Serious breach at Uber spotlights hacker social deception
San Francisco (US), Sep 17: The ride-hailing service Uber said on Friday that all its services were operational following what security professionals are calling a major data breach, claiming there was no evidence the hacker got access to sensitive user data.
But the breach, apparently by a lone hacker, put the spotlight on an increasingly effective break-in routine involving social engineering: The hacker apparently gained access posing as a colleague, tricking an Uber employee into surrendering their credentials.
They were then able to locate passwords on the network that got them the level of privileged access reserved for system administrators.
The potential damage was serious: Screenshots the hacker shared with security researchers indicate they obtained full access to the cloud-based systems where Uber stores sensitive customer and financial data.
It is not known how much data the hacker stole or how long they were inside Uber's network. Two researchers who communicated directly with the person who self-identified as an 18-year-old to one of them said they appeared interested in publicity. There was no indication they destroyed data.
But files shared with the researchers and posted widely on Twitter and other social media indicated the hacker was able to access Uber's most crucial internal systems.
"It was really bad the access he had. It's awful," said Corbin Leo, one of the researchers who chatted with the hacker online.
The cybersecurity community's online reaction Uber also suffered a serious 2016 breach was harsh.
The hack "wasn't sophisticated or complicated and clearly hinged on multiple big systemic security culture and engineering failures", tweeted Lesley Carhart, incident response director of Dragos Inc., which specialises in an industrial-control systems.
Leo said screenshots the hacker shared showed the intruder got access to systems stored on Amazon and Google cloud-based servers where Uber keeps source code, financial data and customer data such as driver's licenses.
"If he had keys to the kingdom he could start stopping services. He could delete stuff. He could download customer data, change people's passwords," said Leo, a researcher and head of business development at the security company Zellic.
Screenshots the hacker shared many of which found their way online showed sensitive financial data and internal databases accessed. Also widely circulating online: The hacker announcing the breach Thursday on Uber's internal Slack collaboration system.
Leo, along with Sam Curry, an engineer with Yuga Labs who also communicated with the hacker, said there was no indication that the hacker had done any damage or was interested in anything more than publicity.
"It's pretty clear he's a young hacker because he wants what 99 per cent of what young hackers want, which is fame," Leo said.
Curry said he spoke to several Uber employees on Thursday who said they were "working to lock down everything internally" to restrict the hacker's access. That included the San Francisco company's Slack network, he said.
In a statement posted online on Friday, Uber said "internal software tools that we took down as a precaution yesterday are coming back online".
It said all its services including Uber Eats and Uber Freight were operational and that it had notified law enforcement. The FBI said via email that it is "aware of the cyber incident involving Uber, and our assistance to the company is ongoing".
Uber said there was no evidence that the intruder accessed "sensitive user data" such as trip history but did not respond to questions from The Associated Press including about whether data was stored encrypted.
Curry and Leo said the hacker did not indicate how much data was copied. Uber did not recommend any specific actions for its users, such as changing passwords.
The hacker alerted the researchers to the intrusion on Thursday by using an internal Uber account on the company's network used to post vulnerabilities identified through its bug-bounty programme, which pays ethical hackers to ferret out network weaknesses.
After commenting on those posts, the hacker provided a Telegram account address. Curry and other researchers then engaged them in a separate conversation, where the intruder provided the screenshots as proof.
The AP attempted to contact the hacker at the Telegram account, but received no response.
Screenshots posted online appeared to confirm what the researchers said the hacker claimed: That they obtained privileged access to Uber's most critical systems through social engineering.
The apparent scenario:
The hacker first obtained the password of an Uber employee, likely through phishing. The hacker then bombarded the employee with push notifications asking they confirm a remote log-in to their account.
When the employee did not respond, the hacker reached out via WhatsApp, posing as a fellow worker from the IT department and expressing urgency. Ultimately, the employee caved and confirmed with a mouse click.
Social engineering is a popular hacking strategy, as humans tend to be the weakest link in any network. Teenagers used it in 2020 to hack Twitter and it has more recently been used in hacks of the tech companies Twilio and Cloudflare, said Rachel Tobac, CEO of SocialProof Security, which specialises in training workers not to fall victim to social engineering.
"The hard truth is that most orgs in the world could be hacked in the exact way Uber was just hacked," Tobac tweeted. In an interview, she said "even super tech savvy people fall for social engineering methods every day".
"Attackers are getting better at by-passing or hi-jacking MFA (multi-factor authentication)," said Ryan Sherstobitoff, a senior threat analyst at SecurityScorecard.
That's why many security professionals advocate the use of so-called FIDO physical security keys for user authentication. Adoption of such hardware has been spotty among tech companies, however.
The hack also highlighted the need for real-time monitoring in cloud-based systems to better detect intruders, said Tom Kellermann of Contrast Security.
"Much more attention must be paid to protecting clouds from within" because a single master key can typically unlock all their doors.
Some experts questioned how much cybersecurity has improved at Uber since it was hacked in 2016.
Its former chief security officer, Joseph Sullivan, is currently on trial for allegedly arranging to pay hackers USD 100,000 to cover up that high-tech heist, when the personal information of about 57 million customers and drivers was stolen.
Let the Truth be known. If you read VB and like VB, please be a VB Supporter and Help us deliver the Truth to one and all.
'Made in India' must become symbol of excellence, global competitiveness: PM
New Delhi (PTI): Prime Minister Narendra Modi on Sunday called upon states to encourage manufacturing, boost 'ease of doing business' and strengthen the services sector to make India a global services giant.
Addressing the 5th National Conference of Chief Secretaries here, Modi emphasised the need for quality in governance, service delivery and manufacturing, and said the label 'Made in India' must become a symbol of excellence and global competitiveness.
He said India has the potential to become the world's food basket and the country must move towards high-value agriculture, horticulture, animal husbandry, dairying and fisheries to become a major food exporter.
"Called upon states to encourage manufacturing, boost 'Ease of Doing Business' and strengthen the services sector. Let us aim to make India a Global Services Giant," Modi said in a series of posts on X.
The theme of the three-day conference, which began on December 26, was 'Human Capital for Viksit Bharat'.
Modi observed that this conference marks another decisive step in strengthening the spirit of cooperative federalism and deepening Centre-State partnership to achieve the vision of a 'Viksit Bharat'.
Highlighting India's demographic advantage, he said nearly 70 per cent of the population is in the working-age group, creating a unique historical opportunity which, when combined with economic progress, can significantly accelerate the journey towards a 'Viksit Bharat', according to an official statement.
Modi said India has boarded the "Reform Express", driven primarily by the strength of its young population, and empowering this demographic remains the government's key priority.
He noted that the conference is being held at a time when the country is witnessing next-generation reforms and steadily moving towards becoming a major global economic power.
Underlining the need to strengthen 'atmanirbharta' (self-reliance), he said India must pursue self-reliance with zero defect in products and minimal environmental impact, making the label 'Made in India' synonymous with quality and strengthening the commitment to "zero effect, zero defect".
The PM urged the Centre and states to jointly identify 100 products for domestic manufacturing to reduce import dependence and strengthen economic resilience in line with the vision of 'Viksit Bharat'.
In higher education, too, he said, there is a need for academia and industry to work together to create high-quality talent.
He highlighted that India has a rich heritage and history with the potential to be among the top global tourist destinations.
Modi urged the states to prepare a roadmap for creating at least one global-level tourist destination and nourishing an entire tourist ecosystem.
He said it is important to align the national sports calendar with the global sports calendar.
"India is working to host the 2036 Olympics. India needs to prepare infrastructure and sports ecosystem at par with global standards," he said.
The prime minister said the next 10 years must be invested in the states, only then will India get the desired results in such sports events.
Every state must give this top priority and create infrastructure to attract global companies, he said.
In the services sector, Modi said, there should be greater emphasis on other areas like healthcare, education, transport, tourism, professional services and artificial intelligence, etc. to make India a global services giant.
He said India will soon be launching the National Manufacturing Mission (NMM).
States should work in tandem with the discussions and decisions emerging from the conferences of both chief secretaries and DGPs to strengthen governance and implementation.
The PM said similar conferences could be replicated at the departmental level to promote a national perspective among officers and improve governance outcomes in pursuit of a 'Viksit Bharat'.
In conclusion, he said every state must create a 10-year actionable plan based on the discussions of this conference with one, two, five and 10-year target timelines wherein technology can be utilised for regular monitoring.
The conference featured a series of special sessions that enabled focused deliberations on cross-cutting and emerging priorities.
It marks another important milestone in strengthening the Centre-State partnership through structured and sustained dialogue on national development priorities, according to the statement.
The PM's principal secretaries P K Mishra and Shaktikanta Das, Cabinet Secretary T V Somanathan, members of the NITI Aayog, chief secretaries of all states and Union territories, and domain experts attended the meeting.
Anchored in the prime minister's vision of cooperative federalism, this conference serves as the forum where the Centre and states collaborate, designing a unified roadmap to maximise India's human capital potential and accelerate inclusive, future-ready growth.
It has been organised annually over the past four years.
The first conference was held in Dharamshala in June 2022, followed by subsequent conferences in New Delhi in January 2023, December 2023 and December 2024.
