Uber’s hack, Twitter whistleblower updates and a White House cyber blitz

ajay_suresh/Flickr

Welcome to Changelog for 9/18/22, published by Synack! It’s me, Blake, coming up for air after a busy week for cybersecurity news. Let’s dive in:


The payload

Pour one out for Uber’s cybersecurity team.

Last Thursday, the ridesharing company saw a purported 18-year-old hacker start swinging around its internal systems like they were monkey bars. The hacker sent @here Slack messages to the bemused Uber team and may have stolen source code, as The New York Times reported. Still, he evidently stopped short of breaching customer and driver data, based on Uber statements and public reporting so far.

That may offer little consolation to Uber’s beleaguered incident responders.

“This is a total compromise, from what it looks like,” Yuga Labs security engineer Sam Curry, who exchanged messages with the hacker, told the Times.

Not even Uber’s bug bounty program was spared, as Bleeping Computer observed: The attacker allegedly had access to sensitive information in a trove of vulnerability reports.

For its part, Uber said it has contacted law enforcement and would investigate the incident. And, hey, the company is hiring a senior security incident commander (remote available!) if any of you Changelog readers are ready to spice up your careers with a real challenge.

The week, compiled

If Uber’s corporate security came across like a house of cards this week, Twitter resembled a nest of spies.

Peiter “Mudge” Zatko, the famous hacker and former Twitter security chief, testified before Congress last Tuesday on some startling takeaways from his whistleblower allegations against the tech giant.

He recounted an exchange with a Twitter executive who had raised the possibility of a foreign spy on the company’s payroll. According to the allegations, the unnamed executive brushed off Zatko’s concerns, telling Zatko, “Well, since we already have one [foreign agent], what does it matter if we have more? Let’s keep growing the office.”

Twitter has pushed back against the claims, saying Zatko’s accounts are “riddled with inconsistencies and inaccuracies,” as The Daily Beast reported. But Zatko’s testimony and whistleblower revelations are bound to stay in the spotlight as Twitter continues its high-profile legal clash with billionaire Elon Musk. The company is trying to force Musk to follow through with his agreement to buy Twitter for $44 billion earlier this year.

Expect more fireworks from Zatko in that fight. In the meantime, here’s what else was on my radar this week:

The CyberWire: The White House issued highly anticipated guidance on software supply chain security last week. M-22-18 directs federal agencies to ensure their software providers attest to following guidelines set by the National Institute of Standards and Technology. The ultimate goal is to “allow the federal government to quickly identify security gaps when new vulnerabilities are discovered,” as federal CISO Chris DeRusha put it.

Pierre-Selim/Flickr

Wired: The head of Ukraine’s State Service of Special Communications and Information Protection — analogous to CISA in the U.S. — told Wired’s Chris Stokel-Walker that his country is facing “full-fledged cyberwar” for the first time in history. “The whole civilized world needs to recognize that the threat goes beyond Ukraine,” Yurii Shchyhol said. “Cyberspace has no boundaries. If there’s any attack perpetrated against the cyberspace of one country, by default it’s affecting and attacking other countries as well.”

Bloomberg: Tucked away in a U.S. warning on Iranian hacking activity is a missive for organizations to start “continually testing your security program, at scale.” The alert from CISA contained details of a ransomware threat tied to the Iranian government’s Islamic Revolutionary Guard Corps.

A message from Synack

Cybersecurity professionals face a raft of challenges when it comes to staffing up to meet ever-evolving digital threats. Hear how the U.S. Department of Health and Human Services navigates cybersecurity hiring hurdles in a webinar featuring Matthew Shallbetter, Director for Security Design and Innovation at HHS, and Synack’s own Scott Ormiston, who speak to tactics and solutions for augmenting public sector security teams and best practices for setting up continuous penetration testing. Learn more and view the webinar on demand here.

Flash memory

Last week’s breach of Uber was hardly the company’s first cybersecurity dustup.

But hopefully Uber navigates its latest cyber dilemma better than when a purported fall 2016 “bug bounty” incident spiraled into a PR crisis, spawned multiple lawsuits and culminated in a $148 million settlement with the U.S. Justice Department earlier this year.

The New York Times has many of the grisly details, but in short: Hackers cajoled a $100,000 payout from Uber’s security team to help the company brush a breach of 57 million user records under the rug for over a year.

By the time the company finally disclosed the extent of the breach — or “authorized vulnerability disclosure,” as Uber executives initially described it — it was far too late for affected users to take meaningful action.

Local files

AP: A sustained cyberattack on Montenegro appears to be tied to pro-Russian hackers with the “Cuba” ransomware gang. “We have been faced with serious challenges related to the cyberattack for about 20 days, and the entire state system, the system of state administration, and the system of services to citizens are functioning at a rather restrictive level,” Montenegro’s Defense Minister Rasko Konjevic told AP.

CBS News: The White House opened the taps on $1 billion in cybersecurity grants available for state and local governments. The funds are set to be doled out through the next four years and are expected to help shore up voting system security in the 2024 election cycle.

Off-script

Kudos to Patagonia founder Yvon Chouinard for living by his principles and giving away his multibillion-dollar ownership stake in the company.

“Hopefully this will influence a new form of capitalism that doesn’t end up with a few rich people and a bunch of poor people,” the 83-year-old rock climber and unconventional business leader told The New York Times.

Chouinard and his family have transferred their estimated $3 billion stake in the outdoor clothing retailer to a trust that will funnel Patagonia’s profits to combat climate change and advance other environmental causes.

It’s a mic drop move, though I doubt any other billionaires are taking notes.

Chouinard fishing in Wyoming. Sam Beebe/Flickr

That’s it for this Sunday — send tips and feedback to bsobczak@synack.com. Catch you next week!