Ubiquiti Accused of Lying to Help Stock Price

Ubiquiti disclosed a breach in January, implying it was the fault of a “third party.” But this week, an insider says the company lied: “It was catastrophically worse,” said the anonymous source.

The self-styled whistleblower alleges the firm only cared about its stock price. It led the market to believe the breach was the fault of a cloud service provider, we’re told. But the insider says the actual problem was an insecure AWS credential.

Oh what a tangled web … was allegedly woven. In today’s SB Blogwatch, we 2FA our LastPass.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Wonderful live stream—another one.

UI PR FAIL

What’s the craic? Brian Krebs cycles in with this report—“Whistleblower: Ubiquiti Breach ‘Catastrophic’”:

 On Jan. 11, Ubiquiti Inc. … disclosed that a breach involving a third-party cloud provider had exposed customer account credentials. Now a source who participated in the response to that breach alleges Ubiquiti massively downplayed [the] incident to minimize the hit to its stock price, and that the third-party cloud provider claim was a fabrication.

“It was catastrophically worse than reported, and Legal silenced and overruled efforts to decisively protect customers,” [he] wrote. … “The breach was massive, customer data was at risk, access to customers’ devices deployed in corporations and homes around the world was at risk.” [He] said the attackers had gained administrative access to Ubiquiti’s servers at Amazon’s cloud service: … “They were able to get cryptographic secrets for single sign-on cookies and remote access, full source code control contents, and signing keys exfiltration,” [because] the attacker(s) had access to privileged credentials … stored in the LastPass account of a Ubiquiti IT employee.

“Legal overrode the repeated requests to force rotation of all customer credentials, and to revert any device access permission changes within the relevant period.” … If you have Ubiquiti devices installed and haven’t yet changed the passwords … now would be a good time.

Good advice. Brittany A. Roston adds—“Whistleblower claims security breach far worse than reported”:

 Ubiquiti offers a variety of Internet of Things devices that depend on the cloud — including systems for enterprise customers. In January, the company sent out an alert warning that it had discovered ‘unauthorized access to certain of our information technology systems hosted by a third party cloud provider.’

The anonymous whistleblower alleges that the statement was written in such a way to imply that the vulnerability was on … the third-party cloud provider that went unnamed in Ubiquiti’s statement. [But it] was, in fact, simply the company’s own databases hosted on Amazon Web Services.

Oops. Ubiquiti’s ubiquitous PR-cum-Legal gnomes desperately scribble—“Update to January 2021 Account Notification”:

 As we informed you on January 11, we were the victim of a cybersecurity incident. … Given the reporting by Brian Krebs, there is newfound interest and attention.

The attacker, who unsuccessfully attempted to extort the company … never claimed to have accessed any customer information. This, along with other evidence, is why we believe that customer data was not the target … or otherwise accessed.

As we are cooperating with law enforcement in an ongoing investigation, we cannot comment further.

What we need now is a colorful metaphor. Respect Deputy Cartman’s authority:

 So they **** the bed and instead of owning up to the ****ty sheets, they hid them under the bed.

If half of what is alleged is true, I hope they’re sued into bankruptcy and vanish. Behavior like that is completely and utterly unacceptable. I’d also say any upper management and C-levels who gave the orders to try and hide this should face prison time but I’m not going to bet any money on that happening just yet.

And Gravis Zero sounds slightly sarcastic:

 Who could have thought that a legal system that promotes sociopathic behavior in corporate leaders would result in so many sociopathic corporate leaders?

But Matt’s view is more nuanced:

 The lawyers and execs always try to do damage control. Always.

Sometimes they do the right thing (or at least contain their spin) because they have some ethics, sometimes it’s more about the fear of getting caught. The SEC should investigate and if this crap is true, rip Ubiquiti a new one so the rest of the lawyers and execs without ethics at least have something to fear.

I’m pretty sure they wouldn’t need damage control if the technology was secure in the first place. Is rectang a squashed squa?

 The state of security in the tech industry is miserable. The only companies we should trust not to leak our data are those that never collected it in the first place.

What lessons for other firms? JP’s got ’em:

 Note to every company: The cover-up will be the thing that hurts you the most.

All this, and now the company is pushing obnoxious ads in the management interface. Ricardo Martín—@fluxwatcher—doth protest enough:

 There seems to be a pattern in all the poor choices Ubiquiti has been making lately. I might be stuck with them in some places, but they’re certainly not a candidate in any new projects.

These things come in threes. Dakel waits for the third shoe to drop:

 Between this and the advertisements … they are not having a good week. Was really looking forward to using some of their stuff. … Guess that plan has gone the way of the dinosaurs.

Meanwhile, heed the powerful prognostication of jep123:

 I have a feeling their gear might get a little less ubiquitous.

And Finally:

Wonderful one

Trigger warnings: F-bombs, scowling Thunberg, Amen break.



You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Brett Jordan (via Unsplash)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
