Uber was hacked last year (its board and new CEO just found out).
Late Tuesday, in an announcement its CEO posted to the company's website, Uber disclosed that it had sustained a breach in October 2016 (Uber). It's just now making the data loss public (Bloomberg). The breach isn't record-setting, but it's big enough: Uber says that 57 million individuals (mostly users, but including some 600 thousand drivers) were affected. Riders' names, email addresses and mobile phone numbers were lost; drivers' names and license numbers were exposed. User information was lost in many countries around the world, but the affected drivers appear to have all worked in the US. Users may get more information from Uber here, and drivers may go to this site for help. (The company says that the following information was not affected: "trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth.")
How the ride service was hacked and whodunnit.
The breach is said to be traceable to stolen credentials. Bloomberg and others report that the hackers got credentials from a private GitHub site Uber software developers used, and then employed those credentials to access data stored in an Amazon Web Services (AWS) bucket (Security Week).
Users began complaining of suspicious activity on their Uber accounts early this year, with irate tweets spiking in April and May. The suspects will surprise few: Russian criminals, apparently a gang of two (Times). The Times reports soberly enough, but the prize for the best headline goes to Fleet Street tabloid The Sun, which screamed: "PUTIN ON THE METER Has your Uber account been hacked by Russians for cab rides around MOSCOW?" (capitals in the original). (One hopes the drivers at least got tipped, perhaps in the popular Russian cryptocurrency WhopperCoin. And why just Moscow? There are surely cabs in St. Petersburg and Chelyabinsk, too. Where's the love, Sun?)
Uber's response.
Uber's current CEO, Dara Khosrowshahi, said that two executives responsible for security were "no longer with" the company (ABA Journal). The company's Chief Security Officer, Joe Sullivan (a former Federal prosecutor who joined Uber in 2015 after a stint as General Counsel at Facebook) and one of his direct reports, in-house counsel Craig Clark (Legal Director, Security and Law Enforcement) are reported to have both ignored reporting requirements and paid the hackers $100 thousand to delete the stolen data and keep quiet about the incident. Clark is said to have been fired; reports say that Khosrowshahi asked for (and got) Sullivan's resignation (Law.com).
Khosrowshahi also said he'd brought in Matthew Olsen, an attorney, former senior US counterterrorism official, and co-founder of IronNet, to help Uber move forward from the incident (Uber). Khosrowshahi took over as CEO at the end of August, recently enough that he may be able to preside credibly over the painful house-cleaning.
Consequences for Uber?
The usual class action suits have begun, the first one filed in Federal court by a San Francisco law firm seeking to represent everyone whose data were compromised in the incident (Bloomberg). Forty-eight US states have laws regulating breaches and incident disclosure, and at least three states—Connecticut, Illinois, and New York—say they've begun inquiries (recode).
Concern and regulatory attention have, like the breach, been international (US News and World Report). In the UK, the Information Commissioner's Office (ICO) has opened an investigation The ICO said Wednesday, "It's always the company's responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers. Deliberately concealing breaches from regulators and citizens could attract higher fines for companies." HM Government has also said that Uber failed to give accurate figures concerning the number of British citizens affected (Times).
While the EU's General Data Protection Regulation (GDPR) doesn't come into full effect until May 2018, observers have noted how large Uber's exposure would have been under GDPR, and that the incident shows that there's a need for GDPR (PCR). It's also interesting to see the ways in which GDPR is already affecting people's notions of reasonableness in breach disclosure (SC Magazine).
The US Federal Trade Commission (FTC) has opened an investigation into the breach (Reuters); observers speculate that the Commission will view it in the light of an earlier consent decree the FTC reached with Uber (TechCrunch).
Uber has seen other troubles over the past year. Some arose from outside, often from skepticism concerning the gig economy that the popular ride-service is held to exemplify—such skepticism is particularly pronounced in organized labor and highly regulated industries (Nation). Other troubles were self-inflicted, particularly the lad culture of misbehavior that took down the founding CEO in June (Reuters, Quartz, New York Times). One of the earlier self-inflicted wounds arose over Uber's slow-rolling disclosure of a 2014 breach (Los Angeles Times). That breach prompted a 2017 consent decree with the FTC: no fine, but an agreement to submit to security audits and an undertaking to do better in the future (WIRED).
Not all the consequences are legal or regulatory. The breach disclosure is believed likely to affect a large investment Japan's SoftBank has been negotiating with Uber, and prospects for a successful IPO in 2019 have also grown cloudier (US News and World Report).
Secret clouds.
Amazon Web Services has announced a new cloud designed to meet the needs of the US Intelligence Community: AWS Secret Region. Secret Region will allow intelligence agencies to ingest, store, share, and handle classified data. The CIA's Chief Information Officer likes it, and says he believes Secret Region to be a better, more secure solution than the CIA's own data centers (Defense One). The new service is said to be a multi-leveled one, capable of handling information from unclassified through top secret (Washington Post)
That big big leak from a contractor's S3 buckets? It wasn't secret, but it appeared sensitive. It was benign, the US Department of Defense said this week. Open-source collection efforts by a now-defunct contractor, VendorX, on behalf of US Central Command and US Pacific Command archived 1.8 billion social-media posts, many of them by US citizens. UpGuard found the archive in unsecured Amazon Web Services S3 buckets ("centcom-backup," "centcom-archive," and "pacom-archive") established by VendorX.
Representatives of the Defense Department say the whole effort was benign, and that not only were the posts public and freely accessible, in any case the data weren't analyzed into intelligence products. It is indeed difficult to see how this effort differs from what a conventional clipping service might offer, but of course large-scale information sweeps always seem to carry a creepy vibe. UpGuard says it's "shocked," over both the appearance of surveillance and the carelessness that let UpGuard's researchers find the stuff in the first place. All the bucket owners would have needed to do was change a few settings and their data would have been much harder to acquire (Threatpost).
The OWASP Top Ten Vulnerabilities of 2017 are out.
OWASP's Top Ten Vulnerabilities show some changes from 2016's version. The top two remain Injection and Broken Authentication, but Sensitive Data Exposure has risen from number six to number three. Rounding out the ten in order are XML External Entities, Broken Access Control, Security Misconfiguration, Cross-Site Scripting, Insecure Deserialization, Using Components with Known Vulnerabilities, and Insufficient Logging and Monitoring (Security Week). Three new categories figure on the list: XML External Entities, Insecure Deserialization, and Insufficient Logging and Monitoring. Broken Access Control merges two former categories, Insecure Direct Object Reference and Missing Function Level Access Control (Dark Reading).
Information operations.
Google and Twitter, in their ongoing efforts to dissociate themselves from the widespread sense that they're passive conduits of lucrative fake news, have restricted the ability of Russian outlets RT and Sputnik to appear in their channels. Google has "deranked" their stories from its search results, and Twitter says it's no longer interested in accepting advertising from them (Naked Security). (Forbes has a piece on Google's TrustRank process. How Google actually does this isn't publicly documented, but it's widely believed to employ various algorithms, whose output the Forbes contributor takes a shot at discerning.)
Official US efforts at countering state-sponsored online disinformation are generally regarded as having been less than fully successful. The State Department's Global Engagement Center (GEC), to take one initiative, initially focused on countering terrorist messaging, but under the Countering Foreign Propaganda and Disinformation Act of 2016 received the additional mission of working against state propaganda. Observers assess the GEC's performance as less than mixed (WIRED).
Social media amount to a privatized panopticon.
Or so they say. But don't take it from us. Here: former Facebook operations manager Sandy Parakilas thinks so (Naked Security). He argued in a New York Times op-ed Monday that social media won't regulate themselves. "This makes for a dangerous mix: a company that reaches most of the country every day and has the most detailed set of personal data ever assembled, but has no incentive to prevent abuse. Facebook needs to be regulated more tightly, or broken up so that no single entity controls all of its data." The piece's anti-trust goals are arguably more within reach than would be the sort of AI-driven content filtering many others anticipate. (Also easier than the remediation through the humanities a Guardian op-ed recommends.)
Internet-enabled terrorist movement.
US Federal prosecutors describe the accused Manhattan truck killer, Sayfullo Saipov, as having been thoroughly committed to and inspired by ISIS. In some respects the prosecution breaks new ground: the theory is that the defendant committed murder in support of a racketeering enterprise, but it hinges on inspiration as opposed to more traditional grounds of material support (New York Law Journal).
ISIS's intelligence service, in the few remaining pockets of territory where it can operate, is both enduring and thoroughly penetrated by hostile governments and, more importantly, by its local victims and their survivors (Foreign Affairs).
Has everyone actually been hacked?
Or is this just a hyberbolic way of encouraging caution, good hygiene, and so forth online? The warning came from a senior British police official, Peter Goodman, National Police Chiefs' Council lead for cybercrime and Chief Constable for Derbyshire. Behind the headline, the claim is more modest and more supportable: odds are, given the amount of information individuals connected to the Internet place there in the ordinary course of buying, selling, and communicating, it's a safe bet that any given individual has had at least some information exposed in a data breach, leak, or misconfiguration. But the notion that some bad actor has established persistence or loaded malware into everyone's phone, table, laptop, or home system? Implausible (Security Week).
Artificial intelligence could be made naturally nice?
There's no shortage of interest in artificial intelligence, and no shortage of work being done in the field by government labs, established companies of all sizes, universities, and of course startups. AI has aroused both extravagant hopes and very dark fears. One Israeli start-up, Coneuron, is developing a platform that aspires to take AI down a better path. Its intention is to use AI to "monitor and detect certain harmful activities that take place in the virtual space and request feedback from users about those activities" (CTECH). So a kind of crowd-sourced education in virtue.
Do you need an RFID-blocking wallet (and other notes on consumer security products)?
Black Friday came and went, Cyber Monday is tomorrow, but the holiday shopping season will persist up to the New Year. There's no shortage of advice on staying safe online (Fox59, Help Net Security, Barracuda) and there also are many offers for consumer security products. Among those on offer are RFID-blocking wallets, purses, other items. These are basically Faraday cages for carrying your credit cards and other RFID-readable media around in. The idea is that they can protect you from virtual pickpockets. But a column in CSO calls them "snake oil," since, as the writer says, there's really no evidence anyone is stealing RFID data in casual brush-by pilferage. Fair enough, but still, we saw KnowBe4's Kevin Mitnick demonstrate something very much like this kind of hack at the Cyber Investing Summit on Wall Street this past summer, so maybe the snake oil has some value after all. At least as a lubricant?
Patch notes.
Microsoft policed up issues lingering from earlier patches this week (Computerworld). The way in which Redmond patched Equation Editor (an Office component) has led outsiders to speculate that Microsoft may no longer have the source code (Ars Technica). Amazon Echo and Google Home were patched against BlueBorne (Naked Security). The most significant fix this week, however, is Intel's patch to its Management Engine (eWEEK). The US Department of Homeland Security strongly advises enterprises to apply this one quickly (Reuters).
Industry notes.
The Red Herring Top 100 Global winners have been announced. Twenty-four of them look like security companies to us. Here they are, in alphabetical order: Averon, Beagle, BluVector, Contrast Security, CTM360, Digital Guardian, Disk Archive, Exabeam, Fraud.net, FraudBuster, Haystax, IntelliVision, Kyriba, Nozomi Networks, NSS Labs, Onapsis, RedSeal, RiskIQ, Seceon, Sift Security, SparkCognition, Trillium, vArmour, and Versa Networks. To compete for this award, a company must be privately held, operate in technology or life sciences, and be headquartered in Asia, Europe, or the Americas. Among the criteria Red Herring uses in selecting winners are: level of specialty, IP created through internal research and development, social contribution, market "disruptiveness," venture investment, market maturity, international footprint, revenues and "overall globalisation," growth stage, growth rate, awards and recognitions, market size, "execution index," technological advantage, number of customers and users, "regional considerations," branding, team experience and record, and team quality. Congratulations to all the winners.
There are some companies on this list who've recently been honored elsewhere. Onapsis, for one, figured among Deloitte's Fast 500 earlier this month. And both Haystax and vArmour took home honors in 2017's SINET 16 competition.
At-Bay, a new company specializing in cyber insurance, emerged from stealth this week (BusinessWire). Israeli IoT security specialist SCADAfence has raised $10 million in a Series A round (Globes).
Broadcom's failed (so far) bid for Qualcomm is seen as representative of a shift in the chip industry, which is seeking to diversify away from mobile device chips and into products that will serve the coming market for artificial intelligence (Financial Times). One acquisition that seems likely to go through is Marvell's purchase of Cavium, regarded as an attempt to position the combined company to compete with Broadcom (Ars Technica).
After all major browser vendors decided they will no longer trust the company's certificates, StartCom, a certificate authority based in Beijing, is being shut down by its board of directors (Security Week).
After six years at the head of HP, during which time the company split into four entities, Meg Whitman has announced that her work there is done: the business is better and more agile. She's stepping down as CEO of HP Enterprise this coming February. She does plan to retain her non-executive chair role (Computing).