Tag Archives: Uber

Security News for the Week Ending August 21, 2020

August 13th, a Day That Will Live in Confusion

August 13th is the day that Part B of Section 889 of the 2019 National Defense Authorization Act went into effect. It bans the use of equipment and services tied to certain Chinese companies that have been deemed security threats by the United States. Companies that have this equipment won’t be able to sell to the federal government without a waiver. Contractors have 24 hours to report if they discover, after August 13th, that they are breaking the law. But contractors are allowed to self certify. While the ban went into effect on August 13th, the GSA training session for contractors has been delayed until mid-September – because they weren’t ready to coherently explain the rules. Ellen Lord, chief of the Pentagon’s acquisition branch asks contractors to take notes on how this is screwing up their business so that, maybe, they can get Congress to change the law. By the way, this is not a contract flow down clause, so primes are responsible for what their subs do, I guess. Sorry contractors. Credit: Federal Computer Weekly

Senators Say WikiLeaks Likely Knew It Was Helping Russia

The US Senate Select Committee on Intelligence says, in a report, that Vladimir Putin personally ordered the hacking of the DNC and that WikiLeaks likely knew it was helping Russia. The Senate report says WikiLeaks received internal DNC documents FROM Russian hackers. Senators wrote that Trump’s campaign staff sought advance notice of WikiLeaks releases. Paul Manafort is named as the link between the campaign and Russia. It seems odd that this Republican-controlled committee would release this report days before the Republican National Convention nominates Trump for President. Credit: The Register

Hide Your Breach – Go to Jail

The Feds have charged Uber’s former Chief Security Officer with hiding information about the breaches Uber had in 2014 and 2016 and about the payments made to the hackers to keep the 2016 breach quiet. He is charged with obstruction of justice and misprision of a felony (i.e. knowing about a felony and concealing it from the authorities). He faces up to 8 years in prison if convicted. Credit: DoJ

Ever Wonder What Happens to All That Location Data that Apps Collect?

Well, the answer is, it depends. This week we found out one thing that happens to that data: the U.S. Secret Service buys it and uses it instead of having to get a warrant for the same information from the phone company. Nothing illegal about it. Obviously, the Secret Service is not using it to market any products. Curiously, the company they bought it from does not advertise that it sells your data to the police. In fact, its agreement, much like the agreement the Stingray vendor makes police sign, forbids the buyer from mentioning it in legal proceedings at all. When this has come up with Stingrays, police have dropped charges rather than break the agreement. Credit: Hackread

Securus Sued For Recording Attorney-Client Jail Calls and Providing to Police

Securus provides phone service in jails and prisons at what most people say are exorbitant prices, sometimes 100 times the going rate outside. In theory (and in law), Securus is not supposed to listen to or record calls between inmates and their lawyers. The only reason they were caught was that a detective listening to recordings Securus had provided to him recognized the attorney’s voice. He then reported Securus to the Attorney General. The attorney who was illegally recorded is now suing Securus. The interesting thing is that Securus just settled a similar case in another state. You would think they would learn. Credit: The Register

Security News for the Week Ending September 28, 2018

Cisco Will Eliminate Hard Coded Passwords One Per Month

It seems like every patch cycle, Cisco admits to another product with an undocumented hard-coded password.  I have lost track of how many they have removed so far, but the number is scary large.

What is more scary is that I bet Cisco is far from unique; they are just being more honest about it.  Are all the other hardware vendors pure as the driven snow?  NOT LIKELY!

In this case, very embarrassingly, the hard-coded password was in Cisco’s Video Surveillance Manager.  In other words, the bad guys could secretly watch the watchers.

Cisco CLAIMS this happened because they forgot to disable this hard-coded account (probably used for testing) before the production code was released.

Recently Cisco has also removed hard-coded credentials from IOS XE (its Linux-based network operating system), from its Digital Network Architecture server and from the Cisco Provisioning Server.  That is just recently.

This bug rated a 9.8 out of 10 on the CVSS v3 severity scale.   Source: ZDNet.

Gig Workers Targeted by Malicious Attackers

This one is classically simple.

Gig workers, who have no IT department, are responding to gig requests on sites like Fiverr and Freelancer.

Unfortunately, those requests have documents attached that are infected.  When the gig worker opens the file to decide whether to bid on the gig, his or her computer is infected.  MAYBE the gig worker’s anti-virus software will catch it, but if the malicious document is crafted slightly differently for each attack, signature-based AV will be blind to it.

Freaking genius.  As long as it doesn’t happen to you.  Source: ZDNet.

Your Tax Dollars At Work

Like many (not all!) public sector networks, the security of the Pennsylvania Senate Democratic Caucus was, apparently, not so great.  Equally unsurprisingly, their computers became infected with ransomware.

So they had two choices.  Pay the bad guys $30,000.

OR

Pay Microsoft $703,000 plus.

Of course, since this isn’t coming out of their pockets, they opted for the gold plated, diamond encrusted deal from Microsoft.

Surely, some local outfit would have rebuilt their servers for less than three quarters of a million dollars.

According to Homeland Security, over 4,000 ransomware attacks happen every day.  I have NO way to validate that claim, but I am sure the number is big.  Source : The Trib.

Uber Agrees to Pay $148 Million for Breach – Instead of $2 Billion under CCPA

Uber agreed to pay $148 million to settle claims that it covered up a breach in 2016 by PAYING OFF the hackers to keep quiet and supposedly delete the data.

Lets compare that to what they might have paid under CCPA, the new California law.

57 million records; say 5% are Californians = 2,850,000 records.

Private right of action of up to $750 per consumer per incident, with no need to prove damages.  Let’s reduce that to $500 x 2.85 million = $1.425 billion.

AG right to sue for non-compliance: $7,500 per intentional violation (three times the ordinary $2,500 penalty; the cover-up was willful) x 2.85 million = $21.375 billion.

WORST CASE = A little over $22 BILLION.

BEST CASE (Maybe) = 10% of that, maybe $2 billion.

They got off light.

By the way, THIS is why companies are scared of the new law.

Source: Mitch

Newest iPhone, Newest iOS – Hacked in a Week

We tend to think of iPhones as secure.  Secure is a relative term and relatively, the iPhone is secure.

iOS 12 was released on September 17th, along with the new iPhones, the XS and the XS Max.

Today is the 28th and news articles abound that the pair (new phone plus new software) has been hacked, i.e. jailbroken.

To be fair, the Pangu team, the group that announced the hack, said that they had hacked the beta back in June.

So, as long as you don’t think secure means secure, the iPhone is secure.

Less insecure might be a better term.  Source: Redmondpie .

Uber Naughty Tricks Hide Evidence of Theft

First a disclaimer:  I am not a lawyer and don’t pretend to be one on the Internet – at least most of the time.

The Uber Waymo trade secret theft trial is being delayed once again.

Why?  Because the Department of Justice showed the judge a 37-page letter from the lawyer of a former Uber employee that Uber had not shared with Waymo.  The judge now wants the former employee to appear in court.

The judge is “unhappy” with Uber because he asked them to produce all relevant documents months ago and this document was not among them.  The judge said he can’t trust anything they say because they have been proven wrong so many times before.  Being proven wrong that often is probably not the best way to get on the good side of a judge.

The ex-employee was fired from Uber in April but still works for them as a consultant.  They paid him $2+ million, plus another million at the end of his consulting contract, plus $1 million or so in Uber stock.

The ex-employee said that Uber has a unit called Marketplace Analytics whose job is to obtain competitive intel, “acquire” trade secrets and gather competitors’ code.  Your basic dirty tricks organization, whose job is to break the law and steal confidential information from competitors.

OK, maybe I am being a bit harsh on them, but the methods and techniques really determine whether they broke any laws or not and that is still to be seen.

The ex-employee said that the employees of this group were trained in impeding, obstructing or influencing any lawsuit against Uber.  This included working very hard to make sure there was no paper trail of what they were doing.

The employees used self-destructing messaging services like Wickr, computers that could not be traced back to Uber and servers separate from the rest of the company.  They even made up reasons, apparently not legally valid ones, to claim attorney-client privilege.  They also engaged 10 outside security firms.

Waymo is suing Uber for almost $2 billion for theft of trade secrets.

Uber of course, said this is all made up.

There is one thing that is crystal clear as I play a lawyer on the Internet (no, this is not legal advice).  *IF*, and that is a big if, Uber hid information that it should have disclosed to the other side, that qualifies as a big no-no and could cause Uber all kinds of problems, all the way up to the judge entering a verdict in Waymo’s favor.  That level of pain is VERY unusual, but the judge could fine the company, hold it in contempt or instruct the jury to draw adverse inferences, i.e. to interpret certain facts in a way that is very unfavorable to Uber because of this.

Right now, he has delayed the trial while Waymo’s attorneys review the letter and decide what to do.

As far as how this affects you and me – if you believe that you MAY be sued, you have  “a duty to preserve” evidence that may be relevant to the future case.  Not preserving the evidence could cause you to lose the case.

OK, that seems pretty straight forward.

Well, maybe.  What if your employees, on their own, decided to use Telegram or Wickr, or decided to use other non-company systems to process or store data, all of which could fall under your duty to preserve?  And what if they did this without telling senior management?

The company could be in a world of hurt legally.

What this means is that you, as an employer, need to understand what tools your employees may be using, even unofficial or unsanctioned ones, and work with your corporate attorneys to figure out whether that is a problem.

For certain industries, you have a duty to preserve even if there is no lawsuit anticipated, so for those companies, without regard to any potential lawsuit, using these tools can get them in trouble.

Something else for you to deal with.  Sorry.

Information for this post came from Reuters.

Uber Paid Hacker $100k Hush Money; Didn’t Disclose Breach

This may turn out to be a lesson in Internet law for everyone.

In October 2016, hackers breached Uber’s systems and made off with personal information on 57 million customers.  They also made off with information on 7 million Uber drivers and 600,000 driver’s license numbers.

Uber says that no Social Security numbers, credit card numbers or trip information were taken.

At the time, Uber was fighting with U.S. regulators regarding privacy violations.  Someone inside the organization decided that, given what was going on, maybe burying this breach might be a better idea than fessing up.

So Uber paid the hackers $100,000 to “delete” the data.  I am sure that they did that because they are people of honor.  Then they buried the incident.

Fast forward a year and Uber has a new CEO after a whole bunch of bad press.  The CEO hires an outside law firm to help clean up the old west and what do they discover but an old breach, a $100,000 ransom and an oopsie, we forgot to report this.

Paying the ransom is probably not illegal.

Not telling shareholders that they were breached, well that is less clear.  I guess they could say that a breach of 57 million customers is not material.  Unless, that is, word about it gets out and they get sued – which is exactly what is happening now.

Not telling regulators about that – pretty clear that is illegal.

And, given that Uber operates in most states in the U.S. and there are different privacy laws in each of the states, they likely broke the law in a whole bunch of states.

IF, and this is not clear, there was information on residents of foreign countries, they likely broke foreign laws as well.

Here is the lesson in Internet law.

Since the breach was disclosed, the New York AG has said he is investigating and a lawsuit has been filed seeking class action status.

Uber’s co-founder learned of the breach in November 2016, right after Uber had settled a privacy lawsuit with the New York AG and was negotiating with the FTC over the handling of consumer data.  Apparently he decided not to tell the AG or the FTC.

The hack was pretty simple.  The hackers found a private GitHub repository used by Uber engineers that was not adequately (or at all) protected, and found Amazon Web Services credentials sitting in that repository.  They used those credentials to log in to AWS, found the data and then tried to extort Uber.
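Two of the failures on this page come down to credentials left where they do not belong: Cisco’s hard-coded passwords shipped in product code (the item above under “Cisco Will Eliminate Hard Coded Passwords One Per Month”) and the AWS keys Uber left in a private GitHub repository. Both are exactly what a secret scanner run in CI or as a pre-commit hook is meant to catch. What follows is an added example, not Uber’s, Cisco’s or anyone else’s code: a small Python scanner that flags AWS access key IDs, AWS secret keys (filtered by entropy to cut false positives) and quoted password literals, while skipping obvious placeholders and environment lookups. The file paths, file contents, regexes and thresholds are constructed for illustration; the AWS values are Amazon’s documented example credentials, not live keys.

```python
import math
import re
from dataclasses import dataclass

# Added example: a minimal secret scanner, not any vendor's code.
# The patterns are assumptions chosen for illustration; production
# scanners (gitleaks, trufflehog and the like) carry hundreds more.
AWS_ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
AWS_SECRET_KEY = re.compile(
    r"(?i)aws[_ ]?secret[_ ]?access[_ ]?key\W{0,5}([A-Za-z0-9/+=]{40})"
)
# keyword, then = or :, then a quoted value of at least 6 characters
PASSWORD_LITERAL = re.compile(
    r"""(?i)(?:password|passwd|pwd|secret|token)\s*[:=]\s*['"]([^'"]{6,})['"]"""
)
PLACEHOLDERS = {"changeme", "password", "example", "xxxxxxxx", "<redacted>"}
ENTROPY_FLOOR = 3.5   # bits per char; real 40-char base64 keys sit around 4.5 to 5


@dataclass
class Finding:
    path: str
    line: int
    kind: str
    evidence: str   # truncated so the report itself does not leak the secret


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; low values mean 'not really a key'."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def redact(value: str) -> str:
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def scan_text(path: str, text: str) -> list[Finding]:
    """Scan one file's contents; returns findings in line order."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_ID.finditer(line):
            findings.append(Finding(path, lineno, "aws-access-key-id", redact(m.group(0))))
        for m in AWS_SECRET_KEY.finditer(line):
            if shannon_entropy(m.group(1)) >= ENTROPY_FLOOR:
                findings.append(Finding(path, lineno, "aws-secret-access-key", redact(m.group(1))))
        for m in PASSWORD_LITERAL.finditer(line):
            value = m.group(1)
            if value.lower() in PLACEHOLDERS or value.startswith("${") or value.startswith("%("):
                continue   # templated or placeholder values are not leaks
            findings.append(Finding(path, lineno, "hard-coded-password", redact(value)))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """files maps a path to its contents, which is what a pre-commit hook would feed in."""
    out: list[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample repository contents. The AWS values are Amazon's
# documented example credentials, not live keys.
SAMPLE_FILES = {
    "config/aws.ini": (
        "[default]\n"
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "src/camera_debug.py": (
        "# test account left in by mistake (constructed, not vendor code)\n"
        "DEBUG_USER = 'root'\n"
        "DEBUG_PASSWORD = 'Gr4ph1te!Surveil'\n"
        "DB_PASSWORD = os.environ['DB_PASSWORD']\n"
        "placeholder_password = 'changeme'\n"
    ),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.kind} ({f.evidence})")
```

Run against the constructed files it reports the access key ID and secret key in config/aws.ini and the debug password in src/camera_debug.py, and stays quiet on the environment lookup and the placeholder. The entropy floor matters: without it, any 40-character run of letters after “aws_secret_access_key” (a comment, a docs example of the format) would be reported, and scanners that cry wolf get disabled.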

Uber does not have a reputation as a model citizen; in fact they have been involved in at least five criminal probes over bribes, illegal software, questionable pricing schemes and other issues.  This fits right in there.

Uber has brought in some high-priced talent to help sort out the mess and rehabilitate its image: the former General Counsel of the NSA, for example (not sure the NSA should be a role model for Uber).  Based on some questionable NSA activities in the past, he may fit right into Uber’s culture.

What we don’t know at this point is what the various state regulators are going to do about this.  I assume that regulators COULD revoke Uber’s license to operate in their state, but I doubt that will happen.

Could the various states file criminal and/or civil charges – that I suspect is much more likely, especially since they knowingly covered up the breach?

I am sure that it will be at least a few months before we have any idea on the scope of the fallout.  Given Uber’s past and very rocky relationship with regulators, those same regulators may decide that it is payback time.

Information for this post came from Bloomberg.

Uber Spies on Customers, Including Celebs

One thing about data rich environments – you have to trust that the data keepers do what they say they are going to do.

As we all know, Uber collects a lot of data – even data that they don’t know what they will use it for – but surely they will need it in the future – for something.

Uber has said that it can’t access ride information for users, but a former Uber security professional says that is not the case.  He says that Uber employees have stalked ex-boyfriends and girlfriends and celebrities.

Spangenberg, who is now suing Uber for age discrimination, says that employees can track politicians, exes, celebrities and personal acquaintances of Uber employees.

A couple of years ago, the concept of “God View” became public – a feature in the Uber software that allowed employees to bypass privacy and security controls.

According to Spangenberg, even drivers’ Social Security numbers are at risk.

The only data, he says, that is not at risk, is credit card information.  That is not because they protect it but rather because they use a third party (Braintree) to process credit card transactions.

Spangenberg objected, he says, to reckless and illegal practices and Uber fired him.

Another ex-Uber employee, Michael Sierchio, a former senior security engineer, said that when he was at Uber you could stalk an ex or look up anyone’s ride with the flimsiest of excuses.  No approval was required.  He said that Uber was interested in growth at all costs and that he was told Uber was not a security company.

Uber said that it fired fewer than 10 employees who abused the feature.  Of course, if you don’t look, you won’t find any problems, so that number is meaningless.  They claim to have hundreds of security and privacy experts working around the clock.

According to security experts, Uber’s policy is based on the honor system, which employees can abuse at any time.

While Uber has instituted some controls, Spangenberg says that if you know what you are doing you can get around them forever.
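What the difference between an honor system and a real control looks like in code, as an added example that is not Uber’s software (the role names, ticket numbers, rider IDs and trip data are all assumptions): a ride lookup that denies by default, requires a ticketed approval by someone other than the requester, binds that approval to one specific rider and lets it expire, and writes every attempt, allowed or denied, to an audit log so that a claim like “we fired fewer than 10” can actually be measured against something.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Added example, not Uber's code: the controls the article says were missing
# around "God View" style lookups. Role names, tickets and data are assumptions.

ROLE_PERMISSIONS = {
    "support_agent": {"rider.trips"},
    "fraud_analyst": {"rider.trips", "rider.payment_last4"},
    "engineer": set(),   # engineering gets no production customer lookups at all
}


class AccessDenied(Exception):
    pass


@dataclass(frozen=True)
class Approval:
    """A ticketed, time-boxed grant to view ONE rider, approved by a second person."""
    ticket: str
    rider_id: str
    requested_by: str
    approved_by: str
    granted_at: datetime
    ttl: timedelta = timedelta(hours=4)

    def covers(self, actor: str, rider_id: str, now: datetime) -> bool:
        return (
            self.requested_by == actor
            and self.rider_id == rider_id
            and self.approved_by != actor                   # two-person rule: no self-approval
            and self.granted_at <= now < self.granted_at + self.ttl
        )


class RideStore:
    def __init__(self, trips: dict, approvals: list):
        self._trips = trips                                  # rider_id -> list of trips
        self._approvals = {a.ticket: a for a in approvals}
        self.audit_log: list[dict] = []                      # every decision, allow or deny

    def _audit(self, actor, rider_id, ticket, decision, reason):
        self.audit_log.append({"actor": actor, "rider": rider_id, "ticket": ticket,
                               "decision": decision, "reason": reason})

    def lookup_trips(self, actor: str, role: str, rider_id: str, ticket: str, now: datetime):
        # 1. deny by default: the role must carry the permission
        if "rider.trips" not in ROLE_PERMISSIONS.get(role, set()):
            self._audit(actor, rider_id, ticket, "deny", f"role {role} lacks rider.trips")
            raise AccessDenied(f"{role} may not view trips")
        # 2. the approval must exist and be bound to this actor, this rider, and still be valid
        approval = self._approvals.get(ticket)
        if approval is None or not approval.covers(actor, rider_id, now):
            self._audit(actor, rider_id, ticket, "deny", "no valid approval for actor/rider")
            raise AccessDenied("no valid approval")
        # 3. allowed lookups are logged too, with who approved them
        self._audit(actor, rider_id, ticket, "allow", f"approved by {approval.approved_by}")
        return list(self._trips.get(rider_id, []))


# Constructed sample data.
T0 = datetime(2016, 12, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_TRIPS = {"rider-42": [{"from": "SFO", "to": "Market St", "at": "2016-11-30T22:10Z"}]}
SAMPLE_APPROVALS = [
    Approval("SUP-1001", "rider-42", "alice", "bob", T0),                      # valid
    Approval("SUP-1002", "rider-42", "carol", "carol", T0),                    # self-approved
    Approval("SUP-0900", "rider-42", "dave", "bob", T0 - timedelta(days=2)),   # expired
]


def run_scenarios(now: datetime = T0 + timedelta(hours=1)):
    """Returns ({actor: trips or None if denied}, audit log)."""
    store = RideStore(SAMPLE_TRIPS, SAMPLE_APPROVALS)
    attempts = [
        ("alice", "support_agent", "SUP-1001"),   # proper ticket, second-person approval
        ("carol", "support_agent", "SUP-1002"),   # approved herself
        ("dave", "support_agent", "SUP-0900"),    # ticket expired
        ("erin", "engineer", "SUP-1001"),         # wrong role, and not her ticket anyway
        ("frank", "support_agent", ""),           # the old "flimsiest of excuses" path: no ticket
    ]
    results = {}
    for actor, role, ticket in attempts:
        try:
            results[actor] = store.lookup_trips(actor, role, "rider-42", ticket, now)
        except AccessDenied:
            results[actor] = None
    return results, store.audit_log


if __name__ == "__main__":
    res, log = run_scenarios()
    for entry in log:
        print(entry)
```

Only alice’s lookup succeeds; the self-approved, expired, wrong-role and no-ticket attempts are all refused, and all five attempts land in the audit log. That log is the point: the policy is enforced in the code path that returns the data rather than in a handbook, and the denials are visible to whoever reviews the log, which is how you find out how many employees actually tried.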

Personally, taxis work pretty well for me most of the time.  If you do use Uber, you should probably kill the app or reboot your phone after you get out of the car.

Information for this post came from Fox News.

Uber Releases Data on 11.6 Mil Passengers, 583k Drivers

One of the downsides of collecting data is that you may have to disclose it.  In Uber’s case, it collects a lot of data, so regulators and law enforcement can ask for that data.  In this case, even though the release of all this data is not a breach, it still could be a cause for privacy concern.

I was in New York this week and took a taxi on several occasions.  I went to the corner, got into the cab, told the driver where I wanted to go and when we got there, gave the driver some cash.  While the taxi company could tell the taxi and livery commission that they took a passenger from this address to that address, that is about all they know.

Contrast that to Uber.  They know exactly who their customer is.  Their customer is required to pay with a credit card.  They know where you started, where you ended and how many trips you take.

This is the first transparency report Uber has released, so let’s look at what they said:

  • For the second half of 2015, they gave information on 5 million passengers and 300,000 drivers to California regulators.
  • Nationally, they gave regulators information on 11.6 million passengers and 583,000 drivers.
  • Airport authorities received information on 1.6 million passengers and 156,000 drivers.
  • On the other hand, law enforcement only asked for information on 408 passenger accounts and 205 driver accounts.  Of course, that could represent thousands of trips, or more, in total.  Most of this was to catch customers using stolen credit cards, they said.

While I agree that this is far from a data breach, it is still a concern.  How many data elements did Uber release?  Why do regulators need it?  How are the regulators protecting it?   Regulators are not required to have a reason for asking for the data other than that they want it: no subpoena, no judge, no warrant, and no real appeals process.  For companies like Uber, the threat is that the regulators could make their life pretty messy if they make a stink.

For me, I continue to use taxicabs.  They seem a lot less invasive than Uber’s big data collection machine.  And, as far as I can tell, taxis don’t use surge pricing.

Call me old fashioned.

Information for this post came from the San Jose Mercury News.