Why are all these ports open? -- SECURITY VULNERABILITIES


Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby Trolli » Fri Mar 28, 2008 10:08 am

I don't agree with these concerns. I think everybody knows that placing high security data on any PC or NAS that is connected to the internet is an extreme security risk no matter the installed software. If you can access your data through the internet then there is a small chance that your system can be hacked. Especially when the hacker knows what hard- and software you are using. The provided protection against random attacks is good enough for me. If you want to be sure, you have to secure your network so that there is no way to get to your important data from the outside.

Trolli
Disk Station 508
Firmware 844
4x1 TB Western Digital WD10EADS, Raid5

Moderator @ German Community Forum
Trolli
Versed
Posts: 292
Joined: Thu Jul 12, 2007 7:53 am
Location: Germany

Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby dguido » Fri Mar 28, 2008 7:09 pm

ahem.. err, Trolli, please read the entire thread before commenting. Your misconceptions have been addressed multiple times:

http://www.synology.com/enu/forum/viewt ... =15#p31074

http://www.synology.com/enu/forum/viewt ... =15#p31079

http://www.synology.com/enu/forum/viewt ... =15#p31159

http://www.synology.com/enu/forum/viewt ... =30#p31242

http://www.synology.com/enu/forum/viewt ... =30#p31797

Trolli wrote: I think everybody knows that placing high security data on any PC or NAS that is connected to the internet is an extreme security risk no matter the installed software. If you can access your data through the internet then there is a small chance that your system can be hacked.

In a nutshell, no, not *everything* plugged into the Internet is at extreme risk of attack. The Synology boxes can be configured in a way that they are actually very safe, and it's not too difficult for Synology to change them to be that way, however, they seem to have been haphazardly thrown together and have misconfigurations and old software in them that DO make them an "extreme security risk."

Trolli wrote: Especially when the hacker knows what hard- and software you are using.

The boxes, as they are, contain a number of Information Disclosure vulnerabilities that make it VERY EASY for a hacker to fingerprint the device and all of its vulnerabilities. This can be changed. These holes can be plugged so that the Synology boxes look like every other one out there and so that hackers can't enumerate a list of users or network shares from me. You want that right?

Trolli wrote: The provided protection against random attacks is good enough for me.

Then maybe you didn't read this thread closely enough. Go back to the original post and look through some of the extremely serious vulnerabilities there are.

Trolli wrote: If you want to be sure, you have to secure your network so that there is no way to get to your important data from the outside.

Again, that is what I'm trying to do here. I bought one of these devices, I gave it a security audit to see if it was safe. It was not. I told other people it wasn't so they didn't have to redo all the work I did.

Your concept of "inside" and "outside" is harmful though. I've tried to make the case in other posts to this forum: attacks are just "remote" (from the network) or "local" (from a shell on the box). What if someone hacks your desktop? What if someone breaks your wireless key? What if you let a buddy on your wireless network? What if you have 50 users on your internal network, behind your firewall, and one of them is hostile or gets their computer hacked? What if a hacker uses Cross-Site-Request-Forgery to access your internal devices? What about the ports you DO have forwarded over the Internet? It's not safe just because you put a firewall in front of it.
dguido
Apprentice
Posts: 99
Joined: Wed Oct 17, 2007 8:52 am

Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby Trolli » Fri Mar 28, 2008 8:21 pm

dguido wrote: Your concept of "inside" and "outside" is harmful though. I've tried to make the case in other posts to this forum: attacks are just "remote" (from the network) or "local" (from a shell on the box). What if someone hacks your desktop? What if someone breaks your wireless key? What if you let a buddy on your wireless network? What if you have 50 users on your internal network, behind your firewall, and one of them is hostile or gets their computer hacked? What if a hacker uses Cross-Site-Request-Forgery to access your internal devices? What about the ports you DO have forwarded over the Internet? It's not safe just because you put a firewall in front of it.

Sure. And you forgot to mention that there is a possibility that someone could break into my house and take the Synology box away. There is no perfect security.

I didn't want to say that there are no security risks on the Synology boxes. But for me it is safe enough. I think this is a legitimate opinion.

Trolli
Disk Station 508
Firmware 844
4x1 TB Western Digital WD10EADS, Raid5

Moderator @ German Community Forum

Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby dguido » Fri Mar 28, 2008 8:53 pm

Using a Synology box right now is like leaving your doors wide open and having a big sign that says "STEAL ME" on it. Of course someone could break into your house, but you try to make it reasonably difficult to do so. Right now it is unreasonably easy to break into a Synology device, and I'd like for it to at least be the equivalent of having the doors and windows closed.

If you are OK with leaving your doors open and putting that sign up, then sure, you're entitled to your opinion. I'm not though, and neither are a lot of other people around here.

Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby Trolli » Fri Mar 28, 2008 9:03 pm

No. I keep my doors and windows closed. Also my internet connection. I don't use a wireless connection and I keep all unnecessary ports closed to the internet. Security issues from inside my LAN are not a factor for me and I know how to keep my desktop as safe as possible.

Trolli
Disk Station 508
Firmware 844
4x1 TB Western Digital WD10EADS, Raid5

Moderator @ German Community Forum

Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby dguido » Fri Mar 28, 2008 9:57 pm

Then you're obviously aware of how these might be issues for most people and you're just being a troll, Trolli.

Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby aguida » Sat Mar 29, 2008 3:11 pm

dguido wrote: Using a Synology box right now is like leaving your doors wide open and having a big sign that says "STEAL ME" on it. Of course someone could break into your house, but you try to make it reasonably difficult to do so. Right now it is unreasonably easy to break into a Synology device, and I'd like for it to at least be the equivalent of having the doors and windows closed.

If you are OK with leaving your doors open and putting that sign up, then sure, you're entitled to your opinion. I'm not though, and neither are a lot of other people around here.


Dguido, thanks for pointing me to this thread. Now that you have been in contact with Synology, do you know if they are going to do anything to fix problem no. 1 (the main door left open)? As I wrote in the other thread, for me it is absurd that the whole world knows that in any Synology device there is a user called "administrator" that can do everything on the box. The account cannot be renamed, making it a trivial exercise to just guess the password.

1. Will there be the possibility to rename "administrator" to something else (or just delete/disable it and create a new full administrator account)?
2. Will the "administrator" radio button in the login screen for the web-management be removed (that's like a sign saying "hey this door is left open")?
3. Will the IP blocking functionality available for the FTP server be extended to all the outside-facing services including the web-management? That would be really nice.

I tried to open the FTP ports in my router, and sure enough the box was immediately attacked by people trying to log in on my FTP server as "administrator". Fortunately their IP addresses were immediately blocked after a few tries.

Thanks
aguida
Trainee
Posts: 17
Joined: Mon Oct 01, 2007 6:28 pm

Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby icerabbit » Sat Mar 29, 2008 10:31 pm

I cannot believe the reaction from some of the more seasoned Synology users here. Let's not even start about analogies with cars and physical house security ... and quit using the "oh but behind a router you are safe" & "just buy a professional solution" excuse.

Synology sells the product and advertises it as secure. Thus it should be security first. Up to date features (patching individual aspects) next and new features last.

I accept no system is invulnerable, but I think we are all allowed to expect a Synology NAS to be secure, as in: every port - apart from the one needed to access the interface as admin - is closed by default. There is no justification to have every possible port open by default out of the box. Only after enabling a certain service on the device should a port be opened. That is the only logical and safe approach that makes sense and that allows the end user to control the risk they're taking.

I totally agree with dguido it should be security first.
icerabbit
Novice
Posts: 45
Joined: Wed Mar 12, 2008 5:07 pm

Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby dguido » Sat Mar 29, 2008 11:02 pm

aguida wrote: Dguido, thanks for pointing me to this thread. Now that you have been in contact with Synology, do you know if they are going to do anything to fix problem no. 1 (the main door left open)? As I wrote in the other thread, for me it is absurd that the whole world knows that in any Synology device there is a user called "administrator" that can do everything on the box. The account cannot be renamed, making it a trivial exercise to just guess the password.

1. Will there be the possibility to rename "administrator" to something else (or just delete/disable it and create a new full administrator account)?
2. Will the "administrator" radio button in the login screen for the web-management be removed (that's like a sign saying "hey this door is left open")?
3. Will the IP blocking functionality available for the FTP server be extended to all the outside-facing services including the web-management? That would be really nice.

I tried to open the FTP ports in my router, and sure enough the box was immediately attacked by people trying to log in on my FTP server as "administrator". Fortunately their IP addresses were immediately blocked after a few tries.

Thanks


Hi aguida, and thanks for coming along with your suggestions. Over the course of the last 2 weeks or so I've actually found even more serious vulnerabilities than the ones you've mentioned, however, I will add yours to the list. Knowing, right from the onset, that a certain device must have a given username is probably not the best idea and Synology should implement more robust user management. A lockout function on the web interface is a great idea as well. I'd encourage you to go back through this thread and take a look at what's already been discussed -- you might find it both enlightening and a little bit scary!

Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby minorroadskill » Thu Apr 03, 2008 1:30 am

I have to strongly disagree with those who believe that security starts and ends with your NAT router configuration.

A) The box is clearly targeted at storing data. Data must be protected, regardless of what the box costs. It shouldn't matter whether you own a DS or an RS. Although I particularly have never met a rack server owner that thought security on that server wasn't of primary importance.

B) It's called security in depth. The Syno box has to be as secure as possible, and depend upon the security outside the box as little as possible. A LAN is as strong as the weakest link within it. Without securing the servers on your LAN, your servers are only as secure as that weakest link, which is much less secure than the server can and should be. LAN vectors are numerous, from Windows vulnerabilities, to social engineering leading to owned desktops, to configuration errors made by administrators. No LAN is totally immune, but servers can be easily made to be resilient to compromised LANs, using a few widely accepted best practices.

C) Of course security is never perfect. There are other threats too, and they should be addressed appropriately, or you're not doing your job. Yes, someone could even steal the box. But that's what encrypted offsite backup is for.

If my Syno box is breached, I lose money, my client, my rep, or all of the above. So do I expect my Syno boxes to use common best security practices? Of course. Instead, the Synology box makes a number of poor choices, which limits the appeal and applicability of their products. Namely:

1) services running as admin that don't need to
2) open ports for unnecessary or unused services
3) unpatched services, sometimes years out of date
4) poor or no user config / home directories

There are a few things we can do to mitigate the damage.

A) Don't forward any ports from the WAN. Consequence: reduced usability, no usability for public purposes
Comments: This is the stupid solution, but currently necessary. If you require public users, the Syno box is not currently usable. Until the patch levels of public services are brought up to snuff, we're stuck with the situation. Patching should be a no-brainer, which Synology is ignoring and therefore crippling their own product.

Workaround: Use SSH port forwarding (aka SSH tunneling). This adds a lot of bandwidth overhead and administration, and is only viable for private use. On the plus side, if private access is all you need, you are a lot more secure. Think of it as a poor man's VPN.

Workaround #2: Go with a full-blown VPN. Similar trade-offs.

Note though that this does nothing to mitigate attacks from within the LAN.

B) Close those unnecessary ports by killing off the unnecessary services that use them. Do this in a startup script or as a cron job. I haven't gotten around to doing this, but should. Has anyone got a script for this?
Consequences: none, really, unless you also needed those services running for admin tasks purely within the box, but I can't think of any.
Notes: the box is still vulnerable on those ports at least temporarily

OK, so after doing these two things, we have a somewhat crippled box that isn't available to the public, and that is still vulnerable due to unpatched services to various LAN users, including:

- malicious users
- other administrators
- compromised desktops
- WLAN crackers

OK, so I don't have to use WLANs. But at one site I have another LAN administrator, and we have to share an SSH login on the server, which is very, very dumb. Plus, much as I'd love to be rid of Windows, it's a fixture on my LAN, so you never know when they're going to get owned.

In other words, Synology has work to do to make the product viable in a real office.

MRK
minorroadskill
Rookie
Posts: 33
Joined: Tue Nov 13, 2007 5:03 am
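
An added example (not written by any poster in this thread, and not Synology code) of the audit step that would come before item B in the post above: a check, suitable for a startup script or cron job, that lists TCP listeners not on an allowlist and separates network-reachable ones from loopback-only ones. The allowlist, the port numbers and the sample `netstat -tln` output are constructed assumptions.

```shell
#!/bin/sh
# Added example: flag TCP listeners that are not on an allowlist.

# Assumption: only SSH and one admin web port are meant to be reachable.
ALLOWED_PORTS="22 5000"

# audit_listeners ALLOWED  (netstat -tln / -tlnp style output on stdin)
# Prints one line per listener whose port is not in ALLOWED:
#   <scope> <port> <local-address>
# scope is "remote" (bound to a network address) or "local" (loopback only).
audit_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            addr = $4
            port = addr; sub(/^.*:/, "", port)       # text after the last colon
            host = addr; sub(/:[0-9]+$/, "", host)   # everything before the port
            if (port in ok) next
            scope = (host ~ /^127\./ || host == "::1") ? "local" : "remote"
            print scope, port, addr
        }
    ' | sort -k1,1 -k2,2n
}

# count_remote: number of "remote" findings in audit_listeners output (stdin).
count_remote() {
    awk '$1 == "remote" { c++ } END { print c + 0 }'
}

# Constructed sample input so the example runs without a live system.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5000            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN
tcp6       0      0 :::139                  :::*                    LISTEN
EOF
}

# On a real host, replace sample_netstat with: netstat -tln
sample_netstat | audit_listeners "$ALLOWED_PORTS"
```

Each "remote" line is a service to disable or justify; a "local" line is not reachable from the LAN but still belongs in the inventory.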

Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby Trolli » Thu Apr 03, 2008 8:32 am

Hello minorroadskill!

I fully agree with your points of view. My previous posts were reflecting my own situation, where the provided security is more than enough. For office use you need a higher security standard, especially from inside your LAN. And you are not only threatened by random attacks from the internet - there is also a much higher risk of being faced with a targeted hacker attack.

Although software security is very important, the threats of physical attacks are often underestimated. You can simply press the reset-button to blank out the admin PW on your Synology Station. Anybody who doesn't care about such threats has no need to complain about software security.

High security standards don't go very well with high functionality. Every function and running service may lead to new security issues. Maybe it would be a good choice for Synology to release two different firmware packages for their Stations. One high security package with less functionality for industry use and one package focussed on a wide range of functions.

Trolli
Disk Station 508
Firmware 844
4x1 TB Western Digital WD10EADS, Raid5

Moderator @ German Community Forum

Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby dguido » Thu Apr 03, 2008 7:42 pm

FreeNAS is "high security" yet has all the same functionality that Synology has. It's the difference between taking the time to implement it correctly and throwing it together haphazardly. Right now, the security that we are talking about, is not a trade-off for functionality,

Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby n8plukker » Thu Apr 03, 2008 8:24 pm

In our RFI, we asked the following questions and received the following answers from Synology* related to this topic.
*) Questions 1 till 5 were answered by Edward Lin on 25 March 2008 17:15 PM and question 6 was answered by Michael Tsao on 27 March 2008 07:20 AM

  1. Q: What is your policy on developing firmware-updates in order to solve critical bugs (which may be reported by users, for example via your forum*)?
    *) e.g., viewtopic.php?f=84&t=7304
    A: As a dedicated NAS product designing company, we do our best to avoid/fix any bug that could put user's data in danger, either having the possibility of corruption or being hacked. As long as the 2 things are involved, it's always on our top priority.
  2. Q: Which maximum leadtime do you guarantee, between when a critical bug is being reported and the release date of a patch/ update which solves that bug?
    A: No accurate answer for this, as each critical bug needs time to reproduce in our lab, develop a firmware update, and test. However, if the bug concerns the 2 items mentioned in the previous item, we'll do our best to provide the patch to users who report it even before our official release. Of course, users can always wait until the official release if they are worried about the temp patch.
  3. Q: To what extent do you give "fixing critical (security) bugs" a higher priority than "developing new software-features"?
    A: As a dedicated NAS server designing company, we do our best to develop features as well as fix bugs on our products. If the bugs are related to the security issue, then we will certainly fix the bugs with our full support to protect our customers' data.
  4. Q: To what extent do you consider security bugs less critical, if they can only be exploited from within an internal/ private LAN?
    A: For us, as long as security is concerned, it does not matter if it's internal or external network.
  5. Q: (When) Will your products support (open)VPN?
    A: Our products do not support VPN. Currently our policy tends not to add it, instead, we recommend our users to leverage the router to provide the VPN.
  6. Q: Your previous answers sound promising and professional. However, is there any "proof" that you are, not only in theory but in practice too, committed to solving critical (security) bugs asap? For example: Do you have a feedback procedure in place to continuously search for new critical bugs reported by users (on your forum for example)? What priority does investigating such reports have? How many experts and how quickly do they investigate reported critical bugs and perform impact analyses? These questions may be difficult to answer. However, security/ availability/ performance is of main concern to us, our clients and you.
    A: Customer service is always our first priority in our company. Customer's investment is enhanced with 24/7 online support and frequent firmware upgrades. We make sure every single customer is being helped and has question answered as soon as possible. Every letter received on online support, FAQ, or Product Inquiry will be evaluated and replied within 24 hours. If the bug is highly critical, we will do our best to provide the patch for users before our official release. You can always go to the User Comments page to see the feedbacks from our former customers. Again, I agree that security/ availability/ performance are of main concern to all of us and we will always do our best to take care of each of our customer.
Last edited by n8plukker on Thu Apr 03, 2008 10:25 pm, edited 1 time in total.
n8plukker
Trainee
Posts: 18
Joined: Thu Apr 03, 2008 7:52 pm

Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby dguido » Thu Apr 03, 2008 8:41 pm

n8plukker, what they really ought to do is set up security@synology.com so people have a fast-tracked way of reporting these things. Instead I spent a lot of time trying to talk to someone on this public forum and through general tech support (not ideal).

I reported A LOT of issues to them, most of which they've said will get fixed in an upcoming release of their firmware. I'll publish something official when that happens. They were decent to work with and, after a bit of convincing, understood that these issues were serious and warranted their immediate attention.

Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby n8plukker » Thu Apr 03, 2008 10:14 pm

dguido wrote: ... what they really ought to do is set up security@synology.com so people have a fast-tracked way of reporting these things. ...

Processing unstructured change requests submitted via email or fora is just way too time consuming (expensive) and thus unlikely to be handled properly. We would prefer an online bug tracking system. Such systems allow users to indicate (among other things) 1) how likely it is that the bugs they report actually occur and 2) what impact such bugs would have (on performance/ availability/ uptime and/ or data integrity/ security).
Thanks to this topic, we decided to postpone buying products from Synology until the critical issues have been solved. Their answers to our questions sound promising, but we only consider a firmware update (which is developed, tested and released quickly, after critical bugs have been reported) as proof. As a potential customer, we thank all posters who report critical bugs. If critical firmware updates are not quickly released, one could ask how this relates to Synology's policy as stated in our previous posting in this topic.
