Hello world and welcome to HaXeZ. On Friday the 16th of September 2022 the Uber Twitter account @Uber_Comms tweeted that they were responding to a cybersecurity incident. Furthermore, they explained that they were in touch with law enforcement and would post additional updates as they became available.
Scale of the Uber Hack
Uber had been hacked. It was later revealed by various sources that the hacker had the keys to the kingdom. A complete compromise. In fact, the hacker was able to obtain an internal file with credentials to almost everything. To clarify, it was presumed that the hacker had full privileges on the cloud servers that power Uber. This includes Uber's store and user information (Personally Identifiable Information). There are lessons to be learned here about storing everything in one document.
Discovering the Uber Hack
The hacker posted the following to Uber's Slack messaging system: "I announce I am a hacker and Uber has suffered a data breach." The hacker then went on to list several internal databases and claimed that they were compromised.
How Uber Was Hacked
According to The Guardian, the hack was made possible through social engineering. The 18-year-old hacker sent a text message to an Uber employee. The hacker claimed to be a member of the technical department and asked the Uber employee for their password. The worker complied, which probably then allowed the hacker to move laterally throughout the Uber network.
Previous Uber Hack
This isn't the first time Uber has been hacked either. Uber's former chief security officer Joseph Sullivan is currently on trial for allegedly paying hackers in an attempt to cover up a previous hack. That hack led to the personal information of almost 60 million customers and drivers being stolen.
Learning From The Hack
All the money that companies put into cybersecurity versus one teenager with a mobile phone. It says a lot about humans being the biggest vulnerability in an organization's security, whether it's a disgruntled employee, someone being blackmailed, or someone who doesn't have a good understanding of security awareness. Humans are usually the weakest element in the security posture. Sure, if you have devices with default credentials or unpatched servers then that's low-hanging fruit for any threat actor.
Humans make mistakes; they can be tricked into performing actions that they otherwise wouldn't do. Why? Because, believe it or not, most humans actually want to help one another. It's this desire to help other people that can get us into trouble. Other times it could be because they are desperate to impress their managers or are afraid of making mistakes. Whatever the motivation behind someone's actions, it is usually driven (in some way) by emotion. Perhaps this is why a lot of studies have shown that sociopaths make effective leaders. Sociopaths lack empathy and other emotions, which suggests their decisions aren't usually motivated by emotion. However, I'm not an expert in psychology, so I digress.
Did you see that one episode of Mr. Robot where Elliot and the gang needed to gain access to the Steel Mountain data facility? Romero says the place is impenetrable and that it was designed that way. He claims that it has no vulnerabilities, to which Elliot responds "I see X of them walking around right now". The gang then goes on to exploit a number of Steel Mountain employees by manipulating their emotions. It's a great episode; you should go and watch it. While I'm sure the Uber hacker didn't go to this extent, it does demonstrate how humans are the weakest link. Sure, it's a fictional TV show, but the truth remains that humans can be tricked. Computer systems have no such emotions; sure, they have bugs, but bugs can be fixed. Can we fix humans in the same way? Should we?
Security Awareness Training
I'm sure most employees sigh at the thought of security awareness training. Many people think it's a waste of time, and I tend to agree. Reading a security awareness document isn't going to prepare people for an encounter with a skilled social engineer. Sure, you may retain some information on such attacks, but would it prevent you from divulging information that could aid a threat actor? You may be reading this thinking you would never fall victim to a social engineering attack, but even Steve Wozniak from Apple fell victim to a crypto scam. Our emotions get the best of us, whether it is the fear of missing out or the desire to help others.
Is There A Solution?
Personally, I don't believe there is. Not at the moment, anyway. Because of the way we access sensitive information (usernames and passwords), there will always be hackers trying to steal credentials. Likewise, the way applications use passwords or keys to communicate with the database means a hacker could steal them and access everything. Even Apple's decision to switch over to key-based authentication is flawed: if someone were to obtain your private key, they could authenticate as you. Perhaps identification and authentication themselves are flawed. Maybe we need to completely rethink the way we access sensitive information.
If you're interested in social engineering and would like to learn more, there are some great books I can recommend. The first is called The Art of Deception by Kevin Mitnick. If you don't know who Kevin Mitnick is, go read up on him. His book explores various scenarios in which people can be tricked into giving up sensitive information.
The second book is Social Engineering: The Science of Human Hacking by Christopher J. Hadnagy. It explores the psychology of social engineering in more depth, including how to read people's body language.
The final book I would recommend is How to Win Friends and Influence People by Dale Carnegie. I would recommend this book to anyone, not just social engineers. Working in sales? Tech support? As a manager? This book will teach you how to better engage with other people. It will give you cheat codes for social interactions. It isn't very long, but it is very informative.
Sure, we can point the finger at Uber and laugh at their misfortune, but try to remember that someone somewhere probably feels terrible right now. This was a human-focused attack, and how many of us can say we haven't been tricked by another person before, whether we believed a lie or lent someone money who never paid it back? Sure, most of us know never to give out our passwords, and definitely not to store the keys to the kingdom in a single document. However, it really could happen to anyone if the social engineer was skilled enough. If anything can be learned from this, it's that we should be careful who we trust with our sensitive information. Or, as Deep Throat from The X-Files once said, "Don't trust anyone".