Whistleblower: Ubiquiti Breach “Catastrophic”


On Jan. 11, Ubiquiti Inc. [NYSE:UI] — a major vendor of cloud-enabled Internet of Things (IoT) devices such as routers, network video recorders and security cameras — disclosed that a breach involving a third-party cloud provider had exposed customer account credentials. Now a source who participated in the response to that breach alleges Ubiquiti massively downplayed a “catastrophic” incident to minimize the hit to its stock price, and that the third-party cloud provider claim was a fabrication.

A security professional at Ubiquiti who helped the company respond to the two-month breach beginning in December 2020 contacted KrebsOnSecurity after raising his concerns with both Ubiquiti’s whistleblower hotline and with European data protection authorities. The source — we’ll call him Adam — spoke on condition of anonymity for fear of retribution by Ubiquiti.

“It was catastrophically worse than reported, and legal silenced and overruled efforts to decisively protect customers,” Adam wrote in a letter to the European Data Protection Supervisor. “The breach was massive, customer data was at risk, access to customers’ devices deployed in corporations and homes around the world was at risk.”

Ubiquiti has not responded to repeated requests for comment.

According to Adam, the hackers obtained full read/write access to Ubiquiti databases at Amazon Web Services (AWS), which was the alleged “third party” involved in the breach. Ubiquiti’s breach disclosure, he wrote, was “downplayed and purposefully written to imply that a 3rd party cloud vendor was at risk and that Ubiquiti was merely a casualty of that, instead of the target of the attack.”

In its Jan. 11 public notice, Ubiquiti said it became aware of “unauthorized access to certain of our information technology systems hosted by a third party cloud provider,” although it declined to name the third party.

In reality, Adam said, the attackers had gained administrative access to Ubiquiti’s servers at Amazon’s cloud service, which secures the underlying server hardware and software but requires the cloud tenant (client) to secure access to any data stored there.

“They were able to get cryptographic secrets for single sign-on cookies and remote access, full source code control contents, and signing keys exfiltration,” Adam said.

Adam says the attacker(s) had access to privileged credentials that were previously stored in the LastPass account of a Ubiquiti IT employee, and gained root administrator access to all Ubiquiti AWS accounts, including all S3 data buckets, all application logs, all databases, all user database credentials, and secrets required to forge single sign-on (SSO) cookies.

Such access could have allowed the intruders to remotely authenticate to countless Ubiquiti cloud-based devices around the world. According to its website, Ubiquiti has shipped more than 85 million devices that play a key role in networking infrastructure in over 200 countries and territories worldwide.

Adam says Ubiquiti’s security team picked up signals in late December 2020 that someone with administrative access had set up several Linux virtual machines that weren’t accounted for.

Then they found a backdoor that an intruder had left behind in the system.

When security engineers removed the backdoor account in the first week of January, the intruders responded by sending a message saying they wanted 50 bitcoin (~$2.8 million USD) in exchange for a promise to remain quiet about the breach. The attackers also provided proof they’d stolen Ubiquiti’s source code, and pledged to disclose the location of another backdoor if their ransom demand was met.

Ubiquiti did not engage with the hackers, Adam said, and ultimately the incident response team found the second backdoor the extortionists had left in the system. The company would spend the next few days furiously rotating credentials for all employees, before Ubiquiti started alerting customers about the need to reset their passwords.

But he maintains that instead of asking customers to change their passwords when they next log on — as the company did on Jan. 11 — Ubiquiti should have immediately invalidated all of its customers’ credentials and forced a reset on all accounts, mainly because the intruders already had the credentials needed to remotely access customer IoT systems.

“Ubiquiti had negligent logging (no access logging on databases) so it was unable to prove or disprove what they accessed, but the attacker targeted the credentials to the databases, and created Linux instances with networking connectivity to said databases,” Adam wrote in his letter. “Legal overrode the repeated requests to force rotation of all customer credentials, and to revert any device access permission changes within the relevant period.”
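The distinction Adam draws matters for session cookies in particular: when the secret that signs single sign-on cookies has been exfiltrated, asking users to change their password at next login changes nothing about cookies that already exist or that can be minted with the stolen secret. Only retiring the signing key invalidates them. The following is an added illustration written for this page, not Ubiquiti’s code or anything from the KrebsOnSecurity article; it assumes a hypothetical cookie layout of `<kid>.<payload>.<signature>` with HMAC-SHA256 and versioned key identifiers, and contrasts routine key rotation (old key kept so sessions survive) with the emergency rotation the letter asked for (all previous keys dropped at once).

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


class SessionSigner:
    """HMAC-SHA256 signed session cookies with versioned signing keys.

    Hypothetical design for illustration (not Ubiquiti's): a cookie is
    "<kid>.<payload>.<signature>", where kid names the key that signed it.
    """

    def __init__(self):
        self._keys = {}       # kid -> 32-byte secret
        self._counter = 0
        self._current = None

    def rotate(self, retire_old=False):
        """Install a fresh signing key and make it current.

        retire_old=False is routine rotation: older keys stay trusted so live
        sessions survive. retire_old=True is the emergency case from the
        article: every cookie signed under any previous key, whether issued
        legitimately or minted with a stolen secret, stops verifying now.
        """
        if retire_old:
            self._keys.clear()
        self._counter += 1
        kid = f"k{self._counter}"
        self._keys[kid] = secrets.token_bytes(32)
        self._current = kid
        return kid

    def _sign(self, kid, body):
        mac = hmac.new(self._keys[kid], f"{kid}.{body}".encode(), hashlib.sha256).digest()
        return base64.urlsafe_b64encode(mac).decode().rstrip("=")

    def mint(self, subject, ttl=3600, now=None):
        """Issue a cookie for `subject` under the current key."""
        now = time.time() if now is None else now
        claims = {"sub": subject, "exp": int(now + ttl)}
        raw = json.dumps(claims, separators=(",", ":")).encode()
        body = base64.urlsafe_b64encode(raw).decode().rstrip("=")
        return f"{self._current}.{body}.{self._sign(self._current, body)}"

    def verify(self, cookie, now=None):
        """Return the subject if the cookie verifies under a live key, else None."""
        now = time.time() if now is None else now
        parts = cookie.split(".")
        if len(parts) != 3:
            return None
        kid, body, sig = parts
        if kid not in self._keys:
            return None                      # signed by a retired key
        if not hmac.compare_digest(self._sign(kid, body), sig):
            return None                      # tampered, or wrong secret
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
        if claims.get("exp", 0) < now:
            return None                      # expired
        return claims.get("sub")


def demo():
    """Walk through both rotation strategies with fixed, constructed timestamps."""
    signer = SessionSigner()
    signer.rotate()                          # k1: the key we assume was exfiltrated
    cookie = signer.mint("alice", now=1_000)
    results = {"before": signer.verify(cookie, now=1_500)}

    # A password change at next login touches nothing here; neither does a
    # routine rotation that keeps k1 trusted: the old cookie still verifies.
    signer.rotate(retire_old=False)          # k2 added, k1 still trusted
    results["after_graceful_rotation"] = signer.verify(cookie, now=1_500)

    signer.rotate(retire_old=True)           # k3 only; k1 and k2 are gone
    results["after_emergency_rotation"] = signer.verify(cookie, now=1_500)

    fresh = signer.mint("alice", now=1_500)
    results["fresh_cookie"] = signer.verify(fresh, now=1_600)
    results["fresh_cookie_expired"] = signer.verify(fresh, now=1_500 + 3601)
    tampered = fresh[:-1] + ("A" if fresh[-1] != "A" else "B")
    results["tampered"] = signer.verify(tampered, now=1_600)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Run it and the old cookie survives the graceful rotation but dies on the emergency one, while freshly issued cookies keep working; that gap between "change your password when you next log in" and "every existing session is dead" is the one the letter describes. In a real deployment the key ids would also let you log which key each rejected cookie was signed under, which is useful evidence when, as here, database access logging was absent.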

If you have Ubiquiti devices installed and haven’t yet changed the passwords on the devices since Jan. 11 this year, now would be a good time to take care of that.

It might also be a good idea to just delete any profiles you had on these devices, make sure they’re up to date on the latest firmware, and then re-create those profiles with new [and preferably unique] credentials. And seriously consider disabling any remote access on the devices.

Ubiquiti’s stock price has grown remarkably since the company’s breach disclosure Jan. 16. After a brief dip following the news, Ubiquiti’s shares have surged from $243 on Jan. 13 to $370 as of today. By market close Tuesday, UI had slipped to $349.

martinbaum
209 days ago
“And seriously consider disabling any remote access on the devices.” Sadly, that’s not an option with most of their products, which run all remote sessions through their cloud admin infrastructure.
3 public comments
MotherHydra
210 days ago
Couple this with the terrible performance of their Dream Machine product (heavily pushed btw) and I'm running towards MikroTik. I'll never install one of these again. Maybe Meraki is the more sensible alternative for people wanting the feature-set on offer...
Space City, USA
awilchak
210 days ago
These people have been caught several times with absolutely terrible opsec. Remember when their accounting dept got phished for $46M? Seriously, I would stay the fuck away. Also, I have used their networking products before and they are not great.
Brooklyn, New York
JayM
210 days ago
Wow.
Atlanta, GA

Steam Drops MacOS From VR Support


Steam:

SteamVR has ended OSX support so our team can focus on Windows and Linux.

You can see how relevant Steam has considered the Mac to VR gaming by the fact that they call it “OSX” — a name they misspelled and which Apple changed four years ago.

martinbaum
543 days ago
I suppose you could also ask, "How relevant is VR gaming?" I'm sure there is an enthusiastic fanbase, but how significant is it?
duerig
542 days ago
Much like the gaming fanbase on Macs themselves: a small niche that is slowly growing. I can see why a niche of a niche would not be really viable.
tingham
542 days ago
The macOS gaming market is not growing.
duerig
542 days ago
I'd assumed that the installed userbase for Macs was growing still (if slowly). But I think that they are both similar (niche markets with special needs for programming/porting games for them) even if the derivative has a different sign.
1 public comment
jhamill
542 days ago
People still call it the iwatch. Who cares about a stupid name?
California

WeWork and Counterfeit Capitalism


Matt Stoller, in his Big newsletter:

Endless money-losing is a variant of counterfeiting, and counterfeiting has dangerous economic consequences. The subprime fiasco was one example. Another example was the Worldcom fraud in the late 1990s, which forced the rest of the U.S. telecom sector to over-invest into broadband. Competitors have to copy their fraudulent competitors. It’s a variant of Gresham’s Law, which says that “bad money drives out good.” If you can counterfeit something for cheap, the counterfeit will eventually take over the entire market and drive out the real commodity. That is what is happening in our economy writ large, a kind of counterfeit capitalism as ‘leaders’ like Neumann are celebrated and actual leaders who can make things and manage are treated like dogshit.

This kind of counterfeit capitalism is terrible for society as a whole. At first, with companies like Walmart and Amazon, predatory pricing can seem smart. The entire retail sector might be decimated and communities across America might be harmed, but two day shipping is convenient and Walmart and Amazon do have positive cash flow. But increasingly with cheap capital and a narrow slice of financiers who want to copy the winners, there is a second or third generation of companies asking Wall Street to just ‘trust me.’

Compelling argument. I have always been deeply suspicious of any company whose business model is “lose a ton of money for the foreseeable future and eventually we’ll make a fortune”. It’s the South Park “Collect Underpants / … / Profit” business model, but real investors pump billions into it.

As a kid, when I heard the fable of the emperor with no clothes, I never bought the lesson, because I just couldn’t believe adults would go along with a sham that their own eyes told them wasn’t true. Turns out it happens all the time, over and over.

martinbaum
760 days ago
In this case, though, you could argue that the market is acting exactly as it should be, now that the IPO is a shambles, the CEO is out, and the venture fund that tried to ram this exact philosophy through wasn't able to pull off exactly what is being described, here.

∞ People who remember every second of their life


As someone who can’t remember what he had for lunch last week, this “ability” is fascinating to me.

martinbaum
1098 days ago
I would die of shame reliving all of the stupid things I've said at the wrong moment.
1 public comment
MotherHydra
1098 days ago
Sounds like a slightly torturous existence if you ask me.
Space City, USA

★ Scuttlebutt Regarding Apple’s Cross-Platform UI Project


Back in late December, Mark Gurman published an intriguing report at Bloomberg regarding a secret cross-platform project at Apple:

Starting as early as next year, software developers will be able to design a single application that works with a touchscreen or mouse and trackpad depending on whether it’s running on the iPhone and iPad operating system or on Mac hardware, according to people familiar with the matter. […]

Apple is developing the strategy as part of the next major iOS and macOS updates, said the people, who requested anonymity to discuss an internal matter. Codenamed “Marzipan,” the secret project is planned as a multiyear effort that will start rolling out as early as next year and may be announced at the company’s annual developers conference in the summer. The plans are still fluid, the people said, so the implementation could change or the project could still be canceled.

I wrote an extensive piece speculating on what it might really mean.

This “Marzipan” rumor got a lot of people excited. But Gurman’s report is so light on technical details that the excitement is based mostly on what developers hope it could mean, not what’s actually been reported. The less specific the rumor, the easier it is to project your own wishes upon it. And, oddly perhaps, we haven’t seen any additional rumors or details about this project in the four months since Gurman’s original report.

I’ve heard a few things, from first- and second-hand sources. Mostly second-hand, to be honest, but they’re all consistent with each other.

The Name: There is indeed an active cross-platform UI project at Apple for iOS and MacOS. It may have been codenamed “Marzipan” at one point, but if so only in its earliest days. My various little birdies only know of the project under a different name, which hasn’t leaked publicly yet. There are people at Apple who know about this project who first heard the name “Marzipan” when Gurman’s story was published.

What Is It? I don’t have extensive details, but basically it sounds like a declarative control API. The general idea is that rather than writing classic procedural code to, say, make a button, then configure the button, then position the button inside a view, you instead declare the button and its attributes using some other form. HTML is probably the most easily understood example. In HTML you don’t procedurally create elements like paragraphs, images, and tables — you declare them with tags and attributes in markup. There’s an industry-wide trend toward declaration, perhaps best exemplified by React, that could be influencing Apple in this direction.

There’s nothing inherently cross-platform about a declarative control API. But it makes sense that if Apple believes that (a) iOS and MacOS should have declarative control APIs, and (b) they should address the problem of abstracting the API differences between UIKit (iOS) and AppKit (MacOS), that they would tackle them at the same time. Or perhaps the logic is simply that if they’re going to create a cross-platform UI framework, the basis for that framework should be a declarative user interface.

When: I’m nearly certain this project is not debuting at WWDC 2018 in June, and I doubt that 2018 was on the table in December. It’s a 2019 thing, for MacOS 10.15 and iOS 13.[1] I would set your expectations accordingly for this year’s WWDC.


  1. My guess is this is all part of the updated UI for iOS 13 coming next year. ↩︎

martinbaum
1275 days ago
Anybody else feeling like Gruber’s been cut off from the high level sources and is wandering in the Apple PR wilderness?
MotherHydra
1273 days ago
He’s fallen out of favor to be sure and his “little birdies” are retail-tier employees (they all get @apple.com addresses). Essentially it is live action role-playing.
1 public comment
sirshannon
1275 days ago
So... XAML?

Elon Musk Memo on the State of Tesla


Skip the Electrek summary and scroll down to the memo itself. It’s a cogent and inspiring read:

Most of the design tolerances of the Model 3 are already better than any other car in the world. Soon, they will all be better. This is not enough. We will keep going until the Model 3 build precision is a factor of ten better than any other car in the world. I am not kidding.

Our car needs to be designed and built with such accuracy and precision that, if an owner measures dimensions, panel gaps and flushness, and their measurements don’t match the Model 3 specs, it just means that their measuring tape is wrong.

Some parts suppliers will be unwilling or unable to achieve this level of precision. I understand that this will be considered an unreasonable request by some. That’s ok, there are lots of other car companies with much lower standards. They just can’t work with Tesla.

martinbaum
1288 days ago
Many seem to think Musk is the second coming of Jobs. He might prove himself worthy of that, and he might not, but Jobs shipped at scale. That’s incredibly difficult and I don’t see a Tim Cook anywhere near Tesla.
satadru
1287 days ago
Shipping at scale is easy if you're willing to go to China, integrate yourself into a Shenzhen supply chain, and have people on the ground to monitor and resist quality fade. I'm not sure that works for vehicles, which have much of their (much more slowly iterating) supply chain here in the US.
martinbaum
1287 days ago
Very good point. But, of course, Musk has bet the company on scale with the Model 3. He can always fall back on revolutionizing space launches, though. Pretty incredible success, there.
thepyrate
1287 days ago
Wasn’t Tim Cook almost singularly instrumental in the scale of distribution Jobs demanded through his decade+ managing the supply chain? You basically listed Tim Cook’s achievement and then said Tim Cook would never come near achieving that...
martinbaum
1287 days ago
I said Elon Musk has no Tim Cook. By many accounts he is directing operations himself.
thepyrate
1287 days ago
Ah yes, I think I read your original comment back to front
satadru
1287 days ago
@martinbaum agree on space launches vs Tesla, (especially with regard to Roscosmos throwing in the towel on competing with China & SpaceX today, supposedly) but I'd also note that Musk's primary goal with Tesla, like with SpaceX was not to make electric cars and compete in the rocketry business, but to totally redefine the field and make electric cars a viable market with the goal of saving the planet. In that, he has wildly succeeded. Electric cars are no longer the micro-niche market they used to be, but high end competitors which threaten every company vehicles for prestige and which have set the goal for multiple vehicle manufacturers. (Similar to how SpaceX has always been a means to an end of the colonization of Mars via lowering the costs of taking goods and people to space from the exorbitant costs charged by legacy state-subsidized conglomerates.) The proximal goal of Tesla and SpaceX has always been to survive and push the market. That they've recently led the market is a surprise I don't think Musk anticipated. But unlike Apple (& Jobs) at least Musk seems to be willing to fail fast and try new things, without stubbornly sticking to what worked yesterday and hoping it works tomorrow. In that he's very much unlike Jobs, and amusingly, somewhat a combination of the good traits we recall in both Tesla & Edison...
martinbaum
1287 days ago
I'm coming around to your way of viewing Musk, but I'd still hate to be a Tesla investor. I do think he's got a tin ear about that, as his April Fool's joke demonstrates.
satadru
1287 days ago
100% I'd hate to be a Musk investor. His short term goals aren't aligned with those of investors looking to make short-term monetary gains, and frankly, I'm ok with that...