Crypto mining malware clarification of terms

Hi,
Read with obvious trepidation about the crypto malware attacking NR machines "exposed" to the internet without applying any security.
Can someone clarify the term "exposed" vs "connected"?

"Exposed" to me is having the NR port and IP exposed and accessible via port forward, reverse proxies, or no firewall controls, etc.

My Node-RED is running on a Windows PC connected like millions of others. I would interpret that my PC is "connected" to the internet (not exposed?) with the usual router and firewall setup but no port forward nor reverse proxies. Would I be OK without enabling adminAuth, or have I got it wrong?

Thanks
Ken

You are correct: by 'exposed' it is meant that your node-red can be accessed from the internet via port forwarding or similar means. If it can only be accessed from the local network then you should be ok.

Well, you are one step ahead of many by asking the question :slight_smile:

And as Colin has said, you are correct.

Of course, security is an ongoing battle. With so many "moving parts" on any modern PC and network, it is really hard to keep things secure and real easy to make a mistake or be unaware of a new threat.

So, in my view, it is always worth thinking about your risks, no matter what network you are on.

If your Node-RED system is used for convenience, that's one thing. If it is used to control critical systems that might cause expensive damage, that might be a different risk calculation.

Just something to keep in mind as you develop - like the rest of us - your addiction to all things Node-RED :wink:

Thanks for that,

What I am concerned about was what developer said in a recent post to the effect:

"The node-red runtime exposes an http API for deploying updates. It is the API the editor uses whenever you click the Deploy button. Any action the editor can apply to the runtime is done via this API - installing new nodes, etc. It is fully documented on nodered.org.

It is fairly trivial to craft an http request to perform any of these actions in the runtime - because it's a simple API to use."

Not understanding the statement in depth technically, and as a novice, I read that there will be a potential risk of some clever hacker (rather trivial for them) hacking into the system every time I click the Deploy button as you do (just connected to the internet).

However, I take your point that basic security is common sense; perhaps the next release will automatically include at least basic adminAuth as part of the installation, one thing less to worry about.
Thanks,
Ken

A default username and password is no security at all - and will encourage a false sense of security.

There are some steps we can take to alert the user they have not got security enabled, but we can't absolve the user from all responsibility here.

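As an added illustration (not code from this thread or from the Node-RED project), here is the shape of the adminAuth block Ken mentions, as it goes in settings.js, next to a small check that flags the weak cases discussed above (no adminAuth at all, or a plaintext or default password). The username and the hash value are constructed placeholders; the real hash comes from the project's `node-red admin hash-pw` command.

```javascript
// Added example, not from the thread or the Node-RED project. Shape of the
// adminAuth block in settings.js, plus a check for the weak cases discussed
// above: no adminAuth at all, or a plaintext/default password.
// Generate a real hash with the project's CLI:  node-red admin hash-pw
// The username and the hash below are constructed placeholders.

const settings = {
  // Without this block, the editor and its HTTP admin API (the one the
  // Deploy button talks to) accept requests from anyone who can reach the port.
  adminAuth: {
    type: "credentials",
    users: [
      {
        username: "ken", // assumption: your own editor login name
        // bcrypt hash as output by `node-red admin hash-pw`; this value is a
        // dummy of the right shape and will not log anyone in
        password: "$2a$08$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0",
        permissions: "*" // full access; "read" gives view-only
      }
    ]
  }
};
// In a real settings.js the file ends with: module.exports = settings;

// What Node-RED's "credentials" type expects: a bcrypt hash, never plaintext.
const BCRYPT_RE = /^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$/;

// Returns a list of findings (empty = nothing obviously wrong). This checks
// the shape of the config only, not whether the chosen password is strong.
function auditAdminAuth(cfg) {
  const findings = [];
  if (!cfg.adminAuth) {
    findings.push("adminAuth missing: editor and admin API are unauthenticated");
    return findings;
  }
  if (cfg.adminAuth.type !== "credentials") {
    return findings; // strategy/function-based auth is out of scope here
  }
  for (const u of cfg.adminAuth.users || []) {
    if (!BCRYPT_RE.test(u.password || "")) {
      findings.push(`user ${u.username}: password is not a bcrypt hash`);
    }
  }
  return findings;
}

// The two configurations side by side: the weak one has adminAuth left out.
const weakSettings = {}; // constructed: a settings.js without adminAuth
console.log(auditAdminAuth(weakSettings)); // one finding
console.log(auditAdminAuth(settings));     // []
```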

This is always a tempting approach. However, as Nick points out, this is generally not a great idea.

The thing to remember is that Node-RED is a general purpose tool for creating all manner of services. As such, it is very powerful and flexible. Great for us users. Unfortunately, also great for attackers with knowledge.

Security is firstly about understanding the risks. Then about adding layers of defence to reduce the risks (where necessary) to acceptable levels.

The community is just getting more aware of the risks thanks to the "help" from some attackers. We've a ways to go to communicate the best approaches to risk reduction.

Honestly, the risks are really pretty low as long as you haven't connected your Node-RED service to the Internet - especially the admin interface or any other interfaces that allow control of critical systems.

We don't need to go mad about risks but I do want to keep raising the prominence of security so that we don't become part of a wider problem.

So far, the attacks we've seen haven't been too destructive and this is pretty common. A lot of attacks are looking for footholds in networks from where useful data can be extracted or platforms used to further attack more high-profile systems. Basic security will generally keep us safe from those.

More concerning would be targeted attacks against higher-value control systems - heating, security systems, commercial systems and so on. If you are using Node-RED to help run commercial services or anything critical, the risks - or at least the impacts - become significantly higher. In that case, more layers of protection would be warranted even on supposedly closed networks.

In the meantime, let's not be put off from using Node-RED. It is a great system, useful for many tasks and fun to use. Just be aware.
