Month: December 2017

Uber breach affected 57 million users, covered up for a year

Posted on

By: Michael Heller, Senior Reporter, Security Digest,Tech Target

A 2016 Uber breach affecting data for 57 million users was covered up by the company, including a $100,000 payment to the attackers to keep the incident quiet.

Malicious actors stole personal data on hundreds of thousands of Uber drivers and millions of Uber users and the company allegedly covered up the breach for one year, including reportedly paying the attackers to keep quiet.

According to new CEO Dara Khosrowshahi, the Uber breach was due to two malicious actors accessing “a third-party cloud-based service” — reportedly GitHub and Amazon Web Services (AWS) — in late 2016 and downloading files containing names and driver’s license information on 600,000 U.S. Uber drivers and personal information — names, email addresses and phone numbers — for 57 million Uber customers from around the world. According to Bloomberg, which was first to report the Uber breach, the incident was covered up by two members of the company’s infosec team.

“None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes,” Khosrowshahi wrote in a blog post. “We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”

Khosrowshahi said the “failure to notify affected individuals or regulators last year” prompted a number of actions, including firing the two individuals responsible for the Uber breach response — Joe Sullivan, former federal prosecutor and now ex-CSO at Uber, and Craig Clark, one of Sullivan’s deputies — notifying and offering ID and credit monitoring to the affected drivers, notifying regulators and monitoring the affected customer accounts.

Details of the Uber data breach

According to Bloomberg, the attackers accessed a private GitHub repository used by Uber in October 2016 and used stolen credentials from GitHub to access an archive of information stored on an AWS account.

Terry Ray, CTO of Imperva, said the use of GitHub “appears to be a prime example of good intentions gone bad.”

“Using an online collaboration and coding platform isn’t necessarily wrong, and it isn’t clear if getting your accounts hacked on these platforms is even uncommon. The problem begins with why live production data was used in an online platform where credentials were available in GitHub,” Ray told SearchSecurity. “Sadly, it’s all too common that developers are allowed to copy live production data for use in development, testing and QA. This data is almost never monitored or secured, and as we can see here, it is often stored in various locations and is often easily accessed by nefarious actors.”

Sullivan reportedly took the lead in the Uber breach response and, along with Clark, worked to keep the incident under wraps, including paying the attackers $100,000 to delete the stolen personal data and to keep quiet.

Khosrowshahi mentioned communication with the attackers in his blog post, but did not admit to any payment being made.

“At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals. We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed,” Khosrowshahi wrote. “We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.”

Jeremiah Grossman, chief of security strategy at SentinelOne, said it can be “difficult, if not impossible, for an organization to lock down” a vector like GitHub.

“Developers accidentally, and often unknowingly, share credentials over GitHub all the time where they become exposed,” Grossman told SearchSecurity. “While traditional security controls remain crucial to organizational security, it’s no good if individuals with access to private information expose their account credentials in a place where they can be obtained and misused by others.”

Willy Leichter, vice president of marketing at Virsec Systems Inc., said if the details of this Uber breach cover-up are verified, it could been extremely damaging for the company.

“This is a staggering breach of customer trust, ethical behavior, common sense and legal requirements for breach notification. Paying hackers to conceal their crimes is as shortsighted as it is stupid,” Leichter told SearchSecurity. “If this had happened after the EU GDPR kicks in, Uber would cease to exist. That may be the outcome anyway.”

Uber breach ramifications

The 2016 breach is the latest in a long line of issues for Uber. At the time of the incident, Uber was already under investigation for separate privacy violations. The company is also battling various lawsuits from cities and users.

Jim Kennedy, vice president North America at Certes Networks, said Uber’s already questionable reputation should take a big hit.

“Most likely the Uber C-suite, seeing the repercussions of cyberattacks on similar household names, were keen to avoid the reputational damage — a massive error of judgment,” Kennedy told SearchSecurity. “The reality is that customer distrust of the brand will be amplified by the company’s attempts to hide the facts from them and points to the need for change in the industry.”

Adam Levin, cybersecurity expert and founder and chairman of CyberScout, said the Uber breach is another example of the company “placing stock value over and above privacy at the expense of drivers and consumers.”

“Uber did a hit and run on our privacy and created a completely avoidable extinction or near-extinction event, and further damaged and already tarnished brand,” Levin told SearchSecurity. “As ever, the goal for a company faced with a breach or compromise should be urgency, transparency and above all else, empathy for those affected.”

Ken Spinner, vice president of field engineering at Varonis, said the Uber data breach will likely “fire up already angry consumers, who are going to demand action and protection.”

“Every state attorney general is going to be salivating at the prospect of suing Uber. While there’s no overarching federal regulations in place in the U.S., there’s a patchwork of state regulations that dictate when disclosures must be made — often it’s when a set number of users have been affected,” Spinner told SearchSecurity. “No doubt Uber has surpassed this threshold and violated many of them by not disclosing the breach for over a year. This is the latest example of how hiding a breach rarely benefits a company and almost surely will backfire.”


Top five Windows 10 migration fears

Posted on

By: Alyssa Provazza, Senior Managing Editor, Tech Target

Less control over Windows OS updates. Windows 10’s automatic updates and patches mark a drastic change for IT professionals

The changes to Microsoft’s model — in which organizations now receive fewer, larger Windows OS updates rolled up with all of the previous month’s patches — are cause for concern, said Hector Cortez, global infrastructure manager and architect at Neovia Logistics Services, a global logistics company.

“Patching seems to be more of a long-term concept from the OS level,” Cortez said. “There’s not that granularity anymore, so we’re making sure that we’re able to manage and support that.”

For that reason, the organization has decided not to use the Long-Term Servicing Branch for updates, and instead test and manage individual Windows OS updates as they come in, he said.

The size of the rolled up patch updates can present other problems. They can be up to 7 GB, so they require a lot of storage and network bandwidth to deliver to users, said Chris Cobb, vice president and desktop engineering manager at Chemical Bank in Midland, Mich.

“When you’re talking about doing that to 250 remote sites and not impacting productivity and killing their network connection, that was probably the thing we have been most challenged with,” he said.

Earlier this year, Chemical Bank implemented Adaptiva to help with this issue. The software distribution tool uses bandwidth harvesting, which enables IT to send Windows updates out to a branch, where they only consume the bandwidth the branch isn’t using at that exact time. Before, employees had a hard time serving customers because there was such latency when the network was downloading an update.

“There had been mighty struggles with patching,” Cobb said. “Now, I’ve pushed out terabytes of data to our branches, and the one call I haven’t gotten that I used to get every day is ‘Our network is slow.’ It gets it done behind the scenes.”

Taking application inventory before a Windows 10 migration

An information and analytics provider plans to start its Windows 10 migration for thousands of employees across multiple sites early next year — right after moving its on-premises virtual desktops to the cloud.

As IT tests applications to ensure they will function properly on the cloud desktops, it is also testing them for compatibility with Windows 10. The application inventory process is especially tricky because different employees — developers, human resources staff and finance workers, for instance — use a lot of in-house custom applications for bespoke work.

“It’s good old-fashioned contacting the user and sitting down with them and asking, ‘How does this work?'” said an IT manager at the company, who requested anonymity because he is not authorized to speak to the media. “It’s making sure that we’ve got all the information and we haven’t under-scoped it.”

The company uses AppTracker, an application workflow and management tool from MigrationStudio, an IT systems migration software provider, to help with application inventory. It provides a dashboard where IT can keep track of information about all the applications and other data that are critical to a Windows 10 migration, such as the number of users and devices at each site and which devices need to be updated before the transition.

“You don’t want to be using Excel spreadsheets because that’s just a nightmare,” the IT manager said. “It’s nice to have a single pane of glass.”

MigrationStudio also enables IT to schedule Windows 10 application tests with users. IT spins up a VMware ESX or Microsoft Hyper-V virtual machine (VM), deploys the app to a Windows 10 desktop, ensures that it installs, then lets the user log in to the VM and test the application at an appointed time.

Windows 10 Edge browser compatibility

When Chemical Bank began its Windows 10 migration, it found that nearly 90% of its web applications didn’t have Edge browser compatibility.

The IT department at the banking company based in Midland, Mich., is in the process of slowly rolling out Windows 10 to 5,000 computers across more than 250 branches.

One major concern has been the Windows 10 Edge browser, the default for the operating system. Most of the bank’s apps use ActiveX controls, an add-on that Edge doesn’t support, but that Internet Explorer (IE) does.

Edge gets added to the taskbar when users sign in to Windows 10 for the first time, so IT must run a script that updates the taskbar to remove it as an option and put IE as the default. That process gets broken after every OS feature update, however, so IT has to continuously fix it, said Chris Cobb, vice president and desktop engineering manager at Chemical Bank.

“Trying to make Edge disappear is a challenge,” he said.

Windows 10 user experience concerns

When the IT department for NASCAR began its Windows 10 migration this year, it put user experience in the driver’s seat.

The stock car racing organization, based in Daytona Beach, Fla., is 85% done with a migration for about 1,500 endpoints throughout its business, including office workers’ PCs, PCs in conference rooms and on kiosks. NASCAR also plans to move to Windows 10 for PCs that run race timing and scoring apps and that process car inspection information at nearly 40 events per year, said Steve Worling, manager director of IT.

Going into the migration, the biggest fear was around the Windows 10 user experience because employees were so used to Windows 7, Worling said.

“They were happy with that and did a lot of training on that,” he said. “Windows 10 does look and feel different. How do we put a new OS out there and make people comfortable with it?”

The IT team decided to do in-place upgrades on users’ existing PCs, which essentially upgrades the Windows 7 desktop image to Windows 10 and enables the users to keep many of the familiar settings and the look of their previous OS. IT used Microsoft System Center to schedule upgrades for each new Windows 10 user, and then met with them in person to make sure it went smoothly.

“It allowed the support team to be there to answer any questions and handle any challenges,” Worling said.

IT also sent out a couple pages of information to every Windows 10 user about what would look different.

“The changes weren’t big enough to make people upset about it,” Worling said.

It also helped that the company used some tech-savvy employees and IT staff as guinea pigs to test Windows 10 and give feedback before migrating, he said.

Windows 10 data privacy issues

When the University of Arkansas moved endpoints across its campus off of Windows 7 as part of a VDI project earlier this year, some IT administrators were concerned about Windows 10 data privacy.

Student labs and kiosks at the university in Fayetteville, Ark., have Windows 10 virtual desktops, while physical desktops available to staff and faculty are in a gradual rollout from Windows 7 to Windows 10. The data that Microsoft collects from Windows 10 users may include error reports, app usage information and even search terms, plus much more.

“Just using it, you are agreeing to all of that data being siphoned up,” said Jon Kelley, associate director of enterprise systems at the university.

To address these Windows 10 data privacy concerns, the desktop team tweaked some of the operating system’s settings, he said.

Like in other organizations, Kelley and his team were also concerned about the more consumer-focused aspects of Windows 10, such as the Cortana digital assistant and the Windows app store being available to enterprise users. To make sure the Windows 10 migration was strictly business, the university adopted the Long-Term Servicing Branch, which is available for Windows 10 Enterprise and doesn’t include the Windows Store, Cortana or Edge browser.





Trump signs bill barring US government use of Kaspersky

Posted on

by Steven Musil, CNET

The antivirus software has been prohibited on US government networks due to concerns of Russian government influence.

It’s now against the law for the US government to use Kaspersky Lab software.

A ban on the antivirus firm’s products was included in the 2018 National Defense Authorization Act, a sweeping defense policy bill signed into law by President Donald Trump on Tuesday. The prohibition, reinforcing a directive issued by the Trump Administration in September, comes amid concern the Moscow-based company might be vulnerable to Russian government influence.

Cybersecurity has become a hot topic in Washington as concerns have mounted over email leaks during the 2016 presidential election campaign and reports of Russian online meddling, as well as breaches at government agencies and in the business world. In May, President Trump signed an executive order on cybersecurity that calls for US government agencies to modernize and strengthen their computer systems.

“Considering the grave risk that Kaspersky Lab poses to our national security, it’s necessary that the current directive to remove Kaspersky Lab software from government computers be broadened and reinforced by statute,” Democratic Sen. Jeanne Shaheen, who led efforts to remove the software from government computers, said in a statement. “The case against Kaspersky is well-documented and deeply concerning. This law is long overdue.”

Kaspersky Lab, which has repeatedly denied the allegations, said in a statement it continues to have “serious concerns” about the law “due to its geographic-specific approach to cybersecurity.

“Congress singled out Kaspersky Lab based solely on the location of its headquarters, resulting in substantial and irreparable harm to the company, its US-based employees, and its US-based business partners,” the company said. “Kaspersky Lab is assessing whether any further action is appropriate to protect its interests.”

In September, the Department of Homeland Security issued a binding directive ordering all federal departments and agencies to remove Kaspersky Lab products from government computers, saying it was “concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks.”