Ubiquiti Networks Breach: A “Catastrophic” cover up? Per Krebs on Security
This looks really bad. Ubiquiti Networks reported a data breach back in December into January. Apparently, per an insider at Ubiquiti:
“it was catastrophically worse than reported, and legal silenced and overruled efforts to decisively protect customers. The breach was massive, customer data was at risk, access to customers’ devices deployed in corporations and homes around the world was at risk”.
Access to Ubiquiti was gained via a third party, AWS. The attackers had admin access to Ubiquiti servers via the Amazon cloud service. Let’s just pause and reflect there. And think about the third-party cloud service relationships we all have in play. You can read Krebs’ post for a more detailed account of what ensued. And if you use Ubiquiti, be very suspicious. As with what happened to those Exchange servers, once pwned, twice burned. You need to sanitize what may be hiding in there.
India’s Fintech platform MobiKwik data breach per The Hacker News
Thanks to a global pandemic, online payments went from nice to necessity. That’s a lot of sensitive data – payment data. Now, 8 TB of it has been found for sale, believed to be stolen from India’s MobiKwik. They provide a payment gateway and financial services to over 120 million users, including 3 million retailers. The data was being offered for 1.5 bitcoin. There has been a lot of drama with this: it first came to light a month ago, and MobiKwik vehemently denied it. Servers were secured, the data tap shut off briefly. But then the attacker came back, claiming to have all that data. Whatever is going on, this involves a tremendous amount of sensitive data that impacts people’s lives and livelihoods once out there, and it can’t be taken back. We’ve seen the impact of mass data breaches fuelling cybercrime and the dark industry of synthetic identities. As individuals, more is expected of us to keep watch over our online presence. This extends, in terms of data stewardship and responsible disclosure, to those we trust and entrust with our data.
Privacy Cringe 😬: per Threatpost, Intel has been served up a lawsuit for breaking Florida’s wiretapping law. Because – don’t be surprised – they had software on their website to capture the keystrokes and movements of site visitors. Yes, folks like you and me. Yes, that would be the Intel in our computer chips. This was for user analytics on their site. I am sure visitors do not recall giving consent or even being asked. We are going to be confronting an increasing number of ethics and privacy concerns as AI, machine learning and data analytics converge. Be aware.
Good news maybe: for those concerned about SMS hijacks and SIM swap, an update in today’s CyberWire shows major US carriers have addressed the security loophole attacks were leveraging. You can read the article here.