Uber hacked
The social engineering method claimed to have been used, MFA fatigue, calls into question something we have come to rely on indiscriminately.
On the 16th of September, Uber released a Twitter post:

Before that, an attacker claiming to be an 18-year-old hacker said that Uber had been compromised. You will find a lot of hullabaloo around this. Read this article on Wired for one of the simplest analyses.
Quoting the most relevant paragraph from the article:
“The attacker, who could not be reached by WIRED for comment, claims that they first gained access to company systems by targeting an individual employee and repeatedly sending them multifactor authentication login notifications. After more than an hour, the attacker claims, they contacted the same target on WhatsApp pretending to be an Uber IT person and saying that the MFA notifications would stop once the target approved the login.”
Employees get phished all the time. What’s scary is the extent of data that could be compromised by phishing just one employee. The article goes on to mention this about zero trust:
“The phrase "zero trust" has become a sometimes meaningless buzzword in the security industry, but the Uber breach seems to at least show an example of what zero trust is not.”
Privileged Access Management software has the digital equivalent of sealed envelopes - one-time-use admin passwords called “Break the Glass” accounts. These accounts are used in emergencies to access systems that are otherwise inaccessible. Well, you know the rest…


Then there were hard-coded passwords for administrator accounts in PowerShell scripts.


The more you read about it, the deeper the rabbit hole goes. If you want to collaborate with me on a detailed analysis, please feel free to reach out to me at
chaitanyakunthe(at)duck(dot)com
Update: Uber released a statement that no customer confidential data has been breached.
Take Action:
There is just so much to unpack here:
Are your users victims of MFA fatigue? Check how many times a user has to complete an MFA prompt to get access, and think about how you can reduce MFA fatigue.
Check to see if there are SPOA (Single Point Of Access) accounts - accounts that have the master key!
Check all scripts for hardcoded administrative passwords
Evaluate your architecture - Zero Trust and Single Sign-On - do they work together? Or are they essentially opposites?
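One way to run the first check against your own authentication logs, as an added example that is not part of the original post: it flags users who receive a burst of unapproved MFA pushes and marks bursts that end in an approval, the pattern described in the Wired quote. The log format, the sample lines, the function names and the thresholds are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log; the "timestamp user=... result=..." format is hypothetical.
SAMPLE_LOG = """\
2022-09-15T09:01:00Z user=bob result=denied
2022-09-15T09:01:30Z user=bob result=approved
2022-09-15T18:00:05Z user=alice result=timeout
2022-09-15T18:20:40Z user=alice result=denied
2022-09-15T18:41:03Z user=alice result=timeout
2022-09-15T19:02:30Z user=alice result=denied
2022-09-15T19:08:47Z user=alice result=denied
2022-09-15T19:12:02Z user=alice result=approved
2022-09-15T22:00:00Z user=carol result=denied
2022-09-15T22:02:00Z user=carol result=denied
2022-09-15T22:04:00Z user=carol result=denied
2022-09-15T22:06:00Z user=carol result=denied
"""

def parse(line):
    """Split one log line into (timestamp, user, result)."""
    ts, user, result = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return when, user.split("=", 1)[1], result.split("=", 1)[1]

def detect_mfa_fatigue(log_text, threshold=4, window_minutes=90):
    """Flag users with >= threshold unapproved pushes inside the window."""
    window = timedelta(minutes=window_minutes)  # assumed default, tune per environment
    pending = defaultdict(deque)  # user -> timestamps of unapproved pushes
    alerts = {}
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    for when, user, result in events:
        queue = pending[user]
        while queue and when - queue[0] > window:
            queue.popleft()  # drop pushes older than the window
        if result == "approved":
            # An approval right after a burst is the case to escalate first.
            if len(queue) >= threshold:
                alerts[user] = {"pushes": len(queue), "approved_after_burst": True}
            queue.clear()
        else:
            queue.append(when)
            if len(queue) >= threshold and user not in alerts:
                alerts[user] = {"pushes": len(queue), "approved_after_burst": False}
    return alerts
```

A single mistyped prompt followed by an approval (bob in the sample) stays below the threshold and is not flagged.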
P.S: There is news that the hacker who compromised Uber also compromised the yet-to-be-released GTA VI. Read the Reuters news release here.
ATM hacks get more sophisticated
Card skimmers are after unencrypted magnetic stripe data and PINs.
ATM skimming gets more and more sophisticated. This article by Brian Krebs shows the latest hardware in ATM hacking. Deep insert ATM skimmers are beautifully thin and scary!
Read the article to see images of well-hidden cameras used to capture your PIN.
Take Action:
The simplest possible solution - Cover the keypad when withdrawing cash from an ATM. Use ATMs attached to a bank and be doubly careful while using ATMs on weekends.
Monkey, Shakespeare, Typewriter: Cybersecurity for everyone has a chapter on Situational Awareness that helps you be prepared.