As the fallout continues over the Uber hack we first reported several days ago, security experts are still scrambling to understand the full potential impact of the Uber data breach. The hack was so damaging that Uber suspended all employee access to Slack, Zoom and Gmail, according to the Wall Street Journal.
One important lesson that has come to light so far is that not all multi-factor authentication (MFA) is created equal, and even big tech isn't immune to cybersecurity failures. Uber is worth $63.2 billion and should have access to the most sophisticated tools and talent to stop major cyberattacks. And yet, here we are.
Rachel Tobac, CEO of SocialProof Security, offered some great commentary on the Uber hack and the inequity of MFA deployments:
Tobac’s analysis emphasizes a few key points. Let’s start with FIDO keys.
FIDO keys are multi-protocol hardware security keys, intended to help eliminate account takeovers with strong two-factor, multi-factor and passwordless authentication. They come in various sizes and form factors, but are usually USB-A or USB-C compatible. The idea is that a user enters their credentials and is then prompted to physically touch the small FIDO key, enabling a seamless touch-to-sign-on process.
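As an added illustration (not code from this article or from Uber), here is the relying-party side of a FIDO2/WebAuthn login in Python: the browser records the page origin in the client data and the key's response is scoped to the site's RP ID, which is why a look-alike phishing page cannot reuse a touch the way it can reuse a pushed or typed code. The RP ID, origins, challenge and counter values are constructed; the signature check over the response is omitted.

```python
import base64
import hashlib
import json
import struct

# Constructed sample relying party (hypothetical; not Uber's real configuration).
EXPECTED_RP_ID = "example.com"
ALLOWED_ORIGINS = {"https://example.com", "https://login.example.com"}


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_assertion(origin, rp_id, challenge, count):
    """Build what a browser/authenticator pair sends back (signature omitted for brevity)."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url_encode(challenge),
                              "origin": origin}).encode()
    flags = 0x01 | 0x04  # UP (user touched the key) + UV (user verified)
    auth_data = (hashlib.sha256(rp_id.encode()).digest()  # rpIdHash, 32 bytes
                 + bytes([flags]) + struct.pack(">I", count))  # flags, signCount
    return {"clientDataJSON": client_data, "authenticatorData": auth_data}


def check_assertion(assertion, expected_challenge, last_count):
    """Relying-party checks binding the response to this site and this login attempt."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replayed or stale response)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, "origin not allowed: a look-alike phishing page cannot pass this"
    ad = assertion["authenticatorData"]
    if ad[:32] != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        return False, "rpIdHash mismatch: credential scoped to another site"
    if not ad[32] & 0x01:
        return False, "user presence flag not set: no physical touch"
    count = struct.unpack(">I", ad[33:37])[0]
    if count != 0 and count <= last_count:
        return False, "signature counter did not increase: possible cloned key"
    return True, "ok"
```

In a real deployment the authenticator would not even hold a credential for the phishing site's RP ID, so the ceremony fails in the browser before the server sees it; the server-side checks above are the backstop.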
Ironically, numerous enterprises have deployed FIDO keys to strengthen employee security and help prevent account takeovers. Google, Apple, Microsoft and Amazon are just a few examples of such companies.
The second key point that Tobac brings up is that security teams, and the corporations they work for, “can’t let perfect be the enemy of good.” This is a valid point, as too often security teams push security controls so strict that user experience and productivity are negatively impacted. This actually encourages “shadow IT” and unauthorized behavior, as people feel that security controls prevent them from doing their job.
Uber hacker was a member of Lapsus$
Breaking today, TechCrunch reports that Uber has evidence that the hacker who breached its internal systems was a member of Lapsus$. Lapsus$ is a cybercriminal gang of unknown origin that has successfully hacked companies such as Cisco, Microsoft, Samsung and Okta.
Uber believes that it is possible the hacker may have bought stolen passwords from marketplaces on the dark web.
Uber goes on damage control
Uber is not taking any chances on further damage, stating that it has performed the following across its enterprise IT infrastructure:
- We identified any employee accounts that were compromised or potentially compromised and either blocked their access to Uber systems or required a password reset.
- We disabled many affected or potentially affected internal tools.
- We rotated keys (effectively resetting access) to many of our internal services.
- We locked down our codebase, preventing any new code changes.
- When restoring access to internal tools, we required employees to re-authenticate. We are also further strengthening our multi-factor authentication (MFA) policies.
- We added additional monitoring of our internal environment to keep an even closer eye on any further suspicious activity.
Discover more from Cybersecurity Careers Blog