P3R wrote: ↑Thu Jan 27, 2022 8:53 am
FSC830 wrote: ↑Thu Jan 27, 2022 4:22 am
Not QNAP is the culprit, that is only you! You have put your NAS unsecure into the internet!
I strongly disagree with all of that. Qnap have for years told their customers that they should expose their Qnaps so that they have easy access to their data from anywhere. They have used insecure defaults that have led even non-aware users into exposing their systems. To demand that the non-professional home and SMB users that Qnap target with their low-end products should understand security and be responsible for exposing their systems is absurd when the manufacturer have pushed them into doing exactly that. Also it's Qnap that have these constant fatal 0-day vulnerabilities, many caused by sloppy programming, like the backdoor account that caused the first QLocker campaign. Not to mention all the downplaying and secrecy around all of these vulnerabilities.
Qnap have the full responsibility for the attacks being possible and the customers have every right to be furious for the attacks being possible and occurring so frequently.
Once again sorry, but this is also a mistake from a majority of users: they often think "hey, it's a NAS, my data is secure". And this is also wrong, a NAS can break down, not only a single drive (for that is Raid), but the complete NAS can fail. Therefore an actual and periodical backup strategy is mandatory.
This is correct.
While Qnap have a responsibility to deliver a reasonably secure system, which they have failed with big time, they can never be responsible for protecting the user data. That is always the responsibility of the data owner himself and that is best done with external backup copies of data on other systems and with at least one stored at another site. For those that think so, no a real-time sync is not considered a good backup.
Malware attacks are just one of many threats to data on a single NAS and users that don't have external backups of their data have failed to protect it to at least a minimum level.
Qnap is responsible for the attacks being possible. The users are responsible for their failure to protect their data from single-system threats, which have caused the attacks to have much worse consequences, like data loss. One can't expect home users to be able to evaluate security threats and protect themselves against them but everyone must have heard that they need to back up their data.
This post is spot on. There is plenty of blame to go around....both QNAP and the user community.
I deal with enterprise customer success issues with one customer who cannot afford something like this to happen (the entire world would freak). Yet weeks ago I was in daily meetings on mitigating Log4J issues company wide. Hey, vulnerabilities can happen to the most prepared companies.
First, let's look at QNAP. They need to be better, especially if they are promoting cloud services or other features where their products are facing the exposed Internet. Lots of warnings like "here's what can happen if you do this....do you really really really want to proceed?" Customers, especially home users and small to medium sized businesses who buy this technology have to understand the risks. I don't know if they have a bug bounty program but I'd start one if they don't. It's a lot cheaper to reward a white hat security guy than be burned time and time again and lose customers.
And for the companies who do use these products, find someone in your city who does IT security consulting....there is usually a resource you can pay for this. Yes, I know you don't want to spend the money but the security audit and education is cheap compared to the alternative.
For all of us who depend on the data these things house...that's not your data on this NAS. At least, it's not your data unless it's in at least three places. One copy on the NAS, yes. Another local copy has to be available in case the worst happens (ransomware, hardware failures, theft, fire, flood, you name it). DO NOT use the same platform to keep your data copy, no matter how convenient it might be. I use a different RAID on a different OS to keep my QNAP NAS files. This is not a cheap thing to do, but it's cheaper than losing years of work and personal data forever. I don't even use QNAP's copy sync tools to keep them synced....don't trust 'em, there are other alternatives not written by the same software teams. And then there needs to be a cloud backup of the data for the third copy. And I make the cloud backup from the backup server, not from the QNAP. Because I'm paranoid.
Then there are the things you must do to keep a NAS safe. If you don't need it facing the Internet, don't. Most people don't. If you do need to get to it from the outside, use a VPN. Don't have a VPN feature on your router? Find a better router and buy it. Features like UPnP are asking for trouble. None of the devices on my LAN need it and if it ever was needed, I'd probably VLAN that ** away from everything else. Because you need to be paranoid. Do you have a port open for a Plex server (or worse, you're using UPnP)? DON'T. An exposed Plex server only tells people scanning IP addresses that something interesting is on the other side. Not worth the risk.
I don't use QuTSCloud and don't have a reason to. The fewer vectors to the outside world, the better. Admin account is disabled and strong passwords used everywhere else. That was the lesson last time this happened...good advice.
I'm running QuTS Hero 5.0.0.1892 and I literally begin my day scanning QNAP's website for firmware updates since they are often posted there before the upgrade servers that the NAS would talk to. Once I saw what was happening after the email from QNAP (thanks guys!), I did a cursory check of my NAS to see if anything was amiss. No problems seem to be in flight so I shut the unit down for the night and I'll do a proper security sweep tomorrow morning. I think there is a .1900 code base in beta but with this attack I'm wondering if that will change once we get more information on the attack vector.