
Uber was so thoroughly breached, they didn't realize it until the hacker announced the breach on their internal Slack...



I don't think it's possible for a company to have been breached any worse than this. The hacker had access to EVERYTHING including their internal vCenter and AWS environments...

 

ARSTECHNICA.COM: “I announce I am a hacker and Uber has suffered a data breach,” intruder says on Slack.

 

Ars chose to highlight a tweet thread from one of Microsoft's security engineers, but I disagree with him to a certain extent. He's complaining that this is an inherent flaw when it comes to centralized authentication with two-factor authentication. Basically, if someone gets a hold of your credentials and can trick you into approving the second factor, there's a good chance they can reset your multifactor key and then approve themselves while going about their day. The issue with complaining about this is that people are ALWAYS the weak link. If we moved away from centralized authentication, we could get issues like those that came up when some rando on Twitter was bragging about how his access to the OSS Github page was still active, even after he stopped being an employee. Basically, we then need to rely more and more on people making sure they disable all these disparate accounts when an employee leaves. We also then have to knowingly take on the risk of someone just documenting all their passwords in plaintext because now they have to manage twenty different accounts for twenty different applications.

 

From what we can tell here, there were two major issues. An Uber employee clicked on a malicious link sent to them over WhatsApp, typed in their credentials, and then clicked on their multifactor prompt when it came up. The issue there being the site wasn't real and the multifactor prompt was being generated elsewhere by the hacker trying to access a real Uber resource. The next major issue was that Uber had scripts stored on network drives which contained passwords to some service accounts written in plain text.

 

The first one is fixed with better education. It's crazy to have an employee in 2022 that would click on a link sent to them over WhatsApp and enter their real creds on the site from there. I'm guessing Uber will be sending out a corporate-wide email, if they haven't already, informing everyone that they will never be contacted over WhatsApp or SMS with instructions to log into a page from there. If Uber does have a practice of contacting employees over WhatsApp for real corporate business...my god, is that stupid.

 

Next...don't store scripts with passwords on network shares. Just...don't do that. Store those scripts in an encrypted database using an app like Thycotic's Secret Server.

 

Best practices, people. My lord.

 

Let's see if this kid breached them for fun or if he managed to steal loads of user data while he was in there.

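Since the thread's second failure is "scripts with plaintext service-account passwords sitting on a network share", here is an added example of the kind of check a security team can run over such a share before someone else finds the passwords. This is not code from the thread or from Uber; the share layout, file extensions, regexes and the sample scripts are all constructed for illustration.

```python
"""Scan a directory tree (e.g. a mounted network share) for scripts that
embed plaintext credentials.  Added example; the extensions, patterns and
sample files below are assumptions, not anything taken from the thread."""
import os
import re
import tempfile
from typing import List, Tuple

# File types worth scanning on a typical ops share (assumed list).
SCRIPT_EXTS = {".ps1", ".bat", ".cmd", ".sh", ".py", ".vbs", ".ini", ".conf"}

# Common shapes a hardcoded secret takes in a script (assumed, not exhaustive).
# The value we care about is always the highest-numbered group.
CRED_PATTERNS = [
    # password=..., passwd: "...", pwd = '...', token=..., api_key=...
    re.compile(r"""(?i)\b(pass(?:word|wd)?|pwd|secret|api[_-]?key|token)\s*[:=]\s*["']?([^\s"';]{4,})"""),
    # net use \\server\share /user:DOMAIN\svc P@ssw0rd
    re.compile(r"""(?i)/user:\S+\s+(\S{4,})"""),
    # ConvertTo-SecureString "plaintext" -AsPlainText
    re.compile(r"""(?i)ConvertTo-SecureString\s+["']([^"']+)["']\s+-AsPlainText"""),
    # credentials embedded in a URL: scheme://user:pass@host
    re.compile(r"""(?i)[a-z][a-z0-9+.-]*://[^/\s:@]+:([^@\s/]{4,})@"""),
]

# Values that are clearly not a real secret.
PLACEHOLDERS = {"changeme", "password", "xxxx", "<password>"}


def find_plaintext_creds(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, stripped_line) for each line that looks like it embeds a secret."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith(("#", "::", "REM ", "rem ", "'", "//")):
            continue  # comment line in sh/py/bat/vbs/ps-style scripts
        for pat in CRED_PATTERNS:
            m = pat.search(line)
            if not m:
                continue
            value = m.group(m.lastindex)
            # A variable reference ($VAR, %VAR%, ${env:X}, {{ x }}) is the *right* way
            # to pass a secret into a script, so do not flag it.
            if value.lower() in PLACEHOLDERS or value.startswith(("$", "%", "{{")):
                continue
            hits.append((lineno, stripped))
            break  # one finding per line is enough
    return hits


def scan_share(root: str) -> List[Tuple[str, int, str]]:
    """Walk `root` and return (path, line_number, snippet) for every suspicious line."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in SCRIPT_EXTS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            for lineno, snippet in find_plaintext_creds(text):
                findings.append((path, lineno, snippet))
    return findings


# Constructed sample scripts standing in for what lives on an ops share.
SAMPLE_BACKUP_PS1 = r'''# backup.ps1 - constructed sample, not a real script
$Password = "Winter2022!"
net use Z: \\fs01\backups /user:CORP\svc_backup Winter2022!
$sec = ConvertTo-SecureString "Winter2022!" -AsPlainText -Force
$conn = "Server=db01;User Id=app;Password=${env:DB_PASS};"
# password = hunter2
'''
SAMPLE_DEPLOY_SH = '''#!/bin/sh
# deploy.sh - constructed sample
curl -s https://svc:Summer2022@internal.example/api/deploy
TOKEN="$DEPLOY_TOKEN"
'''
SAMPLE_README = "password=Winter2022!  (ignored: .txt is not a script extension)\n"


def demo() -> List[Tuple[str, int, str]]:
    """Write the samples into a temp dir standing in for the share and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "ops"))
        for rel, body in {"ops/backup.ps1": SAMPLE_BACKUP_PS1,
                          "ops/deploy.sh": SAMPLE_DEPLOY_SH,
                          "README.txt": SAMPLE_README}.items():
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(body)
        findings = scan_share(root)
        # Report share-relative paths so the result does not depend on the temp dir name.
        return sorted((os.path.relpath(p, root).replace(os.sep, "/"), n, s)
                      for p, n, s in findings)


if __name__ == "__main__":
    for path, lineno, snippet in demo():
        print(f"{path}:{lineno}: {snippet}")
```

On the constructed share this flags the literal `$Password = ...`, the `net use ... /user:` line and the `ConvertTo-SecureString ... -AsPlainText` line in backup.ps1, plus the `user:pass@host` URL in deploy.sh, while leaving the `${env:DB_PASS}` and `$DEPLOY_TOKEN` references alone. Those two are the shape the remediation should take: the script holds a reference, and the actual secret is injected at run time from the vault (the thread's Secret Server suggestion, or any equivalent), so nothing on the share is worth stealing.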

7 minutes ago, GeneticBlueprint said:

It's always somebody who doesn't need to be a technical person as part of their job that causes this shit. Your HR reps. Your salesmen. Without fail.

 

Was it a decade ago where security firm RSA was breached thanks to someone in, like, HR opening a malicious Excel document?

 

I was working on this when I was in full control of my company's IT department prior to a few acquisitions. I was on the way to completely doing away with all direct email attachments internally, so the rule for employees was simple and easy to follow. Never open email attachments, ever, because they don't exist here. We also stripped all attachments and links on incoming emails.

 

You can't trust people, so it's best to build everything like you're childproofing the house for an exceptionally suicidal toddler...which, after having three kids, is really just all toddlers.


1 minute ago, b_m_b_m_b_m said:

Thousands of boomers just cried out in terror

 

Oh, I had complaints from people trying to send attachments and then complaining about how nobody would get them. Yes, they're stripped unless you send them by pressing this button in Outlook. Same for incoming attachments. Those folks would have to go to a separate site to retrieve them. People would get an email every day with a list of all the attachments they had yet to retrieve and I'd still get people asking me where they all were.


6 minutes ago, Ghost_MH said:

 

Oh, I had complaints from people trying to send attachments and then complaining about how nobody would get them. Yes, they're stripped unless you send them by pressing this button in Outlook. Same for incoming attachments. Those folks would have to go to a separate site to retrieve them. People would get an email every day with a list of all the attachments they had yet to retrieve and I'd still get people asking me where they all were.

I’m assuming this is all before SharePoint and OneDrive.


5 minutes ago, b_m_b_m_b_m said:

I’m assuming this is all before SharePoint and OneDrive.

 

Nope, this was just a few years ago. However, everything we did was a little more secure than your average company, since we often dealt with ITAR and other controlled data, being a government contractor and all.


I love that Uber's only saving grace was that this kid seems to have been more interested in seeing how far he could get rather than stealing actual data.

 

I wonder if they're beefing up the team or replacing a bunch of folks they fired. The biggest failing here is that everything I read about this should have been uncovered during regular red teaming. Either this wasn't being regularly done, which is insane, they contracted the work to someone that's about to lose every contract they have, or they had an internal red team, which makes no damn sense for a company like Uber.

 

For those that don't know, a red team in the security world is a person/team that will simulate trying to break into your environment. Sometimes that involves phishing real employees for credentials. Sometimes it involves just giving the red team dummy creds so they can skip the social engineering part. Sometimes it involves literally breaking into or somehow sneaking hardware into an office to relay attacks from within the LAN. I know folks that have broken into banks, gotten control of email servers from the plug for a phone in the lobby, or popped thumb drives into receptionist PCs while posing as an interviewee.

 

So much of what I read about the Uber hack sounds like stuff that would have come up during a red team audit or even a basic, internal penetration test.


7 hours ago, legend said:

I get so annoyed having to do annual security training and reporting the fake phishing attempt emails (to make sure you're correctly identifying them as phishing) because it's all so fucking obvious.

 

But here we are.

I dunno, my last two companies had some pretty difficult fake phishing emails and at least quarterly trainings. But they were a utility and a company that was being acquired by a foreign company (subject to CFIUS regulation and approval) and took security extremely seriously. I’d imagine most companies not critical to national security just buy some package from a vendor and call it a day though (based on my current company), and that’s why they suck.


5 hours ago, b_m_b_m_b_m said:

I dunno, my last two companies had some pretty difficult fake phishing emails and at least quarterly trainings. But they were a utility and a company that was being acquired by a foreign company (subject to CFIUS regulation and approval) and took security extremely seriously. I’d imagine most companies not critical to national security just buy some package from a vendor and call it a day though (based on my current company), and that’s why they suck.

 

You got it correct. Most companies just buy the bare minimum they need to say they train their employees. The cheapest solutions out there are far too obvious to actually be very effective. There are better solutions out there that do a good job of faking emails from the likes of Amazon or FedEx or CDW, but the best ones I've seen will customize their emails to include whaling attacks along with their phishing attempts. That is, they'll make a template off some senior exec and make their email look like it's coming from that person. I remember a number of years ago at a security firm I was working at, security managed to catch a ton of people with an email that looked like it came from the CFO. They also managed to catch the CFO with an email that looked like it came from the CEO. Professional services like that are usually crazy expensive, though, and so few companies ever bother.


10 hours ago, b_m_b_m_b_m said:

I dunno, my last two companies had some pretty difficult fake phishing emails and at least quarterly trainings. But they were a utility and a company that was being acquired by a foreign company (subject to CFIUS regulation and approval) and took security extremely seriously. I’d imagine most companies not critical to national security just buy some package from a vendor and call it a day though (based on my current company), and that’s why they suck.

 

TBC, I mean that a lot of this security training seems super obvious and unhelpful, but the failure point at Uber was such a botched response by the person that clearly people do in fact need the obvious training, and I have to suffer for it! :p


1 hour ago, Anathema- said:

A couple of years back I was in the office of the new technologies lead just chatting when the Director called and said he had accidentally clicked on a phishing link and asked if he really needed his computer wiped.

 

My rule here has always been yes, I don't care who you are. I've interrupted meetings to snatch laptops from people presenting because we got a suspicious activity hit. Can't make exceptions for anyone, though I've never actually wiped a machine. I prefer just pulling the drive, popping in a new one, and then retrieving the files off the old drive in a secure environment. It might be a week before you get your files back, but that's better than finding your data on Pastebin.
