Home>Blog>The Hacker News Headlines>Uber Claims No Sensitive Data Exposed in Latest Breach… But There’s More to This
The Hacker News Headlines

Uber Claims No Sensitive Data Exposed in Latest Breach… But There’s More to This

Uber Hack

Uber, in an update, said there is “no evidence” that users’
private information was compromised in a breach of its internal
computer systems that was discovered late Thursday.

“We have no evidence that the incident involved access to
sensitive user data (like trip history),” the company said[1]. “All of our services
including Uber, Uber Eats, Uber Freight, and the Uber Driver app
are operational.”

The ride-hailing company also said it’s brought back online all
the internal software tools it took down previously as a
precaution, reiterating it’s notified law enforcement of the
matter.

It’s not immediately clear if the incident resulted in the theft
of any other information or how long the intruder was inside Uber’s
network.

Uber has not provided more specifics of how the incident played
out beyond saying its investigation and response efforts are
ongoing. But independent security researcher Bill Demirkapi
characterized Uber’s “no evidence” stance as “sketchy.”

“‘No evidence’ could mean the attacker did have access, Uber
just hasn’t found evidence that the attacker *used* that access for
‘sensitive’ user data,” Demirkapi said[2]. “Explicitly saying
“sensitive” user data rather than user data overall is also
weird.”

CyberSecurity

The breach allegedly involved[3]
a lone hacker, an 18-year-old teenager, tricking an Uber employee
into providing account access by social engineering the victim into
accepting a multi-factor authentication (MFA) prompt that allowed
the attacker to register their own device.

Upon gaining an initial foothold, the attacker found an internal network share[4]
that contained PowerShell scripts with privileged admin
credentials, granting carte blanche access to other critical
systems, including AWS, Google Cloud Platform, OneLogin,
SentinelOne incident response portal, and Slack.

Worryingly, as revealed[5]
by security researcher Sam Curry, the teen hacker is also said to
have gotten hold of privately disclosed vulnerability reports
submitted via HackerOne as part of Uber’s bug bounty program.

HackerOne has since moved to disable Uber’s
account[6], but the unauthorized
access to unpatched security flaws in the platform could pose a
huge security risk to the San Francisco-based firm should the
hacker opt to sell the information to other threat actors for a
quick profit.

Uber Hack Uber Hack Uber Hack Uber Hack

So far, the attacker’s motivations behind the breach are
unclear, although a message posted by the hacker announcing the breach[7]
on Slack included a call for higher pay for Uber’s drivers.

A separate report from The Washington Post noted[8]
that the attacker broke into the company’s networks for fun and
might leak the company’s source code in a matter of months, while
describing Uber’s security as “awful.”

“Many times we only talk about APTs, like nation states, and we
forget about other threat actors including disgruntled employees,
insiders, and like in this case, hacktivists,” Ismael Valenzuela
Espejo, vice president of threat research and intelligence at
BlackBerry, said.

“Organizations should include these as part of their threat
modeling exercises to determine who may have a motivation to attack
the company, their skill level and capabilities, and what the
impact could be according to that analysis.”

The attack targeting Uber, as well as the recent string of
incidents against Twilio[9], Cloudflare[10], Cisco[11], and LastPass[12], illustrates how social
engineering continues to be a persistent thorn in the flesh for
organizations.

CyberSecurity

It also shows that all it takes for a breach to take place is an
employee to share their login credentials, proving that
password-based authentication is a weak link in account
security.

“Once again, we see that a company’s security is only as good as
their most vulnerable employees,” Masha Sedova, co-founder and
president of Elevate Security, said in a statement.

“We need to think beyond generic training, instead let’s pair
our riskiest employees with more specific protective controls. As
long as we continue to address cybersecurity as solely a technical
challenge, we will continue to lose this battle,” Sedova added.

Incidents like these are also proof that Time-based One Time
Password (TOTP) codes – typically generated via authenticator apps
or sent as SMS messages – are inadequate at securing 2FA
roadblocks.

One way to counter such threats is the use of phishing-resistant
FIDO2-compliant physical security keys[13], which drops passwords
in favor of an external hardware device that handles the
authentication.

“MFA providers should *by default* automatically lock accounts
out temporarily when too many prompts are sent in a short period of
time,” Demirkapi said, urging organizations to limit privileged
access.

References

  1. ^
    said
    (www.uber.com)
  2. ^
    said
    (twitter.com)
  3. ^
    allegedly involved
    (thehackernews.com)
  4. ^
    internal
    network share     (twitter.com)
  5. ^
    revealed
    (twitter.com)
  6. ^
    disable Uber’s account
    (hackerone.com)
  7. ^
    announcing the breach
    (twitter.com)
  8. ^
    noted
    (www.washingtonpost.com)
  9. ^
    Twilio
    (thehackernews.com)
  10. ^
    Cloudflare
    (thehackernews.com)
  11. ^
    Cisco
    (thehackernews.com)
  12. ^
    LastPass
    (thehackernews.com)
  13. ^
    physical security keys
    (thenextweb.com)

Read more

Leave a Reply

Powered By Anakyst UK Work done easy Discover Great Places People Websites in Nigeria. Be Discovered and Discover Great Places People Products & Websites in Nigeria. Tell us what you need to advertise online onradio ontv and where you want to advertise and discover talented publishers and advertisers within minutes for just a fraction of the cost!JobScout | Developed By Rara Theme. Powered by WordPress.