Uber hacked….and covered up. Say it isn’t so!

Hello All. So the news is making the rounds. Not only did Uber get breached in 2016 affecting 57 million users, but they covered it up by paying the hackers responsible $100,000 to keep quiet and destroy any evidence of the event.

Uber acknowledged on Tuesday that two individuals in October 2016 had accessed and downloaded data on 57 million Uber riders and drivers that was stored in a third-party infrastructure system. The company says none of its own systems were breached.

As part of the cyber-attack, the names and driver license numbers of around 600,000 drivers were accessed, according to Uber. 57 million Uber users also had their information exposed, including names, emails, and mobile phone numbers, the company said in a blog post. Uber said other personal information, including trip details or credit card information, was not accessed.

According to news sources, Travis Kalanick, the CEO at the time, first learned of the incident in November 2016, when Uber was working on a settlement with the Federal Trade Commission for various privacy violations. The company chose to pay the hackers the ransom to delete any evidence and keep the event a secret.

Uber’s current CEO Dara Khosrowshahi has asked for the resignation of Uber’s Chief Security Officer, Joe Sullivan, and a lawyer who reported to him.

I can only imagine that Lyft business is going to be doing better in the months to come.

DHS Team Hacks a Boeing 757

Hello all. Probably not news to anyone. DHS cyber team have been able to remotely hack a Boeing 757 while it was parked at the airport in Atlantic City, NJ. This was admitted to during the 2017 CyberSat Summit held on November 8, 2017 in Virginia during a keynote by Robert Hickey, aviation program manager within the Cyber Security Division of the DHS Science and Technology (S&T) Directorate.

“We got the airplane on Sept. 19, 2016. Two days later, I was successful in accomplishing a remote, non-cooperative, penetration,” Hickey said in an article in Avionics Today. “[That] means I didn’t have anybody touching the airplane; I didn’t have an insider threat. I stood off using typical stuff that could get through security, and we were able to establish a presence on the systems of the aircraft.” While the details of the hack are classified, Hickey admitted that his team of industry experts and academics pulled it off by accessing the 757’s “radio frequency communications.”

As CBS News pointed out, Boeing stopped producing 757s in 2004, but that aircraft is still used by major airlines, such as American, Delta and United. President Trump has a 757, and Vice President Pence also uses one. In fact, Avionics Today claimed 90 percent of commercial planes in the sky are legacy aircraft that were not designed with security in mind.

KnockKnock – New Threat to O365?

Hello All. Just following some posts related to KnockKnock, a potential vulnerability that targets a small number of O365 accounts  (less than 2%), specifically system and admin accounts. Attackers are attempting to knock on backdoor system accounts to infiltrate Office 365 environments, the attacks have been ongoing since May and have targeted organizations in manufacturing, financial services, healthcare, consumer products, and the US public sector.

The attack was identified by Skyhigh Networks. Here is the attack profile from their website:

“First, it should be noted that KnockKnock is not a brute force attack for two reasons. First, it targets a very small proportion (typically <2%) of the O365 account base. Second, it is devoid of any bursts in hacking activity, and averages only 3-5 attempts per account in order to try and fly under the radar of traditional defenses. KnockKnock has been operational since May 2017 and is currently active. The attack is launched using a relatively small network of 83 confirmed IPs distributed across 63 networks. The smaller size of the botnet is likely designed to keep the attacker low key (i.e. the attack focuses on a handful of users at a time, before moving on to the next set). In an attempt to further obfuscate the attack, enterprises are targeted in a staggered manner. When the attacks against one enterprise seem to be ramping up, they are slowing down for a different enterprise. While a majority of the activity stems from IPs registered to service providers in China, there is activity originating out of 15 other countries including Russia, Brazil, US, Argentina, Gabon, Azerbaijan, Malaysia.”

Further information can be found on their website – https://www.skyhighnetworks.com/cloud-security-blog/skyhigh-discovers-ingenious-new-attack-scheme-on-office-365/


Dnsmasq….Code Execution Flaw

Hello All. New code execution flaw affecting Dnsmasq has reared its ugly heard. Dnsmasq, provides code that makes it easier for networked devices to communicate using DNS and the DHCP. It’s included in Android, Ubuntu, and most other Linux distributions, and it can also run on a variety of other operating systems and in router firmware. Google security researchers posted a blog entry on October 2, 2017 (https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html) noting where they recently found seven vulnerabilities in Dnsmasq, three of which were flaws that allowed the remote execution of malicious code.

  • CVE-2017-14491 is a DNS-based vulnerability that affects both directly exposed and internal network setups. Although the latest git version only allows a 2-byte overflow, this could be exploited based on previous research. Before version 2.76 and this commit the overflow is unrestricted.
  • CVE-2017-14493 is a trivial-to-exploit DHCP-based, stack-based buffer overflow vulnerability. In combination with CVE-2017-14494 acting as an info leak, an attacker could bypass ASLR and gain remote code execution.
  • Android is affected by CVE-2017-14496 when the attacker is local or tethered directly to the device—the service itself is sandboxed so the risk is reduced. Android partners received patches on 5 September 2017 and devices with a 2017-10-01 security patch level or later address this issue.