Uber reels from 'security incident' in which cloud systems seemingly hijacked

Uber is tonight reeling from what looks like a substantial cybersecurity breach. The food delivery and ride sharing disruptor has admitted that something is up, saying it is investigating the matter with the Feds: We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post …

  1. Anonymous Coward

    Uber

    Haven't they run out of money and gone bust yet?

    1. Cederic Silver badge

      Re: Uber

      It sounds like they're lucky someone in it for fun and fame has done this, or yes, they'd have had their bank accounts stripped by now.

      Which they deserve. Admin credentials in a powershell script.

      1. thondwe

        Re: Uber

        Worse - Thycotic is a Password manager - so creds to that database = access to lots of usernames/passwords.

        Assume script some "clever" but misguided attempt to auto-update/periodically change passwords and store them somewhere "safe"?
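The hard-coded-credential problem raised in the two posts above is at least something an admin can sweep for before an intruder does. The script below is an added example, not code from the article or from any commenter; the root path, the regex patterns and the sample script it writes into a temp folder are all assumptions, and the values in that sample are made up.

```powershell
# Added example, not from the article or any commenter. Sweeps a folder of
# PowerShell scripts for credentials embedded as string literals and reports
# each hit with the secret masked. Root path and patterns are assumptions.

# Regexes for the usual ways a secret ends up as a literal in a .ps1 file.
$CredentialPatterns = @(
    '\$(password|passwd|pwd|secret|apikey|api_key|token)\s*=\s*["''][^"'']+["'']',
    'ConvertTo-SecureString\s+["''][^"'']+["'']\s+-AsPlainText',
    '-(Password|Secret|Token)\s+["''][^"'']+["'']',
    'https?://[^/\s:@]+:[^@\s]+@'      # user:password@host inside a URL
)

function Find-HardcodedCredential {
    param([Parameter(Mandatory)] [string] $Root)

    Get-ChildItem -Path $Root -Recurse -Include *.ps1, *.psm1, *.psd1 -File |
        Select-String -Pattern $CredentialPatterns |
        ForEach-Object {
            $hit = $_.Matches[0].Value
            # Mask the secret so the report itself does not become a credential dump.
            $hit = $hit -replace '(?<=["''])[^"'']+(?=["''])', '***'
            $hit = $hit -replace '(?<=:)[^@\s:/]+(?=@)', '***'
            [pscustomobject]@{
                Path    = $_.Path
                Line    = $_.LineNumber
                Pattern = $_.Pattern
                Match   = $hit
            }
        }
}

# --- Demonstration on a constructed sample (fake values, not real credentials) ---
$demoDir = Join-Path $env:TEMP 'cred-scan-demo'
New-Item -ItemType Directory -Force -Path $demoDir | Out-Null
@'
$user = "svc-backup"
$password = "Winter2022!"                                            # flagged
$sec = ConvertTo-SecureString "Winter2022!" -AsPlainText -Force      # flagged
Invoke-RestMethod -Uri "https://svc:Winter2022!@vault.example.test/" # flagged
$cred = Get-Credential -UserName $user -Message 'Enter password'     # not flagged
'@ | Set-Content -Path (Join-Path $demoDir 'rotate-passwords.ps1')

Find-HardcodedCredential -Root $demoDir | Format-Table -AutoSize
```

Point it at a scripts share instead of the demo folder to get a masked list of file, line and pattern. The masking matters: a report that reproduces the literals is itself a file full of passwords.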

      2. Anonymous Coward

        Re: Uber

        One of the major advantages of PowerShell over legacy scripting languages like BASH is the layers of inbuilt security, such as secure strings and native script encryption. Clearly someone didn't know what they were doing.

        1. Anonymous Coward

          Re: Uber

          Hmm. What if I simply add Write-Output statements to your insecure PowerShell scripts? I bet that would output the plain-text passwords...

          1. TheVogon

            Re: Uber

            PowerShell scripts can be digitally signed too, so it won't run if changed. And also not unless you had access to the service account that ran a secured script. Just finding the script won't give you access to the passwords even if you ran it from another account.

        2. Claptrap314 Silver badge

          Re: Uber

          You forgot the troll flag.

          1. Anonymous Coward

            Re: Uber

            Trolling? No, I know what it takes to sign a PowerShell script and I'm sure that I could find a Microsoft signing cert, even if currently revoked, that would allow me to sign a modified script. Correct me if I'm wrong, but once a script is signed, it's valid regardless of the state of the signing cert (expired, revoked).

            In any event, unless things are different in Server 2019, Windows won't proxy connections to CRLs.

            1. Michael Wojcik Silver badge

              Re: Uber

              You can't sign anything with a certificate. Certificates contain public keys; signing requires private keys. The signature includes the certificate – that's what identifies the signing party – but you need the private key to encrypt the hash.

              Authenticode code signatures are timestamped, and the timestamp is itself signed by a timestamping service provided by a CA. The signature isn't valid if the timestamp is after the certificate's expiration date.

              It's certainly possible you could find a certificate and private-key pair that chain back to a trust anchor in a given Windows system's machine certificate store, or in the user certificate store for the account you're trying to run the script on. Code signing is by no means a panacea and has been suborned many times by attackers. But it's not as trivial as you make it out to be.
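Whether a script's signature still checks out, and whether it will survive its certificate's expiry (the timestamp point made in the post above), can be read straight from Get-AuthenticodeSignature. The following is an added example, not from the article or any commenter; the folder path is an assumption.

```powershell
# Added example, not from the article or any commenter. Reports the Authenticode
# state of every script under a folder. The folder path is an assumption.
function Get-ScriptSignatureReport {
    param([Parameter(Mandatory)] [string] $Root)

    Get-ChildItem -Path $Root -Recurse -Include *.ps1, *.psm1 -File | ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate
        [pscustomobject]@{
            Path        = $_.FullName
            # Valid, NotSigned, HashMismatch (content changed after signing),
            # NotTrusted (signer does not chain to a trusted root), ...
            Status      = $sig.Status
            Signer      = if ($cert) { $cert.Subject } else { $null }
            Thumbprint  = if ($cert) { $cert.Thumbprint } else { $null }
            CertExpired = if ($cert) { $cert.NotAfter -lt (Get-Date) } else { $null }
            # A countersignature from a timestamping service is what lets a signature
            # outlive its certificate; absent that, an expired cert means re-signing.
            TimeStamped = $null -ne $sig.TimeStamperCertificate
        }
    }
}

# Anything that should not be allowed to run under an AllSigned policy:
# modified or unsigned scripts, untrusted signers, and signatures leaning on an
# expired certificate with no timestamp.
Get-ScriptSignatureReport -Root 'C:\Scripts' |
    Where-Object { $_.Status -ne 'Valid' -or ($_.CertExpired -and -not $_.TimeStamped) } |
    Format-Table Path, Status, Signer, CertExpired, TimeStamped -AutoSize

# The execution policy is what makes the signature requirement bite. Check every
# scope: a Process or CurrentUser setting overrides LocalMachine, and the Group
# Policy scopes (MachinePolicy, UserPolicy) override all of them.
Get-ExecutionPolicy -List
```

HashMismatch is the status you would see for the "add a Write-Output line" case discussed earlier in the thread: the file content no longer matches the signed hash, so an AllSigned policy refuses to run it.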

            2. Anonymous Coward

              Re: Uber

              "Windows won't proxy connections to CRLs."

              Sure it will if you are competent to know how:

              bitsadmin /util /setieproxy localsystem AUTOSCRIPT http://yourcompany.com/proxy.pac

    2. steviebuk Silver badge

      Re: Uber

      Probably will now.

      1. Anonymous Coward

        Re: Uber

        Maybe the hack is an insider job to give them the Shaggy defense for their demise instead of their shabby treatment of members and IMHO scandalous abuse of country's social security mechanisms.

  2. Missing Semicolon Silver badge
    Mushroom

    Nothing to see..

    Give it 6 months, Uber will be operating unchanged, with a token bit of money paid.

    If every single other data breach of any large company is any guide.

    1. katrinab Silver badge
      Alert

      Re: Nothing to see..

      That depends if they got access to senior executives emails, and if they contained anything even more incriminating than what we already know.

      1. druck Silver badge

        Re: Nothing to see..

        We can only hope they dump the entire lot on the web for shits and giggles, exposing the vast catalogue of illegal activity in every jurisdiction Uber operates.

  3. Ian Johnston Silver badge

    It will be very interesting to learn, as a result of the inevitable data leak, what exactly Uber high-ups say to each other about compliance with laws around the world.

  4. sitta_europea Silver badge

    ... "Instead of doing anything, a good portion of the staff was interacting and mocking the hacker thinking someone was playing a joke," ...

    The culture is determined by those at the top.

  5. breakfast
    Mushroom

    Just a thought

    I realise that the hacker probably isn't going to be reading comments on El Reg and even if they were who wants to waste valuable blackmail material, but it would be pretty sweet to do an rm -rf across every system they have access to, which sounds like it's basically all of them. Starting with the back-ups. It would be nice if something happened to persuade organisations to take security seriously and it couldn't happen to a more deserving company than Uber.

    1. Spazturtle Silver badge

      Re: Just a thought

      You can also wipe the SPD of the RAM turning it into a (thin lightweight) brick, the manufacturer will be able to reflash it but it would be a huge task to replace every stick of RAM. Many monitors also allow you to flash the EDID over the HDMI connection. You can also wipe the BIOS and Video BIOS from the mobo and graphics card, wipe the firmware from hard drives and SSDs, wipe the TPM.

      If you have a basic understanding of i2c and Linux then you can turn most parts of a PC into a brick as it is very rare for them to be write protected (which is good when I want to mod my own hardware but not good for servers).

    2. VoiceOfTruth

      Re: Just a thought

      While that sort of sentiment is amusing, it is also wrong.

      It is not fun for the people dealing with it. If data is dumped out on the internet it won't be fun for those affected. Moreover, don't pretend that it couldn't happen to your organisation. Do you personally vet every email that has an attachment, or check every script that Joe has written, or check S3 bucket configurations (if you use that or an equivalent), or every firewall rule? Unless you are a one-man band, you won't be doing that.

      Indeed it would be good if organisations took security more seriously. But perhaps Uber thought they were doing that. Perhaps they have a security team with written rules about not hard coding usernames/passwords, yet Joe did it anyway. They should certainly keep data segregated. That is an architectural failing. But that is not the fault of everybody at Uber or anywhere else.

    3. M.V. Lipvig Silver badge

      Re: Just a thought

      Before doing that, use corporate assets to buy a ton of crypto, then get it converted to cash in some third world nation's bank, and start moving it around until it's all safe in some Cayman account. And, if you're a USAian, make sure to declare it all as foreign income. It wasn't the FBI that got Al Capone, it was the IRS. Keep the IRS happy and you'll get away with it.

      1. John Brown (no body) Silver badge

        Re: Just a thought

        If it had been the Norks doing it, that's probably what would have happened. They are probably kicking themselves now for not getting in first :-)

  6. Anonymous Coward

    Hacked... or...

    Could it be another candidate for 'On Call'/'Who, Me?'... someone hit 'the feds are coming' kill switch by mistake

    1. teknopaul

      Re: Hacked... or...

      Seems you were right.

      "Various corporate systems have now been shut down by Uber."

      We are cooperating with the feds, by flipping them the bird and shutting everything down.

      Sooner Uber die the better.

      Proud to say my city chucked them out long ago and we have plenty of friendly taxi apps instead; taxes are paid and nobody gets raped or murdered on the back seat of a fake cab with people in the States listening in and laughing.

  7. Mike 137 Silver badge

    Lack of adequate policies and training yet again

    From The New York Times: "The person who claimed responsibility for the hack told The New York Times that he had sent a text message to an Uber worker claiming to be a corporate information technology person. The worker was persuaded to hand over a password that allowed the hacker to gain access to Uber's systems, a technique known as social engineering."

    If the policy says "don't share your password" it shouldn't make any difference who asks for it - you just don't share it. Plus of course there should be some way to distinguish between internal and external phone calls. It's obvious that corporate "user policies" still don't work - probably to a great extent because they're not backed by effective training, monitoring or incident response. The greatest source of failure in infosec is still not technical - it's sloppy management.

    1. John Brown (no body) Silver badge

      Re: Lack of adequate policies and training yet again

      "If the policy says "don't share your password" it shouldn't make any difference who asks for it - you just don't share it."

      We get "pen tested" every now and then by an outside company. It's usually, from a user's point of view, some "important" email with a link to follow where we need to log in. The link is so long that it's nigh on impossible to check where it's really going from the browser address bar. It looks very much like the common sort of stupidly long links our systems use. I usually follow the link, find a realistic looking login page, enter my username (my publicly available email address), then enter "password" for the password. A page opens telling me all about what just happened, why I shouldn't follow "unknown" links and auto-subscribes me to a 10 minute security "training" course, which I complete. After the 3rd or 4th occasion, I get a phone call from my manager, sounding a bit upset. So I tell him I was testing out the quality of the phishing attempt because it was abnormally good but wasn't stupid enough to use my real password, and if the pen testers were doing their job properly instead of using automated scripts, they'd have known that I'd not fallen for it.

      He asked me not to do it again as it was raising red flags but copied me in on the email back to "security" explaining how poor the pen testing was and was it really worth the money :-)

      1. Anonymous Coward

        Re: Lack of adequate policies and training yet again

        The problem with your fun (and I really think it is) is that were the page to be booby trapped with a zero-day, your machine would be infected regardless of the password you entered, so please don't suggest this to the masses.

        1. John Brown (no body) Silver badge

          Re: Lack of adequate policies and training yet again

          Good point! :-)

      2. Anonymous Coward

        Re: Lack of adequate policies and training yet again

        Our annual anti-phishing training arrives as an email with a link to the training website; when you click it, you get the corporate SSO login webpage. That's the actual login for the training, not a phishing exercise in itself, but of course it's indistinguishable from phishing (unless you're vigilant and technically competent enough to verify that it's the real SSO site).

        So our security team is training users to avoid phishing by training them to fall for it.

        Many of us have pointed this out to them, time and again. They either don't understand, or they don't care.

  8. Blazde Silver badge

    "I announce I am a hacker and Uber has suffered a data breach"

    This now has to be rock-bottom for cool hacker aesthetic, and confirmation a revival is imminent. Time to dust off the mirror-shades and stop using the letter f.

  9. This is not a drill

    Password Only Admin access??

    I assume that in UBER MFA stands for Major F***up Achieved.

  10. Screepy

    Just changed my password..

    I have used Uber quite a few times and have found it fairly handy.

    Saw this article and nipped into the app to change password.

    It didn't prompt me for MFA when I logged in.. odd.

    Checked my account settings and MFA was disabled, also odd as I keep track of when I enable MFA on my accounts - with Uber I enabled it end of last year.

    Not sure why it was disabled again, either something nefarious going on or an update to the app over the last few months reset some stuff including MFA but didn't let me know.

    *sigh

    password changed, MFA re-enabled.

    1. iron

      Re: Just changed my password..

      Nowhere does the article say Uber have booted the hacker from their network, it would appear he or she still has access, so you've potentially just given them your new password. Well done.

      1. Anonymous Coward

        Re: Just changed my password..

        If UBER uses a terrible MFA application, then they also have the user keys, which never change on some organisations' applications, even when performing a reset on an account.

      2. Screepy

        Re: Just changed my password..

        @iron

        Curses!

        You're right. I didn't think that through did I.

        Now all I've done is flag that the account is certainly active (I hadn't used it for months before changing the pw today).

        Rats.

        I guess one good thing is my payment method is linked to PayPal which pings me with an MFA message before going through, other than that my phone number/address/last trips etc are probably all in the hands of the fiend.

        It's the dunce hat for me.

        1. M.V. Lipvig Silver badge

          Re: Just changed my password..

          Don't worry about it. The hacker has all your uber passwords. I would unlink any payment methods from it though, to be safe, and remove your home address and phone number until it's over. As long as they don't have access to money, you're golden.

  11. anothercynic Silver badge

    Slow clap

    Well done Uber. Well done. *very very slow clap*

  12. Eponymous Bastard
    Coat

    Trust?

    Why did anyone trust a jumped-up start-up which shafted some more ethical business models, and expect it to have any moral fibre let alone a proper budget for network security? I'll get my coat even though the fresher mornings here in Cornwall only require such protection when the rain falls which has been often of late. That same precipitation helps to dilute the shit that flows into the ocean from South West Water's "treatment works"

  13. John Brown (no body) Silver badge

    The disrupter disrupted?

    Uber are incredibly lucky it wasn't someone with more evil intent. By the sounds of it, they could have pretty much wiped out Uber if they had cared enough to do so. A $$multi-billion business, everything online, cloudy stuff they can't properly protect. I wonder if they could have recovered from someone wiping all those systems where access was gained? Is *everything* backed up? Offline backups? Tested offline backups?

    Our company does a "disaster recovery" exercise every year. The official start of the process is someone quite senior pulling the breaker switch on a Friday evening. The guys have until 8am Monday to be 100% back up and running on the original kit. It normally takes about 12 hours to recover fully while everything ticks over on the backup systems so hopefully no actual downtime.

  14. MachDiamond Silver badge

    Another junk company

    At the beginning of the article, Uber is called a "disruptor". When I see the "D" word, I think of a company that has lots of investor cash and has had enough time to build a big enough user base so that normal laws won't apply to them. Those are the laws and regulations that the rest of their industry has abided by for years and had set a high enough barrier to entry to make the endeavor worth pursuing. New York City had/has a medallion program for taxis to place a limit on how many taxis there would be. That's good for all. The pie is only so big and having an unlimited number of taxis just makes it unprofitable for everyone. The cost of the medallions was pretty substantial, but market forces set the price. Uber and Lyft come along and give the authorities the finger because App. Everybody driving for them is an independent contractor so the company doesn't have much of an employee cost. They don't have equipment costs or have to pay for maintenance. The drivers often don't have a commercial driving license with a passenger endorsement nor commercial insurance, while at the same time all of the insurers of private vehicles have in their terms that no coverage is extended if the policy holder is driving for Uber/Lyft in particular or in any capacity where they are driving people and sometimes products for compensation.

    It looks like we can see that Uber went further with their outsourcing to running their operation on other companies' hardware. Still, they don't make money. Journalists need to take a magnifying glass to a dictionary and look up the word "disrupt". To me, it's a negative. If somebody came along with a real Mr Fusion that was safe and cheap, that would be a true disruption to the energy industry. A company coming along and just building nuclear power plants while bypassing all of the laws that pertain to them for planning and approvals isn't a disruptor, it's a criminal.

    1. John Brown (no body) Silver badge

      Re: Another junk company

      "The cost of the medallions was pretty substantial, but market forces set the price."

      That's actually a major part of the problem IMHO. Why should "market forces" determine the price? It's effectively a social service provided and managed by the city, hopefully to an optimum level. Surely it would be better to sell the medallions to applicants at a reasonable rate based on fitness for the job, aptitude and whatever other relevant qualifications are deemed necessary. Not the people with the deepest pockets. If the medallions weren't sold at extortionate rates, maybe the drivers could make a living while charging lower rates to passengers and truly be independents.

      I do like your more correct description of a "disrupter" though. :-)

      1. MachDiamond Silver badge

        Re: Another junk company

        "Why should "market forces" determine the price?"

        Mostly because city officials aren't competent enough to make the determination. The taxi companies are in a much better position to know what the maximum price worth paying is and that price will adjust much faster to match the current market. Anything the city does takes ages.

        I have suggested a similar thing for concert tickets rather than the odd laws against "scalping". Set it up on big shows as an auction starting at $1 (or whatever). The front row will go for the most money and prices will diminish as you get to the nosebleed seats. The thing is that the nosebleed seats might sell for some minimum price, but it's still butts in seats from people that have paid for parking, concessions and merch. If you got a ticket for $1, you may have money for a $30 tour T-shirt. The band plays to a full house more often and the maximum money has been extracted for that show. Of course, if Ticket Disaster is handling the tickets, it will be $1 for the ticket and $30 in fees for the cheap seats so they might not sell.

  15. Steve Hersey

    The jokes just write themselves here...

    The intruder "found ... a Powershell script with hard-coded credentials for an administrator account ..."

    This isn't the first major data breach at Uber; therefore, the logical conclusion is that they're hopelessly incompetent (in addition to being duplicitous, evil, and exploitative, which are evident from other events). A competent IT and security team would long since have stopped hard-coding account credentials in shell scripts.

    1. Anonymous Coward

      Re: The jokes just write themselves here...

      So the more important question is how did this all get missed after the last hack. Surely they paid Mandiant (or whomever) a pretty penny.
