Tag Archive for: über

Opinion | The Uber Hack Exposes More Than Failed Data Security


Uber was hacked this month. The company said that the attacker — a teenager possibly linked to the incident was just arrested in London — most likely obtained the corporate password of an Uber contractor. Using that person’s access, the hacker got into some of Uber’s internal systems: internal Slack messages, a finance tool for invoices and the dashboard where the company’s security researchers report bugs and vulnerabilities. It’s a big deal, and an embarrassment to the company.

Uber has said that it believes that the attacker is affiliated with a hacking group called Lapsus$, whose members are mostly teenagers and which has recently targeted several technology companies. Uber also said it had not seen any evidence that user data was compromised during the incident. In the lawsuits that will invariably result, we will learn more about what happened.

But any litigation against the company, whether it be by government agencies like the Federal Trade Commission, or class-action lawsuits by shareholders or perhaps even customers, will focus on the proximate causes of the hack. More fundamental are the underlying causes of security breaches: current economic and political forces incentivize companies to skimp on security at the expense of both personal and national security. If we are to ever have a hope of doing better, we need to change the market incentives.

When you’re a high-tech start-up company, you are likely to cut corners in a lot of areas. It makes business sense — your primary focus is to earn customers and grow quickly enough to remain in business when your venture capital funding runs out. Anything that isn’t absolutely essential to making the business work is left for later, and that includes security culture and practices. It’s a gamble: spending money on speed and features rather than security is a more likely path to success than being secure yet underfunded, underfeatured, or — worst of all — a year later to market.

Security can be improved later, but only if necessary. If you’ve survived the start-up world and become a runaway success, you’ve had to scale to accommodate your customers or users. You’ve been forced to improve…


Multi-Factor Authentication Fatigue Key Factor in Uber Breach


Earlier this week, Uber disclosed that the recent breach it suffered was made possible through a multi-factor authentication (MFA) fatigue attack in which the attacker posed as Uber IT.

MFA fatigue attacks are a form of social engineering that consists of spamming a target with repeated MFA push requests until they eventually approve one. This kind of attack is possible when the threat actor has already obtained valid corporate login credentials but cannot get into the account because multi-factor authentication is enforced.

According to Uber,

It is likely that the attacker purchased the contractor’s Uber corporate password on the dark web, after the contractor’s personal device had been infected with malware.

To explain how likely an MFA fatigue attack is to succeed, security researcher Kevin Beaumont recalled on Twitter that this is the same technique used in the recent LAPSUS$ attacks, about which the attacker allegedly explained: “call the employee 100 times at 1AM while he is trying to sleep and he will more than likely accept it”.

In Uber’s case, the approach was different, though. As reported by Lawrence Abrams for Bleeping Computer, security researcher Corben Leo got in touch with the hacker behind the breach and learned that the hacker had contacted the targeted contractor on WhatsApp, claiming to be from Uber IT and telling them that the only way to stop the incessant notifications was to accept one.

Once the attacker got their device authorized for access to Uber’s intranet, they began scanning the corporate network until they found a PowerShell script containing admin credentials for the platform Uber uses to manage its login secrets, including DA, DUO, Onelogin, AWS, and Gsuite. This allowed them to grab source code and, more worryingly, to get access to Uber’s HackerOne bug bounty program, which in turn gave the attacker information about vulnerability reports that had not yet been fixed.

In conversation with InfoQ, Cerby’s chief trust officer Matt Chiodi stated that “if what’s being reported is true, this would be an unprecedented level of access, even when compared to SolarWinds”. One way to mitigate the impact of such incidents, according to Chiodi, is applying a Zero Trust strategy,…
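The article describes MFA fatigue as a burst of push prompts that the victim eventually approves. The following detection logic is an added example written for this page; it is not code from InfoQ, Uber, Cerby, or any MFA vendor. It assumes a constructed log format (one line per push with a UTC timestamp, `user=`, `result=` and `src=` fields) and flags any user who receives at least `threshold` pushes inside a sliding `window`, recording whether the burst ended in an approval and how many rejections preceded it, which is the signal a SOC would want to triage first.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real Uber data). One record per MFA push prompt:
# UTC timestamp, user, outcome of the push, and source IP of the login attempt.
# Lines are deliberately out of order to show the sort step below.
SAMPLE_EVENTS = """\
2022-09-15T01:02:10Z user=alice result=approved src=203.0.113.7
2022-09-15T01:00:05Z user=carol result=denied src=192.0.2.44
2022-09-15T01:10:01Z user=bob result=timeout src=198.51.100.9
2022-09-15T01:10:40Z user=bob result=denied src=198.51.100.9
2022-09-15T01:08:30Z user=carol result=denied src=192.0.2.44
2022-09-15T01:11:15Z user=bob result=timeout src=198.51.100.9
2022-09-15T01:12:03Z user=bob result=denied src=198.51.100.9
2022-09-15T01:12:50Z user=bob result=timeout src=198.51.100.9
2022-09-15T01:13:30Z user=bob result=approved src=198.51.100.9
2022-09-15T01:16:00Z user=carol result=denied src=192.0.2.44
"""


def parse_events(text):
    """Parse the assumed 'timestamp key=value ...' format into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        events.append({
            "ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
            "user": fields["user"],
            "result": fields["result"],
            "src": fields["src"],
        })
    return events


def find_push_fatigue(events, window=timedelta(minutes=10), threshold=5):
    """Return one alert per user whose push count reaches `threshold` within `window`.

    The alert records the whole burst, the source IPs behind it, whether an
    approval occurred, and how many rejections came before that approval.
    """
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_user[ev["user"]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until evs[start..end] spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 < threshold:
                continue
            # Threshold reached: collect every push within `window` of the burst's first event.
            first = evs[start]["ts"]
            burst = [e for e in evs[start:] if e["ts"] - first <= window]
            approved_at = next(
                (i for i, e in enumerate(burst) if e["result"] == "approved"), None
            )
            alerts.append({
                "user": user,
                "pushes": len(burst),
                "sources": sorted({e["src"] for e in burst}),
                "first": burst[0]["ts"],
                "last": burst[-1]["ts"],
                "approved": approved_at is not None,
                # Number of denied/timed-out pushes before the approval; None if never approved.
                "rejections_before_approval": approved_at,
            })
            break  # one alert per user per run; tune for your SIEM
    return alerts


if __name__ == "__main__":
    for alert in find_push_fatigue(parse_events(SAMPLE_EVENTS)):
        print(
            f"MFA push fatigue: user={alert['user']} pushes={alert['pushes']} "
            f"from={','.join(alert['sources'])} approved={alert['approved']} "
            f"rejections_before_approval={alert['rejections_before_approval']}"
        )
```

Run as-is, the script flags only `bob`: six pushes in under four minutes from a single source, five of them rejected before the sixth is approved, which is the pattern the article attributes to the contractor's account. `alice` (one normal approval) and `carol` (three denials spread over sixteen minutes) stay below the threshold. In production the same query belongs in the identity provider's log pipeline, and the approval-after-rejections field is the one to route to an analyst rather than a dashboard.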


Uber investigating ‘cybersecurity incident’ after hacker claims to access internal systems


SAN FRANCISCO, Ca. (CNN) — Uber said Thursday that it was investigating a “cybersecurity incident” after a hacker shared evidence that they had breached the ride-hailing giant’s computer systems with journalists and security researchers.

“We are currently responding to a cybersecurity incident,” Uber’s communications team said in a tweet Thursday evening. “We are in touch with law enforcement and will post additional updates here as they become available.”

The New York Times was first to report the incident.

Uber said in an update Friday afternoon that there was “no evidence that the incident involved access to sensitive user data” such as passengers’ ride history.

“Internal software tools that we took down as a precaution yesterday are coming back online this morning,” Uber said Friday. “All of our services including Uber, Uber Eats, Uber Freight, and the Uber Driver app are operational.”

Andrew Hasbun, an Uber spokesperson, declined to comment further on the incident.

It’s not the first time Uber has dealt with a security breach. Hackers stole data on 57 million driver and rider accounts in 2016, and Uber paid to cover up the breach.

Uber allegedly paid the hackers $100,000 to get rid of the data. The company in 2018 agreed to pay $148 million in a settlement related to the incident with attorneys general from 50 states and DC.

The-CNN-Wire™ & © 2022 Cable News Network, Inc., a Warner Bros. Discovery Company. All rights reserved.


Uber Hack Was So Huge Employees Thought It Was a Prank


“I think IT would appreciate less memes while they handle the breach.”

Not A Joke

When a hacker announced that they had breached Uber’s security, some of the ride-sharing company’s employees reportedly thought they were being pranked.

Screenshots provided to The Washington Post show that when the still-unknown hacker announced themselves via a company Slack channel, many employees responded with emoji reactions suggesting they thought someone was playing a joke.

As the WaPo noted, there were others who took the hack announcement a bit more seriously.

“Sorry to be a stick in the mud,” the person whose messages were reviewed by WaPo wrote, “but I think IT would appreciate less memes while they handle the breach.”

Trolling, Trolling, Trolling

Further details that have since emerged about the Uber hack, which was initially confirmed by the New York Times, reveal that the person who took credit for the hack claimed to be 18 years old, and that they had an, er, interesting way of trolling the company.

An Uber employee who spoke to Fortune told the magazine that when they opened their work computer, the company’s internal website displayed an “erect penis” along with text that read “FUCK YOU WANKERS.”

This reporting seems to corroborate details provided to Yuga Labs security engineer Sam Curry, who tweeted yesterday that Uber employees said they found themselves redirected to web pages that featured “a pornographic image” and the same “wanker” epithet.

As Ars Technica and other outlets have reported, the hacker appears to have accessed Uber’s internals via a successful phishing attack carried out against an employee over WhatsApp.

The company told Reuters that it’s investigating the breach and claims no sensitive user data had been accessed. Until the company — or the hacker — provides more updates, we won’t really know what happened or why the hacker went after the ride-sharing giant. But it’s clear, at least, that it was not a joke.

READ MORE: Uber was breached to its core, purportedly by an 18-year-old. Here are the basics [Ars Technica]
