Uber Paid Hacker $100k Hush Money; Didn’t Disclose Breach

This may turn out to be a lesson in Internet law for everyone.

In October 2016, hackers breached Uber’s systems and made off with personal information for 57 million customers. They also made off with other information for 7 million Uber drivers and 600,000 driver’s license numbers.

Uber says that no Social Security numbers, credit cards or trip information were taken.

At the time, Uber was fighting with U.S. regulators regarding privacy violations.  Someone inside the organization decided that, given what was going on, maybe burying this breach might be a better idea than fessing up.

So Uber paid the hackers $100,000 to “delete” the data.  I am sure that they did that because they are people of honor.  Then they buried the incident.

Fast forward a year and Uber has a new CEO after a whole bunch of bad press.  The CEO hires an outside law firm to help clean up the old west and what do they discover but an old breach, a $100,000 ransom and an oopsie, we forgot to report this.

Paying the ransom is probably not illegal.

Not telling shareholders that they were breached, well that is less clear.  I guess they could say that a breach of 57 million customers is not material.  Unless, that is, word about it gets out and they get sued – which is exactly what is happening now.

Not telling regulators about that – pretty clear that is illegal.

And, given that Uber operates in most states in the U.S. and there are different privacy laws in each of the states, they likely broke the law in a whole bunch of states.

IF, and this is not clear, there was information on residents of foreign countries, they likely broke foreign laws as well.

Here is the lesson in Internet law.

Since the breach was disclosed, the New York AG has said he is investigating and a lawsuit has been filed seeking class action status.

Uber’s co-founder learned of the breach in November 2016, right after Uber had settled a privacy lawsuit with the New York AG and was negotiating with the FTC over the handling of consumer data.  Apparently he decided not to tell the AG or the FTC.

The hack was pretty simple. The hackers found a private GitHub repository that apparently was not adequately (or at all) protected and found Amazon Web Services credentials in that repository. They logged on to Amazon, found the data and attempted to extort Uber.
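The root cause above was a credential pair sitting in a repository. A pre-commit style scanner for exactly that mistake, written as an added example for this post (not Uber’s or anyone else’s code): it looks for the shape of an AWS access key ID (20 characters starting with AKIA or ASIA) and for 40-character base64-style strings whose entropy is too high to be prose. The sample file and the 4.0 bits/char threshold are assumptions; the key values are AWS’s published documentation placeholders.

```python
import math
import re
from collections import Counter

# Access key IDs are 20 chars beginning with AKIA (long-term) or ASIA (temporary).
# Secret keys are 40 chars of base64-style characters, matched by shape plus entropy.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
SECRET_CANDIDATE_RE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])")
MIN_SECRET_ENTROPY = 4.0  # assumed cut-off in bits/char; real keys score well above prose


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-character string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Keep only a short prefix so the report does not re-leak the credential."""
    return value[:4] + "..." + "*" * 4


def scan_text(text: str):
    """Return a list of (line_number, kind, redacted_value) findings for one file's text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((lineno, "aws_access_key_id", redact(m.group())))
        for m in SECRET_CANDIDATE_RE.finditer(line):
            # 40 identical characters also match the shape; entropy throws them out
            if shannon_entropy(m.group()) >= MIN_SECRET_ENTROPY:
                findings.append((lineno, "aws_secret_access_key", redact(m.group())))
    return findings


# Constructed sample mimicking a credentials file committed by mistake. The values
# are AWS's documentation placeholders, not live credentials.
SAMPLE_CONFIG = """\
[default]
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
padding = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
"""

if __name__ == "__main__":
    for lineno, kind, value in scan_text(SAMPLE_CONFIG):
        print(f"line {lineno}: {kind} {value}")
```

Run it over every file in a commit and refuse the commit on any finding; the padding line shows why the entropy check is needed alongside the regex.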

Uber does not have a reputation as a model citizen; in fact they have been involved in at least five criminal probes over bribes, illegal software, questionable pricing schemes and other issues.  This fits right in there.

Uber has brought in some high priced talent to help sort out the mess and rehabilitate their image, the former GC of the NSA, for example (not sure they should be a role model for Uber). Based on some questionable NSA activities in the past, he may fit right into Uber’s culture.

What we don’t know at this point is what the various state regulators are going to do about this.  I assume that regulators COULD revoke Uber’s license to operate in their state, but I doubt that will happen.

Could the various states file criminal and/or civil charges? That, I suspect, is much more likely, especially since Uber knowingly covered up the breach.

I am sure that it will be at least a few months before we have any idea on the scope of the fallout.  Given Uber’s past and very rocky relationship with regulators, those same regulators may decide that it is payback time.

Information for this post came from Bloomberg.


Gov May Block Malicious Content on Gov Computers but Not Yours

I have long complained about ads on web sites delivering malicious content in addition to ads.  In fact, I have even advocated blocking ads because of it, but since most web sites exist because of the revenue generated from those ads, the ad content is only getting more invasive.

There have been many incidents of ads serving up malware and infecting computers in homes, businesses and government offices, so this is a real problem.  And, of course, if that malware gets onto government computers, it could steal important stuff.  Not like the malware on your computer or mine (or at least that seems to be what they are saying).

The government has a solution.  Sort of.  US Senator Ron Wyden sent a letter to White House cybersecurity coordinator Rob Joyce asking him to coordinate discussions with the advertising industry to end the delivery of malicious ads on government networks.

That’s not a bad thing although I am not sure why Wyden thinks it is OK to deliver malicious ads to you and me – just not to the government.

The good news is, of course, if they actually implement something to stop the delivery of malicious ads to government computers, they will likely implement it everywhere.

But after he makes this sort of benign request, he ups the ante.

If, after 180 days, you are not completely confident that the ad industry will effectively address this cyber threat, then have DHS issue a binding order requiring federal agencies to block all ads containing executable code.

I am sure that Google and the advertising industry are thrilled. NOT!

In the industry’s defense, I am sure that they are trying to block malicious content; the only question is how hard. After all, even malicious ads generate revenue and it is hard to filter all ads.

If the White House takes Wyden seriously that could be a problem for the advertising industry. Whatever the government does, other businesses are likely to follow and the end result would be a reduction in ad revenue if people start blocking ads in even larger quantities than they are doing today. Software like Adblock Plus is pretty popular. According to one stat, 26% of desktop users and 15% of mobile users currently block ads. If that only goes up a few percentage points that would be expensive to Google and the ad industry.

Sites that look for ad blockers and which won’t let you visit the site if you are blocking ads (like Forbes.com, for example) would be completely off limits to government workers.  That alone would, I think, motivate the industry to get off its rear and solve the problem.

Stay tuned and let’s see what Washington does. If they really do something, that would be very helpful.

As I said, stay tuned.

Information for this post came from Bleeping Computer.


A Warning About Two Factor Authentication

I have been a strong advocate for two factor authentication and still am, but I ran across a situation yesterday that made me realize that there is something that you need to consider when you implement two factor.

The situation that I encountered was a user that was using text messages for two factor authentication and those text messages were going to his cell phone.  Without understanding the implications, the user cancelled that cell phone and lost control of the phone number.  When that happened, the user lost the ability to sign into the account protected by that phone number.

This is very similar to forgetting your password, but most vendors have made recovering your lost password easy – too easy in my opinion, but we are used to it. I have to admit, I have used it. Typically they send an email to the registered email address and you can reset your password. If a hacker gets into your email they too can reset any password, which is why I say that it is too easy.

The problem, or question, is this: if you lose access to your phone number (and notice I didn’t say your phone, but rather your phone number, because if you lose your phone but still control the number, you can move that number to any new phone and still get those text messages), does the vendor have a mechanism to recover access to the account?

Let’s say you protect your bank account with two factor. Likely, you can go into the bank in person, show a banker your government issued picture ID and they can remove the two factor requirement or change the phone number. MAYBE. Worst case, you can go into that same bank and close your account, take your money and open a new account.

But what if the account is Facebook? There is no Facebook store to go into to do the same thing and closing your Facebook account will cause you to be disconnected from everyone. Of course, possibly, losing access to Facebook might give you a lot of time back in your day.

OK, so now I scared you out of using two factor authentication.  Let me see if I can make you OK with two factor.

First, if the web site allows it, you should create a backup authentication option.  For example, many companies will allow you to get your second factor via text message OR phone call. Or possibly via text message OR email.  If they allow that, then make sure that you set that up.  That way, if you lose access to your phone number, you can still log in after receiving the code via phone call or email.  DO NOT make the phone number the same phone number that you get your text messages from.  Remember that the issue is that you lost control of that phone number.  Use a home phone or work phone or spouse’s phone or just something different.

Next, make sure that you keep track of what those second methods are.  Sometimes a web site will display an option showing you how you can receive the second factor.  If it does, pay attention and make sure that you still have access to it.

Do not release your phone number unless you are sure that anything that you are using it for has been accounted for.  If you have to change your phone number for some reason, look at all the accounts that use it to protect and disable two factor before you get rid of that number and then turn it back on with the new number.

Talk to your phone carrier and add a password to your mobile phone account.  While hackers can sometimes social engineer their way around that, it makes it more difficult.  That will reduce the odds that you will lose access to that phone number.

Finally, ask the vendor what their policy is for resetting two factor authentication.  Even Google has a method to do this.  It is a bit of a pain and it can take a couple of days, but it is possible.

As two factor becomes more popular, vendors are going to have to deal with this new reality, but it will take some time.

Finally, if you use two factor authentication apps like Facebook Authenticator, those are more portable.  As long as you don’t lose access to your Facebook account, you can still access authenticator – from any phone – as long as your access to Facebook is not protected solely by a two factor authentication to that lost phone NUMBER.

I know, something else to worry about.  I think as long as you set up two different methods to receive that second factor, you are pretty safe.  Just keep it in mind.
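The audit the advice above asks you to do by hand (which accounts would lock you out if this number went away, and which setups have every method hanging off one number) as an added example for this post, not a vendor’s or the author’s code. The factor kinds, the account list and the phone numbers are constructed; only SMS and voice are treated as tied to a number.

```python
from dataclasses import dataclass


@dataclass
class Factor:
    """One way an account delivers or verifies the second factor."""
    kind: str    # "sms", "voice", "email", "totp_app", "backup_codes"
    target: str  # phone number, e-mail address, or device label


@dataclass
class Account:
    name: str
    factors: list  # of Factor


PHONE_BOUND = {"sms", "voice"}  # kinds that stop working once the number is gone


def surviving_factors(account, lost_number):
    """Factors that still work after lost_number is cancelled."""
    return [f for f in account.factors
            if not (f.kind in PHONE_BOUND and f.target == lost_number)]


def lockout_report(accounts, lost_number):
    """Map account name -> True when giving up lost_number would lock the user out."""
    return {a.name: not surviving_factors(a, lost_number) for a in accounts}


def config_warnings(account):
    """Flag the setups the post warns against, before the number is ever lost."""
    warnings = []
    if len(account.factors) < 2:
        warnings.append("only one second-factor method registered")
    numbers = {f.target for f in account.factors if f.kind in PHONE_BOUND}
    if len(account.factors) >= 2 and len(numbers) == 1 and all(
            f.kind in PHONE_BOUND for f in account.factors):
        warnings.append("all methods depend on the same phone number")
    return warnings


# Constructed sample: the number about to be cancelled, plus three accounts.
LOST = "+1-555-0100"
ACCOUNTS = [
    Account("bank", [Factor("sms", LOST), Factor("voice", "+1-555-0199")]),
    Account("social", [Factor("sms", LOST)]),
    Account("mail", [Factor("sms", LOST), Factor("voice", LOST)]),
]

if __name__ == "__main__":
    print(lockout_report(ACCOUNTS, LOST))
    for account in ACCOUNTS:
        print(account.name, config_warnings(account))
```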


Amazon Inside Delivery Security Already Compromised

Remember a few weeks ago when Amazon said they had a solution to packages being stolen off people’s porches?  It involved a remote control door lock and a security camera.  Many people – not just security people – winced at the idea.  After all, what could possibly go wrong?

Well just a couple of weeks later we now know the FIRST answer to that question.

That Internet enabled camera was connected to the door lock via the Zigbee wireless protocol and via WiFi to the Internet. Neither of those channels is terribly secure.

Researchers have now demonstrated that from a computer within WiFi range (probably even a phone) running a simple program, the camera can either be disabled or left with the last image frozen on the screen.  The viewer (the homeowner) would either see a blank screen or perhaps the closed door from just before the rogue delivery person enters the house and robs you blind.

The hack is incredibly simple and a well known attack. The crook sends the camera a “deauth” command, kicking it off the WiFi network (which is why, at the very least, you want that camera to be hard wired to the Internet, even though that is not as cheap, easy or pretty as doing it via WiFi). If the attacker keeps sending that command, the camera keeps getting kicked off and never really gets back online. The camera/server, for some stupid reason, does not generate an alarm warning the user that the house may be burgled, but rather it just shows the last frame that it captured.

At this point the delivery person/burglar opens the door again, moves outside of the field of view of the camera and stops attacking the camera.  Now the crook sends a lock command and everything looks like it should look.

After stealing all your stuff, the bad guy exits the house via a different exit (door or window).

The attacker could also trigger the deauth right as the driver is leaving and since kicking the camera off WiFi would also disable the lock since it piggybacks off the WiFi camera, the driver would think he locked the door when he did not.  Hopefully, the driver will verify that the door is actually locked before he leaves.

These attacks require a great deal of patience to implement, so they are not high risk, and Amazon plans to issue a patch, although a deauth is a valid WiFi operation. Maybe they will generate an alert.

Amazon also says that they will call a customer if the lock remains unlocked (at least unlocked in the mind of the computer) for more than a few minutes – assuming they can reach the customer and assuming the customer is close to the house.  If the door is unlocked and the customer is in another city or state, what good does a call do?
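The missing piece the two paragraphs above complain about is a monitor that treats a dead camera feed as an alarm instead of freezing the last frame, and that times out a door that stays unlocked. An added example of that server-side logic (not Amazon’s code); the 30 second stale-frame window, the 5 minute unlocked window and the event timeline are assumptions.

```python
from dataclasses import dataclass

STALE_AFTER_S = 30      # assumed: no new frame for this long means the camera is offline
UNLOCKED_ALARM_S = 300  # assumed: door reported unlocked this long triggers the customer call


@dataclass
class DeviceState:
    last_frame_ts: float      # arrival time of the newest camera frame
    lock_state: str           # "locked" or "unlocked", as last reported by the lock
    lock_state_since: float   # when that lock state was reported
    delivery_active: bool     # an in-home delivery session is open


def assess(state, now):
    """Alerts that should fire right now, instead of silently showing the last frame."""
    alerts = []
    if now - state.last_frame_ts > STALE_AFTER_S:
        alerts.append("camera_offline")
        if state.delivery_active:  # the window the post describes: feed lost, door maybe open
            alerts.append("camera_offline_during_delivery")
    if state.lock_state == "unlocked" and now - state.lock_state_since > UNLOCKED_ALARM_S:
        alerts.append("door_left_unlocked")
    return alerts


def replay(events, poll_every=10):
    """Apply (ts, kind, value) events in time order, polling assess(); returns [(ts, alert)]."""
    state = DeviceState(last_frame_ts=0.0, lock_state="locked",
                        lock_state_since=0.0, delivery_active=False)
    events = sorted(events, key=lambda e: e[0])
    fired, out, idx, t = set(), [], 0, 0
    while t <= events[-1][0]:
        while idx < len(events) and events[idx][0] <= t:
            ts, kind, value = events[idx]
            idx += 1
            if kind == "frame":
                state.last_frame_ts = ts
            elif kind == "lock":
                state.lock_state, state.lock_state_since = value, ts
            elif kind == "delivery":
                state.delivery_active = value
        for alert in assess(state, t):
            if alert not in fired:  # report each alert the first time it fires
                fired.add(alert)
                out.append((t, alert))
        t += poll_every
    return out


# Constructed timeline: frames every 5 s; delivery starts and door unlocks at t=50;
# frames stop after t=60 (camera knocked offline); lock reported locked at t=400.
SAMPLE_EVENTS = [(t, "frame", None) for t in range(0, 61, 5)] + [
    (50, "delivery", True), (50, "lock", "unlocked"), (400, "lock", "locked")]
```

With the sample timeline the camera-offline alerts fire at t=100, well before the unlocked-door timeout at t=360, which is the ordering a customer call alone cannot give you.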

And, attacks often become more sophisticated over time.  This is only the very first attack.

Stay tuned, this game is not over yet.

Information for this post came from Wired.


Feds Talk About Using Software Bugs Against You

Under President Obama, the feds created this non-binding policy document called the Vulnerability Equities Process. This came after Snowden disclosed a long assumed fact: the spy organizations were hoarding bugs to use against whomever they wanted rather than telling the developers about them so that they could be fixed. Of course, we are hardly alone in doing that. Every country likely does that.

The policy was kind of loose and since it wasn’t a law, people sometimes followed the directive and sometimes didn’t – but of course, we never knew anything about it.  It was one of those “We’re from the government, we’re here to help you – trust us”.

Even the government admitted that the policy wasn’t super effective, but nothing changed.  This week they rolled out – with not much fanfare (it was released by a mid level White House bureaucrat) – Vulnerability Equities Process 2, the sequel.

One thing this new document did was explain at least some of the process, who is involved and what the guidelines are.  It also says that the government needs to report on an annual basis some statistics – how many bugs were hoarded and how many shared with the vendors.

Of course this is still just a policy document, so it really carries very little weight and no penalty at all.

This new document comes on the heels of a Freedom of Information Act LAWSUIT.  Maybe just a coincidence, but more likely, the government probably felt more dirty laundry would come out during discovery and trial and if they dribbled out a little bit of information, maybe the lawsuit will go away.  Stay tuned on that count.

The board that decides these things consists of representatives from 10 agencies including the CIA, Defense, Justice, Treasury and other agencies.

The board is supposed to consider how broadly the product affected is being used, how easy it might be for someone else like the Chinese to discover the same bug and what the consequences might be if the Chinese, for example, did discover some bug that the government is hoarding.

The new policy says that the executive branch has to generate both a classified and unclassified report to Congress.  We will see when the first report happens and what it looks like.

One hole in this policy the size of an 18 wheeler is that if a bug is disclosed to the government by a white or black hat hacker under an NDA (which is pretty common), then they don’t have to go through the process.  I guess it would be nice to have a stat on how many bugs slipped through that loophole and whether the government is suggesting to people who want to share a bug with them “hey, I think you should do this under an NSA.  Oh, oops, I meant NDA.”


Information for this post came from Dark Reading.


The Active Cyber Defense Certainty Act – What COULD Go Wrong

Most of the time we feel pretty helpless when it comes to going after hackers.  There is a good reason for that  – for the most part, we are helpless.  The hackers operate under their own rules and law enforcement really isn’t equipped to deal with them.  It is hard enough for the cops to catch burglars and murderers (how many of those cases go unsolved every year), but when it comes to cyber crimes, I would hazard a guess that 999 out of every 1,000 go unsolved.

Enter ACDC, the Active Cyber Defense Certainty Act. This bill would allow businesses, within certain parameters, to hack back at the hackers to destroy stolen information and try to unmask the hackers, as long as they don’t do damage.

There was a recent case where this was tried with no success and I think this is going to be the normal situation – no success.

London Bridge Plastic Surgery is a high end plastic surgery practice in England – they do plastic surgery on the rich and the famous, including the Royals.   They were hacked and the hackers shared graphic photos of their patients with the media.  So far, I don’t think they have published those photos.

Apparently, the chief surgeon fancies himself a bit of an amateur hacker and sent the hackers a Word document with a link to a file on their server, with the hope of getting the hackers’ IP address from this.

Not surprisingly, the hackers detected this attempt and publicly scolded the doctor who said that he didn’t do it.  The hackers now say that they are going to punish the doctor for attempting to uncover them, although they have not said what that might be.

In the end, you run the risk of upsetting folks who may have backdoors into your system and, in this case, claim to have terabytes of your sensitive data, which they could easily dump on the web.

So if ACDC passes and you choose to hack the hackers, understand that the hackers might be smarter than you and there could be serious consequences for you, your company, your data and your clients.

On the other hand, if you think you are smarter than the hackers then why were they able to hack you?

Information for this post came from The Daily Beast.
