Uber has been hacked, and it doesn’t look good. A hacker who boasted of his achievements via Telegram this week claims to be an 18-year-old who allegedly gained such broad access to the tech giant’s network that he was able to paralyze Uber’s workforce and post a picture of a penis on an internal company website.
Uber hasn’t said much about its security debacle, other than acknowledging on Thursday that a “cybersecurity incident” had occurred. On Friday, the company also released a short update in which it claimed that “there is no evidence that the incident involved access to sensitive user data”.
Online security researchers quickly dissected the episode and analyzed what tactical mistakes could have led to the breach, based on the information leaked by the culprit. Admittedly, everything the hacker has said at this point is just that: alleged, and it is not entirely clear whether he is telling the truth or not. However, Gizmodo reached out to a few experts to ask about the hack and get their perspective on how this whole thing could have happened.
How a hacker claims to have breached Uber
Like a lot of recent intrusions into large enterprise networks, the Uber hack appears to have been carried out using pretty basic hacking techniques. If the culprit really turns out to be a teenager, it would mean that one of the biggest tech companies on the planet has just been hacked by someone who probably doesn’t qualify as much more than a script kiddie.
The hacker was happy to tell everyone how he got into Uber’s network. In statements published on his Telegram page and in conversations with the New York Times, the alleged hacker said he tricked an Uber employee into handing over their credentials through a social engineering attack in which he posed as a colleague. Dave Masson, director of enterprise security at security firm Darktrace, told Gizmodo that it’s not a particularly sophisticated method of intrusion.
“From what the hacker said, they didn’t actually get in,” Masson said. “They basically tricked someone into giving up their multi-factor authentication details and then walked in the front door.” These kinds of attacks have always been common, but since the pandemic has thrown most companies into a semi-permanent work-from-home state, they’ve become more widespread, Masson said.
The attack appears to have allowed the hacker to gain access to a user’s VPN, which provided access to Uber’s corporate network. From there, the hacker allegedly discovered a document, or “internal access share,” that contained credentials for other services and areas of the network. After that, it would be relatively easy to escalate privileges across the wider company environment.
An Error in MFA
For a long time, we’ve heard that the surest way to keep our digital lives safe is to use multi-factor authentication. MFA authenticates users by forcing them to submit multiple pieces of information (usually from at least two different devices) to log into their online accounts. However, some forms of MFA also have a rarely discussed vulnerability, namely that they can be easily circumvented by a hacker who uses social engineering or basic man-in-the-middle-style attacks to obtain credentials.
Bill Demirkapi, an independent security researcher, told Gizmodo that the kind of MFA Uber appears to have been using isn’t the most secure. Instead, Demirkapi suggests using FIDO2, which is billed as a “phishing-resistant” form of authentication. FIDO2 is a web-based authentication mechanism that, unlike more standard forms of MFA, verifies that the origin of the MFA challenge is a real login server, Demirkapi said. “If an attacker were to create a fake login page and request FIDO MFA, the U2F device would not even respond, preventing authentication from continuing,” he added.
“Standard forms of multi-factor authentication such as push notifications, text messages, OTP [one-time password], etc. protect against attackers who only have employee credentials, but often not against phishing,” he said.
The problem is that phishing users of standard MFA can be done fairly easily using widely available web tools. Demirkapi points to one such tool, called “Evilginx”, which is available online for free. An attacker can use such a tool to create a fake login page that looks identical to the real one. If they convince the victim to visit the phishing page, the attacker’s server can “replicate the connection to the real login server” so that everything the victim enters is simply passed on to the attacker.
“The victim can enter their credentials, the attacker logs them and then sends a login request to the real server,” Demirkapi said. “Once the victim is prompted for ‘standard MFA’, no verification is done to ensure that the victim is actually on the real login page. The victim accepts the challenge, the real server sends authenticated cookies for the victim to the attacker’s server, and the attacker records this and forwards it to the victim. It’s a seamless process that allows an attacker to obtain a victim’s credentials, even with common forms of multi-factor authentication,” he said.
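The origin binding Demirkapi describes is something the relying party checks on every FIDO2/WebAuthn login, which is what defeats the relay flow above. The following is an added illustration, not code from the article or from Uber: the relying party name, origin and challenge are constructed values, and the signature check that follows these steps in a real deployment is left out.

```python
import hashlib
import json

# Constructed values for the illustration: the real login server's RP ID and
# origin, and the one-time challenge it issued for this login attempt.
RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"
ISSUED_CHALLENGE = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"


def make_client_data(origin: str, challenge: str = ISSUED_CHALLENGE) -> bytes:
    """Build the clientDataJSON a browser produces for a webauthn.get ceremony.
    The browser, not the page, fills in the origin the user is really on."""
    return json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    ).encode()


def make_authenticator_data(rp_id: str) -> bytes:
    """Minimal authenticatorData: SHA-256 of the RP ID the browser passed to the
    authenticator, then a flags byte (user present) and a 4-byte counter."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"


def verify_assertion(client_data_json: bytes, authenticator_data: bytes) -> tuple[bool, str]:
    """Checks a relying party performs before it even verifies the signature.
    A proxy on another domain cannot request the real RP ID, and even if the
    user typed the right password, the origin recorded by the browser is wrong."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != ISSUED_CHALLENGE:
        return False, "challenge does not match the one this server issued"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin {cd.get('origin')!r} is not the relying party's origin"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match the relying party ID"
    return True, "assertion is bound to the real login server"


if __name__ == "__main__":
    # Genuine login from the real page, then an assertion relayed from a look-alike page.
    print(verify_assertion(make_client_data(EXPECTED_ORIGIN), make_authenticator_data(RP_ID)))
    print(verify_assertion(make_client_data("https://login-example.phish.test"),
                           make_authenticator_data("login-example.phish.test")))
```

Compare this with an OTP or push prompt, where nothing in the second factor records which page the user was on, so the relayed value verifies just as well as a genuine one.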
Is user data safe?
One lingering question about this incident is whether user data may have been affected. On Friday, Uber released a statement claiming there was “no evidence” that the hacker accessed “sensitive user data (such as trip history)”. However, the company didn’t exactly provide much context for what that means. Security experts who spoke to Gizmodo said that, given the broad access the hacker appears to have gained, it was certainly possible that they could view user data.
“Is it possible? Sure,” Demirkapi said. “Actually, some of the screenshots leaked by the attacker seem to show limited access to customer information. But that doesn’t mean much by itself, because what really matters is the scope in which the attacker gained access to customer information.” This scope is, of course, unknown.
Masson similarly agreed that it was possible. “We don’t know that yet, but I wouldn’t be surprised if it happened,” he said, pointing to a 2016 hack that affected the company. In that particular case, the impact was pretty bad. Hackers stole personal information about 57 million Uber users. The company failed to disclose the incident and secretly paid cybercriminals to wipe the data.
At this point, the more relevant question for Uber might be what dirt the hacker found on the rideshare company’s business practices, and whether they would even know what to look for.