STE WILLIAMS

Uber Paid Hackers $100K to Conceal 2016 Data Breach

The ride-sharing company has confirmed an October 2016 data breach that compromised 57 million accounts.

Uber late yesterday disclosed that hackers in October 2016 had gained access to data stored in a third-party cloud storage account resulting in a breach affecting 57 million people, including users and drivers. The ride-sharing service paid the attackers $100,000 to keep the attack quiet.

What’s especially alarming about the data breach is not its size – previous attacks on Yahoo, Equifax, Anthem, and Target were comparatively larger – but how Uber handled it.

“What makes this one stand out is absolutely the time duration,” says McAfee Labs vice president Vincent Weafer. “It’s almost a year ago that the actual event occurred; we’re just finding out about it now.”

Hackers were able to access and download names and driver’s license numbers of about 600,000 drivers in the US. Compromised rider data includes names, email addresses, and mobile phone numbers, Uber’s CEO Dara Khosrowshahi said in a blog post.

Uber’s forensics experts have not seen signs indicating attackers downloaded trip location history, credit card numbers, bank account numbers, Social Security numbers, or dates of birth.

Several federal and state laws require businesses to alert both customers and government agencies following data breaches. Not only did Uber fail to do this, but it also paid the attackers who stole the data then demanded $100,000 from the company to delete it.

Uber tracked down the hackers and pushed them to sign nondisclosure agreements, and disguised the payout as part of a bug bounty program, the New York Times reports. While Uber did launch a bug bounty program in 2016, rewards are capped at $10,000 for critical bugs. It’s unclear whether the actors in this case were malicious, or gray-hat hackers who merely wanted to give Uber a vulnerability wake-up call.

The company’s chief security officer Joe Sullivan, who led the response to last year’s attack, has been terminated for concealing the breach, as well as his deputy. Former CEO and cofounder Travis Kalanick learned of the attack in November 2016 but has not yet commented, Bloomberg reports.

How it happened

Hackers reportedly gained access to a private GitHub coding site used among Uber software engineers. There, they found login credentials for an Amazon Web Services account where Uber handled computing tasks. The account contained an archive of customer and driver data.

“This appears to be a prime example of good intentions gone bad,” says Imperva CTO Terry Ray. “Using an online collaboration and coding platform isn’t necessarily wrong, and it isn’t clear if getting your accounts hacked on these platforms is even uncommon.”

While technical details are still unclear, Snyk CEO and co-founder Guy Podjarny says it’s likely attackers compromised one of the developers, who typically work in privileged environments. Developers “aren’t necessarily the most secure individuals,” he points out, and they’re quick to be early adopters and try new tools.

The hackers’ path could have been as simple as a phishing attack or unsecured WiFi network. Once an attacker had access to one developer’s machine, they could have gained access to the rest of the network, the GitHub account, and the credentials they needed to log into AWS.

The problem starts with using live production data on an online platform where credentials were accessible on GitHub, Ray explains.

“It’s all too common that developers are allowed to copy live production data for use in development, testing, and QA,” he says. “This data is almost never monitored or secured, and as we can see here, it is often stored in various locations and is often easily accessed by nefarious actors.”

These repositories are usually private but unless someone takes time to fine-tune access, large portions of the development team can see them. “It takes special effort to fine-tune which developers have access to which repositories,” adds Podjarny.

One mistake was checking a password into GitHub, which could have been surfaced during an internal pen test or security audit. Another was granting developers access to the repository with so much sensitive data. Given how many attacks start with compromised credentials, it’s on companies to ensure employees use 2FA for critical applications and don’t have access to sensitive data they don’t need.

“You should never have the keys to the kingdom shared,” says Podjarny of storing credentials in GitHub. “If they’re compromised in one place, they’re going to be exploited in another area.”
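The failure described in this section, a live cloud credential checked into a source repository that many developers can read, is the kind of thing an internal audit or a pre-commit hook can catch before an attacker does. The scanner below is an added example written for this page, not code from Uber, GitHub or any of the firms quoted. It runs over a constructed in-memory "repository" (the key values are the placeholder keys AWS publishes in its own documentation, not live credentials), flags the documented shape of an AWS access key ID, and flags high-entropy 40-character values assigned to secret-named variables while ignoring low-entropy dummies. It prints only a redacted preview so the scan log itself does not become a second leak.

```python
import math
import re
from collections import Counter

# Constructed sample repository: path -> file contents. The credential values
# are the placeholder examples from AWS documentation, not real keys.
SAMPLE_REPO = {
    "config/settings.py": (
        "DEBUG = False\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    "README.md": "Set AWS_ACCESS_KEY_ID in your environment before running.\n",
    "scripts/deploy.sh": "aws s3 sync ./build s3://example-bucket\n",
    # Low-entropy dummy value: should NOT be reported.
    "tests/fixtures.py": "SECRET_KEY = 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'\n",
}

# AWS access key IDs are 'AKIA' followed by 16 uppercase letters or digits.
AWS_ACCESS_KEY_ID_RE = re.compile(r"(?<![A-Z0-9])AKIA[0-9A-Z]{16}(?![A-Z0-9])")
# A 40-character base64-like value assigned to any variable whose name contains "secret".
SECRET_ASSIGNMENT_RE = re.compile(
    r"(?i)secret[a-z_]*\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})['\"]?"
)
# Bits per character; random 40-char keys sit well above this, dummies well below.
ENTROPY_THRESHOLD = 3.5


def shannon_entropy(value: str) -> float:
    """Shannon entropy in bits per character of the given string."""
    if not value:
        return 0.0
    counts = Counter(value)
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def _finding(path: str, lineno: int, kind: str, value: str) -> dict:
    # Keep only a short prefix so the report does not reproduce the secret.
    return {"path": path, "line": lineno, "kind": kind, "preview": value[:4] + "..."}


def scan_text(path: str, text: str) -> list:
    """Return findings for one file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_ID_RE.finditer(line):
            findings.append(_finding(path, lineno, "aws_access_key_id", m.group(0)))
        for m in SECRET_ASSIGNMENT_RE.finditer(line):
            candidate = m.group(1)
            # Entropy filter drops placeholder strings like 'aaaa...'.
            if shannon_entropy(candidate) >= ENTROPY_THRESHOLD:
                findings.append(_finding(path, lineno, "aws_secret_access_key", candidate))
    return findings


def scan_repo(repo: dict) -> list:
    """Scan every file in a path -> contents mapping, in path order."""
    results = []
    for path in sorted(repo):
        results.extend(scan_text(path, repo[path]))
    return results


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f['path']}:{f['line']}: {f['kind']} ({f['preview']})")
```

In a real tree you would feed `scan_text` each file from `git ls-files` (or run it as a pre-commit hook over the staged diff) and fail the commit on any finding; the same two regex-plus-entropy checks are what commercial secret scanners apply, with many more patterns.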

Experts agree: paying hackers is a risky move and should be avoided, but there are circumstances in which it’s necessary. “Even if you pay money to hackers, you’re relying on them being honest,” says Weafer. “They could have copies or be selling it on the Dark Web.”

Casey Ellis, founder and CTO at Bugcrowd, calls the Uber scenario “garden variety extortion.” While it was not best practice to pay in this scenario, there are circumstances in which it’s economically rational and less risky. The big problem here is with responsible disclosure; organizations have a “clear responsibility” to disclose breaches and alert those affected.

“Paying off hackers without following disclosure laws is ill advised at best,” Ellis says. “Extortion is not a dying practice – as long as there are economically incented adversaries and companies willing to pay we’ll continue to see it.”

What’s Next

Khosrowshahi, who took the wheel at Uber in September 2017 and says he recently learned about the hack, reports the company took “immediate steps” to secure the data and prevent further unauthorized access by attackers.

“We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed,” he writes. “We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.”

Khosrowshahi has hired Matt Olsen, former general counsel of the National Security Agency, to help guide response efforts. Drivers whose license numbers were downloaded will be individually notified and receive free credit monitoring and identity theft protection. Uber is also notifying regulatory authorities and flagging affected accounts for fraud protection.

“None of this should have happened, and I will not make excuses for it,” says Khosrowshahi in his post. “We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”


Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.

Article source: https://www.darkreading.com/attacks-breaches/uber-paid-hackers-$100k-to-conceal-2016-data-breach/d/d-id/1330487?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Time to Pull an Uber and Disclose your Data Breach Now

There is never a good time to reveal a cyber attack. But with EU’s GDPR looming, the fallout is only going to get harder and more expensive if you wait.

Uber has finally disclosed that the company experienced a cyber breach in 2016 when the personal details of both drivers and customers were hacked by cybercriminals. Apparently, the company also paid a small ransom to have the data destroyed.

Here we go again. Another data breach … another CSO gets the axe and departs for mishandling a major incident which, sadly, is becoming a common trend. 

The big news here is that Uber concealed the data breach, which increased the cyber-risk of both drivers and customers, as well as a loss of trust from investors and governments. The mishandling of credentials for an Amazon Web Services (AWS) account was reportedly behind the data breach, a deficiency that demonstrates that companies really need to adhere to the industry recommendations on securing and protecting privileged credentials.  Not protecting these credentials can lead to major cyber incidents, making the difference between a simple perimeter breach and a cyber catastrophe. Privileged access management (PAM) has long been a major problem and this incident is just another example of a company not managing access and securing the keys to the kingdom. 

According to Forrester Research, approximately 80% of data breaches (registration required) are a result of stolen or compromised privileged credentials making privileged credentials security a must for many industry regulations. Not protecting them exposes companies to compliance failure as well as data breaches like we have now seen with Uber. This data breach also demonstrates the importance of incident handling as a major part of an organization’s cybersecurity policy – and doing it right can change the outcome of many cyber incidents. You cannot wait until it is too late to get your incident response plan in place.    

In the time since this data breach occurred, Uber has experienced a change in CEOs and disclosure of this breach gives Uber CEO Dara Khosrowshahi an opportunity to set things straight and change a perception that has dogged Uber for the past few years surrounding many scandals.

Why now? Why should organizations follow Uber’s belated example and disclose ASAP?

With the upcoming EU General Data Protection Regulation (GDPR), which goes into enforcement in May 2018, businesses of all sizes, around the world, will face huge financial penalties for failure to disclose data breaches and be required to follow a strict 72-hour breach notification to authorities in the countries impacted. The GDPR replaces the European General Data Protection Directive from 1995 and provides the foundation for companies taking responsibility for protecting European citizens’ private data. 

This means organizations are accountable and responsible for all the information they collect. The more information they gather, the more data they must account for, and therefore the more data they are responsible for. If a data breach occurs, and it is found that adequate security measures were not in place, there are significant penalties and fines: 20 million euros or 4% of annual turnover.  In my rough calculation, if we use Uber’s gross bookings from 2016 of $20 billion (USD), then Uber, in a post May 2018 GDPR, could face possible financial penalties of $800 million, which of course would be much higher than they would be facing by disclosing the data breach today. 

Bottom line: If you are hiding a major data breach like Uber, you might want to pull an Uber and disclose it ASAP.

Or maybe you have not found the data breach yet. Then you had better get looking immediately before it is too late and you put your entire business (and with it, your reputation) at risk.  I suspect many companies that provide services to EU citizens will need to think hard about keeping major data breaches a secret. We may see more companies, like Uber, face the reality that now is a good time to put out their dirty laundry and survive the tougher cyber regulations looming on the horizon.

Cybersecurity should never be an afterthought. Protecting privileged accounts, especially those that provide access to customer and employee personal data, should be a major priority along with a solid incident response plan and training on how to respond effectively and according to regulations and compliance requirements. Lastly, in today’s threat environment, cybersecurity has to become everyone’s responsibility. We need to empower our employees to be the strongest link because we are all on the front line and we need to ensure that everyone on the front line is educated and protected.   


Joseph Carson is a cybersecurity professional and ethical hacker with more than 25 years’ experience in enterprise security specializing in blockchain, endpoint security, network security, application security and virtualization, access controls and privileged account …

Article source: https://www.darkreading.com/risk/time-to-pull-an-uber-and-disclose-your-data-breach-now/a/d-id/1330488?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Apple served with warrant for Texas mass killer’s iCloud data

Here we go again: another mass shooting, another killer’s iPhone that police can’t get into, and potentially another legal battle over Apple’s encryption.

Earlier in the month, the FBI announced it couldn’t break into the iPhone of Devin Patrick Kelley, the shooter in the mass murder of 26 people in a church in Sutherland Springs, Texas.

Now, court records seen by the San Antonio Express-News show that two days after the FBI’s announcement – and its bemoaning of the way Apple’s encryption hampers law enforcement – a Texas Ranger obtained search warrants for data belonging to the Sutherland Springs killer.

One warrant, issued on 9 November, is for files stored on an iPhone SE found near Kelley’s body and on a second LG phone. Another warrant seeks files stored in Kelley’s iCloud account – specifically, phone call and message information, photos and videos, and other data dating back to 1 January 2016. The warrants are also seeking social media passwords, contacts, and other data.

Apple’s policies allow it to share iCloud data with law enforcement if they secure a proper warrant. But whether there’s anything useful in Kelley’s iCloud account depends on how frequently he created backups. That makes the phones themselves receptacles of a potentially fuller, more up to date stash of evidence than that on the killer’s iCloud account.

The iPhone SE has a fingerprint sensor. Police could have used the dead killer’s fingertips to log into the device, but they missed the window of time to do so: after several hours without a login, the phone requires a passcode.

Apple has declined to comment on the ongoing investigation, including the question of whether the company has complied with the warrant and handed over Kelley’s iCloud data. As of Monday afternoon, somebody familiar with the matter told The Verge that Apple had received the warrant for the iCloud data, but not the phone data.

Days after the FBI’s announcement that it couldn’t get into Kelley’s phone, Deputy US Attorney General Rod Rosenstein was once again calling for what he’s dubbed “responsible encryption”. That, unfortunately, is the non-existent kind that can be defeated only by good guys – as in, any law enforcement agency bearing a warrant – but is somehow magically resistant to bad guys.

As encryption experts have noted at least since the San Bernardino mass killings and ensuing legal tussle over encryption, that’s not a thing. If you can defeat encryption, hackers will figure out how, and all devices will thus be rendered vulnerable.

As Naked Security’s Taylor Armerding notes, that 2016 FBI vs. Apple court battle over government access to encrypted devices never settled the issue. It was simply put on hold when the issue was made moot by the FBI hiring a company that managed to break into the iPhone of the killer.

If the FBI can get a contractor to break Apple encryption on its behalf, why is breaking its encryption still an issue?

Because doing so is quite pricey, for one thing: the FBI paid the Israeli mobile forensics firm Cellebrite about $900,000 to unlock a single phone (though the Bureau never confirmed who did the job). That price was confirmed by remarks made by Senator Dianne Feinstein during an open hearing with then-FBI director James Comey in May.

For another thing, the iPhone-breaking technology only works on a “narrow slice of phones,” according to what Comey said at that hearing. The process, or tool, or whatever it is, doesn’t work on an iPhone 5s or later. It was narrowly tailored to only work on an iPhone 5C operating on iOS 9, according to Comey.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ciiNaLiICE0/

Chromebook exploit earns researcher second $100k bounty

For Google’s bug bounty accountants, lightning just struck twice.

In September 2016, an anonymous hacker called Gzob Qq earned $100,000 (£75,000) for reporting a critical “persistent compromise” exploit of Google’s Chrome OS, used by Chromebooks.

Twelve months on and the same researcher was wired an identical pay out for reporting – yes! – a second critical persistent compromise of Google’s Chrome OS.

By this point you might think Google was regretting its 2014 boast that it could confidently double its maximum payout for Chrome OS hacks to $100,000 because “since we introduced the $50,000 reward, we haven’t had a successful submission.”

More likely, it wasn’t regretting it at all because isn’t being told about nasty vulnerabilities the whole point of bug bounties?

By Chromebook standards the latest issue is a biggie: an exploit chain comprising an impressive five CVE vulnerabilities that would allow an attacker to remotely pwn the system via a web page.

Rated as high severity, these are: an out of bounds memory access in Chrome’s V8 JavaScript engine (CVE-2017-15401), a privilege escalation in PageState (CVE-2017-15402), a command injection in network_diag (CVE-2017-15403), a symlink traversal in crash_reporter (CVE-2017-15404), and a symlink traversal in cryptohomed (CVE-2017-15405).

Anyone running the stable channel who turned on their Chromebook or Chromebox on or after 27 October would have received an automatic update to version 62.0.3202.74 (or later) so the issue can be fixed by nothing more taxing than a 10-second reboot.

That update, incidentally, also fixed another high-priority flaw, CVE-2017-15400, as well as cured the cascade of Wi-Fi vulnerabilities making up KRACK.

Which all goes to show that while the Chrome OS has suffered far fewer flaws than the “full service” Windows and Apple platforms it would like to supplant, it doesn’t suffer from no flaws at all.

And the number of flaws seems to be increasing as the platform gets more attention.

A few weeks back, the platform was caught by a critical vulnerability (CVE-2017-15361) found in Infineon Trusted Platform Modules (TPMs), rapidly fixed by an update. That issue also affected many PCs, but because Chromebooks use TPMs by design they were smack in the firing line.

Not to mention, there’s also been angst about the small but expanding number of mainly nuisance Chrome extensions – like cryptocurrency miners, adware and web redirectors – targeting the platform’s users from inside Google’s Web Store.

But let’s return to the notion that the bug bounty program is paying off for Google.

A turning point was the record $150,000 Google handed to “celebrity” hacker George Hotz for finding a clutch of high-severity ChromeOS flaws at Google’s Pwnium event held during CanSecWest 2014.

By the time Google turned Pwnium into a year-round bounty programme, lightbulbs lit up inside Google at the PR possibilities. Nowadays you can hardly move for the company’s bounty programmes.

There’s even one to pay people to tell Google about rogue apps inside its Play Store, something the company has been having trouble stopping on its own.

Bug bounties have come a long way since the days a decade ago when critics convinced themselves that offering money for flaws might result in a bidding war won by criminals which, of course, was going to happen anyway.

For Google and others, it’s become a cost-effective way to crowdsource vulnerabilities without having to employ expensive researchers to do it full time.

Google particularly likes bug bounties for Chrome OS because it draws attention to how easy (automated and rapid deployment, installation on mirrored partition) the whole patching and update cycle is on Chromebooks compared to Windows PCs.

Chromebooks aren’t invulnerable. But at least when flaws strike, it’s Google’s problem to worry about, not the users.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/rxl7SMjp7QM/

Google and Twitter turn their backs on Russian media over fake news

Google is kicking stories from Russia Today (RT) and Sputnik News into the basement. The Russian news outlets’ stories are to be deranked in the wake of Congress’ investigation into the country’s alleged meddling in the 2016 presidential election, while Twitter has said “Nyet!” to taking more of their ad-buying rubles.

As the BBC reports, Alphabet, Google’s parent company, Chairman Eric Schmidt said that the deranking was a move against the spread of misinformation. He announced the move while speaking at the Halifax International Security Forum:

We’re well aware of this one, and we’re working on detecting this kind of scenario you’re describing and deranking those kinds of sites.

Schmidt specified RT and Sputnik. He said that while he doesn’t like censorship, he’s gung-ho about ranking – that is, after all, “what we do,” he said.

The Alphabet chief said that it’s a constant battle to stay ahead of those who want to game Google’s search algorithms. Just like the search giant is always tweaking its algorithms to detect “weaponized” information, those with an agenda are always looking to get “better tools too”.

He’s right: this is hard. Google Search’s job is to decide which web pages (and in what order) represent the best response to a given user query, and that’s no easy task. As it is, Google already makes a huge amount of decisions on our behalf. Those decisions regularly include de-ranking or penalizing sites that are slow, sites that are insecure, sites that have aggravating pop-up ads, sites that are gaming the system, sites that deliver little or no value, sites that are new, or sites that aren’t user friendly, for example.

Page ranking is a secret sauce, but search engine optimization experts will tell you that there are more than 200 factors that Google takes into account.

And now, the lead-balloon of deranking is going to be foisted onto news sites that US intelligence has labelled cogs in “Russia’s state-run propaganda machine.” A report on Russia’s alleged interference in the 2016 election said that the publications “made increasingly favorable comments about” Trump as the campaign progressed “while consistently offering negative coverage” of Hillary Clinton, the Democratic nominee.

Reporting on the FBI investigation into Russian propaganda, The Los Angeles Times in September quoted former correspondents who said that the FBI is absolutely right about the news outlets being propaganda outlets.

The newspaper quoted Andrew Feinberg, a former White House correspondent for Sputnik whom FBI agents interviewed for two hours in August about how much Russia pulled the strings at the publication:

[Sputnik] is not a news agency. It’s meant to look like one, but it’s propaganda.

Feinberg said that during his five months at Sputnik, his editors had no appetite for anything but stories about political conspiracies, making it clear that this was per orders from Moscow:

They always wanted to make the U.S. government look stupid. I was constantly told, ‘Moscow wanted this or Moscow wanted that.’

The publications vehemently deny being anything but independent news sources.

Sputnik and RT Editor-in-Chief Margarita Simonyan had this to say in a scornful statement:

Good to have Google on record as defying all logic and reason: facts aren’t allowed if they come from RT, ‘because Russia’ – even if we have Google on Congressional record saying they’ve found no manipulation of their platform or policy violations by RT.

Both Sputnik and RT last week registered with the US Department of Justice (DOJ) as foreign agents. They went kicking and screaming: It was either that or face potential felony charges of violating the Foreign Agents Registration Act (FARA).

Twitter, for its part, banned RT, Sputnik and all of their linked accounts from buying advertising, effective immediately as of the end of October.

Twitter said that it didn’t come to the decision lightly:

We… are taking this step now as part of our ongoing commitment to help protect the integrity of the user experience on Twitter.

Twitter said the move was made in light of the US intelligence community having named RT and Sputnik as state-sponsored election meddlers. The company’s planning to take the $1.9 million it’s made in global ads sales from RT since they became an advertiser in 2011, including $274,100 in 2016 US-based advertising, and donate it all to support external research into the use of Twitter in civic engagement and elections.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/0HeCRzqdN5U/

Loake Shoes admits: We’ve fallen victim to cybercrims

Miscreants, hackers – call ’em what you will – have pilfered email addresses from an unknown number of Loake Shoes customers.

In a letter sent to punters on its database – seen by The Register – the premium footwear maker said it has been “the victim of a cyber attack”.

“Despite having stringent security measures in place, this has resulted in our email server being compromised,” the missive stated.

This is more than a little embarrassing for a business that supplies handmade leather goods to the British royal family. Founded in 1880 by brothers Thomas, John and William Loake, the firm has since sold more than 50 million pairs of Goodyear welted shoes in more than 50 countries.

Loake said in the correspondence: “We do not store credit or debit card details on our system” but warned that customers “may receive spam or phishing emails which, at first glance, may appear to be from Loake.”

A spokeswoman for Loake has not responded to questions about when the breach took place, what the precise circumstances were, how many customer emails were accessed, whether all customers had been notified or about what the firm was doing to prevent a similar breach from occurring again.

Loake strangely described the attack as “similar in nature to that which was suffered by the NHS a few months ago” – presumably the WannaCrypt ransomware worm that held systems across the world hostage through encryption.

“We are not aware of any other breach of security and we apologise for any inconvenience caused,” Loake added in its letter.

A Loake customer told us he had expected an “established brand… could be trusted with my details”.

“The fact that they have likened their data breach to the recent NHS ransomware attack – two completely different events – reduces my confidence in their ability to deal with the situation and it also makes me question their reassurance that my credit card details are safe,” the customer added.

Etienne Greef, managing director of integrator Secure Data, told The Register it was “unlikely” that the breach was similar to the NHS attack as WannaCry does not access email servers, but rather encrypts information.

He said drawing comparisons with the NHS attack implied that Loake was running old, vulnerable versions of an operating system.

Greef suspected it was most likely to be a case where an administrator password to an email server was compromised, letting hackers access customer email lists.

Firms should “understand what happened before communication,” he added. “Confused communication does more damage than good.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/11/22/loake_shoes_email_accounts_compromised/

Possible cut to British F-35 order considered before Parliament

Rising costs might force the UK to reduce its order of F-35 fighter jets, the House of Commons has been told.

Lieutenant General Mark Poffley, chief of British military capability, told the Commons Defence Committee that he was “sympathetic” to the idea of reducing Britain’s planned order of 138 F-35B jets.

The short takeoff and vertical landing (STOVL) aircraft is the only modern fighter capable of flying from Britain’s two new aircraft carriers, the Queen Elizabeth-class. So far the UK has ordered 48 of the aircraft, and 13 have been delivered to RAF training squadrons based in America.

Costs have been a hot potato for the British F-35 programme – the initial order of 48 airframes has cost the taxpayer £9.2bn. This price (£191m per F-35B) includes the cost of spares, maintenance and training. The bare-bones price of the aircraft alone has been hotly disputed over recent months, though the MoD has previously said it hopes the manufacturer, US firm Lockheed Martin, will bring it down to below £100m per jet.

Negotiation for F-35 purchases is done by the American F-35 Joint Project Office. The UK has a contract with the JPO, which then carries out the actual negotiations over price. As a result of that contract, the JPO also decides which companies will win maintenance contracts – meaning British suppliers are obliged to deal with an American government agency instead of the MoD, which has previously insisted that it bought the F-35s outright and did not lease them. Though UK-headquartered multinational BAE Systems builds about 15 per cent of the F-35, it is not clear whether this is done in the UK or through BAE’s American subsidiary.

Concerningly, at yesterday’s Parliamentary hearing, committee chairman Julian Lewis MP commented that the drip-feed purchase of F-35s put it on a “similar” footing to Britain’s order of Type 45 destroyers for the Navy some years ago. Originally planned to comprise 12 warships, the order was salami-sliced down to just six ships.

“What’s clear, then, is that the 48 are safe, secure, done-and-dusted, as it were, as far as the financial cost is concerned, but after that there is inevitable uncertainty, that’s what you are telling us?” Lewis asked Poffley, as reported by The Telegraph.

The general replied: “I am afraid that is the reality of the world we are living in.”

Although Britain has publicly committed to buying 138 F-35s, something it restated yesterday, it has not said whether these will be the carrier-enabled B models or the land-based A models. Last year defence minister Harriett Baldwin refused to rule out a purchase of F-35As. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/11/22/uk_f35_order_cuts_parliament/

You’re such a goober, Uber: UK regulators blast hushed breach

Brit regulators, security agencies and MPs have slammed Uber for covering up the massive data breach of 57 million customer and driver records.

The company – already in hot water in London for its failure to toe the regulatory lines required of a taxi firm – has been widely condemned for concealing the 2016 breach.

The UK’s data protection watchdog said that yesterday’s revelations about the breach “raises huge concerns around [Uber’s] data protection policies and ethics”.

Uber has yet to break down the numbers of affected customers on a country-by-country basis – other than to say that 600,000 US drivers’ information was leaked – so it isn’t clear how many UK employees or customers are at risk.

Deputy information commissioner James Dipple-Johnstone said that if UK citizens had been affected then his organisation “should have been notified so that we could assess and verify the impact on people whose data was exposed”.

Deputy Labour leader Tom Watson echoed his concerns about the way the taxi biz handled the breach, saying it raised questions about Uber’s “culture and internal practices”.

In an open letter to CEO Dara Khosrowshahi, shared on Twitter, Watson lambasted Uber for failing to notify customers, observing that it seems perfectly capable of contacting them when it benefits the biz.

“I note that when Transport for London announced that they would not be renewing Uber’s licence to operate… Uber emailed its customers to ask them to protest against this decision on the very same day,” Watson wrote.

He also posed a list of questions drilling into who was aware of the breach, in addition to the two employees that have been jettisoned from the firm.

The ICO, the National Crime Agency and the National Security Centre said they were working together to investigate how the breach has affected UK customers.

The agencies pointed out that firms have a duty to ‘fess up to breaches so they can work together to tackle the breach and limit the harm to customers.

The ICO also indicated that deliberately concealing breaches “could attract higher fines”. Although, as many have noted, the revelation from Uber has come before the EU’s new General Data Protection Regulation – and its maximum €20m/£17m fine – kicks in next year.

Uber could not immediately offer any more information on the number of UK users or drivers affected; who was responsible for ensuring Uber complied with UK data protection law at the time of the breach; or when UK regulators and customers would be contacted. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/11/22/uk_regulators_condemn_uber_over_concealed_data_breach/

Samsung Pay Leaks Mobile Device Information

Researcher at Black Hat Europe will show how Samsung Pay’s security falls short and ways attackers could potentially bypass it.

Mobile users installing Samsung Pay on their devices could have sensitive information stolen by attackers due to a newly discovered weakness in the app that leaks the digital tokens that secure transactions and other technical information such as network traffic logs.

An attacker could capture this information without having to authenticate to the device, according to a Tencent researcher who goes by the name of HC, who at Black Hat Europe 2017 next month will present his findings on the Samsung Pay security weaknesses.

“This information can let the attacker learn much more about the internal mechanisms of Samsung Pay and allow them to use it to their advantage to go even deeper into Samsung Pay,” HC says.

The attacker, for example, could take the information and use it to view communication between users and their banks in plain text. With enough information, HC notes, an attacker could create another token to withdraw money from users’ bank accounts.

Samsung Pay’s tokens are unique alphanumeric identifiers generated via algorithms and designed to eliminate the need to use a credit card or debit card number.

“This is not a vulnerability in Samsung Pay, but a mistake in Samsung Pay’s app. The mistake is you don’t need privileges to get access to the phone log system,” says HC, who has notified Samsung about the issue.

HC conducted his research using a Samsung Galaxy S6 but says all Samsung Galaxy smartphones that feature Samsung Pay may be at risk.

The purpose of HC’s presentation is to discuss Samsung Pay’s security and how to generate a token without the device being physically present, which is different than a 2016 Black Hat Samsung Pay demonstration by another security researcher, HC notes.

Although HC in his research had aimed to generate a token without a Samsung Galaxy device, he acknowledged he was not able to achieve that goal because of the strength of the encrypted traffic and difficulty in accessing the secure chip to crack the encrypted key.

“It is possible to compromise Samsung Pay with the right tools and skills,” HC says, noting in his particular case the desired tools were not immediately available.


Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET’s …

Article source: https://www.darkreading.com/threat-intelligence/samsung-pay-leaks-mobile-device-information/d/d-id/1330480?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Iranian military hacker fingered for ‘Game of p0wns’ HBO leak

The United States’ Department of Justice has identified a suspect in July’s attack on Home Box Office, naming an Iranian national, Behzad Mesri, in an indictment unsealed Tuesday, November 21.

Announcing the charges, acting Manhattan US attorney Joon Kim said Mesri “had previously hacked computer systems for the Iranian military”.

HBO acknowledged the breach in late July, after the attacker began leaking news of an exploit after the broadcaster didn’t pay the US$5.5 million (in Bitcoin) ransom, later increased to $6 million.

While working for the military, the indictment [PDF] claimed, Mesri conducted attacks on “military systems, nuclear software systems, and Israeli infrastructure”. He also stands accused of being an occasional member of the hacking collective “Turk Black Hat Security”. As a “Turk Black Hat”, the indictment said he took part in website defacements using the handle “Skote Vahshat”.


In his hack-and-extort campaign against HBO, Mesri identified locations the company’s staff used for remote access, compromised “multiple user accounts” of staff and contractors, and from there, logged into HBO’s systems, the indictment said.

His haul allegedly included episodes of Ballers, Barry, Room 104, Curb Your Enthusiasm and The Duce, but from Mesri’s point of view the jewel in the crown was “scripts and plot summaries for unaired programming” including Game of Thrones episodes. The attack also yielded financial documents, one employee’s e-mails, and social media account credentials.

What’s missing in the announcement is Mesri himself: he’s not in the US, so there’s no arrest at this point. Kim said: “Mesri now stands charged with federal crimes, and although not arrested today, he will forever have to look over his shoulder until he is made to face justice”. He also added the following obligatory GoT reference:

“For hackers who test our resolve in protecting our intellectual property – even those hiding behind keyboards in countries far away – eventually, winter will come.”

®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/11/22/department_of_justice_names_behzad_mesri_as_hbo_hacker/