Uber attack; Sophos advises developers not to embed access tokens and keys in source code repositories

James Lyne, Sophos cyber security advisor

Uber suffered a data breach that has affected 57 million customers and drivers. According to an IBM study, the average cost of a data breach has hit USD 4 million, up from USD 3.8 million in 2015, and criminals have now focused on payment-based attacks. Given the lack of preparedness and the magnitude of the stakes involved, Uber's valuation may be affected this year by the international data breach.

“Uber’s breach demonstrates once again how developers need to take security seriously and never embed or deploy access tokens and keys in source code repositories. I would say it feels like I have watched this movie before, but usually organizations aren’t caught while actively involved in a cover-up. Putting the drama aside and the potential impacts from the upcoming GDPR enforcement, this is just another development team with poor security practices that has shared credentials. Sadly, this is common more often than not in agile development environments,” says Chester Wisniewski, Principal Research Scientist.

According to Bloomberg, the data of 57,000,000 drivers and customers was stolen, after which Uber not only kept the breach secret from the victims, but also paid the hackers USD 100,000 to “delete the data and keep quiet”. Apparently, Uber’s security chief, Joe Sullivan, lured to Uber from Facebook in 2015, has been sacked in the fallout.

James Lyne, Sophos cyber security advisor, says Uber isn’t the only company, and won’t be the last, to hide a data breach or cyberattack. However, not notifying consumers puts them at greater risk of being victimized by fraud. It’s for precisely this reason that many countries are moving towards regulations with mandatory breach disclosure.

It seems that Uber’s programmers uploaded security credentials to a GitHub repository – GitHub is a place where you are supposed to store source code, not the keys to the castle! – where the hackers stumbled across them. From there, the crooks were able to get into Uber servers hosted on Amazon, and from there to access the personal information involved in the breach.

If this sounds terribly familiar, Uber suffered a breach with a similar cause just over three years ago, an intrusion that was discovered in May 2014 but not disclosed until February 2015.

Wisniewski says Uber’s breach demonstrates once again how developers need to take security seriously and never embed or deploy access tokens and keys in source code repositories: “I would say it feels like I have watched this movie before, but usually organisations aren’t caught while actively involved in a cover-up as well.”

Putting the drama aside and the potential impacts from the upcoming GDPR enforcement in Europe, this is just another careless development team with shared credentials and poor security practices. Sadly, this is common more often than not in “agile” development environments, especially in high-growth technology start-ups.
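The advice running through this article is that credentials must never be committed to a source code repository. One defensive control that catches this before it reaches GitHub is a secret scanner run as a pre-commit hook. The script below is an added example written for this page, not code from Sophos, Uber or any named project. It scans text for the documented AWS access key ID format (AKIA followed by 16 uppercase alphanumerics), a secret-key assignment, PEM private key headers, and generic token/password assignments, using a Shannon entropy check to skip obvious placeholders. The sample configuration lines and every key value in it are constructed for the example and are not real credentials.

```python
import math
import re
from collections import Counter

# Credential patterns. The AWS access key ID format is documented by AWS;
# the remaining patterns are generic catch-alls chosen for this example.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"
    ),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"
    ),
    # Catches assignments such as API_TOKEN = "..." or db_password: '...'
    "generic_assignment": re.compile(
        r"(?i)(?:token|secret|password|api[_-]?key)\s*[=:]\s*['\"]([^'\"\s]{16,})['\"]"
    ),
}


def shannon_entropy(s):
    """Bits of entropy per character; random tokens score well above placeholders."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_lines(lines, entropy_threshold=3.5):
    """Return (line_number, pattern_name) for every line that looks like a secret."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for name, pat in PATTERNS.items():
            m = pat.search(line)
            if not m:
                continue
            candidate = m.group(1) if m.groups() else m.group(0)
            # The generic pattern is noisy, so require the captured value to
            # look random; "REPLACE_ME"-style placeholders fall below the bar.
            if name == "generic_assignment" and shannon_entropy(candidate) < entropy_threshold:
                continue
            findings.append((lineno, name))
            break  # one report per line is enough
    return findings


def scan_text(text, entropy_threshold=3.5):
    return scan_lines(text.splitlines(), entropy_threshold)


# Constructed sample file content; none of these values is a real credential.
SAMPLE = """\
# constructed sample config for the scanner demo
aws_access_key_id = AKIAAAAAAAAAAAAAAAAA
aws_secret_access_key = 'abcdefghijklmnopqrstuvwxyz0123456789ABCD'
DB_PASSWORD = "REPLACE_ME_REPLACE_ME"
API_TOKEN = "x7Qm2pL9vKt4Rz8wNb3cJf6hYd1gSa5e"
-----BEGIN RSA PRIVATE KEY-----
"""


def main():
    findings = scan_text(SAMPLE)
    for lineno, name in findings:
        print(f"line {lineno}: possible {name}")
    # A non-zero exit here would block the commit when run as a git hook.
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

As a pre-commit hook the script would be fed the staged diff (for example the output of `git diff --cached`) instead of the embedded sample, and a non-zero exit blocks the commit. The entropy threshold is a tunable assumption: lower it and placeholders start to trigger, raise it and short real passwords slip through, so treat the scanner as one layer alongside keeping credentials in a secrets manager rather than in files at all.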
