“Mo money mo problems”, lamented Biggie Smalls in 1997, unaware of the rather mundane application the predicament would have some 20 years on in Britain’s automotive industry. But it turns out he was really rather prescient: UK motorists have become increasingly at risk of car theft, as unconventional security systems on high-tech vehicles are vulnerable to new avenues of compromise. Police data has revealed a 30% increase in car theft over the past three years, a trend they attribute in part to canny thieves’ capacity to bypass modern security systems in cars.
Indeed, police footage emerged in November showing how thieves were able to steal cars without the need for keys, a feat which becomes increasingly problematic as the demand for keyless-type vehicles continues its onward march. Over the past few years, cars have not been omitted from the digital revolution, with many manufacturers eschewing traditional metal keys for a push button fob. Ostensibly a more convenient means of security, the new technology opens up different types of criminality. Speaking to Sky News, Steve Launchbury of Thatcham Research explains, “When you have keyless-type vehicles where you physically just press a button and walk away, you’ve got the risk now of the signal being captured.” The problem, although of the First World variety, isn’t negligible; reports of car theft to 40 police forces in England and Wales rose from 65,783 in 2013 to 85,688 in 2016. The bulk of these were situated in the capital, with 26,496 cars reported stolen to the Metropolitan Police.
How can we bolster defences against the onslaught of vehicular theft? In an age of fingerprint sensors and facial recognition, the answer is comfortingly old school; the RAC recommends a return to more traditional means of security, including some rumination on where to park your car, ideally a well-lit location in an area not known for criminal activity. Concealing your valuables, that old chestnut, still serves as a powerful disincentive for criminals looking to break into a car.
In an amusingly kitschy turn of events, security professionals have also advised a nod to the 80s with a revived use of the tangible security lock. Clunky, awkward and inelegant, the devices are thought to provide a robust visual and physical deterrent. Which, in an age of fancy gadgets and seemingly boundless tech, feels terribly salt-of-the-earth, albeit a bit of a pain.
High-tech vehicle owners, you have been warned.
In late November it was revealed that Uber reportedly paid cyber attackers $100,000 to delete breached data obtained and concealed for over a year. In the wake of the news, Uber’s chief security officer Joe Sullivan had to resign from the company. Uber’s breach highlights the fact that passwords and simple two-factor authentication are no longer enough to stop attackers.
81 percent of data breaches come from attackers using stolen credentials and Uber is now responsible for losing another 57 million usernames and passwords. In Uber’s case the weak link was the authentication process around GitHub and AWS. This breach will have knock-on effects in the cyber-security industry as stolen credentials often lie dormant on the dark web or in the possession of cybercriminals only to resurface in the future. Uber users should reset their account passwords for the app and all other accounts where it may have been re-used. Organizations (especially global businesses like Uber!) need to implement smart, adaptive methods of authentication with contextual risk analysis built in throughout, negating the damage of stolen or lost credentials.
Here’s a recap of how the Uber attack took place: attackers gained access to a private GitHub coding site used by Uber software engineers. They then used login credentials obtained there to access data stored on an Amazon Web Services (AWS) account that handled computing tasks for the company. From this point, the hackers were able to uncover a valuable archive of rider and driver information. Armed with this data, they contacted Uber to demand money.
Learning from Uber’s mistakes, there are three key steps businesses can take to ensure they don’t fall victim to a similar attack:
1. Protect GitHub repositories with strong, multi-factor authentication (MFA): additional authentication steps can be triggered by characteristics including suspicious originating network behaviour (such as using an anonymous proxy or any high-risk IP) or unfamiliar location and device usage.
2. Invoke code review processes and make sure all credentials are scrubbed from GitHub repositories: this is best practice that should be adopted by all development teams.
3. Protect systems running in AWS with Adaptive Authentication: adaptive access controls provide additional security beyond just passwords or even MFA. Looking at contextual risk factors around every user means businesses can deny high-risk or unusual access attempts.
Breaches like Uber’s can also be prevented by fundamentally changing the way businesses approach identity and security. Taking a proactive approach to protecting identities and credentials should be the number one focus of any IT security team. This not only prevents the misuse of user credentials but more importantly will reduce risk of cyber-attacks.
Organizations often try to sweep breaches under the rug. This may be due to fear of brand damage, reputation, a hesitation to reveal company details, fear of further questioning on practices and policies or simply the costly clean-up required after a breach. All of these are valid concerns. However, by effectively and promptly disclosing breaches, businesses can get in front of the story (and backlash), helping the wider industry to learn from the breach and act accordingly to minimise the chance of it happening again.
There’s plenty of data available to develop mitigation strategies, specifically tailored for vertical sectors or business sizes. This data can help protect an organization, or even inform best practices within an entire industry. Data can help reveal where the threats are and the scope and size of the problem.
The less-than-1% scenario, .003% to be exact, is the deadliest for enterprises. These are the access attempts from suspicious or known bad IPs. In these cases it is almost certain that an attack is underway. Legitimate users do not, with few exceptions, come in from bad IPs or anonymous proxies. This is classic attack behaviour and we stop it by requiring additional factors.
To further explore these risks, SecureAuth released its inaugural State of Authentication report this year. Over the course of twelve months, our team gathered data from approximately 500 customers using Adaptive Authentication. We then analysed 617.3 million user authentication attempts to identify success rates, how often multi-factor authentication was required, and the reasons behind failed authentication attempts. Nearly 90 percent of the time authentication took place without a hitch. However, the remaining 69.1 million authentication attempts were either denied outright or stepped up for additional authentication, such as a one-time passcode (OTP) or push/symbol-to-accept. The top five reasons for denying access were as follows:
- Incorrect Passwords: 60.3 million times.
- Suspicious IP address: 2.45 million access attempts stepped up to multi-factor authentication because a log-in request was coming from an unusual IP address.
- An unrecognised device used: 830,000 times.
- Suspicious one-time passcode used: 524,000 times, including when ‘deny’ was hit on the push-to-accept request.
- Self-service password reset: 200,000 password change requests were denied.
Of the 2.45 million authentication attempts coming from suspicious IP addresses, further analysis found that over 77,000 were denied outright because the IP address was deemed to be malicious, which is very concerning. Malicious IP addresses include those known to be associated with anomalous internet infrastructure, advanced persistent threat (APT) activity, hacktivism, or cybercriminal activity.
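The allow, step-up and deny outcomes described above can be expressed as a small policy function. This is an added example, not SecureAuth's code or part of the original article; the network ranges, the user profile, the function names and the order of the checks are assumptions made for illustration.

```python
import ipaddress
from collections import Counter, namedtuple

# Constructed threat-intel feeds (RFC 5737 documentation ranges, not real IoCs).
MALICIOUS_NETS = [ipaddress.ip_network("203.0.113.0/24")]
ANON_PROXY_NETS = [ipaddress.ip_network("198.51.100.0/25")]

Attempt = namedtuple("Attempt", "user password_ok ip device_id")
# usual_nets: networks the user normally logs in from; devices: enrolled device ids
Profile = namedtuple("Profile", "usual_nets devices")
PROFILES = {"alice": Profile([ipaddress.ip_network("192.0.2.0/24")], {"laptop-1"})}

def _in_any(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def evaluate(attempt, profile):
    """Return (decision, reason); decision is 'allow', 'step_up' or 'deny'."""
    # Known-malicious source: deny before the password is considered, so a
    # stolen but valid credential is useless from that address (assumed order).
    if _in_any(attempt.ip, MALICIOUS_NETS):
        return "deny", "malicious_ip"
    if not attempt.password_ok:
        return "deny", "incorrect_password"
    if _in_any(attempt.ip, ANON_PROXY_NETS):
        return "step_up", "anonymous_proxy"
    if not _in_any(attempt.ip, profile.usual_nets):
        return "step_up", "unusual_ip"
    if attempt.device_id not in profile.devices:
        return "step_up", "unrecognised_device"
    return "allow", "low_risk"

# Constructed authentication attempts for one user.
SAMPLE = [
    Attempt("alice", True, "192.0.2.10", "laptop-1"),      # normal login
    Attempt("alice", False, "192.0.2.10", "laptop-1"),     # wrong password
    Attempt("alice", True, "203.0.113.7", "laptop-1"),     # valid password, bad IP
    Attempt("alice", True, "198.51.100.20", "laptop-1"),   # via anonymous proxy
    Attempt("alice", True, "198.51.100.200", "laptop-1"),  # unfamiliar network
    Attempt("alice", True, "192.0.2.10", "phone-9"),       # new device
]

def tally(attempts):
    """Count (decision, reason) pairs across a batch of attempts."""
    return Counter(evaluate(a, PROFILES[a.user]) for a in attempts)

if __name__ == "__main__":
    for (decision, reason), n in tally(SAMPLE).items():
        print(f"{decision:8} {reason:20} {n}")
```

The third sample attempt is the case the article is concerned with: the password is correct, yet the request is refused because of where it comes from.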
As many of the high-profile breaches in recent years show, most recently Uber’s, it only takes a single successful misuse of credentials to expose highly sensitive and confidential company and customer data. These events can incur severe costs to the business and damage that may take brands years to recover from. As businesses plan for 2018 they should ensure all their systems are secured with multi-factor or adaptive authentication technology. This essential step provides a dynamic defence against opportunistic cyber-criminals and is vital for protecting valuable business data.
Uber has got rid of its chief security officer and announced that his team paid off hackers who stole data belonging to 57 million users. The ride-hailing app’s chief executive, Dara Khosrowshahi, said: “None of this should have happened, and I will not make excuses for it.” Former CSO, Joe Sullivan, presided over a loss of the names, email addresses and mobile phone numbers belonging to Uber drivers and passengers, according to Bloomberg. Mr Sullivan’s team then paid the hackers $100,000 to delete the data instead of notifying the victims. Uber’s former chief executive, Travis Kalanick, learned of the hack in 2016, according to Bloomberg – seven months before a shareholder revolt forced him to quit and replaced him with Mr Khosrowshahi. “At the time of the incident, we took immediate steps to secure the data and shut down further unauthorised access by the individuals,” said Mr Khosrowshahi. Uber says it does not believe its customers need to take any action.
Image: ‘None of this should have happened, and I will not make excuses for it,’ said Uber’s CEO
“We have seen no evidence of fraud or misuse tied to the incident,” says a help page on its site.
“We are monitoring the affected accounts and have flagged them for additional fraud protection.” Mr Khosrowshahi said the data had been stolen from a “third-party cloud-based service” – understood to be Amazon Web Services, which the attackers accessed using legitimate passwords stolen via coding website GitHub. “We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed”.
The chief executive, who joined the company in August, added in his statement: “You may be asking why we are just talking about this now, a year later. “I had the same question, so I immediately asked for a thorough investigation of what happened and how we handled it. “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.”
Image: Details of the hack come as Uber fights against the loss of its London licence
The data breach comes as Uber looks to improve its image after bad publicity during the tenure of Uber’s founder Travis Kalanick, and the decision by transport bosses in London to take away its licence. Mr Kalanick was ousted as chief executive in June after an internal investigation concluded he had built a culture that allowed female workers to be sexually harassed and encouraged employees to push legal limits. Uber’s new boss said the company was now working with regulators on the breach and notifying drivers whose licence numbers were downloaded – as well as giving them credit monitoring and identity theft protection.
A review of its security is also taking place in conjunction with Matt Olsen, a former National Security Agency general counsel and cybersecurity expert.