Monday 7 September 2015

Securing your NAS drive

Being able to access your data from anywhere is hugely empowering, but it brings with it an element of risk. We explain how to keep your precious files safe

The key advantage of a NAS drive is the ability to access your data from across your network, and even over the internet - otherwise you may as well just add a few extra hard disks to your desktop system. But making your data reachable from the internet also puts it at risk. A NAS is a small Linux computer in its own right: unlike additional hard drives in an existing computer, it isn't protected by that computer's antivirus, anti-malware or firewall provisions. It needs protections of its own.

This was brought to the fore around a year ago, when some unlucky users of Synology products tried to access their NAS devices only to be met with a disturbing message purporting to be from "SynoLocker". It stated that all the files on the device had been scrambled with strong cryptography, and the victims eventually discovered they would have to pay 0.6 bitcoins (around $200) via the Tor network to get the key to retrieve their files. This is known as a "ransomware" attack, and what was particularly worrying was that it didn't come from a rogue trojan running on a local PC - the SynoLocker scammers were directly attacking Synology devices they found exposed to the internet, exploiting a vulnerability in older versions of the DiskStation Manager (DSM) software. (Synology quickly fixed the vulnerability in its operating system, so neither of the company's devices on test this month is susceptible, provided it is running up-to-date firmware.)

When there's a publicly known vulnerability in the software used to run a NAS device, there's little you can do about it until the developer has released a fix - which is why you should install firmware updates promptly, and turn on the device's update notifications where it offers them. But there are many steps you can take to protect your device and the data held on it from opportunistic attacks, and also to make sure it doesn't become a beachhead for attacks on other systems on your local network.

Despite the possibilities for the latter, we haven't heard of any significant attacks on local networks launched from exploited NAS devices. Netgear ReadyNAS devices were shown to be vulnerable in 2013, giving access to stored data that might in turn have made other systems on the network vulnerable. In October 2014, Qnap released a patch for the ShellShock vulnerability in the Bash shell of its devices' Linux OS, a flaw that could also have been used to find and attack other vulnerable devices on the local network. Many of these vulnerabilities are technical possibilities discovered by researchers rather than examples of users actually being hacked, though.

A compromised broadband router would be a much more dangerous proposition. For a NAS, the primary concern is the device itself and the data contained therein. It may seem like a good idea to put your NAS drive inside the router's demilitarised zone (DMZ), as you then won't need to set up port forwarding to expose its services to the outside world. However, this is a bit like leaving your jewellery lying in the street: every service the NAS runs becomes reachable by anyone on the internet. The NAS should be kept behind your router's firewall, with only the necessary ports forwarded to it - 80 or 8080 for HTTP (or 443 if you've enabled HTTPS, which is preferable), and 21 for FTP, which also needs the device's passive data port range. Only open and redirect the ports you actually need; if you don't plan to use FTP, don't forward that port. Check the router's UPnP setting too: many NAS devices will ask the router to open ports automatically via UPnP, so it's better to turn that off and add the forwards by hand, so you know exactly what's exposed.

TAKING CARE OF ADMIN

Another sensible step is to create a new administrator account on your NAS device with a non-standard username (so not "admin", "administrator" or "support" - the names every automated attack tries first), and then disable the default admin account rather than merely renaming it. This way, anyone trying to gain entry will have to guess your username as well as your password.

Some NAS device software allows you to force users to set strong passwords - for example, preventing the username or any part of the account description from appearing in the password, requiring at least one numeric and one special character, and enforcing a minimum length or strength score. Where available, you should also give everyday users ordinary accounts with access to only the shares and services they need, so that a compromised account can do limited damage, and only use the administrator account when actually performing administration. There may also be an option to block an IP address automatically after a set number of failed login attempts within a certain period of time.
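To make the two protections above concrete, here is an added illustration (not code from Synology, Qnap or any other NAS vendor) of a password-policy check with the rules listed in the paragraph, and of an auto-block that reads failed-login lines and blocks an address after five failures inside a ten-minute window. The log format, the minimum length of 12 and the sample log lines are all constructed for the example.

```python
"""Password-policy check and failed-login auto-block of the kind a NAS
offers, as an added illustration; the log format is constructed here."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta


def password_problems(password, username, description="", min_length=12):
    """Return the list of policy violations (an empty list means the password is OK).

    Rules follow the article: no username or word from the account description
    in the password, at least one digit and one special character, and a
    minimum length (12 is an assumed value; vendors let you choose it).
    """
    problems = []
    lowered = password.lower()
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    # Any word of three or more characters from the description is disallowed.
    for word in re.findall(r"[A-Za-z0-9]{3,}", description):
        if word.lower() in lowered:
            problems.append(f"contains '{word}' from the account description")
    if not re.search(r"\d", password):
        problems.append("no numeric character")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    return problems


# Constructed syslog-style lines; not a real vendor's format.
SAMPLE_LOG = """\
2015-09-07 02:14:01 auth: Failed login user=admin from=203.0.113.7
2015-09-07 02:14:03 auth: Failed login user=admin from=203.0.113.7
2015-09-07 02:14:04 auth: Failed login user=root from=203.0.113.7
2015-09-07 02:14:06 auth: Failed login user=administrator from=203.0.113.7
2015-09-07 02:14:09 auth: Failed login user=support from=203.0.113.7
2015-09-07 02:30:00 auth: Failed login user=jane from=192.0.2.10
2015-09-07 02:45:00 auth: Failed login user=jane from=192.0.2.10
2015-09-07 03:00:00 auth: Failed login user=jane from=192.0.2.10
2015-09-07 03:15:00 auth: Failed login user=jane from=192.0.2.10
2015-09-07 03:30:00 auth: Failed login user=jane from=192.0.2.10
2015-09-07 03:30:05 auth: Login ok user=jane from=192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) auth: "
    r"(?P<result>Failed login|Login ok) user=(?P<user>\S+) from=(?P<ip>\S+)$"
)


def addresses_to_block(log_text, max_failures=5, window=timedelta(minutes=10)):
    """Return {ip: time_of_block} for each source address that produced
    max_failures failed logins within a sliding window of length `window`."""
    recent = defaultdict(deque)  # ip -> timestamps of its recent failures
    blocked = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines we don't understand rather than crash
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        ip = m["ip"]
        if m["result"] != "Failed login" or ip in blocked:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # forget failures that fell out of the window
        if len(q) >= max_failures:
            blocked[ip] = ts
    return blocked


if __name__ == "__main__":
    print(password_problems("janesmith2015", "jane", "Jane Smith, accounts"))
    print(password_problems("tr0ub4dor&3-horse", "jane", "Jane Smith, accounts"))
    print(addresses_to_block(SAMPLE_LOG))
```

Note what the second source address shows: five failures spread 15 minutes apart never trip a ten-minute window, so a patient attacker can stay under an auto-block threshold. That is why the block is a complement to strong passwords and two-step verification, not a substitute for them.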

Synology devices even offer two-step verification using the Google Authenticator (Android/iOS/BlackBerry) or Authenticator (Windows Phone) mobile apps. Once set up, the app displays a six-digit code that changes every 30 seconds, which you type in after your password to log in to the NAS. An assailant would therefore need your smartphone as well as your username and password to get into your account. Because the codes are derived from the time, keep the NAS's clock synchronised via NTP, and store the emergency backup codes the setup process gives you somewhere safe in case you lose the phone. Some devices, such as Qnap's, have specific network access protection tools that log activity and let you block any IP addresses that appear to be attempting nefarious activities. It will usually be possible to turn off services you don't use, too. Many NAS devices even have their own built-in antivirus software, or make it available through an installable add-on.
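The six-digit codes produced by those authenticator apps are time-based one-time passwords (RFC 6238). The following is an added illustration of how the NAS side of that verification works; it is not Synology's code. It uses the RFC's published test secret so the values it produces can be checked against the standard, and the one-step tolerance window for clock drift is an assumption of the example rather than any vendor's documented setting.

```python
"""Time-based one-time passwords (RFC 6238) as used for NAS two-step
verification; an added illustration, not any vendor's implementation."""
import base64
import hashlib
import hmac
import struct
import time


def totp(secret, for_time, step=30, digits=6, digest=hashlib.sha1):
    """Compute the one-time code for `secret` (raw bytes) at Unix time `for_time`."""
    counter = int(for_time) // step
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian step counter
    mac = hmac.new(secret, msg, digest).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret, submitted, now, step=30, window=1):
    """Accept the code for the current step or up to `window` steps either
    side, to tolerate clock drift between the phone and the NAS (window=1 is
    this example's assumption). Uses a constant-time comparison so response
    timing does not reveal how many digits matched."""
    for drift in range(-window, window + 1):
        expected = totp(secret, now + drift * step, step)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def secret_from_base32(text):
    """Authenticator apps are provisioned with the secret in Base32 (that is
    what the setup QR code carries); convert it back to the raw key bytes."""
    cleaned = text.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)             # restore any stripped padding
    return base64.b32decode(cleaned)


# Test secret from RFC 6238 Appendix B (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(totp(RFC_SECRET, 59))                      # 287082, the RFC vector cut to six digits
    print(totp(RFC_SECRET, int(time.time())))        # what a phone would show right now
```

The point the article makes follows directly from the code: the secret never leaves the NAS and the phone, so a stolen password alone yields nothing, but the NAS and the phone do have to agree on the time, which is why the device's NTP setting matters.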

Devices that support HTTPS, FTPS (FTP over SSL/TLS) or SFTP (file transfer over SSH) will allow encrypted web and file-transfer access. If it's possible to enable these and disable the unencrypted HTTP and FTP alternatives, you gain much greater privacy and security, since otherwise your password and files cross the internet in the clear. For remote administration, it's highly recommended that you turn on HTTPS for the web interface, where available, so that all web-based configuration activities are encrypted; most NAS devices ship with a self-signed certificate, so expect a browser warning the first time and check the certificate's fingerprint against what the device shows you on the local network before accepting it. As a corollary to this, if you're using a public computer to access the web interface, put the browser in Incognito mode (Chrome), Private Browsing mode (Firefox) or InPrivate mode (Internet Explorer). This means cookies and logins won't be remembered by that browser, and nor will your browsing history - so the next user won't have easy access to the location of your NAS drive's web interface. Bear in mind that this does nothing against a keylogger installed on the public machine, which is one more reason to have two-step verification turned on.

At the device level, you should always use a fault-tolerant RAID option, even though this will reduce the amount of storage available below the native capacity. For a two-drive NAS, this would be RAID1 mirroring, and for three or more drives we'd recommend RAID5, for reasons we explained earlier. Remember, though, that RAID only protects you against a disk failing - a file that is deleted, or encrypted by ransomware such as SynoLocker, is deleted or encrypted on every disk in the array. If you're really worried about losing your data, it's worth backing up your NAS drive from time to time to another external device that you keep locked away and disconnected between backups, so that an attacker who gets into the NAS can't reach the backup too. This means that even if someone physically steals your NAS drive, your data should be safe. All of this month's drives support this, and many allow your external backup to be cloud-based. However, enough online storage to back up a multi-terabyte NAS device won't come cheap: Amazon S3 storage, as supported by a number of this month's devices, costs around $40 per terabyte per month.

Of course, the surest way to keep your NAS data out of the hands of online attackers is not to make it accessible via the internet in the first place. However, that would be missing out on some of the huge potential of these incredibly useful devices. The ability to access all the files on all your devices from any location is hugely empowering. If you take good care of the security settings of your NAS device, keep its firmware up to date, and ensure everything on it has a secondary backup elsewhere, you can enjoy the benefits of using a NAS as an online repository with very little risk.