More stories

  • Whistleblower claims Ubiquiti Networks data breach was ‘catastrophic’

    A whistleblower involved in the response to a data breach suffered by Ubiquiti Networks has claimed the incident was downplayed and could be described as “catastrophic.”

    On January 11, the networking equipment and Internet of Things (IoT) devices provider began sending out emails to customers informing them of a recent security breach. The company said that someone had obtained “unauthorized access” to Ubiquiti systems hosted by a “third-party cloud provider,” in which account information was stored for the ui.com web portal, a customer-facing device management service.

    At the time, the vendor said information including names, email addresses, and salted/hashed password credentials may have been compromised, alongside home addresses and phone numbers if customers had entered this data in the ui.com portal. Ubiquiti did not reveal how many customers may have been affected. Customers were asked to change their passwords and to enable two-factor authentication (2FA).

    Several months later, however, a source who “participated” in the response to the security breach told security expert Brian Krebs that the incident was far worse than it seemed and could be described as “catastrophic.”

    Speaking to KrebsOnSecurity after raising his concerns through both Ubiquiti’s whistleblower line and European data protection authorities, the source claimed that the third-party cloud provider explanation was a “fabrication” and that the data breach was “massively downplayed” in an attempt to protect the firm’s stock value.

    In a letter to European regulators, the whistleblower wrote: “It was catastrophically worse than reported, and legal silenced and overruled efforts to decisively protect customers. The breach was massive, customer data was at risk, access to customers’ devices deployed in corporations and homes around the world was at risk.”

    According to the alleged responder, cybercriminals gained administrative access to Ubiquiti’s AWS databases via credentials stored in, and stolen from, an employee’s LastPass account, giving them root admin access to AWS accounts, S3 buckets, application logs, secrets for SSO cookies, and all databases, including those containing user credentials.

    The source also told Krebs that in late December, Ubiquiti IT staff found a backdoor planted by the threat actors, which was removed in the first week of January. A second backdoor was also allegedly discovered, leading to employee credentials being rotated before the public was made aware of the breach.

    The cyberattackers contacted Ubiquiti and attempted to extort 50 Bitcoin (BTC), roughly $3 million, in return for silence. However, the vendor did not engage with them.

    ZDNet has reached out to Ubiquiti Networks and we will update when we hear back.

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  • BlackBerry fiscal Q4 revenue misses expectations, in talks to sell mobile patents

    Mobile technology legend BlackBerry this afternoon reported fiscal Q4 revenue that fell short of analysts’ expectations and profit that was in line with consensus, and said it was in talks with a North American company about selling patents from its portfolio pertaining to mobile technology. The report sent BlackBerry shares down about 3% in late trading.

    CEO John Chen remarked that the fiscal year just ended had “been an exceptional year to navigate,” adding, “however we are pleased with QNX’s continued recovery, despite new challenges from the global chip shortage,” referring to the company’s operating system software. Added Chen, “QNX now has design wins with 23 of the world’s top 25 electric vehicle OEMs and remains on course to return to a normal revenue run rate by mid-fiscal 2022.”

    Chen continued: “We are seeing tangible signs that our efforts and improvements in go-to-market are starting to pay off and have a positive impact. This quarter we generated strong sequential billings growth for our Software and Services business, including significant improvements for both Spark and QNX. Total billings are back to pre-pandemic levels.”

    Chen said the company’s revenue from licensing its patents had been reduced by talks during the quarter to sell the patent portfolio:

    “During the quarter BlackBerry entered into an exclusive negotiation with a North American entity for the potential sale of part of the patent portfolio relating primarily to mobile devices, messaging and wireless networking. The Company has limited its patent monetization activities due to the ongoing negotiations. If the Company had not been in negotiations during the quarter, we believe that Licensing revenue would have been higher.”

    Revenue in the three months ended in January fell to $215 million, yielding a net profit of 3 cents a share.

    That revenue number was below the company’s own forecast from December 17th, and below the average analyst estimate of $244.8 million. Analysts had been modeling profit of 3 cents per share. Revenue from licensing and “other” totaled $50 million in the quarter, the company said.

    BlackBerry plans to offer its outlook on the company’s earnings conference call, which starts at 5:30 p.m. this evening. Wall Street is modeling $238.2 million in revenue and a 2-cent profit per share for this quarter, and for the full year, $1.019 billion in revenue and a 13-cent profit per share.


  • Ransomware: Why we're now facing a perfect storm

    Ransomware is becoming more successful than ever before because of a combination of factors which allow cyber criminals to easily gain access to corporate networks, and they’re finding success because a significant number of organisations which fall victim to attacks are willing to pay the ransom.

    A report by defence think tank the Royal United Services Institute (RUSI) and cybersecurity company BAE Systems warns that a ‘perfect storm’ of conditions has come together and allowed ransomware attacks to run rampant against organisations around the world.

    Those elements range from how easy it is for cyber criminals to acquire and distribute ransomware, and the frequency of ransomware payouts, to the way the Covid-19 pandemic has made it simpler for malicious hackers to gain entry to networks.

    But it’s the fact that enough victims of ransomware are paying ransoms which ultimately encourages cyber criminals to pursue this line of attack, and normalises the act of giving in to the ransom demand. “The more organisations that pay a ransom, the more acceptable the notion of paying a ransom to solve the problem becomes,” the paper warns, adding that the ability to claim ransom payments back via cyber insurance may further encourage payments to criminals.

    And with the rise of ransomware-as-a-service, it’s relatively simple for even low-skilled cyber criminals to get involved with ransomware. The attackers pay a fee or a subscription for pre-packaged ransomware which they can then use as part of their attacks.

    Some of these as-a-service offerings are relatively small-time, while others such as REvil result in attacks where victims pay out hundreds of thousands of dollars, with the authors of the ransomware getting a share of the fee. Keen to make as much money as possible, many ransomware operators will publicise their offerings on underground forums to attract as many users as possible, complete with customer service. “Recent evidence suggesting that ransomware operators are on active recruitment drives for new talent is a concerning sign that the scale of the threat is still increasing,” warns the research paper.

    Ransomware groups are always evolving, and this has also contributed to the success of the attacks. Ransomware attacks were already proving effective, but the attackers behind Maze added another weapon to force victims to pay up: threatening to leak stolen data if the ransom isn’t paid. This “double extortion” technique has since been adopted by a number of other ransomware groups, who use it as an additional method to coerce victims into paying the bitcoin ransom.

    The range of ways in which cyber criminals can gain access to networks is also adding to the success of ransomware. Attack methods like phishing, brute-force attacks looking to crack weak passwords on remote desktop protocol services, or abusing technical vulnerabilities are all playing a part in allowing ransomware attackers to gain the access to systems they require.

    Something which has helped cyber criminals gain a foothold in networks for ransomware attacks is the boom in remote working. With employees working from home and relying on email and remote services more than ever before, cyber criminals have been taking advantage by exploiting the reduced security of remote employees as a stepping stone to installing ransomware on corporate systems.

    Ultimately, the report concludes, ransomware attacks will only stop if ransomware becomes unprofitable, and that relies on organisations becoming secure enough to not fall victim to attacks in the first place, so they never have to consider paying a ransom.

    Recommendations on securing networks include ensuring the timely patching of critical vulnerabilities and the use of multi-factor authentication wherever possible, along with reinforcing phishing awareness training.

  • Department of Homeland Security email accounts exposed in SolarWinds hack

    Email accounts belonging to US Department of Homeland Security (DHS) officials may have been compromised during the SolarWinds attack by Russian threat actors. 

    The Associated Press reports that unauthorized intrusions occurred during the SolarWinds supply-chain attack. SolarWinds, the central point of entry, was compromised by threat actors in December who were able to plant a malicious Orion software update which was deployed to thousands of organizations including Microsoft, FireEye, the US Treasury Department, the Cybersecurity and Infrastructure Security Agency (CISA), and the DHS, among many others.

    According to the news agency, the DHS breach allowed suspected Russian cybercriminals to access email accounts belonging to the Trump administration’s former head of the DHS, then-acting Secretary Chad Wolf.

    Based on interviews with past and current US government officials, who chose to remain anonymous, the AP reports that other DHS officials were also targeted, including members of staff focused on investigating foreign cybersecurity threats. Wolf and others were required to use new phones and to communicate via the Signal encrypted messaging platform in the days after the security fiasco.

    A DHS spokesperson said a “small number of employee accounts” were targeted in the breach and that there are no longer any indicators of compromise.

    General Paul Nakasone, the leader of United States Cyber Command (USCYBERCOM), said last week that Russia is a “sophisticated cyber adversary” which is on the radar when it comes to national security, in the same manner as China, North Korea, and Iran. “Moscow conducts effective cyberespionage and other operations and has integrated cyber activities into its military and national strategy,” Nakasone said. “Despite public exposure and indictments of Russian cyber actors, Russia remains focused on shaping the global narrative and exploiting American networks and cyber systems.”

    The commander added that in light of the SolarWinds breach, the US is considering a “range of options” to combat cybersecurity risks during 2021 and beyond. The US named Russia as the “likely” culprit behind the SolarWinds hack in January, and labeled the incident “an intelligence-gathering effort”. Russia has denied any involvement.

  • A highly sophisticated ransomware attack leaves 36,000 students without email

    A ransomware attack has infected IT systems at schools across London, leaving tens of thousands of pupils without access to email or school-issued devices.

    The Harris Federation, which runs 50 primary and secondary schools in London and Essex, fell victim to a ransomware attack on Saturday 27th March, just days after the National Cyber Security Centre (NCSC) put out an alert warning schools, colleges and universities about the “growing threat” of cyber criminals targeting education with ransomware.

    Harris Federation has revealed that cyber criminals accessed IT systems and encrypted data with an undisclosed form of ransomware. In a statement, Harris Federation said the ransomware attack will have a “significant impact” and that as a precaution the email system has been disabled. The school phone services, which also run via the internet, have also been disabled, aside from some “very limited” switchboard services. Students who have been issued devices by the schools can’t currently use them, as they’ve been disabled as a precaution.

    The federation has brought in a “specialised firm of cyber technology consultants” to investigate the exact details of the ransomware attack and is also working with the National Crime Agency (NCA) and NCSC. “We are at least the fourth multi academy trust to have been targeted in March,” it said.

    Harris Federation hasn’t detailed the exact nature of the information which has been accessed and encrypted by cyber criminals, but says it recognises that the families of school pupils will have “individual concerns around data”.

    ZDNet has attempted to contact Harris Federation for additional information about the ransomware attack but is yet to receive a reply at the time of publication.

    Harris Federation is the latest in a string of schools, colleges and universities which have been disrupted by ransomware attacks.

    To help protect against ransomware attacks, the NCSC recommends that organisations have an effective strategy for vulnerability management and applying security patches, ensure that remote online services are secured with multi-factor authentication, and that anti-virus software is installed and enabled. It’s also recommended that organisations have up-to-date and tested offline backups, so if the network is taken down by a ransomware attack, it can be restored without the need to give in to the extortion demands of criminals.

  • Panasonic, McAfee team up to tackle vehicle cybersecurity

    Panasonic and McAfee are joining forces to establish a vehicle security operations center (SOC) to tackle the ongoing threat of cyberattacks. 

    Announced on Tuesday, the new partnership involves both companies jointly creating an SOC to “commercialize vehicle security monitoring services,” with a specific focus on early detection and response.

    Smart and intelligent vehicle features, now becoming more common in new models, require connectivity. This is usually established through Bluetooth and internet connections, which, unless properly protected, can also give attackers a chance to establish a foothold in a vehicle’s systems. In addition, software vulnerabilities can be exploited to tamper with a car’s functionality.

    While everything from machine learning-based driver assistance to maps and entertainment apps is being developed in the automotive industry to appeal to modern drivers, cybersecurity is not necessarily being given the same attention, a gap Panasonic and McAfee aim to plug.

    This isn’t Panasonic’s first rodeo in vehicle-based cybersecurity. The company has already developed an automotive intrusion detection system, which can be mounted on a car, to scan for evidence of suspicious activities or cyberattack attempts. This data is then transmitted to the vehicle SOC and event system that can analyze the potential threat. It is this threat data that McAfee can then contribute to, by providing threat intelligence and general support to the vehicle SOC, which is intended to become a global service.

    “With the innovative development of autonomous driving, the advancement of digitalization, and the increasing number of connected cars, the risk of cyberattacks against automobiles is increasing every year,” the companies commented. “It has become urgent for the automotive industry to establish mechanisms to protect and monitor vehicles.”


  • Ransomware group targets universities in Maryland, California in new data leaks

    The Clop ransomware group has posted financial documents and passport information allegedly belonging to the University of Maryland and the University of California online. 

    On March 29, the threat actors began publishing screenshots of data allegedly stolen from the US educational institutions.

    These screenshots, including records that allegedly belong to the University of Maryland, Baltimore, show a federal tax document, requests for tuition remission paperwork, an application for the Board of Nursing, passports, and tax summary documents. The leaked data snapshots exposed sensitive information including the photos and names of individuals, home addresses, Social Security numbers, immigration status, dates of birth, and passport numbers. Sensitive information has been redacted in the screenshots.

    The University of California, Merced, also appears to have been subject to the same group’s tactics. Screenshots published by the group, viewed by ZDNet via Kela’s threat intelligence suite Darkbeast, include lists of individuals and their Social Security numbers, retirement documentation, and 2019/2020 benefit adjustment requests.

    In addition, the leaked data appears to include late enrollment benefit application forms for employees and UCPath Blue Shield health savings plan enrollment requests.

    Clop has been linked to a string of cyberattacks against businesses. Clop is one of many threat groups that employ a ‘double-extortion’ tactic, in which ransomware may be deployed on a compromised machine first, and then the cybercriminals threaten to make stolen corporate or sensitive datasets public on a leak site unless blackmail demands are met.

    Earlier this month, the group leaked data allegedly belonging to the universities of Miami and Colorado. On the same day, records allegedly belonging to Shell were also posted online. The oil giant revealed that a cyberattack had occurred through the compromise of Accellion FTA servers earlier this month.

    On March 22, the REvil ransomware group published what appears to be financial data from tech giant Acer following a ransomware incident. Acer was subject to a $50 million ransom demand; it is not known whether anything was paid. The company did not confirm that a ransomware attack occurred but did say that IT “abnormalities” had been discovered.

    Update 14.20 BST: The University of Maryland, College Park, said the leaked sample files shared appear to relate to the Baltimore campus, UMB, rather than UMD, as listed.

    ZDNet has reached out to the universities and we will update when we hear back.

  • Facial recognition camera projects raise concerns in Eastern Europe

    Two years after a mass surveillance system with thousands of facial recognition security cameras was introduced to the streets of the Serbian capital Belgrade, concern continues to grow about the impact of the technology.

    The Huawei-based surveillance system sparked controversy when it was initially introduced in 2019. And now human and digital rights organizations in the country are pushing back and warning about the risks that facial recognition software can bring.


    During the summer of 2020, the SHARE Foundation, a Belgrade-based digital rights organization that advocates for data privacy and digital security, launched a website called “Thousands of cameras”, as a space where Serbian citizens could share their concerns over the mass surveillance project. “The total loss of anonymity represents a certain loss of our freedom – the awareness that we are under constant surveillance drastically changes our decisions,” it warns.

    People responded to the initiative and started submitting photos and snaps of the cameras that have already been installed and pinpointing their exact locations.

    “Such infrastructure would enable mass surveillance of all citizens of Belgrade, having in mind that police already confirmed that they would use ID card databases for identification purposes. This is an enormous power that anyone who has access to this system would gain, and it seems that there are not enough sufficient safeguards to prevent the misuse of such power,” Danilo Krivokapic, director of the SHARE Foundation, told ZDNet.

    During last year, there were several pivotal moments that highlighted concerns about the introduction of such systems.

    In May 2020, there were mass rallies in Belgrade in support of the Serbian government, organized by the ruling party, as the country was getting ready for parliamentary elections in June. Serbian President Aleksandar Vucic later gave a statement in which he cited the exact number of people present at the rally: 5,790 supporters of the ruling party. This prompted a debate in Serbia as to whether the surveillance system was actually being deployed to monitor and count the number of people at rallies and protests.

    The second event came in July 2020, shortly after the elections. The government, which convincingly won the elections, wanted to add stricter measures against the COVID-19 epidemic in the country and to reintroduce lockdowns. Vucic faced protests where the police had to use force in order to disperse the protesters. After this happened, human rights organization Amnesty International warned about “credible reports” of police use of facial recognition cameras in Belgrade to identify protesters. “Amnesty International opposes use of facial recognition technology for mass surveillance, such as at protests and demonstrations. The new technology is still largely unregulated and tends to disproportionately target specific groups of people, it can have a chilling effect on the right to protest,” the organization noted in its report.

    According to Krivokapic, the initiative that the SHARE Foundation introduced is a part of opposition to the installation and the use of biometric surveillance not only in Serbia, but across Europe as well, as a part of the ReclaimYourFace movement. “It’s clear that deploying biometric mass surveillance on the streets of Belgrade would be unlawful and against the rights to privacy, since it can’t be considered as necessary and proportionate in a democratic society, which is a requirement proposed by both national and international legal framework in this field,” Krivokapic points out.

    While Serbian authorities have usually kept quiet about the scope of the project, an official document from the Serbian Ministry of Interior showed that the total number of cameras used for the surveillance system is up to 8,100. In addition to the 2,500 cameras on traffic poles, the police also bought 3,500 mobile cameras, 600 cameras for police vehicles and 1,500 body cameras worn as part of the police uniform.

    Meanwhile, tech companies are rolling out various camera projects elsewhere across Eastern Europe as well, one of them currently being implemented in the Ukrainian capital of Kyiv. Ukrainian authorities are planning to install more than 3,000 cameras on the main roads and highways in Kyiv. While an analytical facial recognition system has been in place in Kyiv since 2019, data privacy activists have warned about the overall lack of legal clarity when it comes to this type of technology.

    And much has been discussed about the shortcomings of facial recognition elsewhere across Europe, too. As ZDNet reported earlier, the Council of Europe recently published new guidelines that should be followed by governments and private companies that are considering the deployment of facial recognition technologies. Some of those guidelines include strict parameters and criteria that law enforcement agencies should adhere to when they find it justifiable to use facial recognition tools.

    “Facial recognition data is, obviously, tied to users’ immutable physical characteristics which some people find intrusive, and there is an additional burden of ensuring compliance with data protection legislation such as GDPR,” Michal Kratochvil, CEO of 2N Telekomunikace, a Czechia-based manufacturer of IP intercom and access-system technology, told ZDNet.

    And while the debate about the use of facial recognition is ongoing, with some governments and companies opting against it and others embracing it, citizens themselves, as illustrated in the case of Serbia, could also have the final say on how this and similar technologies will be used in the future.