Uber breached

  • In the news are several reports that Uber has once again become the victim of a large-scale (this time with extremely wide-ranging implications) attack on its internal network infrastructure. One security vendor has already described the breach as by far more extensive than the 2016 global incident (which impacted all of Uber’s entities).

    The hacker, who claimed to be 18 years old, told NYT he had sent a text message to an Uber employee and was able to persuade the staff member to reveal a password after claiming to be a corporate information technology employee. The relatively simple social engineering hack allowed him to breach Uber’s systems, with the hacker describing the company’s security posture as weak. The huge gain from the perspective of any bad actor is that the level of access obtained is typically referred to as “god mode” (gamers might be familiar with this phrase, making your character invincible via a number of cheats). Essentially, this is much like an “access all areas” pass with absolutely no locked doors, or any area off limits in terms of Uber’s internal network infrastructure.

    The real problem with “god mode” is that it allows the holder to assume complete control over systems without additional challenge, and essentially, lock out the original owner (Denial of Service) – basically, a complete compromise. If you’ve seen Die Hard 2, then you may remember that the plot involved an attack on Dulles Tower where all of the runways, flight management systems, and radar etc. were in full control of a remote entity who’d set up communication links in the adjacent church with the real tower being completely powerless whilst sea level was re-calibrated to minus 200ft causing a landing plane to hit the runway far earlier than they anticipated. Clearly, this is all very “Hollywood” – although it’s 100% feasible as the Uber breach has easily demonstrated and proved.

    The impact on Uber is unimaginable – to the extent where they have been forced to close all internal systems whilst a full analysis of the breach is conducted, with the confidence and trust severely damaged from any client perspective.

    The success of this attack highlights the increasing importance of awareness around Social Engineering. Through a myriad of techniques, a complete stranger was able to coerce an Uber employee with system admin access to accept the “push request” on his cell requesting access. Evidently, he was told (quite unbelievably) that the requests would stop if he accepted the request. Once he accepted, this effectively gave the remote attacker complete control. I fully expect the ripple effect of this attack to be felt for some considerable time with stolen financial records no doubt finding their way into the hands of those willing to use them for their own personal gain.

    Everyone should be aware of the risks that impersonation attempts pose, and it is for this reason that you should always question any access request outside of the expected audience. If it doesn’t look or feel right, or the language used doesn’t match that particular person being impersonated, do not provide the access.
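
A defender-side sketch of the push-request pattern described in the post above, as an added example that is not part of the original post: it flags an MFA approval that follows a burst of denied or timed-out pushes for the same user. The log format, event names, usernames, addresses and thresholds are assumptions constructed for illustration, not any vendor's schema.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical MFA audit-log format.
SAMPLE_LOG = """\
2024-01-10T22:58:01Z user=admin1 event=push_denied src=203.0.113.7
2024-01-10T22:59:10Z user=admin1 event=push_timeout src=203.0.113.7
2024-01-10T23:00:42Z user=admin1 event=push_denied src=203.0.113.7
2024-01-10T23:02:15Z user=admin1 event=push_denied src=203.0.113.7
2024-01-10T23:03:30Z user=admin1 event=push_approved src=203.0.113.7
2024-01-10T09:00:00Z user=bob event=push_denied src=198.51.100.4
2024-01-10T09:00:20Z user=bob event=push_approved src=198.51.100.4
2024-01-10T10:00:00Z user=carol event=push_denied src=192.0.2.9
2024-01-10T10:20:00Z user=carol event=push_denied src=192.0.2.9
2024-01-10T10:40:00Z user=carol event=push_denied src=192.0.2.9
2024-01-10T10:41:00Z user=carol event=push_approved src=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>push_\w+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Yield (timestamp, user, event, src) per well-formed line; skip anything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["user"], m["event"], m["src"]


def detect_push_fatigue(log_text, threshold=3, window=timedelta(minutes=10)):
    """Return approvals preceded by >= threshold rejected pushes inside the window."""
    rejected = defaultdict(deque)  # user -> timestamps of denied/timed-out pushes
    alerts = []
    for ts, user, event, src in sorted(parse(log_text)):
        q = rejected[user]
        while q and ts - q[0] > window:  # forget rejections older than the window
            q.popleft()
        if event in ("push_denied", "push_timeout"):
            q.append(ts)
        elif event == "push_approved":
            if len(q) >= threshold:
                alerts.append({"user": user, "approved_at": ts,
                               "src": src, "rejected_before": len(q)})
            q.clear()  # an approval starts a fresh sequence for this user
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG):
        print(alert)
```

In the sample, only admin1 is flagged: bob's single mistaken denial and carol's denials spread over 40 minutes stay below the threshold inside the window.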

  • @phenomlab Very good article that I would put on my forum if you don’t mind.

    @DownPW Of course. No issues at all.

    Thanks

  • Wow 😧

    @JAC Yes, not clever at all, and not the first time either (or even the last in my view)
