[QUICK NEWS] A whistleblower says the Ubiquiti "breach" was terrible
- Tamalero
Topic author
The whistleblower says that a third party allowed people with bad intentions to obtain critical data, such as the passwords of millions of customers for all kinds of devices, including security cameras, routers, switches, etc. That third party is Amazon's AWS cloud service.
To summarize: hackers obtained read and write access to the Ubiquiti databases that Amazon AWS was hosting.
“It was catastrophically worse than reported, and legal silenced and overruled efforts to decisively protect customers,” Adam wrote in a letter to the European Data Protection Supervisor. “The breach was massive, customer data was at risk, access to customers’ devices deployed in corporations and homes around the world was at risk.”
Ubiquiti has not responded to repeated requests for comment.
According to Adam, the hackers obtained full read/write access to Ubiquiti databases at Amazon Web Services (AWS), which was the alleged “third party” involved in the breach. Ubiquiti’s breach disclosure, he wrote, was “downplayed and purposefully written to imply that a 3rd party cloud vendor was at risk and that Ubiquiti was merely a casualty of that, instead of the target of the attack.”
krebsonsecurity.com/2021/03/whistleblower-ubiquiti-breach-catastrophic/
Device passwords stored in the cloud
Tuesday’s report from KrebsOnSecurity cited a security professional at Ubiquiti who helped the company respond to the two-month breach beginning in December 2020. The individual said the breach was much worse than Ubiquiti let on and that executives were minimizing the severity to protect the company’s stock price.
The breach comes as Ubiquiti is pushing—if not outright requiring—cloud-based accounts for users to set up and administer devices running newer firmware versions. An article here says that during the initial setup of a UniFi Dream Machine (a popular router and home gateway appliance), users will be prompted to log in to their cloud-based account or, if they don’t already have one, to create an account.
“You’ll use this username and password to log in locally to the UniFi Network Controller hosted on the UDM, the UDM’s Management Settings UI, or via the UniFi Network Portal (network.unifi.ui.com) for Remote Access,” the article goes on to explain. Ubiquiti customers complain about the requirement and the risk it poses to the security of their devices in this thread that followed January’s disclosure.
arstechnica.com/gadgets/2021/03/ubiquiti-breach-puts-countless-cloud-based-devices-at-risk-of-takeover/