Data accessed on 5/13/2014, Uber noticed on 9/17/2014, and then notified those affected on 2/27/2015. Thankfully it was only names and plate numbers, but still...
All I see from Uber is bad publicity and poor management decisions. I wonder what it's like to work there from an insider's perspective, 'cause from the outside it doesn't look good.
It sounds like they realized the API was improperly exposed on 9/17/2014, but didn't necessarily know if it had ever been accessed by an unauthorized request.
I could see it taking a while to find one bad request in the entire history of the API's lifespan -- presuming that they had to find the logs, weed out false positives, different sites and versions that behaved differently, etc.
That still doesn't explain a 5 month gap. The only (charitable) explanation that makes sense to me is that they discovered the API was exposed, thought they had proven it was never improperly accessed, and then only much later realized that it had been after all.
I'm not defending them on this because that does seem to be a long enough time to be more proactive about it. You did bring up an interesting point though: Uber is facing opposition from almost every city they are in, whether it's small-town South Carolina, where I'm from, or some of the largest cities in the world. It would be interesting to see how people deal with this on the inside and how it affects the culture.
Uber's in a position where they get flak for breaking the rules while also being painfully aware that following the rules is worse for them. They face opposition, but every time they play nice it doesn't go well for them.
The lesson here is that sometimes, you do much better by breaking all the rules.
Early 2014, you could see the driver's home address, cell phone number, ESN for their phone, the VINs of the car(s) they had on their account... list goes on and on...
I don't know what happened here, but presumably they keep fairly detailed request logs. If they were notified of a security vulnerability like this, they would probably sweep logs for suspicious requests. This way they would become aware of all breaches using that vulnerability, but not until they found the vulnerability, which could be any amount of time after the breaches occurred.
Yeah, I definitely would not do that to a 3rd party system without a specific letter of engagement for penetration test or security review. Now, that being said, it's the first thing I would tell every single developer about as a senior developer and I would insist that test cases be written to verify that no such 'feature' was permitted into the application.
That is a bunch of lawyer words that they can stretch to mean anything. What we need are hard deadlines, say two days after the break-in. Not enough to fully find out what happened, but enough to force the companies to act.
Congress needs to stop pissing in the wind and make a federal law on breach disclosure. Self-evidently companies won't universally do this on their own, and state-specific law makes compliance more difficult and expensive.
How would such legislation ensure companies are able to detect such breaches in the first place? For every Target/PSN/Anthem/Uber, how many companies aren't even aware they've been breached?
Withholding knowledge of a breach is self-rewarding, which is why there needs to be a law stating the time frame for disclosure, and either penalties or liability (per affected customer, employee, contractor, vendor). Lack of skill in detection is a problem, but I don't know whether Congress is well equipped to legislate that, and also companies aren't exactly incentivized to just let themselves get completely owned. They're just ignorant. There's no question this behavior is changing, even if we're dissatisfied with how slow it's happening.
I mean, the average Congresscritter probably has no idea what the typical answer is to "how do you do a password reset?" other than "call daughter/son". They're not good at establishing competency. They are sorta halfway decent at bringing out the hammer: "disclose what you know within X days, or we're going to fine you... when we do find out when you knew it."
So that brings up the question of how the legislation determines whether and exactly when the company knew they were breached. And I'd say they should learn from history, which is not to be such dicks like they were with hackers in the 80's and 90's and instantly criminalize disproportionately. We were learning things as a result of all of that, and by repressing it, we learned a lot less. So with companies I'd say up front the disclosure needs to be civil in nature (fines), and if there's willful hiding of what they know, tampering with evidence, or destruction of evidence in an attempt to claim they didn't know they were breached or how badly, then it becomes criminal and lay down the hammer. Ultimately though, the worst punishment is up to the states, since the corporate charter is granted by states, not the feds. Off hand I can't think of a case where a corporation was executed in this manner though (revoking its charter or articles of incorporation).
Companies are asking Congress to do this because already states are doing it, and it's totally haphazard. If Congresscritters were to get doxxed maybe it'd go faster.
As much as Uber messed up here and there was a security breach, comparable information is publicly available. For example, the TLC in NYC provides this:
This is a spreadsheet containing all the taxi drivers in NYC with their names, license numbers, and license expiration dates. Given that the only information leaked (according to Uber) were names and license numbers, that really isn't much beyond what might otherwise be available publicly.
In Massachusetts the driver's license number used to be your social security number. This was changed, but are there other states that have not done so?
Uber really needs to have a public data retention policy stating that they anonymize or delete all data older than a couple weeks. I'm just waiting for them to be hacked and have to reveal that people's trip data for years has been released.
It's definitely not just Uber. And drivers' license numbers are serious PII! It was my exact example that I gave to my last appsec talk for Ruby developers this month in Nashville.
Starting with the user story: "As a Pawn Shop Clerk, I scan a copy of the customer’s drivers’ license because the company is required by law to keep this record at least two years from the date we purchase a used valuable from a customer."
[0] https://news.ycombinator.com/item?id=9122369 [1] http://blog.uber.com/2-27-15
A charitable interpretation might be that they discovered a vulnerability in September, but didn't find the May breach until recently.
Civil Code § 1798.82(a): http://leginfo.legislature.ca.gov/faces/codes_displaySection...
I find it hard to square that requirement with Uber waiting 5 months from when it found out.
...will be the response by many Congresspersons. Nothing will happen on this until a number of public figures are doxxed to hell and back.
http://www.nyc.gov/html/tlc/downloads/excel/current_medallio...
[0] http://blog.uber.com/2-27-15
The number of f*cks I can give for the company is so low. Just feel sorry for all the drivers with the leaked information...
https://www.youtube.com/watch?v=dj196NhPyWs&t=26m00s
There was a good Q&A about data retention, that included a lawyer in the audience.
Obama's proposing data privacy regulations. I think it's worth considering what you'd like to see involved in same.