Tag Archive for: über

The Uber Hack Exposes More Than Failed Data Security


BKC Fellow Bruce Schneier writes about the Uber hack.

“In all of these cases, the victimized organizations could have very likely protected our data better, but the reality is that the market does not reward healthy security.”

Read more in The New York Times.


Former Uber security chief convicted on charges of covering up a hack in 2016


Former Uber chief security officer Joe Sullivan has been found guilty of charges that he covered up a 2016 cyberattack where a hacker downloaded the personal information of more than 57 million people. The information stolen from Uber included names, email addresses, and phone numbers for more than 50 million Uber riders and 7 million drivers, as well as driver’s license numbers for another 600,000 drivers.

As reported by the New York Times and Washington Post, the jury convicted Sullivan on two counts: one for obstructing justice by not revealing the breach to the FTC and another for misprision, which is concealing a felony from the authorities.

This is believed to be the first time a company executive faced criminal prosecution over a hack.

He’d faced three counts of wire fraud, but prosecutors dismissed those charges in August. Sullivan had served as a security executive at other companies, including Facebook and Cloudflare, and, as the Post points out, in this case, he was pitted against the same San Francisco US attorney’s office where he had previously worked prosecuting cybercrimes.

The hack itself was described by the prosecution in their original complaint (PDF), which noted that it almost exactly mirrored a 2014 breach of Uber, an incident the FTC was already investigating the company over at the time of the 2016 intrusion. As the trial began in September, Uber’s systems were breached again in a hack linked to an alleged former member of the Lapsus$ ransomware group, forcing it to temporarily take some internal systems offline.

The 2016 breach occurred when two outsiders trawling GitHub found credentials giving them access to Uber’s Amazon Web Services (AWS) storage, which they used to download its database backups. The hackers then contacted Uber and negotiated a ransom payment in exchange for a promise to delete the stolen information; the payment of $100,000 worth of Bitcoin was treated as part of the company’s bug bounty program. They eventually pleaded guilty to hacking the company in 2019.

Uber’s new CEO testified he “could not trust” his chief security officer.

As the Times notes, this is believed to be the first time a company executive faced criminal prosecution over a…


Former Uber security chief guilty of data breach coverup


SAN FRANCISCO – The former chief security officer for Uber was convicted Wednesday of trying to cover up a 2016 data breach in which hackers accessed tens of millions of customer records from the ride-hailing service.

A federal jury in San Francisco convicted Joseph Sullivan of obstructing justice and concealing knowledge that a federal felony had been committed, federal prosecutors said.

Sullivan remains free on bond pending sentencing and could face a total of eight years in prison on the two charges when he is sentenced, prosecutors said.

“Technology companies in the Northern District of California collect and store vast amounts of data from users,” U.S. Attorney Stephanie M. Hinds said in a statement. “We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users.”

It was believed to be the first criminal prosecution of a company executive over a data breach.

A lawyer for Sullivan, David Angeli, took issue with the verdict.

“Mr. Sullivan’s sole focus — in this incident and throughout his distinguished career — has been ensuring the safety of people’s personal data on the internet,” Angeli told the New York Times.

An email to Uber seeking comment on the conviction wasn’t immediately returned.

Sullivan was hired as Uber’s chief security officer in 2015. In November 2016, Sullivan was emailed by hackers, and employees quickly confirmed that the hackers had stolen records on about 57 million users as well as 600,000 driver’s license numbers, prosecutors said.

After learning of the breach, Sullivan began a scheme to hide it from the public and the Federal Trade Commission, which had been investigating a smaller 2014 hack, authorities said.

According to the U.S. attorney’s office, Sullivan told subordinates that “the story outside of the security group was to be that ‘this investigation does not exist,’” and arranged to pay the hackers $100,000 in bitcoin in exchange for them signing non-disclosure agreements promising not to reveal the hack. He also never mentioned the breach to Uber lawyers who were involved with the FTC’s inquiry,…


Uber hacked via basic smishing attack


A smishing attack on Thursday led to a wide range of Uber’s internal systems being breached by a seemingly unaffiliated teenage hacker, it has been claimed.

A report first emerged in The New York Times that the ride-sharing company had been hacked, with the threat actor himself getting in touch with the publication to allege that he had gained access to internal systems such as Uber’s internal email, cloud storage systems and code repositories through a simple social engineering attack. In a text message sent to an Uber employee, the hacker impersonated an IT worker and convinced them that it was necessary to share an internal password.

As a variant of phishing in which SMS is used to mine targets for sensitive information, smishing is often combined with social engineering tricks for increased effectiveness. Victims may be more easily persuaded to hand over credentials to a supposedly trustworthy source if the attacker makes the situation seem urgent or seems to be suitably authoritative, both of which may have prompted the hacker to claim to be a key IT worker. Two-factor authentication (2FA) is a recommended measure to dull the impact of smishing attacks, and prevent compromised credentials from being used by hackers effectively.

Smishing and social engineering were recently used in sophisticated attacks on Twilio and Marriott. A report from September 2021 revealed that in the first six months of that year, smishing attacks rose 700% compared with the preceding six months.

The hacker claims to be just 18 years old, with self-taught skills in cyber security, and explained that he performed the breach because Uber’s security was especially weak. On Thursday, Uber confirmed that it was subject to a cyber attack through its official Twitter channel, and also stated that it is in dialogue with law enforcement. The company has not offered an in-depth description of the attack.

As part of the breach, the hacker gained administrator control of Uber’s HackerOne account, which Uber uses to pay white hat hackers bug bounties. The attacker proceeded to leave comments on all active bounty tickets reading “UBER HAS BEEN HACKED (domain admin, aws admin, vsphere admin, gsuite SA)…
