Uber disguised $100,000 hacker payoff as bug bounty, claims Reuters

Remember the 2017 Uber breach?
The one that was actually discovered in 2016, except that Uber conveniently forgot about it for a year before admitting, “Well, yes, now you mention it, some records did get taken.”
57,000,000 records in all, apparently, including – for Uber drivers, at least – data such as driving licence and vehicle registration details.
From a regulatory point of view, Uber ought to have reported this breach promptly in many jurisdictions around the world, rather than hushing it up; in the UK, for example, the Information Commissioner’s Office (ICO) has variously stated:
Uber’s announcement about a concealed data breach last October raises huge concerns around its data protection policies and ethics. [2017-11-22T10:00Z]
It’s always the company’s responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers. Deliberately concealing breaches from regulators and citizens could attract higher fines for companies. [2017-11-22T17:35Z]
Uber has confirmed its data breach in October 2016 affected approximately 2.7 million user accounts in the UK. Uber has said the breach involved names, mobile phone numbers and email addresses. [2017-11-29]
At the time the breach news broke, it also emerged that Uber had paid $100,000 in what was effectively hush money to the hacker or hackers behind the breach, making it possible for Uber to sweep the breach under the carpet.
We speculated at the time how this payout might have been orchestrated:
It’ll be interesting to see how the story unfolds – if the current Uber leadership can unfold it at this stage, that is. I suppose you could wrap the $100,000 up as a “bug bounty payout”, but that still leaves the issue of “very conveniently deciding for yourself that it wasn’t necessary to report it”.
Well, if an exclusive investigation published recently by Reuters has it right, then our guess was right too: Reuters claims that the payoff was indeed made to look like a bug bounty payout.
Bug bounties are official rewards offered by companies to researchers who find security bugs, flaws, holes and problems, but this sort of payout is offered within a legal framework that – for obvious reasons – puts limits on exactly where bounty hunters should go, and how they should behave.
Deliberately hacking a live system in a way that is likely to crash it just to prove a point is understandably off-limits; so too is using unlawful techniques to achieve a result – stealing a physical server, for example, or threatening an employee to extract a password.
Another unlawful no-no is actually cracking into a server, stealing a giant pile of data and then offering the data back for what amounts to a ransom, even if that ransom payment would also lead to finding and fixing the security hole.
But Reuters is insisting that is pretty much how it played out in the Uber case.
According to Reuters, the attack and breach went something like this: the hacker who was ultimately paid off by Uber contracted a “researcher” to dig out Uber passwords on GitHub; those passwords led to the 57 million records; Uber then received “an email […] demanding money in exchange for user data”.
Of course, even if that wasn’t quite how it happened, or if calling this a bug bounty payout is ultimately deemed ethically acceptable…
…there’s still the issue that we described above, namely the matter of Uber very conveniently deciding unilaterally that it wasn’t necessary to report the breach.
Over here in the UK, we’ll be very interested to see what the ICO has to add to its earlier warnings.
