subscribe to our feed.
Paul has had some great tips about network security the past few days, especially with his write up about accessing business documents from networked devices and stuff. Pretty scary, if you ask me. But all of this got me thinking about something else… At the school I currently attend, we have a network of security cameras operational for safety and various other reasons. Along with the cameras is the ability to access these cameras remotely over the Internet, so guess what I was up to.
A few of my friends in our Cisco CCNA 4 class, which involves networking and stuff, decided to check out the cameras over the Internet just after their installation before our IT Admin changed the login and password to the Java App used to access the feeds. We did eventually get access, and it was kind of boring, so we got curious. The combination of curiosity and poking around revealed that, through Google’s network of spiders, you could do a search for that specific java applet type and access video feeds from around the country and the world! While I don’t suggest nosing around, I’ll give you guys an example:
The EverFocus EDSR Applet is a Java-based interface designed to feed live imagery from integrated cameras to anyone who has the login and password to this web-based interface. A goofy side effect of being a web-based applet is that Google’s spiders pick it up when indexing and cacheing pages. While an obscure possibility, the combination of a technical whiz and security negligence on the consumer’s part could easily allow the techie whiz to gain access to a specific network of security cameras, simply by using the default login and password!
The crazier part of this is that some of these applets are run directly from network IP addresses and are not tied into a domain! It doesn’t take a genius to use a program like Ping Plotter and basicially trace the origin of this IP down to something as small as a city. If someone were to have malicious intent and to use some of these cameras to get intimate knowledge of a facilities inner workings, we could be looking at trouble. The EDSR Applet even shows date and time, thereby allowing you to narrow down the time zone before even using an outside program. To illustrate what I’m talking about, I’m currently on a camera network for a hotel, possibly on the West Coast, judging from the time difference. The cameras are placed in a number of sensible places, such as behind the front desk, in the pool area, the parking lot; but this also reveals the nature of the business itself, at the same time. Finally, this network is run off of a local IP, just waiting for me to trace it. I haven’t done research into other web-based applet, since I’m not familiar with them, but I’m sure there are comparable systems with comparable weaknesses.
This doesn’t just affect businesses, either. Through my snooping, I’ve come across home networks, where people have installed these cameras either for peace of mind or just to keep an eye on the kids. These networks are even more likely to include home IP addresses, based on the intent. As a home, however, it’s even more at risk to malicious people than a business, in comparison; either most of these users don’t think that anyone else could come across their network or they are just lazy, so they don’t change the credentials required to access the network. In some ways, people are doing more than hopping on an unencrypted WiFi hotspot; the hotspot has grown eyes and is looking around your house or business. I’m pretty sure I wouldn’t want any old stranger to roam around MY house from thousands of miles away.
I guess the moral of this story is, above all else: CHANGE THE CREDENTIALS! If you change your login and password, the probability of someone accessing your cameras goes through the floor. Also, there’s another way you can keep your network from even showing up on Google’s search pages. Google uses things called “spiders” to crawl the web and index content, including the EDSR applet I’ve described above. You can tell these spiders to ignore and bypass certain content from being indexed, making it invisible to Google’s web search. While I don’t have enough room here to describe the process in detail, the following two sites should make removing content from Google’s search engine a breeze:
(http://www.google.com/support/webmasters/bin/topic.py?topic=8459) <–Removing Content
(http://www.google.com/support/webmasters/bin/answer.py?answer=40360) <–Robots.txt
So, along with securing your network devices, if you have any security cameras (or anything else, for that matter) at home or at work that operates by web-based applets, make sure you keep the security on THOSE up, and getting rid of them from search engines never hurt your peace of mind, either…
If you would like to make a comment, please fill out the form below.
Recent Comments