Tag Archives: Uber

Security News for the Week Ending September 28, 2018

Cisco Will Eliminate Hard Coded Passwords One Per Month

It seems like every patch cycle, Cisco admits to another app that has an undocumented hard coded password.  I have lost track of how many of them they have removed so far, but the number is scary large.

What is more scary is that I bet Cisco is far from unique – they are just being more honest about it.  Are all the other hardware vendors pure as the driven snow.  NOT LIKELY!

In this case, very embarrassingly, the hard coded password was in Cisco’s video surveillance manager.  In other words, the bad guys could secretly watch the watchers.

Cisco CLAIMS this was because they forgot to disable this hard coded ID (maybe used for testing) before the production code was released.

Recently Cisco has removed hard coded credentials from their Linux based OS, IOS XE, from their Digital Network Architecture server and from the Cisco Provisioning Server.  That is just recently.

This bug rated a 9.8 out of 10 on the severity Richter scale (CVSS V3).   Source: ZDNet.

Gig Workers Targeted by Malicious Attackers

This one is classically simple.

Gig workers, who have no IT department, are responding to gig requests on sites like Fiverr and Freelancer.

Unfortunately, those requests have documents associated with them that are infected.  When the gig worker opens the file to understand if he or she wants to bid on the gig, his or her computer is infected.  MAYBE the gig worker’s anti virus software will catch it, but if they are crafted just slightly differently for each attack, the AV software will be blind to it.

Freaking genius.  As long as it doesn’t happen to you.  Source: ZDNet.

Your Tax Dollars At Work

Like many public sector (not all!) networks, the security of the Pennsylvania Democratic Caucus was, apparently, not so great.  Equally unsurprisingly, their computers became infected with ransomware.

So they had two choices.  Pay the bad guys $30,000.

OR

Pay Microsoft $703,000 plus.

Of course, since this isn’t coming out of their pockets, they opted for the gold plated, diamond encrusted deal from Microsoft.

Surely, some local outfit would have rebuilt their servers for less than three quarters of a million dollars.

According to Homeland Security, over 4,000 ransomware attacks happen every day.  I have NO way to validate that claim, but I am sure the number is big.  Source : The Trib.

Uber Agrees to Pay $148 Million for Breach – Instead of $2 Billion under CCPA

Uber agreed to pay $148 million to settle claims that it covered up a breach in 2016 by PAYING OFF the hackers to keep quiet and supposedly delete the data.

Lets compare that to what they might have paid under CCPA, the new California law.

57 million records – say 5% in California = 2,850, 000 records.

Private right of action up to $750 per user without showing damage.  Let’s reduce that to $500 x 2.85 million = $1.425 billion.

AG right to sue for malicious non-compliance.  $7,500 (treble damages since the cover up was willful) x 2.85 million = $21.375 billion.

WORST CASE = A little over $22 BILLION.

BEST CASE (Maybe) = 10% of that, maybe $2 billion.

They got off light.

By the way, THIS is why companies are scared of the new law.

Source: Mitch

Newest iPhone, Newest iOS – Hacked in a Week

We tend to think of iPhones as secure.  Secure is a relative term and relatively, the iPhone is secure.

iOs 12 was released on September 17th, along with the new iPhones, the XS and the XS Max.

Today is the 28th and news articles abound that the  pair (new phone plus new software) has been hacked.

To be fair, Pangu team, the ground that announced the hack, said that they had hacked the beta back in June.

So, as long as you don’t think secure means secure, the iPhone is secure.

Less insecure might be a better term.  Source: Redmondpie .

Facebooktwitterredditlinkedinmailby feather

Uber Naughty Tricks Hide Evidence of Theft

First a disclaimer:  I am not a lawyer and don’t pretend to be one on the Internet – at least most of the time.

The Uber Waymo trade secret theft trial is being delayed once again.

Why?  Because the Department of Justice showed the Judge a 37 page letter from the lawyer of a former Uber employee that Uber had not shared with Waymo.  The judge now wants the former employee to appear in court.

The judge is “unhappy” with Uber because he asked them to produce all relevant documents months ago and this document was not among those produced.  The judge said that he can’t trust anything that they say because they have been proven wrong so many times before.  That is probably not the best way to get on the good side of the judge.

The ex-employee was fired from his job at Uber in April but still works for them as a consultant.  They paid him $2+ million plus another million at the end of his consulting contract plus $1 million plus in Uber stock.

The ex-employee said that Uber has a unit within the company called marketplace analytics who’s job is to obtain competitive intel, “acquire” trade secrets and gathering code base.  Your basic dirty tricks organization who’s job it is to break the law and steal confidential information from competitors.

OK, maybe I am being a bit harsh on them, but the methods and techniques really determine whether they broke any laws or not and that is still to be seen.

The ex-employee said that the employees of this group were trained in impeding, obstructing or influencing any lawsuit against Uber.  This includes working very hard to make sure that there was no paper trail of what they were doing.

The employees used self destructing messaging services like Wikr, computers that could not be traced back to Uber and separate servers from the rest of the company.  They even made up reasons – apparently not legally valid ones – for attorney-client privilege.  They also engaged 10 outside security firms.

Waymo is suing Uber for almost $2 billion for theft of trade secrets.

Uber of course, said this is all made up.

There is one thing that is crystal clear as I play a lawyer on the Internet (no this is not legal advice).  *IF* and that is a big if, Uber hid information that they should have disclosed to the other side, that qualifies as a big no-no and could cause Uber all kinds of problems all the way up to the judge providing a verdict in Waymo’s favor.  That level of pain is VERY unusual, but the judge could fine the company, hold them in contempt or even instruct the jury to interpret certain facts in a way that is very unfavorable to Uber because of this.

Right now, he has delayed the trial while Waymo’s attorneys review the letter and decide what to do.

As far as how this affects you and me – if you believe that you MAY be sued, you have  “a duty to preserve” evidence that may be relevant to the future case.  Not preserving the evidence could cause you to lose the case.

OK, that seems pretty straight forward.

Well, maybe.  What if your employees, on their own, decided to use Telegraph or Wickr; decided to use other non-company systems to process or store data – all of which could be part of your duty to preserve.  And what if they did this without telling senior management about this.

The company could be in a world of hurt legally.

What this means is that you as an employer need to understand what tools your employees maybe using, even unofficially or unsanctioned and work with your corporate attorneys to figure out if that is a problem.

For certain industries, you have a duty to preserve even if there is no lawsuit anticipated, so for those companies, without regard to any potential lawsuit, using these tools can get them in trouble.

Something else for you to deal with.  Sorry.

Information for this post came from Reuters.

Facebooktwitterredditlinkedinmailby feather

Uber Paid Hacker $100k Hush Money; Didn’t Disclose Breach

This may turn out to be a lesson in Internet law for everyone.

In October 2016, hackers breached Uber’s systems and made off with personal information for 57 million customers.  They also made off with other information for 7 million Uber drivers and 600,000 drivers license numbers.

Uber says that no socials or credit cards or trip information was taken.

At the time, Uber was fighting with U.S. regulators regarding privacy violations.  Someone inside the organization decided that, given what was going on, maybe burying this breach might be a better idea than fessing up.

So Uber paid the hackers $100,000 to “delete” the data.  I am sure that they did that because they are people of honor.  Then they buried the incident.

Fast forward a year and Uber has a new CEO after a whole bunch of bad press.  The CEO hires an outside law firm to help clean up the old west and what do they discover but an old breach, a $100,000 ransom and an oopsie, we forgot to report this.

Paying the ransom is probably not illegal.

Not telling shareholders that they were breached, well that is less clear.  I guess they could say that a breach of 57 million customers is not material.  Unless, that is, word about it gets out and they get sued – which is exactly what is happening now.

Not telling regulators about that – pretty clear that is illegal.

And, given that Uber operates in most states in the U.S. and there are different privacy laws in each of the states, they likely broke the law in a whole bunch of states.

IF, and this is not clear, there was information on residents of foreign countries, they likely broke foreign laws as well.

Here is the lesson in Internet law.

Since the breach was disclosed, the New York AG has said he is investigating and a lawsuit has been filed seeking class action status.

Uber’s co-founder learned of the breach in November 2016, right after Uber had settled a privacy lawsuit with the New York AG and was negotiating with the FTC over the handling of consumer data.  Apparently he decided not to tell the AG or the FTC.

The hack was pretty simple.  The hackers found a private Github repository that apparently was not adequately (or at all) protected and found Amazon web services credentials in that repository.  They logged on to Amazon, found the data and attempted to extort Uber.

Uber does not have a reputation as a model citizen; in fact they have been involved in at least five criminal probes over bribes, illegal software, questionable pricing schemes and other issues.  This fits right in there.

Uber has brought in some high priced talent to help sort out the mess and rehabilitate their image.  Former GC of the NSA (not sure they sould be a role model for Uber), for example.  Based on some questionable NSA activities in the past, he may fit right into Uber’s culture.

What we don’t know at this point is what the various state regulators are going to do about this.  I assume that regulators COULD revoke Uber’s license to operate in their state, but I doubt that will happen.

Could the various states file criminal and/or civil charges – that I suspect is much more likely, especially since they knowingly covered up the breach?

I am sure that it will be at least a few months before we have any idea on the scope of the fallout.  Given Uber’s past and very rocky relationship with regulators, those same regulators may decide that it is payback time.

Information for this post came from Bloomberg.

Facebooktwitterredditlinkedinmailby feather

Uber Spies on Customers, Including Celebs

One thing about data rich environments – you have to trust that the data keepers do what they say they are going to do.

As we all know, Uber collects a lot of data – even data that they don’t know what they will use it for – but surely they will need it in the future – for something.

Uber has said that it can’t access ride information for users, but a former Uber security expert says that is not the case.  He says that Uber employees stalked ex boyfriends and girlfriends and celebrities.

Spangenberg, who is now suing Uber for age discrimination, says that employees can track politicians, Ex’es, celebrities and personal acquaintances of Uber employees.

A couple of years ago, the concept of “God View” became public – a feature in the Uber software that allowed employees to bypass privacy and security controls.

According to Spangenberg, even driver’s socials are at risk.

The only data, he says, that is not at risk, is credit card information.  That is not because they protect it but rather because they use a third party (Braintree) to process credit card transactions.

Spangenberg objected, he says, to reckless and illegal practices and Uber fired him.

Another ex Uber employee, Michael Sierchio, a former senior security engineer, said that when he was at Uber, you could stalk an ex or look up anyone’s ride with the flimsiest of excuses.  There was no approval required.  He said that Uber was interested in growth at all costs and was told that they were not a security company.

Uber said that it fired fewer than 10 employees who abused the feature.  Of course, if you don’t look, you won’t find any problems, so that number is meaningless.  They claim to have hundreds of security and privacy experts working around the clock.

According to security experts, Uber’s policy is based on the honor system, which employees can abuse at any time.

While Uber has instituted some controls, Spangenberg says that if you know what you are doing you can get around them forever.

Personally, taxis work pretty well for me most of the time.  If you do use Uber, you should probably kill the app or reboot your phone after you get out of the car.

Information for this post came from Fox News.

Facebooktwitterredditlinkedinmailby feather

Uber Releases Data on 11.6 Mil Passengers, 583k Drivers

One of the downsides of collecting data is that you may have to disclose it.  In Uber’s case, it collects a lot of data, so regulators and law enforcement can ask for that data.  In this case, even though the release of all this data is not a breach, it still could be a cause for privacy concern.

I was in New York this week and took a taxi on several occasions.  I went to the corner, got into the cab, told the driver where I wanted to go and when we got there, gave the driver some cash.  While the taxi company could tell the taxi and livery commission that they took a passenger from this address to that address, that is about all they know.

Contrast that to Uber.  They know exactly who there customer is.  Their customer is required to pay with a credit card.  They know where you started and where you ended and how many trips you take.

This is the first transparency report Uber has released, so let’s look at what they said:

  • For the second half of 2015, they gave information on 5 million passengers and 300,000 drivers to California regulators.
  • Nationally, they gave regulators information on 11.6 million passengers and 583,000 drivers.
  • Airport authorities received information on 1.6 million passengers and 156,000 drivers.
  • On the other hand, law enforcement only asked for information on 408 passenger accounts and 205 driver accounts.  Of course, that could represents thousands of trips, or more,  in total.  Most of this was to catch customers using stolen credit cards, they said.

While I agree that this is far from a data breach, still it is a concern.  How many data elements did Uber release?  Why do regulators need it?  How are the regulators protecting it?   Regulators are not required to have a reason for asking for the the data other than they want it – no subpoena, no judge, no warrant – and there is no real appeals process.  For companies like Uber, the threat is that the regulators could make their life pretty messy if they make a stink.

For me, I continue to use taxicabs.  They seem a lot less invasive than Uber’s big data collection machine.  And, as far as I can tell, taxis don’t use surge pricing.

Call me old fashioned.

Information for this post came from the San Jose Mercury News.

Facebooktwitterredditlinkedinmailby feather

Uber and Insurance – Things You Probably Did Not Know

Whether you are an Uber driver or Uber customer, there are some things that you should be aware of before you turn on that app to accept passengers or use that app to hail a ride.

First of all comes terminology.  Regulators call Uber, Lyft and their competitors Transportation Network Companies or TNCs.  This distinguishes them from taxis and liveries because, they say, they don’t own or lease the vehicles and the drivers are not their employees.   This is not settled in the courts yet, but, for now, we will use that definition.

The second definition is Periods.  There are 3 periods, Period 1, 2 and 3.  Very creative.  Period 1 is the time from when a TNC driver starts the app and the time he or she accepts the job to pick up a passenger.  Basically, idle time, but when the driver is looking for fares.

Period 2 starts when the driver accepts a trip and ends when the rider enters the vehicle.  Period 3 covers the time when the rider is in the vehicle.

Some insurance companies are not keen to insure drivers who work for TNCs.  In fact, a script from Geico leaked in the SF Chronicle told agents to refer TNC drivers to the fraud department – that their normal auto policy did not cover TNC drivers.  This is in spite of the fact that Uber and Lyft have provided insurance for periods 2 and 3, but not period 1 as primary coverage for quite a while.

In early 2015, Geico came out with a hybrid personal-commercial policy that would cover TNC drivers.  It is currently only available in certain states.  Likely, it costs more – that would be why the insurance companies like it.

Metromile uses an ODB II dongle to track when a driver is “on the clock” and when he or she is not to determine whether they are liable if the driver has a accident.  If there is an accident and you are a TNC driver, they will check with the TNC company to see if you were working to figure out whether you have coverage from them.

In California, they recently passed a law requiring TNCs to provide coverage during period 1 – when the car is empty but you are looking for a rider.  The catch is that the coverage is not the $1 million that Uber always talks about, but rather $50k per individual, $100k max plus $300k in property damage.  While $50k or $100k is not insignificant, it is way less than $1 million.

More importantly, the California law says that TNC driver’s personal policies coverage of stuff like comprehensive, collision and medical are not active during period 1 unless the driver has purchased a TNC aware policy.

As a driver, it is important to understand who will and will not pay in case of an accident.

As a passenger, it is important to who will be responsible for paying in case you are hurt while in an Uber machine.

Why is this a security or privacy issue?

Because the insurance carriers want to use the telematics (basically, the built in cell phone which connects to the car’s computers in order to extract data) in the driver’s car to automatically track when they are on the clock and when they are not.  They want to coordinate this data with Uber and Lyft and their competitors so that they know when they are on the hook for an accident and when they are not and don’t have to try and figure out whether you are lying when an accident occurs about whether you were working or driving personally.  If they can collect data about the car and time and conditions of the accident and then extract data from the TNCs to figure out whether you were working or not, they just might get out of paying that claim.

What they are not saying is what they are doing with that data that they collect when you don’t have an accident.  Maybe to figure out if they want you as a customer.  Just sayin’.

 

Information for this post came from TU-Auto and Uber’s web site.

Facebooktwitterredditlinkedinmailby feather