Tag Archive for: über

Former Uber security chief sentenced for data-breach cover-up


SAN FRANCISCO — The former chief security officer for Uber was sentenced to probation Thursday for trying to cover up a 2016 data breach in which hackers accessed tens of millions of customer records from the ride-hailing service.

Joseph Sullivan was sentenced to a three-year term of probation and ordered to pay a fine of $50,000, the U.S. attorney’s office announced.

Sullivan, 54, of Palo Alto was convicted by a federal jury in San Francisco last October of obstructing justice and concealing knowledge that a federal felony had been committed.

It was believed to be the first criminal prosecution of a company executive over a data breach.

Sullivan was hired as Uber’s chief security officer in 2015. In November 2016, Sullivan was emailed by hackers, and employees quickly confirmed that they had stolen records on about 57 million users and also 600,000 driver’s license numbers, prosecutors said.

After learning of the breach, Sullivan began a scheme to hide it from the public and the Federal Trade Commission, which had been investigating a smaller 2014 hack, authorities said.

According to the U.S. attorney’s office, Sullivan told subordinates that “the story outside of the security group was to be that ‘this investigation does not exist,’” and arranged to pay the hackers $100,000 in bitcoin in exchange for them signing non-disclosure agreements promising not to reveal the hack. He also never mentioned the breach to Uber lawyers who were involved with the FTC’s inquiry, prosecutors said.

Uber’s new management began investigating the breach in the fall of 2017. Despite Sullivan lying to the new chief executive officer and others, the truth was uncovered, and the breach was made public, prosecutors said.

Sullivan was fired along with Craig Clark, an Uber lawyer he had told about the breach. Clark was given immunity by prosecutors and testified against Sullivan.

Prosecutors had recommended a sentence of 15 months in federal prison for Sullivan, who submitted more than 100 letters of support from friends, family and colleagues.

In an April sentencing memo, prosecutors said that showed that Sullivan is “a wealthy, powerful man” with a deep network of family and friends.

“There…

Source…

Another Uber SNAFU, an AI chatbot quiz, and is juice-jacking genuine? • Graham Cluley


Smashing Security podcast #317: Another Uber SNAFU, an AI chatbot quiz, and is juice-jacking genuine?

Everyone’s talking juice-jacking – but has anyone ever been juice-jacked? Uber suffers yet another data breach, but it hasn’t been hacked. And Carole hosts the “AI-a-go-go or a no-no?” quiz for Dave and Graham.

All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by The Cyberwire’s Dave Bittner.

Hosts:

Graham Cluley – @gcluley
Carole Theriault – @caroletheriault

Guest:

Dave Bittner – @bittner

Sponsored by:

  • Bitwarden – Password security you can trust. Bitwarden is an open source password manager trusted by millions of individuals, teams, and organizations worldwide for secure password storage and sharing.
  • Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Zero Trust for Okta. Watch a demo today!
  • hCaptcha – hCaptcha Enterprise is the leading Security ML platform. hCaptcha adapts to detect and block even the most sophisticated attacks, keeping you ahead of evolving threats. Start your free trial today.

Support the show:

You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!

Follow us:

Follow the show on Twitter at @SmashinSecurity, or on Mastodon, on the Smashing Security subreddit, or visit our website for more episodes.

Thanks:

Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.



Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon’s Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy.

Source…

Deserialized web security roundup – Fortinet, Citrix bugs; another Uber breach; hacking NFTs at Black Hat


Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news

Deserialized web security roundup

Our second web security roundup begins with news that a brace of network security flaws in products from Fortinet and Citrix have each come under active attack.

These attacks were enabled by memory corruption vulnerabilities in the FortiOS SSL-VPN and by a critical arbitrary code execution flaw in Citrix ADC and Citrix Gateway (CVE-2022-27518), respectively. It is unclear whether the two campaigns are linked, but together they underline the importance of promptly patching SSL VPN appliances, which have previously served as vectors for pushing ransomware onto enterprise networks, among other attacks.

Uber this week suffered a data breach as a result of a cybersecurity incident at a third-party vendor, resulting in the exposure of employees’ personal information. The incident represents only the latest security breach to impact the ride-hailing app firm, which was previously faulted for the delayed disclosure of a 2016 breach that exposed the account records of customers and drivers. More recently, back in September, Uber’s internal IT systems were breached by a social engineering attack.

Over at Black Hat Europe, security researcher Nitesh Dhanjani discussed the impact of floor prices of non-fungible token (NFT) collections and how attacks focused on business dynamics have the potential to wreak havoc on marketplaces. Dhanjani also spoke about off-chain and on-chain sync algorithms, and how the disparities between the two blockchain-related environments can be abused.

I also attended the event for The Daily Swig, reporting on a keynote in which security researcher Daniel Cuthbert said the industry’s fixation on zero-day vulnerabilities was only a partial solution to making the internet fundamentally secure. We also covered some of the top hacking tools from the event.

Among other stories on The Daily Swig in recent days was an Akamai WAF bypass via Spring Boot, SQL injection payloads being smuggled past WAFs, and a crypto maintainer rejecting a bogus cryptocurrency ‘vulnerability’ submitted with the help of ChatGPT.

Here are…

Source…

Former Uber security officer found guilty of hiding major hack from regulators


A former Uber executive was found guilty of paying off hackers to hide a major data breach from the Federal Trade Commission.

A federal jury found Joseph Sullivan, the former chief security officer at Uber, guilty of obstructing the FTC from investigating a 2016 hack of the ride-sharing platform.

“Sullivan affirmatively worked to hide the data breach from the Federal Trade Commission and took steps to prevent the hackers from being caught,” said U.S. Attorney Stephanie Hinds in a press release. “We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users. Where such conduct violates the federal law, it will be prosecuted.”

“The message in today’s guilty verdict is clear: companies storing their customers’ data have a responsibility to protect that data and do the right thing when breaches occur,” said FBI special agent Robert Tripp. “The FBI and our government partners will not allow rogue technology company executives to put American consumers’ personal information at risk for their own gain.”

Sullivan’s lawyers pushed back on the verdict. “Mr Sullivan’s sole focus — in this incident and throughout his distinguished career — has been ensuring the safety of people’s personal data on the internet,” said David Angeli, who represented Sullivan in court, according to Computing.

Sullivan was prosecuted over his role in a 2016 breach in which the data of 50 million users and seven million drivers was exposed, including names, email addresses, and phone numbers. Sullivan had only been on the job for a few months and assisted with an FTC investigation into a 2014 hack. However, the CSO attempted to hide the existence of the 2016 hack, telling employees that the information around it had to be “tightly controlled,” and paid the hackers $100,000 in bitcoin in exchange for their signing non-disclosure agreements promising not to speak publicly about the security breach.

Uber fired Sullivan…

Source…