Tag Archives: Ubiquiti

Security News for the Week Ending April 9, 2021

Ubiquiti All But Confirms Breach Story

As the stories about Ubiquiti’s really bad attempts to save their reputation after a breach earlier this year swirled, they were completely silent, other than a very short statement. Now they have posted a statement on their user forum that says that they have no evidence that customer information was accessed or even targeted. They do not say anything at all to refute the claims that were made that the reason they have no evidence is, well, because there were no log files being created. If you use a cloud provider, I recommend reading this story because it points out the joint responsibility you have. In this case, it is alleged that Ubiquiti’s bad cyber hygiene practices put their customers’ networks at risk. Credit: Brian Krebs

Is This a Breach: Terabytes of OnlyFans Data Leaked Online?

OnlyFans is an online platform for content creators to share content for a monthly subscription fee. The content creators are typically so-called social influencers and adult performers (OK, no jokes, these two are not the same, although there certainly is some overlap). There is content from almost 300 creators/performers, and at least one of the folders is over 10 gigabytes, so it looks like maybe, in total, a couple of terabytes of content. Google will only take down files if the performer identifies a specific file and says that they own the copyright to it. A bit of a mess, but OnlyFans says it was not hacked. Credit: Bleeping Computer

Police Say White Supremacists and Conspiracy Theorists Target Cell Towers

The New York Police Department says that cell towers and other critical infrastructure have become an attractive target for conspiracy theorists, especially after the recent election. The Police Department says that conspiracy theorists and far-right white supremacist groups increasingly target critical infrastructure to incite fear, disrupt essential services, and cause economic damage within the United States and abroad. Sounds like the definition of a terrorist to me. Right now we are seeing isolated damage, but it is costing tens of thousands of dollars per incident – which you get to pay to repair – and also causing service outages. Remember, for the most part, the only thing between a terrorist and critical infrastructure is a chain link fence and a padlock. The most recent case of that was the terrorist in Nashville who blew up a telephone company office and caused tens of millions of dollars of damage. That fence and padlock are all that stand in their way. Credit: The New York Times via The Intercept. https://theintercept.com/2021/03/17/5g-white-supremacists-conspiracy-theorists-critical-infrastructure/

LG Promises 3 Years of Security Updates After Pulling Out of Phone Biz

South Korean phone maker LG, always an also-ran in the phone biz, called it quits this week. However, they plan to provide both version and security updates for up to three years, depending on the model. The updates are based on when you bought the phone, not when the model was originally released, so this is actually good news for LG phone owners. Credit: The Record

Ex-GCHQ Staff Recommends Banning Ransomware Payments to Kill Off Ransomware

Several ex-GCHQ staffers (GCHQ is the UK's equivalent of our NSA) suggest a law banning insurers from paying ransoms, in order to kill off the ransomware market. That would probably have some positive effect on it, but it is unlikely to actually kill it off. The other half of that law, however, needs to make the government pay the difference in cost between paying the ransom and not paying the ransom. For example, if the ransom demand is $250k and to rebuild the computers, restore what data you have and replace the lost business for the data that you don’t have will cost you $2 million, the gov needs to fork over the other $1.75 million. While I am not a fan of paying ransoms, this is not the right solution. What we have started to see, but need to see more of, is insurance companies declining to provide coverage to companies with inadequate security. This does not require any laws and will make companies deal with the externalities (this is the insurance company’s problem, not mine). Credit: The Register

Why We Need a Real National Breach Law

Okay, let me just say this at the beginning. This post is opinion. There is certainly factual information (or the closest to fact that we have), but in the end, this is just my opinion.

Currently, most cyber breaches are not reported. Even when breaches are reported, they are often missing key information, hard to interpret and written by spin doctors who are trying to reduce the risk of the company getting sued.

Here is one example. There are likely at least two sides to every conversation. We don’t have all of the information, so that makes things hard. I leave it to you to come to your own conclusion.

The company is UBIQUITI. They make network equipment like switches, routers, WiFi access points and firewalls, and other Internet-connected devices (IoT). I read somewhere that they have sold close to 100 million devices.

What happened? Someone, a hacker or hackers, got into an IT admin’s password vault and stole the credentials that gave them master access to Ubiquiti’s Amazon account.

Many of Ubiquiti’s products are remotely manageable from the Internet. Because Ubiquiti lost control of its AWS environment, the hackers likely could have taken over many of those devices remotely. Silently. And if the hackers are smart, they could stay there forever.

Here is the story from a contractor who was brought in after the breach, which started last December, to help fix the problem and who talked to cybersecurity reporter Brian Krebs.

“It was catastrophically worse than reported, and legal silenced and overruled efforts to decisively protect customers,” Adam wrote in a letter to the European Data Protection Supervisor. “The breach was massive, customer data was at risk, access to customers’ devices deployed in corporations and homes around the world was at risk.”

According to Adam, the hackers had full read and write access to Ubiquiti’s databases at Amazon. He says that the breach disclosure was written in a way to minimize the damage, imply that a third party (Amazon?) was at fault and that Ubiquiti was just an innocent bystander.

The announcement said that they had become aware of unauthorized access to certain systems hosted by a third party. They said that they were currently not aware of evidence of access to the data, but they can’t be sure that data was not exposed. They encouraged users to change their password and enable two factor authentication.

In reality the hackers had admin access to Ubiquiti’s servers at Amazon, full source code, and encryption secrets for single sign-on and remote access. But what they said sounds less scary. Also in reality, Ubiquiti didn’t have sufficient logs to know what the hackers took. That is why they could legally say they didn’t have any evidence. Because there was no evidence.

Ubiquiti found a back door the hackers left behind, but when they disabled it, the hackers said that they wanted 50 Bitcoins (about 3 million dollars) to keep quiet and also gave them proof that they had stolen their source code. Ubiquiti did not bite and eventually found another back door. Are there more? Don’t know.

Rather than scaring customers by “invalidating” their credentials, they just said, hey, you should change your password. You should probably do that when you log on again – whenever that is. Those credentials would allow a hacker to control that customer’s network devices.

According to Adam, legal, not IT, was controlling the narrative and deciding what they should do.

Ubiquiti’s stock price was $243 on January 13th. It was up to $370 by March 21st. That is when Brian Krebs broke his story. The stock is at $289 today, so at least investors have not been hurt. So far.

But likely tens of millions of users don’t understand what happened, have not taken any steps to protect their homes or businesses, and may never do so.

In the absence of a strong, national breach notification law with very specific requirements, stories like this will continue to happen.

In light of the SolarWinds breach, it is likely that the feds will issue an executive order that requires companies that sell stuff to the government to disclose any breach quickly. It is thought that the EO will be released next week. We shall see what is in it.

While an EO like that has no effect on private sales, if a company sells to the government and also to the private sector, it is going to be hard to disclose a breach to some of their customers and not others. Hopefully, the EO won’t allow a company to disclose a breach under some sort of confidentiality clause.

In the absence of Congress doing what it should, this may be the best we can get for now.

As I said, my two cents.

First Fix The Easy Stuff

People say that it is too hard to stop the bad guys.  Well, you can make it a lot harder on them if you don’t just play into their hands.

Ubiquiti Networks, a publicly traded tech company that makes wireless equipment and had revenue of $150 million in the quarter ending Sep. 30, 2014, was duped by an age-old trick.

Cyber thieves stole $46+ million from Ubiquiti by getting employees to wire money to the hackers’ offshore bank accounts.

While Ubiquiti doesn’t fess up to how exactly this happened, this is the way it usually works. The hackers, pretending to be the CEO, send someone who can wire money an email saying that the CEO is working on this big hush-hush deal and needs the person in accounting to wire $X to a bank account in loo-loo land.

There are hundreds of variants of this basic scam but they all work the same – pretend you are someone in charge, pretend you are working on something secret, tell people not to say anything and get them to send you the money.

They often register similar-sounding domains like Ubiquuiti for Ubiquiti. People might not notice the double U. Or maybe Ubiguiti – depending on the font, the g and q might look similar. Or Ubiquit1. Again, depending on the font, the 1 and i would look similar.
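As an added illustration (not part of the original post), here is a small Python check that a mail gateway or SIEM rule could run on inbound messages to flag the kind of lookalike sender domains described above, and to hold a message for review when such a sender also talks about wires and secrecy. The ubiquiti.com domain, the cue words and the function names are my assumptions.

```python
import re

# Added example (not from the original post): flag inbound mail whose sender
# domain is a lookalike of the company's own. Domain and messages are constructed.
LEGIT_DOMAIN = "ubiquiti.com"
# Single characters commonly swapped for a look-alike (the post's g/q and 1/i).
HOMOGLYPHS = str.maketrans({"1": "i", "l": "i", "0": "o", "g": "q", "5": "s", "3": "e"})
# Character pairs that read as one letter in many fonts.
PAIRS = [("rn", "m"), ("vv", "w"), ("cl", "d")]
# Urgency, secrecy and wire cues typical of the "hush-hush deal" pretext.
CUES = re.compile(r"\b(wire|transfer|confidential|hush|urgent|do not discuss)\b", re.I)

def normalize(label: str) -> str:
    """Fold homoglyphs so that ubiguiti, ubiquit1 and ubiquiti compare equal."""
    label = label.lower().translate(HOMOGLYPHS)
    for src, dst in PAIRS:
        label = label.replace(src, dst)
    return label

def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches doubled or dropped letters such as ubiquuiti."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(from_header: str) -> str:
    """Pull the domain out of 'Name <user@domain>' or a bare address."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower() if m else ""

def classify_sender(from_header: str, legit: str = LEGIT_DOMAIN) -> str:
    """Return internal, lookalike-homoglyph, lookalike-typo or external."""
    domain = sender_domain(from_header)
    if domain == legit:
        return "internal"
    label, legit_label = domain.split(".")[0], legit.split(".")[0]
    if normalize(label) == normalize(legit_label):
        return "lookalike-homoglyph"
    if levenshtein(label, legit_label) <= 2:
        return "lookalike-typo"
    return "external"

def needs_review(from_header: str, body: str) -> bool:
    """Hold the message for a human when a lookalike sender asks for money or secrecy."""
    return classify_sender(from_header).startswith("lookalike") and bool(CUES.search(body))
```

An exact match on the company domain is only meaningful if the gateway already enforces SPF/DKIM alignment, since a spoofed From header would otherwise pass as "internal"; this check is aimed at the separately registered lookalike domains the post describes.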

Most people get hundreds of emails a day and if the email looks like it came from the CEO, you might look less closely at the details, wanting to make sure that you took care of the big guy.

These crooks made several wire transfers adding up to the $46+ million.  They do that to keep the value in a range that won’t raise any red flags.

The authorities were able to recover a little over $8 million, meaning that an entire quarter’s profit was wiped out. They are trying to recover another $6 million, but have not been successful yet. The company’s 8-K filing with the SEC seems to indicate that they have no insurance that would cover this form of theft.

This fraud technique is so old it has to use a walker to get around, but still, it works quite well.  The FBI sent out a notice last January that crooks made off with over $200 million in the last 14 months using different forms of this scam.

Why, exactly, is a publicly traded company with revenues of well over $500 million a year still requesting and approving wire transfers via email?

My mantra for today – fix the simple stuff. For Ubiquiti, that is a $46 million lesson. Not counting legal fees and expenses – they have, according to the Form 8-K, filed a number of lawsuits in foreign countries. That is not likely to be cheap.

Information for this post came from Krebs on Security, among other articles.