“Hackers” use stolen Uber accounts to get free rides

Last week, many Uber users found that they had taken a ride in China. Quite the miracle, I would say, given that they were never in China.

The cause of this incident was the sale of Uber accounts on the dark web. Account credentials were selling for anywhere from 40 cents to a dollar. These accounts weren’t taken directly from Uber, but were found using software that tests usernames and passwords leaked from other sources for use with Uber.

Uber has had its fair share of data missteps in the past, including the release of data from more than three dozen shared Uber trips. But this breach is not on Uber’s shoulders. This is all on the user. What could have prevented this was customers using common sense and picking strong, unique passwords.
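The post describes attackers replaying username/password pairs leaked from other sites against Uber’s login, which is why reused passwords were the problem rather than a breach at Uber. As an added example (not code from the original post or from Uber), the script below shows what that activity looks like from the defender’s side: in an authentication log, a credential-stuffing source tries many distinct usernames with only one or two attempts each and mostly fails, while a brute-force source hammers one account, and a normal user makes a couple of attempts on one account. The log format, the sample lines and the thresholds are all constructed assumptions; a real service would tune them to its own traffic.

```python
"""Credential-stuffing detection over a constructed authentication log.

Added example, not from the original post or from Uber. The log format
('timestamp source_ip username OK|FAIL'), the sample lines and the
thresholds below are assumptions made for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log: one stuffing source (203.0.113.7) spraying leaked
# pairs across many accounts, one brute-force source (198.51.100.9) hitting
# a single account, and one ordinary user (192.0.2.44) who mistyped once.
SAMPLE_LOG = """\
2015-09-24T10:00:01Z 203.0.113.7 alice FAIL
2015-09-24T10:00:02Z 203.0.113.7 bob FAIL
2015-09-24T10:00:02Z 203.0.113.7 carol OK
2015-09-24T10:00:03Z 203.0.113.7 dave FAIL
2015-09-24T10:00:03Z 203.0.113.7 erin FAIL
2015-09-24T10:00:04Z 203.0.113.7 frank FAIL
2015-09-24T10:00:04Z 203.0.113.7 grace OK
2015-09-24T10:00:05Z 203.0.113.7 heidi FAIL
2015-09-24T10:00:05Z 203.0.113.7 ivan FAIL
2015-09-24T10:00:06Z 203.0.113.7 judy FAIL
2015-09-24T10:01:00Z 198.51.100.9 alice FAIL
2015-09-24T10:01:05Z 198.51.100.9 alice FAIL
2015-09-24T10:01:10Z 198.51.100.9 alice FAIL
2015-09-24T10:01:15Z 198.51.100.9 alice FAIL
2015-09-24T10:01:20Z 198.51.100.9 alice FAIL
2015-09-24T10:01:25Z 198.51.100.9 alice FAIL
2015-09-24T10:02:00Z 192.0.2.44 mallory FAIL
2015-09-24T10:02:30Z 192.0.2.44 mallory OK
"""


@dataclass
class AuthEvent:
    ts: str
    src_ip: str
    user: str
    success: bool


def parse_log(text: str) -> list[AuthEvent]:
    """Parse the assumed 'ts ip user OUTCOME' lines; malformed lines are skipped."""
    events: list[AuthEvent] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
            continue  # do not let one bad line crash the detector
        ts, ip, user, outcome = parts
        events.append(AuthEvent(ts, ip, user, outcome == "OK"))
    return events


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set[str] = field(default_factory=set)
    succeeded_users: set[str] = field(default_factory=set)


def summarize_by_source(events: list[AuthEvent]) -> dict[str, SourceStats]:
    """Aggregate attempts, failures and distinct usernames per source IP."""
    stats: dict[str, SourceStats] = defaultdict(SourceStats)
    for e in events:
        s = stats[e.src_ip]
        s.attempts += 1
        s.users.add(e.user)
        if e.success:
            s.succeeded_users.add(e.user)
        else:
            s.failures += 1
    return dict(stats)


# Assumed thresholds for the toy data; tune to the service's real traffic.
MIN_DISTINCT_USERS = 8        # stuffing spreads over many accounts...
MAX_ATTEMPTS_PER_USER = 2.0   # ...with only one or two tries per account
MIN_FAIL_RATIO = 0.5          # most leaked pairs will not match here
BRUTE_FORCE_ATTEMPTS = 5      # repeated tries against one or two accounts


def classify(s: SourceStats) -> str:
    """Label a source as credential_stuffing, brute_force or benign."""
    distinct = len(s.users)
    fail_ratio = s.failures / s.attempts if s.attempts else 0.0
    if (distinct >= MIN_DISTINCT_USERS
            and s.attempts / distinct <= MAX_ATTEMPTS_PER_USER
            and fail_ratio >= MIN_FAIL_RATIO):
        return "credential_stuffing"
    if s.attempts >= BRUTE_FORCE_ATTEMPTS and distinct <= 2 and fail_ratio >= MIN_FAIL_RATIO:
        return "brute_force"
    return "benign"


def detect(text: str) -> tuple[dict[str, str], set[str]]:
    """Return (verdict per source IP, accounts that succeeded from a stuffing
    source and should therefore get a forced password reset)."""
    stats = summarize_by_source(parse_log(text))
    verdicts = {ip: classify(s) for ip, s in stats.items()}
    to_reset: set[str] = set()
    for ip, s in stats.items():
        if verdicts[ip] == "credential_stuffing":
            to_reset |= s.succeeded_users
    return verdicts, to_reset


if __name__ == "__main__":
    verdicts, to_reset = detect(SAMPLE_LOG)
    for ip, verdict in verdicts.items():
        print(f"{ip}: {verdict}")
    print("force password reset for:", sorted(to_reset))
```

The point of the per-user ratio is the one the post makes implicitly: a stuffing campaign does not guess passwords, it replays known ones, so each account gets a single try and the successes (here the constructed `carol` and `grace`) are exactly the users who reused a password elsewhere. Those accounts, not the IP alone, are what a defender acts on.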


https://nakedsecurity.sophos.com/2015/09/25/uber-users-are-paying-for-fraudsters-to-take-rides-in-china/


Proposed EU Law: Security Agencies could access data on all European air passengers

For the third time in eight years, European politicians are moving to pass a PNR (passenger name record) law. Previously proposed in 2007, 2011, and 2013, the PNR would require all airlines servicing international flights to and from Europe to store all of the data that they collect on the passengers they transport. The data would then be available to security agencies “who [lawmakers] say need it to prevent, detect, investigate and prosecute serious crime”.

The main opposition to the PNR comes from the European Data Protection Supervisor, Giovanni Buttarelli, who states that: “The EU PNR Proposal entails an interference with the fundamental rights of a very large number of air passengers, without differentiation, limitation, or exception being made in the light of the objective of fighting against serious crime and terrorism.” “A massive, non-targeted and indiscriminate collection of data” needs to be justified.

Another thing to keep in mind is that if airlines are required to store data on all of their passengers traveling to and from Europe, cyber-criminals (see fig 1.1) could target airlines to steal personal information (see fig 1.2). This could lead to a shift in the targets of data breaches: from retail in 2013 to, possibly, airlines in 2016.

John zumBrunnen

fig 1.1

fig 1.2

Sources:

https://nakedsecurity.sophos.com/2015/09/29/300-million-non-suspects-could-be-caught-up-in-airline-passenger-info-grab-warns-privacy-chief/


Hackers steal 5.6M Government fingerprints

On Wednesday, the Office of Personnel Management reported that 5.6 million fingerprints they had on file were stolen by hackers. This is extremely sensitive information that poses an immediate danger to American spies and undercover law enforcement agents. It is extremely important to find these hackers so that they can’t steal the identities of government officials. The U.S. Intelligence Director James Clapper says China is the number one suspect behind the hack.

The U.S. and China are the two major trade partners, but they are also butting heads. They both invest heavily in their respective militaries. They are both expanding their influence in places such as Africa, Southeast Asia, South America and the Pacific.

Hackers stole federal personnel data on 21.5 million people, including federal employees, contractors, and in some cases their friends and family (because of background checks) which includes Social Security numbers.

Cybersecurity experts say the fingerprints could be the worst aspect of the theft. If the hack was committed by foreign government spies, the information could be put up for sale on the black market for identity thieves.

Dylan Hart

Sources:

http://www.abc17news.com/news/business/hackers-stole-56-million-government-fingerprints-more-than-estimated/35435510

Government vs Corporations: The Battle of Security and Privacy

After Edward Snowden released information that the NSA was tapping into private companies’ servers and getting their information without their knowledge, corporations have made promises to customers and buffed up security on their servers immensely. Higher levels of encryption, no backdoors, and buffing up servers make it much harder for hackers to break into your sensitive information, but it also keeps the government out.

The United States is currently in or contemplating legal battles with large tech companies such as Apple, Google, and Microsoft to compel them to hand over information, break encryption, or leave the government a way in to look at the data itself. Specifically with Microsoft, the company refuses to hand over data to the government without an Irish warrant because the servers the data is stored on are in Dublin. Companies aren’t willing to cooperate with the government on this because of the promises they made to their customers and the huge security breaches it could cause, leaving possible holes for hackers to steal or tamper with data.

The UK is facing a similar issue, where MI5 is looking for more power from Parliament to keep up with technological advances, and Andrew Parker, Director General of MI5, recently said in an interview that companies have an ethical responsibility to turn over the information the government wants.

Major corporations remain hesitant to readily give over information to the government for fear of backlash from consumers and the fact that the government has not really been truthful with them in the past. This argument is definitely one that comes down to ethics, and we must determine at what point we sacrifice too much privacy for the sake of security. We will have to see what the courts or Congress say on the matter.

Sources:

http://www.nytimes.com/2015/09/08/us/politics/apple-and-other-tech-companies-tangle-with-us-over-access-to-data.html?_r=0

http://www.scmagazine.com/andrew-parker-says-mi5-needs-greater-cyber-security-powers/article/439663/

– Quinn White

Backdoor found in Curiosity rover OS

NASA’s Curiosity rover has been on the surface of Mars since August 6, 2012, just a little over three years since the landing. During this time Curiosity has been the main part of NASA’s Mars exploration program to assess if Mars has an environment able to support small life forms. So far the lone rover has been working away at this task and everyone was satisfied. However, recently there have been serious security flaws discovered within VxWorks, a real-time operating system made by Wind River of Alameda, California, US, in 1987. This OS is not only running on the Curiosity rover, it is also installed on machines that range from network routers to Boeing 787 Dreamliners. Scary stuff, right? Using this security flaw, hackers could get into a 787’s system and have the potential of taking the entire jet down, which is terrifying, or get into Curiosity’s OS and set back NASA’s Mars team possibly months of research by messing with the rover.


The flaw was first shown at 44con by a Canadian researcher, Yannick Formaggio. Yannick said: “VxWorks is the world’s most widely used real-time operating system deployed in embedded systems. Its market reach spans across all safety critical fields, including the Mars Curiosity rover.” The flaw allowed Formaggio, in his own words, “to target a specific part of the operating system and write to memory on the machine running VxWorks. From there, it was possible to set up a backdoor account and control functions of the operating system.”

Seeing these kinds of vulnerabilities in such fragile systems is very scary. This means a hacker could set up a backdoor account and cause massive harm to anything they wanted. They could take control of parts of aircraft that run VxWorks, they could tamper with complex network routing systems, even the Curiosity rover if they wanted to. As you could imagine, this doesn’t look good on VxWorks’ part, but they have said that they are working on providing patches to all the machines that are currently affected by this flaw.

James O’Brien

source: http://www.ehackingnews.com/2015/09/security-bug-allows-hackers-to-take.html