Ubiquiti breach puts countless cloud-based devices at risk of takeover

Network devices maker Ubiquiti has been covering up the severity of a data breach that puts customers’ hardware at risk of unauthorized access, KrebsOnSecurity has reported, citing an unnamed whistleblower inside the company.

In January, the maker of routers, Internet-connected cameras, and other networked devices disclosed what it said was “unauthorized access to certain of our information technology systems hosted by a third-party cloud provider.” The notice said that, while there was no evidence the intruders accessed user data, the company couldn’t rule out the possibility that they obtained users’ names, email addresses, cryptographically hashed passwords, addresses, and phone numbers. Ubiquiti recommended users change their passwords and enable two-factor authentication.

Device passwords stored in the cloud

Tuesday’s report from KrebsOnSecurity cited a security professional at Ubiquiti who helped the company respond to the two-month breach beginning in December 2020. The individual said the breach was much worse than Ubiquiti let on and that executives were minimizing the severity to protect the company’s stock price.

The breach comes as Ubiquiti is pushing—if not outright requiring—cloud-based accounts for users to set up and administer devices running newer firmware versions. An article here says that during the initial setup of a UniFi Dream Machine (a popular router and home gateway appliance), users will be prompted to log in to their cloud-based account or, if they don’t already have one, to create an account.

“You’ll use this username and password to log in locally to the UniFi Network Controller hosted on the UDM, the UDM’s Management Settings UI, or via the UniFi Network Portal (https://network.unifi.ui.com) for Remote Access,” the article goes on to explain. Ubiquiti customers complain about the requirement and the risk it poses to the security of their devices in this thread that followed January’s disclosure.

Forging authentication cookies

According to Adam, the fictitious name that Brian Krebs of KrebsOnSecurity gave the whistleblower, the data that was accessed was much more extensive and sensitive than Ubiquiti portrayed. Krebs wrote:

In reality, Adam said, the attackers had gained administrative access to Ubiquiti’s servers at Amazon’s cloud service, which secures the underlying server hardware and software but requires the cloud tenant (client) to secure access to any data stored there.

“They were able to get cryptographic secrets for single sign-on cookies and remote access, full source code control contents, and signing keys exfiltration,” Adam said.

Adam says the attacker(s) had access to privileged credentials that were previously stored in the LastPass account of a Ubiquiti IT employee, and gained root administrator access to all Ubiquiti AWS accounts, including all S3 data buckets, all application logs, all databases, all user database credentials, and secrets required to forge single sign-on (SSO) cookies.

Such access could have allowed the intruders to remotely authenticate to countless Ubiquiti cloud-based devices around the world. According to its website, Ubiquiti has shipped more than 85 million devices that play a key role in networking infrastructure in over 200 countries and territories worldwide.

Ars Senior Technology Editor Lee Hutchinson reviewed Ubiquiti’s UniFi line of wireless devices in 2015 and again three years later.

In a statement issued after this post went live, Ubiquiti said “nothing has changed with respect to our analysis of customer data and the security of our products since our notification on January 11.” The full statement is:

As we informed you on January 11, we were the victim of a cybersecurity incident that involved unauthorized access to our IT systems. Given the reporting by Brian Krebs, there is newfound interest and attention in this matter, and we would like to provide our community with more information.

At the outset, please note that nothing has changed with respect to our analysis of customer data and the security of our products since our notification on January 11. In response to this incident, we leveraged external incident response experts to conduct a thorough investigation to ensure the attacker was locked out of our systems.

These experts identified no evidence that customer information was accessed, or even targeted. The attacker, who unsuccessfully attempted to extort the company by threatening to release stolen source code and specific IT credentials, never claimed to have accessed any customer information. This, along with other evidence, is why we believe that customer data was not the target of, or otherwise accessed in connection with, the incident.

At this point, we have well-developed evidence that the perpetrator is an individual with intricate knowledge of our cloud infrastructure. As we are cooperating with law enforcement in an ongoing investigation, we cannot comment further.

All this said, as a precaution, we still encourage you to change your password if you have not already done so, including on any website where you use the same user ID or password. We also encourage you to enable two-factor authentication on your Ubiquiti accounts if you have not already done so.

At a minimum, people using Ubiquiti devices should change their passwords and enable two-factor authentication if they haven’t already done so. Given the possibility that intruders into Ubiquiti’s network obtained secrets for single sign-on cookies for remote access and signing keys, it’s also a good idea to delete any profiles associated with a device, make sure the device is using the latest firmware, and then recreate profiles with new credentials. As always, remote access should be disabled unless it’s truly needed and is turned on by an experienced user.
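
The reason a stolen cookie-signing secret is so dangerous, and why rotating it (rather than only changing user passwords) is the fix, is easiest to see in code. The following is an added example written for this article; it is not Ubiquiti's code and says nothing about how their SSO actually works. It assumes a generic HMAC-signed session cookie that carries a key identifier (`kid`); the key material, user names and timestamps are constructed for illustration. After `rotate_after_compromise` retires the exposed key, every cookie that was (or could be) minted under it is rejected, while cookies under the new key keep working.

```python
"""Signed session cookies with key rotation: what "rotate the signing secret" buys you.

Added example (not from the article or from Ubiquiti). Keys below are constructed
placeholders; a real service would load them from a secrets store, never from source.
"""
import base64
import hashlib
import hmac
import json
import time

# Key ring: key id -> raw key bytes. Only the active key is used for minting; any key still
# present and not retired is accepted for verification (normal overlap during a rotation).
SIGNING_KEYS = {"k1": b"constructed-signing-key-one"}
ACTIVE_KEY_ID = "k1"
RETIRED_KEY_IDS = set()


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_cookie(user_id: str, ttl: int = 3600, now=None) -> str:
    """Issue a cookie <payload>.<mac> bound to the active key and an expiry time."""
    now = time.time() if now is None else now
    claims = {"sub": user_id, "exp": int(now + ttl), "kid": ACTIVE_KEY_ID}
    payload = json.dumps(claims, sort_keys=True).encode()
    mac = hmac.new(SIGNING_KEYS[ACTIVE_KEY_ID], payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(mac)


def verify_cookie(cookie: str, now=None):
    """Return the user id for a valid cookie, or None. Never raises on malformed input."""
    now = time.time() if now is None else now
    try:
        payload_b64, mac_b64 = cookie.split(".")
        payload = _unb64(payload_b64)
        mac = _unb64(mac_b64)
        claims = json.loads(payload)
        kid = claims["kid"]
    except (ValueError, KeyError, TypeError):
        return None
    # A retired key id means "this key was exposed": anything signed with it is refused,
    # including cookies that were perfectly valid before the rotation.
    if kid in RETIRED_KEY_IDS or kid not in SIGNING_KEYS:
        return None
    expected = hmac.new(SIGNING_KEYS[kid], payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    if claims.get("exp", 0) < now:
        return None
    return claims["sub"]


def rotate_after_compromise(new_key_id: str, new_key: bytes) -> None:
    """Retire the current key and start minting under a fresh one."""
    global ACTIVE_KEY_ID
    RETIRED_KEY_IDS.add(ACTIVE_KEY_ID)
    SIGNING_KEYS[new_key_id] = new_key
    ACTIVE_KEY_ID = new_key_id


if __name__ == "__main__":
    c = mint_cookie("alice", now=1000)
    print("before rotation:", verify_cookie(c, now=1500))   # alice
    rotate_after_compromise("k2", b"constructed-signing-key-two")
    print("after rotation: ", verify_cookie(c, now=1500))   # None
    print("fresh cookie:   ", verify_cookie(mint_cookie("alice", now=1000), now=1500))  # alice
```

Note what changing a user's password does not do here: the cookie carries no password material, so a forged cookie under a still-trusted key remains valid until the key itself is retired. That is why the advice above pairs password changes with recreating device profiles and, on the service side, rotating the signing secrets.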

Post updated to add comment from Ubiquiti.

Latest Edelman survey rates trust in tech at a 21-year low

The technology sector plummeted from being the most trusted industry sector in 2020 to 9th place in 2021, according to the 21st annual analysis from communications firm Edelman. Lack of accountability and unwillingness to self-govern are eroding the public’s trust in technology.

Trust in technology reached all-time lows in 17 of 27 countries over the past year, Edelman said in its recent 2021 Edelman Trust Barometer: Trust In Technology report. The report is based on a survey of more than 33,000 people from 28 countries, including both general population respondents and what the firm calls “informed public respondents” for a well-rounded picture.

Trust and fear have a reciprocal relationship: The faster one rises, the faster the other drops. Traditionally, the technology sector was something of an expert at managing the two, but that is no longer the case. Edelman found that fear of technology is growing at a faster rate than trust in technology. It will take years for the technology industry to bounce back and regain the public trust.

Tech broke trust

Edelman’s survey results show respondents feel both betrayed by, and fearful of, technology. Job loss is the single greatest driver of societal fears, followed by the loss of civil liberties. There is a 6% drop in the number of people who are willing to share their personal information online. Social media, traditional media, and search engines are also at record low levels of trust.

Figure: Respondents did not view many information sources favorably when asked to rate each one on how trustworthy they were for general news and information. Source: 2021 Edelman Trust Barometer: Trust in Technology. Image credit: Edelman.

While the technology industry is full of entrepreneurs who believe in unleashing creativity and innovation and pursuing moonshot ideas, there are also those who monitor customers and invade privacy. The tendency to use technology as an authoritarian tool to monitor dissent is a concern, which explains China’s 16% drop in trust. The sheer drop is ironic, because China is also a global leader in tech R&D, innovation, and tech manufacturing.

Pandemic amplified fears

Edelman recorded one of the steepest declines in trust in the eight months between May 2020 and January 2021, when the public’s trust in technology dropped from 74% to 67%. People were increasingly concerned about AI and robots, and 53% of the respondents in Edelman’s survey worried the pandemic would accelerate the rate at which their employers would replace human workers with AI and robots. Cyberattackers capitalizing on the pandemic didn’t help matters, as 35% of respondents reported being fearful of attackers and breaches.

Edelman’s Trust in Technology study presents a paradox between tech employees and their employers. Employer trust is highest among tech sector employees, with 83% saying they trust their employers, and 62% believing they have the power to make corporations change. Yet the public’s trust in those employers is plummeting. The disconnect comes from the public perception that humans are not controlling technology, but that technology is trying to control them. There is a growing perception that technology — especially social media — is more capable at manipulating people than previously believed.

One way for the technology sector to regain some trust is to re-evaluate how it handles customer data and to be transparent about what it does with the information.

Gain trust by guarding information quality

Businesses as a whole are still trusted in most of the countries surveyed, with 61% of all respondents trusting companies above nonprofit organizations, government, and media. The most effective step businesses can take to increase trust is to guard the quality of information. Additional factors include embracing sustainable practices, implementing a robust COVID-19 health and safety response, driving economic prosperity, and emphasizing long-term thinking over short-term profits.

However, just saying they will protect information isn’t enough. Businesses need to take a data-centric security approach to achieve greater resiliency and cybersecurity. Businesses should also address the concerns employees have over job loss and automation. They should be transparent and honest with their employees if robotics and automation are part of the business plan. Investing in re-skilling employees for new jobs is a great way to transform a business digitally.

In short, senior management teams should remember that lasting transformation starts with employees.

VentureBeat

VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative technology and transact.

Our site delivers essential information on data technologies and strategies to guide you as you lead your organizations. We invite you to become a member of our community, to access:

  • up-to-date information on the subjects of interest to you
  • our newsletters
  • gated thought-leader content and discounted access to our prized events, such as Transform 2021: Learn More
  • networking features, and more

Become a member

Google makes business process tool AppSheet Automation generally available
Last year, Google launched AppSheet Automation, an “intent-driven” experience in Google Cloud powered by AI that enabled enterprises to connect to a number of data sources to model automated business processes. After several months in early access, Google today announced that AppSheet Automation is generally available with new capabilities, including document processing, a monitoring app, and expanded eventing support.

According to Forrester, while automation has been a major force reshaping work since before the pandemic, it’s taking on a new urgency in the context of business risk and resilience. A McKinsey survey found that at least a third of activities could be automated in about 60% of occupations. And in its recent Trends in Workflow Automation report, Salesforce reported that 95% of IT leaders are prioritizing workflow automation, with 70% seeing the equivalent of more than 4 hours saved each week per employee.

AppSheet Automation, which arose from Google’s acquisition of AppSheet in July 2020, is an AI-enabled, no-code development platform designed to help automate existing business processes. The service offers an environment for building custom apps and pipelines, delivering governance capabilities and leveraging AI to understand goals and construct process artifacts.

One new feature in AppSheet Automation, Intelligent Document Processing, automatically extracts text from unstructured files like invoices and W-9s to eliminate the need for manual entry. Another, a monitoring app, allows customers to build AppSheet apps that can then monitor their automations.

Google also extended AppSheet Automation’s data source eventing, which previously supported Salesforce, to include Google Workspace Sheets and Drive in the general release. Looking ahead, the company says it’s building the ability to embed rich AppSheet views in Gmail to enable users to perform approvals on the go.

“Digital transformation has been an enterprise priority for years, but recent Google Cloud research reinforces that the mandate is more pressing today than ever, with most companies increasing their technology investments over the last year,” Prithpal Bhogill, product manager on AppSheet’s business application platform, wrote in a blog post. “While there are many dependencies shaping the future of work, the challenge is to leverage technology to support shifting work cultures. Automation is the rallying point for this goal.”

The launch of AppSheet Automation follows news that Google will collaborate with robotic process automation (RPA) startup Automation Anywhere to accelerate the adoption of RPA with enterprises “on a global scale.” As a part of its agreement with Automation Anywhere, Google plans to integrate the former company’s RPA technologies, including low- and no-code development tools, AI workflow builders, and API management, with Google Cloud services like Apigee, AppSheet, and AI Platform. Automation Anywhere and Google said they’ll also jointly develop solutions geared toward industry-specific use cases, with a focus on financial services, supply chains, health care and life sciences, telecommunications, retail, and the public sector.

1Password expands into secrets management to help enterprises secure their infrastructure

Password-management platform 1Password is expanding into the “secrets management” space, helping developer teams across the enterprise safeguard private credentials, such as API tokens, keys, certificates, passwords, and anything used to protect access to companies’ internal applications and infrastructure.

Alongside the launch, 1Password has also announced its first acquisition with the purchase of SecretHub, a Dutch startup founded in 2018 that claims to protect “nearly 5 million enterprise secrets” each month. Following the acquisition, SecretHub will be shuttered entirely, with its whole team — including CEO Marc Mackenbach — joining 1Password.

Secret sauce

Recent data from GitGuardian, a cybersecurity platform that helps companies find sensitive data hidden in public codebases, revealed a 20% rise in secrets inadvertently making their way into GitHub repositories. If this data falls into the wrong hands, it can be used to gain access to private internal systems. By way of example, Uber revealed a major breach back in 2017 that exposed millions of users’ personal data. The root cause was an AWS access key hackers discovered in a personal GitHub repository belonging to an Uber developer.
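
The GitGuardian figure above is about secrets that reach a repository before anyone notices. The cheapest control against that is a scanner that runs before the commit lands. The following is an added example written for this article, not code from GitGuardian, 1Password or SecretHub: a small pre-commit style scanner that flags three credential shapes in a file (the documented `AKIA` prefix of AWS access key ids, PEM private-key headers, and generic `token = "..."` style assignments filtered by Shannon entropy so that placeholder strings do not trip it). The sample file content is constructed; the `AKIAIOSFODNN7EXAMPLE` value is AWS's published example id, not a live key. The patterns and the 3.0-bit entropy threshold are assumptions to tune for your own code base.

```python
"""Pre-commit style scanner for credentials written into source files.

Added example for this article; patterns and thresholds are illustrative assumptions.
"""
import math
import re
from typing import List, Tuple

# (finding name, compiled pattern). A capture group, where present, isolates the secret value.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("generic_assignment",
     re.compile(r"(?i)(?:secret|token|password|api_key)\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{16,})")),
]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random tokens score high, placeholders score low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep only a prefix and suffix so a report never re-leaks the secret it found."""
    return value[:4] + "..." + value[-2:]


def scan_text(text: str, min_entropy: float = 3.0) -> List[Tuple[int, str, str]]:
    """Return (line number, finding name, redacted value) for each suspected secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in PATTERNS:
            match = pattern.search(line)
            if not match:
                continue
            value = match.group(1) if match.groups() else match.group(0)
            # Generic assignments are noisy: skip low-entropy values such as "aaaa..." or
            # "changeme"-style placeholders that are unlikely to be live credentials.
            if name == "generic_assignment" and shannon_entropy(value) < min_entropy:
                continue
            findings.append((lineno, name, redact(value)))
    return findings


# Constructed sample file; the access key id is AWS's documented example value, not a live key.
SAMPLE = """\
# constructed sample config for the scanner
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
db_password = "changeme"
api_key = "tok_4f9Z2qLmX8vB7nR3wQ"
-----BEGIN RSA PRIVATE KEY-----
"""


if __name__ == "__main__":
    for lineno, name, shown in scan_text(SAMPLE):
        print(f"line {lineno}: {name} ({shown})")
    # A non-zero exit code is what makes this useful as a pre-commit hook.
    raise SystemExit(1 if scan_text(SAMPLE) else 0)
```

Wired in as a pre-commit hook (or as a CI step on pull requests), the non-zero exit blocks the commit that would have carried the key into the repository; the entropy filter keeps the hook quiet on configuration templates, and the redaction keeps the hook's own output from becoming a second leak in build logs.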

There has been a flurry of activity across the secrets management space of late. Israeli startup Spectral recently exited stealth with $6.2 million in funding to serve developer operations (DevOps) teams with an automated scanner that finds potentially costly security mistakes buried in code. San Francisco-based Doppler, meanwhile, last month raised $6.5 million in a round of funding led by Alphabet’s venture capital arm GV and launched a bunch of new enterprise-focused features.

1Password has built a solid reputation over its 16-year history, thanks to a platform that can store passwords securely and simplify log-in. It allows consumers and businesses to log into all their online services with a single click (rather than having to manually input passwords) and can also be used to store other private digital data, such as credit cards and software licenses. The Toronto-based company raised its first (and only) round of funding back in 2019, securing $200 million to help it push further beyond the consumer sphere and cement itself as an integral security tool for the enterprise.

Machine secrets

Today, 1Password claims some 80,000 business customers, including enterprise heavyweights such as IBM, Slack, Dropbox, PagerDuty, and GitLab. With its latest “secrets automation” product, the company is striving to make its platform stickier for existing and potential clients searching for an all-in-one platform that protects all their credentials — from employees’ email passwords to core backend business systems.

While 1Password’s existing password-management toolset helps people securely access accounts without having to remember dozens of passwords, the “automation” facet of its new product name refers to machine-based system workflows that, for example, enable an application to securely “talk” to a database. “This means being able to roll secrets into your infrastructure directly from within 1Password,” chief product officer Akshay Bhargava told VentureBeat. “We are the first company encompassing human and machine secrets.”

Typically, infrastructure secrets can be splayed across countless cloud providers and services, but according to 1Password, it’s not uncommon for companies to cut corners or use a dubious combination of hacks and homegrown tools to manage the security around this issue.

According to Bhargava, 1Password was working on a secrets management solution before it acquired SecretHub. In fact, many of 1Password’s customers were already storing their infrastructure secrets in its vaults.

“Our customers have raised this workflow as something they’d like 1Password to solve,” Bhargava said. “It’s fair to say our first version is homegrown, and we’ve been focused on solving this problem for a while.”

Secrets automation allows admins to define which people and services have access to secrets, as well as what level of access is granted. At launch, it integrates with HashiCorp Vault, Terraform, Kubernetes, and Ansible, with “more on the way.” However, 1Password is also announcing a deeper partnership with GitHub, which will see the duo collaborate to “solve problems for our shared customers and users,” according to Bhargava. “We plan to build a workflow to support customers in delivering secrets and configuration into their CI/CD pipelines on GitHub,” he said.

As for costs, all companies will receive three credits for free. The cost then rises to $29 per month for 25 credits, $99 for 100 credits, and $299 for 500 credits. “We prorate based on usage,” Bhargava added. “We will work with companies needing more than 500 credits a month on an individual basis.”

In terms of how credits are consumed, companies configure the 1Password vaults they want secrets automation to access and then stipulate the permissions for a development environment with tokens. “If an API client needs read and write access to data stored in a 1Password vault, that access is defined using a token,” Bhargava explained. “One token, accessing one vault, is what defines a credit. If that same API client needs to access two vaults, that then becomes two credits. And similarly, if a single token is created for read access to vault A and another for write access to vault B, that becomes two credits.”
