
HELP......I've been hacked!!!!!


svb57
06/20/2008, 09:29 PM
How could someone change my program via the internet?

Sometime today my program to turn lights, heaters, and fans on/off has been screwed with.

How, and what can I do to keep it from happening again!!!

Jim Mc

kenargo
06/20/2008, 09:42 PM
Boy, that's really bad; is everything in the tank OK?

One option: change the password routinely! The AC3 password is transmitted in clear text (no https), making it semi-easy to hack the account using a simple sniffer.

Another option would be to use Aquanotes, which is website based and could be configured with a cert and use https but a cert isn't that cheap.

So far I haven't found any other options but maybe others have some ideas???

Were you connecting straight to the AC3, or was it another type of connection? Just curious.

60Cubed
06/20/2008, 09:42 PM
Kenargo..................????

This is your expertise!

svb57
06/20/2008, 09:47 PM
No, nothing happened. But I think I caught it within hours of it happening, and with 750g of water the heaters being on did affect it that fast.

[Another option would be to use Aquanotes, which is website based and could be configured with a cert and use https but a cert isn't that cheap.] I do have Aquanotes...but don't understand what a "cert" is and how to do it. Cost is relative when I have as much in the system as I do.

The AC3 is connected straight to the modem.

HELP

Jim Mc

60Cubed
06/20/2008, 09:51 PM
I would disconnect it until I figured out the problem, so it doesn't happen again.

kenargo
06/20/2008, 10:00 PM
A few more lower cost options:

Hackers attack using some tried and true methods; the most common user name is 'admin'. Passwords are hacked using a dictionary that just tries and tries until it hits (there are also common passwords; 'password'...).

'If' you were hacked using the above, it would be more simple to elude another hack by:

* Change the user name
* Create a challenging password (for example, 1 of my old passwords was "2BeOrNot2Be"; try and hack that). Take a phrase and change the number words to digits; that is a nice trick and easy to remember.
* DO NOT use port 80!!!!! Should I say this one again!!!! Why? Because port 80 is the most common port hackers trace for (don't use port 446 either). Pick something up high, you can go all the way up to 9999; pick something out of the way.

Lastly, to answer your question: a cert (short for certificate) is a special key value which can be used to secure the communications channel and everything sent over it. If you have a cert and properly configured IIS, then you can connect to AquaNotes using a secured channel, and that would make things more secure (the same thing banks use to protect your web access; https, aka SSL (secure socket layer)). What you would do in this setup would be access AquaNotes and not the AC3, because AquaNotes uses IIS, which can use SSL (Secure Socket Layer).

svb57
06/20/2008, 10:11 PM
The password you're talking about is the one on the AC3 or the one on the Aquanotes?

Is it the one I use to get into the system from another computer?

Port 80...where is that changed and what do I need to change and where?

Jim Mc

kenargo
06/20/2008, 10:21 PM
I am talking about the 1 for the AC3 (if that is what you have connected to the internet). Yes, it is the password you use to get into the AC3 from the web browser.

The port number is changed in the same menu (Setup->Net Setup) as the password (Setup->Net Setup->Http Port).

svb57
06/20/2008, 10:25 PM
I will change the password and the port to something .... do I need to change the port any place else?

And thanks for ALL the help!!!

Jim MC

kenargo
06/20/2008, 10:33 PM
No, username, password and port are all in the "Setup->Net Setup" menu section. Once you change them you will likely need to reset the controller (either by unplugging or using the "Setup->Net Setup->Reset" menu).

Remember to update the username and password in AquaNotes. The AquaNotes port does not need to be changed; the port you are changing in the aforementioned menu is only used for HTTP.

Oh, when you access the AC3 using a port other than 80 you will need to provide the port number on the connect line like this:

http://myreef.mydomain.com:9999/

or

http://192.168.1.50:9999/

Last, if you are running the gadget you will need to update the connection information, use the same format as above but don't include the "http://" (e.g., 192.168.1.50:9999 or myreef.mydomain.com:9999).

I think that should about be it, but I'll be online for a while, so if you need help you know where to find me....

gkyle
06/21/2008, 06:11 AM
I don't recommend opening the web server or Telnet port externally at all (at this point). If you have to, do as Ken suggests above, plus if it's possible only open it when you have to. If you're not actually traveling or something, block all access to this device at your firewall if you can. Most cable and DSL routers (such as Linksys) have a built-in basic firewall you can configure to simply block external access. For many, this is the default setting.

A hacker can find the port you're using for the web server easily with simple (and free - Nmap) tools. Changing it from port 80 makes great sense though, because you'll at least force them to look for it. I just tried running a simple security scan (using a free tool - Nessus) against my AC3 Pro and it went nuts within two minutes - without supplying a userid or password. So, you don't actually need to even hack it to cause serious problems. On mine, almost everything simply turned off, my Tunze units just started pumping air, and the Neptune clock went backwards about 4 hours. If someone knew (or discovered with a scan) your IP address and your Neptune isn't blocked by a firewall, they could do the same to you.

I'm going to run a more complete test later today or tomorrow to find all the vulnerabilities, and will post more information when I do. Hopefully these are things Neptune will be willing to correct with an update.

Roy G. Biv
06/21/2008, 07:03 AM
The exact same thing happened to me about 6 months ago. Everything survived, but I am not comfortable to put it online anymore. :(

RokleM
06/21/2008, 09:55 AM
Even better yet, move the web port to something that will cause a malformed request. Put it on 443, 23, 110, etc. If someone tries to go to https://yourIP, it won't work because the device doesn't support secure transport. However, you can access it via http://yourIP:443.

Truly, the device should move to using all secure/encrypted data, however it has to have the horsepower to do so (which probably won't happen with this model).

gkyle
06/22/2008, 10:32 AM
Good idea on choosing one of those ports. I never did get a decent test on the AC3 box, as nearly everything I did caused it to stop communicating, even a light nmap scan. Suffice it to say that someone with access to the address and port could easily cause trouble.

corndogg
06/22/2008, 10:56 AM
If you want it to be secure, set up an SSH proxy server on your home computer and then route all traffic through it. It has numerous advantages for secure surfing when out & about. Anytime I use a public computer, I proxy through to my computer so that my data is never "in the open." I originally started doing this because my work blocked yahoo and a few other sites. This is a way to bypass almost any firewall that blocks certain traffic or sites. But basically all communication will be secure and encrypted from the computer you're using to your home cpu.

They are very easy to set up. But for those that don't keep a computer running all the time, you might not like the idea of leaving it on.

Here's a site that has an easy way to set one up.

http://www.linquist.net/geek/proxy

corndogg
06/22/2008, 11:03 AM
The only drawback is you need to carry around a USB drive with the SSH client on it. This is only necessary if you're using a computer that you haven't used before for this purpose. If it's only for your work computer, then once you get it once, it'll always be there.

clp
06/23/2008, 02:43 PM
gkyle,
I've run both nmap and the nessus scan, and have not been able to replicate the crashes, clock setting, etc. It was run on both an AC3 and a 3Pro with previous generation firmware as well as the latest. I ran the most intense scans available on both of these tools. Please email me at support@neptunesys.com the configuration you ran to see the problem. Please don't post the settings, as we don't want someone purposely trying to crash controllers.
I think the biggest security hole in the controllers is the user name and password fields. I don't know how many times customers have called in for support and still have the default user name and password in their controller. If the program/configuration of the controller is changed, I would say that this is the most likely way that it occurred. Definitely change the user name/password, and make sure that it is at least 8 characters, with both upper and lower case, numbers, and a punc. character. Don't give out the username and password.

Curt

gkyle
06/23/2008, 03:26 PM
Mail sent.

kfick
06/23/2008, 11:54 PM
Sorry to hear this happened. I use a VPN router (WRV200) from Linksys. I think you can get it for 80 bones now, and it's my Wireless G access point.

http://www.linksys.com/servlet/Satellite?c=L_Product_C2&childpagename=US%2FLayout&cid=1147850074625&pagename=Linksys%2FCommon%2FVisitorWrapper

It has a weak 128 bit encryption, but I doubt anybody would waste the time to hack it. It works with dyndns just fine. I VPN in with its cheesy little client and then access my ACIII with its IP on my home network.

Curt, I found it odd I could only use an address of 194.194.xxx.xxx and have my ACIII accessible on my home network (not using VPN). If I went any higher, say 195.xxx.xxx.xxx, it would not respond. Using 192.168.xxx.xxx at home confuses the poor router if I VPN from a hotel's network and it's a private network as well, and it has to translate between the two same ranges over the VPN tunnel.

bigclops
06/28/2008, 09:27 PM
Are you sure someone hacked in to screw with your tank? Not to be a dink, but that would be the last thing a hacker would want to be messing around in... I would see statements/passwords/account info/video files and the like.. Might want to set up a router with MAC address filtering; possibly Peer Guardian is pretty good and free..

RokleM
06/29/2008, 08:46 AM
kfick, that's a function of VPN. You need separate IP subnets on both sides. I wouldn't recommend 194.194.x.x as that IP space is used by RIPE, but these are available for home NAT'd use:

192.168.x.x
10.x.x.x
172.16.x.x - 172.31.x.x


bigclops, MAC filtering typically has to do with wireless connectivity on the LAN, not external access. Peer Guardian is an app typically written for workstations, so it wouldn't do anything to protect the AC3.

tonga_man
06/29/2008, 04:54 PM
Originally posted by kenargo:
Another option would be to use Aquanotes, which is website based and could be configured with a cert and use https but a cert isn't that cheap.

I created a self-signed cert. via w2003 server / XP resource kit. It can't be verified, but it still encrypts.

It's very easy.

Simple instructions here.

http://www.somacon.com/p42.php

kfick
06/29/2008, 08:34 PM
RokleM, I did try 192.168.2.x, but the router still hung with a hotel using 192.168.1.x. I don't see why the router can't handle this; it hides one network from the other. What is RIPE and why would it bother my home network?

What is the best range to use that is the least likely to conflict with another private network?

RokleM
06/30/2008, 06:47 AM
Do you recall what the subnet was at the hotel? If it was 255.255.252.0, yes that would have caused an issue (192.168.1.x/255.255.252.0 = 192.168.1.0 - 192.168.3.255).

194.194.x.x is a publicly available space used by RIPE (http://ws.arin.net/whois/?queryinput=194.194.0.0). In other words, it's not for use on internal private networks and is owned/assigned to someone. There are a couple of things with VPN. 1) The network/router you're on/behind has to actually support it (many hotels do, but I've seen a lot that don't as well). 2) The IP space on either side has to be different. It doesn't "hide" one network from the other. When you VPN in, your client sees both networks; in turn, if they're running the same IP space there are routing issues, as it doesn't know where to send traffic.

These IPs I listed above are the ones that are allocated for internal use only. That means you won't find them live on the internet or assigned to some organization.
192.168.x.x
10.x.x.x
172.16.x.x - 172.31.x.x

192.168.0.x and 172.16.0.x are probably both the most commonly used ones. I'd pick a random number in the 10's and you're much more likely to not run into conflicts (i.e. 10.239.35.x).
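As an added illustration of the subnet advice in this exchange (example code, not from the thread or from Neptune), this Python uses the standard ipaddress module to check whether a range sits in the private blocks listed above, to expand a hotel's 255.255.252.0 mask to its full span, to flag the overlap that makes a VPN client unable to route, and to pick a 10.x home block that avoids known remote networks. All network values are constructed sample inputs; the candidate list in pick_home_subnet is an assumption.

```python
import ipaddress

# RFC 1918 private blocks, the three ranges listed in the thread.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_private(cidr):
    """True if every address in cidr lies inside one RFC 1918 block."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(block) for block in PRIVATE_RANGES)


def subnet_span(address, netmask):
    """Expand address/dotted-mask to (first, last) address of the network.
    strict=False accepts a host address and returns its enclosing network."""
    net = ipaddress.ip_network(f"{address}/{netmask}", strict=False)
    return str(net.network_address), str(net.broadcast_address)


def vpn_conflict(home_lan, remote_lan):
    """True when both sides of the VPN share addresses: the routing
    ambiguity that hangs the client, as described in the thread."""
    home = ipaddress.ip_network(home_lan, strict=False)
    remote = ipaddress.ip_network(remote_lan, strict=False)
    return home.overlaps(remote)


def pick_home_subnet(remote_lans, candidates=None):
    """First candidate /24 (default: assumed random-looking 10.x blocks, per
    the advice above) that collides with none of the known remote LANs."""
    if candidates is None:
        candidates = ["10.239.35.0/24", "10.87.120.0/24", "10.201.4.0/24"]
    for cand in candidates:
        if is_private(cand) and not any(vpn_conflict(cand, r) for r in remote_lans):
            return cand
    return None


if __name__ == "__main__":
    # Constructed sample values matching the thread's scenario.
    print(subnet_span("192.168.1.0", "255.255.252.0"))  # hotel /22
    print(vpn_conflict("192.168.2.0/24", "192.168.1.0/255.255.252.0"))
    print(is_private("194.194.0.0/16"), is_private("10.239.35.0/24"))
    print(pick_home_subnet(["192.168.1.0/22", "172.16.0.0/24"]))
```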

jeffreylam1132
06/30/2008, 11:03 AM
Great info!

kfick
06/30/2008, 11:09 AM
RokleM, thanks for the info. Odd place to get a lesson on IP ranges in a reef forum, but I'll take it :D

I'm not sure why more people don't use these routers, it keeps my webcam off the web as well.

I find it interesting that a lot of reefers here work in techie related fields. Must be the analytical mind enjoys the challenge of a reef tank.

RokleM
06/30/2008, 11:15 AM
Or maybe the tie to toys/gadgets in both career/hobby;)

kfick
06/30/2008, 11:30 AM
Yeah, the STUFF is most of the fun for me. So what craziness is hooked up to your tank?

fishnu
06/30/2008, 02:16 PM
Originally posted by kfick:
RokleM, thanks for the info. Odd place to get a lesson on IP ranges in a reef forum, but I'll take it :D

Who said electricity and water don't mix?
