Uber users: What you need to know about last month’s data breach | BU Today

MET cybercrime expert on how the hacker likely gained access to the company’s data and systems
Last month, the internal databases of the American multinational ride-sharing company Uber were hacked. The unnamed 18-year-old who claimed responsibility for the hack said Uber’s ineffective security measures made the breach possible. The hacker, who was in the end arrested and is in police custody, allegedly gained access to Uber’s secure data through “social engineering,” which means manipulating or tricking someone, often by email or phone calls, to gain access to personal or financial information. These methods of manipulation are becoming commonplace in the world of cybercrime. Posing as a corporate information technology worker, the hacker claimed to have convinced an Uber supplier to reveal the password to Uber’s systems. Uber says it’s also possible the hacker bought the corporate password on the dark web.
According to Uber, after obtaining the contractor’s password the hacker sent repeated login requests to the contractor’s account, and was then able to bypass Uber’s two-factor login authentication – a system where a user is granted access only after electronically verifying their identity twice – when the contractor finally accepted one of the authentication prompts. The hacker also posted a message in Uber’s Slack account that read: “I am announcing that I am a hacker and Uber has suffered a data breach.”
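The pattern described above, a burst of authentication prompts to one account followed by a single approval, is something a defender’s own logs can surface. As an added example that is not part of the original article or of Uber’s tooling, the Python below flags any approval preceded by several denied or unanswered prompts within a short window; the log format, account names, window and threshold are constructed assumptions.

```python
"""Flag MFA push-fatigue: an approval preceded by a burst of refused prompts."""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed look-back window for earlier prompts
THRESHOLD = 3                    # assumed number of refused prompts that makes an approval suspicious

# Constructed sample log, one push challenge per line: "<timestamp> <account> <outcome>".
# Outcomes: DENIED (user tapped deny), TIMEOUT (prompt expired), APPROVED (user accepted).
SAMPLE_LOG = """\
2022-09-15T22:01:03Z contractor-1 TIMEOUT
2022-09-15T22:02:15Z contractor-1 DENIED
2022-09-15T22:03:40Z contractor-1 TIMEOUT
2022-09-15T22:04:02Z contractor-1 DENIED
2022-09-15T22:06:50Z contractor-1 APPROVED
2022-09-15T22:05:00Z engineer-7 APPROVED
2022-09-15T09:00:00Z engineer-7 TIMEOUT
2022-09-15T09:00:45Z engineer-7 APPROVED
"""


def parse_log(log_text):
    """Return (timestamp, account, outcome) tuples sorted by time; logs may arrive out of order."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, outcome))
    events.sort(key=lambda e: e[0])
    return events


def find_push_fatigue(log_text, window=WINDOW, threshold=THRESHOLD):
    """For every APPROVED event, count that account's refused prompts inside the window.

    A single refused prompt before an approval (engineer-7 above) is normal and is not
    reported; only approvals preceded by at least `threshold` refusals are returned.
    """
    events = parse_log(log_text)
    alerts = []
    for i, (ts, account, outcome) in enumerate(events):
        if outcome != "APPROVED":
            continue
        prior = [e for e in events[:i]
                 if e[1] == account and e[2] != "APPROVED" and ts - e[0] <= window]
        if len(prior) >= threshold:
            alerts.append({"account": account,
                           "approved_at": ts.isoformat(),
                           "refused_prompts": len(prior),
                           "first_prompt_at": prior[0][0].isoformat()})
    return alerts
```

The alert carries the time of the first refused prompt, which is the point an analyst would pull surrounding logs from, rather than the time of the approval.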
A security update from Uber says it believes cybercrime group Lapsus$ is responsible for the attack. “We are working with several leading digital investigative firms as part of the investigation,” Uber writes. “We will also take this opportunity to continue to strengthen our policies, practices and technology to further protect Uber from future attacks.”
BU Today spoke with Kyung-shick Choi (MET’02), a Metropolitan College professor of practice and director of the Cybercrime Investigation & Cybersecurity Programs, about the implications of the hack and how companies and users can protect themselves.
This interview has been edited for length and clarity.
Q&A with Kyung-shick Choi
BU Today: Can you briefly describe the scope of Uber’s security breach?
Choi: Uber’s security breach is quite an interesting case because, unlike other major breaches, I wonder if the hacker achieved what they really wanted to achieve. I expected some kind of ransom attack so they could seek financial gain. But this time it seems they didn’t really get much. Of course, Uber’s cybersecurity may have reacted quickly to the incident, but they clearly said they hacked right into Slack. And so, for me, there is much more to what the motivation could be.
They have already identified the potential suspect, Lapsus$. It’s a Brazilian hacker group – I guess it’s a group of teenagers. We call them “cyberpunks”. They have been very active lately and have gained fame. I think maybe that’s why they targeted such a big company.
BU Today: Can you talk about their methods, how they possibly gained access?
Choi: According to Uber, the hacker group purchased the login password from the dark web. It is very common for hackers to trade, sell and buy old passwords and login names. So consider that if they are cyberpunks and not extremely skilled, just getting the credentials through the dark web is the easiest way to commit a crime, rather than a complicated hacking process. So maybe that is what is happening in this case.
Uber now has a two-factor authentication system, which means double protection. With two-factor authentication, you get that notification and you have to press the buttons. So maybe [an Uber worker] thought, okay, I did it, and then they approve it. So there is a way, and it’s pure luck to be honest, if [the hackers] did it that way.
Another way, if they are really dedicated hackers, [is to] get deeper into the system. And then they [would] escalate the privilege and change the information to change the contact to their own. It must be a burner phone so you can get your own authentication using the burner. That’s what pretty skilled hackers do, but it looks like [the Uber hackers were] not at that level. That is my assumption. But usually cyberpunks try and try and try and luckily can get in.
BU Today: What are the potential consequences for users and their data as a result of the hack?
Choi: Personal data is so important. Every single person’s data can be weaponized and used against them. Your data can be used for criminal purposes, for account takeover or financial gain. And then, of course, [hackers] may sell the information. And that is why privacy is so important, as we really have to protect ourselves.
I can extend that to sex crimes. And so if hackers find out date of birth, place and all that, they can stalk people and then even commit sextortion. I have seen those cases a lot.
People think, oh, this is just one hack. But it’s not just one hack. The damage can be significant for individuals, families and society at large. Therefore, we must be very careful.
BU Today: What data is believed to be compromised by the attack?
Choi: Hackers downloaded financial information from Slack. The financial information can be anything. It could be invoices or employment information. I think [Uber and the authorities] are currently investigating that and what types of information were compromised. According to them, non-sensitive data was exposed, but we won’t know until we actually see what happened. Credit card information is encrypted so that information is safe, and other travel information is secure.
I think right after the event [Uber] reported it to the police and now the FBI is involved. I think [Uber] did the right thing, so when the FBI gets involved and they do a very extensive investigation, we will receive much more accurate information.
BU Today: Do you think Uber handled the situation well?
Choi: I didn’t see the evidence. If I looked into it, I might be able to see the log file and when they were really hacked. In most hacking incidents, especially on a large scale, the companies do not report to the victims right away. I hope Uber reported it right away. At least the suspect and the hacker group left a message, but we don’t know when they actually started. And so maybe they took a long time, maybe a month’s time, before they got to that stage.
Usually, big issues are similar that way because [hacked companies] don’t want to ruin their reputation on the part of the company. They don’t want to give bad pictures to the audience. Who will use Uber if they keep getting hacked?
In this case, [Uber] saw the sign of the hack and they reported it to the police. I think that’s the right way to do it. And that is perhaps why the damages, according to Uber, are minimal. Although we don’t know yet.
BU Today: Are other rideshare apps vulnerable to similar attacks?
Choi: Of course. Because of the tendency of hackers, if they are professional hackers, they will never attack the headquarters, because the headquarters has a lot of security built right there. All the big hacks, if you really examine them, don’t really happen by hacking directly into the main server. [Hackers] always find the small suppliers. The size of the company can be very small. There is a vulnerability there. It is also how you handle digital information, and it is very important.
But definitely Lyft and all the others should be careful. So that means they need to train their employees.
BU Today: What steps should Uber and other rideshare apps take to prevent similar attacks in the future?
Choi: I have my own theory, and my theory has become dominant in computer crime. It’s called “cyber routine activity theory.” Very simple. There are two factors that contribute to the victimization of computer crime. So either online behavior, which means a human error, and/or it’s a security issue. Compromised business emails are always the biggest victim of cybercrime in the history of the internet or email.
Another factor is cyber security. What if you don’t have basic protection? What if you don’t have the internal security management? That means, do you have a strong policy in place in your company? If something happens, response to the incident is so important. If you don’t have an incident response policy…they do. You just have to wait for law enforcement and watch the hackers steal every single thing. You can’t do anything because you don’t know what to do.
It is also important to train employees. It is critical.
Many [hacking] cases, I would say closer to 50 percent, come from an insider. So that is why you need to maintain all the security credentials especially when [employees] leave the company. Revenge is a big factor. [If] they don’t just ride nicely…[if] they do something with it, maybe sell the information, or share all the credentials, or sell it to the dark web.
BU Today: It is believed that the hacker potentially gained access to Uber’s internal systems through a psychological manipulation tactic referred to as social engineering. How can Uber and other companies better prepare and train their employees to identify these persuasive techniques?
Choi: The effective training must be practical training. So statistically, practical training really does increase your long-term memory. This type of training is essential so that you feel it when you click on it and see what happens. Our programs at MET are designed to train our future law enforcement in cybercrime investigation and cyber security. We create a scenario. So we have a suspect and a victim. The students really feel it. They investigate the matter and see how [the hacker] sends a phishing email, and they really observe.
Moreover, technology is developing rapidly, almost every day. And so our online behavior adapts quickly. The companies should think about that and the changing technology. Companies should really know their employee populations and the characteristics of using social media, for example.
BU Today: How can users protect themselves and their personal data when using rideshare apps?
Choi: Whenever you hear that an incident has occurred, the first thing you need to do is change your passwords. If you see something happening, like a hacking incident from the company’s side, I strongly recommend changing your password so that [hackers] can do nothing more.
And then of course, never use the password you’ve used before. If I were an Uber customer, I would have a very strong password. And be careful when downloading apps by making sure you download genuine apps because there are many replicated ones.