public inbox for linux-raid@vger.kernel.org
From: Adam Goryachev <mailinglists@websitemanagers.com.au>
To: Wols Lists <antlists@youngman.org.uk>,
	linux-raid <linux-raid@vger.kernel.org>
Subject: Re: Posting on RISKS - hacked NAS's
Date: Mon, 26 Sep 2016 09:40:47 +1000
Message-ID: <de6e2183-1e89-2495-1546-e71bf4bc27e9@websitemanagers.com.au>
In-Reply-To: <57E842C7.9000302@youngman.org.uk>

I strongly suspect that this article is talking about a NAS (Network 
Attached Storage), or, as described, a mini-computer with hard drives 
attached and open to the network; this is not about firmware on drives 
that you would connect to your own Linux computer.

Questions about the accuracy of the article:
1) Seagate has only sold 7000 of this product? Seems like a very small 
run for a major manufacturer...
2) 70% have been hacked? Did the hacker themselves reveal this, or did 
Seagate, or how does this source know?

I would strongly suspect a much higher number of devices sold, and would 
strongly suspect that almost all of these devices would sit behind a 
simple NAT router. Unless Seagate have done something really stupid 
(like using UPnP to ask the router to port forward from outside directly 
to it *by default*), then this should provide a reasonably decent level 
of protection.

PS: Not to say that the article probably is very accurate; you should 
change passwords, you should have backups, you should NOT allow direct 
connections to your backend storage, etc.

Never mind, reading deeper:
http://www.infoworld.com/article/3118792/malware/thousands-of-seagate-nas-boxes-host-cryptocurrency-mining-malware.html
We see that they looked for all open FTP servers with publicly writable 
directories (7,263), and of those a large majority were Seagate NAS 
(5,137). So, Seagate almost certainly have sold more than 7000 of their 
NAS; 7000 has absolutely no correlation to the number of Seagate NAS 
sold or connected.

Of further note:
"Seagate Central's configuration makes it easier for users to expose 
insecure FTP servers to the Internet"
"By default, the Seagate Central NAS system provides a public folder for 
sharing data, ... This public folder cannot be disabled and if the 
device administrator enables remote access to the device, it will become 
accessible to anyone on the Internet"

Finally, the "infection" is just placing the files there and then 
waiting for the user to execute them on their Windows PC; it is not a 
remote code execution exploit by itself.

Regards,
Adam

On 26/09/16 07:33, Wols Lists wrote:
> Just for info. I know it's not really quite this list, but I can't quite
> make out what is affected.
>
> I get the impression this is referring to NAS systems, so it's outside
> our remit. But to me, "Seagate NAS" is actually a raid-suitable disk
> drive, so it makes me wonder whether it's hacked drive firmware...
> unlikely but eminently possible ...
>
> Cheers,
> Wol
>
> ------------------------------
>
> Date: Fri, 23 Sep 2016 11:34:21 -0700
> From: Gene Wirchenko <genew@telus.net>
> Subject: "Seagate NAS hack should scare us all" (Roger A. Grimes)
>
> Roger A. Grimes, InfoWorld, 20 Sep 2016
> An under-the-radar news story proves that computers are far from the only
> devices prey to attack
> http://www.infoworld.com/article/3121338/security/seagate-nas-hack-should-scare-us-all.html
>
> opening text:
>
> No fewer than 70 percent of Internet-connected Seagate NAS hard drives have
> been compromised by a single malware program. That's a pretty startling
> figure.  Security vendor Sophos says the bitcoin-mining malware Miner-C is
> the culprit.
>
>    [At peak, seek to tweak the weak link.  This reeks of leaks that peek as
>    well.  PGN]
> --
> To unsubscribe from this list: send the line "unsubscribe linux-raid" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html



-- 
Adam Goryachev Website Managers www.websitemanagers.com.au
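The exposure Adam describes above (an FTP service that accepts anonymous logins and offers a world-writable public folder, which the Sophos scan counted and the malware used as a drop point) can be checked on your own devices with a few lines of Python. This is an added example and is not code from the thread, from Seagate or from Sophos. It uses only the standard-library ftplib; the host name, the directory list and the FakeFTP stand-in are assumptions constructed so it runs offline, and it should only be pointed at hosts you are authorized to test.

```python
"""Check whether an FTP server accepts anonymous logins and whether any of
a set of directories is writable by that anonymous user.

Added example, not from the mailing-list thread. The host name, the probed
directory names and the FakeFTP class below are assumptions/constructed
so the check can be exercised without a network.
"""
import ftplib
import io
import uuid
from dataclasses import dataclass, field


@dataclass
class FtpExposure:
    host: str
    anonymous_login: bool          # did an anonymous login succeed?
    writable_dirs: list = field(default_factory=list)  # dirs that accepted STOR


def _probe_write(ftp, directory):
    """Try to STOR a tiny, uniquely named file in `directory` and remove it
    again. Returns True if the upload succeeded (anonymous write access)."""
    name = f".probe-{uuid.uuid4().hex}.txt"
    try:
        ftp.cwd(directory)
        ftp.storbinary(f"STOR {name}", io.BytesIO(b"write probe\n"))
    except ftplib.all_errors:
        return False
    try:
        ftp.delete(name)          # clean up; if DELE is refused, the probe file stays
    except ftplib.all_errors:
        pass
    return True


def check_ftp_exposure(host, dirs=("/", "/Public"), connect=ftplib.FTP, timeout=5):
    """Connect to `host`:21, attempt an anonymous login and probe each of
    `dirs` for write access. `connect` is injectable so a fake server can be
    substituted for offline use; the default is the real ftplib.FTP."""
    ftp = connect()
    try:
        ftp.connect(host, 21, timeout=timeout)
        ftp.login()                # empty user/pass = anonymous in ftplib
    except ftplib.all_errors:
        return FtpExposure(host, False, [])
    writable = [d for d in dirs if _probe_write(ftp, d)]
    try:
        ftp.quit()
    except ftplib.all_errors:
        pass
    return FtpExposure(host, True, writable)


class FakeFTP:
    """Constructed stand-in for ftplib.FTP that behaves like the default the
    article describes: anonymous login allowed, only /Public writable.
    Used so the check runs offline; not a model of any real firmware."""
    WRITABLE = {"/Public"}

    def __init__(self):
        self._cwd = "/"
        self.files = {}

    def connect(self, host, port=21, timeout=None):
        pass

    def login(self, user="", passwd="", acct=""):
        pass

    def cwd(self, directory):
        self._cwd = directory

    def storbinary(self, cmd, fp, blocksize=8192, callback=None, rest=None):
        if self._cwd not in self.WRITABLE:
            raise ftplib.error_perm("550 Permission denied")
        self.files[(self._cwd, cmd.split(" ", 1)[1])] = fp.read()

    def delete(self, name):
        self.files.pop((self._cwd, name), None)

    def quit(self):
        pass


class LockedFakeFTP(FakeFTP):
    """Constructed stand-in for a device with anonymous FTP disabled."""

    def login(self, user="", passwd="", acct=""):
        raise ftplib.error_perm("530 Login incorrect")


if __name__ == "__main__":
    # Offline demonstration against the constructed fakes; replace `connect`
    # with the default to probe a real host you are allowed to test.
    print(check_ftp_exposure("nas.example.invalid", connect=FakeFTP))
    print(check_ftp_exposure("nas.example.invalid", connect=LockedFakeFTP))
```

A device that returns `anonymous_login=True` with a non-empty `writable_dirs` is exactly what the scan counted: anyone on the Internet who can reach port 21 can drop files there. The probe file is named uniquely and deleted afterwards so the check leaves nothing behind on a server that allows DELE; if it does not, the leftover `.probe-*.txt` is itself evidence of the write.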

Thread overview:
2016-09-25 21:33 Posting on RISKS - hacked NAS's Wols Lists
2016-09-25 23:40 ` Adam Goryachev [this message]
2016-09-26  2:35   ` Benjammin2068
