutes ago, chiuu said:

@ekohn00 I see your point, but how can you prove whether it was malicious or not? I am actually learning doxing right now. I am going off the dictionary definition.

Sharing an opinion is not malicious.

There's no harm in letting you know your sales tactic of spamming a private bulletin board is a horrible way to go about things.


In my unprofessional opinion, it feels like some of this advice isn't the best way to deal with security, and misses some common security issues (keep in mind, security isn't my day job, and never was).

1. Backing up to an external HDD. That's not considered a backup unless it's using a copy-on-write filesystem. Ransomware will totally destroy it the next time it's plugged in. You actually should save to a device or appliance designed for backups that supports versioning, which many cloud storage systems do. On Synology, for instance, DS Drive can save copies of files, so if ransomware corrupts them all once, you can simply revert to an older version.

2. There is no mention of IPS, or ransomware protection at all (network appliances such as Watchguard literally send all downloads to a VM online and monitor them for long periods to identify if they are running malicious code that runs on a timer. If it's discovered to be malware, all infected computers can be identified instantly). It's all great to run tests, but that only shows you your security at a specific point in time, and uses specific vulnerabilities, whereas an IPS may be able to block packets with certain characteristics which indicate a high likelihood of malware.

3. No mention of Wifi security. We had the argument on the Control4 Professionals group a few months ago, where it was discovered some installers were installing OPEN wifi networks which were hidden. In all likelihood, those networks are now listed in wardriver search engines.

4. "Watch out for phishing emails" isn't sound advice. It doesn't mention strategies to identify them, and doesn't offer any strategies to avoid them. The number of clients we see running Outlook and a cheap cPanel-based mail system is fairly alarming.

5. No mention of password reuse. These days, that's how most people get hacked. Cycling the passwords won't help a huge amount if the client is using the same password on their email account as their bank account.
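Point 3 above, as a small added audit helper that is not from this thread or from Control4: it parses scan lines in the terse `SSID:SECURITY:SIGNAL` layout that `nmcli -t -f SSID,SECURITY,SIGNAL dev wifi list` produces (the exact layout and the constructed sample scan are assumptions) and flags networks that are open, hidden, or both, so an installer can check their own site for the hidden-open combination described in the post.

```python
"""Flag open and hidden Wi-Fi networks in an nmcli-style scan (SSID:SECURITY:SIGNAL).
Assumes the terse layout of `nmcli -t -f SSID,SECURITY,SIGNAL dev wifi list`:
an empty SECURITY field means open, and an empty or "--" SSID means hidden."""
from dataclasses import dataclass

# Constructed sample scan, not a real capture: includes one hidden open network.
SAMPLE_SCAN = """\
HomeNet:WPA2:82
::77
Guest 5G:WPA2 WPA3:61
Cafe\\:Free::40
--:WPA2:35
"""

@dataclass(frozen=True)
class Network:
    ssid: str
    security: str
    signal: int

    def is_hidden(self) -> bool:
        return self.ssid in ("", "--")

    def is_open(self) -> bool:
        return self.security.strip() in ("", "--")

def parse_scan(text: str) -> list[Network]:
    nets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # SECURITY/SIGNAL never contain ':', so split from the right (keeps "\:" in SSIDs).
        ssid, security, signal = line.rsplit(":", 2)
        nets.append(Network(ssid.replace("\\:", ":"), security, int(signal)))
    return nets

def audit(text: str) -> list[str]:
    """One finding per network that is open, hidden, or both (worst case reported)."""
    findings = []
    for n in parse_scan(text):
        if n.is_open() and n.is_hidden():
            findings.append(f"CRITICAL: hidden open network, signal {n.signal}")
        elif n.is_open():
            findings.append(f"HIGH: open network {n.ssid!r}, signal {n.signal}")
        elif n.is_hidden():
            findings.append(f"INFO: hidden {n.security} network, signal {n.signal}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_SCAN)))
```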

4 hours ago, Andrew luecke said:

2. There is no mention of IPS, or ransomware protection at all (network appliances such as Watchguard literally send all downloads to a VM online and monitor them for long periods to identify if they are running malicious code that runs on a timer. If it's discovered to be malware, all infected computers can be identified instantly). It's all great to run tests, but that only shows you your security at a specific point in time, and uses specific vulnerabilities, whereas an IPS may be able to block packets with certain characteristics which indicate a high likelihood of malware.

3. No mention of Wifi security. We had the argument on the Control4 Professionals group a few months ago, where it was discovered some installers were installing OPEN wifi networks which were hidden. In all likelihood, those networks are now listed in wardriver search engines.

4. "Watch out for phishing emails" isn't sound advice. It doesn't mention strategies to identify them, and doesn't offer any strategies to avoid them. The number of clients we see running Outlook and a cheap cPanel-based mail system is fairly alarming.

5. No mention of password reuse. These days, that's how most people get hacked. Cycling the passwords won't help a huge amount if the client is using the same password on their email account as their bank account.

Good points but some realistic add ons (my 2 cents):

2. Typically, scanners are not capable of IDS/IPS. IDS/IPS requires an inline sensor. What you're describing by Watchguard sounds like a sandbox. The IDS/IPS can only act on known signatures. The sandbox has the ability to execute items and see if they act in an unauthorized way, and can then take action on them. Best to use both if available, especially if you're worried about ransomware.

3. Web-based scanners have limited, if any, wifi capabilities. They're not capable of wireless access, obviously. Any installer who installs OPEN and hidden should be blacklisted! That's basically a backdoor for anyone.

5. I wouldn't want to give access to files to determine password reuse to a random crappy scanner anyway.


Another point to add:

The cornerstone of any security (especially network security) is TRUST.  

Who do I trust to access my network? What code / programs do I trust to run? Which websites do I trust with my info? Etc....

Public free security scanners from any unknown party.....    That would be like negative infinity on the trust scale.

IMO most security training should start with discussions about who/what to trust and why.

