skip to Main Content

At The Identity Organisation, we're here to help!

    Your privacy is important to us, and we want to communicate with you in a way which has your consent and which is in line with UK Law on data protection. As a result of a change in UK law on 25th May 2018, by providing us with your personal details you consent to us processing your data in line with current GDPR requirements.

    Here is where you can review our Privacy & GDPR Statement

    To remove consent at any time, please e-mail info@tidorg.com with the word "unsubscribe" as the subject.

    +44 (0) 1628 308038 info@tidorg.com

    Uber security breach ‘looks bad’, caused by social engineering

    It was all over the news, but ZDNet’s Eileen Yu was one of the first. — “Hacker is believed to have breached Uber’s entire network in a social engineering attack, which one security vendor says is more extensive than the company’s 2016 global data breach and access logs potentially altered.”

    Push-Fatigue

    The article continues: ” A hacker on Thursday was believed to have breached multiple internal systems, with administrative access to Uber’s cloud services including on Amazon Web Services (AWS) and Google Cloud (GCP).

    “The attacker is claiming to have completely compromised Uber, showing screenshots where they’re full admin on AWS and GCP,” Sam Curry wrote in a tweet. The security engineer at Yuga Labs, who corresponded with the hacker, added: “This is a total compromise from what it looks like.”

    Uber since had shut down online access to its internal communications and engineering systems, while it investigated the breach, according a report by The New York Times (NYT), which broke the news. The company’s internal messaging platform, Slack, also was taken offline.

    The hacker, who claimed to be 18 years old, told NYT he had sent a text message to an Uber employee and was able to persuade the staff member to reveal a password after claiming to be a corporate information technology personnel. The social engineering hack allowed him to breach Uber’s systems, with the hacker describing the company’s security posture as weak.

    With the employee’s password, the hacker was able to get into the internal VPN, said Acronis’ CISO Kevin Reed in a LinkedIn post. The hacker then gained access to the corporate network, found highly privileged credentials on network file shares, and used these to access everything, including production systems, corporate EDR (endpoint detection and response) console, and Uber’s Slack management interface.”

    Quote from WIRED: “One independent security engineer described the OneLogin account access the Uber hacker seems to have had access to as “the golden ticket jackpot.”

     “That’s God—they own that there’s nothing they can’t access,” the security engineer added. “It’s Disneyland. It’s a blank check at the candy shop and Christmas morning all rolled up together. But sure, customer ride data wasn’t impacted. OK.” 

    Don’t let this happen to you. Train your users.

    The full article is at ZDNet:

    https://www.zdnet.com/article/uber-security-breach-looks-bad-potentially-compromising-all-systems/


    Free Phishing Security Test

    Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

    Here’s how it works:

    • Immediately start your test for up to 100 users (no need to talk to anyone)
    • Select from 20+ languages and customize the phishing test template based on your environment
    • Choose the landing page your users see after they click
    • Show users which red flags they missed, or a 404 page
    • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
    • See how your organization compares to others in your industry

    PS: Don’t like to click on redirected buttons? Cut & Paste this link in your browser: https://info.knowbe4.com/phishing-security-test-partner?partnerid=001a000001lWEoJAAW


    close

    Sign Up to the TIO Intel Alerts!

    Back To Top