8 Lessons From the Uber Hack
In September 2022, Uber suffered a massive, unique security breach. The hacker actually told the world how it was done. Here are 8 lessons businesses need to learn from this event.
- Resilience Cybersecurity & Data Privacy
- Uber Investigating Breach of Its Computer Systems – NY Times
- The Uber Hack’s Devastation Is Just Starting to Reveal Itself – WIRED
- Uber’s Internal Communication, Engineering Systems Hacked – IAPP
- The Value Of Cyber Security Awareness – IT Security Guru
- Least Privilege – CISA
- How Are Embedded Passwords Used and Where Are They Found? – BeyondTrust
Brian: Hey, thanks for joining us here on the Fearless Paranoia podcast, where we are decrypting cybersecurity: making the information simpler and more usable, so that what you hear, what you see and what goes on around you is something that you understand and can make use of in keeping yourself safe, keeping your business safe, and protecting your clients’ and your customers’ data. I am Brian, the cybersecurity lawyer.
Ryan: And I’m Ryan and I do cybersecurity.
Brian: Yeah, basically, I just listen to him, in case you’re wondering. He’s smarter than me. That’s the way it works. When you’re trying to understand a certain concept, oftentimes there’s nothing better than an effective example, you know, something in real life that shows exactly the right way or the wrong way to do something. It’s probably because it gives us a tangible real-world example of things that can and do happen, thereby giving us behavior to emulate or behavior to avoid. Today, we’re going to focus on that. And we have a story from one of the most famous, or some might say infamous, companies around the world when it comes to issues of security. And let’s just call it what it is: internal hubris.
I use Uber, I use Lyft. I think it’s a great service that’s provided. It’s something that cab companies could have provided for a long time. So am I attacking Uber? I am not. I don’t like some of their practices. I think their drivers should be employees. Regardless, it’s a better system. All that said, we’re gonna be talking about the Uber hack, the breach that occurred at Uber that was publicly disclosed in September of 2022. Unlike most data breaches, we’re not talking about customer information being leaked online or questions about source code; we’re actually talking about a penetration that went much deeper into Uber’s systems. Uber took a big chunk of its internal communications and engineering systems offline as a result of a breach that appeared to compromise a whole slew of Uber’s internal systems. Apparently that hack, at least as it’s been reported, is the result of a social engineering attack that was able to successfully override security measures that included two-factor authentication, and through the access to one employee’s account was able to gain extensive access within the company. One analyst said they pretty much had full access to all of Uber. Uber’s employees were instructed not to use their internal messaging system. This is one of those times where it’s simply better to listen to the person who knows more, so Ryan, give our listeners an idea of what we’re talking about here.
Ryan: Well, I want to start off by just throwing at least one small bone out to some of my colleagues on my side of the fence at Uber, mainly to their cybersecurity team, who were most likely, like a lot of other enterprises, a lot of startups and a lot of other tech businesses, poorly funded, severely understaffed and most likely under-equipped to do their job.
Brian: Let me echo that as well.
Ryan: If anything, this is probably a great lesson for a lot of businesses. Everybody should take the moment to really understand exactly what happened, the level of simplicity that was involved, and understand that this is absolutely something that could happen to anybody without a ton of effort, to be honest, because there’s always going to be a gap, there’s always going to be a hole somewhere. It’s just a matter of finding it and finding a way to exploit that. So let’s dig in real quick. Let’s start with a couple of things. There are numerous blogs out there that have listed the entire timeline of what they think exactly occurred with Uber. Here are the major takeaways that I’ve gotten, and we’ll kind of dig into some of these. The first one is that this was an 18-year-old kid, and it was one person. This is not some super hacker from the KGB, from North Korea, from the NSA; this was Johnny Jamison from down the street somewhere who is just getting interested.
Brian: It’s Matthew Broderick from WarGames.
Ryan: Yeah. It’s just a kid. Since 2020, since the great era of COVID, we have seen a lot more interest. People got locked inside, and they’ve all got computers now, and people have started to get more and more interested in these types of things because they were forced in front of things like a computer for a good period of time. We’ve seen a lot more people start entering the space, especially on the other side of the fence, which is scary, but you hope that eventually they will start to find some opportunities over on this side as well and hopefully be drawn back to the light eventually. But it was just an 18-year-old kid that really precipitated a lot of this. And it started out with social engineering.
Brian: Sorry to interrupt, but just to make sure our audience is on the same page. Can you walk us through what happened?
Ryan: Oh, sure. So I mean, this started as this kid reaching out. He went on to LinkedIn, found employee information, found a cell number and texted an employee and said, “This is a guy from your IT team. I need this privileged password,” and the user handed over the password. So you started with social engineering, effectively a smishing attack. I hate that term, but it’s what it is: SMS phishing, text phishing. And it was a non-multifactor password, or it was an abused multifactor password, because it was a successful compromise regardless of whether there was multifactor in place. The password was successfully used to gain access to a Slack channel, which was used to contact other employees, and eventually procured access to an open file share on the system that held management scripts. Inside those PowerShell scripts were plaintext passwords to service accounts that were then used to access…
Brian: Probably always my favorite part of the news story, when it comes to a password breach.
Ryan: It’d be like me having a Post-it note with my master password on the thing right here behind my webcam, just for you to read, right? I mean, it was on an open file share that didn’t require anything more than the compromised user credentials to get access to. That particular service account was used to access the primary password repository for the company. And that’s where the keys to the kingdom live. So now you’ve got all the passwords, and then there was proven access and screenshots of things like the SentinelOne terminal, I believe, like a SolarWinds Orion, like a system visibility and management tool, and a variety of other things. But once you’ve got that level of access, once you’ve got the main password account and all the passwords, it’s basically game over; they had access to everything. Uber’s lucky they got away with what they did, considering the level of access that was granted. Well, not granted, but taken.
Brian: What was taken? How much did they get? Do you know?
Ryan: I don’t know if that was fully determined or disclosed.
Brian: I was gonna say I think it probably was determined. I don’t know if it was disclosed.
Ryan: From what I understand, I think the investigation is still ongoing to determine if there was any additional activity. It sounds like the threat actor was pretty forthright with everything, and so I think that they understand the full impact.
Brian: It’s so nice to find an honest thief now and again.
Ryan: I don’t think it was a thief! From what I understand there was no ransomware; again, there was no major attempt to create data loss, to sell, compromise, publish or dox or anything like that. The malice was created probably by boredom, curiosity. Honestly, these are the kids that we should be out teaching that they need to get into cybersecurity. They need to flash some of the big cyber-sec money in front of them. Probably a good thing, because you could probably attract some of these kids and get them into actually doing some legit work.
Brian: It harkens back to the time where the best way to get a job working for the cyber divisions of the US military was to get past a certain level of hacking them.
Ryan: Yeah, but back in those days there were a few handfuls of cybersecurity jobs across all of the major Department of Defense. Nowadays, I mean, armies, small armies of people would be required to fill those chairs, and well over half of those chairs are empty. There’s such a huge shortage, private sector, public sector, everywhere in cybersecurity, and so many more people lining up on the other side, which again is scary, but you hope that that’ll take a turn, and hopefully somebody will find a way to harness some of that curiosity.
Brian: So it’s interesting that every step of this is a demonstration of how Uber’s setup failed in doing what it should have done, and almost provided a roadmap of what the hacker’s next step should be.
Ryan: Yeah, it was so many failures on so many levels. And I don’t want to oversimplify them, but so many of those are basic posture, basic hygiene items in cybersecurity. Things like limiting access to a private share, or a really privileged share, like one that has scripts with hard-coded service account passwords: that should be very limited. A standard user account should never get access to that stuff. Things like user training, to understand stuff like: don’t send passwords to a text message that comes to your phone, no matter who they tell you they are. Call them, put it in a ticket, get a hold of someone through your company’s Teams, get them on a video to make sure it’s actually somebody you know. Do something before you just kind of go “there you go” and hand over the keys.

Multifactor. Anyone that’s not doing multifactor in 2022, I’m sorry, I’m gonna be brutal: you don’t care about your business. If you’re not doing something simple, like making sure that all of your people have multifactor, then you do not care about what is behind there. Because passwords are no longer good enough. The machines are better than we are. They’re smarter than we are. They’re faster than we are, and they run 24 hours a day. Your passwords, no matter how long they are, are not going to be good enough going forward in the future. You need to come up with strong, secure multifactor. The sooner we can get to passwordless, the better. If you’ve got biometrics, hell, if you can afford USB keys, please go out and buy them. Buy hardware tokens. They’re not terribly expensive. It might be for a big business, because that’s a big scaling thing, but stuff like that can absolutely decrease the activity of bad access to your accounts and secure your identity quickly. Even something like an authenticator on your phone.
Just do simple things like that, because it takes you away from being low-hanging fruit. All it takes is one password breach, somebody to publish that list on the internet, and that password you’ve got is done. And then if you reuse that, all those accounts are done. And again, they’ve got cameras looking for you nowadays, they’ve got printers testing those accounts and those passwords. It’s not people typing on keyboards anymore. There are no armies. These are a couple of handfuls of people that have amassed bot armies and are using this technology. While it’s videotaping your street and your driveway, it’s also attacking Wells Fargo and scanning their systems.
Brian: You’re listening to the Fearless Paranoia podcast for more information on keeping yourself your family and your company protected against cyber threats, check out the Resilience Cybersecurity and Data Privacy blog. If you’re enjoying this podcast, please like and subscribe using any of your favorite podcast platforms.
Brian: So beyond multi-factor authentication, what are some of the other big security screw-ups that you saw in the Uber hack, if we even want to call it a breach or a hack? We’ll just call it this conflagration.
Ryan: The file share. The privileged file share being wide open. That should be very tightly locked down, at bare minimum to a secure group of privileged access users, or more ideally to privileged access users using something like a secure privileged access workstation, so that that kind of directory has access from one IP, one single machine that’s completely hardened and has all of its use abstracted. Because that’ll prevent people from getting to those places where you have to hard-code in a password. Or better yet, please go through and rewrite your scripts in a way where you don’t need to have the service account password in there. You can use some sort of certificate or some sort of secret or some sort of key that you can pass back and forth to securely enable that access without just hard-coding in your passwords. And if you make a service account that has that level of access, limit it down to doing just the activity you need it to do. Don’t give it global admin or domain admin or anything stupid like that, because that right there is basically just handing over the keys. You might as well not even put the key underneath the mat, just set it right on top of the mat, so when they show up they can just get in.
Or you can leave it in the lock. That actually can be another very convenient place to leave the key.
I’d say the other really big one, again, comes down to least privilege. So if you have a password management system, and you’re in IT or your security team, the first thing you should make sure is that nobody on your team has access to all the passwords inside that repository. There’s no business reason for anybody, no matter if it’s the IT team, no matter if it’s the security team, it doesn’t matter if it’s the CEO, it doesn’t matter who it is. Nobody should have access to all the keys at any one given time.
Brian: That’s, I think, an important one. How does a small business handle that? Because it strikes me that for a small business that might not be feasible, or ultimately necessarily desirable; someone’s probably gonna have to have access to a significant portion of the passwords.
Ryan: Yeah, I mean, it depends on how small you’re talking, right? I guess I was referring a little bit more to the enterprise level. If you’re talking like a five- or ten-person shop, you’re most likely going to have quite a bit of over-delegation of privileges, because you’re gonna have a lot of crossover in job duties also, which is going to make it really challenging to go least privilege in those kinds of small environments. Which is why, in those types of environments, cybersecurity training becomes all that much more required. Because if they’re going to have those levels of privileges, and you’re not going to have like a managed provider that’s controlling that privilege on the back end, your people need to have an understanding of what the threats are out there nowadays, and have to have some sort of demonstration, or at least a detailed explanation, of what those threats look like, how they’re growing, how they’re attacking people, and how to deal with those. Because everybody’s going to be a major point of compromise. Like in Uber’s case, that one user’s account that they got a hold of most likely didn’t have a ton of privilege, but the fact that they had access to enough privileged areas to get an account that had it, that was really lateral movement, and the Slack account that…
Brian: Yeah, that’s what struck me, is that they had access to an internal communication tool that allowed the hacker to essentially impersonate this employee, but to do so in a way that to me seems, I mean, it’s genius in how deviously underhanded that could be. Because what is Slack really meant to replace? Slack likes to say “we replace emails and we replace meetings,” but in my opinion, for most businesses, the one thing universally that it replaces is the watercooler. Slack does replace a lot of these things in a lot of businesses. But in almost all cases, it replaces the casual meeting spot. And so now you’ve got this access to a spot where people are used to being more free with what they say, and assuming that you are who you say you are without any additional, you know, investigation. That’s a huge, huge hole. And I’m amazed that that hasn’t been a bigger story coming out of that particular situation.
Ryan: Yeah, and that’s why, you know, again, you really have to get to users, right? Because with systems you can take on different approaches: you can audit things really closely, you can go zero trust and you can really get away from those implicit-trust type of scenarios. Users are a much more challenging factor to get away from, especially since we’ve moved to a more digital-based era where we’re talking over Slack, we’re talking over Discord, over Teams, over all these different kinds of remote collaboration tools. We miss that side of the watercooler, of standing around in the little kitchen in the office, you know, and some people have gotten back to that, but there’s been a large chunk of the population that is either still remote or has moved to permanently remote. And I think people have historically just kind of always had that time, and with it not being there, it makes it more desirable to want to be comfortable in these newer scenarios that we’re in now. And that desire, that need for humanity, for that human touch, has become a very exploitable thing.
Brian: Not just the need to have it, but to be able to be vulnerable with another human being without entering into code first.
Ryan: Yeah. And people prey on that. That’s why grandparents with computers and smartphones are hugely vulnerable. They don’t typically have a lot going on anymore later in life; you’re not working as much, your family interactions are starting to slow down a little bit more than at least when you had kids around. And so you start to look for those opportunities. Some nice person calls you up on the phone, and you start complaining about this machine that your nephew Johnny got you and you can’t get into your email, and they say, “Oh, Bobby, I will send you this link, you know, let me on there and I’ll help you figure it out.” And a lot of times, they might even go as far as to actually help you reconfigure your stuff to make sure it works better for you. They’re building your trust.
Brian: You’re listening to the Fearless Paranoia podcast. We’re here to help make the complex language of cybersecurity understandable. So if there are topics or issues that you’d like Ryan and me to break down in an episode, send us an email at firstname.lastname@example.org or reach out to us on Facebook or Twitter. For more information about today’s episode, be sure to check out FearlessParanoia.com, where you’ll find a post for this episode containing links to all the sources and research information that we have cited to you. And also check out our older posts and podcasts, as well as additional helpful resources for learning about cybersecurity. Now, back to the show.
Brian: I think one of my favorites of the ones you’ve told me about, something like that, was an Excel spreadsheet: a guy looking for an accounting template went on and found a template that did a very complex process. It did exactly what he needed it to do, which is what made him completely blind to the fact that it also included a macro that embedded itself in the company’s financial system.
Ryan: It was actually on one of this piece of software’s community forums. So it was on a legitimate forum. It was a file that had been uploaded as a comment, basically, as a reply to some problem somebody had deep down, I think it was a couple of pages deep, but it had not been properly scanned by whoever was running the forum. And it was just sitting right there available for download, because attachments must have been turned on in public in that forum. Because people are passing Excel spreadsheets with macros and things back and forth; that’s just part of what they do in this particular forum, find ways to manipulate data and do data analytics. So that’s exactly what happened. They downloaded it. But this file was both the exact thing they needed and had been compromised to the point where it started producing malicious PowerShell commands in the background also. And so it was exactly everything that the poster wanted it to be. It was brought in, it was run on a computer, somebody needed macros, they probably got some sort of administrative access. And if they’re logged in with a privileged account on their workstation, that means that was probably compromised immediately. And then from there, if it’s connected to a network, it’s going to start spreading out everywhere as quickly as it can and working to find additional points for lateral movement and compromise.
Brian: And we’ve got some amazing lessons here. First of all, your password is only as good as the secondary tool that you use to confirm your password, or beyond secondary. I remember that when this conversation first started, it was two-factor authentication; within probably a year, everyone was saying, “Don’t say two-factor anymore. It’s multi-factor authentication.” So there’s that. There’s making sure that your authorizations are appropriate for the users, but also set up to be inappropriate for someone who takes over the user’s access. You want to make it so that if someone does get access to that user’s information, they are nothing but frustrated and stymied when they try to gain access to more than what that user should be allowed to have. And that it records it, that it logs it, that it keeps a maintained record of their actions and their attempted accesses. You don’t want to log just that someone walked through a door; you want to log how many times they tried to open that door when they punched the code in. In addition to that, making sure that your employees are trained adequately, appropriately and in a way that they actually absorb, to follow and understand this complex world of cybersecurity, and make sure they understand they have a stake in it, and they have the ability to be an amazing tool in defending your company. Make sure they know that they can help, that they are empowered to do that. Are there any other key lessons that you think this particular Uber hack has for small businesses?
Ryan: I think from the top down, education is key. Like you said, we need to get to the users and we need to train them. We do need to watch privilege as far as we can. And we need to make sure that we’re auditing all activity that’s occurring in our network. And primarily, we need to make sure that if you’re going to leave a password hard-coded somewhere, you need to limit what kind of access it has, because if it can get into stuff like your main password repository and have access to all the secrets and stuff in there, you might as well just post the password on Pastebin and be done with it and just let it happen, because you had already kind of rolled over at that point.
Brian: So I still don’t think anyone could quite hold a candle to Sony keeping their passwords in an unencrypted folder titled passwords.
Ryan: I’ll be honest, though, I’m not gonna fault Sony, I’m not gonna fault Uber. I feel for all their security teams, because again, they’re most likely in rough shape. But let’s be honest, this has happened to a lot of people, a lot of huge businesses that had no business with stuff like this happening. Target’s been there. Home Depot’s been there. Equifax has been there. Everybody’s been hit at some point. I think they’re saying by the end of 2022, they expect that 60 to 70% of all businesses with a major online digital footprint will probably face some sort of ransomware or some sort of internal compromise.
Brian: That is, of course, not to suggest that taking adequate steps isn’t worthwhile, or that people who fail to take adequate steps, on the basis that either they feel they have more money than is needed to survive the fallout or just simple hubris, don’t, to a certain extent, deserve what’s coming to them. And what is coming to them is potentially a considerable amount of pain over time, especially if they don’t correct their mistakes.
Ryan: With people and bad decisions, eventually you’ll either stop making bad decisions, or you’re just going to keep suffering the pain that comes attached to those. And in the realm of cybersecurity, they’re either going to shape up their practices, they’re going to put proper dollars, proper effort and proper people into places to get these gaps cleaned up, or they will continue to suffer this level of attack, this level of embarrassment, over and over again until people finally just completely lose faith in them altogether.
Brian: There is going to be one other Uber topic that we’re going to talk about in the near future that I desperately want to get your take on, Ryan, because both you and I actually fall, in our professional realms, into shared professional space with one of Uber’s ex-executives who is about to become a member of the incarcerated. A very, very specific and very sad story, to be perfectly honest, about the legal responsibility that a business might have when it comes to a cyberattack. I definitely want to know your opinion on all of that. But that is going to have to wait for another episode. I want to thank you all for joining us today on the Fearless Paranoia podcast. We hope you have learned some from Uber’s pitfalls and errors here. Along with Ryan, I want to thank you all for joining us, and be sure to subscribe to us on your favorite podcasting systems and platforms, tune in to us again, and you can check us out on our website, FearlessParanoia.com. I’m Brian. I’m the cybersecurity lawyer.
Ryan: I’m Ryan. Please keep your passwords long, keep your factors as multi as you can, and practice all the basics, and we will get through the cybersecurity era together safely and come out the other end.
Brian: Thanks y’all. See you next time.
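The two findings the hosts keep coming back to, a share that any compromised user could read and management scripts that carried service account passwords in plaintext, are both things you can check for and remove. The following PowerShell is an added example for this page; it is not code from the episode, from the hosts or from Uber. It scans a share for scripts that embed credentials, reports whether the share’s ACL grants access to broad groups, and shows the replacement pattern Ryan describes: the script carries no secret and instead asks a registered Microsoft.PowerShell.SecretManagement vault at run time. The share path, domain, account, vault and secret names are assumptions.

```powershell
# Added example for the episode page, not code from Uber or the hosts.
# Share path, domain, account, vault and secret names below are hypothetical.

# 1. Find scripts on a share that embed credentials in plaintext.
function Find-HardcodedCredential {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string] $Path)

    # Patterns that usually mean a secret is sitting in source. Tune for your environment.
    $patterns = @(
        '(?i)\$?(password|passwd|pwd|secret|apikey|api_key|token)\s*=\s*["''][^"'']{4,}["'']'
        '(?i)ConvertTo-SecureString\s+(-String\s+)?["''][^"'']+["'']\s+-AsPlainText'
        '(?i)\bnet\s+use\s+.*\s/user:'
    )

    Get-ChildItem -Path $Path -Recurse -File -Include *.ps1, *.psm1, *.bat, *.cmd -ErrorAction SilentlyContinue |
        Select-String -Pattern $patterns |
        ForEach-Object {
            [pscustomobject]@{
                File  = $_.Path
                Line  = $_.LineNumber
                Match = $_.Line.Trim()
            }
        }
}

# 2. Report Allow entries on the share that hand access to broad groups.
#    An empty result means no broad group is granted access directly or by inheritance.
function Test-BroadShareAccess {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string] $Path)

    $broadGroups = 'Everyone|Authenticated Users|Domain Users|BUILTIN\\Users'
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.IdentityReference -match $broadGroups } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

# 3. What the scanner flags, and what to write instead.
#
# Before: anyone who can read the share can log on as the service account.
#   $svcPass = 'Summer2022!'
#   $cred = [pscredential]::new('CORP\svc-deploy',
#               (ConvertTo-SecureString $svcPass -AsPlainText -Force))
#
# After: the script carries no secret. Microsoft.PowerShell.SecretManagement hands it
# out at run time to the identity running the script, and the vault can be scoped to
# this one account's secret rather than the whole password store.
function Get-DeployCredential {
    # Get-Secret returns a SecureString for string secrets unless -AsPlainText is given.
    $secret = Get-Secret -Name 'svc-deploy' -Vault 'OpsVault'
    [pscredential]::new('CORP\svc-deploy', $secret)
}

# Usage against a hypothetical scripts share:
$share = '\\fileserver\ops$\scripts'
Test-BroadShareAccess -Path $share
Find-HardcodedCredential -Path $share | Format-Table -AutoSize
```

Run the two checks from a privileged access workstation with read access to the share; `Test-BroadShareAccess` returning any rows, or `Find-HardcodedCredential` returning any matches, is the condition the episode describes. The `Get-DeployCredential` pattern needs the SecretManagement module installed and a vault registered under the name used in the script, and the service account it fetches should still be scoped to the one task the script performs, as Ryan notes.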
©2022 Fearless Paranoia