Ubergate Post Mortem: Will We Ever Learn?

By Matt Kimball - December 8, 2017
“It’s not the crime, it’s the cover up,” is a phrase that was popularized during the Watergate scandal in the 70s. At the time, it was in reference to President Nixon lying to the American public about his knowledge of the wrongdoing—and as we all know, the coverup led to his eventual resignation of the Presidency. A couple of weeks back, Uber CEO Dara Khosrowshahi revealed a cyberattack his company fell victim to back in October, 2016, that certainly falls under the category of scandal. Sometime in 2016, two hackers gained Uber AWS credentials through GitHub (GitHub is a cloud-based code repository for developers). The hackers then went to AWS and downloaded 57 million user accounts, including driver’s license numbers for 600,000 Uber drivers. After downloading this goldmine of data, the hackers contacted Uber to discuss ransom terms. The final settlement? Uber would pay the hackers $100,000, under two conditions: first, they had to destroy the stolen data (and “double promise” they did this). Second, they couldn’t tell anybody. Cyber hands were shaken, payment was made, and everybody went on their merry way.
The hacking of customer data happens. Uber is certainly not the first victim of ransom attacks, nor will it be the last. Making it easy for the hackers by exposing AWS credentials and not encrypting data? Not smart, but still not a scandal. Hiding this from regulators, customers, and the public in general? That’s where Ubergate was born. And it follows a pattern of corporate behavior by Uber that is disturbing (search on “Uber greyball”). Thanks to the coverup, politicians in Washington DC will be investigating Uber for decades to come. It’s worth mentioning that if the European Union’s General Data Protection Regulation (GDPR) was in effect, Uber would be paying very heavy fines for this.
The real issue
Uber is a technology company that plays in the transportation industry. As such, one would expect the development team at Uber to be more educated and diligent about security. Exposing credentials on a public code-sharing site seems like a pretty obvious “no-no”.
On the surface, this seems to be just another bit of misfortune to cap off a rough year for Uber. The real issue I see in this is a lack of seriousness with regard to security in organizations of all shapes and sizes. Maybe seriousness is the wrong word, but certainly a sense of being indestructible. Kind of like a fearless 15-year-old kid--confident bad things only happen to other people.
As we all know though, bad things do happen to good people. Today’s organizations face the real risk of being attacked and having data held hostage. In a survey Ponemon Institute recently published, 61% of respondents reported falling victim to a cyberattack. 54% of those suffered a breach of customer and/or employee data as a result. If that wasn’t enough, respondents saw a staggering 26x increase in ransomware attacks. 52% of cybercrimes reported were attributed to ransomware, compared to just 2% the previous year.
I’m not paranoid, I know everybody is out to get me
Thinking that Martians are infiltrating society and taking over the world is not a productive way to live your life. On the other hand, thinking that your data center is extremely vulnerable and using that paranoia to guide your cybersecurity strategy is good. This should lead to a more comprehensive plan that considers protection, detection, mitigation, and recovery.
Smart IT organizations consider security from the ground up: CPUs, servers, virtualized platforms, applications and data. For applications that are hosted in the cloud, those smart IT organizations are even more deliberate in ensuring security mechanisms—for the sake of intellectual property (IP) and customer data.
Unfortunately, many other IT organizations are less vigilant. There’s an assumption that infrastructure, operating systems, and applications are inherently secure. That collective logic leads to putting trust in cloud providers and sites like GitHub to fully protect IP and data. This attitude of “it’s in the cloud – it must be secure,” is what leads to exposing network credentials and not encrypting data. To be clear—Uber’s breach was not a failing on the part of GitHub or AWS. Uber’s breach was the result of an organization that was lax in its approach to security.
The best offense is a good defense
Ubergate should be a reminder of our vulnerability. Hackers are for hire. Malware can be purchased and customized for a small fee. Search the dark web and you can find pricing sheets for data theft. Because of this growing threat, developing a living strategy is critical. Look to third parties that specialize in cybersecurity and can offer an outside perspective.
A critical part of any cybersecurity plan is recovering from ransomware attacks. The Federal Bureau of Investigation (FBI) has a very useful guide that should be read by every Chief Information Security Officer (CISO). Among this very useful guidance, there are three things I’d like to highlight:
  1. Having a thorough data recovery plan is key. Because of the nature of cyberattacks, I would suggest using a Disaster Recovery as a Service (DRaaS) provider. Housing data offsite with a provider that breathes data protection is a smart move. Cloud services like Microsoft Azure provide this service, as do many cloud-based data protection services such as Carbonite.
  2. Notifying your local FBI office in the event of an attack is critical. There are teams dedicated to cybercrime, and you may find federal involvement alone can scare away less sophisticated hackers.
  3. Seriously weigh the pros and cons of paying a ransom. The FBI has found very mixed results regarding payment of ransomware—sometimes it results in retrieval of data, sometimes it doesn’t. Sometimes payment encourages those very same hackers to attack an organization repeatedly.
Don’t be the next ‘gate’
Hacks are going to happen. Even the most vigilant IT organizations can’t protect against an employee opening a phishing email or inserting a dirty USB stick into their laptop. The response to these events is what separates a responsible company from the next Ubergate. Stay paranoid.

Matt Kimball is a Moor Insights & Strategy senior datacenter analyst covering servers and storage. Matt’s 25 plus years of real-world experience in high tech spans from hardware to software as a product manager, product marketer, engineer and enterprise IT practitioner. This experience has led to a firm conviction that the success of an offering lies, of course, in a profitable, unique and targeted offering, but most importantly in the ability to position and communicate it effectively to the target audience.