Ubiquiti / UniFi Data Breach January 2021


Post by Moogle Stiltzkin »

https://www.youtube.com/watch?v=TezMyECFE4k


viewtopic.php?f=320&t=139875


hm :' i don't use unifi equipment, but in case this affects you, best find out more.
NAS
[Main Server] QNAP TS-877 (QTS) w. 4tb [ 3x HGST Deskstar NAS & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 +16gb ddr4 Crucial+ QWA-AC2600 wireless+QXP PCIE
[Backup] QNAP TS-653A (Truenas Core) w. 4x 2TB Samsung F3 (HD203WI) RaidZ1 ZFS + 8gb ddr3 Crucial
[^] QNAP TL-D400S 2x 4TB WD Red Nas (WD40EFRX) 2x 4TB Seagate Ironwolf, Raid5
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-253D (Truenas Scale)
[Mobile NAS] TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1

Network
Qotom Pfsense|100mbps FTTH | Win11, Ryzen 5600X Desktop (1x2tb Crucial P50 Plus M.2 SSD, 1x 8tb seagate Ironwolf,1x 4tb HGST Ultrastar 7K4000)


Resources
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review
https://www.patreon.com/mooglestiltzkin

Post by Toxic17 »

if you failed to get the notification then you can see official (limited) response here: https://community.ui.com/questions/Acco ... cdbf6906f3
Regards Simon

Qnap Downloads
MyQNap.Org Repository
Submit a ticket • QNAP Helpdesk
QNAP Tutorials, User Manuals, FAQs, Downloads, Wiki
When you ask a question, please include the following


NAS: TS-673A QuTS hero h5.1.2.2534 • TS-121 4.3.3.2420 • APC Back-UPS ES 700G
Network: VM Hub3: 500/50 • UniFi UDM Pro: 3.2.9 • UniFi Network Controller: 8.0.28
USW-Aggregation: 6.6.61 • US-16-150W: 6.6.61 • 2x USW Mini Flex 2.0.0 • UniFi AC Pro 6.6.62 • UniFi U6-LR 6.6.62
UniFi Protect: 2.11.21/8TB Skyhawk AI • 3x G3 Instants: 4.69.55 • UniFi G3 Flex: 4.69.55 • UniFi G5 Flex: 4.69.55

Post by Bob Zelin »

I use UniFi equipment -
I am going to do nothing about it. Am I stupid? Probably - let's see what happens. QSnatch never affected any of my clients (and I was totally panic-stricken when that happened around December 2019).

Bob Zelin
Bob Zelin / Rescue 1, Inc.
http://www.bobzelin.com

Post by moody_blue »

Let's not be dramatic. Any organization (including this forum) can be penetrated and user IDs (and sometimes passwords) exposed. I've received the warning e-mail, changed my Unifi PW, and that's it. I do not share passwords among my dozens of accounts, and my passwords are randomly generated with 16+ non-trivial characters. I value organizations that alert me that it's time to change my PWs (ideally PWs should be changed every 3 months unless a breach is discovered, which forces an unplanned PW change).
QNAP TS-253A 8G QTS 5.0.1.2145
Plex Media Server 1.29.0.6209
OpenHAB 3.4.0.M2
Unifi 7.2.92
Apache80 2454.8230
GLPI 10.0.3

Post by Moogle Stiltzkin »

https://www.youtube.com/watch?v=EhC_JgXjoBg

seems the latest update by a whistleblower was that the breach was more serious than initially thought.

if you don't use ubiquiti, or you don't think this is a concern to you, feel free to ignore. but for everyone else, watch the video for what to do. namely change your ubiquiti password if you hadn't yet, and possibly enable two-factor authentication (ideally). And if possible use a local account for ubiquiti (i did this from day 1 since i'm not a fan of the cloud :S ), and once you confirmed your admin account for your ubiquiti device is enabled, proceed to then disable remote access.

at this point you should be done.

Post by casw1000 »

Thanks Moogle, I am a Unifi user and to be honest, I always use 2FA on these types of account. I find it shocking how companies can get away with this blatant security breach and then get a 'slap on the wrist'. Case in point is the Facebook 500 Million account breach. Anyway, I digress, but think we all have to use complex passwords and 2FA. This really doesn't help the older generations who struggle with basic passwords, never mind 2FA etc. Last rant. Any Corp company that suffers security breaches where our personal information is leaked should suffer a financial penalty and pay the people who suffer, after all, it's us that have to then go and change all our passwords!!! [/rant over]

Post by Moogle Stiltzkin »

casw1000 wrote: Wed Apr 07, 2021 7:10 pm ...
but the breach was on ubiquiti's side. even though they claim it was a third party, the server security was supposed to be managed by themselves so... :S

if your password is stored on their server, maybe password could potentially leak. so it wouldn't matter how strong your password is, if it's readable. that's why after most breaches you need to change your password regardless.

this is why i don't like cloud. i do my unifi using local account, and it works just fine :mrgreen:


for password management i recommend using a password manager (that is not cloud based). My recommendation is keepass because it's free, good and open source
https://keepass.info/

this site also helps somewhat (it's not perfect but it's better than nothing) to alert you if your registered email was detected as being breached. sites that get breached don't always inform the user about it or ask you to change your password, unfortunately, hence why we need haveibeenpwned :(
https://haveibeenpwned.com

Post by casw1000 »

yeah, I am aware of the pwned site. I use 1Password myself, been using it for years. Like you, I prefer local login anyways. Some systems need to be accessed by the cloud, so I enable the 2FA as that added layer of security.

Post by Toxic17 »

Moogle Stiltzkin wrote: Wed Apr 07, 2021 7:40 pm this site also helps somewhat (it's not perfect but it's better than nothing) to alert you if your registered email was detected as being breached. sites that get breached don't always inform the user about it or ask you to change your password, unfortunately, hence why we need haveibeenpwned :(
https://haveibeenpwned.com

Google Chrome also allows you to check for username/password issues/leak throughout the net in the security check feature. I also use a Google Titan key for my Google accounts for 2FA



Post by Moogle Stiltzkin »

Toxic17 wrote: Wed Apr 07, 2021 11:04 pm ....
https://www.zdnet.com/article/new-side- ... rity-keys/

https://www.securityweek.com/researcher ... -be-cloned
The obtained encryption key can allow an attacker to clone the device and use it to log in to the targeted user’s account, assuming that they have also obtained the account username and password.

However, the researchers pointed out that an attack is not easy to conduct. First of all, the attacker would need to obtain the victim’s security key for several hours without raising suspicion — the victim could change the password or take other steps to secure their account if they notice that their security key is missing and they suspect that an attack on their account is imminent.

The attacker then needs to open the Titan Security Key casing without damaging the chip, perform the EM radiation analysis (which takes several hours), and create a clone of the security key. The researchers also highlighted that the equipment needed to conduct the analysis costs roughly €10,000 ($12,000), and the attacker would also need to have the technical skills to develop custom software and conduct an attack.

“Thus it is still clearly far safer to use your Google Titan Security Key (or other impacted products) as FIDO U2F two-factor authentication token to sign in to applications like your Google account rather than not using one,” the researchers explained in their paper. “Nevertheless, this work shows that the Google Titan Security Key (or other impacted products) would not avoid unnoticed security breach by attackers willing to put enough effort into it. Users that face such a threat should probably switch to other FIDO U2F hardware security keys, where no vulnerability has yet been discovered.”
ATTACK REQUIRES PHYSICAL ACCESS
i do like titankey yubikey. it's not perfect like the links pointed out, but as long as you don't leave it out where people can get to it, should be fine :wink: but these types of devices you may want to have a backup of it locked in a safe. just in case the 1st one dies or gets lost for some reason

Post by Toxic17 »

Moogle Stiltzkin wrote: Thu Apr 08, 2021 3:32 am i do like titankey yubikey. it's not perfect like the links pointed out, but as long as you don't leave it out where people can get to it, should be fine :wink: but these types of devices you may want to have a backup of it locked in a safe. just in case the 1st one dies or gets lost for some reason
without password and usernames the hacker may as well get a life. :lol: