#hacked 

Shut up and drive. More like, "Shut up and don't tell users we were hacked." It has been discovered the ride service with the already questionable reputation, Uber, suffered a massive data breach in 2016. What's worse, they paid the hackers $100,000 to keep quiet. According to Bloomberg, the data of 57,000,000 drivers and customers was stolen, which the company failed to warn those affected about, but also paid the hackers to “delete the data and keep quiet." This breach was able to occur after Uber’s programmers uploaded security credentials to a GitHub repository where the hackers found them. Keeping in mind that GitHub is meant to store source code, this was an incredible mistake. Once the hackers had access, they were able to breach Uber servers hosted on Amazon, getting all of the personal information. “At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals. We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed,” said CEO Dara Khosrowshahi, although users were never notified. There are multiple state regulations that dictate when disclosures must be made, so we can expect Uber to be facing repercussions in that respect.Ultimately, because drivers license details were acquired by the hackers, Uber certainly should have declared the breach promptly, because of the sensitivity of the data involved. As a result, Uber's reputation is under further scrutiny and users of the platform are advised to remain vigilant if they continue to use the service. Chester Wisniwewski perhaps said it best when he stated, "Uber’s breach demonstrates once again how developers need to take security seriously and never embed or deploy access tokens and keys in source code repositories... Putting the drama aside and the potential impacts from the upcoming GDPR enforcement in Europe, this is just another careless development team with shared credentials and poor security practices." But what's more concerning, the fact that the breach occurred or that customers failed to be notified? A look at the Uber site still makes no notice of the incident.

Compromised data from the October 2016 attack included names, email addresses and phone numbers of 50 million Uber riders around the world… The personal information of about 7 million drivers was accessed as well, including some 600,000 US driver’s license numbers. No Social Security numbers, credit card information, trip location details or other data were taken. -Uber

For more information on the Uber hack-and-bribe, read the Tripwire blog.

#insecurities 

While we saw a poor use of GitHub in the previous section, often the site is extremely useful as a public code repository for millions of open- source projects. Now, GH has announced that it will be "scanning millions of code repositories looking for projects that rely on components that need a security update." This announcement comes as the site began to recognize some of the security issues inherent in the current model. Many projects build on other open- source components, so their vulnerability risk is more than the sum of all the unfixed security bugs in the code of the project an individual is using and includes "the recursive sum of all the security bugs in all the sub-projects on which your chosen software depends." Operating in this way means that the maintainers of a project need to be aware of potential issues in every sub-project on which they rely, otherwise you have layered, complex security problems to deal with. Going forward, GitHub will be proactively scanning code repositories and notifying project maintainers of any affected projects and that they need to take action.At this time, these automatic 'you ought to do something' warnings only apply to "dependencies written in Ruby or JavaScript (technically, Ruby Gems or NPM packages), and only to vulnerabilities that have been assigned an official CVE number." It is an extremely beneficial feature, however, because it prompts developers to take preventative action early in the code distribution process. Fingers crossed GitHub will extend the range of source code projects it validates in scanning and hopefully, soon enough, other source code repositories will follow suit.

We found potential security vulnerabilities in your dependencies. Some of the dependencies defined in your Gemfile [the way that Ruby programs list the components they rely upon] have known security vulnerabilities and should be updated. -warning email from GitHub

To get an in-depth look at why this is so important, read 'A Cautionary Tale About PHP Secure Coding Techniques.'

#surveillance 

While US Congress has yet to pass any legislation to control what critics call 'warrantless surveillance' of US citizens by the nation’s multiple spy agencies, there are now five proposals addressing the issue being considered. "Big brother, are you listening?" The latest proposal introduced last week by the Senate is a version of the USA (United and Strengthening American) Liberty Act of 2017. Initial feedback from privacy advocates say it is a vast improvement over a House bill of the same name that was introduced in early October 2017. What both bills share is a revision to Section 702, which has "allowed government intelligence agencies including the NSA, CIA, FBI and the National Counterterrorism Center to collect and sift through vast troves of information on an unknown number (intelligence agencies won’t say how many) of American citizens, all because it is 'incidentally' collected during surveillance of foreign targets. And they have been able to do it without probable cause, a warrant or any evidence of criminal activity." As you can imagine, 702 has received much criticism. With politics, it seems that there is no easy answer.In the House bill, law-enforcement agencies would be required to get a warrant before they can get an American citizen’s emails or phone calls recorded by the NSA. This some are calling a lack of transparency and oversight which won’t totally cease the NSA’s practices of collecting data on innocent people. Other critics say the Senate bill doesn’t address 'constitutional concerns' with Section 702, but one called it, “an important step forward from the dismal status quo.” It is too early to tell which way the law will sway, but from polls it appears we are far from a solution. Likewise on the agenda for US legislators are new regulations for net neutrality, which early reports indicate may not be positive for consumers.

For years, the NSA, CIA, and FBI have engaged in illegal ‘backdoor’ searches, deliberately looking for and accessing Americans’ private information collected under Section 702 without a warrant… This bill would help to rein in these illegal searches by requiring the government to get a warrant when they deliberately search for and then subsequently seek to view Americans’ private communications. -Neema Singh Guliani, legislative counsel for the American Civil Liberties Union (ACLU)

Looking to remain as anonymous as possible? Read 'Introducing Darknet Free VPN Services.'

#factbyte

A study by CTAM and research consultancy Magid estimates Americans will average 50 connected devices in their homes by 2020.Olivia Lynch (@Cybrary_Olivia) is the Marketing & Communications Manager at Cybrary. Like many of you, she is just getting her toes wet in the infosec field and is working to make cyber security news more interesting. A firm believer that the pen is mightier than the sword, Olivia considers corny puns and an honest voice essential to any worthwhile blog.