All posts by Justin Grimes

(@zelon88) - The founder, lead developer, and DPO for HonestRepair.

List of recent HonestRepair software updates

HTA-UI to v1.0.

HRConvert2 to v2.5.

Remote Executor minor documentation updates.

HRScan2 to v2.0.

Ransomware Defender to v1.4.

HR-AV to v0.8.8.

Registry Monitor to v1.1.

ScanCore to v0.2.

Sharer to v0.8.

License Chooser to v0.9.

Sponsor Us On Github!

We’re honored to have been approved to join the Github Sponsors Beta program! That means that anyone can now sign-up through Github to sponsor us with a monthly donation, and that Github will match your monthly donations to us up to $6,000!

Perhaps the best part of being a part of the Github Sponsors program is that we get to offer our supporters rewards and special offers as a way to say thanks.

To learn more about the program or to sign-up to support HonestRepair software, head on over to our Github Sponsors Account and have a look around. There you can see our donation tiers ranging from $1 per month all the way to $500 per month as well as the rewards you get for each one. Remember, for the first 12 months Github will match your donations, dollar-for-dollar, up to $6,000 per month! That means we’ll receive double your donation for the first 12 months!

As always, thanks to everyone whose interest in our products and projects has made this happen.

New Software License Model!

We’ve recently introduced a new Software License Model for all of our software releases that keeps all our code open-source while granting enough freedoms to enterprise customers to enable them to meet their needs.

In the beginning, all our source code was available under just one license: the GNU GPLv3. This is still the case, but we’ve created ways for users to obtain more permissive licenses that still pay homage to the spirit of open source.

Basically, with the latest license model any contributor to any of our projects gets a free BSD 3-Clause license for that project. That means they can then make their own changes and keep them private, even in a commercial environment. As a result, enterprise customers who aren’t allowed to use GNU GPLv3 software as a dependency of a corporate project merely have to submit one contribution to the open-source version in order to get the license they need. They win and the community wins.

However, we also realize that some companies require even more freedom or even more privacy in their code branches. To accommodate these customers as well, it is now also possible to simply purchase a BSD 3-Clause or MIT license for any of our products. The prices are unambiguously made available using our new “Interactive License Chooser”, which is itself open source.

HRCloud2 v3.1.8 – Working on adding drag-drop-swap to appIndex

-v3.1.8.
-Add initial version of drag-drop-swap to appIndex for swapping Apps around.
-Currently very buggy.
-Adapted from https://codepen.io/cilestin/pen/ogQQBP by "Drew" (@cilestin, https://codepen.io/cilestin/).
-Original version only worked for [line elements].
-Also working on Weather app using OpenWeatherMap API functionality and an App originally by @cmfcmf (https://github.com/cmfcmf, https://github.com/cmfcmf).
-The App will store client supplied locations (optional) for monitoring.

Scams and Fraud: How Business Owners Can Avoid All Forms of Attack

Today’s guest post was submitted by Dean Burgess from Exitepreneur. Thanks, Dean!

Scams and fraud perpetrated by thieves who want to gain access to a company’s data or content cause millions of dollars of loss each year for businesses large and small. Sadly, no matter how many precautions you take against it, it’s likely that you’ll face some form of theft over the course of your company’s lifetime. With advances in technology happening every day, scammers have many more tools than they used to, making access to your computers and payment systems much easier. When this happens, private and sensitive data can be breached, leaving you responsible for large sums of money and breaking the trust you’ve built with your client base.

Fortunately, there are things you can do to avoid some of these scams and ways you can protect yourself against being hit again if you’ve already suffered an attack. It’s important to take a look at the way your company does business, and that includes determining who has access to sensitive materials such as credit card numbers and email passwords. Even if an employee isn’t purposely being dishonest, they may be playing an unsuspecting role in allowing others to gain unrestricted access to your system and data.

To keep your company and customers safe, here are a few things to consider.

When Phishing Results in a Big Loss

Phishing scams, which are perpetrated by email and used by scammers to gain information about a business that they can exploit, can result in huge losses. Unfortunately, if your company is a small one, this can mean big trouble. If you’ve been the victim of a phishing scam, it’s a good idea to go with a professional tech support company like Secure Data Recovery to help you recover that data. This is the best option when you need to get back up and running in a short amount of time. When your business is small, that time can be crucial to minimizing loss.

Train Your Employees

It’s imperative to make sure that your employees are well-trained and thoroughly understand how to spot a scam, especially the employees who have access to your company’s email address. These emails can be difficult to spot if you aren’t sure what to look for, so it’s a good idea to make sure your business email is with a reputable and secure provider. This way, many of these email scams will be caught before you ever see them. Of course, they can still get through, so teaching your employees what to look for will be essential. Grammatical and spelling errors are a major red flag, as are emails that are not specifically addressed to someone at the business.

Stay Up on the Trends

There are always new and inventive scams making their way around the web, and for this year, the ones to look out for include emails informing you that a certain account has had a suspicious login or that your account has expired. When you click the link they provide, you’re actually taken to a faux page that records your information. You should also be on the lookout for text messages and messages within apps; fraud can occur here, too.

Don’t Be Intimidated

One common form of fraud that many business owners have faced recently is an email or visit from a pushy salesperson who insists that someone from the company ordered supplies that must be paid for. Some will call a company claiming to be with Google and try to intimidate an employee into sending them payment in order to have the company show up in searches. Don’t let these scammers intimidate you! Train your employees to recognize a fraudulent claim, and let them know what to do in the event that they are the victim of one.

Scams and fraud are more common than many business owners may know, so it’s important to remember that the fact that you haven’t been hit before is not a guarantee that you will never be the victim of a crime. Training your employees well and taking precautions will help you keep your company — and your clients and customers — safe.

Service Outages Due To Network Upgrades (Updated)

It’s once again time to reconfigure our ever-growing storage arrays. With about 2 days’ worth of backup capacity remaining, I have bought new backup storage and am in the process of copying everything over.

Once the initial data transfer is complete I will disable the Cloud by enabling “Maintenance Mode” and give it one quick sync. Then I will reconfigure the Cloud to run with one backup copy as primary. This will allow me to disable maintenance mode and resume public Cloud operations with one backup acting as the primary Data store and the other backup copy as a backup.

With the Cloud operating out of backup storage I can reconfigure the primary Cloud Data array without worrying about redundancy or the clock ticking. After the primary Cloud Data array is rebuilt I can sync it with the temporary primary data and recycle the extra disks back into the primary Cloud Data array for added redundancy.

The tl;dr is: our service might be spotty this weekend. We will do our best to keep the platform online and stable but there are times when we will need to take things offline for short periods. Please pardon these outages while we work to expand our capabilities and improve our services.

Update 4/30/2019

The upgrade is mostly complete and the platform is stable. There were several compatibility hiccups that prevented configuring the main storage arrays the way I wanted but I’ve ordered a new RAID controller that should hopefully do the trick when it gets here. In the meantime we’re running the Cloud out of backup storage. There will be a little bit of downtime involved when installing the new RAID controller and the Cloud will be briefly unavailable during the changeover. The upgrade is about 75% complete. Thanks for sticking with us, and keep checking back for more updates!

Update 5/6/2019

I received the RAID parts and will be installing them this week. Expect downtime in the evenings all this week while I get the hardware configured and work out the kinks.

Update 5/16/2019

The upgrade is complete and testing has passed. The Cloud has been off backup storage and running out of a new primary storage array since this past weekend, but I kept a close eye on everything for the first few days before calling it complete. The new RAID controller and drives seem to be working well and there are no signs of problems. The new configuration is also more robust than before. Our primary storage array can withstand multiple simultaneous drive failures without losing any user-supplied data and the new backup array adds yet another layer of redundancy. The OS drive on this server was also upgraded to a unit that yields a 10x performance boost over the last configuration. That’s right, our new OS storage configuration is ten times faster than before, with sub-0.5ms random seek time and up to 3GB/s of disk transfer.
This also frees up hardware that can eventually be installed into other HonestRepair servers, further enhancing our capabilities. Before I get around to that I think I want to install an onboard LCD touch screen on our DNS/DHCP server, and possibly write a How-To about it. Stay tuned!

CMS-DH Admin Login Bypass

BACKGROUND

This information is also available on Github.

CMS-DH is an old generic application created for resale, probably by Dahua or one of its divisions. It is used to control Digimerge security cameras. Now Flir owns Digimerge and everybody wants to forget this software exists. In reality it doesn’t matter and I don’t really care. There are configuration entries to change the name of the application in toolbar menus, so that should give you an idea of how generic it was meant to be.

If you lose access to CMS-DH it can be extremely difficult to connect to the DVR and make changes to it. The documentation for Digimerge hardware is practically non-existent, and the company itself doesn’t exist anymore (now absorbed into Flir Security, who don’t even have a TLS cert on their security-centric website). The lack of information presents a problem that is compounded by the fact that there seem to be different versions of documentation out there for the Digimerge equipment and not many of them seem to have accurate or useful information.

Luckily, the hardware uses CMS-DH to make configuration changes from a computer. CMS-DH is what I like to call “third world software”, meaning that it was written without any consideration for security, nobody wants to own support for it, and it hangs all its secrets out there in the open.

GAINING ACCESS

This hack was tested to work with…..

App Version: 1.8.8.24

Service Version: 1.8.8.10

Codec Version: 3.0.2.3

Download Dll Version: 3.0.0.1

…..Although I’m not sure of a way to find this info until you log in at least once.

CMS-DH stores configuration data in C:\Users\USERNAME\Documents\CMS-DH. The “.ems” files in this folder contain the configuration data for CMS-DH and can be opened in Notepad or any other text editor.

In order for the hack to work, you must have a copy of CMS-DH installed and configured with devices and an admin connection to a DVR. This hack will only give you access to CMS-DH. If CMS-DH is connected to devices (using the device password) you will have access to those devices once you gain access to CMS-DH. If CMS-DH is not connected to any devices this won’t get you anywhere. This hack is only valuable on a pre-configured CMS-DH that you do not have credentials for.

To gain access to CMS-DH without valid login credentials you must open “registry.ems” with a text editor and locate the “PASSWORD=” line.

The “PASSWORD=” line contains the user password in hashed form. If you look a little further down you’ll see another line that starts with “LOGINAC=” followed by a plain text username.

Start by backing up “Registry.ems” and then wipe out the hashed password string from the “PASSWORD=” line. So “PASSWORD=54883fsdf83nn2nb4” would become simply “PASSWORD=”. Save the file and launch CMS-DH. It will start the application and bypass the login screen.
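As an added defender-side example (not code from the original post and not part of CMS-DH), here is a Python check an administrator can run over the CMS-DH config directory to detect the tampered state described above: a “registry.ems” whose “PASSWORD=” line has been blanked, which is the condition that makes the application skip its login screen. It also reports the clear-text “LOGINAC=” username and records a SHA-256 fingerprint of each .ems file so a later run can tell whether the file changed. Only the “PASSWORD=” and “LOGINAC=” keys, the example hash string, and the C:\Users\USERNAME\Documents\CMS-DH path come from the post; the surrounding lines of the sample file are constructed, and the exact on-disk layout of a real .ems file is an assumption.

```python
"""Audit CMS-DH .ems config files for the blanked-password login bypass.

Added example for this post, not CMS-DH's own code.  The key names PASSWORD
and LOGINAC come from the post; everything else about the file layout is an
assumption, so the parser is deliberately permissive (KEY=VALUE per line).
"""
import hashlib
from pathlib import Path

# Constructed sample contents (the "[USER]" header is made up; the hash
# string is the placeholder used in the post).
SAMPLE_INTACT = """[USER]
PASSWORD=54883fsdf83nn2nb4
LOGINAC=admin
"""

SAMPLE_BLANKED = """[USER]
PASSWORD=
LOGINAC=admin
"""

DEFAULT_CONFIG_DIR = r"C:\Users\USERNAME\Documents\CMS-DH"


def parse_ems(text):
    """Return a dict of KEY -> VALUE from KEY=VALUE lines (first key wins).

    Section headers like "[USER]" and lines without "=" are skipped.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries.setdefault(key.strip().upper(), value.strip())
    return entries


def audit_ems(text):
    """Return a list of human-readable findings for one .ems body."""
    entries = parse_ems(text)
    findings = []
    if "PASSWORD" not in entries:
        # The post only documents the blank-value case; a missing line is
        # reported so a human can look, without claiming it bypasses login.
        findings.append("PASSWORD line missing: cannot verify login protection")
    elif entries["PASSWORD"] == "":
        findings.append("PASSWORD line blank: login screen will be bypassed")
    if entries.get("LOGINAC"):
        findings.append("username stored in clear text: " + entries["LOGINAC"])
    return findings


def fingerprint(text):
    """SHA-256 of the file body, for comparing against a saved baseline."""
    return hashlib.sha256(text.encode("utf-8", "replace")).hexdigest()


def audit_directory(config_dir):
    """Audit every .ems file in the CMS-DH config directory.

    Returns {filename: (fingerprint, findings)}.
    """
    results = {}
    for path in sorted(Path(config_dir).glob("*.ems")):
        body = path.read_text(errors="replace")
        results[path.name] = (fingerprint(body), audit_ems(body))
    return results


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_CONFIG_DIR
    for name, (digest, findings) in audit_directory(target).items():
        print(f"{name}  sha256={digest}")
        for item in findings or ["no findings"]:
            print("  -", item)
```

Run it with the config directory as the only argument. A blank “PASSWORD=” in the output is the tampering signal; the fingerprint lets you store a known-good digest after configuring CMS-DH and compare it on later runs, which also catches the credential-copy scenario where the files are intact but have been read, only if you pair it with file access auditing on the directory.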

STEALING CREDENTIALS

We know that an attacker can wipe out the cached password from CMS-DH and that it will completely skip the login screen. An attacker can leverage this to gain access to DVRs they shouldn’t have authorization to by obtaining a copy of someone else’s CMS-DH config directory. Because all the config data for devices is stored in the CMS-DH config directory, a successful attacker would have everything they need to log in and gain unauthorized access to a local security system.

Possible attack vectors for stealing the directory include…..

  1. Phishing the user and convincing them to send you CMS-DH “log files.”
  2. Misconfigured Windows Share.
  3. Boot to USB and copy/paste unencrypted HDD contents.
  4. Make the user run a script which dumps the contents of the CMS-DH directory somewhere.
  5. Gain access to the machine (physical or remote) and exfiltrate the files to a CNC server.
  6. The files are small enough to exfiltrate through a DNS TXT query.