Uber HACKED!, What can we learn from it?

Hello world and welcome to HaXeZ. On Friday the 16th of September 2022 the Uber Twitter account @Uber_Comms tweeted out that they were responding to a cybersecurity incident. Furthermore, they explained that they were in touch with law enforcement and would post additional updates as they become available.

Uber HACKED! Tweet

Scale of the Uber Hack

Uber had been hacked. It was later revealed by various sources that the hacker had the keys to the kingdom: a complete compromise. In fact, the hacker was able to obtain an internal file containing credentials to almost everything. To clarify, it was presumed that the hacker had full privileges on the cloud servers that power Uber, including Uber's data stores and user information (Personally Identifiable Information). There are lessons to be learned here about storing everything in one document.
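The practical lesson from a single "keys to the kingdom" document is that you should be able to find such files in your own environment before an attacker does. The following is an added example, not code from the original post and not anything Uber used: a small scanner that flags credential-like strings in a text file. The regular expressions, the file layout and the sample runbook are all constructed for the example and are deliberately narrow; a real deployment would use a maintained secret-scanning tool and a much larger pattern set.

```python
import re

# Credential-like patterns. These are constructed for this example and are
# far from exhaustive; they cover the kinds of strings that tend to end up
# in shared ops notes: cloud access keys, chat bot tokens, DB connection
# strings with embedded passwords, "password = ..." lines and private keys.
SECRET_PATTERNS = {
    "connection_string": re.compile(r"\b[a-z]+://[^:/\s]+:[^@\s]+@[^\s]+"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "slack_token": re.compile(r"\bxox[abp]-[0-9A-Za-z-]{10,}\b"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


def redact(value):
    """Keep only the first and last four characters so findings can be
    reported without copying the secret into a second document."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def find_secrets(text):
    """Return a list of (line_number, kind, redacted_match) tuples for every
    credential-like hit in the given text, in document order."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                hits.append((lineno, kind, redact(match.group(0))))
    return hits


# Constructed sample of an internal "everything in one place" note.
# None of these values are real credentials.
SAMPLE_NOTE = """\
# ops runbook (constructed sample, not a real file)
prod db: postgres://app:Sup3rS3cret@db.internal:5432/app
AWS_ACCESS_KEY_ID=AKIAEXAMPLE0000000A1
slack bot: xoxb-0000000000-0000000000-examplefaketoken
vpn password = Winter2022!
-----BEGIN RSA PRIVATE KEY-----
MIIEfakefakefake
-----END RSA PRIVATE KEY-----
"""


if __name__ == "__main__":
    for lineno, kind, redacted in find_secrets(SAMPLE_NOTE):
        print(f"line {lineno}: {kind}: {redacted}")
```

Run against the constructed note it reports five findings, one per credential type, with the secret itself redacted. Pointing `find_secrets` at wikis, shared drives and chat exports is the check that turns the "don't keep it all in one document" lesson into something you can actually measure.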

Discovering the Uber Hack

The hacker posted the following to Uber’s Slack messaging system: “I announce I am a hacker and Uber has suffered a data breach.” The hacker then went on to list several internal databases and claimed that they were compromised.

Slack

How Uber Was Hacked

According to The Guardian, the hack was possible through social engineering. The 18-year-old hacker sent a text message to an Uber employee. The hacker claimed to be a member of the technical department and asked the Uber employee for their password. The worker complied, which probably then allowed the hacker to move laterally throughout the Uber network.

https://www.theguardian.com/technology/2022/sep/15/uber-computer-network-hack-report

The Guardian

Previous Uber Hack

This isn’t the first time Uber has been hacked either. Uber’s former chief security officer Joseph Sullivan is currently on trial for allegedly paying hackers in an attempt to cover up a previous hack. That hack led to the personal information of almost 60 million customers and drivers being stolen.

Learning From The Hack

All the money that companies put into cybersecurity versus one teenager with a mobile phone. It says a lot about humans being the biggest vulnerability in an organization’s security, whether it’s a disgruntled employee, someone being blackmailed, or someone who doesn’t have a good understanding of security awareness. Humans are usually the weakest element in the security posture. Sure, if you have devices with default credentials or unpatched servers then that’s low-hanging fruit for any threat actor.

Social Engineering

Humans make mistakes; they can be tricked into performing actions that they otherwise wouldn’t do. Why? Because, believe it or not, most humans actually want to help one another. It’s this desire to help other people that can get us into trouble. Other times it could be because they are desperate to impress their managers or are afraid of making mistakes. Whatever the motivation behind someone’s actions, it is usually driven (in some way) by emotion. Perhaps this is why a lot of studies have shown that sociopaths make effective leaders. Sociopaths lack empathy and other emotions, which suggests their decisions aren’t usually motivated by emotions. However, I’m not an expert in psychology so I digress.

Exploiting Humans

Did you see that one episode of Mr. Robot where Elliot and the gang needed to gain access to the Steel Mountain data facility? Romero says the place is impenetrable and that it was designed that way. He claims that it has no vulnerabilities, to which Elliot responds “I see X of them walking around right now”. The gang then goes on to exploit a number of Steel Mountain employees by manipulating their emotions. It’s a great episode, you should go and watch it. While I’m sure the Uber hacker didn’t go to this extent, it does demonstrate how humans are the weakest link. Sure, it’s a fictional TV show, but the truth remains that humans can be tricked. Computer systems have no such emotions; sure, they have bugs, but bugs can be fixed. Can we fix humans in the same way? Should we?

Exploiting Humans

Security Awareness Training

I’m sure most employees sigh at the thought of security awareness training. Many people think it’s a waste of time and I tend to agree. Reading a security awareness document isn’t going to prepare people for an encounter with a skilled social engineer. Sure, you may retain some information on such attacks, but would it prevent you from divulging information that could aid a threat actor? You may be reading this thinking you would never fall victim to a social engineering attack, but even Steve Wozniak from Apple fell victim to a crypto scam. Our emotions get the best of us, whether it is the fear of missing out or the desire to help others.

Is There A Solution?

Personally, I don’t believe there is, not at the moment anyway. Due to the way we access sensitive information (usernames and passwords), there will always be hackers trying to steal credentials. Likewise, the way applications use passwords or keys to communicate with the database means a hacker could steal them and access everything. Even Apple’s decision to switch over to key-based authentication is flawed. If someone were to obtain your private key, they could authenticate as you. Perhaps identification and authentication is flawed. Maybe we need to completely rethink the way we access sensitive information.

Further Reading

If you’re interested in Social Engineering and would like to learn more then there are some great books I can recommend. The first is called The Art of Deception by Kevin Mitnick. If you don’t know who Kevin Mitnick is then go read up. His book explores various scenarios in which people can be tricked into giving up sensitive information.

The second book is Social Engineering: The Science of Human Hacking by Christopher J. Hadnagy. It explores the psychology of social engineering more and how to read people’s body language.

The final book I would recommend is How to win friends and influence people by Dale Carnegie. I would recommend this book to anyone, not just social engineers. Working in sales? Tech support? As a manager? This book will teach you how to better engage with other people. It will give you cheat codes for social interactions. It isn’t very long but it is very informative.

The Art Of Deception, Social Engineering, How To Win Friends and Influence People

Conclusions

Sure, we can point the finger at Uber and laugh at their misfortune, but try to remember that someone somewhere probably feels terrible right now. This was a human-focused attack, and how many of us can say we haven’t been tricked by another person before? Whether we believed a lie or lent someone money who never paid it back. Sure, most of us know never to give out our passwords and definitely not to store the keys to the kingdom in a single document. However, it really could happen to anyone if the social engineer was skilled enough. If anything can be learned from this, it’s that we should be careful who we trust with our sensitive information. Or as Deep Throat from The X-Files once said, “Don’t trust anyone”.

Update 08/09/2022 – Hacking Through Paris

Hello world and welcome to Haxez, today I want to give an update about why I haven’t made content in a while. It’s been about a month since I last published a video or article and the reason for this is that I’ve been away. More specifically, I’ve been in Paris on a job and it was pretty awesome. I got to see a lot of the sights, experience a lot of the food, and met some incredible people.

The Paris Job

So I was sent to Paris at the start of the month to perform a test for a client. I got the train from my home city to London and then navigated the maze that is the London underground to get to Kings Cross St Pancras. From there I took the Eurostar to Paris where I met up with my colleague at the hotel. The hotel was ok, it was a 4-star hotel and had a pool but I have to say the internet was terrible.

London To Paris

Exploring Paris

I had a fairly early night the first night, but the next day my colleague and I went adventuring around Paris. We had the worst McDonald's that both of us had ever had, but we scoffed it down and set about sightseeing. Our first stop was the Louvre Museum, which is quite a famous landmark; it has two glass pyramids and has been in films such as The Da Vinci Code. It was a pretty spectacular sight to behold, but we moved on.

Louvre Museum Paris

Padlock Bridge

Paris has some awesome bridges that cross the canal or river. It stretches for miles and there are frequent bridges and we coincidently happened to walk across the one that has all the padlocks on it. Something about people in relationships, they write their name on the padlock and lock it to the fence. I had read somewhere that they were planning on cutting them all off because the weight had become too much. Who knows, perhaps there is some other bridge somewhere where that is the case. Anyway, that was interesting.

Padlock Bridge

Eiffel tower

We then popped to the Eiffel tower and I have to say, it is pretty tall. It’s quite challenging to process the scale of things when you’re an ant on the ground, but that thing was huge. We didn’t go up as there were other things we wanted to see, but we said that we would come back and do it. We grabbed a bottle of water and decided to chill out for a bit, as my legs were starting to hurt. Other than a weird encounter with some overzealous guy trying to force a friendship bracelet onto my arm, it was a pretty awesome experience.

Eiffel tower

Arc De Triomphe

We then marched on to see the Arc De Triomphe and I have to say that thing impressed me the most. It was monumental in scale. It reminded me of the gates to Outland from the Burning Crusade World of Warcraft expansion pack. I’m sure someone has done the maths, but I genuinely wonder how much it weighs because it looked heavy.

Arc De Triomphe

Anyway, we managed to get a bit lost on our way back. The trains back to where we came from were canceled so we were in a bit of a pickle. My French is poor but luckily the French people were extremely helpful and pointed us in the right direction. My colleague saved our asses as by that point I was too tired and my brain wasn’t functioning at all. We made it back after about a 24km walk and lots of sunburns (ouch).

On-Site In Paris

It was the next day and it was time to go to work. We met up with the client and they walked us through what we would be testing. They were great guys and were very knowledgeable about Cybersecurity. They were also laid back and easy to have a laugh with. It didn’t feel like work for the first few days we were there as we were getting to know the system. However, as you can imagine, a whole month away from home is a long time (subjectively) and you start to get homesick. Our routine was to get to work at 9:00 am, eat lunch around 12:30, and then finish at about 5:00 pm. We would then normally eat out in a restaurant (Los Nanos I miss you).

Food in Paris

That routine continued for the majority of the time we were there. However, on the weekend before our last, we decided to head back to Paris. This time I was prepared with suncream. We headed back to the Eiffel tower and were able to get the lift up to the second floor. We had a fantastic view of Paris and were even able to have a cheeky beer while we were up there.

Paris from the Eiffel tower

Stranger Things

I had recently heard about the Stranger Things shop from one of the Film Theories’ videos about Stranger Things. Well, it goes without saying that we had to go and see it. So we punched the location into Google Maps and made our way there. There was a bit of a queue outside but it was well worth the wait. It was like stepping into a TV series. Obviously reading about it and seeing pictures won’t do it justice but it is well worth a visit if you’re a fan and are in the area.

Stranger Things Paris

Pantheon

We then visited a few other landmarks including the Pantheon and Notre Dame. Both were magnificent, but admittedly the experience was somewhat tarnished by the scaffolding around them. Regardless, it was still a sight to behold. The whole of Paris is honestly like that: the buildings are so large and well crafted. I can’t think of a word to describe it, but it is like nothing I had ever seen before.

Pantheon

Clash at the Castle

Moving on to the final weekend, I thought it would be a good idea to go and watch WWE Clash at the Castle in Cardiff. I had my tickets booked for months (Thanks Karl) and thought I would have been back from Paris by then. However, due to unforeseen circumstances, the project was pushed back by a week which meant it overlapped with Clash at the Castle. I decided to go back anyway. However, after booking my flight with EasyJet and turning up at the airport, they told me that I didn’t have a seat. Ok, so what did I pay for? Well, it turns out that is a common scummy practice with airlines where they oversell their tickets. Fortunately, someone didn’t turn up for their flight and I was able to pinch their seat. I got a lift home and then drove myself and two friends to Clash at the Castle.

Clash at the Castle

Final Thoughts

That was an awesome experience. I then drove back to the Airport, caught the flight back to Paris to work one day, and then got a flight back home. All things considered, everything went better than expected. I was expecting so many things to go wrong but it all turned out ok. I have to say though if it wasn’t for my colleague I sincerely wouldn’t have lasted the full month there. They kept me sane and were an absolute pleasure to work with.

Anyway, that’s where I have been. Now that I’m back I should hopefully start creating more content. I’m very eager to start going through the TryHackMe Red Teaming learning path so will probably be creating content about that.

My First Defcon Talk

Hello World and welcome to HaXeZ. This week has been interesting. Not only am I going to Bsides on Saturday but yesterday (Thursday), I performed my first Defcon talk at DC441242 and DC441452. I know it isn’t much to brag about but I consider it a personal achievement. I’m sure I’m not alone in saying that coming out of lockdown left me with a few social anxieties.

Having not been out socializing for a while, I’ve found myself avoiding social situations. Not so much because of the virus, but more because of wanting to stay within my comfort zone. That’s the problem with comfort zones, they are comfortable. However, staying in your comfort zone rarely allows you to achieve much.

Local Defcon

Nerves at Defcon

I’ve always wanted to do a Defcon talk; it’s been on my bucket list for a while. However, the pandemic happened and meetings were postponed or done through Zoom. Given the number of video quizzes I did during the lockdown, I didn’t fancy it. I wanted to do it in person, but with that comes nervousness. Despite how confident they are, anyone who has ever performed public speaking before has probably felt nervous. I remember giving the best man speech at my brother’s wedding and having my heart race the entire time. So why shouldn’t I throw myself to the wolves and deliver a cybersecurity talk to a room full of cybersecurity professionals?

With that said, I was surprised as I wasn’t feeling nervous at all. Sure, during the day leading up to it I was, but being there and doing it, I was fine. I have been to a few of these events before so I recognized a few people. I also asked a few of my friends to come (Thanks Jay, Mark, and Bob). During the presentation, there were moments where I fumbled my words or couldn’t explain things how I wanted to, but I don’t think anyone noticed.

Anxiety at Defcon

Imposter Syndrome

You know what I’m talking about. I’m sure others have it in different professions, but I feel like it is prevalent in the IT industry. I had it when I was doing tech support before I popped my first shell. I have it now even though I’ve been in IT for over a decade. It’s the feeling that you don’t belong somewhere, that you don’t fit in, that you’re faking it. That everyone else is a billion times smarter than you and will make fun of you for being a noob. Here’s the thing: everyone was once where you are today, whether you’re at the beginning of your journey or have been doing it for years. Someone somewhere will know something you don’t. That’s ok; actually, that’s great, it means there is more to learn. Nobody knows everything (is that a double negative?).

The people at my local Defcon were great, they let me do my presentation and were an easy audience to talk to. They looked engaged the whole time and put me at ease. At the end of the presentation, they asked me a few questions about the techniques. To be honest with you, I didn’t know the answers to a lot of them. Again, that’s ok, it gives me something to go home and research. Some of the questions I felt I should have known but others I hadn’t even thought about. This is how we grow, we invite challenges into our lives and overcome them. We get feedback from other people and view things from different vantage points.

Imposter Syndrome

My Defcon Talk

I’m not sure if I will ever overcome imposter syndrome but honestly, I’m not sure I want to. I would rather feel like an imposter and push myself to learn something new every day than feel like I know everything and take my foot off the gas.

On to my talk, if you watch my Youtube videos then you may have seen one I did recently about DNS tunneling. It isn’t a revolutionary hacking technique, nor is it a new one. However, I thought it was cool. I presented it at a virtual work meeting on a Friday afternoon and people seemed to enjoy it so I thought why not take it a step further. Local Defcon groups are always looking for people who want to present and it just so happened that my local one had an opening. I spoke with the organizers and they were happy to have me.

The point I’m trying to make is, if you want to do something like this but are worried that people have heard it all before, don’t be. You will be presenting it from a different perspective and that could be the perspective that someone needs to understand something. Go for it.

Better Than Expected

Final Thoughts

So what’s next? Well, I would like to do another talk in the future. I’m currently working on a video about the Digispark board. I’m going to be programming it to be a cheap alternative to the USB Rubber Ducky. I’ve written a similar post where I used a CJMCU, but that was a bit more expensive and used a Micro SD card. Perhaps that is something I could talk about, or perhaps I could talk about the Flipper Zero when it arrives (oh yes! I ordered one).

Either way, I wouldn’t hate it if I became a regular talker. I feel like it is something I could do to give something back to my local community. It’s a great way to make connections and learn new things. If you’re into hacking or security in general, you should definitely check out your local Defcon if you have one. It could be the stepping stone you need to land your first Cybersecurity job or just a way to make new friends with similar interests. My local Defcon did a talk about lock-picking once and had a bunch of locks and lock-picking toys for everyone to play with. It was great.

Anyway, I’m now someone who has spoken at a local Defcon. Not going to lie, it feels good.

Thanks for reading.

Update 25/04/2022

Hello and welcome to HaXeZ. First and foremost, sorry I’ve been away so long. I want to give you an update on what’s been going on and where I’ve been. I’ve been desperately wanting to get back to making content, but life has been chaotic and has only recently slowed down. For those who don’t know, I work as a penetration tester and work was insanely busy towards the end of the year. I was doing a lot of overtime and doing a lot of traveling to and from client locations.

There's No Place Like ~

Of course, that wasn’t enough. I decided that it was also a good time to update my living conditions and move into a new flat. However, I thought it would be a good idea to move it bit by bit. So, for a few weeks I was loading my car up with boxes, driving to my new flat and unpacking every evening. This took a lot longer than expected and it was exhausting. If you move house then I would advise that you do it all at once. Get it done and out of the way.

Internet Update

Once moved into the flat I was waiting for my new modem/wireless access point to be delivered. This was sent in the post and a certain postal company managed to deliver it to the wrong address. While waiting for an update, I was able to tether off my phone for basic internet access, but uploading videos wasn’t feasible. I’m happy to say that the modem was safely delivered and I now have internet access.

Time For A Break

Naturally, I needed a holiday to unwind from all this mayhem, so I decided to go to Florida and check out all the theme parks. We managed to go to all the Disney parks, the Universal parks, a few water parks and NASA. We were able to squeeze this all in within two weeks. It was exhausting, amazing but absolutely exhausting.

Virus Visitation

Then, it turns out I contracted THAT virus while I was over there. I was feeling a bit under the weather for the second week but thought it was down to tiredness and other environmental factors. However, the day we got back to the UK I was absolutely wiped out. I could barely get out of bed and was deaf in one ear. I took a rapid test and lo and behold I was positive for THAT virus. This kept me bed-bound for about 2 weeks while I was recovering, which brings us up to now. I’m now feeling better and well rested and ready to make content again.

Looking Forward

So, what are my plans going forward? Well, I want to continue making content, but I want to change things up a bit. I want to create a video playlist which focuses on introducing new people to cybersecurity. It will be like a “start here” point for people who are new to the industry. I will continue with the Hack This Site, Burp Suite and Hack The Box content, but I’m going to be changing when I do things. I don’t have it all figured out yet and I thank you all for continuing to support my content.

Speaking the truth in times of universal deceit

Can we talk the truth about Julian Assange and how he is still in Belmarsh maximum-security prison in London? Today, I received a postcard from the Don’t Extradite Assange campaign which called for a march on the Royal Courts of Justice on the 23rd of October 2021. 

Regardless of how you feel about the man, I challenge you to question how you feel about truth. I’m sure at some point in your life you have pleaded with someone for them to tell you the truth. We all prefer to be told the truth regardless of how it may impact our lives. Sure, little white lies can help you bypass awkward situations, and nobody is questioning the necessity to be able to have secrets. Everyone has a right to privacy, it’s even part of the UK’s human rights act. However, the government is not an individual person. They are a collection of people who are supposed to make decisions based on the interests of the public. As the public, we have a right to know what decisions are being made and why. 

The right to respect for your family and private life, your home and your correspondence is one of the rights protected by the Human Rights Act

The Human Rights Act 1998. Article 8

Truth during times of war

I’m not going to fall down the rabbit hole of whether the wars in Iraq and Afghanistan were justified or even legal. If you want my opinion, then I don’t believe we should have gone to war. Katharine Gun, the GCHQ whistleblower proved the wars weren’t legal when she leaked the memo about the United States requesting compromising intelligence on diplomats in 2003 so that they could swing the decision in favor of war. However, the world is far too complicated for me to pretend I understand what was truly going on behind the scenes. I don’t even want to address the intelligence failure behind the so-called WMDs.

Regardless of how the public felt about the war, it happened anyway. I was in my early teens when the war broke out but was more interested in Rap music and lying to be cool. However, it seemed like we were getting reports of war crimes daily. Whether it was the behavior of certain soldiers, decisions made by the government to torture people, or civilians being caught in the crossfire. You could argue that war is war and that certain lines must be crossed to succeed. However, I believe that someone should be held accountable for those decisions.

The Observer tells the truth

Journalistic Integrity

Julian Assange is a journalist who dared to tell the truth about these crimes. He created the Wikileaks platform to allow people to share information and release it to the public. I believe that the public has a right to know what our governments are doing overseas. If your local politician was embezzling funds and enacting policies that only benefited themselves, you would want to know about it. It’s in the public interest and the interest of the rest of the world for us to be able to hold our governments accountable for their actions.

Julian shone a spotlight on the crimes that were being committed. Like many journalists that have come before him, he highlighted injustices. He even won awards for the reports he produced. Yet he is currently being held in a maximum-security prison in the United Kingdom. Why? Because he dared to tell the truth. He dared to expose what our governments and politicians had become. He dared to question the authority. 

Wikileaks Truth Telling Website

Extradition of a Truth Teller

The US has been trying to extradite Julian Assange and if they are successful, he could face a 175-year prison sentence. 175 years for telling the truth about crimes that were being committed overseas. Regardless of what you believe about the other charges that were brought up against him, conveniently at the same time the US was trying to extradite him, you must ask why such a large sentence. 

The US is trying to make an example of him, but they should be more concerned about making him a martyr. By throwing such a heavy sentence at him they are trying to scare people into not following in his footsteps. If you question the government then you’re an enemy. However, the message it sends to me is: if you tell the truth, you will be punished. Do as I say, not as I do. Orwell is rolling in his grave.

Julian Assange does not deserve to be in prison. He deserves to be recognized for what he is. He is the journalist of the century. I’ve read his book and I have no opinion on his character. Others have said that he is quite difficult to work with but that doesn’t matter. His actions are what’s important. Like Edward Snowden, Julian Assange dared to tell the truth while others remained quiet. He put his life on the line to expose the truth about how far our governments are willing to go to protect their interests. Julian Assange shouldn’t be locked in a cell or forced into exile. He should be celebrated for his heroic actions.

Conclusion

I believe new laws should be written to protect whistle-blowers from governments when the information being leaked is of public interest. I believe that new legal systems to share sensitive information should be implemented. Legal Systems outside of government, who could then work with the government to address the information without making it go away.  I do not believe that whistle-blowers should be subjected to lengthy legal proceedings and possible incarceration for telling the truth. Obviously, there are extenuating circumstances like the sharing of a private organization’s secrets (such as patents) or causing physical harm to a person through the leaking of information. Whistle-blowers are the truth-tellers in an age where telling the truth has become a crime. 

Many people throughout history including US politician Senator Hiram Warren Johnson in 1918, or Dr. Samuel Johnson in 1758, or even the ancient Greek dramatist Aeschylus around 550 BC have been quoted as saying something like:

“The first casualty of war is the truth”

However, with this dystopia that we are slowly slipping into. With every surveillance device that gets added to the network. With every right that gets taken away (such as the right to protest) in the pursuit of increased security. I feel the following is a more fitting quote for our time.

 “speaking the truth in times of universal deceit is a revolutionary act”

George Orwell
