Ubiquiti Breach - How to Secure Your Account!

Captions
I wanted to say a few words about this Ubiquiti breach and the subsequent articles that have come to light in the past couple of days. First things first, though: the most important thing is how do you make sure that your account is safe from any possible breach activities that have happened. There's three things that you need to do.

Number one, you need to log in to account.ui.com with your Ubiquiti single sign-on account login, and then once you're logged in you want to click on Security. In Security, click Change Password, put in your old password and put in a new password. I recommend something really strong, with a combination of letters, numbers, special characters, etc.

Once you've changed your password, right below that is Two-Factor Authentication. If you do not have two-factor authentication set up yet, then you're going to want to enable two-factor authentication and use something like a YubiKey or an app like Google Authenticator; Bitwarden has an app, LastPass has an app. There's all these two-factor authentication TOTP code apps, and TOTP is time-based one-time password. That's basically where you get a six-digit code that changes once every 30 seconds or a minute, and that's used to help secure the account. That's your two-factor authentication: your username and password and your TOTP code. So if you don't have 2FA enabled, enable it and set up a Google Authenticator app, get to know it, get to love it, or buy a YubiKey and get to learn the YubiKey. It is absolutely imperative, if you're in IT, to understand and actively use two-factor authentication everywhere that you possibly can.

If you already have two-factor authentication set up, then what you need to do is disable it. So we're going to do that here: we're going to click Disable, it's going to ask you for your two-factor token, submit, and then once you've submitted your token your two-factor is disabled. Now immediately re-enable it. When you click it, you're going to get a QR code; you're going to want to scan that QR code with whatever TOTP app you're using. In my case, again, I'm using these YubiKeys, which work spectacularly, and if you guys haven't seen it, check out my YubiKey video that I did probably about six months ago now. Once you've added your two-factor to whatever app or token you happen to be using, make sure you confirm it, submit that, and then you also want to click over here to Generate New Backup Codes. You're going to put your token, your six-digit 2FA code, in again, and you're going to generate new backup codes. With those backup codes, you want to save those to a secure location just so that you always have them.

Okay, so step one, change your password. Step two, enable 2FA, or reset 2FA if you already have it enabled. Step three, and this step is optional but I would say at this point it is recommended, is to disable remote access to Ubiquiti's cloud, because we just don't know what was compromised, right? We're not getting a straight answer, and we're probably not going to get a straight answer on what was actually compromised. So if you want to be extra safe and keep your data as well as your clients' data secure, then you're going to want to disable remote access from your UniFi controller or any of your UniFi devices. In older versions of UniFi, this is done by going to the Remote Access settings and then Remote Access, and you can simply turn off remote access. Of course, before you turn off remote access, you want to make sure that you have a local super administrator that can log in locally: create a local super administrator, log out, and log in with that account, just to make sure that you do have local super administrator access to UniFi before you disable your Ubiquiti single sign-on remote access or cloud access. For other devices such as the UDM Pro, this really isn't a possibility, right? You just have to make sure that steps one and two are taken care of, because there doesn't seem to be a way to disable the cloud sign-on for, I think it's, the UDM and the UDM Pro specifically.

Now, this is something that Ubiquiti has gotten a lot of flak about, so hopefully they will change that, especially as a result of these latest breaches and the loss of trust that they've received from a pretty decent portion of their user base. Allow us to just have a local administrator only, for all of your products, right? That will go a long way towards ensuring that we can trust you as a company, as well as the cloud access stuff that you provide for us.

I should point out that if you do disable cloud access, you're making it a little bit tougher on yourself. There's a trade-off between the security of not having the cloud access stuff enabled versus the ease of use of the software-defined network. Part of the nice thing about having a software-defined network is that you can log in from anywhere and manage that network. Of course, the downside to that is if Ubiquiti gets breached and you're connected to their cloud, there's a possibility that your stuff could also be compromised. So it's a security trade-off, as it always is. If you disable the cloud access, you're making it a little bit harder on yourself to administer your equipment.

That being said, if you do disable that cloud access and you still want remote access to a UniFi controller or a Cloud Key or something like that, don't go poking holes in a firewall to make that happen, because you could potentially cause an even worse security problem if you do that. Always access stuff through some sort of secure VPN, or ideally, what I do for my clients is we have a hosted UniFi controller where I have full control over which WAN IP addresses can actually connect to the most secure ports, such as the web GUI and SSH, on our hosted controller. Another option is to use something like HostiFi. HostiFi is a service where they host the UniFi controller for you, for a price, and they keep it up to date. They allow you to choose whether you want to locally administer it or enable the cloud access, but they also keep your servers up to date with the latest and greatest stuff after it's been tested; they go through QA processes and stuff like that. If you're interested in learning more about HostiFi, I have a link down below. Of course, that's an affiliate link, because what isn't an affiliate link these days, right?

Okay, so now let's talk about this breach. There's really a lot to unpack here. Now, originally the breach happened somewhere around the December 2020 time frame. Ubiquiti originally announced it around January 11th of 2021. At that time I put out a tweet saying, hey, this is how you secure your stuff; it's basically exactly what I just said earlier in this video. So from that standpoint, nothing's really changed, but we got a significant amount of new information, not from Ubiquiti but from a third party, and the third party is a trusted resource in the community: Brian Krebs, with Krebs on Security. He posted this article two days ago, where a whistleblower had contacted him. The whistleblower apparently had been working on Ubiquiti's response and made a lot of claims. Now, I will link the article down below. I don't want to just read it word for word; you can go read it for yourself and see all of the claims that were made. But at a high level, the whistleblower essentially claimed that Ubiquiti massively downplayed the extent of this breach, and that it's actually much, much worse than we were originally led to believe.

So, for instance, in the original statement from Ubiquiti, they say that they were breached by a third-party software, something like that. Come to find out that third-party software is AWS. With AWS, or any of those sort of hosted platforms for development and services and applications, you're responsible for your own security on those platforms. It's not the third party that got compromised; it's the way that you configured your stuff to work on that third party that got compromised. And so I think that's one of the things that has a lot of people upset: it seems misleading to say, well, we were compromised because of a third party, but if the third party was AWS, you're in charge of that security.

Now, apparently this breach happened because of privileged credentials that were stored in a Ubiquiti IT employee's LastPass, which I'm really curious to understand more about, that specific aspect of this story, because how did that person's LastPass credentials get compromised? Was it user error? That's, to me, what it sounds like. It sounds like user error is the reason for this whole Ubiquiti breach. Someone maybe had LastPass with a password that was reused from somewhere else, or just a weak password; maybe they didn't have two-factor authentication enabled on their LastPass. And if that's the case, and of course that's speculation on my part, but if that's the case, that is really poor security hygiene on behalf of that IT person, and they definitely should know better. But because they were able to get those credentials, they basically unlocked the keys to the kingdom at Ubiquiti. The whistleblower claims that they were able to get cryptographic secrets for single sign-on cookies and remote access, full source code control contents, and signing keys. Exfiltration, I mean, that's as bad as it gets as far as a breach goes. And so sort of the biggest problem here was Ubiquiti's original statement, that was just like, ah, you should change your passwords, but there's no evidence that anything was compromised.

Now, last night Ubiquiti put out a statement in response to the Krebs article, so let's take a look at that in more detail. They say: "As we informed you on January 11th, we were the victim of a cybersecurity incident that involved unauthorized access to our IT systems. Given the reporting by Brian Krebs, there is newfound interest and attention in the matter. We'd like to provide you with an update." Great. "At the outset, please note that nothing has changed with respect to our analysis of customer data and the security of our products since our notification on January 11th. In response to the incident, we leveraged external incident response experts to conduct a thorough investigation to ensure the attacker was locked out of our systems." So again, pretty vague on the details, right? They hired third parties, they made sure the attacker was locked out of the systems, but we still don't really know what was compromised and what was not. Now they say: "These experts," again, not Ubiquiti saying this, but the experts are saying this, "identified no evidence that customer information was accessed, or even targeted." Now, the problem with that is that subsequently there was a tweet from Brian Krebs where he says that Ubiquiti responded to the story and said that no evidence of customer information was accessed, but the whistleblower also said that they didn't keep logs on access to the hacked database. So to me that's like such lawyer-speak: it's like, well, we found no evidence of a hack, but if there was no evidence to find because you weren't taking logs, that's a totally different story. Did you find no evidence of the hack because you have such comprehensive logs that you've pored over and found no evidence that anyone accessed anything, or did you find no evidence of the hack because there was nothing to look at, there was no evidence, there were no logs of any sort of access to the database? That's a big, big problem, and it's a much different story either way, even though with either story you can say "we found no evidence."

Ubiquiti goes on to say: "The attacker, who unsuccessfully attempted to extort the company by threatening to release stolen source code and specific IT credentials, never claimed to have accessed any customer information." That doesn't give me the feel-good feelings, right? This attacker who illegally hacked into your stuff and tried to extort you, well, he says he didn't access any customer information. Okay, we can believe him, right? I'm sure he's a trustworthy source. That's an absolutely asinine statement. "This, along with other evidence, is why we believe that customer data was not the target of, or otherwise accessed in connection with, the incident." So, really vague. I'm not impressed by this statement at all, and we'll talk about this a little bit more, but what's at stake here is consumer confidence in Ubiquiti, and this isn't helping in that regard, unfortunately. I wish I could say that consumer confidence in Ubiquiti was not eroding with every step that they're making.

Now, to me this is the most interesting piece of Ubiquiti's response, and really one of the only pieces of new evidence that we got here: "At this point, we have well-developed evidence that the perpetrator is an individual with intricate knowledge of our cloud infrastructure. As we are cooperating with law enforcement, we cannot comment further." Who's going to have intricate knowledge of Ubiquiti's cloud infrastructure? An employee or an ex-employee, right? Someone who worked in Ubiquiti's world. So believe it or not, this piece of the puzzle actually makes me feel a little bit better about this hack, because if the story here, and again, pure speculation on my part, if the story here is that a disgruntled employee gained access to Ubiquiti's internals and tried to extort them for 50 bitcoin, which was apparently what happened, that's different than some malicious third party hacking into Ubiquiti's stuff specifically trying to exploit whatever they can exploit. Does that make sense? If this was just a disgruntled ex-employee trying to really stick it to Ubiquiti and extort them out of some money, that's one thing, because that person's beef is with Ubiquiti; it's not with the customers or their consumers. Whereas if it's someone who's specifically just trying to get access to whatever they can get access to, and then also extort Ubiquiti, then it's possible that they could have really focused in on customer data and accessing customer networks. Which, again, if it's just a disgruntled ex-employee, it seems to me that it would be less likely that they're going to be targeting Ubiquiti customers specifically.

So that's what we know so far. Ubiquiti of course also recommends that, hey, change your passwords, etc. They also say enable two-factor authentication if you have not already done so, but they do not say disable and re-enable it if you do have it enabled, which I think they should further go on to say. Now, me personally, I would like to have seen Ubiquiti force all users, all single sign-on users, to change their passwords upon their next login, and I would even go so far as to say it would have been really nice if Ubiquiti had done something to incentivize people to enable two-factor authentication, either by just making it really easy to do, like when you change your password you should also be enabling 2FA, put it right there in people's faces, or do something like, hey, for every single sign-on account that enables two-factor authentication, we're going to give you five percent off in the Ubiquiti store, or ten percent off in the Ubiquiti store. How cool would that be? Not only would you get more people to enable two-factor authentication, but you'd sell more goods in your store. Turn it into a win-win, for Christ's sake.

So, in response to this article, Ubiquiti's response didn't deny anything in the Krebs article. They didn't deny anything, which means that he's probably on the right path. And Brian Krebs, being a trusted security resource in the industry, is not going to post an article like that just willy-nilly, right? You think about who has the most to gain or lose by doing something like that. Does Brian Krebs have a lot to lose by posting that? If he posts something that proves to be incorrect, he has his reputation to lose, but if he posts it and it's 100% factual, he doesn't have anything to lose. He really doesn't have anything to gain either, just that his reputation in the security industry is going to get stronger. Now, if it came out that Brian Krebs had shorted Ubiquiti stock the day before he released his article, I mean, that's a different story, but of course there's no evidence of that.

Now look at the other side of the coin: what does Ubiquiti have to gain or lose by this? They have a lot to lose if people's confidence in their security goes downhill, because they will get less business, their stock price will drop, all of those things. But as I've said a lot of times before, you can gauge a company based on their response to a hack like this. All companies can get hacked; this is not something that is unusual for big tech companies these days. So it's not in placing blame for who got hacked; that's not what loses people's trust in your company. It's how you respond when you were hacked. So if, when you were first hacked, you said, you know what, we're not entirely sure exactly what this hacker was able to get or not get, so what we're going to do here is we're just going to make sure everyone resets all of their single sign-on passwords, that would have been maybe a little bit more of a hit to their stock price back in January, but they wouldn't be dealing with this massive drop in stock over the past few days. I mean, look at this. Let me put myself up here; look at Ubiquiti stock. So here's the 29th: the stock was up to 405 dollars, and now it's down to 288 dollars. It's dropped 110 or 120 bucks in the past three days, where the bulk of that happened right in the morning, right after this article was released, basically. So this big steep drop-off right here is people selling Ubiquiti stock, and then of course you see this big green line here, which is people buying the dip. So will their stock come back up because of this? It'll probably recover, would be my guess, because people have short-term memories and they'll forget all about this hack at some point. But my point with the stock stuff is that had they been more upfront and really erred on the side of caution and erred on the side of the consumer back in January, when they first announced this, yes, their stock might have taken a little bit of a bigger hit back then, but it certainly would not have taken a bigger hit now, because this would not have been a story really at all. If they had properly responded to it originally, we wouldn't be here now.

My biggest concern in this whole thing is for the folks that aren't watching this video. For all of the millions of people out there that have Ubiquiti equipment, they have UniFi controllers running, but they're maybe not IT folks in their day-to-day life. They're not like all of you folks watching this that know about this breach and are going to actively go change your passwords and reset your 2FA and disable your cloud access. There's a big chunk of the Ubiquiti user base that's not going to be doing any of those things, because they will have never heard about any of this. They're just not in that world; the news isn't going to reach them on that level. So I'm really concerned about those folks. So get the word out if you can. If you know of anyone that has Ubiquiti equipment, make sure you tell them about this breach, share this video, tell them how to fix it if nothing else. And yeah, I mean, there's got to be just tons and tons of people around the world that have Ubiquiti stuff set up that maybe don't have 2FA turned on, they're reusing a password that they also use for all of their bank accounts or whatever. Those are the people that I'm most concerned about with this breach, because they're the ones that ultimately could be affected.

As far as Ubiquiti goes, listen, there's no crystal ball that's going to be able to tell you what's going to happen. They've made a number of moves lately that people have been upset about, not just this breach; I'm talking about other things as well. And so consumer confidence in Ubiquiti, to me, has been dropping. I mean, again, I see comments on YouTube videos, I see comments in our Discord chat where people are rightfully upset about a lot of the decisions that Ubiquiti is making. And so you've got to start asking yourself, well, is Ubiquiti on the side of the consumer, or is Ubiquiti on the side of their shareholders? There is going to be some sort of fine line that you can walk in between those two things, but to me it's always best to err on the side of your consumer, because if you lose that consumer trust, your entire brand is going to start eroding. You're going to have to take your Comcast and turn it into Xfinity at some point just to try to do damage control, and we don't want to see that for Ubiquiti. They make great hardware, we like their hardware; my entire network, with the exception of my firewall, is all Ubiquiti. So I'm definitely a fan of their products, but it's tough to defend them when you kind of see what's going on: you see the changes to their products over time, you see their response to this breach. I mean, listen, Ubiquiti, we love you, we want you to succeed, we want you to make great products. Make everyone reset their passwords, okay? Incentivize people to turn on 2FA, and start listening to consumers about the changes that you're making, especially to the UniFi interface, that people are disagreeing with. I mean, when there's a massive uproar about a change that you made, actually look at that and say, did we make a mistake? Should we roll that change back in order to make sure that our customers are happy? I don't know; I'm sure you're doing that internally, I hope you're doing that internally.

But yeah, that's about it. What more can you say about this? It's another breach. Companies like this, they come out with their statement of, like, hey, we're looking into it, we're hiring a third party, just reset your passwords, everything's cool, and then most of the time people just forget about it and move on with their lives. This time it came back to bite them because of this Krebs article and the new information that came out. It's always worse for a company when the information about your breach doesn't come from you, the company. Case in point: Sangoma, who still has not given us any additional information about their breach, even though they said they would. It's been a long time; it's been enough time that we should have information about it by now. How a company responds to a breach can reinforce or erode consumer confidence in the company, period, full stop. Okay, so err on the side of your consumers, err on the side of your customers, and do the best you can to get it fixed.

All right, what do you guys think about this? Let me know down in the comments below. I'm happy to read all of those comments, although I suspect I know what a lot of them are going to say already, because I've already been receiving those comments on a lot of my videos. Anyway, if you guys like to stay up to date with the latest information on this type of stuff, make sure you hit subscribe, and also like this video if you liked it. All right, my name is Chris with Crosstalk Solutions, and thank you guys so much for watching.
Info
Channel: Crosstalk Solutions
Views: 66,826
Rating: 4.9620314 out of 5
Keywords: Ubiquiti Breach, crosstalk, crosstalk solutions, ubiquiti breach 2021, ubiquiti breach reddit, ubiquiti data breach, ubiquiti, ubiquity, ubiquiti hack, unifi, unifi breach, unifi hack, krebs on security, ubiquiti krebs, unifi hack 2021, ubiquiti hack 2021
Id: EhC_JgXjoBg
Length: 24min 16sec (1456 seconds)
Published: Thu Apr 01 2021