Ubiquiti developer charged with extortion, causing 2020 “breach”

388 points by niros_valtos, more than 3 years ago

20 comments

lukeholder, more than 3 years ago
The funny thing is that krebsonsecurity.com are the ones that published the false information in the first place.

Good summary of the whole saga by Crosstalk YouTube channel which covers mostly Ubiquiti: https://www.youtube.com/watch?v=paLm0tP5GbI

LilBytes, more than 3 years ago
For me a company of their size and, what I would expect, maturity, this new announcement does not satisfy me or provide me much assurance. Consequently I am still happy I have been recommending people against Ubiquiti since the original announcement from Krebs.

* Why was it so easy for a lead engineer to get access to a root AWS user without anyone else being notified? I.e. AWS GuardDuty provides FREE alerting for when an AWS root IAM account is logged in or used, this account should be under lock and key and when used, confirmed and audited by relevant persons or teams.

Start edit/

* Furthermore on the root account being easily accessed, the root account in the companies I've worked at had MFA enabled, and the QR code is locked in a safe only accessible by two people agreeing it needs to be accessed in a break glass situation, where warranted.

/End edit

* Why was he also able to delete critical CloudTrail logs and reduce their retention to 1 day? I.e. these logs should be in an S3 bucket or other environment where such changes cannot be made. Alternatively, they should be shipped to a redundant service that manages this risk to prevent data deletion.

* Why did Ubiquiti not announce they were compromised sooner? The hack started in early December, Ubiquiti noticed the compromise on Dec. 28. Ubiquiti told the market on January 11th. Is that a satisfactory turn around? Giving them some credit for the XMas break I'll say this is partially understandable.

All the AWS configuration I'm speaking of above, I would describe as Security 101.

Most of these settings can be set and managed from AWS Organisations for free, and backed up with alarming and alerts for Guard Duty trivially. That a company of Ubiquiti's size and maturity had such basic risks not managed is still a concern.

I understand AWS Organisations can be difficult to set up for legacy AWS accounts, but even with that said, setting the alarms and monitoring up that would help manage the risk associated to the questions above is not difficult and should have been in place.

That Ubiquiti would only find relief ultimately from the developer's poor OpSec rather than Ubiquiti's own security policies and procedures provides a commending perspective of their internal security posture.
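
The two controls the comment above asks about (alerting on root credential use, and on calls that stop, delete or shorten audit logging) can be expressed as triage over CloudTrail records. This is an added example, not part of the thread: the sample records, the 90-day retention floor and the function names are constructed for illustration.

```python
import json

# Constructed CloudTrail-style records (illustrative, not from the incident).
SAMPLE_EVENTS = [
    {"eventTime": "2021-01-01T02:10:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"type": "Root"}},
    {"eventTime": "2021-01-01T02:14:00Z", "eventSource": "logs.amazonaws.com",
     "eventName": "PutRetentionPolicy", "userIdentity": {"type": "Root"},
     "requestParameters": {"logGroupName": "example-trail-logs",
                           "retentionInDays": 1}},
    {"eventTime": "2021-01-01T02:15:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "userName": "dev1"}},
    {"eventTime": "2021-01-01T03:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "userName": "dev2"}},
]

# API calls that stop, delete or reconfigure the audit trail or its storage.
TAMPER_CALLS = {
    ("cloudtrail.amazonaws.com", "StopLogging"),
    ("cloudtrail.amazonaws.com", "DeleteTrail"),
    ("cloudtrail.amazonaws.com", "UpdateTrail"),
    ("logs.amazonaws.com", "DeleteLogGroup"),
    ("s3.amazonaws.com", "PutBucketLifecycle"),
}
MIN_RETENTION_DAYS = 90  # assumed policy floor; set to your own requirement


def triage(event):
    """Return the alert reasons raised by one CloudTrail record."""
    reasons = []
    if event.get("userIdentity", {}).get("type") == "Root":
        reasons.append("root-credential-use")
    call = (event.get("eventSource"), event.get("eventName"))
    if call in TAMPER_CALLS:
        reasons.append("audit-log-tampering")
    if call == ("logs.amazonaws.com", "PutRetentionPolicy"):
        days = (event.get("requestParameters") or {}).get("retentionInDays")
        if isinstance(days, int) and days < MIN_RETENTION_DAYS:
            reasons.append(f"retention-cut-to-{days}d")
    return reasons


def scan(events):
    """Map eventTime -> reasons for every record that raised an alert."""
    alerts = {}
    for event in events:
        reasons = triage(event)
        if reasons:
            alerts[event["eventTime"]] = reasons
    return alerts


if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_EVENTS), indent=2))
```

Detection of this kind only helps if the records are delivered somewhere the account being watched cannot alter, which is the point the comment makes about log storage.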

duxup, more than 3 years ago
> Investigators say they were able to tie the downloads to Sharp and his work-issued laptop because his Internet connection briefly failed on several occasions while he was downloading the Ubiquiti data. Those outages were enough to prevent Sharp’s Surfshark VPN connection from functioning properly — thus exposing his Internet address as the source of the downloads.

Not the first time I’ve read about a VPN unable to mask someone’s IP when they were on a wonky connection.

cbsks, more than 3 years ago
> Investigators say they were able to tie the downloads to Sharp and his work-issued laptop because his Internet connection briefly failed on several occasions while he was downloading the Ubiquiti data. Those outages were enough to prevent Sharp’s Surfshark VPN connection from functioning properly — thus exposing his Internet address as the source of the downloads.

Ouch! Opsec is very easy to screw up.

throwoutway, more than 3 years ago
Hopefully this gets upvoted more but it somewhat repairs my view of Ubiquiti's brand now that more details have come out about what actually happened. I hope the courts will determine the full extent of the truth.

oleg_antonyan, more than 3 years ago
2M - is this that much for a senior developer in a well-known American company to risk his entire career?

omnibrain, more than 3 years ago
Makes me wonder if (at least some of) the posts dunking at the company leadership and the engineering in various comments around the internet had also been him.

belter, more than 3 years ago
The indictment:

https://www.justice.gov/usao-sdny/press-release/file/1452706/download

Side note: Free suggestion for a new startup. Make indictments pretty! What is it with all these fonts? Looks like they really type this on a typewriter. Are all court clerks just frustrated novelists?

fossuser, more than 3 years ago
If convicted, I hope this guy spends a long time in prison - what an incredible ass.

As a long time user of Ubiquiti devices, I’m glad this was the actual story. It actually makes me feel a lot better since this kind of risk is extremely hard to defend against and unrelated to their hardware.

Maybe a good time to buy some 2yr leaps.

nottorp, more than 3 years ago
So... do the Ubiquiti things work again without being tied to their 'cloud'?

Fake vulnerability or not, this is the worst part about their devices these days.

Speaking of which, are there any semi-pro APs that still work without going through the vendor's servers?

niros_valtos, more than 3 years ago
I wonder why the developer had access to so many resources on AWS and GitHub? Can’t these excessive permissions be removed? Why was it undetected for such a long time?

scandox, more than 3 years ago
Given how often we've seen people shooting the messenger in our field, we probably should save our commentary until the outcome of the trial.

A lot of corporate leadership are extremely paranoid and that's why whistle blowing is such a dangerous activity.

How strong do we all feel most digital evidence gathered really is? How much faith do we have in the technical knowledge of the investigators? Or the courts to parse this type of evidence?

gorgoiler, more than 3 years ago
> Investigators say they were able to [subvert the attacker’s VPN] because his Internet connection briefly failed on several occasions while he was downloading the Ubiquiti data. Those outages were enough to expose his real address.

Ahem, how convenient! Call me a paranoid Internet-forum dwelling cyber-loon, but that smells an awful lot like parallel construction.

When the authorities log the start and end times of every TCP session at both ends they don’t need a VPN leak to correlate traffic corresponding to “GET /secrets” from the client with a response from the server.

It feels like a disgruntled and sophisticated Ubiquiti employee is the last person who would get caught out by a DNS leak while waiting for their VPN to come back up after a flap.

On the other hand, I guess if you’re crazy enough to behave this criminally, you can be forgiven at least for not thinking straight in terms of opsec.

napkin, more than 3 years ago
If anyone is looking for the alternative to Ubiquiti since their fall from grace in recent years, I've found it to be HP Aruba. I always use more open source stuff for personal projects, but Aruba Instant On is what I commonly recommend/integrate for other people, whereas it used to be Ubiquiti. Solid design across hardware and software. It finds that unique balance in quality/usability between cheap/unreliable, and overcomplicated enterprise.

paulpauper, more than 3 years ago
lol so much wrong with this:

using surfshark

talking to FBI

being a terrible extortionist

devising such a terrible way to make money

chrisfinazzo, more than 3 years ago
Hmm, where have I seen this before...

Oh, I know.

Sergey Aleynikov says "Hi."

His case was less about extortion, and more just grabbing what he could on the way out the door, but it was sloppy.

Sharp obviously never learned Goldman Corp. Comm. Rule #1:

"Don't talk to the press"

biglost, more than 3 years ago
Buy a really cheap smartphone, with a new SIM card, go somewhere without cameras (hard to find) and then use the VPN

afrcnc, more than 3 years ago
duplicate: https://news.ycombinator.com/item?id=29411775

paulpauper, more than 3 years ago
If he wanted 20 btc all he had to do was put up one of those shitty livestream YouTube scam videos that you always see (Elon Musk was a 2020 favorite). And he would not have been arrested either.

Crazyontap, more than 3 years ago
Also 25 btc ransom. That's like 50k usd for such a big risk.

Sort of like how they show a person trying to make enough to pay some medical bills or something.