Early this year, Ubiquiti Networks announced to their customers that they'd been breached. The Internet of Things (IoT) device maker let customers know via an email that the company had recently become aware of an unauthorized breach via a third-party cloud provider.
The information that was compromised pertained largely to profiles used to log in to account.ui.com, the web portal used by customers to manage their Ubiquiti-related products. The data exposed contained numerous PII data points like:
- Salted and Hashed Passwords
Ubiquiti said ultimately, although exposed, they saw zero unauthorized access and there was nothing to worry about. Ubiquiti recommended their customers change their passwords and turn on two-factor authentication.
However, according to a new report from a whistleblower attached to the incident, not everything is what it appears to be. The whistleblower claims, in a statement to Krebs on Security (man, that guy sure is popular this week), that Ubiquiti purposefully downplayed the breach in order to protect their stock prices.
The whistleblower claims hackers were able to gain full read/write access to Ubiquiti databases on Amazon Web Services (AWS), seemingly via the use of credentials stolen directly from Ubiquiti. Those credentials, according to Krebs, came from a compromised LastPass account. The credentials gave the hackers root administrator access to all of Ubiquiti's AWS accounts.
The whistleblower also claims Ubiquiti engineers first discovered the breach in December when a backdoor was discovered and removed. A second backdoor was discovered in January. Shortly after hackers contacted Ubiquiti and demanded 50 bitcoins (worth about $2.8 million at the time) to stay quiet.
It's unclear what exactly the hackers will do with the information they stole, but if you're a Ubiquiti end-user and you haven't changed your password since being notified of the breach in January, you probably should.
Now might be a good time to talk about the importance of healthy password hygiene and why you should regularly change your passwords to maintain security.
The National Institute of Standards and Technology (NIST) has a set of rules you should consider following should you encounter a situation where your PII is breached.
NIST recommends using 8 characters minimum (and 64 maximum) when creating a password. Obviously, we don’t recommend you use all 64 characters (you’ll never remember them), but we do recommend using something above the minimum. 10 or 12 characters should do the trick.
Passwords can include any and all printing characters (ASCII) or Unicode characters so there are plenty of combinations available for you to choose from but that leads us to our next point…
Even if you follow the 8 character minimum, the number of combinations you can come up with is almost unlimited. Using both cases (upper and lower), numbers and special characters provide over 6 quadrillion potential combinations.
Despite all those possibilities, there are people out there who still use passwords like “123456” or the incredibly original “Password.” If you’re reading this and saying to yourself “Darn, they’ve guessed my password” we apologize and maybe you should think about changing things up before we log into your Instagram and delete all those cat memes you’ve been sharing.
The best way to avoid password ubiquity check your password against a list of commonly used poor choices like the ones in this list (http://www.huffingtonpost.com/entry/2016-most-common-passwords_us_587f9663e4b0c147f0bc299d)
Things to look out for when creating a new password include:
- Passwords obtained from previous breach corpuses.
- Dictionary words.
- Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’).
- Context specific words, such as the name of the service, the username, and derivatives thereof.
Now that you’ve avoided using too few characters and gotten away from commonly used passwords let's move on to why you shouldn’t use password hints or knowledge-based authentication…
Don’t Use Password Hints or Knowledge-Based Authentication
When you set up a password you’re usually prompted to set up a Q&A that, when entered correctly will reveal your password or allow you to reset it.
They’re mostly pre-generated and fairly commonplace: What was the name of your childhood best friend? What was the make and model of your first car? What street did you grow up on?
The problem with these is they’re fairly easy to guess and people are willing to surrender the information willingly without even thinking about it. If you’re on Facebook you’ve more than likely encountered people sharing a status that asks questions in the same vein. It’s called “Status Phishing” and the people behind it are rooting around for personal information.
The NIST recommends using open-ended questions INSTEAD of password hints and knowledge-based authentication (KBA). An open-ended question can be anything ranging from one word to a complete paragraph but it’s definitely more personal and customizable than a simple password hint or KBA.
Passwords Don’t Have to Expire or be Changed Periodically
Here’s the big shocker. Those passwords you’ve been using? As long as they haven’t been compromised don’t have to be changed. If you’ve ever logged into a computer and been prompted to enter a new password because you’re existing one has expired you know what we’re talking about.
NIST is very, very clear on this:
“Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically) and SHOULD only require a change if the subscriber requests a change or there is evidence of compromise of the authenticator.”
The excuse is a password becomes less secure the longer it’s in use and to be honest, there’s no information backing that up. If you’re responsible with your password and you’ve followed the steps above you should be, in theory, protected.
We’re not saying the NIST rules are the end all be all for authentication security but they should definitely point you in the right direction if you’re trying to stay secure while simplifying your security policy and procedures. It’s worth the read.
Like our blog? Subscribe using the CTA in the upper right-hand corner of this page. Feel like sharing your thoughts with us? Use the comment section below.