
Uber
Haven't they run out of money and gone bust yet?
Uber is tonight reeling from what looks like a substantial cybersecurity breach. The food delivery and ride sharing disruptor has admitted that something is up, saying it is investigating the matter with the Feds: We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post …
trolling? No, I know what it takes to sign a PowerShell script and I'm sure that I could find a Microsoft signing cert, even if currently revoked, that would allow me to sign a modified script. Correct me if I'm wrong, but once a script is signed, it's valid regardless of the state of the signing cert (expired, revoked).
In any event, unless things are different in Server 2019, Windows won't proxy connections to CRLs.
You can't sign anything with a certificate. Certificates contain public keys; signing requires private keys. The signature includes the certificate – that's what identifies the signing party – but you need the private key to encrypt the hash.
Authenticode code signatures are timestamped, and the timestamp is itself signed by a timestamping service provided by a CA. The signature isn't valid if the timestamp is after the certificate's expiration date.
It's certainly possible you could find a certificate and private-key pair that chain back to a trust anchor in a given Windows system's machine certificate store, or in the user certificate store for the account you're trying to run the script on. Code signing is by no means a panacea and has been suborned many times by attackers. But it's not as trivial as you make it out to be.
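The checks the reply above describes (is the file actually signed, who signed it, is it timestamped, does the signer chain to a trusted anchor, and has the certificate been revoked) can be scripted on a Windows host. This is an added example, not code from the comment thread; the script path is a placeholder, and it relies on `Get-AuthenticodeSignature` plus the .NET `X509Chain` class so that revocation is checked online rather than assumed.

```powershell
# Added example: inspect an Authenticode signature on a PowerShell script the
# way a defender would before trusting it. The path passed in is a placeholder.
function Test-ScriptSignature {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Status is 'Valid' only when the file hash matches the signed hash and the
    # signer chains to a trusted root; 'NotSigned', 'HashMismatch' and
    # 'UnknownError' are the cases worth alerting on.
    $result = [ordered]@{
        Path          = $Path
        Status        = $sig.Status
        StatusMessage = $sig.StatusMessage
        Signer        = $sig.SignerCertificate.Subject
        Thumbprint    = $sig.SignerCertificate.Thumbprint
        NotAfter      = $sig.SignerCertificate.NotAfter
        Timestamped   = ($null -ne $sig.TimeStamperCertificate)
        Timestamper   = $sig.TimeStamperCertificate.Subject
        Revoked       = $null
        ChainErrors   = @()
    }

    if ($sig.SignerCertificate) {
        # Build the chain ourselves with online revocation checking, so a
        # revoked signing certificate, or a host that cannot reach the CRL or
        # OCSP endpoints, shows up explicitly instead of being waved through.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        $built = $chain.Build($sig.SignerCertificate)

        $result.ChainErrors = @($chain.ChainStatus | ForEach-Object {
            "$($_.Status): $($_.StatusInformation.Trim())"
        })
        $result.Revoked = [bool]($chain.ChainStatus | Where-Object {
            $_.Status.HasFlag([System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked)
        })
        if (-not $built -and $result.ChainErrors.Count -eq 0) {
            $result.ChainErrors = @('Chain build failed without detail')
        }
    }

    [pscustomobject]$result
}

# Usage (placeholder path):
# Test-ScriptSignature -Path 'C:\scripts\deploy.ps1' | Format-List
```

If the host cannot reach the CA's CRL or OCSP endpoint (the proxying point raised earlier in the thread), `ChainErrors` will carry `RevocationStatusUnknown` or `OfflineRevocation` rather than a clean result, which is the honest answer: a signature whose revocation status could not be determined should not be treated the same as one that was checked.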
Maybe the hack is an insider job to give them the Shaggy defense for their demise instead of their shabby treatment of members and IMHO scandalous abuse of the country's social security mechanisms.
I realise that the hacker probably isn't going to be reading comments on El Reg and even if they were who wants to waste valuable blackmail material, but it would be pretty sweet to do an rm -rf across every system they have access to, which sounds like it's basically all of them. Starting with the back-ups. It would be nice if something happened to persuade organisations to take security seriously and it couldn't happen to a more deserving company than Uber.
You can also wipe the SPD of the RAM turning it into a (thin lightweight) brick, the manufacturer will be able to reflash it but it would be a huge task to replace every stick of RAM. Many monitors also allow you to flash the EDID over the HDMI connection. You can also wipe the BIOS and Video BIOS from the mobo and graphics card, wipe the firmware from hard drives and SSDs, wipe the TPM.
If you have a basic understanding of i2c and Linux then you can turn most parts of a PC into a brick as it is very rare for them to be write protected (which is good when I want to mod my own hardware but not good for servers).
While that sort of sentiment is amusing, it is also wrong.
It is not fun for the people dealing with it. If data is dumped out on the internet it won't be fun for those affected. Moreover, don't pretend that it couldn't happen to your organisation. Do you personally vet every email that has an attachment, or check every script that Joe has written, or check S3 bucket configurations (if you use that or an equivalent), or every firewall rule? Unless you are a one-man band, you won't be doing that.
Indeed it would be good if organisations took security more seriously. But perhaps Uber thought they were doing that. Perhaps they have a security team with written rules about not hard coding usernames/passwords, yet Joe did it anyway. They should certainly keep data segregated. That is an architectural failing. But that is not the fault of everybody at Uber or anywhere else.
Before doing that, use corporate assets to buy a ton of crypto, then get it converted to cash in some third world nation's bank, and start moving it around until it's all safe in some Cayman account. And, if you're a USAian, make sure to declare it all as foreign income. It wasn't the FBI that got Al Capone, it was the IRS. Keep the IRS happy and you'll get away with it.
Seems you were right.
"Various corporate systems have now been shut down by Uber."
We are cooperating with the feds, by flipping them the bird and shutting everything down.
Sooner Uber die the better.
Proud to say my city chucked them out long ago and we have plenty of friendly taxi apps instead, taxes are paid and nobody gets raped or murdered on the back seat of a fake cab with people in the States listening in and laughing.
From the New York Times: "The person who claimed responsibility for the hack told The New York Times that he had sent a text message to an Uber worker claiming to be a corporate information technology person. The worker was persuaded to hand over a password that allowed the hacker to gain access to Uber’s systems, a technique known as social engineering."
If the policy says "don't share your password" it shouldn't make any difference who asks for it - you just don't share it. Plus of course there should be some way to distinguish between internal and external phone calls. It's obvious that corporate "user policies" still don't work - probably to a great extent because they're not backed by effective training, monitoring or incident response. The greatest source of failure in infosec is still not technical - it's sloppy management.
"If the policy says "don't share your password" it shouldn't make any difference who asks for it - you just don't share it."
We get "pen tested" every now and then by an outside company. It's usually, from a user's point of view, some "important" email with a link to follow where we need to log in. The link is so long that it's nigh on impossible to check where it's really going from the browser address bar. It looks very much like the common sort of stupidly long links our systems use. I usually follow the link, find a realistic looking login page, enter my username (my publicly available email address), then enter "password" for the password. A page opens telling me all about what just happened, why I shouldn't follow "unknown" links and auto-subscribes me to a 10 minute security "training" course, which I complete. After the 3rd or 4th occasion, I get a phone call from my manager, sounding a bit upset. So I tell him I was testing out the quality of the phishing attempt because it was abnormally good but wasn't stupid enough to use my real password and if the pen testers were doing their job properly instead of using automated scripts, they'd have known that I'd not fallen for it.
He asked me not to do it again as it was raising red flags but copied me in on the email back to "security" explaining how poor the pen testing was and was it really worth the money :-)
Our annual anti-phishing training arrives as an email with a link to the training website; when you click it, you get the corporate SSO login webpage. That's the actual login for the training, not a phishing exercise in itself, but of course it's indistinguishable from phishing (unless you're vigilant and technically competent enough to verify that it's the real SSO site).
So our security team is training users to avoid phishing by training them to fall for it.
Many of us have pointed this out to them, time and again. They either don't understand, or they don't care.
I have used Uber quite a few times and have found it fairly handy.
Saw this article and nipped into the app to change password.
It didn't prompt me for MFA when I logged in.. odd.
Checked my account settings and MFA was disabled, also odd as I keep track of when I enable MFA on my accounts - with Uber I enabled it end of last year.
Not sure why it was disabled again, either something nefarious going on or an update to the app over the last few months reset some stuff including MFA but didn't let me know.
*sigh*
Password changed, MFA re-enabled.
@iron
Curses!
You're right. I didn't think that through did I.
Now all I've done is flag that the account is certainly active (I hadn't used it for months before changing the pw today).
Rats.
I guess one good thing is my payment method is linked to PayPal which pings me with an MFA message before going through, other than that my phone number/address/last trips etc are probably all in the hands of the fiend.
It's the dunce hat for me.
Why did anyone trust a jumped-up start-up which shafted some more ethical business models, and expect it to have any moral fibre let alone a proper budget for network security? I'll get my coat even though the fresher mornings here in Cornwall only require such protection when the rain falls, which has been often of late. That same precipitation helps to dilute the shit that flows into the ocean from South West Water's "treatment works".
Uber are incredibly lucky it wasn't someone with more evil intent. By the sounds of it, they could have pretty much wiped out Uber if they had cared enough to do so. A $$multi-billion business, everything online, cloudy stuff they can't properly protect. I wonder if they could have recovered from someone wiping all those systems where access was gained? Is *everything* backed up? Offline backups? Tested offline backups?
Our company does a "disaster recovery" exercise every year. The official start of the process is someone quite senior pulling the breaker switch on a Friday evening. The guys have until 8am Monday to be 100% back up and running on the original kit. It normally takes about 12 hours to recover fully while everything ticks over on the backup systems so hopefully no actual downtime.
At the beginning of the article, Uber is called a "disruptor". When I see the "D" word, I think of a company that has lots of investor cash and has had enough time to build a big enough user base so that normal laws won't apply to them. Those are the laws and regulations that the rest of their industry has abided by for years and had set a high enough barrier to entry to make the endeavor worth pursuing. New York City had/has a medallion program for taxis to place a limit on how many taxis there would be. That's good for all. The pie is only so big and having an unlimited number of taxis just makes it unprofitable for everyone. The cost of the medallions was pretty substantial, but market forces set the price. Uber and Lyft come along and give the authorities the finger because App. Everybody driving for them is an independent contractor so the company doesn't have much of an employee cost. They don't have any equipment costs or have to pay for maintenance. The drivers often don't have a commercial driving license with a passenger endorsement nor commercial insurance, while at the same time all of the insurers of private vehicles have in their terms that no coverage is extended if the policy holder is driving for Uber/Lyft in particular or in any capacity where they are driving people and sometimes products for compensation.
It looks like we can see that Uber went further with their outsourcing to running their operation on other companies' hardware. Still, they don't make money. Journalists need to take a magnifying glass to a dictionary and look up the word "disrupt". To me, it's a negative. If somebody came along with a real Mr Fusion that was safe and cheap, that would be a true disruption to the energy industry. A company coming along and just building nuclear power plants while bypassing all of the laws that pertain to them for planning and approvals isn't a disruptor, it's a criminal.
"The cost of the medallions was pretty substantial, but market forces set the price."
That's actually a major part of the problem IMHO. Why should "market forces" determine the price? It's effectively a social service provided and managed by the city, hopefully to an optimum level. Surely it would be better to sell the medallions to applicants at a reasonable rate based on fitness for the job, aptitude and whatever other relevant qualifications are deemed necessary. Not the people with the deepest pockets. If the medallions weren't sold at extortionate rates, maybe the drivers could make a living while charging lower rates to passengers and truly be independents.
I do like your more correct description of a "disruptor" though. :-)
"Why should "market forces" determine the price?"
Mostly because city officials aren't competent enough to make the determination. The taxi companies are in a much better position to know what the maximum price worth paying is and that price will adjust much faster to match the current market. Anything the city does takes ages.
I have suggested a similar thing for concert tickets rather than the odd laws against "scalping". Set it up on big shows as an auction starting at $1 (or whatever). The front row will go for the most money and prices will diminish as you get to the nosebleed seats. The thing is that the nosebleed seats might sell for some minimum price, but it's still butts in seats from people that have paid for parking, concessions and merch. If you got a ticket for $1, you may have money for a $30 tour T-shirt. The band plays to a full house more often and the maximum money has been extracted for that show. Of course, if Ticket Disaster is handling the tickets, it will be $1 for the ticket and $30 in fees for the cheap seats so they might not sell.
The intruder "found ... a Powershell script with hard-coded credentials for an administrator account ..."
This isn't the first major data breach at Uber; therefore, the logical conclusion is that they're hopelessly incompetent (in addition to being duplicitous, evil, and exploitative, which are evident from other events). A competent IT and security team would long since have stopped hard-coding account credentials in shell scripts.
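The failing the last two comments describe, an administrator password sitting in plain text inside a `.ps1` file, is one a security team can both detect and design out. The following is an added example, not code from the thread or from Uber: a small scanner that flags the usual hard-coded credential patterns in PowerShell source (run over a constructed sample script embedded below) and, beside it, the corrected pattern that fetches the secret at run time from a SecretManagement vault. The vault name `CorpVault`, the secret name `svc-deploy-password` and the account name are assumptions.

```powershell
# Added example: find hard-coded credentials in PowerShell scripts and show the
# pattern that replaces them. Sample script text below is constructed.

function Find-HardcodedCredential {
    param(
        [Parameter(Mandatory)][string]$ScriptText,
        [string]$Name = '<inline>'
    )

    # Heuristics for the common ways a secret ends up in a .ps1 file. Tune the
    # keyword list for your own estate; false positives are cheap to triage.
    $patterns = @{
        'plain-text variable'    = '(?i)\$\w*(pass|pwd|secret|token|apikey)\w*\s*=\s*[''"][^''"]+[''"]'
        'ConvertTo-SecureString' = '(?i)ConvertTo-SecureString\s+(-String\s+)?[''"][^''"]+[''"].*-AsPlainText'
        'PSCredential literal'   = '(?i)PSCredential\s*\(\s*[''"][^''"]+[''"]\s*,\s*[''"][^''"]+[''"]'
        '-Password argument'     = '(?i)-Password\s+[''"][^''"]+[''"]'
        'connection string'      = '(?i)(password|pwd)\s*=\s*[^;\s''"]+;'
    }

    $lineNo = 0
    foreach ($line in ($ScriptText -split "`r?`n")) {
        $lineNo++
        if ($line.TrimStart().StartsWith('#')) { continue }   # skip comment lines
        foreach ($kind in $patterns.Keys) {
            if ($line -match $patterns[$kind]) {
                [pscustomobject]@{
                    File = $Name
                    Line = $lineNo
                    Kind = $kind
                    # Redact the quoted value so the finding itself does not leak the secret.
                    Text = ($line -replace '([''"])[^''"]+\1', '$1<redacted>$1')
                }
            }
        }
    }
}

# The corrected pattern: nothing secret lives in the file. The password is
# pulled at run time from a registered SecretManagement vault (assumed here to
# be called 'CorpVault', holding a SecureString named 'svc-deploy-password').
function Get-DeploymentCredential {
    param(
        [string]$UserName = 'CORP\svc-deploy',
        [string]$Vault    = 'CorpVault'
    )
    $secure = Get-Secret -Name 'svc-deploy-password' -Vault $Vault
    New-Object System.Management.Automation.PSCredential($UserName, $secure)
}

# Constructed sample of the kind of script the scanner is meant to catch.
$sample = @'
# deployment helper (constructed sample, not a real script)
$adminUser = 'CORP\svc-deploy'
$adminPass = 'Sup3rS3cret!'
$sec  = ConvertTo-SecureString 'Sup3rS3cret!' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($adminUser, $sec)
Invoke-Command -ComputerName fileserver01 -Credential $cred -ScriptBlock { Get-Service }
'@

Find-HardcodedCredential -ScriptText $sample -Name 'deploy.ps1' | Format-Table -AutoSize

# Over a real script tree:
# Get-ChildItem -Path 'C:\scripts' -Recurse -Filter *.ps1 |
#     ForEach-Object { Find-HardcodedCredential -ScriptText (Get-Content $_.FullName -Raw) -Name $_.FullName }
```

On the constructed sample the scanner reports the `$adminPass` assignment and the `ConvertTo-SecureString ... -AsPlainText` line, with the quoted values redacted in the output; the `Get-DeploymentCredential` function produces no finding because the script text contains no secret to find, which is the point of moving the lookup to a vault.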