Archive for September 18, 2022

Uber Posts A Statement On Their Hack…. And It Didn’t Say A Whole Lot

Posted in Commentary with tags on September 18, 2022 by itnerd

So, Uber got pwned. And it seems a lot like their 2016 hack. But Uber didn’t go there. Instead they posted a statement that did not say much of anything. Judge for yourself:

While our investigation and response efforts are ongoing, here is a further update on yesterday’s incident:

  • We have no evidence that the incident involved access to sensitive user data (like trip history).
  • All of our services including Uber, Uber Eats, Uber Freight, and the Uber Driver app are operational.
  • As we shared yesterday, we have notified law enforcement.
  • Internal software tools that we took down as a precaution yesterday are coming back online this morning.

That’s it.

It really doesn’t offer any insight into what happened. Which isn’t a surprise, as I am guessing a bunch of C-level types at Uber are freaking out right now, as they are likely getting a whole lot of attention that they don’t want. As a result they are likely going to say little to nothing unless forced to.

I suspect that any insight as to what might have happened is going to come from someone other than Uber. And it will be interesting to get those details.

How Do You Reduce The Chance Of Your Company Getting Pwned? Implement MFA Or Passwordless Authentication

Posted in Commentary with tags on September 18, 2022 by itnerd

On this blog, you often read about some company or organization getting pwned by hackers and ransomware groups, Uber being the latest example. But the real question is how do you stop your company from being one of those companies. I’ll serve up two options for you: MFA and Passwordless Authentication. But before we talk about what those options are, let’s explain what the core problem is.

When you sign into your online accounts you’re proving to the service that you are who you say you are. Traditionally that’s been done with a username and a password. The problem is that if someone gets their hands on your password, they can get into said service. Or if you use the same password for all your services, then you’re asking for trouble if one of those services gets pwned by hackers. In short, by only using a password you are exposing yourself to being hacked 100% of the time. So to decrease the chance of that happening, you have two options:

MFA: “Two-Step Verification” or “Multifactor Authentication” operates on the principle that you provide a password, then a second authentication factor, such as a message sent to your smart phone with a number that you use to authenticate to the service. Because you physically have to have the smart phone in your hand, hackers are less likely to be able to break into the service. I say less likely because of SIM swap scams, where a hacker either physically steals your SIM or tricks a carrier into swapping your cellular service onto a SIM that they control, and then uses that to take over the service that you want to log into. Thus while not perfect, MFA does provide some protection.

Passwordless Authentication: This is an authentication method in which a user can log in to a computer system without entering (and having to remember) a password. In most common implementations users are asked to enter their public identifier (username, phone number, email address etc.) and then complete the authentication process by providing a secure proof of identity through a registered device or token. This makes it very hard, if not impossible, for a hacker to break into the service that you want to log into.
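To make the “identifier plus proof from a registered device” idea concrete, here is an added illustration (not code from this post, from Uber, or from any product) of a minimal challenge-response login: the server stores a per-device secret registered up front, issues a random single-use challenge, and accepts only a correct answer computed by that device. The identifier, the 60-second challenge lifetime and the secrets are constructed values for the demo.

```python
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 60  # seconds a challenge stays valid (assumed value for the demo)


class Server:
    def __init__(self):
        self.devices = {}     # identifier -> secret registered by that user's device
        self.challenges = {}  # identifier -> (nonce, issued_at) for a login in progress

    def register(self, identifier, device_secret):
        # One-time enrolment of the device; no password is ever stored or asked for.
        self.devices[identifier] = device_secret

    def start_login(self, identifier):
        # Step 1: the user supplies only a public identifier and gets back a fresh
        # random challenge that the registered device must prove it can answer.
        if identifier not in self.devices:
            return None
        nonce = secrets.token_bytes(32)
        self.challenges[identifier] = (nonce, time.time())
        return nonce

    def finish_login(self, identifier, proof):
        # Step 2: verify the device's answer. The challenge is removed on first use
        # and expires, so a captured proof is useless for a later replay.
        entry = self.challenges.pop(identifier, None)
        if entry is None:
            return False
        nonce, issued_at = entry
        if time.time() - issued_at > CHALLENGE_TTL:
            return False
        expected = hmac.new(self.devices[identifier], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof)  # constant-time comparison


def device_answer(device_secret, nonce):
    # What the registered phone or token computes; its secret never leaves the device.
    return hmac.new(device_secret, nonce, hashlib.sha256).digest()


def demo():
    server = Server()
    alice_secret = secrets.token_bytes(32)           # constructed enrolment secret
    server.register("alice@example.com", alice_secret)
    nonce = server.start_login("alice@example.com")
    ok = server.finish_login("alice@example.com", device_answer(alice_secret, nonce))
    replay = server.finish_login("alice@example.com", device_answer(alice_secret, nonce))
    nonce2 = server.start_login("alice@example.com")
    forged = server.finish_login("alice@example.com", device_answer(secrets.token_bytes(32), nonce2))
    return ok, replay, forged  # (True, False, False)
```

The second and third checks are the point: a stolen answer cannot be reused, and an attacker with the victim's identifier but without the enrolled device cannot satisfy a fresh challenge.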

So why are we having this discussion? Well, if you take the most recent Uber hack, it’s come out that the hacker got credentials and used them to break in, which also implies that there was no MFA or Passwordless Authentication in place, because if there were, the hacker would not have been able to break in. Thus if you want to reduce your attack surface, implementing either MFA or Passwordless Authentication would be a great way to do it. And I am starting to hear about companies that offer cyber insurance beginning to mandate MFA or Passwordless Authentication. Thus businesses may eventually not have a choice. So to get ahead of the game, you might want to implement one of the two.