STE WILLIAMS

A senior US lawmaker Tuesday slammed ride-hailing giant Uber for not promptly disclosing a November 2016 breach that exposed personal data on 57 million people, choosing instead to pay $100,000 to keep the two perpetrators of the theft silent.

At a hearing before the Senate Committee for Commerce, Science Transportation, Sen. Richard Blumenthal (D-Conn.) described Uber’s action as “morally wrong and legally reprehensible.”

Uber’s payoff violated not only the law but also the norm of what should be expected in such situations, Blumenthal said. “Drivers and riders were not informed and neither was law enforcement. In fact, it was almost a form of obstruction of justice.”

Uber CEO Dara Khosrowshahi last November disclosed that the company had a year ago quietly paid two hackers $100,000 to destroy data they had stolen from a cloud storage location. The compromised data included names and driver’s license information for some 600,000 Uber drivers in the US, and also the names, email addresses, and cellphone numbers of some 57 million Uber riders and drivers worldwide in total.

Khosrowshahi claimed he learned of the data breach and the payoff only just prior to disclosing it and vowed to make changes to ensure the same lapse would not happen again. He also disclosed that Uber had fired CISO Joe Sullivan and another executive who had led the response to the breach.

In testimony before the Senate Committee Tuesday, Uber CISO John Flynn admitted the company had made a mistake in not disclosing the breach in a timely fashion. But he claimed the primary goal in paying the intruders was to protect the stolen data.

“I would like to echo statements made by new leadership, and state publicly that it was wrong not to disclose the breach earlier,” Flynn said. There is no justification for Uber’s breach notification failure, Flynn candidly admitted. “The real issue was we didn’t have the right people in the room making the right decisions.”

According to Flynn, Uber first learned about the breach on November 14, 2016, when one of the attackers sent an email informing the company that its data had been accessed. The attacker demanded a six-figure ransom payment for not leaking the data.

Uber security engineers were quickly able to determine the thieves had accessed copies of certain databases and files stored in a private location on Amazon’s AWS cloud.

The attackers had apparently managed to gain access to the data using a legitimate credential that they found within code on a repository for Uber engineers on GitHub. The discovery prompted Uber to take immediate measures like implementing multifactor authentication on Github and across the company and adding auto-expiring credentials to protect against similar attacks.

In response to questions, Flynn admitted that Uber’s decision to pay the $100,000 ransom amount, as a bug bounty, was a mistake as well. Like many other companies, Uber runs a vulnerability disclosure program that offers cash rewards to white-hat hackers who find and report exploitable security bugs in its services. HackerOne has been managing Uber’s bug bounty program since 2018.

Blumenthal and Sen. Catherine Cortez Masto (D-Nev.) wanted to know why Uber had decided to pay the attackers the demanded $100,000 in the form a bug bounty. Both lawmakers pointed out that the actions by the two individuals was criminal in nature and not something that anyone would consider as responsible bug disclosure activity.

“The key distinction is they not only found a weakness but also exploited it in a malicious fashion to access and download data,” Blumenthal noted. “Concealing, it in my view, is aiding and abetting the crime.”

Masto expressed some incredulity that Uber would try to point malicious attackers to its managed bug bounty program in the first place. “So there was a criminal element trying to get into your data…and you are trying to put them on the right path?” she asked.

Flynn admitted that the intruders in this case were fundamentally different from usual bug hunters. He claimed that Uber decided to use the bug bounty program only as a means to gain attribution and assurances from the attackers. “We recognize that the bug bounty program is not an appropriate vehicle for dealing with intruders who seek to extort funds from the company,” he noted.

Casey Ellis, founder of managed bug hunting service Bugcrowd, said today’s hearing shines a spotlight on the ethics of Uber’s response. “This was not a bug bounty payout. This was extortion, and the difference between the two is unambiguous.”

Related Content:

• Uber Paid Hackers $100K to Conceal 2016 Data Breach
• Uber’s Security Slip-ups: What Went Wrong
• Time to Pull an Uber and Disclose Your Data Breach Now
• 9 of the Biggest Bug Bounty Programs

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio

Article source: https://www.darkreading.com/informationweek-home/ubers-response-to-2016-data-breach-was-legally-reprehensible-lawmaker-says/d/d-id/1330997?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

A senior US lawmaker Tuesday slammed ride-hailing giant Uber for not promptly disclosing a November 2016 breach that exposed personal data on 57 million people, choosing instead to pay $100,000 to keep the two perpetrators of the theft silent.

At a hearing before the Senate Committee for Commerce, Science Transportation, Sen. Richard Blumenthal (D-Conn.) described Uber’s action as “morally wrong and legally reprehensible.”

Uber’s payoff violated not only the law but also the norm of what should be expected in such situations, Blumenthal said. “Drivers and riders were not informed and neither was law enforcement. In fact, it was almost a form of obstruction of justice.”

Uber CEO Dara Khosrowshahi last November disclosed that the company had a year ago quietly paid two hackers $100,000 to destroy data they had stolen from a cloud storage location. The compromised data included names and driver’s license information for some 600,000 Uber drivers in the US, and also the names, email addresses, and cellphone numbers of some 57 million Uber riders and drivers worldwide in total.

Khosrowshahi claimed he learned of the data breach and the payoff only just prior to disclosing it and vowed to make changes to ensure the same lapse would not happen again. He also disclosed that Uber had fired CISO Joe Sullivan and another executive who had led the response to the breach.

In testimony before the Senate Committee Tuesday, Uber CISO John Flynn admitted the company had made a mistake in not disclosing the breach in a timely fashion. But he claimed the primary goal in paying the intruders was to protect the stolen data.

“I would like to echo statements made by new leadership, and state publicly that it was wrong not to disclose the breach earlier,” Flynn said. There is no justification for Uber’s breach notification failure, Flynn candidly admitted. “The real issue was we didn’t have the right people in the room making the right decisions.”

According to Flynn, Uber first learned about the breach on November 14, 2016, when one of the attackers sent an email informing the company that its data had been accessed. The attacker demanded a six-figure ransom payment for not leaking the data.

Uber security engineers were quickly able to determine the thieves had accessed copies of certain databases and files stored in a private location on Amazon’s AWS cloud.

The attackers had apparently managed to gain access to the data using a legitimate credential that they found within code on a repository for Uber engineers on GitHub. The discovery prompted Uber to take immediate measures like implementing multifactor authentication on Github and across the company and adding auto-expiring credentials to protect against similar attacks.

In response to questions, Flynn admitted that Uber’s decision to pay the $100,000 ransom amount, as a bug bounty, was a mistake as well. Like many other companies, Uber runs a vulnerability disclosure program that offers cash rewards to white-hat hackers who find and report exploitable security bugs in its services. HackerOne has been managing Uber’s bug bounty program since 2018.

Blumenthal and Sen. Catherine Cortez Masto (D-Nev.) wanted to know why Uber had decided to pay the attackers the demanded $100,000 in the form a bug bounty. Both lawmakers pointed out that the actions by the two individuals was criminal in nature and not something that anyone would consider as responsible bug disclosure activity.

“The key distinction is they not only found a weakness but also exploited it in a malicious fashion to access and download data,” Blumenthal noted. “Concealing, it in my view, is aiding and abetting the crime.”

Masto expressed some incredulity that Uber would try to point malicious attackers to its managed bug bounty program in the first place. “So there was a criminal element trying to get into your data…and you are trying to put them on the right path?” she asked.

Flynn admitted that the intruders in this case were fundamentally different from usual bug hunters. He claimed that Uber decided to use the bug bounty program only as a means to gain attribution and assurances from the attackers. “We recognize that the bug bounty program is not an appropriate vehicle for dealing with intruders who seek to extort funds from the company,” he noted.

Casey Ellis, founder of managed bug hunting service Bugcrowd, said today’s hearing shines a spotlight on the ethics of Uber’s response. “This was not a bug bounty payout. This was extortion, and the difference between the two is unambiguous.”

Related Content:

• Uber Paid Hackers $100K to Conceal 2016 Data Breach
• Uber’s Security Slip-ups: What Went Wrong
• Time to Pull an Uber and Disclose Your Data Breach Now
• 9 of the Biggest Bug Bounty Programs

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio

Article source: https://www.darkreading.com/informationweek-home/ubers-response-to-2016-data-breach-was-legally-reprehensible-lawmaker-says/d/d-id/1330997?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Adobe issued its planned security update today for a previously unknown vulnerability in Flash Player that was exploited in targeted attacks against South Korean individuals. The software firm last week promised to patch the critical use-after-free bug, which was discovered and reported by South Korea’s Computer Emergency Response Team.

The attacks, believed to be the handiwork of a state-sponsored campaign by North Korea, inserted malicious Flash content inside Microsoft Office documents emailed to the victims. The vulnerability (CVE-2018-4878) allows remote code execution.

Adobe in its Flash update also patched a second critical use-after-free flaw in Flash, CVE-2018-4877, which also allows an attacker to remotely execute code on the victim’s machine.

For details on the security update, see Adobe’s advisory here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/vulnerabilities---threats/adobe-patches-flash-zero-day-used-in-south-korean-attacks/d/d-id/1330993?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Ukrenergo, Ukraine’s state-run power distributor, will invest up to $20 million in a new cyber defense system, according to its chief executive Vsevolod Kovalchuk, reports Reuters. 

The Ukrainian energy industry has been a hot target for threat actors in recent years. On Dec. 23, 2015, attackers used stolen user credentials to remotely access and manipulate the industrial control systems of three regional power firms and shut down power for 225,000 customers in Western Ukraine. One year later, a power outage in Kiev Dec. 16, 2016 was also confirmed to be caused by a cyberattack, and linked to the same group of threat actors as the 2015 blackout. Ukrenergo was also a victim of the NotPetya outbreak in June 2017.

Kovalchuk told reporters in a briefing that the $20 million investment would go both to security technology and administrative action, and would be in place by 2020.

“We have developed a new concept of cybersecurity whose key goal is to make it physically impossible for external threats to affect the Ukrainian energy system,” he said, reports Reuters.

For more information, read here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/operations/ukraine-power-distro-plans-$20-million-cyber-defense-system/d/d-id/1330994?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Businesses deploying cloud-based applications and services often overlook critical security steps as they scramble to keep up with the latest technology, and the rush is putting them at risk.

“There’s a lot of customers who have this cloud-first mandate,” says JK Lialias, senior director of cloud access at Forcepoint. “They’ve been told, ‘thou shalt move to the cloud as much infrastructure as you possibly can.'”

A lot of pressure is on line-of-business employees to adopt cloud applications and infrastructure, he continues. IT departments are essential in delivering these services and often neglect to understand how on-premises data and processes translate to the cloud.

“What’s happening in the move to the cloud has happened in the tech industry from the beginning,” says Michael Landewe, Avanan co-founder and VP of business development. “People move to new tech based on new features and capabilities. Security always follows.”

The gap between moving to the cloud and implementing strong security has shrunk as new technologies accelerate the process, he explains. However, most companies are still followers and don’t take all the necessary steps, sacrificing security in the process.

Never Assume You’re Secure
There’s a lot of assumption when it comes to cloud responsibility. “Some businesses think the whole security issue is something you put into the provider’s realm,” says Jim Reavis, CEO of the Cloud Security Alliance. “The cloud provider may have security services and capabilities, which you can order as an extra, but a lot of responsibilities shift to the cloud.”

Cloud providers typically own the hardware, network, host operator, and virtual machines, says Dan Hubbard, senior security architect at Lacework. The customer owns everything above that: operating systems, containers, applications, and all of the related access controls.

“This is where things get a little muddy from a corporate perspective,” he explains. Most companies have parameters in traditional data centers, and their core principles and rules don’t apply in the public cloud.

Landewe points to the shared responsibility model, which reminds companies they must secure data they move to the cloud. Many businesses, especially those with small IT departments, hand responsibility for data access and security to cloud providers. The service-level agreement from most vendors explains where customers are responsible for their data.

“You need to have an honest conversation with the vendor and ask, ‘where does your security responsibility end and where does mine begin?'” he explains. The owner of the data still has to be entirely responsible for that information.

Skipped Steps and Dangerous Consequences
“It’s one of those things where the speed sometimes impedes overall understanding and education,” says Lialias of the transition to cloud. “This is one of the areas where it needs to be balanced.”

Hubbard puts companies into two categories: cloud natives, which were founded in the cloud and don’t need to migrate, and larger businesses with traditional data centers. The latter group is navigating the transition to public cloud and overlooking critical steps in the process.

Proper account configuration is key here. Last year’s series of Amazon Web Services (AWS) leaks affecting major organizations, from Viacom to the Republican National Committee, demonstrated a broad oversight of basic cloud configuration steps. It’s an easy and dangerous misstep.

“From what we have seen and what we know about these, they have all come down to client-based issues; mistakes they’ve made,” says Reavis. AWS has strong security but most people don’t know to properly configure their access so that data is secured. If they’re making these configuration errors in AWS, they’re likely making them in other services, he adds.

Cloud credentials must also be secured, Hubbard emphasizes. Attackers frequently steal login data for platforms like AWS and Azure, and abuse the power of the cloud on behalf of customers to mine cryptocurrency, send spam, and distribute distributed denial-of-service attacks.

“If someone gets access to those, they can impersonate you in your portion of the cloud,” he says. “You need to manage access to the machines … who logs into machines, from where, and what do they do when they log in.”

Admins should adopt two-factor authentication and lock access so administrative accounts can only log in from certain IP addresses. Uneducated admins can do a lot of damage very quickly, says Reavis, who says phishing and credential-based attacks will be common going forward. There should be closer scrutiny on how admin accounts are hardened.

“Once someone has access to your account, they do everything in their power to maintain that control,” says Landewe. Administrators aren’t the only ones at risk, he notes. Many attackers target low-level employees and, once they’re in, use that access to target high-level workers.

Do Your Due Diligence
The average enterprise has about 1,000 software-as-a-service applications in use, says Lialias. They probably know about 600 of them, and there might be 30 that could potentially be very high risk. Businesses know they house both sanctioned and unsanctioned applications. It’s up to them to understand what’s out there and assume control over the software that employees use.

“The key for moving to the cloud is doing due diligence,” he explains. “They swipe a card and click a button, and they forget their due diligence.”

While mistakes can and will happen, businesses can stay one step ahead by ensuring accounts are properly configured, credentials are secured, and they have visibility into the applications being used and people using them. Being able to see and control data is essential.

Experts “hope” to see a slowdown in incidents like AWS bucket leaks and see companies marry caution with speed. However, many will need a wake-up call before adopting best practices.

“We’re going to see more of the same in organizations needing to make a mistake to learn that they need to take this seriously,” says Reavis. He advises businesses to look to educational programs from major cloud providers, the Cloud Security Alliance, and (ISC)², which all have cloud security courses.

Related Content:

• 2017 Smashed World’s Records for Most Data Breaches, Exposed Information
• Over 12,000 Business Websites Leveraged for Cybercrime
• Poor Visibility, Weak Passwords Compromise Active Directory
• Crypto-Mining Attacks Emerge as the New Big Threat to Enterprises

Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University. View Full Bio

Article source: https://www.darkreading.com/cloud/security-vs-speed-the-risk-of-rushing-to-the-cloud/d/d-id/1330996?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

A senior US lawmaker Tuesday slammed ride-hailing giant Uber for not promptly disclosing a November 2016 breach that exposed personal data on 57 million people, choosing instead to pay $100,000 to keep the two perpetrators of the theft silent.

At a hearing before the Senate Committee for Commerce, Science Transportation, Sen. Richard Blumenthal (D-Conn.) described Uber’s action as “morally wrong and legally reprehensible.”

Uber’s payoff violated not only the law but also the norm of what should be expected in such situations, Blumenthal said. “Drivers and riders were not informed and neither was law enforcement. In fact, it was almost a form of obstruction of justice.”

Uber CEO Dara Khosrowshahi last November disclosed that the company had a year ago quietly paid two hackers $100,000 to destroy data they had stolen from a cloud storage location. The compromised data included names and driver’s license information for some 600,000 Uber drivers in the US, and also the names, email addresses, and cellphone numbers of some 57 million Uber riders and drivers worldwide in total.

Khosrowshahi claimed he learned of the data breach and the payoff only just prior to disclosing it and vowed to make changes to ensure the same lapse would not happen again. He also disclosed that Uber had fired CISO Joe Sullivan and another executive who had led the response to the breach.

In testimony before the Senate Committee Tuesday, Uber CISO John Flynn admitted the company had made a mistake in not disclosing the breach in a timely fashion. But he claimed the primary goal in paying the intruders was to protect the stolen data.

“I would like to echo statements made by new leadership, and state publicly that it was wrong not to disclose the breach earlier,” Flynn said. There is no justification for Uber’s breach notification failure, Flynn candidly admitted. “The real issue was we didn’t have the right people in the room making the right decisions.”

According to Flynn, Uber first learned about the breach on November 14, 2016, when one of the attackers sent an email informing the company that its data had been accessed. The attacker demanded a six-figure ransom payment for not leaking the data.

Uber security engineers were quickly able to determine the thieves had accessed copies of certain databases and files stored in a private location on Amazon’s AWS cloud.

The attackers had apparently managed to gain access to the data using a legitimate credential that they found within code on a repository for Uber engineers on GitHub. The discovery prompted Uber to take immediate measures like implementing multifactor authentication on Github and across the company and adding auto-expiring credentials to protect against similar attacks.

In response to questions, Flynn admitted that Uber’s decision to pay the $100,000 ransom amount, as a bug bounty, was a mistake as well. Like many other companies, Uber runs a vulnerability disclosure program that offers cash rewards to white-hat hackers who find and report exploitable security bugs in its services. HackerOne has been managing Uber’s bug bounty program since 2018.

Blumenthal and Sen. Catherine Cortez Masto (D-Nev.) wanted to know why Uber had decided to pay the attackers the demanded $100,000 in the form a bug bounty. Both lawmakers pointed out that the actions by the two individuals was criminal in nature and not something that anyone would consider as responsible bug disclosure activity.

“The key distinction is they not only found a weakness but also exploited it in a malicious fashion to access and download data,” Blumenthal noted. “Concealing, it in my view, is aiding and abetting the crime.”

Masto expressed some incredulity that Uber would try to point malicious attackers to its managed bug bounty program in the first place. “So there was a criminal element trying to get into your data…and you are trying to put them on the right path?” she asked.

Flynn admitted that the intruders in this case were fundamentally different from usual bug hunters. He claimed that Uber decided to use the bug bounty program only as a means to gain attribution and assurances from the attackers. “We recognize that the bug bounty program is not an appropriate vehicle for dealing with intruders who seek to extort funds from the company,” he noted.

Casey Ellis, founder of managed bug hunting service Bugcrowd, said today’s hearing shines a spotlight on the ethics of Uber’s response. “This was not a bug bounty payout. This was extortion, and the difference between the two is unambiguous.”

Related Content:

• Uber Paid Hackers $100K to Conceal 2016 Data Breach
• Uber’s Security Slip-ups: What Went Wrong
• Time to Pull an Uber and Disclose Your Data Breach Now
• 9 of the Biggest Bug Bounty Programs

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio

Article source: https://www.darkreading.com/attacks-breaches/lawmaker-says-ubers-response-to-2016-data-breach-was--legally-reprehensible-/d/d-id/1330997?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple