Proximus Innovation: D-Link DCS-2132L

The Proximus Innovation team handed me a D-Link DCS-2132L (ver. B1) to play with. I have some experience with what is considered a professional (~€120 + tax) PoE surveillance camera: the Unifi Video Camera (basic version).

Amazon retails this D-Link for around €120 (including tax). So it’s worth noting it’s almost the same price as a metal, semi outdoor, cloud based camera.

The first things I noticed unpacking:

  • Plastic. And it feels very plastic.
  • Indoor only.
  • The base is a bit light if you just want to set it on a table without screwing it or using glue. The UTP and power cable can make it trip easily.
  • No PoE (power-over-ethernet).
  • Infrared (you can clearly hear the filter ‘clicking’ when booting up the camera)

This thing comes with ethernet, and, surprisingly, with WiFi. That’ll make it easier to use in small shops. There’s also an option to add a micro SD card as local storage.

While setting up WiFi, I managed to already bug it and lose access by setting up both WiFi and having an ethernet cable connected; and updating the firmware didn’t seem to solve that issue. So it’s basically one or the other. Want to use WiFi? Don’t plug in a cable!

There is a live view (using Java) from the interface: FPS wise it seems quite low, around two-three frames per second, and there is some lag on the interface (setting is set to “max 25 fps” — which apparently is only used when recording).

Quality in a close to dark room is okay-ish — infrared enabled (+ time still wrong on most of the pictures).

Outdoor picture of Antwerp without IR. Not so detailed and CMOS sensor quality is fairly crap.

Indoor pictures during the day (it’s always quite dark in my room — no direct sun).

Close up & view of my kitchen: a bit blurry.

On the other hand — for a D-Link I was surprised with the options from the interface though. You can set up motion (+ select an area to detect motion — not necessarily the whole area) & sound detection, WiFi “just works”, you can generate new self-signed or upload your own SSL certificates, access list, QoS, UPnP, DDNS, PPPoE, NTP, IPv6, privacy masking (cover an area), etc.

[Screenshot: D-Link interface]

UX & design isn’t their thing though.

The whole interface, unlike UVC which streams content to a cloud server (and everything is recorded/stored there), is run from the onboard web interface. There is some separate Windows software you can download — but I have a Mac and it didn’t seem to add much value.

[Screenshots: zoom-ie, whether-or-not]

It’s still made and translated by Taiwanese people… 😉

All in all, this is a decent camera for small businesses or personal surveillance. It’s a bit too expensive, but it does the job and has a decent amount of options.

PS: the default username is admin with no password. Remember to change it, or you’ll have voyeurs looking at you (in case it has a public IP and/or if it automatically opens ports using UPnP) — like I am looking at this man using simple Google queries (I needed examples for a panel talk at Stibbe about internet security).

[Image: angry-man-doesnt-know-his-webcam-is-on]

CIFS: mount error(13): Permission denied

You’ve just updated your Raspberry Pi (or whatever Linux) and you’re noticing your CIFS (smb) mounts aren’t getting auto mounted anymore. You curse and start noticing this error:

# mount -t cifs //192.168.1.100/public -o username=public,password=public sam/
mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

The solution is to add after -o username=X,password=Y the following: sec=ntlm; thus it becomes -o username=X,password=Y,sec=ntlm.

You can do the same in fstab:

//192.168.1.100/public /mnt/sam/ cifs domain=TIETE,username=public,password=public,sec=ntlm 0 0

No idea why it’s suddenly required, but whatevs.
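
The mount command and fstab line above carry the password inline, and sec=ntlm selects legacy NTLM password hashing. As an added example (not part of the original post), this shell function audits an fstab-format file for both, and for a credentials= file that group or others can access; the finding labels, the temporary paths and the second sample line are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): flag risky CIFS options in an
# fstab-format file. Prints "<mountpoint>: <finding>" lines.
audit_cifs_fstab() {
    while read -r dev mnt fstype opts rest; do
        case "$dev" in ''|'#'*) continue ;; esac      # blank line or comment
        [ "$fstype" = "cifs" ] || continue
        for o in $(printf '%s' "$opts" | tr ',' ' '); do
            case "$o" in
                password=*|pass=*)
                    # /etc/fstab is normally world-readable
                    echo "$mnt: inline-password" ;;
                sec=ntlm)
                    # legacy NTLM hashing, weaker than NTLMv2-based modes
                    echo "$mnt: legacy-sec-ntlm" ;;
                credentials=*|cred=*)
                    f=${o#*=}
                    # characters 5-10 of `ls -l` are the group/other bits
                    if [ -e "$f" ] && [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
                        echo "$mnt: credentials-file-not-private"
                    fi ;;
            esac
        done
    done < "$1"
}

# Constructed sample: the post's fstab line, then the same share with the
# password moved into an owner-only credentials file (paths are placeholders).
demo_dir=$(mktemp -d)
cred="$demo_dir/sam.cred"
( umask 077; printf 'username=public\npassword=public\ndomain=TIETE\n' > "$cred" )
cat > "$demo_dir/fstab" <<EOF
# device               mountpoint type options dump pass
//192.168.1.100/public /mnt/sam/  cifs domain=TIETE,username=public,password=public,sec=ntlm 0 0
//192.168.1.100/public /mnt/sam2/ cifs credentials=$cred,sec=ntlm 0 0
EOF
audit_cifs_fstab "$demo_dir/fstab"
```

The second entry clears the inline-password finding while keeping sec=ntlm, which stays flagged so it can be revisited once the server accepts a stronger mode.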

Belgian banks & SSL — part 4

Because of the media storm it’s time for an update. The previous (1, 2, 3) blog posts are outdated!

I’ll do my usual slashdot-effect post in a couple of days (it’s already at 10k views today).

Banks that changed rank since last post (all for the better):

  • 16/02/2015:
    • Keytrade: B to A
    • Hello Bank!: C to A
    • ING: F to A-
    • Record Bank: F to A-
  • 17/02/2015:
    • ABK: F to B
    • Bank Van Breda: C to B
  • 18/02/2015:
    • MeDirect: F to A
    • Added 6 new (small) banks
  • 27/02/2015:
    • Ogone: C to A-
  • 02/03/2015:
    • Fortuneo: C to B
  • 03/03/2015:
    • Crelan: B to A

I cannot test Europabank using SSL Labs. I can only speculate they requested SSL Labs to not scan them. I have also added a couple new banks (Delta Lloyd, Deutsche Bank, Moneyou, Fortuneo, BKCP, Binck, and Isabel as bank tool).

I would like to apologise to every IT’er that had a crappy Monday morning, and thank you for fixing SSL so fast. 🙂

The entire list updated (last partial update 18/02/2015 around 20h00):

I’ve updated the sites to now correctly test the login page and not the main homepage. If that’s not the case somewhere, please tell me.

Grade A

Grade B

  • Argenta: SSL3 (insecure), weak signature (SHA1), RC4 (insecure), no Forward Secrecy.
  • ABK: weak signature (SHA1), no TLS 1.2, no Forward Secrecy, no support for secure renegotiation. [update]
  • AXA: weak signature (SHA1), SSL3 (insecure), RC4 (insecure), no Forward Secrecy.
  • Bank Van Breda: weak signature (SHA1), no TLS 1.2, no Forward Secrecy, no support for secure renegotiation. [update]
  • beobank: weak signature (SHA1), no TLS 1.2, RC4 (insecure), no Forward Secrecy.
  • BKCP: weak signature (SHA1), no TLS 1.2, RC4 (insecure), no Forward Secrecy. [newsletter]
  • CPH: no TLS 1.2, RC4 (insecure), no Forward Secrecy.
  • DHB Bank: weak signature (SHA1), RC4 (insecure).
  • Fortuneo: weak signature (SHA1), no TLS 1.2, no Forward Secrecy.
  • KBC: weak signature (SHA1), no TLS 1.2, no Forward Secrecy.
  • NIBC Direct: weak signature (SHA1), RC4 (insecure), no Forward Secrecy.
  • VDK: SSL3 (insecure), no TLS 1.2, weak signature (SHA1), RC4 (insecure), no Forward Secrecy.

Grade C

  • PSA Bank: weak signature (SHA1), no TLS 1.2, RC4 (insecure), no Forward Secrecy.

Grade D

  • n/a

Grade E

  • n/a

Grade F

  • Optima Bank: vulnerable to POODLE attack in SSL3 and TLS format, weak signature (SHA1), RC4, no Forward Secrecy.

Information about SSL Labs grading can be found here. Grade A (+) being the best possible ranking, and F the worst.

Respect to those that send a mailing list to their customers with more detailed information. Communication++

Respect to Rabobank for being the only bank that directly contacted me (officially, not hiding behind a Gmail or Hotmail address) and thanked me for the work I did, asking for more details, etc.

And thank you to an anonymous person, working for one of the big banks, for giving me more details about why they are slow at patching this, how legacy works, etc. I wish he could take this discussion public, but alas.

Belgian banks & SSL — part 3

EDIT: ING is now A- (not reflected in this blog post).
EDIT 2: Keytrade & Hello Bank also went to A. I’ll post a new blog post later tonight.
EDIT 3: Updated post here.

Part three, or how I single-handedly “fixed” SSL at the Belgian banks. 😉

Part one and two are available here. Not related, but useful nonetheless: a NY Times article about bank hackers.

Argenta promised to fix their SSL, so it’s time to check everything again.

TL;DR: Only Argenta’s status changed for the better.

Those that did not change:

  • Rabobank: A+
  • Triodos: A+
  • Belfius: A-
  • BNP Paribas Fortis: A-
  • bpost bank: A-
  • AXA: B
  • beobank: B
  • CPH: B
  • KBC: B
  • Keytrade Bank: B
  • Crelan (internet banking): B
  • Hello bank!: C
  • Bank Van Breda (internet banking): C
    • BvB no longer supports secure renegotiation (which, afaik, it did before). However, it’s still rated as C, as this isn’t a real issue.
  • ING: F
  • Record Bank (internet banking): F

Those that did change:

  • Argenta (internet banking): F to B
    • No longer vulnerable to POODLE,
    • Support for protocol downgrade attacks prevention,
    • Still using SSL3 (obsolete and insecure),
    • Weak signature (SHA1),
    • RC4 cipher is supported (insecure),
    • No Forward Secrecy.

Still a little way to go for Argenta, but it’s on the right path.

Those that I hadn’t tested before:


The entire list updated:

Grade A

  • Rabobank (A+): no known issues. Support for HTTP Strict Transport Security and prevented downgrade attacks.
  • Triodos (A+): no known issues. Support for HTTP Strict Transport Security and prevented downgrade attacks.
  • Belfius (A-): weak signature (SHA1), no Forward Secrecy.
  • BNP Paribas Fortis (A-): weak signature (SHA1), no Forward Secrecy.
  • bpost bank (A-): weak signature (SHA1), no Forward Secrecy.

Grade B

  • Argenta: no SSL on main page.
    • internet banking: SSL3 (insecure), weak signature (SHA1), RC4 (insecure), no Forward Secrecy.
  • AXA: weak signature (SHA1), SSL3 (insecure), RC4 (insecure), no Forward Secrecy.
  • beobank: weak signature (SHA1), no TLS 1.2, RC4 (insecure), no Forward Secrecy.
  • CPH: no TLS 1.2, RC4 (insecure), no Forward Secrecy.
  • KBC: weak signature (SHA1), no TLS 1.2, no Forward Secrecy.
  • Keytrade Bank: weak signature (SHA1), RC4 (insecure).
  • VDK: SSL3 (insecure), no TLS 1.2, weak signature (SHA1), RC4 (insecure), no Forward Secrecy.
  • Crelan: no SSL on main page.
    • internet banking: weak signature (SHA1), SSL3 (insecure), no TLS 1.2, RC4, no Forward Secrecy.

Grade C

  • Hello bank!: vulnerable to POODLE attack, weak signature (SHA1), RC4 (insecure).
  • Bank Van Breda: no SSL on main page.
    • internet banking: vulnerable to POODLE attack, weak signature (SHA1), no TLS 1.2, no Forward Secrecy, no support for secure renegotiation.
  • Ogone: payment facilitator
    • weak signature (SHA1), RC4, vulnerable to POODLE, no Forward Secrecy

Grade D

  • n/a

Grade E

  • n/a

Grade F

  • ABK: SSL2 (insecure), vulnerable to POODLE attack, weak signature (SHA1), RC4 (insecure), no Forward Secrecy, no TLS 1.2.
  • ING: vulnerable to POODLE attack, SSL3 (insecure), weak signature (SHA1), RC4 (insecure), no Forward Secrecy.
  • MeDirect Bank: vulnerable to POODLE attack, OpenSSL CCS vulnerability (quite bad).
  • Record Bank: no SSL on main page.
    • internet banking: vulnerable to POODLE attack, RC4 (insecure), no Forward Secrecy.

Information about SSL Labs grading can be found here. Grade A (+) being the best possible ranking, and F the worst.

Also, shame on you ING. More than any other bank.