CySecurity News - Latest Information Security and Hacking Incidents: uber

AFP Cyberattacks Cybersecurity data threat Email Phishing Privacy uber

Uber's Costly Mistake: AUS$412,500 Fine for Spam Emails in Australia

There are many services offered by Uber Technologies, Inc., commonly known as Uber, which is a multinational company that offers a wide array of services, like ride-hailing, food delivery, and freight transportation, to its customers.

Founded in California, the company is located in around 70 countries around the world, providing its services in over 10,500 cities around the globe, from its headquarters in San Francisco. On a global scale, Uber brings together more than 6 million active drivers and couriers daily, which gives the app an extremely high user base, with more than 131 million active users every month.

The platform facilitates an estimated 25 million trips on a typical day, which is a record for the platform. The United States' largest ride-sharing company, Uber, has played a significant role in enabling a remarkable 42 billion trips since its establishment in 2010. Uber has also made a significant contribution to enabling a large share economy through opportunities such as the sharing economy.

AFP reported that Uber was fined Aus$412,500 ($260,000) by Australian Communications and Media Authority (ACMA) for sending more than two million emails to customers in violation of anti-spam laws, as the company had violated anti-spam laws by sending over two million emails.

There was a bulk email campaign distributed in January that marketed a new service that delivered alcohol to people at their homes. Furthermore, the company did not provide the option for customers to unsubscribe from the mailing list. Further, over 500,000 emails were sent to recipients who previously indicated that they did not want to receive marketing emails from us in the future.

There are explicit laws in the Australian laws that prohibit companies from sending marketing emails without receiving the express consent of the recipient. Additionally, these laws require that the email recipients be provided with a clear option to unsubscribe from these mailings.

It has been noted that Nerida O'Loughlin, the chair of the ACMA, described Uber's actions as an 'avoidable error' and that the importance of respecting the preferences of customers cannot be overstated, given that customers are becoming increasingly frustrated when their requests are not met.

As a response to these violations, Uber has apologized for sending these marketing emails, admitting that they had made an error in sending these emails. According to their apology, Uber acknowledged that they had made an error in this regard as well.

According to ACMA reports, over the past 18 months, the total amount of penalties and fines paid by Australian businesses for violating spam and telemarketing laws has been over Aus$11 million. Accordingly, Uber has been fined an amount of Australian dollars 412,500 (equivalent to US dollars 260,000) in response to these violations.

Law Firm for Uber Loses Drivers' Data to Hackers in Yet Another Breach



 

uber

Data Breach Data Theft Genova Burns uber

Law Firm for Uber Loses Drivers' Data to Hackers in Yet Another Breach

Uber Technologies has experienced its third data breach in six months, as sensitive data, including names and Social Security numbers of an unknown number of its drivers, was stolen by cyber attackers. The breach was discovered by law firm Genova Burns LLC, which had received the information from Uber as part of its legal representation.

The law firm noticed suspicious activity in January and confirmed that its systems had been compromised, leading to the data breach. The impacted drivers have been notified that their Social Security numbers and/or tax identification numbers may have been affected, and Uber has offered complimentary credit monitoring and identity protection services. Also, it is unclear if the Uber data breach was specifically targeted or caught up in a broader effort to attack legal services organizations.

Cyber attacks targeting legal firms have been on the rise, with cybercriminal campaigns using malicious search engine optimization techniques to lure potential victims to malicious sites.

Uber has experienced multiple cybersecurity breaches in the past, including leaks of the driver and user information in 2014 and 2016. In 2022, two more attacks occurred, one through a third-party cloud provider, resulting in the capture of sensitive data and the resignation of Uber's Chief Information Security Officer (CISO).

Genova Burns, after detecting the attack on January 31, conducted an investigation with the help of a third-party forensics and data security specialist. It was discovered that the data had been accessed and exfiltrated during the week prior to discovery.

On March 1, 2023, Genova Burns notified Uber that information related to the affected Uber drivers was contained in an impacted file. However, at this time, no actual or attempted misuse of the information has been identified.

"For the minority of cybercriminal attacks where a victim is targeted, organizations with access to large amounts of third-party data, such as law firms, present a valuable target. Law firms also frequently fit the profile of small to midsized organizations with a sizable IT footprint but no dedicated security resources,” Secureworks' Jarvis. said.

Genova Burns stated that they are taking additional steps to enhance security and protect against similar incidents in the future, as reported in a letter published by The Register.

Ex Uber Employee Made 388 Fake Driver Profiles, Duped Company of Rs 1.17 Crore



 

uber

Cyber Attacks Fraud Identity Theft Money Laundering Scam uber

Ex Uber Employee Made 388 Fake Driver Profiles, Duped Company of Rs 1.17 Crore

Ex Employee dupes Uber of Rs 1.17 Crore

A former Uber employee has been charged for duping the company of Rs. 1.17 crore by making 388 fake driver profiles and putting them on the company's server. The money was then transferred to only 18 bank accounts linked with these fake profiles. The accused was working with the company till December 2021 as a contractor. Uber's authorized signatory lodged the complaint in April last year. The accused's job was to look over driver payments and update the information of the authorized drivers in the company's spreadsheet so that the money could be transferred to the respective accounts.

FIR registered

Uber during its inquiry, discovered that out of the 388 fake driver profiles, 191 profiles were made using the same IP addresses associated with the accused man's system.

"To avoid inconveniencing driver partners, a spreadsheet is automatically uploaded regularly. A large number of transactions were processed by this automated spreadsheet and the accused was responsible for updating the details of the driver-partner accounts to be paid," Uber said in the complaint. The man created and made various fake driver partners’ accounts in the spreadsheet.

According to the police, the accused has been booked under sections 408 (criminal breach of trust by a servant), 420 (cheating), 477-A (falsification of accounts), and 120-B (criminal conspiracy) of the IPC.

The Uber complaint further read "191 cases out of 388 cases matched with the IP addresses used by Viney Gera to log into his work computer on the same day as the creation of the accounts. In the above manner, a total amount of Rs 1,17,03,033 has been fraudulently paid to these fake driver partners into only 18 bank accounts."

PTI quotes Inspector Deepak Kumar, SHO, Sushant Lok Police Station said "we are investigating the matter and the accused will be arrested as soon as possible," PTI reports.

Handling of driver partner payments

An Indian Express report explained how Uber handles driver payments when their accounts show a negative balance. A negative balance in an Uber driver's account means payment is overdue. This is removed when the driver pays the amount to the company. After this, a positive payment is credited to the partner's account, and the details of the transaction are updated in a spreadsheet.

The data (company spreadsheet) is then "uploaded to an Uber Payment Tool through an automated python script." The upload adds a positive balance to the driver partner's account to remove arrears that allow the driver to drive again.

Former Uber CSO Convicted for Covering up 2016 Data Breach



 

uber

Data Breach Data Theft LAPSUS$ New Technology Online crimes uber

Former Uber CSO Convicted for Covering up 2016 Data Breach

Uber's former chief security officer, Joe Sullivan, has been found guilty of illegally trying to cover up a 2016 data breach in which threat actors accessed 57 million Uber drivers' and customers' sensitive credentials.

Sullivan is a former cybercrime prosecutor officer of the US Department of Justice. A federal jury in San Francisco convicted him of obstructing justice and misprision – concealing a felony from law enforcement.

On November 21, 2017, Uber CEO Dara Khosrowshahi released a statement in which he acknowledged that miscreants had broken into the app giant's infrastructure and made off with 57 million customer and driver records. As a result of it Sullivan, along with legal director of security and law enforcement Craig Clark was fired.

"Sullivan orchestrated these acts despite knowing that the hackers were hacking and extorting other companies as well as Uber," the U.S. attorney's office said.

Sullivan’s trial began days before when the news broke that Uber had been hacked again. Uber said the group of hackers LAPSUS$ is running a campaign against Uber.

The group accessed and stole data of an employee’s login credential to gain wide-ranging access to Uber’s internal systems including the company’s Amazon Web Services console, Google Workspace admin dashboard for managing the Uber email accounts, VMware vSphere/ESXi virtual machines, Slack server, and bug bounty program portal. However, Uber confirmed that the hackers did not gain access to the sensitive data of customers.

In the case of the 2016 data breach, Uber had to make two $50,000 payments to the intruders in December 2016. A month later, after managing to identify one of the attackers from the group, an Uber representative met the man in Florida and had him sign a confidentiality agreement.

"Technology companies in the Northern District of California collect and store vast amounts of data from users. We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users,” U.S. Attorney Stephanie M. Hinds said in a statement.

Teen Hacking Suspect Arrested by London Police for GTA 6 and Uber Breach



 

User Privacy

Cyber Crime Flashpoint LAPSUS$ Online Gaming uber United Kingdom User Privacy

Teen Hacking Suspect Arrested by London Police for GTA 6 and Uber Breach

A 17-year-old Oxfordshire kid was detained on suspicion of hacking, according to information released by the City of London Police on Friday.

According to experts, the recent security breaches at Uber and Rockstar Games may have something to do with the arrest.

On September 18, a cyber threat actor identified as the 'teapotuberhacker' claimed to have hacked Rockstar Games, the company behind the well-known and contentious Grand Theft Auto (GTA) franchise, in a post on GTAForums.com. Teapotuberhacker claimed to have taken 90 movies of alpha material and the source code for Grand Theft Auto VI and its predecessor GTA V from Rockstar in that post, which has since been removed.

Notably, a 17-year-old Oxford boy was among the seven minors who were detained. The Oxford teenager was detained after other hackers posted his name and address online. The boy had two internet aliases: 'Breachbase' and 'White'. According to the reports, the boy had earned about $14 million via data theft.

Further information concerning the inquiry was kept under wraps by the UK authorities.

Seven adolescents were detained and later freed by City of London police in connection with a probe into the Lapsus$ hacking organization this spring.

Uber released more information regarding the latest security breach earlier this week. According to the firm, the threat actor responsible for the intrusion is connected to the LAPSUS$ hacker organization.

Flashpoint, a security company, presented a report of the Grand Theft Auto VI data breach this week and disclosed that the name of the hacker responsible for the two attacks had been made public on a dark web forum.

The forum administrator claimed that teapotuberhacker was the same guy who had allegedly hacked Microsoft and owned Doxbin in the debate, which was titled 'The Person Who Hacked GTA 6 and Uber is Arion,' according to the story that was published by FlashPoint.

If these claims are true, which is not entirely apparent, it will assist in explaining the most recent incident that law police conducted.

Uber Blames Extortion, Hacking Group Lapsus$ For Recent Data Breach



 

User Security

Data Data Breach Data Leak Hackers Hacking Group uber User Data User Privacy User Security

Uber Blames Extortion, Hacking Group Lapsus$ For Recent Data Breach

Uber revealed more details about the security incident that occurred last week on Monday, pinning the attack on a threat actor it believes is affiliated with the notorious LAPSUS$ hacking group.

The financially motivated extortionist group was dealt a massive blow in March 2022 when the City of London Police arrested seven suspected LAPSUS$ gang members aged 16 to 21. Two of them were charged for their actions weeks later. The hacker responsible for the Uber breach, an 18-year-old teenager known as Tea Pot, has also claimed responsibility for breaking into video game publisher Rockstar Games over the weekend.

"This group typically uses similar techniques to target technology companies, and in 2022 alone has breached Microsoft, Cisco, Samsung, NVIDIA, and Okta, among others," the San Francisco-based company said in an update.

As the company's investigation into the incident continues, Uber stated that it is functioning with "several leading digital forensics firms," in addition to cooperating with the US Federal Bureau of Investigation (FBI) and the Justice Department.

In terms of how the attack occurred, the ridesharing company stated that an "EXT contractor" had their personal device compromised with malware and their corporate account credentials stolen and sold on the dark web, correlating with an earlier Group-IB report. The previous week, the Singapore-based company reported that at least two of Uber's employees in Brazil and Indonesia had been infected with Raccoon and Vidar information robbers.

"The attacker then repeatedly tried to log in to the contractor's Uber account," the company said. "Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, however, the contractor accepted one, and the attacker successfully logged in."

After gaining access, the miscreant appears to have accessed other employee accounts, giving the malicious party access to "several internal systems" such as Google Workspace and Slack. The company also stated that as part of its incident response measures, it disabled impacted tools, rotated keys to the services, locked down the codebase, and blocked compromised employee accounts from accessing Uber systems or issued password resets for those accounts.

Uber did not say how many employee accounts were potentially compromised, but it emphasised that no unauthorised code changes were made and that there was no evidence the hacker had access to production systems that support its customer-facing apps. The firm also revealed that the attacker gained access to HackerOne bug reports, but added that "any bug reports the attacker was able to access have been remediated."

"There is only one solution to making push-based [multi-factor authentication] more resilient and that is to train your employees, who use push-based MFA, about the common types of attacks against it, how to detect those attacks, and how to mitigate and report them if they occur," Roger Grimes, data-driven defence evangelist at KnowBe4, said in a statement.

According to Chris Clements, vice president of solutions architecture at Cerberus Sentinel, organisations must recognise that MFA is not a "silver bullet" and that not all factors are created equal.

While there has been a transition from SMS-based authentication to an app-based approach to reduce the dangers associated with SIM swapping attacks, the attack against Uber and Cisco shows that security controls that were once thought to be infallible are being circumvented by other means.

The fact that threat actors are relying on attack paths such as adversary-in-the-middle (AiTM) proxy toolkits and MFA fatigue (aka prompt bombing) to trick an unsuspecting employee into inadvertently handing over MFA codes or authorising an access request underscores the importance of employing phishing-resistant methods.

"To prevent similar attacks, organizations should move to more secure versions of MFA approval such as number matching that minimize the risk of a user blindly approving an authentication verification prompt," Clements said.

"The reality is that if an attacker only needs to compromise a single user to cause significant damage, sooner or later you are going to have significant damage," Clements added, underscoring strong authentication mechanisms "should be one of many in-depth defensive controls to prevent compromise."

Uber Investigates Potential Breach Of its Computer System



 

User Security

Data Breach Data Leak data security Security Incident Slack uber User Data User Privacy User Security

Uber Investigates Potential Breach Of its Computer System

Uber announced on Thursday that it is responding to a cybersecurity incident involving a network breach and that it is in contact with law enforcement authorities. The incident was first reported by the New York Times. When reached for comment, the company referred to its tweeted statement.

As per two employees who were not authorised to speak publicly, Uber employees were instructed not to use the company's internal messaging service, Slack, and discovered that other internal systems were inaccessible.

Uber employees received a message that read, "I announce I am a hacker and Uber has suffered a data breach" shortly before the Slack system was taken offline on Thursday afternoon. The message went on to list a number of internal databases that the hacker claimed were compromised.

"It appeared that the hacker was later able to gain access to other internal systems, posting an explicit photo on an internal information page for employees," the New York Times stated.

Uber has not released any additional information about the incident, but it appears that the hacker, believed to be an 18-year-old teenager, social-engineered the employee to obtain their password by impersonating a corporate IT employee and then used it to gain access to the internal network.

The attacker was able to circumvent the account's two-factor authentication (2FA) protections by bombarding the employee with push notifications and contacting the individual on WhatsApp to abide by the authorization by claiming to be from Uber's IT department. The technique is similar to the recently disclosed Cisco hack, in which cybercriminal actors used prompt bombing to gain 2FA push acceptance.

"Once on the internal network, the attackers found high privileged credentials laying on a network file share and used them to access everything, including production systems, corp EDR console, [and] Uber slack management interface," Kevin Reed, a chief information security officer at Acronis, told The Hacker News.

It's not the first time

This is not Uber's first security breach. It came under fire for failing to adequately reveal a 2016 data breach that affected 57 million riders and drivers and then paying hackers $100,000 to obfuscate the breach. It was only in late 2017 that the public became aware of it.

Uber's top security executive at the time, Joe Sullivan, was fired for his role in the company's response to the hack. Mr. Sullivan was charged with obstructing justice for failing to notify regulators of the breach, and he is currently on trial. Mr. Sullivan's lawyers have argued that other employees were responsible for regulatory disclosures and that the company had made Mr. Sullivan a scapegoat.

In December 2021, Sullivan was sentenced to three additional counts of wire fraud in addition to the previously filed felony obstruction and misprision charges.

"Sullivan allegedly orchestrated the disbursement of a six-figure payment to two hackers in exchange for their silence about the hack," the superseding indictment said. It further said he "took deliberate steps to prevent persons whose PII was stolen from discovering that the hack had occurred and took steps to conceal, deflect, and mislead the U.S. Federal Trade Commission (FTC) about the data breach."

The latest breach comes as Sullivan's criminal case goes to trial in the United States District Court in San Francisco.

Reed concluded, "The compromise is certainly bigger compared to the breach in 2016. Whatever data Uber keeps, the hackers most probably already have access."

Uber Admits Covering up Data Breach Involving 57M Users



 

Users

Data Breach Data Leak data security uber User Data User Security Users

Uber Admits Covering up Data Breach Involving 57M Users

Uber has reached an agreement with the US Department of Justice regarding its cover-up of a data breach in November 2016. In exchange for avoiding prosecution, the ride-hailing company has agreed to assist the DOJ in prosecuting its former top security officer Joseph Sullivan.

The agreement stemmed from a data breach that compromised the personal information of 57 million people, including both passengers and drivers. The attackers gained access to a secret source code repository and obtained an access key, which they then used to steal the data.

According to reports, the corporation decided to pay off the criminals while also hiding the breach from the Federal Trade Commission (FTC), which was already examining its security policies at the time. Uber notified the FTC and dismissed Sullivan in November 2017, following the resignation of previous CEO Travis Kalanick and the appointment of new CEO Dara Khosrowshahi. It reached an agreement with the Commission in 2018, agreeing to maintain a privacy programme that includes external audits. It also paid $148 million to resolve disputes with all 50 states.

In August 2020, the Department of Justice charged Sullivan with obstruction of justice and hiding a felony. In December 2021, it announced new accusations of wire fraud for neglecting to notify Uber drivers that their driver's licences had been compromised. Uber had previously been working with the investigation and will continue to do so under the conditions of the most recent settlement.

The corporation has agreed to disclose any materials and witnesses needed to help the DoJ prosecute Sullivan. In exchange, Uber and its affiliates are exempt from prosecution in connection with the 2016 data breach.

According to Ilia Kolochenko, founder of ImmuniWeb and member of the Europol Data Protection Experts Network, Uber may still face a private legal lawsuit.“To void such undesirable situations, companies should take privacy and data breaches seriously, considering their duties and obligations under all applicable laws and regulations,” he said.

“Having a well-thought-out data breach response plan in place that would include, among other things, swift interaction with internal and external legal teams, media and investors, is crucial to minimize reputational and financial damage of unpreventable data breaches. The close collaboration of technical and legal experts is the next big thing in cybersecurity,” further added.

Sullivan is a former federal prosecutor who currently serves as Cloudflare's chief security officer. He served as an assistant US attorney in the Northern District of California from 2000 to 2002, where he will be tried in September. He stated yesterday that he will be taking time off from work to prepare for the trial.

1.2 Million Aussies Suffered when Uber was Breached in 2016



 

User Security

Australia Data Breach Data Leak OAIC uber User Privacy User Security

1.2 Million Aussies Suffered when Uber was Breached in 2016

Uber infringed on the privacy of more than 1 million Australians in 2016, according to the Office of the Australian Information Commissioner (OAIC). Personal data of an estimated 1.2 million Australian customers and drivers was accessed from a breach in October and November 2016, Australia's Information Commissioner and Privacy Commissioner Angelene Falk said on Friday that US-based Uber Technologies Inc and Dutch-based Uber B.V. failed to adequately protect it.

In late 2017, it was revealed that hackers had stolen data on 57 million Uber users throughout the world, as well as data on over 600,000 Uber drivers. Uber hid the breach for over a year and paid the hacker to keep it hidden instead of notifying individuals affected. OAIC said its investigation focused on whether Uber had preventative measures in place to secure Australians' data, even though Uber compelled the attackers to destroy the data so that there was no evidence of future exploitation.

The Uber company, according to Falk, violated the Privacy Act 1988 by failing to take reasonable precautions to protect Australians' personal information from unauthorized access and destroy or de-identify the data as required. She also claimed that the tech giant failed to take reasonable steps to implement practices, procedures, and systems to ensure compliance with the Australian Privacy Principles (APP).

"Rather than disclosing the breach responsibly, Uber paid the attackers a reward through a bug bounty program for identifying a security vulnerability," the determination says. "Uber did not conduct a full assessment of the personal information that may have been accessed until almost a year after the data breach and did not publicly disclose the data breach until November 2017."

Falk said the case presented complicated questions about how the Privacy Act applies to firms situated overseas that outsource the handling of Australians' personal information to other companies within their corporate group. "Australians need assurance that they are protected by the Privacy Act when they provide personal information to a company, even if it is transferred overseas within the corporate group," she added.

Uber agreed to pay $148 million in a US settlement over the incident in September 2018 and was fined over £900,000 by the UK and Dutch regulators a few months later for the 2016 data breach. In October 2019, two men pled guilty to the hack, and US authorities accused Uber's former chief security officer in August 2020 of the cover-up. "We learn from our mistakes and reiterate our commitment to continue to earn the trust of users," an Uber spokesperson said.

Brazilian Cybercriminals Created Fake Accounts for Uber, Lyft and DoorDash



 

uber

Brazil Cyber Crime cybercriminals DOJ Fake Accounts FBI uber

Brazilian Cybercriminals Created Fake Accounts for Uber, Lyft and DoorDash

According to a recent report by the Federal Bureau of Investigation (FBI), a Brazilian organization is planning to defraud users of digital networks such as Uber, Lyft, and DoorDash, among others. According to authorities, this group may have used fake IDs to build driver or delivery accounts on these sites in order to sell them to people who were not qualified for the companies' policies.

This scam may have also included the use of GPS counterfeiting technologies to trick drivers into taking longer trips and earning more money. Furthermore, the Department of Justice (DOJ) states that this organization would have begun operations in 2019 and would have expanded its operations after the pandemic paralyzed many restaurants and supermarkets.

The gang, which worked mainly in Massachusetts but also in California, Florida, and Illinois, communicated through a WhatsApp group called "Mafia," where they allegedly agreed on similar pricing strategies to avoid undercutting each other's income, according to the FBI.

The party leased driver accounts on a weekly basis, according to court records. A ride-hailing service driver account costs between $250 and $300 per week, while a food delivery web account costs $150 per week. The FBI claimed to have tracked more than 2,000 accounts created by gang members during their investigation.

According to the agents in charge of the investigation, the suspects made hundreds of thousands of dollars from this scheme, depositing their earnings in bank accounts under their control and withdrawing small sums of money on a regular basis to avoid attracting the attention of the authorities. Thousands of dollars were also made by criminals due to referral incentives for new accounts. One of the gang members received USD 194,800 through DoorDash's user referral system for 487 accounts they had on the website, according to a screenshot posted on the group's WhatsApp page.

The DOJ has charged 19 Brazilian people so far, as well as revealing that six members of the fraudulent party are still on the run. The Department of Justice reported the second round of charges against five Brazilian citizens last week. Four were apprehended and charged in a San Diego court, while a fifth is still on the run and assumed to be in Brazil.

Uber's Former Chief Security Officer Charged for Covering up A Massive Data Breach



 

uber

Cyber Security Data Breach Hackers uber

Uber's Former Chief Security Officer Charged for Covering up A Massive Data Breach

Uber's former chief security officer, Joe Sullivan, was very recently charged by the federal prosecutors in the United States for covering up an enormous data breach that the company had endured in 2016.

Sullivan "took deliberate steps to conceal, deflect, and mislead the Federal Trade Commission about the breach" that additionally included paying hackers $100,000 ransom to keep the incident a secret, according to the press release published by the U.S. Department of Justice.

It said, "A criminal complaint was filed today in federal court charging Joseph Sullivan with obstruction of justice and misprision of a felony in connection with the attempted cover-up of the 2016 hack of Uber Technologies.”

The 2016 Uber's data breach exposed names, email addresses, phone numbers of 57 million Uber riders and drivers, and driving license numbers of around 600,000 drivers.

The company revealed this data out in the open almost a year later in 2017, following Sullivan's exit from Uber in November.

Later it was reported for, that two hackers, Brandon Charles Glover of Florida and Vasile Mereacre of Toronto, were the ones responsible for the incident and were the ones to whom Sullivan ‘approved’ paying cash in return for the promises to delete information of the clients that they had stolen.

The problem initially began when Sullivan, as a representative for Uber, in 2016 was reacting to FTC inquiries with respect to a previous data breach incident in 2014, and at the same time, Brandon and Vasile reached him in regards to the new data breach.

"On November 14, 2016, approximately 10 days after providing his testimony to the FTC, Sullivan received an email from a hacker informing him that Uber had been breached again and his team was able to confirm the breach within 24 hours of his receipt of the email. Rather than report the 2016 breach, Sullivan allegedly took deliberate steps to prevent knowledge of the breach from reaching the FTC."

As indicated by court archives, the ransom amount was paid through a bug bounty program trying to document the blackmailing payment as ‘bounty’ for white-hat hackers who highlight the security issues however have not compromised information.

The federal prosecutors said, “After Uber personnel were able to identify two of the individuals responsible for the breach, Sullivan arranged for the hackers to sign fresh copies of the non-disclosure agreements in their true names. The new agreements retained the false condition that no data had been obtained. Uber's new management ultimately discovered the truth and disclosed the breach publicly, and to the FTC, in November 2017."

However just last year, the two hackers were pleaded guilty to a few counts of charges for hacking and blackmailing Uber, LinkedIn, and various other U.S. corporations. In 2018, English and Dutch data protection regulators had likewise fined Uber with $1.1 million for neglecting to secure its clients' personal data during a 2016 cyber-attack.

As of now, if Sullivan is found guilty of cover-up charges, he could expect at least eight years in prison along with potential fines of up to $500,000.

Flaw in Palo Alto VPN Solution Puts Uber and Other Enterprises at Risk



 

Vulnerability

uber VPNS. Vulnerability

Flaw in Palo Alto VPN Solution Puts Uber and Other Enterprises at Risk

A critical vulnerability has been discovered in Palo Alto GlobalProtect SSL VPN software, the bug, somewhat unusual and is apparently said to be utilized by big enterprise companies over the globe, including the 'ride-hailing platform' Uber.

Used to make secure channels and Virtual Private Network (VPN) tunnels for remote workers - however was discreetly existing in more established adaptations i.e. the older adaptations, the bug has been fixed with the release of recent solutions.

Researchers depict the bug as format string vulnerability in the PAN SSL Gateway, which handles clients/server SSL handshakes.

The issue lies in how the gateway handles specific value parameters without legitimate sanitization, and an attacker sending a 'crafted request' to a vulnerable SSL VPN target is sufficient to trigger an exploit easily.

As per Palo Alto's security advisory, ‘the remote code execution flaw, tracked as CVE-2019-1579, is present in GlobalProtect portal and GlobalProtect Gateway products…’

The vulnerability in old renditions of the product was first discovered and revealed by Devcore researchers Orange Tsai and Meh Chang in a blog entry just a week ago, a further examination found that there was no assigned CVE.

The "silent fix" RCE was not replicable on the most recent rendition of GlobalProtect, regardless of the success with the older variations.

After investigation and exploring a bit the researchers revealed just about 22 Uber-owned servers utilizing a vulnerable version of GlobalProtect.

Nevertheless Uber tackled the issue as soon as it was made aware of it and further clarified that, “Palo Alto SSL VPN was not the primary VPN in use by the majority of staff members, and the software was hosted in AWS rather than embedded within core infrastructure and so the potential impacted was deemed ‘low’...”

A partial proof-of-concept (PoC) has likewise been released after the discoveries provoked Palo Alto to publish a warning and the vulnerability's CVE was then assigned.

Indeed, even after Uber's potential exposure may have been low as the older software was facilitated in AWS, yet that does not mean other enterprises and companies may not be vulnerable. It is therefore, prescribed that users update to a much recent version as fast as they could given the circumstances.

Uber Working with AI to Determine the Probability of Drunken Passengers



 

uber

AI CNN uber

Uber Working with AI to Determine the Probability of Drunken Passengers

Recently according to CNN, the Uber Innovation Inc. documented a patent for a machine learning application that could precisely foresee a user's condition of sobriety and caution the driver with this information. Because apparently Uber is taking a shot at innovating a technology that could decide exactly just how drunken passengers are when requesting for a ride.

The patent application depicts artificial intelligence that figures out how passengers commonly utilize the Uber application, so it can better spot uncommon behaviour in light of the fact that, various Uber drivers have been physically assaulted by passengers as of late, a significant number of whom were inebriated.

The application's algorithms measure various factors that indicate that the passengers are most likely inebriated it incorporates typos, walking speed, how correctly the passengers press in-app buttons, and the amount of time it takes to arrange a ride. Somebody messing up most words, swaying side-to-side and taking at most 15 minutes to arrange for a ride late on Saturdays.

Uber's patent says that it could, possibly, utilize the innovation to deny rides to users in light of their current state, or maybe coordinate them with different drivers with pertinent abilities and training.

The application is said to likewise increase the wellbeing for both the rider as well as the driver.

As per an ongoing CNN investigation, no less than 103 Uber drivers have been blamed for sexually assaulting or abusing passengers in just the previous four years. Now, while the application won't stop the ruthless idea of a few people, it can definitely help in accurately recognizing disabled people so they can be placed with trusted drivers or those with experience in commuting inebriated passengers.

Uber Charges Rider C$18.5K for 20-minute Trip



 

uber

surge price uber

Uber Charges Rider C$18.5K for 20-minute Trip

We’re all familiar with surge pricing and paying high amounts of money for small distances to corporations like Uber or Ola, but last Friday, a man in Canada was charged about C$18,500 for a 5.6-kilometre trip.

That’s about 14,500 in US Dollars, or 9.3 lakhs in Indian Rupees. Hisham Salama, the rider in question, took to Instagram to share this story. His friend also posted a screenshot on Twitter:

My friend was charged 18K for a 20 Min ride (!), and they are sticking to it. What in the world??? This is insane! @Uber_Support @badassboz @Uber pic.twitter.com/RjFihVLKIC
— Emily Kennard (@emilykennard) December 9, 2017

Uber looked ready to shift all the blame on the customer, as proven by a screenshot of the conversation between Hisham and the company.

@Uber @Uber_Support what turned out to be an honest mistake is now turning into the biggest blunder of 2017. I’m no longer laughing at wondering when #uber will get their act together. Can anyone help? Obviously, no 20 min fare is $18,500. pic.twitter.com/zBhtMSBy67
— Hisham Salama (@The_Hish) December 9, 2017

Finally, it seems the uproar on social media caught their attention and they apologized as well as refunded the money back to Hisham. According to his tweet, they will be setting up a meeting with a representative and solve the problem.

Thank you to everyone who tweeted and retweeted about my magical $18,500 @Uber ride. @Uber_Support has refunded the fare and apologized. I am hopeful that I will be able to speak to someone on their leadership team about my issue and timing of resolution next week.
— Hisham Salama (@The_Hish) December 9, 2017

Uber later defended itself saying that the huge charge was an “error” and has been resolved, adding that they have refunded the money and apologized for the experience.

A spokesperson from the company, in a statement to Slate, said, “We have safeguards in place to help prevent something like this from happening, and we are working to understand how this occurred.”

Uber further went on to put the blame on the driver, saying that his cab was a traditional cab with a meter and the driver had made a mistake while putting in the fare details into it, and that the error was not a technical glitch.

(Currency figures are 1 CAD = 0.78 USD and 50.24 INR)

Search This Blog

Sections

Popular Posts

Blog Archive

Labels

Report Abuse

About Me

Showing result(s) for

Popular Posts

Pages

Uber's Costly Mistake: AUS$412,500 Fine for Spam Emails in Australia

Law Firm for Uber Loses Drivers' Data to Hackers in Yet Another Breach